public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
* [bitcoin-dev] Proposal for Palindromic (Reversible) Mnemonics
@ 2018-12-03 18:27 Steven Hatzakis
  2018-12-03 20:54 ` Joseph Gleason ⑈
  0 siblings, 1 reply; 5+ messages in thread
From: Steven Hatzakis @ 2018-12-03 18:27 UTC (permalink / raw)
  To: bitcoin-dev

[-- Attachment #1: Type: text/plain, Size: 3277 bytes --]

Hi All,

I've developed a method to check if a mnemonic is also valid when the words
are put into reverse order (not the entropy), where a given 12 or 24-word
mnemonic could be valid both in little endian and big endian format. I've
coined these "Palindromic Mnemonics", but perhaps more user-friendly is
"reversible mnemonics."

Purpose:
A checksum-valid reversible mnemonic allows two separate vaults to be
connected to the same mnemonic string of words, where all a users must do
is enter the words in reverse order (the last word becomes first, second to
last becomes second, and so on) to access the secondary (reversed words)
vault. This utility could provide multiple use-cases, including related to
combinations with passphrases and plausible deniability, as well as
conveniences for those wishing to use a separate vault tied to the same
string of words.

Security:
For any randomly generated 12-word mnemonic (128-bits of security) the
chances of it also being reversible are 1/16 (I believe), as a total of 4
bit positions must be identical (4 bits from the normal mnemonic and
another 4 bits from the reversed string must match). For a 24-word
mnemonic, those values increase to 8 bits which need to match 8 bits from
the reversed string, leading to about 1 in every 256 mnemonics also being
reversible. While the message space of valid reversible mnemonics should be
2^124 for 12 words, that search must still be conducted over a field of 2^128,
as the hash-derived checksum values otherwise prevent a way to
deterministically find valid reversible mnemonics without first going
through invalid reversible ones to check. I think others should chime in on
whether they believe there is any security loss, in terms of entropy bits
(assuming the initial 128 bits were generated securely). I estimate at most
it would be 4-bits of loss for a 12-word mnemonic, but only if an attacker
had a way to search only the space of valid reversible mnemonics (2**124)
which I don't think is feasible (could be wrong?). There could also be
errors in my above assumptions, this is a work in progress and sharing it
here to solicit initial feedback/interest.

I've already written the code that can be used for testing (on GitHub user
@hatgit), and when run from terminal/command prompt it is pretty fast to
find a valid reversible mnemonics, whereas on IDLE in Python on a 32-bit
and 64-bit machine it could take a few seconds for 12 words and sometimes
10 minutes to find a valid 24-word reversible mnemonic.
Example 12 words reversible (with valid checksum each way):

limit exact seven clarify utility road image fresh leg cabbage hint canoe

And Reversed:

canoe hint cabbage leg fresh image road utility clarify seven exact limit


Example 24 reversible:

favorite uncover sugar wealth army shift goose fury market toe message
remain direct arrow duck afraid enroll salt knife school duck sunny grunt
argue

And reversed:

argue grunt sunny duck school knife salt enroll afraid duck arrow direct
remain message toe market fury goose shift army wealth sugar uncover
favorite


My two questions 1) are how useful could this be for you/users/devs/service
providers etc.. and 2) is any security loss occurring and whether it is
negligible or not?

Best regards,

Steven Hatzakis

[-- Attachment #2: Type: text/html, Size: 6273 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [bitcoin-dev] Proposal for Palindromic (Reversible) Mnemonics
  2018-12-03 18:27 [bitcoin-dev] Proposal for Palindromic (Reversible) Mnemonics Steven Hatzakis
@ 2018-12-03 20:54 ` Joseph Gleason ⑈
  2018-12-04 12:16   ` James MacWhyte
  0 siblings, 1 reply; 5+ messages in thread
From: Joseph Gleason ⑈ @ 2018-12-03 20:54 UTC (permalink / raw)
  To: shatzakis, slurms--- via bitcoin-dev

[-- Attachment #1: Type: text/plain, Size: 4277 bytes --]

I have a suggestion.  If you are concerned about plausible deniability,
then it might make sense to just have the single mnemonic seed lead to a
single xprv key (as usual) and then do a private key derivation from that
based on a password string.  The password can be simple, as it is based on
the security of the seed, just as long as the user feels they need for
deniability.

A simple reverse scheme like you describe would just be another thing a
person would know to check if given some seed so I don't see it as
providing much value, but I could be missing something.

On Mon, Dec 3, 2018 at 10:45 AM Steven Hatzakis via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Hi All,
>
> I've developed a method to check if a mnemonic is also valid when the
> words are put into reverse order (not the entropy), where a given 12 or
> 24-word mnemonic could be valid both in little endian and big endian
> format. I've coined these "Palindromic Mnemonics", but perhaps more
> user-friendly is "reversible mnemonics."
>
> Purpose:
> A checksum-valid reversible mnemonic allows two separate vaults to be
> connected to the same mnemonic string of words, where all a users must do
> is enter the words in reverse order (the last word becomes first, second to
> last becomes second, and so on) to access the secondary (reversed words)
> vault. This utility could provide multiple use-cases, including related to
> combinations with passphrases and plausible deniability, as well as
> conveniences for those wishing to use a separate vault tied to the same
> string of words.
>
> Security:
> For any randomly generated 12-word mnemonic (128-bits of security) the
> chances of it also being reversible are 1/16 (I believe), as a total of 4
> bit positions must be identical (4 bits from the normal mnemonic and
> another 4 bits from the reversed string must match). For a 24-word
> mnemonic, those values increase to 8 bits which need to match 8 bits from
> the reversed string, leading to about 1 in every 256 mnemonics also being
> reversible. While the message space of valid reversible mnemonics should be
> 2^124 for 12 words, that search must still be conducted over a field of 2^128,
> as the hash-derived checksum values otherwise prevent a way to
> deterministically find valid reversible mnemonics without first going
> through invalid reversible ones to check. I think others should chime in on
> whether they believe there is any security loss, in terms of entropy bits
> (assuming the initial 128 bits were generated securely). I estimate at most
> it would be 4-bits of loss for a 12-word mnemonic, but only if an attacker
> had a way to search only the space of valid reversible mnemonics (2**124)
> which I don't think is feasible (could be wrong?). There could also be
> errors in my above assumptions, this is a work in progress and sharing it
> here to solicit initial feedback/interest.
>
> I've already written the code that can be used for testing (on GitHub user
> @hatgit), and when run from terminal/command prompt it is pretty fast to
> find a valid reversible mnemonics, whereas on IDLE in Python on a 32-bit
> and 64-bit machine it could take a few seconds for 12 words and sometimes
> 10 minutes to find a valid 24-word reversible mnemonic.
> Example 12 words reversible (with valid checksum each way):
>
> limit exact seven clarify utility road image fresh leg cabbage hint canoe
>
> And Reversed:
>
> canoe hint cabbage leg fresh image road utility clarify seven exact limit
>
>
> Example 24 reversible:
>
> favorite uncover sugar wealth army shift goose fury market toe message
> remain direct arrow duck afraid enroll salt knife school duck sunny grunt
> argue
>
> And reversed:
>
> argue grunt sunny duck school knife salt enroll afraid duck arrow direct
> remain message toe market fury goose shift army wealth sugar uncover
> favorite
>
>
> My two questions 1) are how useful could this be for
> you/users/devs/service providers etc.. and 2) is any security loss
> occurring and whether it is negligible or not?
>
> Best regards,
>
> Steven Hatzakis
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

[-- Attachment #2: Type: text/html, Size: 7691 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [bitcoin-dev] Proposal for Palindromic (Reversible) Mnemonics
  2018-12-03 20:54 ` Joseph Gleason ⑈
@ 2018-12-04 12:16   ` James MacWhyte
  2018-12-04 12:42     ` Steven Hatzakis
  0 siblings, 1 reply; 5+ messages in thread
From: James MacWhyte @ 2018-12-04 12:16 UTC (permalink / raw)
  To: fireduck, Bitcoin Protocol Discussion; +Cc: shatzakis

[-- Attachment #1: Type: text/plain, Size: 5346 bytes --]

I agree with Joseph. If you want plausible deniability, it would be better
to simply hide the funds somewhere in the HD chain. Same if you want a
second vault tied to the same phrase.

You are reducing security by eliminating all entropy that doesn't fit the
reversible criteria, although in practice it doesn't make a difference
because the numbers are so big. However, it doesn't seem like a very useful
feature to have.

Thanks for doing all that work though, it was fun to read about your idea
and what you found out through experimenting!

James


On Mon, Dec 3, 2018 at 1:00 PM Joseph Gleason ⑈ via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> I have a suggestion.  If you are concerned about plausible deniability,
> then it might make sense to just have the single mnemonic seed lead to a
> single xprv key (as usual) and then do a private key derivation from that
> based on a password string.  The password can be simple, as it is based on
> the security of the seed, just as long as the user feels they need for
> deniability.
>
> A simple reverse scheme like you describe would just be another thing a
> person would know to check if given some seed so I don't see it as
> providing much value, but I could be missing something.
>
> On Mon, Dec 3, 2018 at 10:45 AM Steven Hatzakis via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Hi All,
>>
>> I've developed a method to check if a mnemonic is also valid when the
>> words are put into reverse order (not the entropy), where a given 12 or
>> 24-word mnemonic could be valid both in little endian and big endian
>> format. I've coined these "Palindromic Mnemonics", but perhaps more
>> user-friendly is "reversible mnemonics."
>>
>> Purpose:
>> A checksum-valid reversible mnemonic allows two separate vaults to be
>> connected to the same mnemonic string of words, where all a users must do
>> is enter the words in reverse order (the last word becomes first, second to
>> last becomes second, and so on) to access the secondary (reversed words)
>> vault. This utility could provide multiple use-cases, including related to
>> combinations with passphrases and plausible deniability, as well as
>> conveniences for those wishing to use a separate vault tied to the same
>> string of words.
>>
>> Security:
>> For any randomly generated 12-word mnemonic (128-bits of security) the
>> chances of it also being reversible are 1/16 (I believe), as a total of 4
>> bit positions must be identical (4 bits from the normal mnemonic and
>> another 4 bits from the reversed string must match). For a 24-word
>> mnemonic, those values increase to 8 bits which need to match 8 bits from
>> the reversed string, leading to about 1 in every 256 mnemonics also being
>> reversible. While the message space of valid reversible mnemonics should be
>> 2^124 for 12 words, that search must still be conducted over a field of 2
>> ^128, as the hash-derived checksum values otherwise prevent a way to
>> deterministically find valid reversible mnemonics without first going
>> through invalid reversible ones to check. I think others should chime in on
>> whether they believe there is any security loss, in terms of entropy bits
>> (assuming the initial 128 bits were generated securely). I estimate at most
>> it would be 4-bits of loss for a 12-word mnemonic, but only if an attacker
>> had a way to search only the space of valid reversible mnemonics (2**124)
>> which I don't think is feasible (could be wrong?). There could also be
>> errors in my above assumptions, this is a work in progress and sharing it
>> here to solicit initial feedback/interest.
>>
>> I've already written the code that can be used for testing (on GitHub
>> user @hatgit), and when run from terminal/command prompt it is pretty fast
>> to find a valid reversible mnemonics, whereas on IDLE in Python on a 32-bit
>> and 64-bit machine it could take a few seconds for 12 words and sometimes
>> 10 minutes to find a valid 24-word reversible mnemonic.
>> Example 12 words reversible (with valid checksum each way):
>>
>> limit exact seven clarify utility road image fresh leg cabbage hint canoe
>>
>> And Reversed:
>>
>> canoe hint cabbage leg fresh image road utility clarify seven exact limit
>>
>>
>> Example 24 reversible:
>>
>> favorite uncover sugar wealth army shift goose fury market toe message
>> remain direct arrow duck afraid enroll salt knife school duck sunny grunt
>> argue
>>
>> And reversed:
>>
>> argue grunt sunny duck school knife salt enroll afraid duck arrow direct
>> remain message toe market fury goose shift army wealth sugar uncover
>> favorite
>>
>>
>> My two questions 1) are how useful could this be for
>> you/users/devs/service providers etc.. and 2) is any security loss
>> occurring and whether it is negligible or not?
>>
>> Best regards,
>>
>> Steven Hatzakis
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

[-- Attachment #2: Type: text/html, Size: 9288 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [bitcoin-dev] Proposal for Palindromic (Reversible) Mnemonics
  2018-12-04 12:16   ` James MacWhyte
@ 2018-12-04 12:42     ` Steven Hatzakis
       [not found]       ` <CALYX514jH_wYrONu=hpj924p98cEcHnyZLdu2jDt5tkhoKL9kw@mail.gmail.com>
  0 siblings, 1 reply; 5+ messages in thread
From: Steven Hatzakis @ 2018-12-04 12:42 UTC (permalink / raw)
  To: macwhyte; +Cc: bitcoin-dev

[-- Attachment #1: Type: text/plain, Size: 6586 bytes --]

Thanks, James and Joseph, for the feedback,
It has been a fun experiment!

I just want to note that the plausible deniability was not the motive but
just an example use-case, there are perhaps other use-cases that would be
on the user to decide. I think having a mnemonic that is also reversible
could be useful for other reasons - convenience related perhaps.
*Re security:* I am still not convinced entirely that security is reduced
at all because one still has to search through all entropy in the range
of 2^128 to see whether any of those are reversible (unless there is a way
to only search the field of 2^124 that are reversible, which I don't think
is possible because the hash-derived checksum cannot be determined before
hashing, only afterward). Therefore, security should still be 2^128 for a
12-word mnemonic whether it is reversible or not (as one in every 16 people
that already have one (12-word) is reversible, they just might not realize
it, so we can't say those are less secure).

Best regards,

On Tue, Dec 4, 2018 at 2:16 PM James MacWhyte <macwhyte@gmail.com> wrote:

> I agree with Joseph. If you want plausible deniability, it would be better
> to simply hide the funds somewhere in the HD chain. Same if you want a
> second vault tied to the same phrase.
>
> You are reducing security by eliminating all entropy that doesn't fit the
> reversible criteria, although in practice it doesn't make a difference
> because the numbers are so big. However, it doesn't seem like a very useful
> feature to have.
>
> Thanks for doing all that work though, it was fun to read about your idea
> and what you found out through experimenting!
>
> James
>
>
> On Mon, Dec 3, 2018 at 1:00 PM Joseph Gleason ⑈ via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> I have a suggestion.  If you are concerned about plausible deniability,
>> then it might make sense to just have the single mnemonic seed lead to a
>> single xprv key (as usual) and then do a private key derivation from that
>> based on a password string.  The password can be simple, as it is based on
>> the security of the seed, just as long as the user feels they need for
>> deniability.
>>
>> A simple reverse scheme like you describe would just be another thing a
>> person would know to check if given some seed so I don't see it as
>> providing much value, but I could be missing something.
>>
>> On Mon, Dec 3, 2018 at 10:45 AM Steven Hatzakis via bitcoin-dev <
>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>> Hi All,
>>>
>>> I've developed a method to check if a mnemonic is also valid when the
>>> words are put into reverse order (not the entropy), where a given 12 or
>>> 24-word mnemonic could be valid both in little endian and big endian
>>> format. I've coined these "Palindromic Mnemonics", but perhaps more
>>> user-friendly is "reversible mnemonics."
>>>
>>> Purpose:
>>> A checksum-valid reversible mnemonic allows two separate vaults to be
>>> connected to the same mnemonic string of words, where all a users must do
>>> is enter the words in reverse order (the last word becomes first, second to
>>> last becomes second, and so on) to access the secondary (reversed words)
>>> vault. This utility could provide multiple use-cases, including related to
>>> combinations with passphrases and plausible deniability, as well as
>>> conveniences for those wishing to use a separate vault tied to the same
>>> string of words.
>>>
>>> Security:
>>> For any randomly generated 12-word mnemonic (128-bits of security) the
>>> chances of it also being reversible are 1/16 (I believe), as a total of 4
>>> bit positions must be identical (4 bits from the normal mnemonic and
>>> another 4 bits from the reversed string must match). For a 24-word
>>> mnemonic, those values increase to 8 bits which need to match 8 bits from
>>> the reversed string, leading to about 1 in every 256 mnemonics also being
>>> reversible. While the message space of valid reversible mnemonics should be
>>> 2^124 for 12 words, that search must still be conducted over a field of
>>> 2^128, as the hash-derived checksum values otherwise prevent a way to
>>> deterministically find valid reversible mnemonics without first going
>>> through invalid reversible ones to check. I think others should chime in on
>>> whether they believe there is any security loss, in terms of entropy bits
>>> (assuming the initial 128 bits were generated securely). I estimate at most
>>> it would be 4-bits of loss for a 12-word mnemonic, but only if an attacker
>>> had a way to search only the space of valid reversible mnemonics (2**124)
>>> which I don't think is feasible (could be wrong?). There could also be
>>> errors in my above assumptions, this is a work in progress and sharing it
>>> here to solicit initial feedback/interest.
>>>
>>> I've already written the code that can be used for testing (on GitHub
>>> user @hatgit), and when run from terminal/command prompt it is pretty fast
>>> to find a valid reversible mnemonics, whereas on IDLE in Python on a 32-bit
>>> and 64-bit machine it could take a few seconds for 12 words and sometimes
>>> 10 minutes to find a valid 24-word reversible mnemonic.
>>> Example 12 words reversible (with valid checksum each way):
>>>
>>> limit exact seven clarify utility road image fresh leg cabbage hint canoe
>>>
>>> And Reversed:
>>>
>>> canoe hint cabbage leg fresh image road utility clarify seven exact limit
>>>
>>>
>>> Example 24 reversible:
>>>
>>> favorite uncover sugar wealth army shift goose fury market toe message
>>> remain direct arrow duck afraid enroll salt knife school duck sunny grunt
>>> argue
>>>
>>> And reversed:
>>>
>>> argue grunt sunny duck school knife salt enroll afraid duck arrow direct
>>> remain message toe market fury goose shift army wealth sugar uncover
>>> favorite
>>>
>>>
>>> My two questions 1) are how useful could this be for
>>> you/users/devs/service providers etc.. and 2) is any security loss
>>> occurring and whether it is negligible or not?
>>>
>>> Best regards,
>>>
>>> Steven Hatzakis
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>

[-- Attachment #2: Type: text/html, Size: 11391 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [bitcoin-dev] Proposal for Palindromic (Reversible) Mnemonics
       [not found]       ` <CALYX514jH_wYrONu=hpj924p98cEcHnyZLdu2jDt5tkhoKL9kw@mail.gmail.com>
@ 2018-12-04 21:39         ` Steven Hatzakis
  0 siblings, 0 replies; 5+ messages in thread
From: Steven Hatzakis @ 2018-12-04 21:39 UTC (permalink / raw)
  To: mike; +Cc: bitcoin-dev

[-- Attachment #1: Type: text/plain, Size: 10946 bytes --]

Hi Michael, thanks for the feedback.
To answer your question, the motivation was partly that some applications
do not accept passphrases, making mnemonics less versatile in those cases
in terms of vault separation when logging in to those services, although I
agree in that specific context reversible mnemonics don't add further
security (like a passphrase can) but it shouldn't lessen security either
(in terms of entropy and bit-security).

Of course, If someone finds a plaintexts recovery phrase (i.e. hacker) then
there is no security to prevent the funds being moved out whether it is
reversible or not (unless again a passphrase was present, and even that can
be brute forced so protecting the words are key) unless it represented some
multi-sig key or was a Shamir secret share (such as is being proposed under
SLIP0039 by Satoshi Labs, and Ian Coleman hosts a prototype).

I think comparable to vanity addresses, reversible mnemonics could be part
novelty, but I do think there is also an actual utility. I am not
suggesting they are used 100% of the time, rather a user could choose to
generate one manually or check if their existing one is already reversible.
Those options could be provided at the software level and then it would be
up to the user to chose. Bottom line, I think that users who have smaller
amounts in hot wallets could find it useful to have reversible mnemonics
for switching from one service to another without having to access yet
another mnemonic. Whereas, for those creating them offline (cold storage)
it could provide an additional vault and additional passphrase options.
Here's an example:

Vault #1 normal mnemonic
Vault #2 normal mnemonic w/passphrase
Vault #3 reversed mnemonic
Vault #4 reversed mnemonic w/passphrase


Best regards,

Steven Hatzakis


On Tue, Dec 4, 2018 at 4:16 PM Michael Dunworth <mike@sendwyre.com> wrote:

> Cool idea, and appreciate the explainer surrounding it!
>
> What are the motivators to have it? Simplifying the recovery process
> (easier to remember?) - Would love to know more from that if you're happy
> to share! That'd help gauge the security considerations.
>
> Security thoughts:
> - Probability of guessing is one thing, probability of getting access to a
> keyword/phrase is another thing. So if the recovery/accessibility becomes a
> motivator, that then can broaden the attack vectors pretty significantly.
> Which would result in a significant decrease in the security (IMO?).
> - Broadcasting the use of reversable mnemonics would become an attack
> vector potentially. Now any members of the security team or members within
> close proximity could learn that reversible phrases are used, and
> insulating this information from becoming public knowledge would become
> it's own security consideration. If it's already a 6.25% (1/16) chance
> they're reversible, I wouldn't want it publicly known that it's a 100%
> chance.
> - Feels like it could be useful in terms of a "duress password" although
> that might be implemented similarly to what Joseph mentioned where you
> would route the reverse phrase to somewhere other than the core assets.
>
> May be misunderstanding or have bad maths this early in the morning, but I
> think I'd be nervous to implement something like this without a pretty
> clear upside. Seems like it only adds additional risk?
>
> Thank you.
>
> Kind regards,
>
> Michael.
> ᐧ
>
> On Tue, Dec 4, 2018 at 5:11 AM Steven Hatzakis via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Thanks, James and Joseph, for the feedback,
>> It has been a fun experiment!
>>
>> I just want to note that the plausible deniability was not the motive but
>> just an example use-case, there are perhaps other use-cases that would be
>> on the user to decide. I think having a mnemonic that is also reversible
>> could be useful for other reasons - convenience related perhaps.
>> *Re security:* I am still not convinced entirely that security is
>> reduced at all because one still has to search through all entropy in the
>> range of 2^128 to see whether any of those are reversible (unless there is
>> a way to only search the field of 2^124 that are reversible, which I don't
>> think is possible because the hash-derived checksum cannot be determined
>> before hashing, only afterward). Therefore, security should still be 2^128
>> for a 12-word mnemonic whether it is reversible or not (as one in every 16
>> people that already have one (12-word) is reversible, they just might not
>> realize it, so we can't say those are less secure).
>>
>> Best regards,
>>
>> On Tue, Dec 4, 2018 at 2:16 PM James MacWhyte <macwhyte@gmail.com> wrote:
>>
>>> I agree with Joseph. If you want plausible deniability, it would be
>>> better to simply hide the funds somewhere in the HD chain. Same if you want
>>> a second vault tied to the same phrase.
>>>
>>> You are reducing security by eliminating all entropy that doesn't fit
>>> the reversible criteria, although in practice it doesn't make a difference
>>> because the numbers are so big. However, it doesn't seem like a very useful
>>> feature to have.
>>>
>>> Thanks for doing all that work though, it was fun to read about your
>>> idea and what you found out through experimenting!
>>>
>>> James
>>>
>>>
>>> On Mon, Dec 3, 2018 at 1:00 PM Joseph Gleason ⑈ via bitcoin-dev <
>>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>
>>>> I have a suggestion.  If you are concerned about plausible deniability,
>>>> then it might make sense to just have the single mnemonic seed lead to a
>>>> single xprv key (as usual) and then do a private key derivation from that
>>>> based on a password string.  The password can be simple, as it is based on
>>>> the security of the seed, just as long as the user feels they need for
>>>> deniability.
>>>>
>>>> A simple reverse scheme like you describe would just be another thing a
>>>> person would know to check if given some seed so I don't see it as
>>>> providing much value, but I could be missing something.
>>>>
>>>> On Mon, Dec 3, 2018 at 10:45 AM Steven Hatzakis via bitcoin-dev <
>>>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> I've developed a method to check if a mnemonic is also valid when the
>>>>> words are put into reverse order (not the entropy), where a given 12 or
>>>>> 24-word mnemonic could be valid both in little endian and big endian
>>>>> format. I've coined these "Palindromic Mnemonics", but perhaps more
>>>>> user-friendly is "reversible mnemonics."
>>>>>
>>>>> Purpose:
>>>>> A checksum-valid reversible mnemonic allows two separate vaults to be
>>>>> connected to the same mnemonic string of words, where all a users must do
>>>>> is enter the words in reverse order (the last word becomes first, second to
>>>>> last becomes second, and so on) to access the secondary (reversed words)
>>>>> vault. This utility could provide multiple use-cases, including related to
>>>>> combinations with passphrases and plausible deniability, as well as
>>>>> conveniences for those wishing to use a separate vault tied to the same
>>>>> string of words.
>>>>>
>>>>> Security:
>>>>> For any randomly generated 12-word mnemonic (128-bits of security) the
>>>>> chances of it also being reversible are 1/16 (I believe), as a total of 4
>>>>> bit positions must be identical (4 bits from the normal mnemonic and
>>>>> another 4 bits from the reversed string must match). For a 24-word
>>>>> mnemonic, those values increase to 8 bits which need to match 8 bits from
>>>>> the reversed string, leading to about 1 in every 256 mnemonics also being
>>>>> reversible. While the message space of valid reversible mnemonics should be
>>>>> 2^124 for 12 words, that search must still be conducted over a field
>>>>> of 2^128, as the hash-derived checksum values otherwise prevent a way
>>>>> to deterministically find valid reversible mnemonics without first going
>>>>> through invalid reversible ones to check. I think others should chime in on
>>>>> whether they believe there is any security loss, in terms of entropy bits
>>>>> (assuming the initial 128 bits were generated securely). I estimate at most
>>>>> it would be 4-bits of loss for a 12-word mnemonic, but only if an attacker
>>>>> had a way to search only the space of valid reversible mnemonics (2**124)
>>>>> which I don't think is feasible (could be wrong?). There could also be
>>>>> errors in my above assumptions, this is a work in progress and sharing it
>>>>> here to solicit initial feedback/interest.
>>>>>
>>>>> I've already written the code that can be used for testing (on GitHub
>>>>> user @hatgit), and when run from terminal/command prompt it is pretty fast
>>>>> to find a valid reversible mnemonics, whereas on IDLE in Python on a 32-bit
>>>>> and 64-bit machine it could take a few seconds for 12 words and sometimes
>>>>> 10 minutes to find a valid 24-word reversible mnemonic.
>>>>> Example 12 words reversible (with valid checksum each way):
>>>>>
>>>>> limit exact seven clarify utility road image fresh leg cabbage hint
>>>>> canoe
>>>>>
>>>>> And Reversed:
>>>>>
>>>>> canoe hint cabbage leg fresh image road utility clarify seven exact
>>>>> limit
>>>>>
>>>>>
>>>>> Example 24 reversible:
>>>>>
>>>>> favorite uncover sugar wealth army shift goose fury market toe message
>>>>> remain direct arrow duck afraid enroll salt knife school duck sunny grunt
>>>>> argue
>>>>>
>>>>> And reversed:
>>>>>
>>>>> argue grunt sunny duck school knife salt enroll afraid duck arrow
>>>>> direct remain message toe market fury goose shift army wealth sugar uncover
>>>>> favorite
>>>>>
>>>>>
>>>>> My two questions 1) are how useful could this be for
>>>>> you/users/devs/service providers etc.. and 2) is any security loss
>>>>> occurring and whether it is negligible or not?
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Steven Hatzakis
>>>>> _______________________________________________
>>>>> bitcoin-dev mailing list
>>>>> bitcoin-dev@lists.linuxfoundation.org
>>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>>
>>>> _______________________________________________
>>>> bitcoin-dev mailing list
>>>> bitcoin-dev@lists.linuxfoundation.org
>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>
>>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
>
> --
> Michael Dunworth
> Co-Founder, CEO
>
>
>
> We're now Wyre, Inc! Read about the rebrand here
> <https://medium.com/@wyre/wyre-raises-5-8m-series-a-10e90718009b>.
>
> Wyre uses blockchain technology to help make your bank transfers faster
> than email.
>

[-- Attachment #2: Type: text/html, Size: 19205 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2018-12-04 21:39 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-12-03 18:27 [bitcoin-dev] Proposal for Palindromic (Reversible) Mnemonics Steven Hatzakis
2018-12-03 20:54 ` Joseph Gleason ⑈
2018-12-04 12:16   ` James MacWhyte
2018-12-04 12:42     ` Steven Hatzakis
     [not found]       ` <CALYX514jH_wYrONu=hpj924p98cEcHnyZLdu2jDt5tkhoKL9kw@mail.gmail.com>
2018-12-04 21:39         ` Steven Hatzakis

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox