NoBrainr - a secure and transparent cold address generator in 1024 bytes

[flatfly]

A 90-bit passphrase, *IF* randomly generated (as this script is doing), has
NEVER been cracked and it will most likely not be in our lifetimes.

Bitcoin has now done ~2^74 hash operations. I'm reasonably confident that it will do 2^90 of them in my lifetime, I am not confident that it will be the only 2^90 search.

Yes bitcoin has done 2^74 operations but at what total cost? In the tens or hundreds of millions USD, if I'm not mistaken.  

Also the workfactor to break one of your 90 bit keys is less than 2^90 the moment two of your keys have been used... If your scheme were widely used, it would be much easier to find one at random. It may also turn out that your RNG is less uniform than believed and after careful analysis doesn't require a 2^90 search to match even a single key.

The script is feeding straight from /dev/urandom (SystemRandom in python). That's easy to verify from the 25-line source code.  It will also support another randomness method that totally bypasses the OS provided RNG, which should cater to the most paranoid amongst us...

In general symmetric cryptography applications 128 bits has arisen as a general standard. Is 128 meaningfully better than 90?  Is it meaningfully better than 120? Meaningfully better than 65?  Part of the purpose of having a standard size is so that you don't have to constantly engage in a complicated tradeoff discussion: you just demand that everything is 128 bits.

The objective of this tool is to provide keys that can be remembered by a normal human being and can't be cracked easily. 2^90 achieves this, which is also the view that many password strength experts hold (eg: agilebits, diceware, Schneier, us gov internal recommendations, etc)

Also as stated earlier, just changing one digit in the code makes it generate much stronger passphrases, if required for whatever reason or belief.

Your scheme also only generates a single address, so users are stuck reusing it, compromising their privacy.

This is a well-known brainwallet limitation that affects all commonly used brainwallet generators (bitaddress, brainwallet.org, etc). This is why it is recommended to use a brainwallet address only once (just like any other bitcoin address, really). At least NoBrainr provides random generation for brainwallets, which the other approaches don't, and provides strong 90-bit + keys, compared to the 30 to 40 bit (song lyrics, poems, etc) that many people use to generate their brainwallets on those sites. The slightly confusing thing with the "brainwallet" moniker is that it is actually just one address, so not a wallet in the regular bitcoin-client sense.

This is part of the reasons that only advanced users should even consider using brainwallets, and only after researching them properly.

Is 128 bits more to memorize than 90? Yes. But relying on memorizing keys which can never be recovered via any other means is already skating on thin ice. People are used to it being possible to recover access if you forget— though sometimes with great effort. Crypto is different. Memory is just reliable enough for its unreliability to be surprising, especially since you don't remember all that you've forgotten by definition.

Of course, once you're up to that size you could just use the scheme electrum uses (or the one that it will use). Of course, the implementation isn't 1024 bytes— but neither is yours: The dictionary is an utterly essential part of the implementation.

Of course the dictionary is essential, but the point is that 1024 bytes / 25 lines of code makes NoBrainr orders of magnitude easier to audit and review, compared to any other alternative. This can make all the difference for non-developers or anyone who doesn't have days to waste just to make sure nothing malicious is going on in the source code.

[1714126055]

1714126055

[1714126055]

1714126055

[flatfly]

Just a little example to help measure and understand the safety of a 7-word NoBrainr brainwallet more intuitively:

consider a random 15-character password with upper case, lower case, and digits.
For instance:  uhTmb41M5k9ijWr

this is 89-bit strong (but hard to remember): log((26+26+10)^15,2) == 89.31294465580312
(2^89 = 7.82 x 10^26)

Test it at:
https://www.grc.com/haystack.htm

Time required by Massively Cracking Array Scenario:
 (Assuming one hundred trillion guesses per second)   
-> 2.48 thousand centuries

At 90 bits, any 7-word NoBrainr brainwallet is at least as safe:
 log(7776^7,2) == 90.47368752524046

Code:

1LGHodpRUXaE4q3Z3LiHSU8TT7czxsxccc == salt dorm reduce fab! truck kind pi!

[whiskers75]

Could someone with a Raspberry Pi try it out and let me know if it works fine? That would be great.

Code:

whiskers75@WhiskPi ~$ python NoBrainr.py 
13PVpJfC1umtPybToQdPbAx81ayqLgzxbU == gnaws smoke amount styx stem spam sews

[flatfly]

Could someone with a Raspberry Pi try it out and let me know if it works fine? That would be great.

Code:

whiskers75@WhiskPi ~$ python NoBrainr.py 
13PVpJfC1umtPybToQdPbAx81ayqLgzxbU == gnaws smoke amount styx stem spam sews

Great news! Thanks for trying it

[flatfly]

OK, version 1.052 is out, which has a much-improved dictionary (again!) and adds support for one of the cheapest forms of physical randomness available: dice!   This is the simplest way to apply the diceware method to bitcoin address generation and be totally free of any potentially backdoored RNG.

Required equipment: Six Five regular dice. Or, just one, but five is much more fun, really

To generate a secure storage address using dice, simply throw them and record the result on the NoBrainr command line as shown below. 5 throws yield a word. Example of a 90-bit strong (seven words) address generated by throwing dice:

Code:

07/11/2013 15:29:32.27> nb_create 35412 13263 66533 45163 13165 41255 62216
18FmQmp5EezkXUv22ZY2PeCpsdAuN1aGV1 == knobs bands future pens bacon aliens unix

Another example: this one's a ridiculously strong 130-bit (10 words) address:

Code:

Thu 11/07/2013 21:36:21.37> nb_create 23541 25631 55422 25321 56411 53151 42323 55221 16246 52131
1FkDV5eRKsoaQfbtb32rfsLLoTWZ1BWjff == duly flop store fennel tear seems mixes 789 ssd roomy

Enjoy!

It would be nice if somebody could make a little video tutorial, or blog post out of this at some point

PS: GPG signatures coming soon.

[dserrano5]

I know one of NoBrainr's selling points is its reduced size, however: is there any chance to get BIP38 encryption into the mix? Being able to generate an encrypted privkey from real life entropy would be really nice. Right now bitaddress.org doesn't support encrypting arbitrary keys so we can't generate a key with NoBrainr and feed it to ba.org to encrypt it.

[RoxxR]

Any chance you could release a commented version of the script? Would be great for educational purposes.

[gmaxwell]

Of course the dictionary is essential, but the point is that 1024 bytes / 25 lines of code makes NoBrainr orders of magnitude easier to audit and review, compared to any other alternative.

Not so, it just means that the security is outsourced.  E.g. your security depends on python randrange doing the right thing. Look how well that worked out for that PHP bitcoin shopping cart interface package.

This is a well-known brainwallet limitation that affects all commonly used brainwallet generators [...] At least NoBrainr provides random generation for brainwallets, which the other approaches don't, and provides strong 90-bit + keys

Electrum provides a whole wallet, and an easily memorable, strongly generated, 128 bit key which also has strengthening to help preserve security even if someone shoulder surfs the key.  Electrum has an enormous number of users.

[flatfly]

Of course the dictionary is essential, but the point is that 1024 bytes / 25 lines of code makes NoBrainr orders of magnitude easier to audit and review, compared to any other alternative.

Not so, it just means that the security is outsourced.  E.g. your security depends on python randrange doing the right thing. Look how well that worked out for that PHP bitcoin shopping cart interface package.

Mersenne Twister? That was definitely a pretty poor choice for a cryptographic RNG...
Are you aware of any flaws with python's randrange?  Electrum is using it too, IIRC.
EDIT: Electrum seems to be using the ecdsa randrange.

This is a well-known brainwallet limitation that affects all commonly used brainwallet generators [...] At least NoBrainr provides random generation for brainwallets, which the other approaches don't, and provides strong 90-bit + keys

Electrum provides a whole wallet, and an easily memorable, strongly generated, 128 bit key which also has strengthening to help preserve security even if someone shoulder surfs the key.  Electrum has an enormous number of users.

Certainly Electrum is a great client, but the latest versions have been a little unstable, the codebase is growing at fast rate and hard to constantly review, and wallets generated with it unfortunately can't be  
used in other clients (yet.)  That said, of course I'm not claiming that NoBrainr can compete with a full-fledged client.

[flatfly]

I know one of NoBrainr's selling points is its reduced size, however: is there any chance to get BIP38 encryption into the mix? Being able to generate an encrypted privkey from real life entropy would be really nice. Right now bitaddress.org doesn't support encrypting arbitrary keys so we can't generate a key with NoBrainr and feed it to ba.org to encrypt it.

The BIP38 spec is still not final and has been reported to be a little flaky on slower devices.
We have no plans to implement this right now, although it certainly has a lot of potential.

[flatfly]

Of course the dictionary is essential, but the point is that 1024 bytes / 25 lines of code makes NoBrainr orders of magnitude easier to audit and review, compared to any other alternative.

Not so, it just means that the security is outsourced.  E.g. your security depends on python randrange doing the right thing. Look how well that worked out for that PHP bitcoin shopping cart interface package.

Mersenne Twister? That was definitely a pretty poor choice for a cryptographic RNG...
Are you aware of any flaws with python's randrange?

I'm not aware of any flaws with python's randrange. But I haven't reviewed the code for it, either. I'd say it's misleading to say that there are only 25 lines of code to review.

Yes, of course all applications re-use existing code to a certain extent. Perhaps I should have said 25 "unique" or "non-library" lines of code.

That said, I don't think there are many open-source projects that receive more expert scrutiny than Python, and especially its security related libraries. I for one consider it even more trustable and robust than any major web browser.

Also, there's a new bounty program that gives you nice rewards (starting at USD 5000, IIRC) for finding a security bug anywhere in Python (and reporting it responsibly.)

I'm still looking for something really simple that runs on stock ubuntu and can give me a private key in WIF format and a public address, given a sha256 hash.

So far it looks like bitaddress.org in offline mode is going to be the best I can do.

I'm surprised you couldn't find any such tools. I thought I'd seen some on this forum. Actually, this should be rather quick to cook up in a few lines of Python as well. I guess it would take me a day or two to do it, if you're ok with the ecdsa dependency - it's much smaller than the bitaddress source code anyway.  

[EDIT] Just some additional info on the python ecdsa library that we are using:
  it is part of the official python repository,
  it is maintained by a non-anonymous Mozilla engineer
  it is getting close to 200,000 downloads per month
  it is extensively used by Electrum
  it is very small
  
[EDIT2] Check out the hexwif script by bkkcoins on github. It's just 10 lines and has no dependencies, but only outputs the WIF - for the bitcoin address you would still need to use ecdsa.

[Financisto]

Nice app.

Congratulations!

Just posted an idea here https://bitcointalk.org/index.php?topic=251037.msg3526933#msg3526933 that might give you (or anyone else) some additional insights! 

Keep up the good work in order to provide security enhancement to brainwallets.

[flatfly]

Nice app.

Congratulations!

Just posted an idea here https://bitcointalk.org/index.php?topic=251037.msg3526933#msg3526933 that might give you (or anyone else) some additional insights! 

Keep up the good work in order to provide security enhancement to brainwallets.

Thanks, we'll check it out.

[flatfly]

New release of NoBrainr: 1.07

Main changes:
 - improved handling of "leading 1s" in bitcoin addresses
 - removed *tons* of obscure words from dictionary


GPG sig for Windows executable:

Code:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQBSi/7m0dQqIfkZdf4RAsxhAJ4gvGNpwo3p0ym9Sg0byML1aP9KDgCePFLq
FAAM1SPBdnsYAkQPkiX6TO8=
=6JDj
-----END PGP SIGNATURE-----

[Dabs]

Suggestions:

1. Have it print or save the private key in WIF format as well, as an option.
2. Make it generate compressed keys (private keys begin with letter L or letter K instead of number 5.)

If size is a problem (to fit in 30 lines), make it a separate app?

[flatfly]

Suggestions:

1. Have it print or save the private key in WIF format as well, as an option.
2. Make it generate compressed keys (private keys begin with letter L or letter K instead of number 5.)

If size is a problem (to fit in 30 lines), make it a separate app?

Great suggestions. We'll look into that - or anyone can contribute a patch, of course.

Also you may want to have a look at Urandom2Wif - it has a small WIF format function (courtesy of JeromeS), which could very easily be added to NoBrainr:
 https://bitcointalk.org/index.php?topic=338219.0  

[flatfly]

Suggestions:

1. Have it print or save the private key in WIF format as well, as an option.
2. Make it generate compressed keys (private keys begin with letter L or letter K instead of number 5.)

If size is a problem (to fit in 30 lines), make it a separate app?

Great suggestions. We'll look into that - or anyone can contribute a patch, of course.

Also you may want to have a look at Urandom2Wif - it has a small WIF format function (courtesy of JeromeS), which could very easily be added to NoBrainr:
 https://bitcointalk.org/index.php?topic=338219.0  

Shouldn't this sort of application be using /dev/random rather than /dev/urandom?

It's a good question, and one which I've actually researched quite a bit. I won't elaborate on this too much right now, but the short answer is no - it doesn't make a difference in practice, at least for this tool.

[moderate]

Suggestions:

1. Have it print or save the private key in WIF format as well, as an option.
2. Make it generate compressed keys (private keys begin with letter L or letter K instead of number 5.)

If size is a problem (to fit in 30 lines), make it a separate app?

Great suggestions. We'll look into that - or anyone can contribute a patch, of course.

Also you may want to have a look at Urandom2Wif - it has a small WIF format function (courtesy of JeromeS), which could very easily be added to NoBrainr:
 https://bitcointalk.org/index.php?topic=338219.0  

Shouldn't this sort of application be using /dev/random rather than /dev/urandom?

It's a good question, and one which I've actually researched quite a bit. I won't elaborate on this too much right now, but the short answer is no - it doesn't make a difference in practice, at least for this tool.

You might not want to elaborate too much, but at least elaborate a little then.

I will start it. urandom may reuse the entropy pool or whatever else a specific OS might want to do to ensure a call to that never blocks. Why do you say it doesn't make a difference when compared to /dev/random which doesn't reuse the pool and is thus considered safer for crypto purposes ?

[Dabs]

I'm guessing, this should be run offline. When you turn off the offline computer immediately after generating the cold wallet address, then how much does the reuse of entropy pool matter?

Let it run a few hundred times, pick one or two in the middle and use those.

I still prefer the compressed private key shown in WIF (with corresponding compressed public key or bitcoin address.)

[moderate]

When you turn off the offline computer immediately after generating the cold wallet address, then how much does the reuse of entropy pool matter?

That has no meaning whatsoever.