Risk Of Losing Bitcoins Through Seed Creation

[ps1234]

I know it's very unlikely, but there is nothing to stop a hacker from generating wallets using the 12 word Electrum seeds, to steal bitcoins.

With luck, they might generate a valid wallet, which had been previously created, and which contains bitcoins

Similarly, a non malicious user might accidentally generate a duplicate wallet.

Should users be encouraged to add some random words to reduce these (admittedly minuscule) risk?

[1713939688]

1713939688

[DaveF]

The 12 words are 128 bits of entropy, which is considered more then enough.
Obviously more words would make it more secure.
However, it is more likely to loose money due to carelessness / not keeping good security practices then it is to loose BTC due to someone randomly generating your seed phrase.

-Dave

[hosseinimr93]

Hackers take the advantages of the mistakes made by people. If your seed phrase is generated on an air-gapped computer, there's nothing a hacker can do.
As stated by DaveF, a 12-word seed phrase provides enough entropy.

Anyway, if you want your seed phrase to have more words for any reason, you can ask electrum to generate a 24 word seed phrase. (As humans may not be good at generating random words, I think that's a better option.)
To do so, go to console and use the following command.

Code:

make_seed(256)

The 12 words are 128 bits of entropy, which is considered more then enough.

A 12 word seed phrase generated by electrum provides 132 bits of entropy.

[pooya87]

With luck, they might generate a valid wallet, which had been previously created, and which contains bitcoins
Similarly, a non malicious user might accidentally generate a duplicate wallet.

Imagine if you could see atoms that are in the entire universe. Now imagine if you randomly selected one atom out of the whole set. The chances of someone else also selecting the same atom is the same chance of someone else finding your seed phrase if chosen randomly.

[Charles-Tim]

The 12 words are 128 bits of entropy, which is considered more then enough.

128 bits of entropy is very enough, with the additional of 4 more bits during checksum which makes it 132 bits before the generation of the 12 word seed phrase.

Obviously more words would make it more secure.

Yes, but also the use of passphrase can help, especially to ease ps1234's mind of any uncertainty (which its chance is negligible and highly impossible). ps1234, know that the additional of passphrase will result to generation of different keys and addresses entirely. If you do not have the passphrase anymore, only seed phrase can no be used to recover backup your wallet during wallet recovery.

However, it is more likely to loose money due to carelessness / not keeping good security practices then it is to loose BTC due to someone randomly generating your seed phrase.

Carelessless and hack have been the reason people are losing bitcoin.

A 12 word seed phrase generated by electrum provides 132 bits of entropy.

DaveF meant the BIP39 standard which is 128 bits of entropy. It is quite new to me that it is 134132 bits on electrum, I only thought what is different about the seed phrase between Electrum and BIP39 is how they are generated and inclusion of version number to Electrum seed phrase after generation, I do not know if the entropy is not the same.

[NeuroticFish]

Should users be encouraged to add some random words to reduce these (admittedly minuscule) risk?

Adding extra words is a nice addition, just one has to be careful with all his steps because
* the chance is millions¹ of times higher somebody steals the seed and extra words than find the same wallet by collision, hence it's important how the wallet was created (safely) and how the wallet and backup are stored
* the chance is millions of times higher the user makes something overly complicated he doesn't understand and he cannot recover his own wallet at a later time.

Notes:
¹ Maybe you go on with reading this topic

[hosseinimr93]

It is quite new to me that it is 134 bits on electrum, I only thought what is different about the seed phrase between Electrum and BIP39 is how they are generated, inclusion of version number to Electrum seed phrase during generation, I do not know if the entropy is not the same.

132 bits of entropy, not 134.

In a seed generated by electrum, there is no checksum. So, unlike a 12 word BIP39 seed phrase (in which the last 4 bits are checksum) in a 12 word electrum seed phrase, all 132 bits are generated randomly.
For more information, click here and read the post made by o_e_l_e_o in response to my question on another thread .

[ABCbits]

Should users be encouraged to add some random words to reduce these (admittedly minuscule) risk?

There's good reason to add random words passphrase (Electrum call it "Extend with custom words") after 12/24 words sequence, but avoiding possibility of duplicate generated seed isn't one of them.

The 12 words are 128 bits of entropy, which is considered more then enough.

To be more specific, Electrum use cryptographic secure PRNG which provided by the OS (for example, /dev/urandom for linux) through function os.urandom.

[bitmover]

Imagine if you could see atoms that are in the entire universe. Now imagine if you randomly selected one atom out of the whole set. The chances of someone else also selecting the same atom is the same chance of someone else finding your seed phrase if chosen randomly.

This image illustrates this idea.



source

The chances of a "hacker" to generate a seed that was used before is virtually zero. The only risk would be if you generate the seed by yourself or bad software, seeds with poor randomness. For example, a seed with 12 words like this:

Code:

 word word word word word word word word word word word word

Some of those repeated word lists passes the checksum. This is why you should always use a decent software to generate your wallet.

[o_e_l_e_o]

Should users be encouraged to add some random words to reduce these (admittedly minuscule) risk?

I think everyone should be using passphrases, since they are the best way to provide plausible deniability to your wallets, and also provide extra security should an attacker discover your seed phrase back up. However, they do absolutely nothing to prevent someone from brute forcing or stumbling across one of your private keys (which is already so rare as to essentially be impossible before the the death of the sun).

The security of a bitcoin private key is 128 bits. It doesn't matter if you add an entire paragraph or 10,000 random characters to your seed phrase - your private keys will still have a security of 128 bits. Further, given the way in which private keys are generated from a seed phrase, there is just as much chance as a completely different seed phrase generating an address which is the same as an address from your wallet, with or without an additional passphrase. In fact, I would say this is more likely, since many wallets will generate a single seed phrase, but then generate 20+ addresses from that single seed phrase, meaning that there are 20x as many chances of an address being duplicated than of a seed phrase being duplicated.

[hosseinimr93]

The security of a bitcoin private key is 128 bits.

128 or 256?

Isn't that any integer between 1 and 2²⁵⁶ (or any 64 character number in hexadecimal format) can be turned into a valid private key?
I know the exact number is a little smaller due to secp256k1 ECDSA standard, but the number of valid private keys should be much bigger than 2¹²⁸.

What I am missing here?

[o_e_l_e_o]

128 or 256?

128.

Isn't that any integer between 1 and 2²⁵⁶ (or any 64 character number in hexadecimal format) can be turned into a valid private key?
I know the exact number is a little smaller due to secp256k1 ECDSA standard, but the number of valid private keys should be much bigger than 2¹²⁸.

Correct.

What I am missing here?

That a length of 256 bits does not equate to 256 bits of security.

The best known attack against a private key is not random brute force (which would indeed equate to around 256 bits of security), but rather attempting to solve the ECDLP, which provides 128 bits of security.

This can be seen in Standards for Efficient Cryptography. SEC 2: Recommended Elliptic Curve Domain Parameters. (Table at the bottom of page 4.)

[Lucius]

I think everyone should be using passphrases, since they are the best way to provide plausible deniability to your wallets, and also provide extra security should an attacker discover your seed phrase back up. However, they do absolutely nothing to prevent someone from brute forcing or stumbling across one of your private keys (which is already so rare as to essentially be impossible before the the death of the sun).

Nicely said, and I think it sums up what matters in all doubts about how safe the seed is and the way it is generated. I think that these things are not completely clear to a large number of users, and they are very important if someone has doubts as an OP. When I made my first wallet I didn't have any doubts like this because MultiBit didn't have a seed, but later I had the same doubts as an OP until I learned that seed is just a simple presentation of something much more complicated and not as simple as it seems at first glance.

However, it is quite logical that people feel safer if the seed has 24 words and a passphrase, and if it helps a person sleep more peacefully, it is good that such things exist

[PrimeNumber7]

The 12 words are 128 bits of entropy, which is considered more then enough.
Obviously more words would make it more secure.

The difference between the chance of a single 12-word seed being made twice and the chance of a single 24-word seed being made twice is approximately ~2.93 * 10^-39. Although technically about a bitcoin private key, and not an electrum seed, the image that bitmover posted nicely illustrates the risk of a collusion.

It is important to make sure that your computer is capable of generating random numbers. In 2013, for example a flaw in Android devices prevented them from generating cryptographically random numbers, which resulted in the risk of malicious actors being able to steal any coin stored on Android devices. The above did not ever affect electrum.

Today, most computers and mobile devices can generate cryptographically random numbers. However, if your device is infected with malware, the malware may cause your computer to generate numbers in a predictable manner, which could lead to a hacker stealing your money, even if you generated the seed on an offline computer (that was infected with malware).

[DaveF]

But how would people know their computer OS is capable of generating secure random number? Most people simply assume the OS is secure and some of them only know about it after such vulnerability is disclosed.

Drifting a bit from the original thought but don't we kind of have the same issue with hardware wallets. We hope that the ATECC608A or the Infineon secure elements are not vulnerable. But in the end we still have to have some trust someplace.
Is it easier to hack / find vulnerabilities in an OS then a chip. 100% yes. But you can also more or less code around them. If some of the hardware encryption devices are found with issues, it's a bigger deal.

-Dave

[PrimeNumber7]

It is important to make sure that your computer is capable of generating random numbers. In 2013, for example a flaw in Android devices prevented them from generating cryptographically random numbers, which resulted in the risk of malicious actors being able to steal any coin stored on Android devices. The above did not ever affect electrum.

But how would people know their computer OS is capable of generating secure random number? Most people simply assume the OS is secure and some of them only know about it after such vulnerability is disclosed.

I was hinting at things such as malware that would prevent the OS from generating a secure random number.

Today, most computers and mobile devices can generate cryptographically random numbers. However, if your device is infected with malware, the malware may cause your computer to generate numbers in a predictable manner, which could lead to a hacker stealing your money, even if you generated the seed on an offline computer (that was infected with malware).

While it's possible, it's not practical when the malware could simply copy wallet file, steal password using keylogger or read private key from RAM when the wallet opened by user. Are there any known malware which specifically mess with system cryptographic secure PRNG?

If the malware is targeting users who are going to be generating private keys on offline computers that will never touch the internet in the future, stealing information is not going to do very much because it would have no way of transmitting the stolen information.

My guess is that any malware that targets PRNG is going to be state-sponsored whose targets are embassy employees and spies, so their communications can be intercepted and decrypted.

[Pmalek]

You could fall out of an airplane in midflight, be hit by another airplane on your way down, land face first, and still survive. Theoretically, there is a miniscule chance of that happening. Remember that Russian paraglider who crashed, fell, and got a tree branch stuck in his shoulder that probably saved his life?

Sorry for making such a ridiculous comparison, but my point is that the chances for both these scenarios from happening are so small that they are not worth worrying about.     

[o_e_l_e_o]

Sorry for making such a ridiculous comparison, but my point is that the chances for both these scenarios from happening are so small that they are not worth worrying about.

I always find it amusing just how many threads we see popping up along these lines, of people wondering "What if someone guesses my seed phrase" or "What if someone generates the same private key as me". The 128 bit security provided by your seed phrase and private keys is probably the strongest part of your entire security set up for most users. They go around splashing their KYC data and their addresses all over the place, advertising to the entire world who they are and how much bitcoin they own. They keep their coins in web wallets or software wallets on their daily use computers, which are running outdated version of bad OSs filled with vulnerabilities, have installed hundreds of pieces of unnecessary software, and which they use to visit all manner of websites and download a variety of questionable things. They use 2FA linked to their email address, the email address which has the same password as every online account they own, which also happens to have been leaked months ago but they didn't even realize. They keep their seed phrase backed up in the cloud, but that's ok because they've used some outdated and non-open source ZIP software to add a (weak) password to it. And as they do all this, they worry about the one thing in their set up which is orders upon orders of magnitude more secure than literally every other part of their set up.

The weakest part of bitcoin is almost always the user. Rather than worrying about the impossible (someone breaking 128 bits of security), worry about all the other ways you are risking your coins instead.

[ps1234]

My paranoid thought experiment relies on the fact that the words for the Electrum passphrase are fixed and known.

By default, the 12 words from 2048 do offer a huge combination. As has been pointed out, the risk of accidental duplication is small.

However, if my understanding is correct, in my thought experiment it is easily possible to generate the private keys and addresses that would be created by a real Electrum wallet using the 12 words. A large number of addresses that would result from these keys could be generated relatively easily.

In the attack, the blockchain could be scanned for one of these addresses, and finding any one would confirm that there exists (or existed) a valid wallet with potentially unspent coins. The wallet funds could then be stolen by generating new spends and sent to addresses owned by the attacker.

While large amounts of computing power might be needed, this attack would work against airgapped wallets as well as those on-line.

Is this a feasible (if computationally expensive) attack, or have I misunderstood?

Adding more words would make the computation exponentially more expensive.

[o_e_l_e_o]

However, if my understanding is correct, in my thought experiment it is easily possible to generate the private keys and addresses that would be created by a real Electrum wallet using the 12 words.

If someone knows your 12 words, it is trivial for them to generate your private keys and addresses.
If someone does not know your 12 words, it is impossible for them to generate your private keys and addresses.

While large amounts of computing power might be needed, this attack would work against airgapped wallets as well as those on-line.

Even if you used every piece of computing hardware in the world for this task, and consumed every single joule of electricity in the world to run it all, you would not find a collision.

Is this a feasible (if computationally expensive) attack

No.