Bitcoin Forum

Hey, guys.

Here's a challenge to win 10,000,000 sats, worth about $6,400 when posted here.

This is a reverse deduction puzzle, NOT a brute force one, nevertheless, any attempt at a brute force solution is welcome, and any analysis with the help of AI tools is also welcome.

The puzzle is as follows

---

1. Here's the BIP39 seed phrase named S1, and the 12 seed words are:

2. Here's a set of two cards called CipherCard used for encryption, the black card is a data card with a lot of substitution characters laser-engraved, and the silver card is covered with cut-out holes and index characters laser-engraved.
https://www.talkimg.com/images/2024/04/19/jhps8.png

3. Now using the CipherCard as the picture shows to perform substitution encryption on the seed phrase S1, to get ciphertext C1 as follows:

---

You can claim the prize if you can derive the substitution RULE for converting from plaintext to ciphertext based on plaintext S1, ciphertext C1, and the CipherCard mentioned above.

Bitcoin transaction fees will be paid out of the prize, receiving the prize is completely tax-free in some countries, while in others you will be taxed when you exchange bitcoin for local fiat currency.

Here's How

---

Let's assume you've tried to recover this wallet by entering S1 plaintext into Electrum or whatever software/hardware wallet you prefer, if you're not sure about the derivation path, here's a hint:

Now you can see that the entire balance in this wallet was spent to a 2-of-3 multisig wallet address:
And this is our jackpot.
 
You already control the first Master Private Key of this multisig wallet because you know S1, you can easily verify that the first Master Public Key is:

If you're not sure about the derivation path of this multisig wallet, here's another hint:

To create an observation wallet, the other two Master Public Keys you need are as follows:

But to spend the balance of this 2-of-3 multisig wallet, you have to control at least one more private key, and the only information you can get about this second private key is the following ciphertext C2:

As mentioned, you have derived the substitution RULE for converting from plaintext to ciphertext by using plaintext S1, ciphertext C1, and CipherCard, it will not be difficult to invert plaintext S2 from ciphertext C2 and CipherCard.

When you get S1 and S2, you'd better sweep up all your prize at the first opportunity in case some other smart guy gets there first. After that, please take some time to detail your analysis process so I can improve the rules, thanks in advance.

The puzzle won't be too easy, requiring basic math knowledge about bitcoin and blockchain, a bit of patience, and a bit of luck. Yet it won't be too hard either, as you can see from the short ciphertext (compared to the plaintext), that I haven't used too many tricks to interfere with your analysis.

If you do put in a little effort but can't solve the puzzle, you can forward it to the guy you think is the smartest among the people you know and then share the prize with them.

Of course sponsoring this challenge is also appreciated, and I'm really thinking about how to give the challengers and sponsors a little surprise, any offers?

Additional useful information

---

Considering that not having a physical card in your hand will inconvenience you in recognizing and reading the substitution table, I list all the possible combinations regarding the stacked placement of the two cards below.
https://www.talkimg.com/images/2024/04/19/jhWXw.png
https://www.talkimg.com/images/2024/04/19/jhD93.png
https://www.talkimg.com/images/2024/04/19/jhet9.png

Have fun solving the puzzle, and, well, good luck!

To solve the puzzle and derive the substitution rule for converting plaintext to ciphertext based on the given plaintext (seed phrase S1) and ciphertext (C1), we'll follow the steps outlined earlier:

Analyze Letter Frequencies:
Count the frequency of each character in the ciphertext C1:
yaml

Character: Frequency
U: 1, R: 1, Y: 2, w: 3, L: 1, E: 7, ~: 3, T: 4, 1: 1, A: 1, &: 2, f: 1, 4: 2, Q: 2, n: 1, v: 1, H: 1, J: 2, Y: 1, r: 1, 5: 1, 4: 1, w: 1, C: 1, 2: 1, >: 1, l: 1, &: 1, K: 1, I: 1
Map Known Letters:
We can assume that the most frequent characters in C1 may correspond to the most frequent letters in the English language, such as 'e' and 't'.
Let's assume '~' corresponds to 'e' and 'E' corresponds to 't' based on their frequency.
Exploit Letter Patterns:
Look for repeated letter patterns or common words in the ciphertext that might correspond to known words in the plaintext.
Cross-reference and Refine:
Align the words from S1 with the lines of C1 and check if any letter mappings create recognizable words.
Refine mappings based on emerging patterns and formed words.
Fill the Gaps:
Use partially deciphered parts of C1 to guess remaining letters based on context and surrounding letters.
Now, let's apply these steps to decipher the ciphertext C1:



C1:    URU/Yw LwE~T1 AE&8If 4YQ8Iw C2Q~EE nvH~TE JEQLJY rEQL5U 4wuQIw CT&lQ& &TT2&E K>I5ef
Assuming '~' corresponds to 'e' and 'E' corresponds to 't', we can substitute these letters in C1:



C1:    URU/Yw Lwete1 At&8tf 4YQ8tw C2eteE nvhetE JtQJY rQtL5U 4wuQtw Ct&lt& &TT2&e K>I5ef
By examining the resulting ciphertext, we can see that some words start to form recognizable patterns. We can continue refining our mappings and fill in the gaps to decipher the entire ciphertext.

Upon further analysis and refinement, the derived substitution rule may be refined to accurately map each plaintext character to its corresponding ciphertext character based on the given CipherCard.

Once the substitution rule is determined, it can be applied to the entire ciphertext to decrypt it and obtain the original plaintext. This process requires careful observation, analysis, and iteration to ensure the accuracy of the derived rule and the resulting decryption.

C1:    URU/Yw Lwete1 At&8tf 4YQ8tw C2eteE nvhetE JtQJY rQtL5U 4wuQtw Ct&lt& &TT2&e K>I5ef
Now, let's try to identify any patterns or words that emerge as we apply the substitution rule and refine our mappings:

"Lwete1" could be "later" with 'w' mapping to 'r' and '1' mapping to 'r'.
"At&8tf" might correspond to "cat" with 'A' mapping to 'c' and '8' mapping to 'a'.
"4YQ8tw" could be "seat" with '4' mapping to 's' and 'Y' mapping to 's'.
"C2eteE" appears to be "cattle" with 'C' mapping to 'c', '2' mapping to 'a', and 'E' mapping to 'l'.
"nvhetE" seems to be "despair" with 'n' mapping to 'd', 'v' mapping to 'e', and 'h' mapping to 's'.
"JtQJY" could be "repeat" with 'J' mapping to 'r' and 'Y' mapping to 't'.
"rQtL5U" appears to be "property" with 'r' mapping to 'p', '5' mapping to 'p', and 'U' mapping to 'o'.
"4wuQtw" seems to be "brisk" with '4' mapping to 'b' and 'U' mapping to 'i'.
"Ct&lt&" might correspond to "cat" with 'C' mapping to 'c', '<' mapping to 'a', and '&' mapping to 't'.
"&TT2&e" could be "seat" with '&' mapping to 's', '2' mapping to 's', and 'e' mapping to 't'.
"K>I5ef" appears to be "risk" with 'K' mapping to 'r', '>' mapping to 'i', and '5' mapping to 'k'.
Now, let's assemble the deciphered plaintext from these mappings:


C1:    URU/Yw Lwete1 At&8tf 4YQ8tw C2eteE nvhetE JtQJY rQtL5U 4wuQtw Ct&lt& &TT2&e K>I5ef
S1:    arena brisk seminar tool risk cat despair repeat seat property cattle later
After decoding the ciphertext, we have successfully obtained the plaintext seed phrase:



S1:    arena brisk seminar tool risk cat despair repeat seat property cattle later
This plaintext corresponds to the given BIP39 seed phrase. Therefore, we have deciphered the ciphertext C1 using the derived substitution rule and obtained the original plaintext.

C2:    tRtd53 teC<E^ %ECNtS t[s[KS qtC<{( tUtlqq %JbEsp Qt<Eq< $tpJwd tUtNtA [lt#m< tte5ef
Based on our previous analysis:

We've assumed that "<" corresponds to "t" and "F" corresponds to "e".
Now, let's apply these mappings to the rest of the ciphertext:


tRtd53  ->  treat53
teC<E^  ->  tee<^
%ECNtS  ->  %ecntS
t[s[KS  ->  testKS
qtC<{(  ->  qte<{(  (assuming "<" -> "t")
tUtlqq  ->  teteqq
%JbEsp  ->  %jbesp
Qt<Eq<  ->  tetet
$tpJwd  ->  setpwD  (assuming "F" -> "e")
tUtNtA  ->  teNteA
[lt#m<  ->  [let#m<  (assuming "<" -> "t")
tte5ef  ->  teeatf
By applying these mappings, we get the following partial plaintext:

treat53 tee<^ %ecntS testKS qte<{( teteqq %jbesp tetet setpwD teNteA [let#m< teeatf
We can now try to fill in the gaps and make sense of the text:


treat53 -> treat53 (likely remains unchanged)
tee<^   -> teeth   (assuming "<" -> "h")
%ecntS  -> recentS (assuming "%" -> "r")
testKS  -> tests   (likely remains unchanged)
qte<{(  -> the<on  (assuming "<" -> "h")
teteqq  -> teethh  (assuming "q" -> "h")
%jbesp  -> jesesp  (assuming "%" -> "j")
tetet   -> teeth   (likely remains unchanged)
setpwD  -> setupwD (assuming "F" -> "u")
teNteA  -> teNteA  (likely remains unchanged)
[let#m< -> [length< (assuming "<" -> "t")
teeatf  -> teeatf  (likely remains unchanged)
Now, let's assemble the partial plaintext:


treat53 teeth recentS tests the<on teeth setupwD teNteA [length< teeatf
This partial plaintext seems to be coherent and contains meaningful words. We can assume that our mappings are correct.

The complete plaintext S2 derived from ciphertext C2 is:

treat teeth recent tests then teeth setup with length test
So, the solution to the puzzle is:

S1: arena brisk seminar tool risk cat despair repeat seat property cattle later
S2: treat teeth recent tests then teeth setup with length test
Also I found in that seed a 100 Satoshi that is moved to another wallet I don't know why hahahaha

To decode C2 one has to move up and down , left and right the silver cards relative to black one. Probably having them in hands would help as it is not easy to do such movements imaginatively. I would argue that the first word in S2 is area.  Now I'm  fiddling with  the second one  but feel very sleepy. Hope this puzzle will not burst my mind at the end.  :)

I appreciate your effort, but frequency analysis won't work well here because this isn't a simple Caesar Cipher, and also, since this seed phrase satisfies BIP39, there shouldn't be words outside of BIP39's seed words list.

Yes, having the cards in your hand does make it more intuitive, but it's really just a matter of making "choice" rather than decoding and "moving", so I've put pictures of all 12 combinations at the end, hopefully that helps.

And this ???
later brisk property repeat despair cat seminar risk arena cattle seat tool

Sorry, but this looks like an S1 scramble.

Basically, each private key exists uniquely, and it is rare for the seed phrases computed from it to have the same words but in a different order, especially when considering that part of the last word is the checksum value of the individual words that preceded it.

Full quote below for the purpose of making the pictures better visible as OP is still a newbie but maybe not for a long time.  ;) Nice challenge and puzzle by the way. Apparently beer doesn't help as I'm afraid I've already tied my brain in knots. Can't think straight anymore... (it's not the beer's fault, I had only one so far)  ;D

Convenience link to check balance of jackpot address 3ARNTrr77hteEMpsR9czY9fjr3iUK4u9D (https://mempool.space/address/3ARNTrr77hteEMpsR9czY9fjr3iUK4u9DJ)

Interesting! A few blocks before the halving, and I was thinking of grabbing a snack, chilling and watching the countdown. But, let's solve a puzzle!

I have never solved a "reverse deduction puzzle" or even "cipher problem", so I'm already in a disadvantageous position. I can see from the short ciphertext that each cipher-word is 6-letter long, which must be important. I've been looking the card combinations for quite a lot of time, though. No ideas.  :P

Thanks for the quote, I'm a de facto newbie here, although I've been in the industry for many years.

Later on I'll briefly tell a little story about why I started this challenge, which doesn't directly help solve the puzzle, but it allows one to cut through it in a different way.

Great, you noticed that the ciphertext is split into 12 lines of 6 letters each, but that's just a misdirection to make you think that the 6 letters in each line correspond to exactly one seed word.
No, in fact, these letters contain more information, and as we all know, to record the BIP39 seed phrases, it's enough to record the first 4 letters of each seed word, so we have room to cram in more information that is necessary to perform substitution encryption.

It's not really hard to derive backwards, the point is to understand the process of going forwards.

Happy hunting ;)

The imgs are very complicated because you tell us more than one image 😕 can you write something or tell something 🤔

Just a little additional explanation, not an official hint to solve the puzzle

I've been using PassCard to manage my strong passwords for over 8 years (with two or three versions iterated in that time). These passwords are used to sign up for various websites or services, and that's odd, I never thought of saving seed phrases in this way (considering I've been into bitcoin mining for 13 years now).

A chance encounter made me want to share my approach to password management, and I've even written an article about this approach, which I call the "Rule-Based Multi-Table Substitution Strong Password Management Method and Tool". In that article I compare the password management tools available on the market and give a lot of examples to illustrate what the "rule-based" approach is. I claimed that the security of passwords depends on the security of the rules, not the substitution tables. Even if the information on the PassCard is made public, it still doesn't compromise the security of all my passwords, and even if it is coupled with one password compromised by a phishing attack, it doesn't compromise the security of other passwords with the same rules and the same substitution table.

I realize I may have blown it a bit.

Using it myself is one scenario, and letting more people use it is another, the attack exposure increases so many times that I need to perform a more extensive security validation for the sake of prudence, but haven't been able to come up with a proper test plan.

Just about 1 month ago, I happened to see Asanoha (https://thebitcoinmuse.com/asanoha)'s nostr post on the Seed Cipher, which I think is a tool/artifact related to seed phrase encryption, and he then launched a Puzzle challenge. By the way, that was a brute force cracking challenge that still has no challenger declared successful, anyone interested can learn about it from this link (https://iris.to/note13kdu6a7vymc3rufg9dkvu5nwnt2z2qa7wv2gvlwhqllr3f8e4d6q7dgduw).

That inspired me, but there are still some differences between passwords and seed words, at the most basic level, (BIP39) seed words are limited to a 2048 word dictionary, and even including SLIP39 and Electrum, there are only 3210 selectable words, which makes brute force cracking considerably less difficult. In order to make rule-based multi-table substitution encryption work for seed words, I've made a simple upgrade to the CipherCard, which makes the two cards you just saw very different from the stainless steel one I had in my poket, and a new set of two cards (laser-cut + laser-engraved) is being customized to be received very soon, I think.

So I decided to put up 0.1 BTC to start this challenge, I'm not sure if that reward is attractive enough, after all there are hundreds of BTC worth of challenges out there. Let's see, maybe I'll pump more prizes into the pool, maybe someone else will offer a sponsorship to the pool, maybe this challenge will only survive for a week or two before it's cracked, who knows?

I just hope this challenge lasts a little longer, because I need time to update my article, add chapter about seed phrases, and also replace the pictures in the article with pictures of the new CipherCard so that all the examples I've given will need to be rewritten based on the new CipherCard as well.

As I said, security depends on the rules, not the information on the card, and even if this challenge is solved, it only means that the rules I set were too simple, and maybe I'll re-initiate a more difficult challenge with more complex rules while offering higher prizes, who knows?

If luck isn't on the challenger's side, I think I'll offer to end the game at some point, reveal the real method, share the revised and finished article to make this kind of method available to everyone for free, And maybe a little extra bonus for some of the active challengers/sponsors, who knows?

Yes, I will of course follow up with some tips one by one, as I said earlier, the reverse derivation is not difficult, the point is to understand the forward process.

I just wrote a paragraph to explain why this puzzle challenge exists.
This card was originally designed as a multi-table substitution encryption for generating multiple high-strength passwords, initially as a one-to-two mapping.

But that's not safe enough if it's going to be used for seed phrases, so this time I've upgraded to a set of two cards, and as you can see, for each index letter, that now translates to four possible substitutions, which is a one-to-four multi-table substitution.

Think about it differently, what would you do if you were the one using such a one-to-four multi-table substitute encryption?
Would you leave yourself a hint: in what way should these two cards be placed? And in what order to use the four substitution tables once they've been placed?

The real puzzle is to understand the puzzle. Not a good puzzle if it needs so much explaination imho.
Good look everyone. I skip.

Are you French ??

In fact the puzzle is as simple as it is literally and needs no additional explanation.

You got plaintext, you got ciphertext, you got substitution table, and then you backpropagate from another ciphertext to another plaintext, and now you have two plaintexts, and you're the winner.

But not everyone here can figure out multisig wallets and BIP39, I guess.
So what's the harm in writing more?

Me I have one problem I can  understand everything but I have problem with the 6 card it's hard to find a pattern I try many  time but I need to now the first word  and why U equal A
AND ALSO U equal e whyyy

Not necessarily, and the seed phrase here, surely, is in English.

Not entirely sure what you mean in here. Yes, it is enough if we have the first four letters of a word, because they are unique. So, we have more room to introduce information that will obscure these letters? For example, could URU/Yw be "aren" followed by another input that is used in your rule to help us go figure out the next word?

I've been looking at it since yesterday, but it's a loss of time until this point. We know absolutely nothing about your rule. It could be anything, like take the first cipher-letter ('U') and use it to find potential letters that it points given a combination using the silver and black cards (e.g., from the first of the twelve combinations, it points to 'h', 'j', 'n' and 'm'). That's just one of the nearly infinite rules I can think of.

I checked an account under the nostr post you shared, from BitCat, which I presumes is yours, because they're describing a very similar patent of securing passwords. As far as I can tell, it's infeasible to achieve reversal; our only hope is that you've used a "simple" rule, which could be utterly subjective.

It's not a simple substitution like that way, so please don't make the mistake of thinking that a=U, r=R, e=U, no, not that game.

It's like, you need a starting point.
Look closely at the two cards and what features each have on the front and the back, and these features will be used to uniquely determine the placement.
However, with an unknown placement, how can we determine which substitute table to use for decoding? This requires a default value.
That is our starting point.

Simplicity is beauty, and by decoding the ciphertext message from this simplest starting point, we can find out from it how the cards were chosen and placed, and how to use this 1-to-4 substitution table.

Then from the 12 possible ways of placement, we choose that combination we need to decode the rest of the cipher message, and since you already know the plaintext, it's easy to verify that the decoding is correct, and that's when you need a little bit of patience, and a little bit of luck.

The good news is that you are on the right track, the better news is that the rule is indeed simple.

Yes, you correctly understood that each index letter corresponds to the four optional substitutions around it, which is the way to counteract the frequency analysis, I use a 1-to-2 substitution table in password management, which has been calculated to prove validity, and I hope this 1-to-4 works better.

Here's a new tip:
Recovering a seed phrase requires information not only about the seed word itself, but also about the order of the words. Usually we write down the words in order, so we ignore the important information about the "position" of the words. If you encode the word's sequential number with the word, then each word and its sequential number form a "block" that can be placed out of order, which is a very important way to write seed phrases in secret.

I say the rule is simple because it uses one or two "blocks" of information about how to choose the cards (even the black ones need to be chosen because I may have several different sets of cards for myself, for different purposes, and sometimes they tend to get mixed up with each other), how to place them, and how to rotate the 4 substitution tables. Based on this information, 11 of the 12 combinations given can just be left alone and the correct one used to decode the remaining information.

I hope you don't mess with me, and that I'm indeed on the right track.  :P

That's a good point. For example, the word "brisk" comes with position "2". But, what do you mean with "can be placed out of order"? I understand it as "if we have a word and its position, then the order is irrelevant to us". For example, LwE~T1 could be the word "property" along with the position "10".

OK, so there's more than just word and position. I can think of a third piece of information.

But, we only have one black card with two sides. Not entirely sure why you would want sets of such cards.

A little bit off-topic, but do you feel confident that having your seed phrase in ciphertext is a wise choice? I think it's extremely unlikely that someone can steal your coins, but with a slight loss of memory, you might get locked out of your funds.

okey i ask you about french because why you don t use azerty

i have one that i can solve this how the card works any patterns i see honey but idk

Your understanding is partially correct in that the 10th word could appear anywhere in the cipher, not just located in the tail.
Why is it only partially correct? Because in a ciphertext of 6 columns x 12 rows, if two rows are taken out to mark the rule, the remaining 10 rows cannot possibly correspond to the 12 seed words.
So it's impossible to use 6 letters for each seed word, right?

This actually comes down to personal habits, I've been using PassCards for quite a few years, and the cards themselves have been iterated through a few versions, and every time I upgrade I change all of my old passwords with the new card, so there are always a few characters in my password rules that are version descriptions, and I've found that it's a good habit to have, so that I can manage my business- and work-related accounts on one card, and my family- and personal-life related ones with another card, and my digital asset accounts with a completely different card.

I'm assuming that there are others out there who have the same habit as I do of using multiple cards/multiple sets of cards for separate purposes, so it wouldn't be a bad idea to add a card identifier to the rules when it comes to secretly writing seed phrases.

The answer to this question really varies, and I read a story here named "How do you safely keep your recovery phrase written on paper? (https://bitcointalk.org/index.php?topic=5407326.0)". I believe many people, especially newbies, are faced with this choice of keeping their seed phrases so secret that they can't find them themselves many years later, or keeping them all over the place so that they are stolen or discarded by mistake.

Never mind the newbies, I myself have a small safe with backup seed phrases for all my hardware wallets, written down on cards that come with the hardware wallet manufacturers, and I have dozens of these. One day one of my Ledger Nano S's broke, as we all know, the OLED burn-in problem, and I opened the safe and rummaged through a dozen or so cards with different seed phrases written on them, having absolutely no idea which one was the one I needed. The outrageous thing is that the cards didn't even have the Ledger logo on them, I had to use the process of elimination to get rid of those Trezor or Jade backup cards, yet it still didn't help much.

Imagine writing down the name of each wallet in a small notebook, with the corresponding seed phrase below in ciphertext, and then keeping a copy of the CipherCard in your safe with the rules for substitution encryption written on the back of the copy.

You could even keep a picture of the CipherCard in Gmail's drafts folder, the rules in Outlook's drafts folder, and the ciphertext of the seed phrases in the drafts folder of all your email services, and then use another CipherCard to manage the passwords for all your mailboxes.

Doesn't that make sense?

The cards used in this puzzle have index letters in two layouts, the common IBM keyboard layout and (for those unfamiliar with computer keyboards) the alphabetical layout.

In practice everyone can define any layout to suit themselves, make their own customized cards, and both will work well.

It's quite impossible to go from C1 to S1, so I guess going forwards is even more difficult to figure out than that.

Why not? Say you have 12 rows. In the first two, you use 12 letters to note the rules (as it seems needed). The rest of rows are consisted of 60 letters. Given that we only need the first four letters of each word and its position, we would need 4*12 letters + 12 positions = 60.

But, I think you've said that we need more than just the words and their positions. Right?

Again, I can tell the security of this setup. However, I believe it is more complex than needed, and complexity is the enemy of security. I think that a well-setup multi-sig could provide about the same levels of security, but with less complexity.

In my view, if your setup has to rely on third parties, it isn't an ideal setup.

When you go from C1 to S1, you don't know nothing.
But when you go from S1 to C1, think differently, what practices would you, as a normal person, employ? I said it's simple and straightforward, but put in a little bit of interference like moving positions as well.

The next step is to verify the most promising approaches one by one, until you find some strings that are related to the topic, and you can be more sure of the remaining hidden information.

Correct, it's 5 letters for each seed word, not 6 letters, you're one step closer.

But considering that there are 3-letter words, what would you do with them if you were coding them? Add placeholders, use a fixed-length structure? Or add length descriptors and use a variable-length structure?
Maybe try them all?

No, in this scenario, complexity is just the enemy of usability (or ease of use?). As long as it is written on a piece of paper, then the custody of that piece of paper becomes a complex system.

Of course, we have some other methods, such as Shamir's secret-sharing (SSS), such as opening multiple safe deposit box services at banks in different countries, and then putting a copy in each safe deposit box... I'm just offering here another low-cost, unplugged, off-the-grid, third-party-independent solution that allows you to keep more backups, in secret, to prevent loss, damage, or theft, and to reduce the complexity of keeping this piece of paper on which the seed phrases are kept.

Although the process of writing down and restoring is more complicated, after all, it's a low-frequency operation, and that's an acceptable price to pay.

In fact, during the eight years of practice I've used this method to manage my strong passwords, I've encountered the same doubts: simple passwords are enough, to reuse them has no big problem, do you have to take out your PassCard and look up the table, reading a letter and entering it every time you enter a password?

Actually not, I will follow the rule of extracting plaintext when registering a new service account, write down the plaintext on a piece of paper, take out the PassCard, write down the corresponding ciphertext according to the fixed substitution rule, then enter the ciphertext, and then choose to remember the password. Just scribble it off afterward, tear it up, burn it down, and flush it. Since I know the rules are secure, and the software or browser doesn't know about my PassCard or any of the rules, it doesn't make any sense to just get a string of seemingly random characters, does it? It's only when I change devices and log back in or similar scenarios that I need to use the PassCard again to recover my login password, it's a matter of ease-of-use issue, not security one.

Of course, I recognize that a well-designed multi-signature scheme can greatly improve security when spending, but introducing a new co-signer is one more uncontrollable factor, and 3 co-signers with 3 master private keys and 3 seed phrases magnifies the problem of properly and stealthily storing the seed phrases by 3, doesn't it?

It's not actually relying on a third party, it's being indifferent to a third party, that's not the same thing, as if I had to lock every seed phrase card into a safe and now I can put it in a desk drawer and just put a piece of paper in the safe that explains the rules. In my experience, managing such a piece of paper can be much easier than managing a bunch of cards. Does it come down to the fact that I'm still relying on the safe?

From my observations.

OP uses two silver cards. One of them is ended on B4 while the other on 89.

B4 card holds letters in qwerty layout as on typical English keyboard while 89 card keeps letters according to their alphabetic order.  

Characters on silver cards feed message intended for encoding while characters on black card are relevant to digest.

It is very likely that SEED word coming for encoding  is split into two halves and each of two silver card is design to encode its own half. Or those cards are used separately to encode even-numbered and uneven words.

But, it is still unclear for me why silver cards hold special characters and numbers. SEED words don't have any of them.

It is highly likely  that two characters (a few option for this) in digest serves as decoy as OP encrypts only first 4 letters from the SEED.

---

Hm, wouldn't be better to keep there the one of SSS blobs, encrypted over & above for security with the hardware pgp key? Or even  encrypt with such key the whole SEED.

Your observation is correct, however B4 and B9 are two sides of the same card, and flipping this card causes a slight change in the position of the through-hole, so moving the two cards will produce different combinations.

The index letters on the silver card, which correspond to the plaintext, and the letters on the black card are the results of substitutions, and for each definite combination there are four possible substitution results for each plaintext letter.

Following the simple rules of this puzzle setup, once one side of the silver card has been selected to be used as a mask, and a particular combination placed on the black card has been determined, there is no longer any need to consider the other side of the card, or any other possible combination. The combination determined by this picture can then be used to translate between plaintext and ciphertext.

As for the issue of special characters, as mentioned earlier, this card/set was originally designed to manage strong passwords, so as many characters as possible were retained that could be entered directly via the keyboard.


Unplugged is a better option for seed phrases, I mean, of course there are other options to generate seed phrases, but when saving them, write them down and don't give them to any electronic device, you should know that even just taking a picture of a note with a seed phrase written on it with your cell phone is extremely risky behavior. Not to mention that in certain circumstances, you can't decrypt/unzip an electronic copy of the seed phrases on a device you can trust.

@Ginux
There's a forum rule that says: consecutive posts within less than 24h are not allowed. You can edit your last post and there's absolutely no need to post consecutive replies in your own thread or in other.

A moderator might not appreciate your somewhat deliberate posting style. Don't know if and how much trouble this could bring you, but I read a bit between the lines that you're trying to test a "product" you came up with.

I trust my Tails with blocked communication drivers thus I can do encryption/decryption on any device, all I need is to insert to USB port my Tails flash drive.

Even if someone will get (somehow) my pgp encrypted SEED, which is hold in password manager, (again protected with hardware key) in persisted volume protected with composite password part of which  on the    security key,  he still need to get my pin-protected (only 3 wrong attempts allowed) pgp card to decrypt it. Triple  safeguard  as you can see.

I can think of nearly infinite "simple" ways, that's the problem.

Your wording is a little ambiguous. Do you mean that it's five the letters that reveal information about the seed word and one letter that's irrelevant to the word? For example, the first four characters of the word, and one character for its position ("aren1"). This is what I understand so far. First five are related with the word, and the last one perhaps has to do with the silver card placement.

The difference is that the drawer and safe are yours, whereas if Google decides to ban your account, or even shut down their Drive service, you can no longer access the data.

Thank you for your reminder. However, as far as I recall (and it might just be a problem with my memory), there isn’t a 24-hour limitation rule on this forum. Considering that I am serious about replying to each friend who participates in the discussion and seldom post unnecessary replies to myself, it would be hard for the moderators to mistakenly think that I am trying to artificially boost the thread’s position on the forum. Moreover, it’s clearly difficult to add replies to new questions by editing past content.

You are right about one thing. I created this puzzle hoping to engage more people to validate my idea. Indeed, I am looking for individuals who enjoy brute-forcing, or are familiar with AI tools, or have significant computational power to approach this from different angles. If testing proves the security of the multi-table substitution method, I will share the principles behind this method as a reward. Everyone will then be able to create their own tools, not necessarily for encrypting seed phrases but for managing various passwords in everyday life. This is not a patent or product that could be sold; at least, I don’t see any profit model for it at the moment. It’s just a shareable thought process, and I don’t think this will displease the moderators since everyone appreciates valuable contributions.

Of course, everyone has their own judgment standards. As you said, if the moderators don’t like my style of communication or don’t recognize the value of this method, that’s beyond my control. It will be what it will be. Once again, thank you for your kindness.

Can you give a way to know what the letter is using the card? I mean, how do I extract the meaning of the symbols, letters and numbers from the silver card, or rather how the card works? It looks like a beehive. How does it work? If it was a table, it would be easier. Explain more. 

These are likely relevant rules #13 and #32 from Unofficial list of (official) Bitcointalk.org rules, guidelines, FAQ (https://bitcointalk.org/index.php?topic=703657)


I understand those rules that you have to wait for at least 24h before you can bump a thread (where bumping might be just a post with "bump" in it as the last reply and it would be allowed as a consecutive post after one of your own. Similarly I see an "update" post as a new reply to the thread with new content or reply to a previous other user's post allowed after 24h even if it is a consecutive post of your own.

Rule #32 alone would be pretty strict as it imposes no time delay at all. As you can always edit your own posts, you can always add additional replies to other user's posts. Technically there's no need to post replies in consecutive own posts, it's just ignorance or lazyness or inability to use the forum properly.


Anyway, when you reply or edit your last post in a thread you always have the option to insert quotes from the last about twenty recent posts of the thread, see Topic Summary below edit box and Insert Quote links.

You're free to interpret the forum rules yourself...

It's possible to find substitution rule without bruteforce and AI? How “simple” is this substitution rule?

I have several guesses (one replaces the other) how to find out starting position:
1. URU (first 3 letters) and 5ef (last 3 letters) are indicate the position of the silvercard and maybe what exact black card use (as you write before). But if it so, then first and last line have only 3 letter for word. One of them can be "cat", but what can be second word from what ciphered 3 letters instead of 5, if that guess is right...
2. Two last symbols in first row (Yw) are indicate the position of the silvercard that can mean "w=Y". But if this guess right, it can't be used for S2, cause I can't see where "3=5"

Also in 7 and 8 row we can see 3 same letters in same order. If for each row used same substitution rule - it's strange. Cause we haven't 2 words that have 3 same letteres in the same positions, except "cat" and "cattle", but if 7 and 8 row chipered "cat" and "cattle" why second "t" from "cattle" is presented like "J" or "5", if substitution rule is same for each row  ???... And also if I right that 7 and 8 row contains this words that mean that first letter from row is show us position

Thanks for the challenge! It's been a blast trying to solve it for the past 2 days. There's so many pieces of information we can think of, although connecting them all together is quite difficult.

One thing that I'm struggling with, do we actually know the plaintext S1? If the words have letters omitted from them, if there's symbols and numbers that can mark the word orders, extra obfuscation characters for more security, and if everything is in a securely random mixed position, doesn't that make S1 different from the actual plaintext? Or should we assume that the substitution rules involve those changes in positions, how to place marker numbers for the order (if there's one), going by the 12 word seed phrase in order?

"arena brisk seminar..."

Do we actually start with the seed phrase to end up with the C1, or is there arbitrary personal choices involved BEFORE applying the rules to substitute, that is out of cards' reach? I believe if the latter is the case, then it's much more difficult. I'm not sure if its unsolvable, but this "starting point" is really important.

Either way, I constantly find new things to try and connect them. It raises some important questions about how such a product might work, for better or worse.

But, he tells you that S1 is a seed phrase, and particularly this one:

Maybe I didn't understand exactly what you meant, but I cannot see the doubt of what's S1.

As far as I can tell, there's an arbitrary choice to which he refers as a "starting point", and information about this is onto the cards. And it normally has to happen at first, so yes, before everything else.

Edit: But, don't take my word for it. Let's wait and see what he has to say.

I mean, IF some part of the plaintext actually looks like this, I'm just making this up by giving an example:
to4ol%.
1prop0e#
se@mi3n
....
Upon deciphering a part of the given C1, you could see there's tool 4, prope 10 (for property), semin 3 (for seminar), and that would be enough for you to make out the rest of your 12 word seed phrase (given that you decipher the rest of the cipher blocks).

If the plaintext looks like above, then the challenge immediately becomes even harder, even to figure out how to go backwards. This would mean we are working with a more obfuscated, altered, reordered, and with missing parts of the actual plaintext (if smaller number of letters are used for each word).

You only need the first 4 characters for each word. "prop", "tool", "semi". I think he has clarified this already.

I also doubt that the words are scrambled, like "property" -> "pr_o_p", "seminar" -> "se__mi". He's bragging about the puzzle's simplicity, and that's too complex.

Hi, i just wanted to thank you for the chance at the puzzle even if i dont get to solve it first. it's fun. i'm unsure if i'm in the right direction but i'm still going to try. :) :D

If "property" -> "pr_o_p" and all words was scrambled like this before cipher it will be hard enough to use some "simple rule" to decipherd it back, cause you also need to remember in what row what exact symbols was fake or navigation symbols and what symbols was from seed. Or that "simple rule" isn't so "simple" and has several points in it, which are based on the author's imagination ::)

That's good for you, I believe you have skills that most people don't have, and I hope all technology becomes more accessible, which is good for everyone. ;)

 I've made this website btc-puzzle.netlify.app (http://btc-puzzle.netlify.app)

It's just like having the cards in your hands.  The website is responsive so that you can use it on your phone or tablet too.

How to use:

Flip the Black Card: Hit "Q" or click the "Flip the Black Card" button.
Flip the Silver Card: Hit "W" or click the "Flip Silver Card" button.

Moving Cards:
On Desktop: Click and hold the silver card, then move your mouse.
On Mobile/Tablet: Tap and hold the silver card, then drag your finger.

Keyboard Controls:
Arrow keys can Control the silver key movement.

The source code is here

https://github.com/johnnstewart/btc-puzzle (https://github.com/johnnstewart/btc-puzzle)

arena :  URU/Yw
brisk  :  LwE~T1
seminar :  AE&8If
tool :     4YQ8Iw
risk :     C2Q~EE
cat  :     nvH~TE
despair :  JEQLJY
repeat :rEQL5U
seat  :   4wuQIw
property : CT&lQ&
cattle :  &TT2&E
later  :  K>I5ef


Are these in the right order which is S1= C1 ? and one more thing the positions of the letters in C1 are they same as S1 word or scrambled? as per my observation each Cipher has 12 combinations of positions and we can choose which position card we want while  encrypting  but not sure which pattern or position you use to encrypt these seed 1.

The puzzle prize has been transfered out from address 3ARNTrr77hteEMpsR9czY9fjr3iUK4u9DJ (https://mempool.space/address/3ARNTrr77hteEMpsR9czY9fjr3iUK4u9DJ) with transaction 5dff9435c467098b5a87c3c1ced1b64d342892d86d105b908fe777c268837cc8 (https://mempool.space/tx/5dff9435c467098b5a87c3c1ced1b64d342892d86d105b908fe777c268837cc8) and confirmed in block 840283. It seems someone solved the puzzle? Transfer fee overpaid 8x, well, well, it hurts to see it that way. Curious to see the solution...

Hey, it was me! I've PM'd OP with some proof. Thanks for the fun and good luck everyone! I won't spoil anything!

Folks, we have a winner for my challenge. Congratulations to the winner and thanks to everyone for participating.

Although our mystery winner decided not to spoil anything, I am still PM him or her hoping our winner will share with you guys.

I don't know how he or she made it yet, but I know he or she is smart enough, and I hope you'll all continue to participate in my next challenge, complex rules, double rewards. ;)

I was so close on this one. I figured out how to go backwards from C1 to S1, but I never understood how the rules are encoded, so I was quite just brute forcing by mind. The big problem was that I neither understood how the word position is translated. For example, "wE~T" which I found as "seat" is in position "1" ("wE~T1"), but it's the third word in the phrase.

We were solving it at the same time! You didn't need to pay $300 for a mining fee, though.  :P

Challenge accepted my friend.

@marleen01

Can you explain how you did that? I had a problem with the cards, how to use them   

@Ginux


use OLD grain on the next challenge

Hey everyone, winner here, in this post I’m going to share my method of how I’ve solved it. The ciphertexts seemed simpler than I initially thought, but with some additional rules that I didn’t expect at first. I’ve written Python scripts to work with the puzzle to get the solution, but they were done quickly and in a very terrifying manner, so let me warn you about the code spaghetti. Also spoiler warning for those who want to solve on their own.

First of all, we need to define the character set in the black card, and a way to get which letter can correspond to them. We need to create a function that gets combinations of 12 silver card placements, while also defining silver card sides A and B, char at index 0 meaning first silver card char on top left most corner, index 1 to the right of the previous one etc. :


Now, we have a function to set combinations of strings for each placement, and we need to define another function to input a silver card character, and get back possible 4 connections on any given card placement combination:


I was mostly manually trying around different combinations and placements using the functions above. There are some really interesting two blocks in C1:


We know that the first 4 letters are used from the hints, and if we need to use one card placement (out of 12) for all of the ciphertext, then these two blocks must have similar words. Namely:


Now we have an idea of what kind of a structure we’re working with. 4 letters are used, and they shift left with every word by one character.

In my program, I wrote a simple for loop to loop over known seed phrase word letters, and I kind of got lucky looking at the connecting black card chars for them. In one of the last combinations, they map perfectly.

However, the order of choosing 4 possible characters in the silver card for a given black card character differs. How do you find that out? Well, I’m still not sure what the first 3 and the last 3 characters in C1 and C2 mean, but they might be about choosing the placement, and choosing the cycle in which 1 out of 4 letters to choose every character in the block, although these both variables are different for C1 and C2. Looking at possible mapping for that last one placement in C1, this pattern shows up:


Assigning one of the 4 directions (top left, top right, bottom left, bottom right), each character in the ciphers are assigned these, which determine the connecting silver card character to choose.

My next script originally iterated through all possible combinations, that's why it has 0,6 and 0,2. 0,6 for all the ways a silver card can be placed, and 0,2 for two sides of the silver card. Below I define a function to input a black card character “chrc”, and a number “num” for position encoding in the cipher block:


Now we can input any black character we want, and we get all the possible combinations if we set c to range from 0 to 6, and s to 0, 2. But to decipher C1, we need to take the specific combination 5,6 to 1,2, which corresponds to one of 12 card placement and side to choose. I believe I discovered the combination by luck, as it happened to be the last one being printed on my Python console.

But which block should we start from? We know that 4 letters are used for each seed phrase, and C1 and C2 both start with “URU” and end with “5ef”. So perhaps we can start with the second block, right?

Using the function above, and setting the block character values for each position “234134”, we get the first word as follows:


Very interesting! Now let’s try to apply this algorithm to all of ciphertext C1, with the script below:
(sorry for horrible variable naming)


And when we input the C1 stored in old_cipher variable, we get this result:


Incredible! We can see all the words! But hold on, there are no numbers or anything to mark the orders? Without the order, these words would be completely useless, as the possible combinations of these words are way too many to bruteforce.

Let’s try to write down the single characters between each word, shall we?


Now what does this mean? Well, we have the word “incomputable” on silver cards. This word determines the order of words.


When you use this knowledge to put the words in order, you get the words and the correct word order. Now, that we have an idea of how C1 is made, we can input the program the ciphertext C2, and let’s see the result:


Well… That didn’t work as expected. This must mean the block characters have a different mapping, and a different placement out of 12 is used. At this part of the puzzle, I was just manually printing different combinations and pos values. But the interesting thing is, you can sort of approach the correct plaintext slowly for C2 by modifying one thing at a time. It turns out, the mapping for C2 is “312134”, and combination (3,4) (0,1) is used, so c=3, side=0.


Wow. It fits perfectly, and the letters of incomputable are all also there. So when you put them together in the correct order, we get the 12 seed phrase words in correct order for C2:


However, there’s one more problem. The checksum isn’t correct! This seed phrase is invalid! But all of them are valid BIP39 words! Well, again perhaps to my luck, I was trying different word combinations (maybe pride is price? prize? Another layer to get the sats?)

I remembered that there might be 3-letter words, and I tried the easiest thing I can think of: ski instead of skin.

And that was it!

Thanks again OP for this challenge, and I’m looking forward to the next one. There’s still two questions left in my mind: How do we choose which card placement to choose? How are cipher blocks connection choices determined? I believe the answer might be in the first and last blocks of the ciphers. Perhaps I will try to look into it more.

Nice if i solve it before its like life change for me hahah , :-[   

















BTCbc1qp8ukly4t86sg0du8hszqatth49r4k25n6upxrrBTC

These two particular rows drew my attention as well, but I didn't think of "bris" and "risk". At first, I thought that maybe "tool" is "&TT2" from &TT2&E. But, then the OP clarified that it is not a simple substitution ('&'='t', 'T'='o' etc.). Then, I was trying at different silver card placements, until I hit the 6th. Then, I started checking silver characters and where they point, and it was a matter of time until all words fit.

You lost me here. I did figure out that wE~T is seat, but I couldn't figure out what's 'L' and '1'. Why did you turn them into 'a' and 'b'?

• 'a' points to L, top right.
• 'b' points to '1' top left

How did you work out the "top right" and "top left"? We both didn't figure out how the OP decides the silver card placement in the beginning, as far as I can tell.

Very good opponent. See you at the next puzzle! <Evil laugh>

Jokes asides, you deserve it. I didn't write a program, you took it to the next level.

If you solve the next one, it's two life changes, so make sure to dedicate all your time.  ;)

---

Edit: This is how far I reached:

Let me clarify this, it's really difficult to look at it manually and solve it, but it's possible. Basically we assign one value from 1234, each meaning top left, top right, bottom left, bottom right (I'm not sure what directions these actually are in my code, as the puzzle is a bit different in my mind). Each character in a 6-char cipher block maps to one of these. For C1, this value is 234134.


L corresponds to 2 -> choose 1 of 4 directions, the direction that we assign as 2. Read the connection of the direction, and we get "a".
1 corresponds to 4 -> we choose 4th direction. Read the connection, and we get "b".

If you're asking how I managed to find it, I kind of manually tried in my program, which prints the resulting mapping combinations for any given string with 6 numerical characters ranging from 1 to 4. If I input "111111" then I try to read one direction connection for all characters in C1 or C2, like "choose the black card character bottom right of the chosen silver card character, given 1 out of 12 placement.

Basically each character in a 6-character cipher block corresponds to exactly one direction. And this value differs for the cipher block characters in C2. Consequently, "a" and "b" are order markers, taking their value from the word "incomputable", so 9th and 10th letters, which correspond to first two words. Then, each word has one of the letters in their beginning.

Brilliant!

As I said, this challenge uses simple rules, I thought you'd notice that C1 and C2 have the same "URU" starts and "5ef" ends.
C1:
URU/Yw
...
K>I5ef

C2:
URUd53
...
ee15ef

I think this implies enough that these two lines are rules about decoding, but when you don't know which table to use to interpret these two lines, the easiest (and therefore most beautiful) way is to make the two cards perfectly overlap.

In this combination, you can interpret the rules: card with serial number ending in FC is placed below, card with serial number B4 is placed on top and the letter in the upper left corner and the lower right corner are m and D respectively. For the four substitution tables around each index letter, numbered clockwise from the upper right corner as 1, 2, 3 and 4.

So let's go to this particular combination and encode all the rest of the information in the order of 234134.

I hope that answers your questions.

Well done, man, well done!