Is there a standard way to deterministically create your own private key?

[dscotese]

Suppose you have a long string of basically random data that you've already memorized.  Such strings are relatively easy to create through some simple memorization techniques: Start with the address number from where you lived as a child, then add the thing your street name reminded you of, then go to your childhood haunts and add stuff from them, favorite candy, codes or passwords with friends, then grow up a little to when you met a friend, add their name and then where you met them, or some subject that was important to you then... You create this journey that is easy for you to take and generates these bits of data along the way and you end up with a whole bunch of garbage data that is easy for you to memorize.

I assume that this long string of essentially garbage-to-everyone-else data be deterministically turned into a private key, but is there a standard method to do so?  For example, is there a feature that says "Enter data from which your private key can be derived through the [Standard data-to-private-key-algorithm-name] method."  While it encourages people to make themselves vulnerable (by using not-so-random data), it could easily provide a warning of some sort about how "complex" the data entered appears.

It would be nice to have a bitcoin address whose private key was stored nowhere but my brain... at least until I fire up a fresh bitcoin client and enter the long string of data in order to add that address to a new bitcoin wallet.

Perhaps you wonder Why not just use that memorized data to encrypt the random private key from the fresh bitcoin wallet?  Because you are then at risk of losing it by losing access to whatever device or devices you stored it on.  But really, even if someone made this capability completely useless, I'd still be curious about it.

[1713565958]

1713565958

[1713565958]

1713565958

[DannyHamilton]

Generally SHA-256 on the stream of data is sufficient.  If you want to slow down brute-force attempts, I suppose you could do a significant number of iterations of SHA-256 (maybe 10,000,000 iterations?

[grue]

third party bitcoin clients like armory has deterministic wallets that can be restored by a passphrase.

[theymos]

This isn't "standard", but I made a utility to properly hash data like that:
https://bitcointalk.org/index.php?topic=148620.0

Then you can turn the hash into an address using Bitcoin Address Utility, brainwallet.org, etc.

[CIYAM]

This is also something that might be of interest: http://ciyam.org/memory_key.html

It creates a code which you could then hash or use as a password for a brainwallet.

(for real use only offline of course)

[Dabs]

I prefer to use actual randomly generated passwords instead of seemingly random data that is connected to my life. We all know the usual guidelines of not using your dog's name, or your birthdate, anniversary date, any date for that matter. Banks routinely request publicly known or easily guessable information like mother's maiden name, social security numbers, or other numbers based on a public or government records.

I tried it a long time ago. I could generate 8 character passwords using dice rolls. I'd make one. Memorize it for a week. Make another one, memorize that next week. In about a month, I had managed to memorize 4 different 8 character passwords (alphanumeric with 1 symbol in each).

I could then combine them in several ways, but the most obvious is 1234 (each number represents 8 characters), which is a 32 character password. Or 2134, 2341, 1324, 4321, etc.

Each 8 character password was being used for 4 different online services, so they all stuck to memory without too much effort.

People do not compute pi to so many digits in their head, they memorize the sequence.

Try it. Start with 8 character password generated using dice rolls.

If I wanted to, I might be able to actually memorize 64 character passwords, but, even if I just stick to 16 (which is two 8 character passwords) I feel I am secure enough for the not too distant future.

More often, I now use software to generate passwords. Just pick one that you believe is reasonably secure, and generate it offline (or cold, as they say.)

[dscotese]

Generally SHA-256 on the stream of data is sufficient.  If you want to slow down brute-force attempts, I suppose you could do a significant number of iterations of SHA-256 (maybe 10,000,000 iterations?

Does every number with the right number of bits represent a valid private key?  That seems doubtful to me.

grue and theymos have the only answers which really address my question.  It seems there is no standard way, but Danny's method would work if you picked a number of iterations AND every SHA256 hash represented a valid private key (I suspect that most random strings of bits the same length as a SHA256 hash are NOT valid private keys, but I don't know enough about ECC to know - see my question above).

CIYAM has the right idea, but is severely hampering the process by providing prompts to the user.  The journey I take through my own memory is my own journey that I made up and no one can ever know about (at least not until they get brain-reading equipment), so even if they knew every intimate detail of my life, they still wouldn't know what data I used or what order it was in.

I like the idea of a deterministic wallet, though it makes it very easy for a user to make his wallet very insecure.

[theymos]

Does every number with the right number of bits represent a valid private key?

Yes. An ECDSA private key is just a random number.

[CIYAM]

CIYAM has the right idea, but is severely hampering the process by providing prompts to the user.  The journey I take through my own memory is my own journey that I made up and no one can ever know about (at least not until they get brain-reading equipment), so even if they knew every intimate detail of my life, they still wouldn't know what data I used or what order it was in.

Actually I should provide more detailed instructions - for example choose a memory that no-one knows about except yourself (e.g. you nearly forgot your anniversary whilst on holiday but luckily remembered and never told anyone about it) - it can only be as good as the effort you put into using it (and clearly you put in a lot of effort into your own approach).

[nimda]

Generally SHA-256 on the stream of data is sufficient.  If you want to slow down brute-force attempts, I suppose you could do a significant number of iterations of SHA-256 (maybe 10,000,000 iterations?

Does every number with the right number of bits represent a valid private key?  That seems doubtful to me.

Almost. Virtually every number, though a relatively small number of very large ones (and 0) do not work due to the technical details of ECDSA.

[Dabs]

Does every number with the right number of bits represent a valid private key?  That seems doubtful to me.

I think there is a range. I found it on the wiki: Specifically, any 256-bit number between 0x1 and 0xFFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFE BAAE DCE6 AF48 A03B BFD2 5E8C D036 4141 is a valid private key.

The range of valid private keys is governed by the secp256k1 ECDSA standard used by Bitcoin.

CIYAM has the right idea, but is severely hampering the process by providing prompts to the user.  The journey I take through my own memory is my own journey that I made up and no one can ever know about (at least not until they get brain-reading equipment), so even if they knew every intimate detail of my life, they still wouldn't know what data I used or what order it was in.

Computers can go through thousands or millions of whatever intimate detail of your life they may have, in thousands or millions of combinations or order. Per second. That's what password cracking is, essentially. They try every combination or order of every detail.

However, as we have seen, such is in diceware word lists, passphrases of 6 to 8 words are:
1. Easy to remember
2. Hard to crack the millions of possible combinations

Still, I personally prefer making completely random passwords. The popular comic book shows an example passphrase as "correct horse battery staple". My completely randomly generated password is more like a bitcoin private or public key in full. This is just my opinion, since I have been able to memorize passwords and passphrases, I just prefer passwords. It contains no link to my life, and I am sure no one else knows them.

More examples of passphrases:
mudd sort writhe five oat adapt
vary cloud mew area astral palm
kink kline pooh geese loin agenda
cheer roy sift amber vicar anode

Example of passwords:
8SUrKCNLdQeG9y7FZ8HMcqcqDhHO9Es1
x6YKPSdvGTcIKyCVPIFAplXrDCb6w8a8
mnVYJfFKu8zeO0Pw9Gv1a405InnzeDGr
A9rwxhJXoE3uD3GqHkjCayQ8jI7vxZKC

Note: I just made this up using software. But now that this is publicly posted, don't use these.

With those, the only recourse is pure brute force. With life details, well, even if it takes a long time, they might get lucky. And if they have you (or someone you love) then of course, rubber hose might work unless you are either willing to die for it, or willing to let someone else die for it. (Or they know you won't die for it, but you can't stand it anymore and break.)

[dscotese]

Does every number with the right number of bits represent a valid private key?  That seems doubtful to me.

I think there is a range. I found it on the wiki: Specifically, any 256-bit number between 0x1 and 0xFFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFE BAAE DCE6 AF48 A03B BFD2 5E8C D036 4141 is a valid private key.

The range of valid private keys is governed by the secp256k1 ECDSA standard used by Bitcoin.

Thanks!

... With life details, well, even if it takes a long time, they might get lucky. And if they have you (or someone you love) then of course, rubber hose might work unless you are either willing to die for it, or willing to let someone else die for it. (Or they know you won't die for it, but you can't stand it anymore and break.)

Well, the string of data I was talking about would look something like this:
kaiser4704libertybellspeedwobblehelmetwagonfootballericholmespeeweesoccerglasse sfacelymebaseballamazingpitcher.

That is far more random than all of the examples you provided.  Could I reproduce that on command?  Not right now, but after I read it a few times, it'd be snap for me.  Useless now since it's public, but a similar string of random memories is easy enough to create without using any of the data I already used above.

[CIYAM]

I used a simply picture linking memory technique to memorise a list of 20 basically random English words in just a few minutes.

By recalling the picture journey daily (without writing anything down) I was able to remember the list for a couple of weeks which was pretty impressive but now I can't remember much of that at all as I didn't keep it up so the important thing is to use memories that don't fade as at least an initial starting point (and recent memories are not a good choice).

[Dabs]

Precisely my point. If your life history word list is composed of less than 8000 words (like the diceware word lists), it can be brute forced. I don't want to attempt to prove it, but that's what dictionary attacks are based on. They are based on words, and combinations of words.

If the attacker gets your life word list, and they analyze it, and come up with even 1000 words to choose from, they are now in a much better position to attempt a brute force dictionary attack of combining the words. If you used only 2 words from those 1000, then the possibilities are 1000 * 1000. If you used something like diceware, then the possibilities are 8000 ^ 7 (for 7 words).

It is based on your life.

The examples I provided are not based on your life, and were generated completely randomly.

Of course, your own personal life history password is plenty secure, due to the number of words and the length of the entire sequence. But it is not random.

Perhaps there is a negligible difference - for all practical purposes, but a random number from 2^256 is a lot more than 2^200. I am merely using an arbitrary number to assign the entropy of bits in the life-phrase example.