Bitcoin Forum
  Show Posts
3601  Bitcoin / Development & Technical Discussion / Re: Biometrics as private key? on: August 20, 2022, 03:20:51 PM
From different perspective, you could prove that you were taken hostage at specific range of time. If your Bitcoin was moved during that time (remember block timestamp), it could be served as proof.
Counter perspective: The attackers use your fingerprints to access to your wallets and make a note of the private keys. Then they cut/burn your fingertips off, permanently removing your access to the wallets. They can then move the coins at any time they like since you cannot recover them.

Also, your suggestion can apply to any wallet. If I can prove I was taken hostage on a specific day, and all my regular non-fingerprinted wallets are drained on that day, I can equally serve that as proof.
3602  Bitcoin / Wallet software / Re: How long to crack 24 word phrase if you know all 24 words out of order? on: August 20, 2022, 03:16:10 PM
Not with quantum computers. I assume we won't need to wait 1500 years for the next generation computer to be developed.
Quantum computers are not a magical bullet that can instantly solve any problem. They provide an exponential speed up to attempts to solve the ECDLP, and this is the main way they would be used to attack bitcoin. They provide a much smaller speed up to any hash functions, which is the limiting step in attempting to unscramble a seed phrase, since you must use a SHA256 to calculate the checksum, followed by 2048 rounds of SHA512 to generate the seed number, followed by several more rounds of SHA512 to work down the derivation path and generate the necessary addresses to check for funds. They will be able to speed the process up, sure, but they are unlikely to make unscrambling 18 words any less unfeasible for the average person.

It's just a simple matter of adding more words.
The security of your wallet should never depend on there being enough words in your seed phrase so that an adversary with access to all the words cannot unscramble them, but rather on an adversary never having access to your seed phrase in the first place. I would never scramble the words in a seed phrase to begin with, for the exact reasons highlighted above - if you mess up then wave goodbye to all your coins.
3603  Bitcoin / Wallet software / Re: I found a paper wallet on a beach ... seriously on: August 20, 2022, 03:05:41 PM
For example, items from the Lost & Found at some airports are stored for 6 months, after that they get auctioned off.
Bitcoin should not be treated as a physical asset. With a physical asset, if someone else possesses it then you do not. If you lose cash, a credit card, your wallet, your phone, or any other physical asset, then it is obvious to you that that thing has been lost as it is no longer in your possession. Losing a private key is not the same, since it is entirely possible for two people to both possess the same private key at the same time. A better analogy in this case (ignoring the whole self-custody aspect) would be like someone having a key to your safe, or access to your bank account. If I look at the contents of your safe, and then 5 years later see the same contents in that safe, do I get to take them for myself since you haven't used them in 5 years? If I have access to your savings account with $10k in it, and 5 years later it still has $10k in it (plus interest), is it morally fine for me to clear out your account since you haven't used that money in 5 years? Of course not. Bitcoin is no different.

Coins not moving does not equal coins lost. It is nonsense to suggest otherwise.
3604  Bitcoin / Development & Technical Discussion / Re: Can Quantum Computer's destroy Blockchain and Bitcoins[SHA-256 specifically] on: August 20, 2022, 11:50:42 AM
If they're "lost", i.e. nobody has access to them anymore, there would be no way to protect them with the exception of harsh methods like the blocking of these addresses/utxos (something similar Ethereum did when TheDAO was exploited).
That's not entirely true. It would be possible to lock some coins in a way in which the original owner could move them but a quantum attacker reversing the ECDLP could not steal them. This would be done by requiring some proof, ideally a zero knowledge proof, of possession of the seed phrase or master private key which was used to derive the relevant private key. The true owner who had derived the private key in an HD wallet would be able to provide this proof, while a quantum attacker who had obtained the private key from the public key would not.

The downside to this approach is two-fold, though. Firstly, it only protects reused HD addresses, and does nothing for the 1.73 million BTC in P2PK addresses. Secondly, there is no way of knowing which addresses were generated in an HD manner and which were not, which would mean some coins being locked forever and being irrecoverable by anyone, the true owner included.
3605  Other / Archival / Re: WasabiWallet.io | Open-source, non-custodial Bitcoin Wallet for desktop on: August 20, 2022, 11:30:00 AM
If only truly untainted outputs enter Wasabi's pool? Protection from government sanctions.
Even ignoring the very valid points BlackHatCoiner and n0nce have made above, there is absolutely no reason to think that this will provide protection from government sanctions. We have seen absolutely no mention from anyone - not from government, authorities, financial regulators, centralized exchanges, lending platforms, blockchain analysis firms, literally anyone - that once Wasabi start blacklisting and censoring that all outputs from Wasabi coinjoins will be treated as completely clean as if they have just been mined. And given what we know about what the government and authorities think about bitcoin and think about regular people having privacy, I think it is incredibly presumptive to expect this to happen.

The more likely outcome is that you coinjoin with Wasabi, pay them to spy on you, feed your data to blockchain analysis companies, and then end up with coins which are treated as suspect by various exchanges anyway. Given that it took major exchanges like Binance and Coinbase years to figure out how to support SegWit or how to batch their withdrawals, are people really expecting them to be able to tell the difference between coins which came from a Wasabi coinjoin or a Samourai coinjoin?
3606  Economy / Service Discussion / Re: The Warm Fuzzy Feeling Of Too Much Regulation on: August 20, 2022, 11:14:45 AM
That makes me think the "insured amounts" aren't there to protect citizens, it's meant to protect the banks. Without that guarantee, banks wouldn't be trusted.
10 years ago I might have agreed with you, that the average person isn't going to leave their hard earned money with an uninsured third party with absolutely no ownership rights or no guarantee of getting it back. Then crypto came along, and with that the rise of centralized exchanges, lending platforms, and web wallets, doing exactly that to the tune of hundreds of billions of dollars. All you have to do is totally promise to pay some interest and people will trust you with their money. Insurance is unnecessary for the majority.

It more and more feels like fiat money itself is a scam.
Insert quote about if people understood fiat they would revolt.
3607  Bitcoin / Wallet software / Re: I found a paper wallet on a beach ... seriously on: August 20, 2022, 10:35:24 AM
I'd assume that he wants to keep it private so in case he is cashing in those coins he is not doxxing himself.
Yeah, I also assume this is the reason. Which is a shame really, given all the better options given in this thread for trying to alert the true owner to the situation.

But what if he doesn't see the urge to move the coins? As you don't publish the public address of the paper wallet, you make no effort to let the owner become aware of his loss. How does that make any later decision of yours to proceed in any way with the paper wallet more justifiable?
Exactly this. It is entirely possible that this was a back up which the true owner had hidden off site, and is not going to check on for months or even years. He is perhaps entirely unaware it has been lost (which is why the better options I mentioned above were recommended). I have coins which haven't moved in years and I don't plan on moving in years. If they've not moved in 10/20/50 years, does that make them any less mine (or my heir's), or does that make stealing them any less immoral? Of course not.

Previously I had suggested to spend the output with an OP_RETURN message. Ethically speaking, that's not a good option either, because some owner's relatives might have access to that money with a signed transaction wherein he has granted them inheritance. Spending the output would invalidate that transaction, which is supposed to be broadcast in the future.
So make a transaction from somewhere else, paying dust to the paper wallet and including an OP_RETURN output. Or top up the paper wallet with dust then spend that dust making an OP_RETURN output. Anyone looking up the address will notice something going on without invalidating the original output.
3608  Bitcoin / Wallet software / Re: How long to crack 24 word phrase if you know all 24 words out of order? on: August 20, 2022, 10:27:34 AM
maybe I personally would have to try this with a new wallet as an experiment for myself.
Feel free, but you won't get very far.

You can figure out why just by looking at the math without having to run any simulations yourself. You have 24 scrambled words. For the 1st word, you can pick any of the 24. For the second word, there are 23 words left to pick from. For the third word, there are 22 words left to pick from. For the fourth word, 21 words left. And so on. 24*23*22*21*......*3*2*1. Also known as 24!. This gives you the following number:

Code:
620,448,401,733,239,439,360,000

How many possibilities can your computer try in a second? A few million? Let's say a billion to be generous? The number above divided by a billion a second, 60 seconds in a minute, 60 minutes in an hour, 24 hours in a day, 365 days in a year, comes out to just short of 20 million years.
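The arithmetic above, plus the two steps from the other reply in this thread (the SHA256 checksum that filters candidate orderings and the 2048 rounds of PBKDF2-HMAC-SHA512 each surviving candidate then costs), as an added Python example that is not part of the forum posts. The word indices are constructed from a fixed entropy value; no wordlist is needed because the BIP39 checksum is computed on the 11-bit word indices, and the entropy is an assumption, not a real wallet.

```python
# Added example: cost of unscrambling a 24-word seed phrase. Not from the forum.
import hashlib
import math
import random

WORD_BITS = 11


def indices_from_entropy(entropy):
    """32 bytes of entropy -> 24 BIP39 word indices (256 entropy bits + 8 checksum bits)."""
    check_bits = len(entropy) * 8 // 32                       # 8 for 256-bit entropy
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - check_bits)
    bits = (int.from_bytes(entropy, "big") << check_bits) | checksum
    total = len(entropy) * 8 + check_bits                      # 264 bits -> 24 words
    return [(bits >> (total - WORD_BITS * (i + 1))) & 0x7FF
            for i in range(total // WORD_BITS)]


def checksum_is_valid(indices):
    """Rebuild entropy from word indices and verify the embedded SHA256 checksum bits."""
    total = len(indices) * WORD_BITS
    check_bits = total // 33                                   # 24 words: 264 / 33 = 8
    bits = 0
    for idx in indices:
        bits = (bits << WORD_BITS) | idx
    entropy = (bits >> check_bits).to_bytes((total - check_bits) // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - check_bits)
    return (bits & ((1 << check_bits) - 1)) == expected


def candidates_passing_checksum(indices, trials, rng):
    """Shuffle the known words `trials` times; count orderings that pass the cheap
    checksum filter (about 1 in 256) and so need the expensive seed derivation."""
    passed = 0
    for _ in range(trials):
        perm = indices[:]
        rng.shuffle(perm)
        if checksum_is_valid(perm):
            passed += 1
    return passed


def seed_from_mnemonic(mnemonic, passphrase=""):
    """BIP39 seed: 2048 rounds of PBKDF2-HMAC-SHA512, paid per surviving candidate."""
    return hashlib.pbkdf2_hmac("sha512", mnemonic.encode(),
                               ("mnemonic" + passphrase).encode(), 2048)


def years_to_exhaust(n_words, rate_per_second):
    """n! orderings at the given test rate, in years (24 words at 1e9/s: ~19.7 million)."""
    return math.factorial(n_words) / rate_per_second / (365 * 24 * 60 * 60)


# Constructed entropy for the demonstration; not derived from any real wallet.
ENTROPY = bytes(range(32))
INDICES = indices_from_entropy(ENTROPY)

if __name__ == "__main__":
    print("words:", len(INDICES), "checksum ok:", checksum_is_valid(INDICES))
    print("orderings passing checksum out of 5000:",
          candidates_passing_checksum(INDICES, 5000, random.Random(1)))
    print("years to try all 24! orderings at 1e9/s:", round(years_to_exhaust(24, 1e9)))
```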
3609  Bitcoin / Development & Technical Discussion / Re: Biometrics as private key? on: August 20, 2022, 10:17:56 AM
Yeah, this is basically a very sophisticated method to create a brain wallet.
Pretty much. Even if you assume they have a 100% reliable method of accurately generating the exact same string from your fingerprint every time (which they don't), that doesn't change the fact that fingerprints are not secure at all, which they recognize by the fact they also require the fingerprint string to be XORed with the hash of a password. So, a brain wallet with extra steps.

What happens if you lose the finger you used to 'log in' to your Bitcoin wallet?  There are so many ways you could lose a finger.
You don't need anything so extreme. A simple burn or a cut across your finger tip, and there is no guarantee that when you heal your fingerprint will still be identical to what it was before, which is what it needs to be in order to recover your wallet. Good enough for a fingerprint reader maybe, but not good enough to output the exact same string as before.

If you are arrested, they could forcefully use your fingertip to gain access to your funds.  This is as bad as using fingerprint login for a phone containing sensitive information.
In the US at least, there have been plenty of court cases where authorities were legally allowed to force you to unlock devices with biometrics, while the same is not true of passwords.
3610  Bitcoin / Development & Technical Discussion / Re: Quick theft on: August 20, 2022, 10:08:01 AM
Have you ever heard about any brainwallet (or simply saying just a sha256 hashed phrase) which produces wrong private key? As upper boundary is not fff...fff, but a little less, do we know any example of sha256 result which "bigger" than allowed private key?
No, I haven't. To follow on from BlackHatCoiner's calculations above, there are this many outputs from SHA256 which generate an invalid private key:
Code:
432,420,386,565,659,656,852,420,866,394,968,145,599

So you would need to test, on average, 1.34*10^38 different strings to have a 50% chance of finding a single string whose SHA256 output falls outside of the valid range. That's 134 billion billion billion billion. So probably never going to happen. Although you could get round this near impossible scenario by simply coding your brain wallet generator to perform modulo n on any SHA256 output it generates. (Although technically speaking you will reduce your entropy since the first x number of keys are now twice as likely to be generated than any other key, with x being equal to the number I gave above.)
3611  Bitcoin / Wallet software / Re: Weird Bitcoin wallets on: August 20, 2022, 09:09:30 AM
Good questions... Off the top of my head, I'd say the easiest and simplest approach is to also include the name of the platform in question in your backup.
I would say the easiest and simplest approach would be to write down words instead, which are universal across all platforms.

I don't think it makes it an impossible task.
It easily could. It generates seeds which are 14 emojis in length. Even ignoring the outliers like the clock with >500 possibilities and assuming only 20 possibilities per emoji, that's 20^14 combinations. Write a program which can test a million possibilities a second, and it will take ~52,000 years to try them all.

Testing for fun or it might even come in handy for educating the younger kids.
Educate them to generate wallets in stupid ways? Bad idea.
3612  Bitcoin / Development & Technical Discussion / Re: Quick theft on: August 19, 2022, 07:09:08 AM
I think the confusion here is that it seems pbies is talking about taking any arbitrary string, passing it through SHA256 (or some other function) to create a (usually) valid private key in hex, and then encoding that as a WIF. In this case he is correct in saying that there are many different strings from outside the range given which when first SHA256ed will result in the same private key (although it is almost certainly impossible to find such a collision).

However, the point I made above is not incorrect: There is a 1-to-1 relationship between valid hex private keys and WIFs. All you are doing with a WIF is changing the encoding. Just as there is exactly one unique binary representation of each decimal number, there is exactly one unique WIF of each hex private key.
3613  Bitcoin / Development & Technical Discussion / Re: Quick theft on: August 18, 2022, 07:33:23 PM
No, it is not invalid as long as it can be converted to WIF. We are talking about different things here.
It is. Putting a number outside the range I have given through the same steps you would use to generate a WIF private key does not make it a valid private key.

And every string of every length can be converted to WIF. Eventually it will give the same WIF as another string.
No, it won't. The process for generating a WIF from a hex key simply involves adding a network byte, an optional compression byte, a checksum, and then converting the whole thing from hex to Base58. There is a 1-to-1 relationship between private keys in hex and private keys in WIF. You will not find two different hex keys which generate the same WIF string.
3614  Bitcoin / Development & Technical Discussion / Re: Quick theft on: August 18, 2022, 07:38:54 AM
Given 00..02 key is 64-digits hexadecimal representation of 32 bytes, which can be converted to WIF by Base58Encode_check (a function from Python, just for example). This goes: 1. current hexadecimal -> 2. bytes -> 3. add 0x80 at front -> 4. add checksum by sha256 (twice?) -> 5. base58encode it
The whole point of a WIF private key is simply to encode mainnet/testnet, compressed/uncompressed, and to include a checksum. If you import a WIF private key to your wallet, your wallet converts it back to the raw hex or binary before plugging it in to the elliptic curve multiplication equation to calculate your public key.

If you already have a raw private key in binary or hex, then you do not need to SHA256 it at any point to calculate the public key. You only need to use SHA256 to turn it into a WIF private key.

I would name raw private key to be binary (with no direct ASCII representation on screen/web) and consist of any number of bytes, even zero, up to reasonable quantity, which also would go through sha256 and base58encode to make WIF from it.
This is simply not correct. A private key must fall between the following hex numbers (inclusive):
Code:
0000000000000000000000000000000000000000000000000000000000000001
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364140

Any number outside this range is invalid. This is not an arbitrary limit; it is inherent to the secp256k1 curve which bitcoin uses. n is the prime order of the generator point G, with the largest valid private key being n - 1. Trying to use a private key of zero will output the point at infinity on the curve.
3615  Bitcoin / Wallet software / Re: Weird Bitcoin wallets on: August 17, 2022, 07:34:03 PM
I wouldn't call it "possibilities" if we're not going to get those 21 variations within a single platform.
No, but if I come back in 20 years time, will I definitely remember which platform I may or may not have used? What about a family member trying to recover my coins after I have died?

whereas in the latter you mentioned backing it up correctly and that's where I fail to see how it can still lead to not being able to recover your wallet?
Example: I am shown a clock emoji. I draw a picture of a clock. Only when I come later to restore from my seed phrase do I realize there are hundreds of clock emojis showing different times.
Another example would be that there are dozens of different Planet Earth emojis, all centered on different countries, but there is a good chance that someone backing up their emoji seed would not realize that.

I completely agree, but it's perfectly fine to use such things for testing purposes.
This is the point I don't understand. Testing for what? Why create tools which will most likely end in people losing their wallets and then say "Don't use this"? What's the point?
3616  Bitcoin / Development & Technical Discussion / Re: Quick theft on: August 17, 2022, 07:22:31 PM
It's from the binary raw private key which is SHA256ed, made readable for us meatbags by the hex representation of the private key.
The private key 000....0002 I have given above is a raw private key. It is not passed through SHA256 as in the case of a brain wallet. It is simply used as-is, and multiplied by the generator point G to find the public key.

Fix: [0, ...
No. 0 is not a valid private key.
3617  Bitcoin / Development & Technical Discussion / Re: Quick theft on: August 17, 2022, 05:01:28 PM
21 mBTC:
That's a different address. The address 1LagHJk2FyCV2VzrNHVqg3gYG4TSYwDV4m is generated from the private key "2", or more accurately:
Code:
0000000000000000000000000000000000000000000000000000000000000002

Exactly the same explanation as I gave above for brain wallets though. Malicious entities are constantly watching all addresses generated from such "special" private keys with scripts ready to sweep any coins in seconds.
3618  Bitcoin / Wallet software / Re: How long to crack 24 word phrase if you know all 24 words out of order? on: August 17, 2022, 04:57:51 PM
Anyone wants to tell me what's the risk?
  • Your email provider going defunct, blocking your account, deleting your data, suffering a server failure, suffering malware, or any other reason which could result in loss of your scrambled seed phrase back up.
  • Forgetting your additional word if it isn't also backed up.
  • Not remembering your method, how to find your code, how to interpret your code, etc.
  • Making a mistake in how you set up your code, so even if you find it you cannot unscramble your seed phrase.
  • Someone who has hacked your email figuring out your scheme and stealing your coins.
  • OpenSea is centralized. If OpenSea goes down (as it has in the past) then do you know how to extract the necessary information from the blockchain to access your code?
3619  Bitcoin / Wallet software / Re: Weird Bitcoin wallets on: August 17, 2022, 03:12:24 PM
For those who might face such problems in the future, you can refer to "Emojipedia
Doesn't really help.

I just generated a random emoji seed phrase on that site. The first emoji was a "growing heart". Type that into emojipedia, and there are 21 possibilities. Next was a baguette - 17 possibilities. Then a clock. There are emojis with every time in half hour increments. So if I remember the right time on the clock, 21 possibilities. If I don't, then 21*24 = 504 possibilities! So it is entirely possible to correctly and accurately back up your entire emoji seed phrase and yet still end up in a situation where you can never successfully recover your wallet.

So as I said above: No one should ever use this.
3620  Bitcoin / Development & Technical Discussion / Re: Biometrics as private key? on: August 17, 2022, 02:59:14 PM
But the authors of the following paper Two-factor-based RSA key generation from fingerprint biometrics and password for secure communication claim they have found a solution to the problems you outlined.
I've had a quick read of the paper, and while I am no expert on the subject by any means, I remain unconvinced.

The basis for their method is to detect various minutiae points on your fingerprint, calculate the Euclidean distance between these points, sort the distances in ascending order, and then concatenate them all. I don't know if I'm missing something, but arranging a set of numerical strings in ascending order does not exactly provide a good source of entropy. They also say their Reed-Solomon correction code can correct up to 20 bits of error, which sounds great except it also means an attacker can be far less accurate than they need to be, as the Reed-Solomon code will correct their inaccuracies to a significant degree. And their whole system still requires a memorized password (brain wallet) to XOR the fingerprint derived string with, since fingerprints are easily obtained by an attacker.