Bitcoin Forum

Topic: Electrum: the blockchain is the cloud (Read 15969 times)
ThomasV (OP)
November 16, 2011, 02:15:50 PM
Last edit: December 16, 2011, 08:48:13 PM by ThomasV
#1

The new Electrum Bitcoin client uses a deterministic wallet. This allows users to recover their complete list of addresses and transaction history from a secret seed (except for labels, which are not stored in the blockchain).

For the moment this feature allows users to restore their wallet in case of loss, or to easily transport their wallet to another machine. However, it does not automatically synchronize a wallet that is being used on two different machines. I would like to add this functionality. This would very much resemble "cloud" services.

The idea, of course, is to use the blockchain as the only source of information; we do not want users to be tied to a third-party storage.

In order to achieve this, the client needs to watch the next addresses that are going to be used in its deterministic sequence. The Electrum wallet actually uses two distinct sequences: one for receiving addresses, one for change addresses. The sequence of receiving addresses might contain gaps (unused addresses), and the maximal size of these gaps is a parameter set by the user. The sequence of change addresses does not have gaps.

The problem of synchronization between two wallets is the following: If bitcoins are received at one of the addresses that are at the end of the current sequence, then the client needs to extend that sequence, in order to know whether the next addresses have been involved in transactions. For this, the client needs to generate new private keys, and therefore it needs the user's password.

So, we are left with the following dilemma: should the client pre-generate the next 100 addresses of its sequence and store them, or should it occasionally ask the user for his password when the wallet receives some bitcoins? Both solutions seem awkward to me. Is there a third solution?

UPDATE: this question has been answered below. Version 0.34 of Electrum implements a "type 2" wallet and multiple instances of the same wallets are synchronized automatically.

Electrum: the convenience of a web wallet, without the risks
jim618
November 16, 2011, 06:51:32 PM
#2

What exactly is a sequence?
Is it something like a process that can make a new address A(n+1) from A(n) that is valid for a fixed, maximum number of n?

If it is, is there any mileage in having a "sequence sequence" / a "synchronisation sequence" so that one client can effectively say:

"I have run out of addresses I can create from my current sequence, can we move onto the next one please?"
and then any other client can see the switch to a new sequence and move in step.

If there is a finite length you can safely create in a sequence you will, of course, run to the end of a "synchronisation sequence" but that will be O(n^2) and hence not too frequent.


MultiBit HD   Lightweight desktop client.                    Bitcoin Solutions Ltd   Bespoke software. Consultancy.
Maged
November 17, 2011, 01:17:29 AM
Last edit: November 17, 2011, 01:42:47 AM by Maged
#3

Quote from: ThomasV
The problem of synchronization between two wallets is the following: If bitcoins are received at one of the addresses that are at the end of the current sequence, then the client needs to extend that sequence, in order to know whether the next addresses have been involved in transactions. For this, the client needs to generate new private keys, and therefore it needs the user's password.

So, we are left with the following dilemma: should the client pre-generate the next 100 addresses of its sequence and store them, or should it occasionally ask the user for his password when the wallet receives some bitcoins? Both solutions seem awkward to me. Is there a third solution?
Yes: Use a different type of deterministic wallet - one that takes advantage of the properties of ECC keys:
https://bitcointalk.org/index.php?topic=19137.0

In a nutshell: that allows you to determine a large number of future public keys by just using a master public key that is based off the master private key. Yes, reading that made my head explode.

Also....

WARNING: This Bitcoin client does not check that an address is valid before sending to it. Use copy and paste ONLY until this is resolved.

For more info:
https://bitcointalk.org/index.php?topic=52035.msg621172#msg621172
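The scheme Maged points to, as an added example that is not part of the original thread or of Electrum's code: a toy secp256k1 implementation in which every receiving and change address is derived from the master public key alone (pub_n = mpk + H(n:for_change:mpk)*G), so a second wallet instance can extend both sequences described in the opening post, honouring the receiving-sequence gap limit, without ever needing the password. The hash encoding, the stand-in address function and the sample chain state are assumptions constructed for this example.

```python
import hashlib
# secp256k1 domain parameters (public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p, q):
    # Affine point addition; None stands for the point at infinity.
    if p is None: return q
    if q is None: return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0: return None
    if p == q: lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else: lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def ec_mul(k, pt):
    # Double-and-add scalar multiplication (toy code: not constant time).
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def tweak(mpk, n, for_change):
    # Public offset for slot n: double-SHA256("n:for_change:" || mpk). The encoding is an assumption.
    data = f"{n}:{int(for_change)}:".encode() + mpk[0].to_bytes(32, "big") + mpk[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big") % N

def child_pub(mpk, n, for_change):      # needs only the master PUBLIC key: pub_n = mpk + tweak*G
    return ec_add(mpk, ec_mul(tweak(mpk, n, for_change), G))

def child_priv(master_priv, mpk, n, for_change):   # needs the secret: priv_n = master_priv + tweak
    return (master_priv + tweak(mpk, n, for_change)) % N

def addr(pub):
    # Stand-in for a Bitcoin address (real ones use hash160 + base58): 16 hex chars of SHA256(x||y).
    return hashlib.sha256(pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big")).hexdigest()[:16]

def scan(mpk, used, gap_limit):
    # Watch-only sync: the receiving sequence grows until gap_limit unused addresses in a row;
    # the change sequence has no gaps, so it stops at the first unused address.
    receiving, gap = [], 0
    while gap < gap_limit:
        a = addr(child_pub(mpk, len(receiving), False))
        receiving.append(a)
        gap = 0 if a in used else gap + 1
    change = []
    while (a := addr(child_pub(mpk, len(change), True))) in used:
        change.append(a)
    return receiving, change

def demo(gap_limit=2):
    # Constructed state: the owner's secret, and a chain in which receiving slots 0,1,3 and change slots 0,1 saw coins.
    master_priv = int.from_bytes(hashlib.sha256(b"constructed seed").digest(), "big") % N
    mpk = ec_mul(master_priv, G)
    used = {addr(child_pub(mpk, i, False)) for i in (0, 1, 3)} | {addr(child_pub(mpk, i, True)) for i in (0, 1)}
    rec, chg = scan(mpk, used, gap_limit)   # a second instance does this with mpk alone, no password prompt
    return len(rec), len(chg)               # -> (6, 2)
```

The spending instance derives priv_n with child_priv and the two derivations agree, since (master_priv + t)*G = mpk + t*G; anyone holding mpk can therefore link all of the wallet's addresses, which is the privacy cost of the scheme.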

finway
November 17, 2011, 01:21:49 AM
#4

I think a deterministic wallet is a bad idea.

Think about online banks: do they use your passphrase to generate keys? Of course not, that's stupid.

Keys are keys, and passphrases are passphrases. Your keys are stored on USB keys, and protected by a passphrase and the third party: the BANK.


ThomasV (OP)
November 17, 2011, 01:23:52 AM
#5

Quote from: Maged
Use copy and paste ONLY until this is resolved.
Well, this was resolved before your post...

ThomasV (OP)
November 17, 2011, 01:26:12 AM
#6

Quote from: Maged
Yes: Use a different type of deterministic wallet - one that takes advantage of the properties of ECC keys:
https://bitcointalk.org/index.php?topic=19137.0

In a nutshell: that allows you to determine a large number of future public keys by just using a master public key that is based off the master private key. Yes, reading that made my head explode.
Nice. Thanks for that link.

MoonShadow
November 28, 2011, 06:22:19 AM
#7

I see a potential problem with any phrase-based deterministic wallet. It reduces the namespace of an attacker trying to force an address collision by searching for English phrases in the same way that a dictionary attack works against common passwords. It's more than conceivable to have an accidental collision as well, if two fans of classical lit both choose "Call me Ishmael" or more than one Tolkien fan chooses the same quote from TLOTR. Hell, an attacker who was just using the King James version of the Bible would get quite a few hits from Christians using their favorite verses. It would be better to do it in reverse, by having the client generate a random number sequence and translating that into a set of English words that can be printed, saved as an encrypted file to be stored elsewhere, or memorized.

"The powers of financial capitalism had another far-reaching aim, nothing less than to create a world system of financial control in private hands able to dominate the political system of each country and the economy of the world as a whole. This system was to be controlled in a feudalist fashion by the central banks of the world acting in concert, by secret agreements arrived at in frequent meetings and conferences. The apex of the systems was to be the Bank for International Settlements in Basel, Switzerland, a private bank owned and controlled by the world's central banks which were themselves private corporations. Each central bank...sought to dominate its government by its ability to control Treasury loans, to manipulate foreign exchanges, to influence the level of economic activity in the country, and to influence cooperative politicians by subsequent economic rewards in the business world."

- Carroll Quigley, CFR member, mentor to Bill Clinton, from 'Tragedy And Hope'
ThomasV (OP)
November 28, 2011, 06:36:47 AM
#8

Quote from: MoonShadow
I see a potential problem with any phrase-based deterministic wallet. It reduces the namespace of an attacker trying to force an address collision by searching for English phrases in the same way that a dictionary attack works against common passwords. It's more than conceivable to have an accidental collision as well, if two fans of classical lit both choose "Call me Ishmael" or more than one Tolkien fan chooses the same quote from TLOTR. Hell, an attacker who was just using the King James version of the Bible would get quite a few hits from Christians using their favorite verses. It would be better to do it in reverse, by having the client generate a random number sequence and translating that into a set of English words that can be printed, saved as an encrypted file to be stored elsewhere, or memorized.

The Electrum client generates a 128-bit random sequence and translates it into a set of English words...
See https://bitcointalk.org/index.php?topic=51397.0

MoonShadow
November 28, 2011, 04:19:30 PM
#9

Quote from: ThomasV
Quote from: MoonShadow
I see a potential problem with any phrase-based deterministic wallet. It reduces the namespace of an attacker trying to force an address collision by searching for English phrases in the same way that a dictionary attack works against common passwords. It's more than conceivable to have an accidental collision as well, if two fans of classical lit both choose "Call me Ishmael" or more than one Tolkien fan chooses the same quote from TLOTR. Hell, an attacker who was just using the King James version of the Bible would get quite a few hits from Christians using their favorite verses. It would be better to do it in reverse, by having the client generate a random number sequence and translating that into a set of English words that can be printed, saved as an encrypted file to be stored elsewhere, or memorized.

The Electrum client generates a 128-bit random sequence and translates it into a set of English words...
See https://bitcointalk.org/index.php?topic=51397.0

Oh, sorry.

MoonShadow
November 28, 2011, 07:32:22 PM
#10

Quote from: MoonShadow
I see a potential problem with any phrase-based deterministic wallet. It reduces the namespace of an attacker trying to force an address collision by searching for English phrases in the same way that a dictionary attack works against common passwords. It's more than conceivable to have an accidental collision as well, if two fans of classical lit both choose "Call me Ishmael" or more than one Tolkien fan chooses the same quote from TLOTR. Hell, an attacker who was just using the King James version of the Bible would get quite a few hits from Christians using their favorite verses. It would be better to do it in reverse, by having the client generate a random number sequence and translating that into a set of English words that can be printed, saved as an encrypted file to be stored elsewhere, or memorized.

Quote
Electrum doesn't work that way; it uses a predefined list of words based on a key. But still, even if the passphrase is freeform, there are ways to overcome that.

The first is use of a salt: including a non-secure, semi-unique value in the key generation process, like the user's email address. This doesn't need to be secure, but it should be semi-unique. This prevents a pre-computation attack, as each user's hash is unique even with the same passphrase.

I was thinking more along these lines, and wondering if a passphrase plus a salt created by a standardized questionnaire of usually secret personal info could be used, of the kind of questions that don't change. For example, one such question could be "How old were you when you lost your virginity?" with multiple choice answers including each age from 12 to 24, and an option like "does not apply/refuse to answer", so that the multiple choice questionnaire could take all such answers, as well as the numbers of the answers that users refuse to answer, and create a salt that could produce a unique. The questions would have to be high in number, and of a standardized order, so that a user could conceivably reproduce the wallet.dat while being unique enough that it won't produce wallets that could collide. It would have a bias, as all such questionnaires do, but it should be a long enough questionnaire that such a bias isn't predictable, and of such personal info that users aren't going to answer such a questionnaire outside of the context of the client.

ALPHA.
November 28, 2011, 09:45:28 PM
#11

I am going to say it right here and right now: This is the future.
Ean
November 29, 2011, 03:02:22 PM
#12

I don't seem to be able to make a second payment until the first is in the block chain ...

Quote from: Douglas Adams
The World Wide Web is the only thing I know of whose shortened form takes three times longer to say than what it's short for
netrin
November 29, 2011, 07:01:41 PM
#13

Deterministic wallets are much more elegant as far as backup regimes. Personally, I'd prefer to have a two part seed = (random + memorized). But the only real show stopper the Satoshi/C++ client presents me is regarding bandwidth. I'm often in situations where even one MB is prohibitively expensive for bitcoin to be practical. Can Electrum quickly and cheaply discover a wallet balance and send and verify a transaction from cold startup?

Greenlandic tupilak. Hand carved, traditional cursed bone figures. Sorry, polar bear, walrus and human remains not available for export.
netrin
November 29, 2011, 08:03:25 PM
#14

Thanks. I'm looking through the API to get an overview of the separation of concerns/tiers. It'd be nice to see a schema:

==============
Generic Servers:
blockchain instance
==============
Interface:
address balance check --> any server
signed transactions --> any server
==============
Client:
private seed,
cache of private keys
public address/transaction labels
==============

grondilu
November 30, 2011, 07:52:52 AM
#15

On the main page I read:
Code:
sudo easy_install ecdsa
sudo easy_install pycrypto
git clone git://gitorious.org/electrum/electrum.git
python ./electrum/client/electrum.py

On Debian I see a python-pycryptopp package that should do the job for pycrypto, I guess.

But what is the equivalent of ecdsa on debian?

ThomasV (OP)
November 30, 2011, 08:16:54 AM
#16

Quote from: grondilu
On the main page I read:
Code:
sudo easy_install ecdsa
sudo easy_install pycrypto
git clone git://gitorious.org/electrum/electrum.git
python ./electrum/client/electrum.py

On Debian I see a python-pycryptopp package that should do the job for pycrypto, I guess.

But what is the equivalent of ecdsa on Debian?

pycrypto is no longer used.
See the announcement in the main thread: https://bitcointalk.org/index.php?topic=50936.msg635247#msg635247

miscreanity
December 05, 2011, 09:35:01 AM
#17

Would it be possible to generate the seed from camera input, perhaps using facial recognition data?
finway
December 05, 2011, 10:42:30 AM
#18

Quote from: miscreanity
Would it be possible to generate the seed from camera input, perhaps using facial recognition data?
Of course, but you must make the original data solid and constant;

a little difference will totally change the hash.

slush
December 05, 2011, 11:50:08 AM
#19

Theoretically it's possible (the OpenCV library provides face detection algorithms with Python bindings).

But I cannot imagine it will work in reality. I mean, be secure enough to generate the same seed for the same face (aging, beard, face injuries, ...) and generate enough entropy for different faces.

miscreanity
December 07, 2011, 02:08:51 AM
#20

Yes, that's what I thought. I've been looking for methods of collapsing the complexity after acquisition, but so far the only solutions result in a decrease of data quality/resolution.

Thinking out loud here: it would probably be more appropriate currently to offer facial recognition at the device or application level for unlocking access to a pre-generated seed.

Thanks to both for your input!