* [bitcoin-dev] ChainWallet - A way to prevent loss of funds by physical violence
@ 2019-10-04 9:15 Saulo Fonseca
From: Saulo Fonseca @ 2019-10-04 9:15 UTC (permalink / raw)
To: Christian Decker via bitcoin-dev
Hi everyone
If you are a hodler, I'd like to propose the creation of a key stretching as a new layer of protection over your current wallet. I call it ChainWallet. Whatever method is used to generate your private key, we can do the following:
newPrivKey = sha256(sha256(sha256(…sha256(privKey)…)))
NewWallet = PubAddress(newPrivKey)
In this way we create a chain of hashes over your private key and generate a new wallet from it. If the chain is very long (billions or trillions of hashes) it will take a long time to be created. If you don’t keep the newPrivKey, the only way to move coins in the NewWallet is to generate the chain again.
The length of the chain can be easily memorized as an exponent such as 2^40 or 10^12.
What is that good for? You will not be able to move your coins in an unplanned way such as being tortured by a kidnapper. You can create a wallet that takes days or even months to return the final address.
Comparison with a BrainWallet
If the first privKey is the hash of a password, your ChainWallet can be compared to a BrainWallet with a chain added to it. BrainWallets have a bad reputation because it is possible to create a brute-force attack against them. There are reports where the attacker was able to guess the password by generating hundreds of thousands of hashes per second. But, if you use a ChainWallet that takes one second to be generated, it means that the speed of an attack would be reduced to one guess per second. This makes a brute-force attack practically impossible.
Entropy
The ChainWallet adds only a few bits of entropy to your key. The idea here is not to increase the entropy, but to add “time” as part of the puzzle.
SHA-256
I am suggesting the use of SHA-256 because it is the most popular hash algorithm in the crypto community. But you could use SHA-512 or a slower hash algorithm such as Bcrypt to do it. But keep in mind that other hash algorithms can reduce the entropy.
The idea is to add time to the key generation. If you use many SHA-256 iterations or a few SHA-512 iterations, as long as both need the same time to be generated, there is no difference.
Other hashes have the advantage that a hardware implementation of it is not widespread.
ASICs
Someone could mention that ASICs get more and more powerful and could crack a ChainWallet. But they have a huge hash rate because they calculate it in parallel. A ChainWallet requires that the output of a hash would be the input of the next calculation. This dramatically reduces the speed of a hardware implementation of such algorithms.
Let’s pick an example: The Bitfury Clarke has 8.154 cores and runs 120 Gh/s. This means that each core can perform about 14.72 Mh/s. This speed is all that you can get with one of the best ASICs on the market. 17.72 Mh/s is only about 17,7 times faster than a typical computer. This speed can only increase slowly, as technology needs time to make the transistors run faster. So, the best way to generate a ChainWallet is by using such an ASIC core.
Misuse
Someone could argue that people would misuse it by picking easy-to-remember passwords or a small chain length. A wallet implementation could solve it by forcing a minimum length for the chain and blocking commonly used words for the password. It is a matter of design.
Theft
The major advantage of a ChainWallet is the ability to avoid theft. If your wallet takes a really long time to be generated and someone tries to force you to give your private key, you would not be able to do it, even if you really want to. You could also give away a wrong password or chain length and he/she is not able to verify it. The chances are very small that he/she will wait weeks or months for the chain generation, or even that he/she is able to do the chain calculation.
Final Thoughts
A ChainWallet could be used as an alternative to BIP39. Instead of keeping 24 words, you would have a password and two numbers, a base and an exponent, that define the length of the chain. This is easier to memorize, so you do not need to write it down.
This is only meant as an additional option along with all others available in the crypto environment, such as multisig and smart contracts. As for those other ideas, the ChainWallet is not applicable in every case.
When the day arrives at which you want to stop hodling and transfer your coins to another location, you should re-generate your wallet in a planned way with the same original private key and length of the chain. Then, after waiting until the program concludes, you will get the new private key back.
Web Links
The original idea can be found on this post:
https://www.reddit.com/user/sauloqf/comments/a3q8dt/chainwallet
A proof of concept in C++ can be found on this link:
https://github.com/Saulo-Fonseca/ChainWallet
The community has been testing the concept for a while. You can find discussions on these links:
https://www.reddit.com/r/Bitcoin/comments/cya467/chainwallet_challenge_get_01_btc_if_you_solve_it
https://www.reddit.com/r/Bitcoin/comments/d9ltec/does_someone_know_how_to_submit_a_bip_for_bitcoin
Saulo Fonseca
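The sequential hash chain described in the proposal above, as an added example that is not part of the original mail or of the linked C++ proof of concept. It assumes a brain-wallet style seed (sha256 of a password, labelled as constructed here), implements the chain with Python's hashlib, checks the caveat that the final 32 bytes must lie in the valid secp256k1 private-key range before they can be used as a key, and includes a timing helper that extrapolates how long a given chain length would take on the current machine. The function and parameter names are this example's own.

```python
import hashlib
import time

# Order of the secp256k1 group. A private key k is only valid when 1 <= k < N;
# a chain output outside that range (probability about 2^-128) cannot be used as-is.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def sha256_once(data: bytes) -> bytes:
    """Single SHA-256 application; exposed so tests can build expected values."""
    return hashlib.sha256(data).digest()


def brainwallet_seed(password: str) -> bytes:
    """Constructed seed: the mail's 'privKey is the hash of a password' case."""
    return sha256_once(password.encode("utf-8"))


def chain_stretch(priv_key: bytes, length: int) -> bytes:
    """Apply SHA-256 `length` times in sequence.

    Each output is the input of the next call, so the work cannot be split
    across parallel cores: this is the property the proposal relies on.
    """
    if length < 1:
        raise ValueError("chain length must be at least 1")
    h = priv_key
    for _ in range(length):
        h = hashlib.sha256(h).digest()
    return h


def chain_stretch_from_exponent(priv_key: bytes, base: int, exponent: int) -> bytes:
    """Memorable form from the proposal: the chain length is base ** exponent."""
    return chain_stretch(priv_key, base ** exponent)


def is_valid_secp256k1_key(key32: bytes) -> bool:
    """Check the 32-byte chain output is usable as an ECDSA private key."""
    if len(key32) != 32:
        return False
    k = int.from_bytes(key32, "big")
    return 1 <= k < SECP256K1_N


def estimate_seconds(length: int, sample: int = 200_000) -> float:
    """Measure this machine's sequential SHA-256 rate over `sample` iterations
    and extrapolate to `length`. This is the 'time as part of the puzzle' cost
    a legitimate owner pays, and also the per-guess cost of a password search."""
    start = time.perf_counter()
    chain_stretch(b"\x00" * 32, sample)
    elapsed = time.perf_counter() - start
    return elapsed / sample * length


if __name__ == "__main__":
    seed = brainwallet_seed("correct horse battery staple")  # constructed password
    stretched = chain_stretch_from_exponent(seed, 2, 16)      # small chain for a demo
    print("stretched key:", stretched.hex())
    print("valid secp256k1 key:", is_valid_secp256k1_key(stretched))
    print("estimated seconds for 2^40:", round(estimate_seconds(2 ** 40)))
```

The timing helper is the useful part for a defender: running it with the intended chain length shows whether the chosen exponent actually buys days or months of delay, or only minutes, on commodity hardware. The `is_valid_secp256k1_key` check is the step a wallet implementation would need before handing the chain output to a signing library.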
* Re: [bitcoin-dev] ChainWallet - A way to prevent loss of funds by physical violence
From: Bryan Bishop @ 2019-10-04 10:02 UTC (permalink / raw)
To: Bitcoin Dev, Bryan Bishop
Since the user can't prove that they are using this technique, or
petertodd's timelock encryption for that matter, an attacker has little
incentive to stop physically attacking until they have a spendable UTXO.
I believe you can get the same effect with on-chain timelocks, or
delete-the-bits plus a rangeproof and a zero-knowledge proof that the
rangeproof corresponds to some secret that can be used to derive the
expected public key. I think Jeremy Rubin had an idea for such a proof.
Also, adam3us has described a similar thought here:
https://bitcointalk.org/index.php?topic=311000.0
- Bryan
On Fri, Oct 4, 2019, 4:43 AM Saulo Fonseca via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> Hi everyone
>
> If you are a hodler, I like to propose the creation of a key stretching as
> a new layer of protection over your current wallet.
>