[bitcoin-dev] Fortune Cookies to Bitcoin Seed

[bitcoin-dev] Fortune Cookies to Bitcoin Seed

[Trey Del Bonis]

Hello all,

This might be another proto-BIP similar to the post about using a card
shuffle as a wallet seed that was posted here a few weeks back:
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-February/016645.html

This is an idea I had to deriving a wallet seed from the lucky numbers
on a fortunes from fortune cookies [1].

On one side is some silly fortune, which we don't really care about
here.  But depending on the brand, on the other side there's 2 parts:

* "Learn Chinese", with a word in English and its translation into
Chinese characters and the (probably) pinyin.

* "Lucky Numbers", followed by usually 6 or 7 numbers, presumably in
the range of 1 to 99.  Someone can correct me on this if I'm wrong.

So each number should have around ~6.6 bits of entropy, which means
you could generate a "very secure" wallet seed with about 7 fortunes.
We can remember the order of the numbers on these fortunes based on
the English words, which we can commit to memory.

It's considered a rule of thumb that you can remember "7 things" at
once, which is pretty convenient for this.  Sometimes the numbers are
sorted, which decreases the entropy a bit, but that can be remedied
with just more fortunes.  This also splits up the information required
to reconstruct the seed into both something physical and something
remembered, and there isn't any particular ordering that someone can
mess up by, say, shuffling the card deck.  Although someone is
arguably more likely to throw away random fortunes than they are to
throw away a deck of cards which is a weakness of this scheme.

It also arguably has better deniability.  If you keep a pile of 20
fortunes (with different "Learn Chinese" words) and remember which 7
of them are for your key, but pick another 7 you can use to make a
decoy wallet to use if being forced to reveal a wallet.  Keeping 20
around is a little excessive but it gives 390700800 possible wallets.
So security can be trivially parameterized based on how secure you
want your wallet to be if someone finds your stash.

I wrote a little Python script to generate a key with this, it's not
very clean and could be much improved but it works pretty well as a
proof of concept: https://gitlab.com/delbonis/chinese-wallet

-Trey Del Bonis

[1] https://en.wikipedia.org/wiki/Fortune_cookie

Re: [bitcoin-dev] Fortune Cookies to Bitcoin Seed

[James MacWhyte]

[-- Attachment #1: Type: text/plain, Size: 999 bytes --]

On Tue, Mar 5, 2019 at 4:39 PM Trey Del Bonis via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Keeping 20 around is a little excessive but it gives 390700800 possible
> wallets. So security can be trivially parameterized based on how secure you
> want your wallet to be if someone finds your stash.
>

Mid-level hardware can check 50k addresses per second, which means it would
only take around 2 hours to check all possibilities. So please don't think
this presents any kind of challenge to someone who finds your 20 pieces of
paper and assumes you would only keep them if they are hiding your wallet ;)

Entropy-wise, simply using a strong RNG would provide a better result than
relying on the printing company. Maybe they only print 35 different
combinations and assume people don't eat Chinese food enough to notice?

If it's poor entropy and doesn't really provide any protection against
being brute forced if found, I'm not sure why you would want to go
this route :)

James

[-- Attachment #2: Type: text/html, Size: 1483 bytes --]

Re: [bitcoin-dev] Fortune Cookies to Bitcoin Seed

[Trey Del Bonis]

>Mid-level hardware can check 50k addresses per second, which means it would only take around 2 hours to check all possibilities.

Yes that's a problem that I'm now realizing exists.  Whoops!  Changing
the parameters to a 25-of-50 setup gets us ~129 bits in that case,
which is better but still somewhat crappy as 25 is a lot of words to
remember.  You'd be *far* better off just memorizing a BIP-39
seedphrase.  Maybe it would make sense to include in the hash some
extra secret phrase as extra entropy?  Probably not worth it.

>Maybe they only print 35 different combinations and assume people don't eat Chinese food enough to notice?

Upon some later research I found that this is actually the case from
certain vendors, which is unfortunate.

>I'm not sure why you would want to go this route :)

Because it was a fun idea I had while eating Chinese take-out the other day. :)

On Tue, Mar 5, 2019 at 8:06 PM James MacWhyte <macwhyte@gmail.com> wrote:
>
> On Tue, Mar 5, 2019 at 4:39 PM Trey Del Bonis via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>> Keeping 20 around is a little excessive but it gives 390700800 possible wallets. So security can be trivially parameterized based on how secure you want your wallet to be if someone finds your stash.
>
>
> Mid-level hardware can check 50k addresses per second, which means it would only take around 2 hours to check all possibilities. So please don't think this presents any kind of challenge to someone who finds your 20 pieces of paper and assumes you would only keep them if they are hiding your wallet ;)
>
> Entropy-wise, simply using a strong RNG would provide a better result than relying on the printing company. Maybe they only print 35 different combinations and assume people don't eat Chinese food enough to notice?
>
> If it's poor entropy and doesn't really provide any protection against being brute forced if found, I'm not sure why you would want to go this route :)
>
> James