Bitcoin Forum

Can we memorize a full Bitcoin private key?

I added a base26 encoding to pybitcointools to simply things (normal addresses and wallet-import-format private keys are Base58, with hard-to-memorize upper-case letters and numbers). Let's make some private keys. With this encoding, they have a usual and maximum length of 55 characters:

>>>bitcoin.encode(random.randint(1,2**256-432420386565659656852420866394968145599L), 26)
'digiglqzmbsylezyvovztjincftnxmpvcmtkszwcqrzttkgizgwgsrs'
'crbifkrcyokrerdtvfbliynoyyvspncuhenzanzoesdaggzjjccedyo'

Or if we separated them, lets try four or five letter groups:

'digi-glqz-mbsy-lezy-vovz-tjin-cftn-xmpv-cmtk-szwc-qrzt-tkgi-zgwg-srs'
'crbif-krcyo-krerd-tvfbl-iynoy-yvspn-cuhen-zanzo-esdag-gzjjc-cedyo'

We'd better check mistypes, two more letters from a hash of the key, for a 99.85% chance we detect a mistake - for a final form:

'digi-glqz-mbsy-lezy-vovz-tjin-cftn-xmpv-cmtk-szwc-qrzt-tkgi-zgwg-srsc-a'
'crbif-krcyo-krerd-tvfbl-iynoy-yvspn-cuhen-zanzo-esdag-gzjjc-cedyo-bi'

Do you have the brain power to commit a full-strength private to memory?


A private key is much stronger than a bitcoin address though - a private key is 256 bits, but an address hash is only 160 bits; every address probably has about 79228162514264337593543950336 private keys that could spend its money. As crazy as it seems, maybe we could get by only using private keys starting with 0x000000000000000000000000h; let's generate the rest:

>>> bitcoin.encode(2**160, 26)
'bdonjydfhmonirbfouktjpxyqzilesiamaq'

That is the minimum size of a computer-generated "brainwallet" key or password required to give you near the same strength as a regular Bitcoin address - 35 letters. A gifted individual could apply themselves and commit this to memory, just as there are those that memorize 1000 digits of pi.

Electrum cheats - it makes a 128-bit deterministic seed, even smaller than this (although the generated bitcoin private keys are spread around the keyspace in a way hard to reverse).

If you take letters randomly chosen from pages of a book, you need more letters (due to the frequency of certain letters). If you try to use English words, you need about 20 of them, randomly chosen from the entire Oxford dictionary (not ones you picked). If you try to make up your own password...well, you see the point.

Don't use your brain to store bitcoins.

Brainwallets were never a bad idea, they're just as secure as using a normal password. If you forget the password, bad luck, same goes with brainwallets.

It's easy to remember a simple phrase, such as "CandyMadeTheCowGoPoo", I can't understand why you think it's a bad idea.

Let me drop knowledge: http://www.reddit.com/r/Bitcoin/comments/1ptuf3/
 or http://www.reddit.com/r/Bitcoin/comments/1nbmet/
They were always a bad idea.

Be careful with only using 160 bits of entropy for private keys.  The strength of ECDSA keys when the public key is known is half the key size.  For full length key 256 bits length = 128 bits strength.   So 160 bits mean 80 bit of strength.  This is not beyond brute force.  It may not be economical but brute forcing the private key from the public key is feasible.

Take your favorite book.

Now pick your favorite 3 chapters from that book.

Pick a number from 1-10.

If your number is 4, go to the fourth page in each of your 3 selected chapters. Take the first letter of each word from that page, in the order in which the appear.

That's a good brain wallet.

At 28 bits of entropy (as a rough estimate), no it's not a good brain wallet. Given the right resources (a list of popular books and their texts in a certain edition), an attacker would only have to try 2^28 combinations to crack most brain wallets based on this scheme.
You're only short by a factor of 2^100. *cough*

I can memorize a 128-bit key fairly easily, so there's nothing stopping me from memorizing a 256-bit key except that there's no point to it: I feel quite secure with a 128-bit seed securing my wallet.

What if the letters spell out "car" or "btc" or something ridiculously stupid?

That's a very good point I've glossed over, that when you spend, you are releasing more information that can be used to deduce the private key, worse if in conjunction with a weak random generator by the spending wallet. I was comparing directly the possible key size to possible address size.

To simplify the brute force would require some information about how the simplified public key was encoded; here I just showed it was shortened by being a much smaller number, other discoverable encodings of small keys include SHA256 (brainwallet). Putting the small key through 777 rounds of Centrifuge and Lanarea, for example, makes the encoding more obscure and more costly to rainbow-table, but still is not security equivalent to using a full random key. The encoding technique also becomes one more thing to remember.

I must add that I started the topic wanting to challenge people to memorize their own 55-letter random string, and remember it a day, a week, a month later, but the thesis changed as I was typing it.

wait...now i'm totally confused... given what DeathandTaxes just said -- how is it that Electrum keeps the 128 bits of entropy and it doesn't become half that when we generate the
private keys?  Why is it hard to reverse , or, put to it another way: why would it be easy to work backwards in another instance? I'm fuzzy on that now.

---
On another note, it is not hard to memorize a lot of information -- we all
have different talent for memorization, but its mostly a question of effort,
determination, and practice.  The human brain remembers what it deems
important and forgets that which it considers unimportant.    If a 256 bit private
key is in hexadecimal format, that's 64 characters, or 32 pairs of 2 digits
like "E9" or "43" or "5B".  32 is not that many.  You can memorize that in
a less than an hour, or a day, or a week, depending on your talents and
other factors.  For me, I think I have a pretty good memory, so I could
memorize it in  maybe 20-30 minutes, but it would require practice to retain,
and there's no point -- I would rather memorize an electrum seed, which
would only take me 5 minutes to memorize if I really needed to.

Remembering the whole private keys? That's just retarded when you can use a passphrase haha

I have tried, the answer is probably yes
But I would be absolutely terrified of forgetting it. Risk magnified as we age.

I tried doing this once as a test
By day 6, I could substantially remember it but was starting to have doubts about individual characters
Too bloody dangerous unless you have a back up in some form. A back up of course defeating the purpose of the whole exercise.

You can increase the level of entropy in a brainwallet by using the altkeys. Most keyboards only have 94 symbols (26 letters, 26 caps, 10 numbers, and 32 symbols), but you can increase that to almost 256 by using the altkeys. For instance ♥ is alt 3.

So you can do something like: (password:phonenumber)(Q♠)(K♥)(∞)
Which makes private key: 5KJkhonUA3EfX7Cjuc2rJMASq8jh5t7bJLW3axvtYjpP2mab4v9
and public address: 1BJg3A9AnURtRm9DZpV32Xut8cbrsZ6tPo

Other tricks include using Google translator to make words using different character sets to mix with your english words.

Brainwallet: (Hello World)(пpивeт миp)(नमस्ते विश्व)
Private Key: 5JwMiUD1h2uL9Fxj82Ymvxe95wY6Tg6fwvJwdHXoxbqBD6mGADS
Public Address: 1NANoMSZanrBEYSCthGTPrz7VR7PRQxt6V

I don't see any reason in memorizing an entire private key when one can simply use a passphrase instead.

Its possible to memorize an entire private key but its a bit risky if one suddenly develop amnesia due to age or accident.

What's the need to memorize if you can write on a piece of paper.

Why to go for un-necessary hard work?

I agree, it's simple to write it down and keep it safe than to memorize it however I can also understand why many people would not want to write their private keys down so it is easy for them to remember mainly due to being cautious. I personally myself do not feel I could memorize an entire private key to be honest but me being on of those that is over cautious I think I would be a bit dubious about writing it down even if I knew it was a better solution.

This is often repeated around here, but are there any documented, non-theoretical examples of that? Not talking about in 10 years, but today? Not trolling. Do you have any sources for that claim?

If you had the choice to remember your private key or to write it down, which would you choose and why? I am new to bitcoin but I imagine brain wallets are way to easy to break and therefore not a realistic option. Disregard the fact that a private key is difficult to actually remember, I am just trying to ascertain if actually remembering the private key is in any way advantageous over writing it down? Does the capability of remembering a private key solve any current issue or would it serve any good purpose?

Thanks.

i don't see any advantage over using a passphrase. I think OP was just asking out of curiosity.

But wouldn't a passphrase of some sort be exceptionally easier to brute force than the private key? Sorry I actually have no idea but it is a guess. Then there is the issue what is your house burns down, paper is lost etc. But then again as others have mentioned you could simply have an accident etc and lose your memory.

I guess essentially the answer is that remembering your private key has zero advantage?

Not necessarily, no.  There's no reason a passphrase can't be generated with high entropy.

Fair enough. But if you designed such a hard passphrase would that not defy the purpose and it would actually be easier/same to remember the private key. Additionally, passphrase has the same risks associated with forgetting?

It's definitely possible, but I doubt someone would remember it over a long period of time.

No, it wouldn't defeat the purpose and would be easier to remember.    It's how Electrum does it for example.
You have a 1626 word dictionary, so you only need 12 words to get 128 bits of entropy.  Twelve common
words are easier to remember than 32 hexadecimal characters, dont you think?

One verifiable source is that the bitcoin network collectively has completed ~2^80 hashing operations since the genesis block.    This can be verified by looking at the cummulative difficulty of the best chain from genesis block to current.  Granted it is has taken years and involved tens of thousands of specialized devices but it has been done.  It is proven that humans can complete problems requiring on the order of 2^80 operations.

This site reports recommendations from various organizations of the minimum key lengths required to remain ahead of Moore's law.
http://www.keylength.com/en/compare/
if you were only worried about today and today only the min key length for ECDSA is 152 to 224 bits.  Bitcoin's current signature algorithm is good for at least a few decades.  None show any concerns for breaking 256 bit ECDSA keys before 2040 and many show they will be good for decades beyond that.

I personally would not be concerned with using a reduced strength key (at least 80 bits).  The economics of an attack would be incredible and you would only be at risk if you either reuse an address or if the attacker could complete the attack not in months or years but before the txn could be confirmed (i.e. within 10-30 minutes).

Today keys with 80 bit strength are generally considered insecure but honestly it is probably beyond the capabilities of almost all attackers in the world.  Three letter agencies of major world powers are probably the only entities with sufficient resources.  There are no hard and fast rules simply because almost nobody builds computing systems on that scale and if they do they are probably highly classified.  We also don't know the future.  Who knows what systems major governments are building right now.

Still the idea of "probably secure" isn't considered good enough for most cryptographers.  We don't necessarily know how much computing power the attacker has, so it is simpler to reverse it.  How much computing power do we know the attacker can NOT have.  If a brute forcing a key requires more than that then it is infeasible to break it.  In other words I don't know what is the strongest key that the NSA has can crack but I do know they can't brute force a key with 128 bit security* using classical computing (and will not be able to do so for the next couple decades).  Brute forcing a key with 256 bit security would require more energy than will be output by our star in its entire lifetime so it will remain infeasible long after we are dead and gone.

* This doesn't mean all 128 bit keys are forever secure.  Future cryptanalysis may weaken the underlying algorithm such that a 256 bit ECDSA key someday can be brute forced in less than 2^128 operations.  It also doesn't apply to things like weak passwords, brain wallets, etc.  None of those involve a brute force attack against the keyspace.  It also doesn't apply to esoteric concepts like quantum computing or reversible computing as they don't necessarily  have the same energy requirements.

sorry to double post my question...but why exactly is electrum safe with only 128 bits of entropy?  (besides the extra 16 bits of key stretching which I'm aware of)...  ???

Is it because it is hashed in the first place?   Once you hash a passphrase, it retains all the entropy?  You can't reverse the hashing... Is that it?

If it comes to the actual private key in its native form, I think I definitely wouldn't be able to remember a valid private key in its entirety. Maybe if it was for a really huge amount of BTC and I had enough time, I may get around to memorize it, but it'd be very difficult! A brainwallet really is easier!

A hashed value does retain the lesser of the hash length and the original entropy due to the avalanche effect of function.  The issue with using a truncated key isn't that the key has some reduced entropy but rather that the distribution isn't random (i.e. if you pad 160 bits with t the possibility than 96 bits of leading zeroes then the scope of all possible keys has been reduced).  The keys produced from a deterministic function using hashes from a 128 bit seed can never have more than 128 bits of entropy however the possible values are randomly distributed over the key space. 

Electrum wallets "could" be attacked by brute forcing the seed instead of the keys.  They are secure because brute forcing the seed is no faster (and actually is significantly slower due to key stretching) than brute forcing the private key from a known public key.  

The OP talks about using a reduced length key but if you hashed that value then it would in essence be a seed with <256 bits making it very similar to a deterministic wallet except in this case it is a deterministic wallet of one.  Taking a hash of the value to produce the key is fine [SHA-256(seed)=key ] but if you are going to do that then I would use a memory information dense format than hex such as using random mnemonic words.  It would be shorter and easier to memorize than even a reduced length key.

Using diceware (http://world.std.com/~reinhold/diceware.html) each word has 12.9 bits of entropy.  For 128 bit strength we need 10 words.  I rolled the following words.

SHA-256("hi dewar arise belly urn brush gain scam gawky liven") = 76df74f69be8d08324ded37f180010747811eac1a8104e19eed4e7a0c1b44b7a


Please nobody use this address it is just for illustration.

Personally I find it easier to memorize:
then:

or even:

it sounds like you're agreeing with me.  so then the original warning of "160 is really 80 bits"of security only applies to private keys derived without hashing, since there is no avalanche effect to obscure it.

edit: and therefore, this warning doesn't apply to brain wallets in general, assuming they use hashing.

If created properly, brain wallets are much better then trying to memorize your private key. If you are memorizing your private key then you must leave your key in some exposed format while you are trying to memorize it. In order for you to see it while memorizing the key it will need to somehow be out in the open. There is also a good chance that you would forget it after some amount of time after not using it. How many times have you forgotten a password that you used to a certain site and had to reset it? Probably a lot.

yes, and to my mind memorizing would be the easy part... typing it out without mistake would really cause an issue and finding the error and not doubting yourself! aha definitely never worthwhile practice!

Ignoring the difficulty factor, would it be worthwhile remembering the private key? I understand it is difficult to remember, but if there was a way to remember it, would the very fact of remembering the key be of any benefit or solve any current problem. Thanks.

Not a bad idea if the user want to remember data in raw form without using on application to decode the pass phrase.

You can definitely memorize the private key in your head!

Divide the private key into 4-digit groups, and learn 8 (2 groups) today, and then 4 new digits (1 group) a day. :)

Here's a pretty good brainwallet idea, imo.

Chain all  (physical, postal) addresses  of places you lived in for at least 6 months
for the past 10 (or 20) years . One address is easily 25 bits of entropy (even within
one large country), so with 5 addresses  you are good to go.  This is something you are likely to remember for many years (likely you had to write each of the addresses many a time), and even
if you forget some of the addresses you may be able to restore them from bills, letters, etc.
Also, someone has to know you very very well to know all the addresses.
In fact, the closer the person is to you, the less information you'd need to communicate
in case of emergency or in your will.
You might want to chain  a short  password in the end  to protect you from your mom though ;)

Won't work for very young people, or for someone who lived in the same city all their life..
but hey, it's a pretty good idea for a lot of people.

Previous addresses are commonly used in identity verification, so that means
they are stored by credit companies, etc. 

I've heard a podcast about memory training from the world record holder of memory skills.
It's very doable to memorize a private key, in fact, there are people that can memorize 50 of them in just a couple of hours.

Check out https://www.pmemory.com/pages/how-it-works/

Im not in any way affiliated with this site, sharing it just for fun. If I had the time, i'd be ordering that course !

No way, no cant do  ???

While you are typing your private key, you would be vulnerable to attacks. If you somehow mistyped it and are trying to figure it out then an attacker knows that some private key that is close to the one you are typing has some amount of bitcoin and could try to use some automated means to find the "correct" private key.

right!

I think I could memorize an entire private key given the time and motivation. There are people who have memorized pi to thousands of digits, so why would it be impossible to remember a short string of numbers and letters?

It would not be impossible. However the stakes are much higher for you memorizing your private key (that potentially controls thousands of dollars worth of bitcoin) while someone memorizing the first thousand digits of pie for example would not lose anything if he made a mistake. IMO this added pressure will increase the chances of you forgetting some important part of your key