Brilliant!

As I said, this challenge uses simple rules, I thought you'd notice that C1 and C2 have the same "URU" starts and "5ef" ends.
C1:
URU/Yw
...
K>I5ef

C2:
URUd53
...
ee15ef

I think this implies enough that these two lines are rules about decoding, but when you don't know which table to use to interpret these two lines, the easiest (and therefore most beautiful) way is to make the two cards perfectly overlap.

In this combination, you can interpret the rules: card with serial number ending in FC is placed below, card with serial number B4 is placed on top and the letter in the upper left corner and the lower right corner are m and D respectively. For the four substitution tables around each index letter, numbered clockwise from the upper right corner as 1, 2, 3 and 4.

So let's go to this particular combination and encode all the rest of the information in the order of 234134.

I hope that answers your questions.

Well done, man, well done!

Folks, we have a winner for my challenge. Congratulations to the winner and thanks to everyone for participating.

Although our mystery winner decided not to spoil anything, I am still PM him or her hoping our winner will share with you guys.

I don't know how he or she made it yet, but I know he or she is smart enough, and I hope you'll all continue to participate in my next challenge, complex rules, double rewards.

That's good for you, I believe you have skills that most people don't have, and I hope all technology becomes more accessible, which is good for everyone.

Thank you for your reminder. However, as far as I recall (and it might just be a problem with my memory), there isn’t a 24-hour limitation rule on this forum. Considering that I am serious about replying to each friend who participates in the discussion and seldom post unnecessary replies to myself, it would be hard for the moderators to mistakenly think that I am trying to artificially boost the thread’s position on the forum. Moreover, it’s clearly difficult to add replies to new questions by editing past content.

You are right about one thing. I created this puzzle hoping to engage more people to validate my idea. Indeed, I am looking for individuals who enjoy brute-forcing, or are familiar with AI tools, or have significant computational power to approach this from different angles. If testing proves the security of the multi-table substitution method, I will share the principles behind this method as a reward. Everyone will then be able to create their own tools, not necessarily for encrypting seed phrases but for managing various passwords in everyday life. This is not a patent or product that could be sold; at least, I don’t see any profit model for it at the moment. It’s just a shareable thought process, and I don’t think this will displease the moderators since everyone appreciates valuable contributions.

Of course, everyone has their own judgment standards. As you said, if the moderators don’t like my style of communication or don’t recognize the value of this method, that’s beyond my control. It will be what it will be. Once again, thank you for your kindness.

Your observation is correct, however B4 and B9 are two sides of the same card, and flipping this card causes a slight change in the position of the through-hole, so moving the two cards will produce different combinations.

The index letters on the silver card, which correspond to the plaintext, and the letters on the black card are the results of substitutions, and for each definite combination there are four possible substitution results for each plaintext letter.

Following the simple rules of this puzzle setup, once one side of the silver card has been selected to be used as a mask, and a particular combination placed on the black card has been determined, there is no longer any need to consider the other side of the card, or any other possible combination. The combination determined by this picture can then be used to translate between plaintext and ciphertext.

As for the issue of special characters, as mentioned earlier, this card/set was originally designed to manage strong passwords, so as many characters as possible were retained that could be entered directly via the keyboard.


Unplugged is a better option for seed phrases, I mean, of course there are other options to generate seed phrases, but when saving them, write them down and don't give them to any electronic device, you should know that even just taking a picture of a note with a seed phrase written on it with your cell phone is extremely risky behavior. Not to mention that in certain circumstances, you can't decrypt/unzip an electronic copy of the seed phrases on a device you can trust.

When you go from C1 to S1, you don't know nothing.
But when you go from S1 to C1, think differently, what practices would you, as a normal person, employ? I said it's simple and straightforward, but put in a little bit of interference like moving positions as well.

The next step is to verify the most promising approaches one by one, until you find some strings that are related to the topic, and you can be more sure of the remaining hidden information.

Correct, it's 5 letters for each seed word, not 6 letters, you're one step closer.

But considering that there are 3-letter words, what would you do with them if you were coding them? Add placeholders, use a fixed-length structure? Or add length descriptors and use a variable-length structure?
Maybe try them all?

No, in this scenario, complexity is just the enemy of usability (or ease of use?). As long as it is written on a piece of paper, then the custody of that piece of paper becomes a complex system.

Of course, we have some other methods, such as Shamir's secret-sharing (SSS), such as opening multiple safe deposit box services at banks in different countries, and then putting a copy in each safe deposit box... I'm just offering here another low-cost, unplugged, off-the-grid, third-party-independent solution that allows you to keep more backups, in secret, to prevent loss, damage, or theft, and to reduce the complexity of keeping this piece of paper on which the seed phrases are kept.

Although the process of writing down and restoring is more complicated, after all, it's a low-frequency operation, and that's an acceptable price to pay.

In fact, during the eight years of practice I've used this method to manage my strong passwords, I've encountered the same doubts: simple passwords are enough, to reuse them has no big problem, do you have to take out your PassCard and look up the table, reading a letter and entering it every time you enter a password?

Actually not, I will follow the rule of extracting plaintext when registering a new service account, write down the plaintext on a piece of paper, take out the PassCard, write down the corresponding ciphertext according to the fixed substitution rule, then enter the ciphertext, and then choose to remember the password. Just scribble it off afterward, tear it up, burn it down, and flush it. Since I know the rules are secure, and the software or browser doesn't know about my PassCard or any of the rules, it doesn't make any sense to just get a string of seemingly random characters, does it? It's only when I change devices and log back in or similar scenarios that I need to use the PassCard again to recover my login password, it's a matter of ease-of-use issue, not security one.

Of course, I recognize that a well-designed multi-signature scheme can greatly improve security when spending, but introducing a new co-signer is one more uncontrollable factor, and 3 co-signers with 3 master private keys and 3 seed phrases magnifies the problem of properly and stealthily storing the seed phrases by 3, doesn't it?

It's not actually relying on a third party, it's being indifferent to a third party, that's not the same thing, as if I had to lock every seed phrase card into a safe and now I can put it in a desk drawer and just put a piece of paper in the safe that explains the rules. In my experience, managing such a piece of paper can be much easier than managing a bunch of cards. Does it come down to the fact that I'm still relying on the safe?

The cards used in this puzzle have index letters in two layouts, the common IBM keyboard layout and (for those unfamiliar with computer keyboards) the alphabetical layout.

In practice everyone can define any layout to suit themselves, make their own customized cards, and both will work well.

Your understanding is partially correct in that the 10th word could appear anywhere in the cipher, not just located in the tail.
Why is it only partially correct? Because in a ciphertext of 6 columns x 12 rows, if two rows are taken out to mark the rule, the remaining 10 rows cannot possibly correspond to the 12 seed words.
So it's impossible to use 6 letters for each seed word, right?

This actually comes down to personal habits, I've been using PassCards for quite a few years, and the cards themselves have been iterated through a few versions, and every time I upgrade I change all of my old passwords with the new card, so there are always a few characters in my password rules that are version descriptions, and I've found that it's a good habit to have, so that I can manage my business- and work-related accounts on one card, and my family- and personal-life related ones with another card, and my digital asset accounts with a completely different card.

I'm assuming that there are others out there who have the same habit as I do of using multiple cards/multiple sets of cards for separate purposes, so it wouldn't be a bad idea to add a card identifier to the rules when it comes to secretly writing seed phrases.

The answer to this question really varies, and I read a story here named "How do you safely keep your recovery phrase written on paper?". I believe many people, especially newbies, are faced with this choice of keeping their seed phrases so secret that they can't find them themselves many years later, or keeping them all over the place so that they are stolen or discarded by mistake.

Never mind the newbies, I myself have a small safe with backup seed phrases for all my hardware wallets, written down on cards that come with the hardware wallet manufacturers, and I have dozens of these. One day one of my Ledger Nano S's broke, as we all know, the OLED burn-in problem, and I opened the safe and rummaged through a dozen or so cards with different seed phrases written on them, having absolutely no idea which one was the one I needed. The outrageous thing is that the cards didn't even have the Ledger logo on them, I had to use the process of elimination to get rid of those Trezor or Jade backup cards, yet it still didn't help much.

Imagine writing down the name of each wallet in a small notebook, with the corresponding seed phrase below in ciphertext, and then keeping a copy of the CipherCard in your safe with the rules for substitution encryption written on the back of the copy.

You could even keep a picture of the CipherCard in Gmail's drafts folder, the rules in Outlook's drafts folder, and the ciphertext of the seed phrases in the drafts folder of all your email services, and then use another CipherCard to manage the passwords for all your mailboxes.

Doesn't that make sense?

The good news is that you are on the right track, the better news is that the rule is indeed simple.

Yes, you correctly understood that each index letter corresponds to the four optional substitutions around it, which is the way to counteract the frequency analysis, I use a 1-to-2 substitution table in password management, which has been calculated to prove validity, and I hope this 1-to-4 works better.

Here's a new tip:
Recovering a seed phrase requires information not only about the seed word itself, but also about the order of the words. Usually we write down the words in order, so we ignore the important information about the "position" of the words. If you encode the word's sequential number with the word, then each word and its sequential number form a "block" that can be placed out of order, which is a very important way to write seed phrases in secret.

I say the rule is simple because it uses one or two "blocks" of information about how to choose the cards (even the black ones need to be chosen because I may have several different sets of cards for myself, for different purposes, and sometimes they tend to get mixed up with each other), how to place them, and how to rotate the 4 substitution tables. Based on this information, 11 of the 12 combinations given can just be left alone and the correct one used to decode the remaining information.

It's not a simple substitution like that way, so please don't make the mistake of thinking that a=U, r=R, e=U, no, not that game.

It's like, you need a starting point.
Look closely at the two cards and what features each have on the front and the back, and these features will be used to uniquely determine the placement.
However, with an unknown placement, how can we determine which substitute table to use for decoding? This requires a default value.
That is our starting point.

Simplicity is beauty, and by decoding the ciphertext message from this simplest starting point, we can find out from it how the cards were chosen and placed, and how to use this 1-to-4 substitution table.

Then from the 12 possible ways of placement, we choose that combination we need to decode the rest of the cipher message, and since you already know the plaintext, it's easy to verify that the decoding is correct, and that's when you need a little bit of patience, and a little bit of luck.

Not necessarily, and the seed phrase here, surely, is in English.

In fact the puzzle is as simple as it is literally and needs no additional explanation.

You got plaintext, you got ciphertext, you got substitution table, and then you backpropagate from another ciphertext to another plaintext, and now you have two plaintexts, and you're the winner.

But not everyone here can figure out multisig wallets and BIP39, I guess.
So what's the harm in writing more?

Yes, I will of course follow up with some tips one by one, as I said earlier, the reverse derivation is not difficult, the point is to understand the forward process.

I just wrote a paragraph to explain why this puzzle challenge exists.
This card was originally designed as a multi-table substitution encryption for generating multiple high-strength passwords, initially as a one-to-two mapping.

But that's not safe enough if it's going to be used for seed phrases, so this time I've upgraded to a set of two cards, and as you can see, for each index letter, that now translates to four possible substitutions, which is a one-to-four multi-table substitution.

Think about it differently, what would you do if you were the one using such a one-to-four multi-table substitute encryption?
Would you leave yourself a hint: in what way should these two cards be placed? And in what order to use the four substitution tables once they've been placed?

Just a little additional explanation, not an official hint to solve the puzzle

I've been using PassCard to manage my strong passwords for over 8 years (with two or three versions iterated in that time). These passwords are used to sign up for various websites or services, and that's odd, I never thought of saving seed phrases in this way (considering I've been into bitcoin mining for 13 years now).

A chance encounter made me want to share my approach to password management, and I've even written an article about this approach, which I call the "Rule-Based Multi-Table Substitution Strong Password Management Method and Tool". In that article I compare the password management tools available on the market and give a lot of examples to illustrate what the "rule-based" approach is. I claimed that the security of passwords depends on the security of the rules, not the substitution tables. Even if the information on the PassCard is made public, it still doesn't compromise the security of all my passwords, and even if it is coupled with one password compromised by a phishing attack, it doesn't compromise the security of other passwords with the same rules and the same substitution table.

I realize I may have blown it a bit.

Using it myself is one scenario, and letting more people use it is another, the attack exposure increases so many times that I need to perform a more extensive security validation for the sake of prudence, but haven't been able to come up with a proper test plan.

Just about 1 month ago, I happened to see Asanoha's nostr post on the Seed Cipher, which I think is a tool/artifact related to seed phrase encryption, and he then launched a Puzzle challenge. By the way, that was a brute force cracking challenge that still has no challenger declared successful, anyone interested can learn about it from this link.

That inspired me, but there are still some differences between passwords and seed words, at the most basic level, (BIP39) seed words are limited to a 2048 word dictionary, and even including SLIP39 and Electrum, there are only 3210 selectable words, which makes brute force cracking considerably less difficult. In order to make rule-based multi-table substitution encryption work for seed words, I've made a simple upgrade to the CipherCard, which makes the two cards you just saw very different from the stainless steel one I had in my poket, and a new set of two cards (laser-cut + laser-engraved) is being customized to be received very soon, I think.

So I decided to put up 0.1 BTC to start this challenge, I'm not sure if that reward is attractive enough, after all there are hundreds of BTC worth of challenges out there. Let's see, maybe I'll pump more prizes into the pool, maybe someone else will offer a sponsorship to the pool, maybe this challenge will only survive for a week or two before it's cracked, who knows?

I just hope this challenge lasts a little longer, because I need time to update my article, add chapter about seed phrases, and also replace the pictures in the article with pictures of the new CipherCard so that all the examples I've given will need to be rewritten based on the new CipherCard as well.

As I said, security depends on the rules, not the information on the card, and even if this challenge is solved, it only means that the rules I set were too simple, and maybe I'll re-initiate a more difficult challenge with more complex rules while offering higher prizes, who knows?

If luck isn't on the challenger's side, I think I'll offer to end the game at some point, reveal the real method, share the revised and finished article to make this kind of method available to everyone for free, And maybe a little extra bonus for some of the active challengers/sponsors, who knows?

Great, you noticed that the ciphertext is split into 12 lines of 6 letters each, but that's just a misdirection to make you think that the 6 letters in each line correspond to exactly one seed word.
No, in fact, these letters contain more information, and as we all know, to record the BIP39 seed phrases, it's enough to record the first 4 letters of each seed word, so we have room to cram in more information that is necessary to perform substitution encryption.

It's not really hard to derive backwards, the point is to understand the process of going forwards.

Happy hunting

Thanks for the quote, I'm a de facto newbie here, although I've been in the industry for many years.

Later on I'll briefly tell a little story about why I started this challenge, which doesn't directly help solve the puzzle, but it allows one to cut through it in a different way.

Sorry, but this looks like an S1 scramble.

Basically, each private key exists uniquely, and it is rare for the seed phrases computed from it to have the same words but in a different order, especially when considering that part of the last word is the checksum value of the individual words that preceded it.

Yes, having the cards in your hand does make it more intuitive, but it's really just a matter of making "choice" rather than decoding and "moving", so I've put pictures of all 12 combinations at the end, hopefully that helps.

I appreciate your effort, but frequency analysis won't work well here because this isn't a simple Caesar Cipher, and also, since this seed phrase satisfies BIP39, there shouldn't be words outside of BIP39's seed words list.

Hey, guys.

Here's a challenge to win 10,000,000 sats, worth about $6,400 when posted here.

This is a reverse deduction puzzle, NOT a brute force one, nevertheless, any attempt at a brute force solution is welcome, and any analysis with the help of AI tools is also welcome.

The puzzle is as follows

---

1. Here's the BIP39 seed phrase named S1, and the 12 seed words are:

2. Here's a set of two cards called CipherCard used for encryption, the black card is a data card with a lot of substitution characters laser-engraved, and the silver card is covered with cut-out holes and index characters laser-engraved.


3. Now using the CipherCard as the picture shows to perform substitution encryption on the seed phrase S1, to get ciphertext C1 as follows:

---

You can claim the prize if you can derive the substitution RULE for converting from plaintext to ciphertext based on plaintext S1, ciphertext C1, and the CipherCard mentioned above.

Bitcoin transaction fees will be paid out of the prize, receiving the prize is completely tax-free in some countries, while in others you will be taxed when you exchange bitcoin for local fiat currency.

Here's How

---

Let's assume you've tried to recover this wallet by entering S1 plaintext into Electrum or whatever software/hardware wallet you prefer, if you're not sure about the derivation path, here's a hint:

Now you can see that the entire balance in this wallet was spent to a 2-of-3 multisig wallet address:
And this is our jackpot.
 
You already control the first Master Private Key of this multisig wallet because you know S1, you can easily verify that the first Master Public Key is:

If you're not sure about the derivation path of this multisig wallet, here's another hint:

To create an observation wallet, the other two Master Public Keys you need are as follows:

But to spend the balance of this 2-of-3 multisig wallet, you have to control at least one more private key, and the only information you can get about this second private key is the following ciphertext C2:

As mentioned, you have derived the substitution RULE for converting from plaintext to ciphertext by using plaintext S1, ciphertext C1, and CipherCard, it will not be difficult to invert plaintext S2 from ciphertext C2 and CipherCard.

When you get S1 and S2, you'd better sweep up all your prize at the first opportunity in case some other smart guy gets there first. After that, please take some time to detail your analysis process so I can improve the rules, thanks in advance.

The puzzle won't be too easy, requiring basic math knowledge about bitcoin and blockchain, a bit of patience, and a bit of luck. Yet it won't be too hard either, as you can see from the short ciphertext (compared to the plaintext), that I haven't used too many tricks to interfere with your analysis.

If you do put in a little effort but can't solve the puzzle, you can forward it to the guy you think is the smartest among the people you know and then share the prize with them.

Of course sponsoring this challenge is also appreciated, and I'm really thinking about how to give the challengers and sponsors a little surprise, any offers?

Additional useful information

---

Considering that not having a physical card in your hand will inconvenience you in recognizing and reading the substitution table, I list all the possible combinations regarding the stacked placement of the two cards below.




Have fun solving the puzzle, and, well, good luck!