Brute-forceable puzzle - free crypto for whoever manages to crack it [SOLVED]

[NotATether]

It means it could be BTC or ETH or both.

Oh, so I gave up. I processed around 10% dates & BTC addresses - first ones from the seed in BIP44: m/44'/0'/0'/0/0, but if your coins could be anywhere and even we do not know which coins we look for - it is waste of energy.

Unfortunately, the BIP39 wordlist is the same for both BTC or ETH but the paths are different: For eth it's m/44'/60'/0'/0'/0.  Only the Coin Type (second) number changes with each coin so in the wacky situation he is also hiding e.g. LTC (and at this point I strongly doubt it's a meager amount less than $100 if it's stored across multiple cryptos) then you just have to change the coin type to the number for LTC paths to search it was well.

[PawGo]

It means it could be BTC or ETH or both.

Oh, so I gave up. I processed around 10% dates & BTC addresses - first ones from the seed in BIP44: m/44'/0'/0'/0/0, but if your coins could be anywhere and even we do not know which coins we look for - it is waste of energy.

Unfortunately, the BIP39 wordlist is the same for both BTC or ETH but the paths are different: For eth it's m/44'/60'/0'/0'/0.   Only the Coin Type (second) number changes with each coin so in the wacky situation he is also hiding e.g. LTC (and at this point I strongly doubt it's a meager amount less than $100 if it's stored across multiple cryptos) then you just have to change the coin type to the number for LTC paths to search it was well.

Yes, I know all of that, the problem is that first we must check if any generated address contains coins, so for each seed you must generate several addresses. Anyway - it is doable, generation of shifted seeds is easy, the problem lies in fact that you do not know what to generate from the given seed - too many possibilities. If it would be known that is it (for example) BTC on first address - it would make it easy. The knowledge that BTC is created using BIP44 is already a lot. But I do not want to waste time not knowing the stake.
Later maybe I will commit to github Worker I created (based on my LostWord program) to solve 'shifted' seeds.

[f3tus]

Remember also that not all seed words generated are valid, the 12th/24th are checksums, so if it fails the checksum test it's obviously not the right mnemonic seed/date.

[NotATether]

Remember also that not all seed words generated are valid, the 12th/24th are checksums, so if it fails the checksum test it's obviously not the right mnemonic seed/date.

D'oh! And here we are trying to derive all seeds formed by the date shift combinations... 

I have no idea how I'm going to fit a checksum function in the code though.

[PawGo]

Remember also that not all seed words generated are valid, the 12th/24th are checksums, so if it fails the checksum test it's obviously not the right mnemonic seed/date.

D'oh! And here we are trying to derive all seeds formed by the date shift combinations... 

I have no idea how I'm going to fit a checksum function in the code though.

It does not matter - you create words by shifting and then you try to generate address - seed is correct and it works or incorrect - so you may skip it. I would not focus on that during shifting.
Still the questions are:
- which address (derivation path) should be used?
- what is the stake?
- why do we do it?

[NotATether]

It does not matter - you create words by shifting and then you try to generate address - seed is correct and it works or incorrect - so you may skip it. I would not focus on that during shifting.
Still the questions are:
- which address (derivation path) should be used?
- what is the stake?
- why do we do it?

I definitely agree with the second point, IMO it's not worth the expenses paid for all this cracking material being used if the reward is less than say $500.

[f3tus]

It is less than $500.

[j2002ba2]

It is less than $500.

For 12 word BIP39 on average every 16th try will have a valid checksum. If I got it correctly there are only 2 dates 1900-2021, so the complexity is around 365.24²*121²/16 = 2^26.9 PBKDF2. Single address derivation (the usual non-hardened) is about 10 times faster than PBKDF2. Generating all the master keys would take about 1-2 minutes on 4xV100 (amazon p3.8xlarge), but to develop and test it would cost much more time.

Not worth it.

Let's look at the "hardest" 12 word "encryption". If only valid dates are supplied (i.e. no 37th day of 185th month), then the complexity is 365.24³*2048³/16 = 2^54.5 PBKDF2. Going through all combinations would take ~461 years on 4xV100.

Of course this scheme has an enormous weakness - since the dates are to be easy remembered, then the range would be significantly smaller. For example 3 dates in interval 1900-2021 give complexity 2^42.3, or about 35 days on 4xV100. Inserting a memorable date from the past doesn't help either.

It looks more like security through obscurity.

[f3tus]

It looks more like security through obscurity.

As I wrote on my github:

Note that the encrypted words/numbers are not cryptographically secure, as they can be bruteforced to get the original words, but they do give you some protection from the common thief and some extra time to react in case of theft, etc.

Is the above true? Yes. Is it safer than writing it down in plain text? Yes.

[j2002ba2]

It looks more like security through obscurity.

As I wrote on my github:

Note that the encrypted words/numbers are not cryptographically secure, as they can be bruteforced to get the original words, but they do give you some protection from the common thief and some extra time to react in case of theft, etc.

Is the above true? Yes. Is it safer than writing it down in plain text? Yes.

No. It was "safer" before you published it. Now it's no more. The obscurity is gone.

Way "safer" would be to use the dates as an additional passphrase, maybe as text and together with other words. This way you wouldn't need additional software, it already works, not only with BIP39, but electrum seeds as well.

[f3tus]

No, it's still safer than writing down your seed words in plain text, there's no debating this, otherwise this puzzle would already be solved.

The obscurity is still there, because in the real world you wouldn't know what method someone used to encrypt their seed words. Here in this controlled environment I gave out the exact algorithm used and hints and still nobody solved it. In the real world you wouldn't know any of this. If I just posted an encrypted seed word mnemonic here without the method I used and without any hints whatsoever it would be impossible to crack, same is when a thief comes across your encrypted mnemonic.

I know about using an extra passphrase, as I wrote on github:

The purpose of this is to be able to safely write down your mnemonic seed words, not having to worry about a thief stealing your private keys, and in case something happens to you, allow your family to regain access to your wallet without needing to know a complex passphrase (TREZOR/Ledger), as all they need to know is the dates you used and the method to decrypt the words (pretty easy if it's in-family birthdays). Gather them around the table and do a couple of examples by hand. If you have a TREZOR or Ledger hardware wallet, having a complex passphrase as the "25th" word is more secure, but the more complex the passphrase is, the easier it is for your family or even you to not remember it at all (unless you wrote it down, which is a security risk in itself). If something were to happen to you, having a simpler passphrase (such as names or birthdates) would make it easier for your family to remember and access your wallet, and you could use both a passphrase and encrypt the seed words with a date shift cipher for extra security.

MetaMask for example does not support the 13th/25th passphrase, so if someone has a MetaMask seed how would you safely write it down? Most wallets generate 12 or 24 seed words without the possibility of adding an extra passphrase, how would you safely write them down? My method works and is secure.

[PawGo]

Could you confirm that coins are not BTC on the first address of the first account (m/44'/0'/0'/0/0)?
I have processed all the dates in the range you mentioned and checked addresses but without result - so coins are somewhere else or I did something wrong...

[bob123]

No, it's still safer than writing down your seed words in plain text, there's no debating this, otherwise this puzzle would already be solved.

It is way less secure than using a strong cipher with the same secret data.
Your mechanism leaks bits of the plaintext, which is always bad.

You could have just used your 4 dates or whatever shit you are using and use a proper encryption cipher.
Then no single bits would have been leaked and you'd be pretty fine.

With this however, you are wasting yours and our time.


Do whatever you want.. when storing 20$, no one will care. You could also just store it in plaintext.

The obscurity is still there

And security by obscurity is proven to be bad.

[f3tus]

Could you confirm that coins are not BTC on the first address of the first account (m/44'/0'/0'/0/0)?

Yes, I can confirm that.

[f3tus]

It is way less secure than using a strong cipher with the same secret data.
Your mechanism leaks bits of the plaintext, which is always bad.

You could have just used your 4 dates or whatever shit you are using and use a proper encryption cipher.
Then no single bits would have been leaked and you'd be pretty fine.

See:

How do I explain to my mother to AES decrypt "71TjQQYPkadCq8qUA6Lqt7FhUBEjPSzgDSbBA6spbtD/j8v3JXp9Vpco0H8rS/TK2/IOMS0aHF5QIyLihGuP2dSgdoKdyDrb82O72tNPdT4=" and ensure to type it out correctly?

Birthdays and anniversaries everyone remembers, and with 24 seed words you can shift it with up to 8 dates. Never said it's unbreakable, but it's not easy to break either, it gives you plenty of time to react in case of theft and it's simple enough by knowing the dates to do it by hand.

The point ot mnemonic keys is to be able to write them down easily on a piece of paper and recover them if needed, both by yourself and your family if anything happens to you. You really expect anyone to write down 100-300 random characters (or even engrave them on metal plates) and then think your family members will know how to decrypt them? It's pretty much guaranteed your crypto is gone if you die if you use this approach. Some of us actually thought about these what-if scenarios to ensure our families get a piece of the pie if something happens to us.

Do whatever you want.. when storing 20$, no one will care. You could also just store it in plaintext.

But in the real world you wouldn't know how much crypto a wallet holds. What if it's thousands or millions?

[f3tus]

The puzzle has been solved!

I will give out more details later!

[pooya87]

The point ot mnemonic keys is to be able to write them down easily on a piece of paper and recover them if needed, both by yourself and your family if anything happens to you. You really expect anyone to write down 100-300 random characters

There were no mnemonic at first, there were BIP32 which needed an octet string and could only produce a Base58 string that had 111 characters and was hard to write down. Then someone came up with the idea to encode that octet string as a set of words.

If you think writing down the encrypted result as Base64 (or different encodings like Base16, Base58, etc) is hard then you should focus on changing the encoding to something easier to write down instead of changing the encryption!
For example the Base64 you posted above is 80 bytes, encoding it as mnemonic is trivial, you just select a word list such as the 2048 words used by BIP39 then split the bits to small chunks that corresponds to the word list word count (11 bits) then print the corresponding words. That turns the 80 bytes into 59 words. (keep in mind the encrypted 256-bit mnemonic will be slightly bigger than 256-bit -or the same 24 words as BIP39- certainly not 640 bit).

Code:

71TjQQYPkadCq8qUA6Lqt7FhUBEjPSzgDSbBA6spbtD/j8v3JXp9Vpco0H8rS/TK2/IOMS0aHF5QIyLihGuP2dSgdoKdyDrb82O72tNPdT4=
ef54e341060f91a742abca9403a2eab7b1615011233d2ce00d26c103ab296ed0ff8fcbf7257a7d569728d07f2b4bf4cadbf20e312d1a1c5e502322e2846b8fd9d4a076829dc83adbf363bbdad34f753e

first 2 words

Code:

11101111010 10100111000
1914        1336 
urban       poem

[f3tus]

So AES encrypt the seed words with a password, then encode the encrypted text as seed words, so to get my original seed words I have to 1st unencode the encrypted text and then decrypt the encrypted text with a password.

Yes, I'm sure my mom will figure that one out.

[bob123]

See:

How do I explain to my mother to AES decrypt "71TjQQYPkadCq8qUA6Lqt7FhUBEjPSzgDSbBA6spbtD/j8v3JXp9Vpco0H8rS/TK2/IOMS0aHF5QIyLihGuP2dSgdoKdyDrb82O72tNPdT4=" and ensure to type it out correctly?

Birthdays and anniversaries everyone remembers, and with 24 seed words you can shift it with up to 8 dates. Never said it's unbreakable, but it's not easy to break either, it gives you plenty of time to react in case of theft and it's simple enough by knowing the dates to do it by hand.

You didn't get it.

First, you could just write that down.
"Dear mother, decrypt the following thing by pasting it into the software called XXX on my PC: ..."

Second, that is not what i wrote.

Your secret data you have used for the shift cipher were some dates.
You could use exactly these dates (the secret information) as a key in an AES cipher. That would be already way more secure than your approach since it wouldn't leak anything about the plaintext at all.
And when decrypting, that is exactly the same effort (Taking secret info X and doing Y).

[pooya87]

Yes, I'm sure my mom will figure that one out.

Well if someone is not capable of filling out 2 textboxes in a UI (one with the words and the other with the passphrase used) then they also won't be able to use any other method such as your shift cipher which requires the same 2 inputs (mnemonic and a date)!