TrAsHeR (OP)
August 06, 2022, 05:27:31 PM
Hello,
I have been using Electrum for many years, and I've always wondered how the seed is managed.
Let me explain: if, for example, I test several words in order, can I find the seed of my wallet?
If I find it, I have access to all the funds, right?
There is software that allows you to brute-force this kind of manipulation. I've never tried it, for fear of a virus, but even if they are surely "safe", is it possible that such software finds my seed?
hosseinimr93
> I have been using Electrum for many years, and I've always wondered how the seed is managed.

Your seed phrase actually represents a random number.

> Let me explain: if, for example, I test several words in order, can I find the seed of my wallet?

That's impossible.

> If I find it, I have access to all the funds, right?

Yes, the seed phrase is all you need to access the funds.

> There is software that allows you to brute-force this kind of manipulation. I've never tried it, for fear of a virus, but even if they are surely "safe", is it possible that such software finds my seed?

You can brute-force the seed phrase only if you know some of the words. For example, if you know 10 words, you can test all combinations and find the 2 missing words. It's not that you can brute-force any seed phrase. A 12-word seed phrase generated by Electrum provides 132 bits of entropy, and that's secure enough.
jackg
August 06, 2022, 05:52:08 PM
Most seed phrases have an entropy of (I'm not sure how many words are used for the checksum, so I just found the entropy of the first 10 words) 1,298,074,214,633,706,907,132,624,082,305,024 (2048^10).
This isn't as big as the key size for private keys (unless you use a 256-bit seed, or you made your wallet a few years ago, when it made different length seeds), but it's still very huge and uncrackable.
hosseinimr93
August 06, 2022, 06:08:07 PM
> Most seed phrases have an entropy of (I'm not sure how many words are used for the checksum, so I just found the entropy of the first 10 words) 1,298,074,214,633,706,907,132,624,082,305,024 (2048^10).

Given the method used by Electrum for generating a seed phrase, even the last word contains 11 bits of entropy. So a 12-word seed phrase generated by Electrum provides an entropy of 2048^12.
khaled0111
August 06, 2022, 11:21:32 PM
> There is software that allows you to brute-force this kind of manipulation. I've never tried it, for fear of a virus, but even if they are surely "safe", is it possible that such software finds my seed?

It depends on how much you remember from your seed. If only a few words are missing (like 3 or 4 words) and you know their exact positions, then recovering the seed using a good tool is possible. The more you remember, the faster the tool will find your seed. Once it finds it, you can use it to recover your wallet and you will have full access to your coins. I've seen many reputable members recommending BTCRecover, so I believe it's safe.
BitMaxz
August 06, 2022, 11:50:46 PM
If you are randomly guessing 12-word seed phrases, you have 0 chance and 0 luck of getting a wallet with funds; you have more chance of winning the lottery than of brute-forcing a 12-word seed. Unless you are trying to brute-force a wallet with 1 to 4 missing words, in which case you have more chance of recovering your own wallet by using some software like the one mentioned above. But you can also use this tool: "The FinderOuter, a bitcoin recovery tool".
pooya87
August 07, 2022, 04:06:34 AM
There is no difference in the security level of a mnemonic and a randomly generated private key. The minimum security level in Bitcoin is 128 bits, which 128+ bits of entropy provides. In other words, there is no difference between brute-forcing the 128-bit entropy and a Bitcoin private key (the former is actually harder due to the longer route taken to create a private key).
hugeblack
August 07, 2022, 04:42:29 AM
Theoretically, if you generate your seeds in cold storage and in a safe environment, the cost and time of hacking those seeds make it an unacceptable idea in practice. Therefore, the method of stealing your money often takes another form, such as:
- Downloading a wallet from unknown sources.
- Social attacks.
- Viruses, Trojans.
- Phishing links.
And other ways in which the scammer accesses the seeds or the private key through you and not by trying to guess.
NotATether
August 07, 2022, 05:06:27 AM
> There is no difference in the security level of a mnemonic and a randomly generated private key. The minimum security level in Bitcoin is 128 bits, which 128+ bits of entropy provides. In other words, there is no difference between brute-forcing the 128-bit entropy and a Bitcoin private key (the former is actually harder due to the longer route taken to create a private key).

The last part is actually dependent on the length of the derivation path, so it's quite long on Bitcoin Core and other wallets that use BIP44, but on Electrum it's quite short at only two paths, and the paths are fairly easy to predict if you have the master public key and/or just saw the address derived in the Electrum wallet somewhere.
TrAsHeR (OP)
August 07, 2022, 05:18:31 AM
Thanks for your reply. Yes, I know you have to know the words, but I know the words because they are here: " https://github.com/spesmilo/electrum/blob/master/electrum/old_mnemonic.py ". So if I test billions and billions of combinations, can I find a bomb? There are not "that many words".
NotATether
August 07, 2022, 05:25:41 AM
> So if I test billions and billions of combinations, can I find a bomb? There are not "that many words".

The answer is maybe, subject to whether you can run billions of combos in the first place. Hardware speed, and the expense of building a cluster, is why there is a ceiling to how many words can be unscrambled.
TrAsHeR (OP)
August 07, 2022, 06:03:52 AM
There are not many words; 1625 is not much when you know the power of today's PCs. On my PC, with a Python script, I can test several billion possible combinations.
That's what I don't understand. If I test the combinations and find, for example, one that has funds, it's over for the portfolio, right?
It would be easy to take 12 random words from the list of 1625 words, test them, and then repeat, several times per second.
hosseinimr93
August 07, 2022, 06:24:42 AM (last edit: August 07, 2022, 06:45:35 AM by hosseinimr93)
> There are not many words; 1625 is not much when you know the power of today's PCs.

Currently, Electrum uses a list containing 2048 words. The list you are referring to is for the old version of Electrum's seed phrase and contains 1626 words, not 1625.

> That's what I don't understand. If I test the combinations and find, for example, one that has funds, it's over for the portfolio, right?

If you find a seed phrase which belongs to a funded wallet, you can spend the funds.

> It would be easy to take 12 random words from the list of 1625 words, test them, and then repeat, several times per second.

Whether there are 1626 words or 2048 words, it's impossible to access a funded wallet.
ranochigo
August 07, 2022, 06:27:32 AM
> There are not many words; 1625 is not much when you know the power of today's PCs. On my PC, with a Python script, I can test several billion possible combinations.
> That's what I don't understand. If I test the combinations and find, for example, one that has funds, it's over for the portfolio, right?
> It would be easy to take 12 random words from the list of 1625 words, test them, and then repeat, several times per second.

Nope. Python is notoriously slow for loops, and there are faster implementations out there. Depending on your type of loops or iterations, the actual rate will probably be far less than a couple of million per second. There are actually tons of bottlenecks to be considered when you are brute-forcing seed phrases. First of all, you have to consider that various key-stretching functions are used in the various steps of the process, which slows it down significantly, because they are far more intensive than just generating random 12-word phrases. You are unlikely to really achieve speeds anywhere near feasible. The other notable bottleneck is trying to find the addresses with any transaction history or funds. You have to get a set of all of the used addresses on the blockchain and search through it, which involves both storage and computational complexity when you are searching thousands or billions of seeds per second.
TrAsHeR (OP)
August 07, 2022, 10:06:38 AM
> Whether there are 1626 words or 2048 words, it's impossible to access a funded wallet.

Yes, but why? That's the question of my post.
@ranochigo: Because when I delete my wallet and recreate it from the seed (the 12 words), all the transactions appear as well as all the addresses with funds. That's what scares me. For the moment I still don't understand. Everything I say is wrong, it's just an example to popularize; same for the Python, I can do it in C or another language. It was an example, not to be taken literally.
If my seed is:
word1 word2 word3
And I do a brute force, and the brute-force script tells me that the words word1 word2 word3 are a valid wallet, it's over? What prevents a person from having access to the wallet?
hosseinimr93
August 07, 2022, 10:15:59 AM
> Yes, but why? That's the question of my post.

Because the seed phrase (whether it's BIP39 or an Electrum seed) has enough entropy and you can't brute-force that.

> Because when I delete my wallet and recreate it from the seed (the 12 words), all the transactions appear as well as all the addresses with funds. That's what scares me.

That's exactly how it should work.

> And I do a brute force, and the brute-force script tells me that the words word1 word2 word3 are a valid wallet, it's over?

If you manage to brute-force someone's seed phrase, you can access the funds. But the problem is that you can't brute-force the seed phrase. Can you access a wallet if you brute-force its seed phrase? Yes. Can you brute-force a seed phrase without any information about it? No.

> What prevents a person from having access to the wallet?

The big entropy of the seed phrase.
ranochigo
August 07, 2022, 10:26:29 AM
> Because when I delete my wallet and recreate it from the seed (the 12 words), all the transactions appear as well as all the addresses with funds. That's what scares me.
> For the moment I still don't understand.

That is a feature of the seed. It is about as secure as your private key, because the number of permutations is similar with both.

> Everything I say is wrong, it's just an example to popularize; same for the Python, I can do it in C or another language. It was an example, not to be taken literally.

Nope. Unfortunately, even the most optimized code ever cannot brute-force at millions, much less billions, of times per second. [1] https://btcrecover.readthedocs.io/en/latest/GPU_Acceleration/

> If my seed is:
> word1 word2 word3
> And I do a brute force, and the brute-force script tells me that the words word1 word2 word3 are a valid wallet, it's over?
> What prevents a person from having access to the wallet?

Nothing. However, you have correctly demonstrated why we have a 12-word seed instead of a 3-word seed. A simple demonstration would be using the word list to randomly generate a 12-word seed, iterate through the permutations, and determine the number of iterations it takes to find that exact set of 12 words. The problem is that there are 2048^12 (5.4445179e+39) possible permutations of it. You need to iterate at a rate of 10^30 per second to be able to find a seed in 5 centuries. That would be a factor of 21 over a billion, which is impractical, especially given that we established that the overheads make this a very inefficient process.
o_e_l_e_o
> What prevents a person from having access to the wallet?

Math. The sheer size of the numbers we are dealing with here is incomprehensible. You are wondering about a single person or a single machine generating millions of seed phrases a second. Let's take that to the extreme. Let's say every single one of the 8 billion people in the entire world is generating and checking a billion seed phrases a second, and they all keep doing that for the next 1 million years. In that entire time, the entirety of the human race will have checked approximately 0.00000074% of all possible 12-word seed phrases. So feel free to set up your computer to generate as many seed phrases as possible from now until the day you die. You will generate billions or even trillions of empty seed phrases, which will be akin to a single grain of sand from all the beaches on the planet.
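The arithmetic behind the last two replies, as an added example (not code from any poster): the size of the 12-word search space for the current 2048-word and old 1626-word Electrum lists, and how long exhausting it takes at a given guess rate. The rates and durations are the thread's own hypotheticals, not measured figures.

```python
import math

# Search-space arithmetic for word-based seeds (added example). Inputs are the
# thread's numbers: a 2048-word list, a 1626-word list, 12 words per seed, and
# words may repeat, so no checksum filtering is applied here.
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def seed_space(wordlist_size: int, words: int) -> int:
    """Number of distinct seeds: every position can hold any word in the list."""
    return wordlist_size ** words


def entropy_bits(wordlist_size: int, words: int) -> float:
    """Equivalent key length in bits: log2 of the search space."""
    return words * math.log2(wordlist_size)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Wall-clock years needed to try every seed once at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def fraction_searched(space: int, guesses_per_second: float, years: float) -> float:
    """Share of the space covered after running at that rate for `years` years."""
    return guesses_per_second * years * SECONDS_PER_YEAR / space


if __name__ == "__main__":
    for name, size in (("current Electrum list", 2048), ("old Electrum list", 1626)):
        space = seed_space(size, 12)
        print(f"{name}: {size}^12 = {space:.4e} seeds, {entropy_bits(size, 12):.1f} bits")
        # One machine at a hypothetical 1e9 guesses/s (far above what key
        # stretching allows in practice, as the thread points out).
        print(f"  years to exhaust at 1e9 guesses/s: {years_to_exhaust(space, 1e9):.3e}")
    # Whole-planet scenario from the thread: 8e9 people, 1e9 guesses/s each, 1e6 years.
    planet_rate = 8e9 * 1e9
    covered = fraction_searched(seed_space(2048, 12), planet_rate, 1e6)
    print(f"planet-scale search for 1e6 years covers {covered:.3e} of the 2048^12 space")
```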
NeuroticFish
August 07, 2022, 10:44:48 AM
> For the moment I still don't understand. [~snip~] And I do a brute force, and the brute-force script tells me that the words word1 word2 word3 are a valid wallet, it's over?
> What prevents a person from having access to the wallet?

Your wallet private key is a number within a hugely big interval. Let's say bigger than the number of stars and planets in the universe. And yes, if somebody finds out that number, you're screwed. It's just that the chance is smaller than winning the big prize at the lottery many times in a row (!). The seed is indeed "just words". But keep in mind that the rather big set of words in the list your seed words are taken from, and even more so the fact that a word can be used multiple times in your seed, makes it, again, very (very-very-very) difficult to brute-force. So difficult that the electricity needed for the job isn't worth it, no matter how many coins are in your wallet (!), plus it takes an awful lot of time (many generations!). Again, the chances to "guess" or brute-force it are extremely low. Clearer?
pooya87
August 07, 2022, 12:47:17 PM
> > There is no difference in the security level of a mnemonic and a randomly generated private key. The minimum security level in Bitcoin is 128 bits, which 128+ bits of entropy provides. In other words, there is no difference between brute-forcing the 128-bit entropy and a Bitcoin private key (the former is actually harder due to the longer route taken to create a private key).
>
> The last part is actually dependent on the length of the derivation path, so it's quite long on Bitcoin Core and other wallets that use BIP44, but on Electrum it's quite short at only two paths, and the paths are fairly easy to predict if you have the master public key and/or just saw the address derived in the Electrum wallet somewhere.

When brute-forcing a random private key, all you have to do is a single EC point multiplication (or multiply once and then increment it by adding G). But when brute-forcing a mnemonic (regardless of the derivation path), you first have to perform a single SHA256 to verify its validity so that you can feed it to PBKDF2 (which performs a couple of thousand SHA hashes) to derive the BIP32 seed, and only then get started on the derivation path. This is the main reason for the speed difference.
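The two hashing steps pooya87 describes, written out for a single candidate phrase as an added example (this is not Electrum's own code; it follows the documented Electrum seed scheme: an HMAC-SHA512 keyed with "Seed version" that marks a phrase as a valid Electrum seed, then 2048 rounds of PBKDF2-HMAC-SHA512 that stretch it into the BIP32 root seed). The 16-word list and the simplified text normalization are assumptions of this example, not Electrum's real 2048-word list or full normalizer.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Constructed 16-word placeholder list (Electrum's real list has 2048 words).
WORDS = ["apple", "brick", "cloud", "delta", "ember", "flint", "grape", "hazel",
         "ivory", "jelly", "kiosk", "lemon", "mango", "noble", "olive", "pearl"]
SEED_VERSION_PREFIX = "01"   # hex prefix Electrum expects for a "standard" seed
PBKDF2_ROUNDS = 2048         # iterations Electrum uses to stretch the phrase


def normalize(text: str) -> str:
    """Simplified Electrum normalization: NFKD, lowercase, single spaces.
    (The real one also strips combining marks and handles CJK spacing.)"""
    return " ".join(unicodedata.normalize("NFKD", text).lower().split())


def is_electrum_seed(mnemonic: str, prefix: str = SEED_VERSION_PREFIX) -> bool:
    """Step 1 for any candidate phrase: one HMAC-SHA512 keyed with b'Seed version'.
    Only phrases whose MAC starts with the version prefix are Electrum seeds at all."""
    mac = hmac.new(b"Seed version", normalize(mnemonic).encode(), hashlib.sha512)
    return mac.hexdigest().startswith(prefix)


def make_seed(word_count: int = 12) -> tuple[str, int]:
    """Draw random words until the version check passes, as Electrum does when
    creating a wallet. Prefix '01' is 8 bits, so about 1 in 256 draws passes.
    No word is reserved as a checksum; the version tag is enforced by rejection."""
    tries = 0
    while True:
        tries += 1
        candidate = " ".join(secrets.choice(WORDS) for _ in range(word_count))
        if is_electrum_seed(candidate):
            return candidate, tries


def electrum_root_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Step 2: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'electrum' + passphrase,
    64-byte output that becomes the BIP32 root. Each round is one HMAC-SHA512
    (two SHA-512 computations), so a candidate costs roughly 4096 hashes before
    any key derivation starts. This is the stretching cost the reply refers to."""
    salt = ("electrum" + normalize(passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", normalize(mnemonic).encode(), salt,
                               PBKDF2_ROUNDS, dklen=64)


if __name__ == "__main__":
    phrase, tries = make_seed()
    print(f"valid Electrum-style seed after {tries} draws: {phrase}")
    print("root seed:", electrum_root_seed(phrase).hex())
```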