📅 Original date posted:2018-12-04
📝 Original message:Thanks, James and Joseph, for the feedback,
It has been a fun experiment!
I just want to note that the plausible deniability was not the motive but
just an example use-case, there are perhaps other use-cases that would be
on the user to decide. I think having a mnemonic that is also reversible
could be useful for other reasons - convenience related perhaps.
*Re security:* I am still not convinced entirely that security is reduced
at all because one still has to search through all entropy in the range
of 2^128 to see whether any of those are reversible (unless there is a way
to only search the field of 2^124 that are reversible, which I don't think
is possible because the hash-derived checksum cannot be determined before
hashing, only afterward). Therefore, security should still be 2^128 for a
12-word mnemonic whether it is reversible or not (as one in every 16 people
that already have one (12-word) is reversible, they just might not realize
it, so we can't say those are less secure).
Best regards,
On Tue, Dec 4, 2018 at 2:16 PM James MacWhyte <macwhyte at gmail.com> wrote:
> I agree with Joseph. If you want plausible deniability, it would be better
> to simply hide the funds somewhere in the HD chain. Same if you want a
> second vault tied to the same phrase.
>
> You are reducing security by eliminating all entropy that doesn't fit the
> reversible criteria, although in practice it doesn't make a difference
> because the numbers are so big. However, it doesn't seem like a very useful
> feature to have.
>
> Thanks for doing all that work though, it was fun to read about your idea
> and what you found out through experimenting!
>
> James
>
>
> On Mon, Dec 3, 2018 at 1:00 PM Joseph Gleason ⑈ via bitcoin-dev <
> bitcoin-dev at lists.linuxfoundation.org> wrote:
>
>> I have a suggestion. If you are concerned about plausible deniability,
>> then it might make sense to just have the single mnemonic seed lead to a
>> single xprv key (as usual) and then do a private key derivation from that
>> based on a password string. The password can be simple, as it is based on
>> the security of the seed, just as long as the user feels they need for
>> deniability.
>>
>> A simple reverse scheme like you describe would just be another thing a
>> person would know to check if given some seed so I don't see it as
>> providing much value, but I could be missing something.
>>
>> On Mon, Dec 3, 2018 at 10:45 AM Steven Hatzakis via bitcoin-dev <
>> bitcoin-dev at lists.linuxfoundation.org> wrote:
>>
>>> Hi All,
>>>
>>> I've developed a method to check if a mnemonic is also valid when the
>>> words are put into reverse order (not the entropy), where a given 12 or
>>> 24-word mnemonic could be valid both in little endian and big endian
>>> format. I've coined these "Palindromic Mnemonics", but perhaps more
>>> user-friendly is "reversible mnemonics."
>>>
>>> Purpose:
>>> A checksum-valid reversible mnemonic allows two separate vaults to be
>>> connected to the same mnemonic string of words, where all a users must do
>>> is enter the words in reverse order (the last word becomes first, second to
>>> last becomes second, and so on) to access the secondary (reversed words)
>>> vault. This utility could provide multiple use-cases, including related to
>>> combinations with passphrases and plausible deniability, as well as
>>> conveniences for those wishing to use a separate vault tied to the same
>>> string of words.
>>>
>>> Security:
>>> For any randomly generated 12-word mnemonic (128-bits of security) the
>>> chances of it also being reversible are 1/16 (I believe), as a total of 4
>>> bit positions must be identical (4 bits from the normal mnemonic and
>>> another 4 bits from the reversed string must match). For a 24-word
>>> mnemonic, those values increase to 8 bits which need to match 8 bits from
>>> the reversed string, leading to about 1 in every 256 mnemonics also being
>>> reversible. While the message space of valid reversible mnemonics should be
>>> 2^124 for 12 words, that search must still be conducted over a field of
>>> 2^128, as the hash-derived checksum values otherwise prevent a way to
>>> deterministically find valid reversible mnemonics without first going
>>> through invalid reversible ones to check. I think others should chime in on
>>> whether they believe there is any security loss, in terms of entropy bits
>>> (assuming the initial 128 bits were generated securely). I estimate at most
>>> it would be 4-bits of loss for a 12-word mnemonic, but only if an attacker
>>> had a way to search only the space of valid reversible mnemonics (2**124)
>>> which I don't think is feasible (could be wrong?). There could also be
>>> errors in my above assumptions, this is a work in progress and sharing it
>>> here to solicit initial feedback/interest.
>>>
>>> I've already written the code that can be used for testing (on GitHub
>>> user @hatgit), and when run from terminal/command prompt it is pretty fast
>>> to find a valid reversible mnemonics, whereas on IDLE in Python on a 32-bit
>>> and 64-bit machine it could take a few seconds for 12 words and sometimes
>>> 10 minutes to find a valid 24-word reversible mnemonic.
>>> Example 12 words reversible (with valid checksum each way):
>>>
>>> limit exact seven clarify utility road image fresh leg cabbage hint canoe
>>>
>>> And Reversed:
>>>
>>> canoe hint cabbage leg fresh image road utility clarify seven exact limit
>>>
>>>
>>> Example 24 reversible:
>>>
>>> favorite uncover sugar wealth army shift goose fury market toe message
>>> remain direct arrow duck afraid enroll salt knife school duck sunny grunt
>>> argue
>>>
>>> And reversed:
>>>
>>> argue grunt sunny duck school knife salt enroll afraid duck arrow direct
>>> remain message toe market fury goose shift army wealth sugar uncover
>>> favorite
>>>
>>>
>>> My two questions 1) are how useful could this be for
>>> you/users/devs/service providers etc.. and 2) is any security loss
>>> occurring and whether it is negligible or not?
>>>
>>> Best regards,
>>>
>>> Steven Hatzakis
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev at lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev at lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20181204/6b7a7b5b/attachment-0001.html>;
Steven Hatzakis [ARCHIVE] /
npub1fe…s4kk9
2023-06-07 18:15:30
in reply to nevent1q…gnnk
Author Public Key
npub1fe0qjndz68rvx5pstyk4rug57e3p9e9apnr36sq8g7zef35zmmeqts4kk9Published at
2023-06-07 18:15:30Event JSON
{
"id": "c1cdbbe4cca70cde8f6f8f5e3d88ced004c5d2f4bee73c110ea2b6def2515f2f",
"pubkey": "4e5e094da2d1c6c35030592d51f114f66212e4bd0cc71d4007478594c682def2",
"created_at": 1686161730,
"kind": 1,
"tags": [
[
"e",
"6a6abd479ceb1ad5ee8839bd6887abb3f540bbfcf7ee1bb5c1d6c447cadb565d",
"",
"root"
],
[
"e",
"6bf39e78a31d3caf2b68b3429db9b2c278f4b2be05c43344c9ef9d17a64dba80",
"",
"reply"
],
[
"p",
"52e5d0646af3ea5ccb6c4bd31237d6068258a11ace3ac40f02466a3f89342928"
]
],
"content": "📅 Original date posted:2018-12-04\n📝 Original message:Thanks, James and Joseph, for the feedback,\nIt has been a fun experiment!\n\nI just want to note that the plausible deniability was not the motive but\njust an example use-case, there are perhaps other use-cases that would be\non the user to decide. I think having a mnemonic that is also reversible\ncould be useful for other reasons - convenience related perhaps.\n*Re security:* I am still not convinced entirely that security is reduced\nat all because one still has to search through all entropy in the range\nof 2^128 to see whether any of those are reversible (unless there is a way\nto only search the field of 2^124 that are reversible, which I don't think\nis possible because the hash-derived checksum cannot be determined before\nhashing, only afterward). Therefore, security should still be 2^128 for a\n12-word mnemonic whether it is reversible or not (as one in every 16 people\nthat already have one (12-word) is reversible, they just might not realize\nit, so we can't say those are less secure).\n\nBest regards,\n\nOn Tue, Dec 4, 2018 at 2:16 PM James MacWhyte \u003cmacwhyte at gmail.com\u003e wrote:\n\n\u003e I agree with Joseph. If you want plausible deniability, it would be better\n\u003e to simply hide the funds somewhere in the HD chain. Same if you want a\n\u003e second vault tied to the same phrase.\n\u003e\n\u003e You are reducing security by eliminating all entropy that doesn't fit the\n\u003e reversible criteria, although in practice it doesn't make a difference\n\u003e because the numbers are so big. However, it doesn't seem like a very useful\n\u003e feature to have.\n\u003e\n\u003e Thanks for doing all that work though, it was fun to read about your idea\n\u003e and what you found out through experimenting!\n\u003e\n\u003e James\n\u003e\n\u003e\n\u003e On Mon, Dec 3, 2018 at 1:00 PM Joseph Gleason ⑈ via bitcoin-dev \u003c\n\u003e bitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\u003e\n\u003e\u003e I have a suggestion. If you are concerned about plausible deniability,\n\u003e\u003e then it might make sense to just have the single mnemonic seed lead to a\n\u003e\u003e single xprv key (as usual) and then do a private key derivation from that\n\u003e\u003e based on a password string. The password can be simple, as it is based on\n\u003e\u003e the security of the seed, just as long as the user feels they need for\n\u003e\u003e deniability.\n\u003e\u003e\n\u003e\u003e A simple reverse scheme like you describe would just be another thing a\n\u003e\u003e person would know to check if given some seed so I don't see it as\n\u003e\u003e providing much value, but I could be missing something.\n\u003e\u003e\n\u003e\u003e On Mon, Dec 3, 2018 at 10:45 AM Steven Hatzakis via bitcoin-dev \u003c\n\u003e\u003e bitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\u003e\u003e\n\u003e\u003e\u003e Hi All,\n\u003e\u003e\u003e\n\u003e\u003e\u003e I've developed a method to check if a mnemonic is also valid when the\n\u003e\u003e\u003e words are put into reverse order (not the entropy), where a given 12 or\n\u003e\u003e\u003e 24-word mnemonic could be valid both in little endian and big endian\n\u003e\u003e\u003e format. I've coined these \"Palindromic Mnemonics\", but perhaps more\n\u003e\u003e\u003e user-friendly is \"reversible mnemonics.\"\n\u003e\u003e\u003e\n\u003e\u003e\u003e Purpose:\n\u003e\u003e\u003e A checksum-valid reversible mnemonic allows two separate vaults to be\n\u003e\u003e\u003e connected to the same mnemonic string of words, where all a users must do\n\u003e\u003e\u003e is enter the words in reverse order (the last word becomes first, second to\n\u003e\u003e\u003e last becomes second, and so on) to access the secondary (reversed words)\n\u003e\u003e\u003e vault. This utility could provide multiple use-cases, including related to\n\u003e\u003e\u003e combinations with passphrases and plausible deniability, as well as\n\u003e\u003e\u003e conveniences for those wishing to use a separate vault tied to the same\n\u003e\u003e\u003e string of words.\n\u003e\u003e\u003e\n\u003e\u003e\u003e Security:\n\u003e\u003e\u003e For any randomly generated 12-word mnemonic (128-bits of security) the\n\u003e\u003e\u003e chances of it also being reversible are 1/16 (I believe), as a total of 4\n\u003e\u003e\u003e bit positions must be identical (4 bits from the normal mnemonic and\n\u003e\u003e\u003e another 4 bits from the reversed string must match). For a 24-word\n\u003e\u003e\u003e mnemonic, those values increase to 8 bits which need to match 8 bits from\n\u003e\u003e\u003e the reversed string, leading to about 1 in every 256 mnemonics also being\n\u003e\u003e\u003e reversible. While the message space of valid reversible mnemonics should be\n\u003e\u003e\u003e 2^124 for 12 words, that search must still be conducted over a field of\n\u003e\u003e\u003e 2^128, as the hash-derived checksum values otherwise prevent a way to\n\u003e\u003e\u003e deterministically find valid reversible mnemonics without first going\n\u003e\u003e\u003e through invalid reversible ones to check. I think others should chime in on\n\u003e\u003e\u003e whether they believe there is any security loss, in terms of entropy bits\n\u003e\u003e\u003e (assuming the initial 128 bits were generated securely). I estimate at most\n\u003e\u003e\u003e it would be 4-bits of loss for a 12-word mnemonic, but only if an attacker\n\u003e\u003e\u003e had a way to search only the space of valid reversible mnemonics (2**124)\n\u003e\u003e\u003e which I don't think is feasible (could be wrong?). There could also be\n\u003e\u003e\u003e errors in my above assumptions, this is a work in progress and sharing it\n\u003e\u003e\u003e here to solicit initial feedback/interest.\n\u003e\u003e\u003e\n\u003e\u003e\u003e I've already written the code that can be used for testing (on GitHub\n\u003e\u003e\u003e user @hatgit), and when run from terminal/command prompt it is pretty fast\n\u003e\u003e\u003e to find a valid reversible mnemonics, whereas on IDLE in Python on a 32-bit\n\u003e\u003e\u003e and 64-bit machine it could take a few seconds for 12 words and sometimes\n\u003e\u003e\u003e 10 minutes to find a valid 24-word reversible mnemonic.\n\u003e\u003e\u003e Example 12 words reversible (with valid checksum each way):\n\u003e\u003e\u003e\n\u003e\u003e\u003e limit exact seven clarify utility road image fresh leg cabbage hint canoe\n\u003e\u003e\u003e\n\u003e\u003e\u003e And Reversed:\n\u003e\u003e\u003e\n\u003e\u003e\u003e canoe hint cabbage leg fresh image road utility clarify seven exact limit\n\u003e\u003e\u003e\n\u003e\u003e\u003e\n\u003e\u003e\u003e Example 24 reversible:\n\u003e\u003e\u003e\n\u003e\u003e\u003e favorite uncover sugar wealth army shift goose fury market toe message\n\u003e\u003e\u003e remain direct arrow duck afraid enroll salt knife school duck sunny grunt\n\u003e\u003e\u003e argue\n\u003e\u003e\u003e\n\u003e\u003e\u003e And reversed:\n\u003e\u003e\u003e\n\u003e\u003e\u003e argue grunt sunny duck school knife salt enroll afraid duck arrow direct\n\u003e\u003e\u003e remain message toe market fury goose shift army wealth sugar uncover\n\u003e\u003e\u003e favorite\n\u003e\u003e\u003e\n\u003e\u003e\u003e\n\u003e\u003e\u003e My two questions 1) are how useful could this be for\n\u003e\u003e\u003e you/users/devs/service providers etc.. and 2) is any security loss\n\u003e\u003e\u003e occurring and whether it is negligible or not?\n\u003e\u003e\u003e\n\u003e\u003e\u003e Best regards,\n\u003e\u003e\u003e\n\u003e\u003e\u003e Steven Hatzakis\n\u003e\u003e\u003e _______________________________________________\n\u003e\u003e\u003e bitcoin-dev mailing list\n\u003e\u003e\u003e bitcoin-dev at lists.linuxfoundation.org\n\u003e\u003e\u003e https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev\n\u003e\u003e\u003e\n\u003e\u003e _______________________________________________\n\u003e\u003e bitcoin-dev mailing list\n\u003e\u003e bitcoin-dev at lists.linuxfoundation.org\n\u003e\u003e https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev\n\u003e\u003e\n\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20181204/6b7a7b5b/attachment-0001.html\u003e",
"sig": "1fcd4ab0902061d1ae40aa162ba1abc438044550504cc94c077d7335b6365aca36ff00b6d517b5b56429c4a1a9df7ce32f689d403a5a32045d9e30283d3146f4"
}