Plausible Deniability: BIP-39 and Electrum Wallet

[butka]

In "Mastering Bitcoin" Andreas Antonopoulos talks about seed derivation in a BIP-39 compatible wallet (e.g., Trezor) from a mnemonic phrase + salt.

The mnemonic (typically 12 words phrase) is derived for you automatically by the wallet. (Or you can provide it yourself as discussed in this post.) The standard allows adding some salt words at the end, and then the seed is generated. It is derived by repeatedly hashing the combination of mnemonic phrase + salt with a key stretching function called PBKDF2.

Code:

PBKDF2(mnemonic phrase + salt)=seed 

The principle is illustrated in this image [1]:

Every salt we choose to extend the initial mnemonic phrase yields a different seed, which means each time a totally different (HD) wallet is obtained with different public and private keys.

Andreas Antonopoulos mentions the possibility to use this salting procedure to create a situation with 2 wallets derived from the same mnemonic phrase. This will serve as a form of plausible deniability to help us protect our wallet in case of attack.

Here is what he says:

A form of plausible deniability or "duress wallet," where a chosen passphrase leads to a wallet with a small amount of funds used to distract an attacker from the "real" wallet that contains the majority of funds. [1]

Now, Electrum does not follow the BIP-39 standard, but we can use more or less the same trick with Electrum as well.

Here is how I think it could work (please feel free to correct me if this guide is wrong at some point):

Step by Step Guide for Electrum

In principle, we can use one and the same computer with the same Electrum installation, but it is much better to have Electrum installed on 2 computers: computer A which can be air gapped and serve for cold storage and computer B - any other computer.

Computer A

1. Here we create the wallet that will keep the majority of our funds. It should preferably be on an air gapped computer. Verify your Electrum installation files (if you don't know how, here is a guide how to do that on Windows and LInux).  Check "Standard wallet" and click "Next"

2. Choose "Create a new seed" and click "Next"

3. For Seed type choose "Standard" and click "Next"

4. Write down the mnemonic phrase

5. Then choose Options and mark the checkbox like this:

6. Enter the passphrase you are going to extend your mnemonic with.

I think you can choose something easy to remember, it doesn't have to be a complicated password. The point here is not to increase the entropy or improve the cryptographic security. The point is to create a totally different wallet from the same initial mnemonic phrase.

7. Now confirm the seed

8. Then confirm the passphrase

9. You may encrypt the wallet if you like

At this point, it is important NOT to confuse the wallet encryption with the mnemonic seed extension from the previous steps. They are two very different things with two different purposes.

10. Now you have installed your real wallet on the air gapped computer.

Computer B

11. Go to the other computer, probably the one you use daily.

12. Rather than creating a new seed, choose "I already have a seed"

13. Enter the same mnemonic from before, but now don't click on "Options" and don't extend it with a passphrase.

14. Finish the remaining steps and again, you can encrypt this wallet too if you like.

Similar procedure can be followed for a BIP-39 type of wallet.

What have we achieved?

We have created 2 wallets from the same initial 12 words. They hold different keys and different addresses, which is easy to check.

Our real wallet with (hopefully) significant funds is extended with a passphrase.

The other, decoy wallet, is not extended at all. It may hold small amount of funds which you can afford to lose in case of attack.

Say someone (a possible attacker) came into possession of your mnemonic. After all, there's no other way but to keep this phrase on paper (or in memory which can be risky).

So, in case of attack, you can give the attacker access to your fake wallet, while your main wallet remains protected.

You can also feel more at ease, having several copies of your mnemonic at different locations, and knowing that compromising the security of your mnemonic is not the end of the world.

I would appreciate your thoughts, and especially if there's something that is not done correctly.

Reference:

[1] https://github.com/bitcoinbook/bitcoinbook/blob/develop/ch05.asciidoc

[1715130486]

1715130486

[1715130486]

1715130486

[1715130486]

1715130486

[1715130486]

1715130486

[pooya87]

So, in case of attack, you can give the attacker access to your fake wallet, while your main wallet remains protected.

sorry but i can't help but remember this meme:


in reality if someone really attacks you, they know you own certain amount of bitcoin. lets say you are CEO of a company who owns 50000BTC. being attacked means a gun to your head. and in that situation when you give the attacker your "decoy" he is going to see it is empty and will beat you until you give up the password too so he can get that 50kBTC!
in other words your deniability is not so plausible

[butka]

being attacked means a gun to your head. and in that situation when you give the attacker your "decoy" he is going to see it is empty and will beat you until you give up the password too so he can get that 50kBTC!
in other words your deniability is not so plausible

Great point there. I guess my intention was more to test the principle than to provide a real life example. The CEO with that amount of BTC will have to come up with more elaborate schemes to protect their money. Maybe they can split the funds something like 90:10, 80:20, ...?

[TheQuin]

Great point there. I guess my intention was more to test the principle than to provide a real life example. The CEO with that amount of BTC will have to come up with more elaborate schemes to protect their money. Maybe they can split the funds something like 90:10, 80:20, ...?

I would agree with pooya87 that this is unlikely to be of any practical use. It's an interesting theoretical exercise for nerds though. I reality using multisig wallets that require a number of different individuals to all sign a transaction is the preferred option for these large companies. Then the $5 wrench attack is far more difficult to achieve.

[pooya87]

being attacked means a gun to your head. and in that situation when you give the attacker your "decoy" he is going to see it is empty and will beat you until you give up the password too so he can get that 50kBTC!
in other words your deniability is not so plausible

Great point there. I guess my intention was more to test the principle than to provide a real life example. The CEO with that amount of BTC will have to come up with more elaborate schemes to protect their money. Maybe they can split the funds something like 90:10, 80:20, ...?

the CEO might have been an exaggerated example. in a case like that you want to hold your funds in a multi signature wallet as @TheQuin said above. which is mostly because there are more than one owners or a board but also because of the increased security and the fact that you keep the keys separated from each other.

[butka]

@pooya87, @TheQuin, Thanks for the suggestion. Multi signature wallets are something I've never considered before (probably because I don't have large funds to protect ), but I would definitely have to look into the principles of their operation next. Just off the top of my head (and somewhat off topic), how do you choose the individuals to co-sign with you?

[TheQuin]

Just off the top of my head (and somewhat off topic), how do you choose the individuals to co-sign with you?

That's really going to be dependant on the individual situation. An example would be a company with 2 partners might choose someone they both trust to be the third person using a 2 from 3 multisignature wallet. A larger organisation would select certain members of the board or high-level management. Bitfinex is an example of that, they use 4 from 7 in different locations.

https://support.bitfinex.com/hc/en-us/articles/213892469-Bitfinex-Security-Features

Cold Wallet
Our cold storage maintains approximately 99.5% of user funds in an offline, multisignature wallet; requiring 4 of 7 hardware security modules (HSMs) in possession by globally-distributed management team members to approve all transactions. In the event an administrator is compromised and forced to log into the platform, a single HSM would not be sufficient to initiate transfer of funds. The challenge to acquire enough of these devices to access cold storage is tantamount to impossible.

For an individual, you would just store the keys in separate locations. Use a safety deposit box or ask a trusted family member to look after it.

[buwaytress]

Yeah, I did come across this some months back too (although strangely I'd already read that great work by Andreas) and thought it was a fantastic way to have a decoy wallet at the very least: 1 without the salt to hold some transactions, regularly receiving and sending and somewhat known to others as a wallet to identify yourself... but the wallet without the salt would have to be absolutely secret and only known to you, to be effectively "denied".

But yeah, if anyone somehow knew that you owned an estimate figure, showing them wallets that don't correspond simply won't be enough to deter the hammer from coming down hard on your knuckles.