From: Steven Hatzakis <shatzakis@gmail.com>
To: bitcoin-dev@lists.linuxfoundation.org
Subject: [bitcoin-dev] Proposal for Palindromic (Reversible) Mnemonics
Date: Mon, 3 Dec 2018 20:27:52 +0200 [thread overview]
Message-ID: <CABsxsG234DhY8Lxn0UMgXG0YnPdyJ5__U9P-aweV9L=xw7hxyw@mail.gmail.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 3277 bytes --]
Hi All,
I've developed a method to check if a mnemonic is also valid when the words
are put into reverse order (not the entropy), where a given 12 or 24-word
mnemonic could be valid both in little endian and big endian format. I've
coined these "Palindromic Mnemonics", but perhaps more user-friendly is
"reversible mnemonics."
Purpose:
A checksum-valid reversible mnemonic allows two separate vaults to be
connected to the same mnemonic string of words, where all a users must do
is enter the words in reverse order (the last word becomes first, second to
last becomes second, and so on) to access the secondary (reversed words)
vault. This utility could provide multiple use-cases, including related to
combinations with passphrases and plausible deniability, as well as
conveniences for those wishing to use a separate vault tied to the same
string of words.
Security:
For any randomly generated 12-word mnemonic (128-bits of security) the
chances of it also being reversible are 1/16 (I believe), as a total of 4
bit positions must be identical (4 bits from the normal mnemonic and
another 4 bits from the reversed string must match). For a 24-word
mnemonic, those values increase to 8 bits which need to match 8 bits from
the reversed string, leading to about 1 in every 256 mnemonics also being
reversible. While the message space of valid reversible mnemonics should be
2^124 for 12 words, that search must still be conducted over a field of 2^128,
as the hash-derived checksum values otherwise prevent a way to
deterministically find valid reversible mnemonics without first going
through invalid reversible ones to check. I think others should chime in on
whether they believe there is any security loss, in terms of entropy bits
(assuming the initial 128 bits were generated securely). I estimate at most
it would be 4-bits of loss for a 12-word mnemonic, but only if an attacker
had a way to search only the space of valid reversible mnemonics (2**124)
which I don't think is feasible (could be wrong?). There could also be
errors in my above assumptions, this is a work in progress and sharing it
here to solicit initial feedback/interest.
I've already written the code that can be used for testing (on GitHub user
@hatgit), and when run from terminal/command prompt it is pretty fast to
find a valid reversible mnemonics, whereas on IDLE in Python on a 32-bit
and 64-bit machine it could take a few seconds for 12 words and sometimes
10 minutes to find a valid 24-word reversible mnemonic.
Example 12 words reversible (with valid checksum each way):
limit exact seven clarify utility road image fresh leg cabbage hint canoe
And Reversed:
canoe hint cabbage leg fresh image road utility clarify seven exact limit
Example 24 reversible:
favorite uncover sugar wealth army shift goose fury market toe message
remain direct arrow duck afraid enroll salt knife school duck sunny grunt
argue
And reversed:
argue grunt sunny duck school knife salt enroll afraid duck arrow direct
remain message toe market fury goose shift army wealth sugar uncover
favorite
My two questions 1) are how useful could this be for you/users/devs/service
providers etc.. and 2) is any security loss occurring and whether it is
negligible or not?
Best regards,
Steven Hatzakis
[-- Attachment #2: Type: text/html, Size: 6273 bytes --]
next reply other threads:[~2018-12-03 18:28 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-03 18:27 Steven Hatzakis [this message]
2018-12-03 20:54 ` [bitcoin-dev] Proposal for Palindromic (Reversible) Mnemonics Joseph Gleason ⑈
2018-12-04 12:16 ` James MacWhyte
2018-12-04 12:42 ` Steven Hatzakis
[not found] ` <CALYX514jH_wYrONu=hpj924p98cEcHnyZLdu2jDt5tkhoKL9kw@mail.gmail.com>
2018-12-04 21:39 ` Steven Hatzakis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CABsxsG234DhY8Lxn0UMgXG0YnPdyJ5__U9P-aweV9L=xw7hxyw@mail.gmail.com' \
--to=shatzakis@gmail.com \
--cc=bitcoin-dev@lists.linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox