Bitcoin Forum
Topic: [Wiki] An Informal Introduction to Plausible Deniability
AlcoHoDL (OP)
September 17, 2020, 08:45:44 AM
Merited by Welsh (20), JSRAW (13), o_e_l_e_o (6), DdmrDdmr (3), zasad@ (3), hugeblack (2), JayJuanGee (1), Jating (1), TravelMug (1), witcher_sense (1), VB1001 (1), arcmetal (1)
 #1

Hello to the Bitcoin community,

At the suggestion of fellow Wall Observer (WO) Thread brother, JSRAW, I'm re-posting here in the [Beginners & Help] section, something I posted about plausible deniability, in response to a question asked by another brother, Karartma1, in the above thread. I hope it helps to better understand the different ideas and concepts involved, and make better use of available tools and techniques to safeguard ourselves and our coins.



Plausible deniability, as it applies to Bitcoin, is the ability to plausibly deny ownership of your Bitcoin when required to reveal your stash (legally, or by force).

Case 1 (legally): You cross the border to another country, and, upon inspection, customs find your Trezor in your briefcase, or find a wallet s/w on your phone. They may force you to reveal information about your stash. In fact, there are laws that make it a punishable crime not to reveal your passwords in such cases, and if you don't, you may be arrested and detained. What do you do? Can you just say "guys, it's empty!"? They will say "OK, show us!" How can you circumvent this?

Case 2 (by force): You are a coiner. You tell about your coins to friends and relatives. All in good faith. They are impressed by your newfound wealth. They are so excited that they tell their friends about you and how smart you are. Word spreads. You end up being kidnapped and forced (by torture) to reveal your stash. Can you just say "guys, it's empty!"? I don't think so. How can you circumvent this?

Deniability won't help you in such cases, unless it's paired with plausibility. With Trezor (and Ledger, etc.), in addition to the 24 words that make up your seed, you are allowed to enter another (25th) passphrase (word, sentence, any alphanumeric string). This will result in a wallet (key) that is totally different to the one without the 25th passphrase. In fact, when you connect your Trezor and are asked for the 25th passphrase, you can type anything you want, and it will lead to different valid wallets, depending on what you typed. In this way, you can have (in fact, you already have) an infinite number of wallets, all of which have your seed in common, but are cryptographically unrelated, in the sense that access to one such wallet is completely isolated from any other wallet.

The central idea that you must understand, is that you already have all these wallets, whether you want them or not. There is no switch that you can use to enable or disable a wallet. It's already there. Think of this as driving on the highway, and there are an infinite number of exits. Your 24-word seed is the highway, and the 25th passphrase determines the exit you want to take. The exits are all there, an infinite number of them, and they all lead to valid wallets. Of course, all these wallets will be empty when you visit them (well, not necessarily, but that's another discussion). The highway itself is also a wallet (no passphrase entered). This is why it's not advisable to use a seed without a 25th passphrase. Because, in this case, if someone finds your seed, he can enter your highway, and if your coins are on that highway, he can steal them from you. But if you use a 25th passphrase, the highway will be empty, and contain an infinite number of exits. Which exit to take? He needs to know the 25th passphrase, which he won't. Your coins are safe.

How is all this related to plausible deniability? You can use the 25th passphrase to plausibly deny ownership of your coins. You set up your Trezor as normal, writing down and backing up your 24 seed words. What you then do, is transfer a very small amount of Bitcoin (say, 0.1 BTC) to the wallet without a 25th passphrase (the highway). You put that 0.1 BTC there. Then, you reconnect your Trezor, but this time you enter a 25th passphrase, let's call it {normal_pass}. You end up on a different, empty wallet. In there, you transfer a bigger amount of Bitcoin, large enough to persuade someone that it's everything you've got, let's say, 10 BTC. You don't transfer all your stash there, just that 10 BTC. You then reconnect your Trezor, but this time you enter a very strong 25th passphrase, let's call it {really_strong_pass}. You end up on yet another empty wallet. In that wallet you transfer the remainder of your stash, say, 100 BTC.

What have you achieved by doing the above? With just one seed (written on paper and backed up) and 2 passphrases in your head, you have spread your stash in the following three different, cryptographically unrelated wallets (i.e., having access to one of the wallets does not grant access to any of the other wallets, and does not prove that you are using any other wallet):

No passphrase: 0.1 BTC
{normal_pass}: 10 BTC
{really_strong_pass}: 100 BTC

Case 1: "Sir, can you please unlock your wallet for us?" -- "Why?" -- "We want to see how many coins you have." -- "But, isn't this private information?" -- "Yes, but Law XYZ, that was passed after 9/11, to combat terrorist activities, gives us authority to do whatever we want!" -- "Oh, hmmm, I'm not comfortable with this..." You play difficult, you ask to see the law, trying to stall them. After a while, and when the pressure on you becomes too much, you say "OK, I don't like this at all, but here you are." You connect your Trezor to your laptop, and just enter the PIN (no 25th passphrase). You have just entered the "highway" wallet, which contains 0.1 BTC. "There you go, motherfuckers! Fuck you!", you scream! They say, "Sir, I'm afraid we'll have to confiscate your wallet and the coins." -- "Sure," you reply, "take it and stick it up your bum, you fucks!" You hand them your Trezor and they let you pass. When you arrive safely at your destination, you simply enter your seed to any wallet you want (Trezor, Ledger, Mycelium), and you log-in with the two "25th" passphrases, confirming what mathematics have guaranteed for you, which is that your 110 BTC are there, untouched, waiting for you.

Case 2: You are tied to a chair, and a big guy asks you for your Trezor PIN, "or else I'm going to cut your fingers one by one!" You try to resist at first, but quickly reveal the PIN. They see the 0.1 BTC. But they're smart. They know you have more! They begin to torture you, at which point you have to be prepared to take some beating and even lose a finger! You have to resist as much as you can. When you can't take it anymore, and you're screaming and crying like a little girl, all humiliated and seemingly completely wrecked, you reveal {normal_pass} to them. They enter the 25th passphrase and see your shiny 10 BTC in there. "Gotcha!" they shout! They transfer the funds, destroy (or take with them) your Trezor, and leave. The next day, you enter your seed in another wallet, enter {really_strong_pass} and confirm that your 100 BTC are there, untouched, waiting for you.

The above are idealized scenarios. You can be sure that, if you go out and about boasting to colleagues, friends and family that you own 100+ BTC, the thieves will cut your fingers, arms, legs, and even your dick (if you have one), before they get your entire stash! Plausible deniability is a great tool to protect us and our Bitcoin, but we also need to exercise common sense and maximise our OPSEC. No need to go out boasting about how much Bitcoin we have. A fool and his BTC are soon parted. Don't be a fool.

That's the best way I can describe plausible deniability, while keeping my typing and word count to reasonable levels. I hope it helps someone out there.

Stay safe!
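
The passphrase mechanism described in the post above, as an added example that is not part of the original thread: the BIP39 seed derivation (PBKDF2-HMAC-SHA512) followed by the BIP32 master-key step, showing that every passphrase, including a one-character typo, opens a different and unrelated wallet without any error. The mnemonic is the public BIP39 test-vector phrase, the passphrase strings are stand-ins for the post's {normal_pass} and {really_strong_pass}, and `wallet_tag` and `compare_wallets` are names made up for this example.

```python
import hashlib
import hmac
import unicodedata

# Sample input: the public 12-word mnemonic from the BIP39 test vectors.
MNEMONIC = "abandon " * 11 + "about"

# Stand-ins for the post's "highway", {normal_pass} and {really_strong_pass},
# plus a one-character typo of the last one. All constructed for this example.
PASSPHRASES = ["", "normal_pass", "really_strong_pass", "Really_strong_pass"]


def _nfkd(text):
    """BIP39 requires NFKD-normalised UTF-8 for mnemonic and passphrase."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic, passphrase=""):
    """64-byte seed: PBKDF2-HMAC-SHA512, salt "mnemonic" + passphrase, 2048 rounds."""
    salt = b"mnemonic" + _nfkd(passphrase)
    return hashlib.pbkdf2_hmac("sha512", _nfkd(mnemonic), salt, 2048, dklen=64)


def bip32_master(seed):
    """BIP32 master node: HMAC-SHA512 keyed with b"Bitcoin seed"."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]  # (master private key, chain code)


def wallet_tag(mnemonic, passphrase=""):
    """Hypothetical helper: short hash of the master key, safe to print."""
    key, _chain = bip32_master(bip39_seed(mnemonic, passphrase))
    return hashlib.sha256(key).hexdigest()[:16]


def differing_bits(a, b):
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def compare_wallets(mnemonic, passphrases):
    """Return (passphrase, tag, bits that differ from the no-passphrase seed)."""
    base = bip39_seed(mnemonic)
    rows = []
    for p in passphrases:
        seed = bip39_seed(mnemonic, p)
        rows.append((p, wallet_tag(mnemonic, p), differing_bits(base, seed)))
    return rows


if __name__ == "__main__":
    for passphrase, tag, bits in compare_wallets(MNEMONIC, PASSPHRASES):
        print(f"{passphrase!r:24} wallet {tag}  seed differs in {bits}/512 bits")
```
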
DdmrDdmr
September 17, 2020, 10:27:31 AM
Merited by o_e_l_e_o (2), JayJuanGee (1)
 #2

Nicely laid out. Just a few more things to consider:

- Do not lose your passphrases. As obvious as it may seem, the 24 word recovery phrase is obviously not enough to access your hidden accounts.

- Adding a passphrase will add your personal input to the 24 word recovery phrase that your wallet will give you. It therefore enhances the number of potential combinations needed to crack your recovery phrase, making it more secure in the event. The more complex the better, but within reason.

- If you use a Ledger device (presumably something similar will happen on other devices), tying those hidden accounts to it can become your weak point in providing cover for plausible deniability (you can be forced to open Ledger Live and show your linked accounts, so hidden accounts should better remain unlinked from Ledger Live).

AlcoHoDL (OP)
September 17, 2020, 10:47:25 AM
 #3

> Nicely laid out. Just a few more things to consider:
>
> - Do not lose your passphrases. As obvious as it may seem, the 24 word recovery phrase is obviously not enough to access your hidden accounts.
>
> - Adding a passphrase will add your personal input to the 24 word recovery phrase that your wallet will give you. It therefore enhances the number of potential combinations needed to crack your recovery phrase, making it more secure in the event. The more complex the better, but within reason.
>
> - If you use a Ledger device (presumably something similar will happen on other devices), tying those hidden accounts to it can become your weak point in providing cover for plausible deniability (you can be forced to open Ledger Live and show your linked accounts, so hidden accounts should better remain unlinked from Ledger Live).

Good points, thanks.
o_e_l_e_o
September 17, 2020, 11:16:55 AM
Merited by JayJuanGee (1)
 #4

I'm a big fan of using analogies to explain to newbies some of the more difficult to understand aspects of bitcoin. I really like your "infinite highway" analogy here - it's both simple to understand while at the same time not compromising on what passphrases actually do and achieve.

A minor correction which does not alter the essence of your post - passphrases are not infinite. Trezor devices have a limit of 50 ASCII characters, and Ledger devices 100 ASCII characters. I know Electrum sets no limit, but I suppose theoretically the upper limit would be a number with length just less than 2^128 bits, since it's being fed in to HMAC-SHA512.

> - If you use a Ledger device (presumably something similar will happen on other devices), tying those hidden accounts to it can become your weak point in providing cover for plausible deniability (you can be forced to open Ledger Live and show your linked accounts, so hidden accounts should better remain unlinked from Ledger Live).

If you want to take this a step further, then you should probably only be accessing your hidden accounts on a temporary and non-persistent OS like Tails. Even if you don't use Ledger Live at all, and pair your Ledger with Electrum (for example), Electrum will still create a wallet file when you open your passphrase protected wallets which will be left behind on your computer long after you've disconnected your Ledger device.
Coyster
September 17, 2020, 11:17:43 AM
 #5

+1 to everything in the op, but I'd like to add that it's also possible to avoid (prevent) the second case if Bitcoin users do not go about telling people that they own Bitcoin, many times when that is done, the person is already attracting attention to themselves and an incident of a $5 wrench attack becomes possible. It's a topic the community has discussed severally, see: why it's important to avoid telling everyone about your crypto holdings.

People think being a Bitcoin holder means you are a multimillionaire, even if you have just a few sats; passphrases are a good layer of extra security, but users should start first with keeping their Bitcoin holdings private.





AlcoHoDL (OP)
September 17, 2020, 03:58:55 PM
Merited by JayJuanGee (1)
 #6

> I'm a big fan of using analogies to explain to newbies some of the more difficult to understand aspects of bitcoin. I really like your "infinite highway" analogy here - it's both simple to understand while at the same time not compromising on what passphrases actually do and achieve.
>
> A minor correction which does not alter the essence of your post - passphrases are not infinite. Trezor devices have a limit of 50 ASCII characters, and Ledger devices 100 ASCII characters. I know Electrum sets no limit, but I suppose theoretically the upper limit would be a number with length just less than 2^128 bits, since it's being fed in to HMAC-SHA512.

Many thanks for this. I was suspecting there were hard limits in the number of characters, imposed by the devices and the algorithm, but was not aware of them. It's good to know. 50 characters can still make a very strong passphrase, and may even be too long to ensure you remember it, so the principle still holds, I guess.


> > - If you use a Ledger device (presumably something similar will happen on other devices), tying those hidden accounts to it can become your weak point in providing cover for plausible deniability (you can be forced to open Ledger Live and show your linked accounts, so hidden accounts should better remain unlinked from Ledger Live).
>
> If you want to take this a step further, then you should probably only be accessing your hidden accounts on a temporary and non-persistent OS like Tails. Even if you don't use Ledger Live at all, and pair your Ledger with Electrum (for example), Electrum will still create a wallet file when you open your passphrase protected wallets which will be left behind on your computer long after you've disconnected your Ledger device.

Very true. Plausibility can be killed by leaving behind traces of hidden wallet activity which cannot be explained. Tails is an excellent way of dealing with this.


> +1 to everything in the op, but I'd like to add that it's also possible to avoid (prevent) the second case if Bitcoin users do not go about telling people that they own Bitcoin, many times when that is done, the person is already attracting attention to themselves and an incident of a $5 wrench attack becomes possible. It's a topic the community has discussed severally, see: why it's important to avoid telling everyone about your crypto holdings.
>
> People think being a Bitcoin holder means you are a multimillionaire, even if you have just a few sats; passphrases are a good layer of extra security, but users should start first with keeping their Bitcoin holdings private.

I can't stress this enough! Case 2 would most likely be caused by the coin holder himself, who may have been boasting and showing off his stash. Big mistake! Even the mere mention of being involved in Bitcoin, combined with a few major changes in one's life (something expensive they've bought, resigning from a job, etc.) would point to a healthy Bitcoin stash, and a $5 wrench is too damn cheap.

Stay safe, and, when it comes to Bitcoin, apply the Manhattan Project's motto:

hatshepsut93
September 17, 2020, 05:23:10 PM
 #7

> They enter the 25th passphrase and see your shiny 10 BTC in there. "Gotcha!" they shout! They transfer the funds, destroy (or take with them) your Trezor, and leave. The next day, you enter your seed in another wallet, enter {really_strong_pass} and confirm that your 100 BTC are there, untouched, waiting for you.

If the kidnappers are smart, they can make some sort of estimate on how many coins you have, which might or might not be accurate, depending on how much info you revealed about your coins prior to that. So, in the worst case no amount of decoys will be plausible. Also, there's a good chance kidnappers will kill their victim after getting what they want, to leave less evidence, so you should rely on plausible deniability to protect your coins, instead focus on privacy to not let anyone in this world know how many coins you have.


o_e_l_e_o
September 17, 2020, 06:27:16 PM
Merited by JayJuanGee (1)
 #8

> Many thanks for this. I was suspecting there were hard limits in the number of characters, imposed by the devices and the algorithm, but was not aware of them. It's good to know. 50 characters can still make a very strong passphrase, and may even be too long to ensure you remember it, so the principle still holds, I guess.

Given there are 95 printable ASCII characters, provided you use the full set, then a random passphrase of 20 characters has more entropy than a 12 word seed phrase (>2^128), and 39 characters more entropy than a 24 word seed phrase (>2^256), so still plenty for a very strong passphrase.

I would comment that I don't think people should be relying on their memory for their passphrase, however. Ideally, you should have your different passphrases securely backed up completely separately from one another and also completely separately from your seed phrase.

> If the kidnappers are smart, they can make some sort of estimate on how many coins you have, which might or might not be accurate, depending on how much info you revealed about your coins prior to that.

One of the most important things is to not obviously link your various wallets together from a blockchain analysis point of view, as well as from a general privacy point of view.

> Also, there's a good chance kidnappers will kill their victim after getting what they want, to leave less evidence

That's not true. How does turning a robbery in to a murder scene leave less evidence? All that will achieve is exponentially increase the number of law enforcement individuals and resources assigned to the case.
hatshepsut93
September 18, 2020, 04:39:50 PM
 #9

> One of the most important things is to not obviously link your various wallets together from a blockchain analysis point of view, as well as from a general privacy point of view.

It goes far beyond that, there are other ways how adversaries can guess the size of your stash, this can happen due to a leak from exchanges, banks and other financial services, it can happen through a gossip if you tell everyone that you own a lot of coins, especially on social media, and some people are literally buying lambos with BTCN signs - no comments here.

> That's not true. How does turning a robbery in to a murder scene leave less evidence? All that will achieve is exponentially increase the number of law enforcement individuals and resources assigned to the case.

Kidnapping and torture is already a very aggravated crime, and criminals tend to kill their victims in general if they are committing a serious crime like that. If they get a suspicion that the victim might provide some information to the police, like the location where they were kept, the faces, the voices and so on, it's safer for them to get rid of the victim.

hugeblack
September 18, 2020, 08:57:37 PM
 #10

I have never thought or heard of bitcoin Plausible deniability before, but is the same thing true for memorizing the 24 words and then mistyping the last word?
What is the probability that the last word will be guessed? I mean, you give the user 24 words out of 25, so I think that the number of attempts to guess the last word will decrease to about 2048 attempts ?!
Also, intentionally giving false information to the court is a crime that deserves a few months imprisonment, so be careful.
It is also related to kidnapping because the person who kidnapped you will certainly know a lot of information about you.

Upgrade00
September 18, 2020, 09:45:35 PM
 #11

> What is the probability that the last word will be guessed? I mean, you give the user 24 words out of 25, so I think that the number of attempts to guess the last word will decrease to about 2048 attempts ?!

In my understanding, for there to be any attempt to guess the last word, there needs to be suspicion that such a word is actually necessary or exists. The 24 word seed controls a wallet address without the addition of a passphrase, so on discovery there is a wallet with a balance in it, no need to look further or attempt to guess a possible last word, right?
Also, the 25th passphrase does not have to be picked from the 2048 word list, it can be customized with alterations like lower and upper case as well as special characters, to make it more difficult to guess.

> Also, intentionally giving false information to the court is a crime that deserves a few months imprisonment, so be careful.
> It is also related to kidnapping because the person who kidnapped you will certainly know a lot of information about you.

• It would count as an omission and technically not a lie, although I can see the possibility of a case depending on which country you are in, especially if there are strict laws on money laundering.
• The best solution is maintaining optimum privacy. If a kidnapper has an idea that someone holds Bitcoin, but no idea how much they actually own, they can be convinced by a 20 or 30BTC wallet and would not suspect the user holds much more than that, except he/she had revealed sensitive information to the wrong person.

o_e_l_e_o
September 19, 2020, 07:29:12 AM
Merited by JayJuanGee (1)
 #12

> this can happen due to a leak from exchanges, banks and other financial services

Well, if you are using a centralized exchange, then you have no privacy.

> What is the probability that the last word will be guessed? I mean, you give the user 24 words out of 25, so I think that the number of attempts to guess the last word will decrease to about 2048 attempts ?!

The passphrase is often referred to (inappropriately, I think) as the "25th word", but it does not have to be a word from the BIP39 wordlist, and it does not have to be a word at all. Anything you like can be a passphrase. 6HeH!fg~ks3e5#CU' is a perfectly valid passphrase (and quite a strong one). This sentence is a valid passphrase.

> • It would count as an omission and technically not a lie

Dependent on what they ask. You cannot answer "Do you have any other passphrases you have used with this seed phrase" without lying. You can always claim you did, but you forgot or lost it though.
zasad@
September 23, 2020, 08:30:11 AM
Merited by JayJuanGee (1), AlcoHoDL (1)
 #13

Great information. Translation into Russian here:
https://bitcointalk.org/index.php?topic=5277630.0

Everything seems to be simple: everyone understands that bragging is dangerous.
But history tells us that alcohol, talkative tongue and penis have ruined many people and wealth.
This can also include gambling, but that's another story.
