* [bitcoin-dev] No Order Mnemonic
From: Anton Shevchenko @ 2022-07-07 14:33 UTC
To: bitcoin-dev

Hello, I am new to this list, sorry if it's been discussed earlier.

I made a python implementation for a different mnemonic encoding. The encoding requires the user to remember words but not the order of those words. The code is open (MIT license) at https://github.com/sancoder/noomnem

-- Anton Shevchenko
* Re: [bitcoin-dev] No Order Mnemonic
From: Bram Cohen @ 2022-07-07 17:36 UTC
To: Anton Shevchenko, Bitcoin Protocol Discussion

On Thu, Jul 7, 2022 at 7:43 AM Anton Shevchenko via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> I made a python implementation for a different mnemonic encoding. The encoding requires the user to remember words but not the order of those words. The code is open (MIT license) at https://github.com/sancoder/noomnem

Thanks Anton. There's an interesting mathematical question of whether it's possible to make a code like this which always uses the BIP-39 words for the same key as part of its encoding, basically adding a few words as error correction in case the order is lost or confused. If the BIP-39 contains a duplicate you can add an extra word.
* Re: [bitcoin-dev] No Order Mnemonic
From: Pavol Rusnak @ 2022-07-07 17:52 UTC
To: Bitcoin Protocol Discussion, Bram Cohen

There is. Just encode the index of the permutation used to scramble the otherwise sorted list. For 12 words you need to store 12! = ~32 bits so 3 words should be enough.

Repetitions make this more difficult, though.

On Thu 7. 7. 2022 at 19:41, Bram Cohen via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> Thanks Anton. There's an interesting mathematical question of whether it's possible to make a code like this which always uses the BIP-39 words for the same key as part of its encoding, basically adding a few words as error correction in case the order is lost or confused. If the BIP-39 contains a duplicate you can add an extra word.

-- 
Best Regards / S pozdravom,

Pavol "stick" Rusnak
Co-Founder, SatoshiLabs
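Pavol's permutation-index idea worked through, as an added example that is neither code from this thread nor from the noomnem project: words are handled as BIP-39 indices (0..2047), the order of the 12 words is ranked with a Lehmer code and packed into extra 11-bit words, and decoding sorts whatever order the user remembered and un-ranks it. Function names are my own; the block also covers the repeated-word case Pavol flags, which a position-based tie-break makes decode correctly.

```python
import math
from typing import List, Tuple

WORD_BITS = 11  # a BIP-39 word carries 11 bits (2048-word list)


def order_bits(n: int) -> float:
    """Bits of information carried purely by the order of n words: log2(n!)."""
    return math.log2(math.factorial(n))


def extra_words_needed(n: int) -> int:
    """Smallest number of 11-bit words that can hold a permutation index for n words."""
    return math.ceil(order_bits(n) / WORD_BITS)


def _slot_permutation(words: List[int]) -> List[int]:
    """perm[i] = position that words[i] occupies in the sorted list.

    Ties between repeated words are broken by original position, so the
    permutation is still well defined when the same word occurs twice.
    """
    order = sorted(range(len(words)), key=lambda i: (words[i], i))
    slot_of = {pos: slot for slot, pos in enumerate(order)}
    return [slot_of[i] for i in range(len(words))]


def permutation_rank(words: List[int]) -> int:
    """Lehmer-code rank (0 .. n!-1) of the order of `words` relative to sorted(words)."""
    perm = _slot_permutation(words)
    n = len(perm)
    remaining = list(range(n))
    rank = 0
    for i, s in enumerate(perm):
        k = remaining.index(s)          # how many unused slots are smaller than s
        rank += k * math.factorial(n - 1 - i)
        remaining.pop(k)
    return rank


def permutation_unrank(rank: int, n: int) -> List[int]:
    """Inverse of permutation_rank: rebuild the slot permutation of n words."""
    remaining = list(range(n))
    perm = []
    for i in range(n):
        k, rank = divmod(rank, math.factorial(n - 1 - i))
        perm.append(remaining.pop(k))
    return perm


def encode_unordered(words: List[int]) -> Tuple[List[int], List[int]]:
    """Return (the words in sorted order, the extra words that carry the original order).

    The extra words are 11-bit chunks of the rank, least significant first, so
    for 12 words (12! < 2^29) three extra words suffice, as Pavol states.
    """
    rank = permutation_rank(words)
    extra = []
    for _ in range(extra_words_needed(len(words))):
        extra.append(rank & ((1 << WORD_BITS) - 1))
        rank >>= WORD_BITS
    return sorted(words), extra


def decode_unordered(unordered: List[int], extra: List[int]) -> List[int]:
    """Recover the original order from ANY ordering of the words plus the extra words."""
    rank = 0
    for w in reversed(extra):
        rank = (rank << WORD_BITS) | w
    perm = permutation_unrank(rank, len(unordered))
    ordered = sorted(unordered)          # repeated words are interchangeable here
    return [ordered[s] for s in perm]


if __name__ == "__main__":
    # constructed sample: 12 indices with two repeats (5 and 33), not a real seed
    words = [1973, 5, 2047, 5, 100, 0, 1500, 33, 33, 900, 12, 777]
    unordered, extra = encode_unordered(words)
    print("order carries %.1f bits -> %d extra words" % (order_bits(12), len(extra)))
    # the user may hand back the words in any order, e.g. reversed
    print(decode_unordered(list(reversed(unordered)), extra) == words)
```

The extra words still form a group the user must keep apart from the 12 seed words, which is the usability objection Anton raises in his reply.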
* Re: [bitcoin-dev] No Order Mnemonic
From: Anton Shevchenko @ 2022-07-07 17:58 UTC
To: Pavol Rusnak, Alfred Hodler, Bram Cohen

But this will require the user to distinguish the 12 words from the error-correcting words. Which is another hassle.

On Thu, Jul 7, 2022, at 10:52 AM, Pavol Rusnak wrote:
> There is. Just encode the index of the permutation used to scramble the otherwise sorted list. For 12 words you need to store 12! = ~32 bits so 3 words should be enough.
>
> Repetitions make this more difficult, though.
* Re: [bitcoin-dev] No Order Mnemonic
From: Bram Cohen @ 2022-07-08 1:47 UTC
To: Pavol Rusnak; Cc: Bitcoin Protocol Discussion

Part of the rules of my challenge is that the 'new' words need to be in the same pool as the 'old' words, so any ordering is okay. Without that requirement it's mathematically very straightforward.

On Thu, Jul 7, 2022 at 10:52 AM Pavol Rusnak <stick@satoshilabs.com> wrote:
> There is. Just encode the index of the permutation used to scramble the otherwise sorted list. For 12 words you need to store 12! = ~32 bits so 3 words should be enough.
>
> Repetitions make this more difficult, though.
* Re: [bitcoin-dev] No Order Mnemonic
From: Eric Voskuil @ 2022-07-08 2:19 UTC
To: Bram Cohen, Bitcoin Protocol Discussion

Without a performance requirement there is no reason you can’t store the BIP39 words in any order you want. So it’s certainly possible, just brute force the recovery. If you have less than a second vs. a few days then it’s a different question.

e

> On Jul 7, 2022, at 18:48, Bram Cohen via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> Part of the rules of my challenge is that the 'new' words need to be in the same pool as the 'old' words, so any ordering is okay. Without that requirement it's mathematically very straightforward.
* Re: [bitcoin-dev] No Order Mnemonic
From: vjudeu @ 2022-07-08 4:35 UTC
To: Eric Voskuil <eric@voskuil.org>, Bitcoin Protocol Discussion, Bram Cohen

Isn't it enough to just generate a seed in the same way as today, then sort the words alphabetically, and then use that as a seed? I know, the last word is a checksum, but there are only 2048 words, so it is not a big deal to get any checksum we want. If that is insecure, because of lower possible combinations, then it is always possible to increase the number of words to compensate for that.

On 2022-07-08 04:27:21 user Eric Voskuil via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> Without a performance requirement there is no reason you can’t store the BIP39 words in any order you want. So it’s certainly possible, just brute force the recovery. If you have less than a second vs. a few days then it’s a different question.
>
> e
* Re: [bitcoin-dev] No Order Mnemonic
From: Paul Sztorc @ 2022-07-08 9:12 UTC
To: vjudeu, Bitcoin Protocol Discussion

What do you do if the "first" word (of 12), happens to be the last word in the list alphabetically? So that seems like a dead end.

Since users are never expected to memorize the "whole list" (of 2048 words) in any case, it seems that the smarter thing to do (if this "order" criterion is desirable) may have been to just make the whole list 12x longer and cut it into 12 sections. Each of the 12 slots would have 2048 distinct words. Then the computer would handle the order; the user could neglect it.

I can guess why people weren't particularly interested in this: words always have to be written down in some order or another. Even if you write them down in a 3x4 grid, there are very few combinations needed to guess the one true ordering.

I wonder how obscure the words would have to be, by the 12th list of 2048? But still it might be fun - the 4th word might always be a nautical word, the 5th word a farm word, etc. And no one would confuse it with a bip39 phrase -- in fact since they are just lists of integers 1 to 2048, it would be pretty easy to make them interoperable. Very easy but perhaps still not worth doing.

Paul

On Fri, Jul 8, 2022, 4:48 AM vjudeu via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> Isn't it enough to just generate a seed in the same way as today, then sort the words alphabetically, and then use that as a seed? I know, the last word is a checksum, but there are only 2048 words, so it is not a big deal to get any checksum we want. If that is insecure, because of lower possible combinations, then it is always possible to increase the number of words to compensate for that.
* Re: [bitcoin-dev] No Order Mnemonic
From: James MacWhyte @ 2022-07-08 14:08 UTC
To: Paul Sztorc, Bitcoin Protocol Discussion

> What do you do if the "first" word (of 12), happens to be the last word in the list alphabetically?

That couldn't happen. If one word is the very last from the wordlist, it would end up at the end of your mnemonic once you rearrange your 12 words alphabetically.

However!

(@vjudeu) Choosing 11 random words and then sorting them alphabetically before assigning a checksum would reduce entropy considerably. If you think about it, to bruteforce the entire keyspace one would only need to come up with every possible combination of 11 words + 1 checksum. I'm not the best at napkin math, but I think that leaves you with around 10 trillion combinations, which would only take a couple months to exhaust with hardware that can do 1 million guesses per second.

James
* Re: [bitcoin-dev] No Order Mnemonic
From: Zac Greenwood @ 2022-07-09 20:31 UTC
To: Bitcoin Protocol Discussion, James MacWhyte

Sorting a seed alphabetically reduces entropy by ~29 bits.

A 12-word seed has (12, 12) permutations or 479 million, which is ln(469m) / ln(2) ~= 29 bits of entropy. Sorting removes this entropy entirely, reducing the seed entropy from 128 to 99 bits.

Zac

On Fri, 8 Jul 2022 at 16:09, James MacWhyte via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> That couldn't happen. If one word is the very last from the wordlist, it would end up at the end of your mnemonic once you rearrange your 12 words alphabetically.
>
> However!
>
> (@vjudeu) Choosing 11 random words and then sorting them alphabetically before assigning a checksum would reduce entropy considerably. If you think about it, to bruteforce the entire keyspace one would only need to come up with every possible combination of 11 words + 1 checksum. I'm not the best at napkin math, but I think that leaves you with around 10 trillion combinations, which would only take a couple months to exhaust with hardware that can do 1 million guesses per second.
>
> James
* Re: [bitcoin-dev] No Order Mnemonic
From: James MacWhyte @ 2022-07-09 22:21 UTC
To: Zac Greenwood; Cc: Bitcoin Protocol Discussion

Thanks, Zac! I indeed did get the napkin math very wrong. I now get around 10^30 total possible phrases, which would take an impossibly long time to brute force. So, it is less entropy but probably still sufficient for low-stakes usage.

James

On Sat, Jul 9, 2022 at 10:31 PM Zac Greenwood <zachgrw@gmail.com> wrote:
> Sorting a seed alphabetically reduces entropy by ~29 bits.
>
> A 12-word seed has (12, 12) permutations or 479 million, which is ln(469m) / ln(2) ~= 29 bits of entropy. Sorting removes this entropy entirely, reducing the seed entropy from 128 to 99 bits.
>
> Zac
* Re: [bitcoin-dev] No Order Mnemonic
From: Anton Shevchenko @ 2022-07-09 23:46 UTC
To: Alfred Hodler

I would say removing ordering from a 12-word seed reduces 25 bits of entropy, not 29. The additional 4 bits come from the checksum (12 words encode 132 bits, not 128).

My idea [for developing this project] was to feed its output to some kind of AI story generator (GPT-3 based?) so a user can remember a story, not ordered words. But as others pointed out, having 12 words without order is probably good enough. So at this point there's not much sense in using the proposed encoding. Unless a remembered story has holes/errors. In this case recovering a few words would be easier with unordered encoding. Any thoughts?

-- Anton Shevchenko

On Sat, Jul 9, 2022, at 1:31 PM, Zac Greenwood via bitcoin-dev wrote:
> Sorting a seed alphabetically reduces entropy by ~29 bits.
>
> A 12-word seed has (12, 12) permutations or 479 million, which is ln(469m) / ln(2) ~= 29 bits of entropy. Sorting removes this entropy entirely, reducing the seed entropy from 128 to 99 bits.
>
> Zac
* Re: [bitcoin-dev] No Order Mnemonic
From: Erik Aronesty @ 2022-07-11 13:11 UTC
To: Anton Shevchenko, Bitcoin Protocol Discussion

1. You can swap two positions, and then your recovery algorithm can brute-force the result by trying all 132 possible swaps.
2. You can make a single deletion and only have to brute 2048.
3. You can keep doing these, being aware that it becomes geometrically more difficult each time (deletion + swap = 270k ops).
4. A home PC can make 20k secp256k1 operations per second per core, so try to keep your number under a few million ops and it's still a decent UX (under a minute).

On Sat, Jul 9, 2022 at 8:01 PM Anton Shevchenko via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> I would say removing ordering from a 12-word seed reduces 25 bits of entropy, not 29. The additional 4 bits come from the checksum (12 words encode 132 bits, not 128).
>
> My idea [for developing this project] was to feed its output to some kind of AI story generator (GPT-3 based?) so a user can remember a story, not ordered words. But as others pointed out, having 12 words without order is probably good enough. So at this point there's not much sense in using the proposed encoding. Unless a remembered story has holes/errors. In this case recovering a few words would be easier with unordered encoding. Any thoughts?
>
> -- Anton Shevchenko
* Re: [bitcoin-dev] No Order Mnemonic
From: Erik Aronesty @ 2022-07-11 13:18 UTC
To: Anton Shevchenko, Bitcoin Protocol Discussion

Sorry, I totally forgot the checksum. You can take my ops-per-second and multiply it by about 16 (because of the 4 check bits), making a delete + two swaps or 4 swaps, etc. still pretty reasonable.

On Mon, Jul 11, 2022 at 9:11 AM Erik Aronesty <erik@q32.com> wrote:
> 1. You can swap two positions, and then your recovery algorithm can brute-force the result by trying all 132 possible swaps.
> 2. You can make a single deletion and only have to brute 2048.
> 3. You can keep doing these, being aware that it becomes geometrically more difficult each time (deletion + swap = 270k ops).
> 4. A home PC can make 20k secp256k1 operations per second per core, so try to keep your number under a few million ops and it's still a decent UX (under a minute).
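The recovery Erik sketches in his two messages, as an added example that is not his code and not from the thread: BIP-39 word indices carry a 4-bit checksum taken from SHA-256 of the 128-bit entropy, so the cheap checksum test is run over every candidate before the expensive key derivation. The block generates the candidates for one swapped pair (66 unordered position swaps, 12 words) and for one missing word; function names are mine, and the final step of deriving a key from each surviving candidate to identify the right one is left out.

```python
import hashlib
from itertools import combinations
from typing import List

WORD_BITS = 11
ENT_BITS = 128                      # 12-word mnemonic: 128 entropy bits ...
CS_BITS = ENT_BITS // 32            # ... plus 4 checksum bits = 132 = 12 * 11
WORDS = (ENT_BITS + CS_BITS) // WORD_BITS
MASK = (1 << WORD_BITS) - 1


def indices_from_entropy(entropy: bytes) -> List[int]:
    """BIP-39 encoding on word indices (the wordlist itself is not needed for the math):
    append the top ENT/32 bits of SHA-256(entropy), then cut into 11-bit groups."""
    if len(entropy) * 8 != ENT_BITS:
        raise ValueError("expected %d bytes of entropy" % (ENT_BITS // 8))
    cs = hashlib.sha256(entropy).digest()[0] >> (8 - CS_BITS)
    bits = (int.from_bytes(entropy, "big") << CS_BITS) | cs
    return [(bits >> (WORD_BITS * (WORDS - 1 - i))) & MASK for i in range(WORDS)]


def checksum_ok(indices: List[int]) -> bool:
    """True when the 12 indices carry a valid BIP-39 checksum."""
    if len(indices) != WORDS or any(not 0 <= w <= MASK for w in indices):
        return False
    bits = 0
    for w in indices:
        bits = (bits << WORD_BITS) | w
    entropy = (bits >> CS_BITS).to_bytes(ENT_BITS // 8, "big")
    return indices_from_entropy(entropy) == indices


def recover_swapped(indices: List[int]) -> List[List[int]]:
    """Candidates obtained by undoing one transposition of two positions.

    The checksum lets a wrong candidate through with probability 2^-4, so a
    few survivors are expected; only key derivation tells them apart.
    """
    found = []
    for i, j in combinations(range(len(indices)), 2):
        cand = list(indices)
        cand[i], cand[j] = cand[j], cand[i]
        if checksum_ok(cand):
            found.append(cand)
    return found


def recover_deleted(indices: List[int]) -> List[List[int]]:
    """Candidates for an 11-word list with one word missing at an unknown
    position: 12 insertion points x 2048 words, checksum-filtered."""
    found = []
    for pos in range(len(indices) + 1):
        for w in range(MASK + 1):
            cand = indices[:pos] + [w] + indices[pos:]
            if checksum_ok(cand):
                found.append(cand)
    return found


if __name__ == "__main__":
    # constructed entropy, not a real seed; the all-zero vector gives the
    # well-known "abandon x11 about" mnemonic, i.e. indices [0]*11 + [3]
    print(indices_from_entropy(bytes(16)))
    good = indices_from_entropy(bytes(range(16)))
    damaged = list(good)
    damaged[2], damaged[9] = damaged[9], damaged[2]
    cands = recover_swapped(damaged)
    print("swap candidates passing checksum: %d, original found: %s"
          % (len(cands), good in cands))
    cands = recover_deleted(good[:5] + good[6:])
    print("deletion candidates passing checksum: %d, original found: %s"
          % (len(cands), good in cands))
```

The survivor counts printed show why Erik's second message matters: the checksum cuts the candidate set by only about 16x, and each survivor still costs the key derivation he budgets for.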