public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: "Joseph Gleason ⑈" <fireduck@gmail.com>
To: shatzakis@gmail.com,
	 slurms--- via bitcoin-dev
	<bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Proposal for Palindromic (Reversible) Mnemonics
Date: Mon, 3 Dec 2018 12:54:10 -0800	[thread overview]
Message-ID: <CA+ASnrGEbksc-YeKR7bKpAv5=rcWcg8BeR6XDVUzvJ9C76bGpA@mail.gmail.com> (raw)
In-Reply-To: <CABsxsG234DhY8Lxn0UMgXG0YnPdyJ5__U9P-aweV9L=xw7hxyw@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 4277 bytes --]

I have a suggestion.  If you are concerned about plausible deniability,
then it might make sense to just have the single mnemonic seed lead to a
single xprv key (as usual) and then do a private key derivation from that
based on a password string.  The password can be simple, as it is based on
the security of the seed, just as long as the user feels they need for
deniability.

A simple reverse scheme like you describe would just be another thing a
person would know to check if given some seed so I don't see it as
providing much value, but I could be missing something.

On Mon, Dec 3, 2018 at 10:45 AM Steven Hatzakis via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Hi All,
>
> I've developed a method to check if a mnemonic is also valid when the
> words are put into reverse order (not the entropy), where a given 12 or
> 24-word mnemonic could be valid both in little endian and big endian
> format. I've coined these "Palindromic Mnemonics", but perhaps more
> user-friendly is "reversible mnemonics."
>
> Purpose:
> A checksum-valid reversible mnemonic allows two separate vaults to be
> connected to the same mnemonic string of words, where all a users must do
> is enter the words in reverse order (the last word becomes first, second to
> last becomes second, and so on) to access the secondary (reversed words)
> vault. This utility could provide multiple use-cases, including related to
> combinations with passphrases and plausible deniability, as well as
> conveniences for those wishing to use a separate vault tied to the same
> string of words.
>
> Security:
> For any randomly generated 12-word mnemonic (128-bits of security) the
> chances of it also being reversible are 1/16 (I believe), as a total of 4
> bit positions must be identical (4 bits from the normal mnemonic and
> another 4 bits from the reversed string must match). For a 24-word
> mnemonic, those values increase to 8 bits which need to match 8 bits from
> the reversed string, leading to about 1 in every 256 mnemonics also being
> reversible. While the message space of valid reversible mnemonics should be
> 2^124 for 12 words, that search must still be conducted over a field of 2^128,
> as the hash-derived checksum values otherwise prevent a way to
> deterministically find valid reversible mnemonics without first going
> through invalid reversible ones to check. I think others should chime in on
> whether they believe there is any security loss, in terms of entropy bits
> (assuming the initial 128 bits were generated securely). I estimate at most
> it would be 4-bits of loss for a 12-word mnemonic, but only if an attacker
> had a way to search only the space of valid reversible mnemonics (2**124)
> which I don't think is feasible (could be wrong?). There could also be
> errors in my above assumptions, this is a work in progress and sharing it
> here to solicit initial feedback/interest.
>
> I've already written the code that can be used for testing (on GitHub user
> @hatgit), and when run from terminal/command prompt it is pretty fast to
> find a valid reversible mnemonics, whereas on IDLE in Python on a 32-bit
> and 64-bit machine it could take a few seconds for 12 words and sometimes
> 10 minutes to find a valid 24-word reversible mnemonic.
> Example 12 words reversible (with valid checksum each way):
>
> limit exact seven clarify utility road image fresh leg cabbage hint canoe
>
> And Reversed:
>
> canoe hint cabbage leg fresh image road utility clarify seven exact limit
>
>
> Example 24 reversible:
>
> favorite uncover sugar wealth army shift goose fury market toe message
> remain direct arrow duck afraid enroll salt knife school duck sunny grunt
> argue
>
> And reversed:
>
> argue grunt sunny duck school knife salt enroll afraid duck arrow direct
> remain message toe market fury goose shift army wealth sugar uncover
> favorite
>
>
> My two questions 1) are how useful could this be for
> you/users/devs/service providers etc.. and 2) is any security loss
> occurring and whether it is negligible or not?
>
> Best regards,
>
> Steven Hatzakis
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

[-- Attachment #2: Type: text/html, Size: 7691 bytes --]

  reply	other threads:[~2018-12-03 20:54 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-12-03 18:27 [bitcoin-dev] Proposal for Palindromic (Reversible) Mnemonics Steven Hatzakis
2018-12-03 20:54 ` Joseph Gleason ⑈ [this message]
2018-12-04 12:16   ` James MacWhyte
2018-12-04 12:42     ` Steven Hatzakis
     [not found]       ` <CALYX514jH_wYrONu=hpj924p98cEcHnyZLdu2jDt5tkhoKL9kw@mail.gmail.com>
2018-12-04 21:39         ` Steven Hatzakis

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CA+ASnrGEbksc-YeKR7bKpAv5=rcWcg8BeR6XDVUzvJ9C76bGpA@mail.gmail.com' \
    --to=fireduck@gmail.com \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    --cc=shatzakis@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox