Bitcoin Forum
Author Topic: Cold / Brain wallet security question  (Read 1778 times)
User705 (OP)
October 24, 2013, 01:01:06 AM
Last edit: October 24, 2013, 01:13:31 AM by User705
 #1

If I have a private key written down somewhere and for further security change one or more of the digits and then have the public address from the resulting private key written next to it.  How secure is that?  Would a brute force attack or any other attack be easier or no?  
Example private key  6108A178B39FF904C9F408741935554E042BDE257DB7F5621555175BACAC2A9C
Bitcoin Address        1GHVFk9HB2ke2UJsqTWWYiqVHemUyn8jTL

Dabs
October 24, 2013, 04:54:43 AM
 #2

One or more digits are different, but I have the rest of the private key? Someone is going to run a program against all the possibilities, and if it's below a few million someone will get the correct one.

Change more than one. Change maybe 30 digits.

User705 (OP)
October 24, 2013, 04:58:53 AM
 #3

Even if it's only one digit aren't the possible combinations just as large as any other random key?  Also an attacker doesn't know how many digits are changed.  The question is are there attack vectors that utilize the fact that the public address is visible along with at least part of the private key?

Dabs
October 24, 2013, 06:25:42 AM
 #4

He'll try everything. He might get lucky. I dunno about you, but I'd rather not display the private key at all. You're better off encrypting it before printing it.

klintay
October 24, 2013, 06:31:03 AM
 #5

How about if you remember the last four digits and the first four digits?? That might help... I am not a math whiz but that must be more than 1 million possibilities ;)
User705 (OP)
October 24, 2013, 06:46:05 AM
 #6

> He'll try everything. He might get lucky. I dunno about you, but I'd rather not display the private key at all. You're better off encrypting it before printing it.
It wouldn't be displayed it's more of an issue if it's a weak way to store on a computer in case it gets hacked.

Dabs
October 24, 2013, 07:35:54 AM
 #7

> > He'll try everything. He might get lucky. I dunno about you, but I'd rather not display the private key at all. You're better off encrypting it before printing it.
> It wouldn't be displayed it's more of an issue if it's a weak way to store on a computer in case it gets hacked.

If it's in cold storage offline, printed, you better put it somewhere you can physically control or protect, like a bank vault, or a safe at home, or buried under your house or something like that.

I put a bunch of private keys on paper, put it in an envelope, seal it, lock it in my office desk, behind a locked door, with an armed guard. I would know immediately if it has been compromised. If the building burns down though, I'll have to dig up my backup copy under ... wherever I hid it.

If it's on a computer, you had better have it in an encrypted container (such as TrueCrypt)... Or if you use the reference client or even Armory, you had better have a good strong password.

I dunno, you can never be too paranoid when it comes to bitcoins or even when it comes to fiat.

User705 (OP)
October 24, 2013, 07:40:13 AM
 #8

So if someone finds it you are SOL.  With my way you perhaps still have a chance.  And how much of a chance is the question.

Abdussamad
October 24, 2013, 07:46:39 AM
 #9

The best brain wallet is an electrum wallet. 12 words are all you have to remember.
inform
October 24, 2013, 09:22:48 AM
 #10

> One or more digits are different, but I have the rest of the private key? Someone is going to run a program against all the possibilities, and if it's below a few million someone will get the correct one.
>
> Change more than one. Change maybe 30 digits.

maybe all 700 symbols


i Rusia
just say what i do see this topic
morning
Double lol



Private key:     HFTFK&T^RTG#&HFG&#H(G*J*(#J*)TJ*JT*(HDG&(H#


After Procedure Masturbation key:   77777777777777777777777777777777777777





HaHaHa i very positive morning thanx plug brother
piotr_n
October 24, 2013, 10:01:03 AM
Last edit: October 24, 2013, 11:15:21 AM by piotr_n
 #11

> If I have a private key written down somewhere and for further security change one or more of the digits and then have the public address from the resulting private key written next to it.  How secure is that?  Would a brute force attack or any other attack be easier or no?
Now after you announced it; it is a security risk, but only if the attacker gets to know one of your private keys.
Then he will try to brute force the remaining ones by changing one or more of the digits.

Without disclosing any of your private keys, you should be safe; you can even use them in a sequence and it shouldn't matter.
I mean: assuming that there isn't any secret math behind ECDSA, that we don't know and they do.. which has been a concern.

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
User705 (OP)
October 24, 2013, 04:47:27 PM
 #12

> > If I have a private key written down somewhere and for further security change one or more of the digits and then have the public address from the resulting private key written next to it.  How secure is that?  Would a brute force attack or any other attack be easier or no?
> Now after you announced it; it is a security risk, but only if the attacker gets to know one of your private keys.
> Then he will try to brute force the remaining ones by changing one or more of the digits.
>
> Without disclosing any of your private keys, you should be safe; you can even use them in a sequence and it shouldn't matter.
> I mean: assuming that there isn't any secret math behind ECDSA, that we don't know and they do.. which has been a concern.
I'm not sure you are understanding me.  A regular brute force without knowing which digit or how many digits I changed is worthless since the total possible combinations should be exactly the same as a completely random number unless there is a relationship that can be derived from seeing a partial private key and a full public address next to it.  That's the question here. 

piotr_n
October 24, 2013, 07:27:34 PM
 #13

oh, right - sorry.
so you are asking whether publishing a part of your private key creates a security risk?
yes it does - even bigger if you publish a corresponding public key along with it.

in other words: never publish any parts of your private key - the bigger part you publish, the more risky it is that someone will find it.
publishing one or two bits probably would not change much, but from what I understand you only change "one or more of the digits", which makes you pretty much exposed.

Jesse James
October 24, 2013, 08:47:54 PM
 #14

If the private key is represented in hex and n characters are mutated then there are 64! * 15^n / (64 - n)! possibilities to search through.

The attacker knowing the address (or even the full public key) doesn't tell him anything beyond giving him a way to know if a private key guess is correct or incorrect.

Assume a hardcore attacker (one e.g. with a repurposed GPU mining rig) can test 14e9 keys for 1 USD, then here are the attack costs:

mutations   possibilities   cost to crack
-----------------------------------------
1           960             ~0
2           907e3           ~0
3           844e6           0.06 USD
4           772e9           55.14 USD
5           695e12          49652.86 USD


As you can see, changing at least 5 digits in totally random locations makes an attack prohibitively expensive.  However, most humans will make less than totally random choices about which characters to mutate ... e.g. if I were attacking someone who I suspected of using the scheme you described I would assume they would be more likely to mutate successive digits ... especially at  the very beginning or end.  E.g. if I knew for sure only the last 8 digits were mutated it would only cost 0.19 USD to check.
User705 (OP)
October 24, 2013, 09:59:25 PM
 #15

But if an attacker is unaware of which digit was changed or how many digits changed there is no way to deduce that from seeing the public address.  Is there?  Maybe I should send some BTC to the address to see if someone will crack it.

Jesse James
October 25, 2013, 04:26:42 AM
 #16

> But if an attacker is unaware of which digit was changed or how many digits changed there is no way to deduce that from seeing the public address.  Is there?  Maybe I should send some BTC to the address to see if someone will crack it.

That is true, but he is simply going to try all 1 mutation variations, then 2, ... then 3 ... up to whatever budget he's allocated for the attack.

No need to create a bounty ... the corrected version of your private key is:

6108F178B39FF904C9F408741935554E042BDE257DB7F5621555175BACAC2A9C


User705 (OP)
October 25, 2013, 05:16:36 AM
 #17

How did you go about figuring it out?  Also I guess Shrem is doing it wrong too.
http://www.wired.com/wiredenterprise/2013/03/bitcoin-ring/

Dabs
October 25, 2013, 06:26:48 AM
 #18

> 6108F178B39FF904C9F408741935554E042BDE257DB7F5621555175BACAC2A9C

> Example private key  6108A178B39FF904C9F408741935554E042BDE257DB7F5621555175BACAC2A9C
> Bitcoin Address        1GHVFk9HB2ke2UJsqTWWYiqVHemUyn8jTL

Well, there you go. That didn't take long. Make another one, and this time change 2 digits, or 3 digits, but don't tell us. Show the public bitcoin address as well. I'm sure someone will get to work on it.

Put a token bounty.

Then do another one where you change 5 digits, and another one with 8 digits. heheheheh.

Let's see how fast it will get cracked, then you will find your answer.

In other words, don't do this with actual bitcoins unless you do change at least 30 or more digits. (and then, you might as well change everything.) What I meant was your true bitcoin savings or stash.

Dabs
October 25, 2013, 06:29:24 AM
 #19

> How did you go about figuring it out?  Also I guess Shrem is doing it wrong too.
> http://www.wired.com/wiredenterprise/2013/03/bitcoin-ring/

1. You'd have to get him.
2. You'd have to get his finger, or the ring.

I don't think the father has that piece of paper anymore, and probably there is no other copy of that private key. A ring on a finger makes sense. You'd never lose it unless you got mugged or murdered.

adam3us
October 25, 2013, 08:57:27 AM
 #20

Well firstly the number of combinations of 2 transposed hex chars from a 256-bit (64 hex nibbles) is c(64,2) = 2016.  Secondly you need to swap about half the digits c(64,32)>2^64 for reasonable security and that will be really hard to remember, or not randomly chosen enough.

And thirdly for paranoia you probably don't want to do that directly :)  Because there are algorithms for finding discrete log knowing some of the digits, at least for non-EC discrete log.  So I think it would be safer to make x' the private key x'=H(shuffle(x)) and you publish shuffle(x).

In Shrem's case omitting one digit that's even worse - I presume they were in base58, so 44 chars, but actually you can use 128-bit private keys if you use them as a seed, then only 22 base-58 chars.

Then if Shrem missed one char there are 22 chars to choose from and each can hold 58 values 22*58=1276 which is laughably grindable.

I do like the private key on a physical object though.  Good unless you check out in a plane crash where the ring may get lost.  You want durable material, but I guess the jewelers know about that.

If you swap chars in 22 base-58 (128-bit private key) representation it's weaker still 231 combinations.

Adam

hashcash, committed transactions, homomorphic values, blind kdf; researching decentralization, scalability and fungibility/anonymity
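
An added example (not part of any post in this thread): a search-space estimate for the obfuscation schemes counted in posts #14 and #20, so the protection a scheme adds can be judged before relying on it. The function names are this example's own, and the 14e9 keys per USD rate is the assumption stated in post #14. `ordered=True` reproduces the figures in post #14's table, while the default counts each distinct key once.

```python
from math import comb, perm, log2

KEYS_PER_USD = 14e9  # attacker throughput assumed in post #14, not a measurement

def substitution_candidates(length, alphabet, n, ordered=False):
    """Keys differing from the written-down key in exactly n positions.

    ordered=True counts the positions as an ordered selection, which
    reproduces the figures in post #14; the default counts each key once.
    """
    positions = perm(length, n) if ordered else comb(length, n)
    return positions * (alphabet - 1) ** n

def cumulative_substitutions(length, alphabet, max_n):
    """Distinct keys an attacker covers by trying 1, then 2, ... max_n changes."""
    return sum(substitution_candidates(length, alphabet, k)
               for k in range(1, max_n + 1))

def transposition_candidates(length):
    """Keys reachable by swapping one pair of positions (post #20)."""
    return comb(length, 2)

def omission_candidates(length, alphabet):
    """Guesses to restore one omitted character, counted as in post #20."""
    return length * alphabet

def cost_usd(candidates):
    """Search cost at the rate assumed in post #14."""
    return candidates / KEYS_PER_USD

def added_bits(candidates):
    """Search effort the obfuscation adds, in bits (the key itself is 256 bits)."""
    return log2(candidates)

if __name__ == "__main__":
    print("changes  post#14 count  distinct keys  bits   cost (distinct)")
    for n in range(1, 9):
        distinct = cumulative_substitutions(64, 16, n)
        print(f"{n:7d}  {substitution_candidates(64, 16, n, True):13.3g}"
              f"  {distinct:13.3g}  {added_bits(distinct):5.1f}"
              f"  {cost_usd(distinct):.2f} USD")
    print("swap two hex digits (64):   ", transposition_candidates(64))
    print("swap two base58 chars (22): ", transposition_candidates(22))
    print("one omitted base58 char:    ", omission_candidates(22, 58))
```

The cumulative column matters for planning: the attacker does not need to know how many digits were changed, because trying every count up to n costs only slightly more than trying n alone.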