Bitcoin Forum
Author Topic: How do I identify the valid checksums for bip39 if I generate 11/12 of the word?  (Read 896 times)
BitcoinCanSaveUsAll (OP)
September 28, 2022, 09:27:46 PM
 #41

Hi again everyone,

I was hoping to get someone to double check the hash done on entropy in hex that I generated that is converted to F2B173C5D5AAFFEBB80425FF5FE2057C.

As per hosseinimr93's post, this translates to a SHA256 digest of 931258d717865a310cfc24a9161b21f4c0d02e0bb4cf12894516170a10e72339

Also, with the help of o_e_l_e_o , I was able to perform the following commands and was able to successfully load the Linux files into my Windows copy after logging into su:

apt-get install libdigest-sha-perl

I next performed the following commands but see a different SHA256 digest as noted below:

└─# echo -n F2B173C5D5AAFFEBB80425FF5FE2057C | shasum -a 256 -0
362695f3d7e699ecdae3536168fdc0f4e5696a1ee278c4800a626c0bac70746c ^-

I'm wondering why the discrepancy is occurring with hosseinimr93's SHA256 digest as from what I understood from
o_e_l_e_o :

"-a selects an algorithm, in this case 256. -0 tells it to read the input as bits, which is necessary when computing a checksum as above."

TIA

o_e_l_e_o
September 29, 2022, 08:35:15 AM
Merited by hosemary (2), ABCbits (1)
 #42

I'm wondering why the discrepancy is occurring with hosseinimr93's SHA256 digest as from what I understood from
Because the -0 argument tells it to run in bits mode, but in your command you are not feeding it a string of bits, but a string of bytes. You need to feed it the entropy in 0s and 1s as I said before:
Code:
echo -n "11110010101100010111001111000101110101011010101011111111111010111011100000000100001001011111111101011111111000100000010101111100" | shasum -a 256 -0

Try this command and see if you get the correct checksum.
BitcoinCanSaveUsAll (OP)
September 29, 2022, 01:49:39 PM
Merited by o_e_l_e_o (4), ABCbits (2)
 #43

That did it!  Thank you very much!  So in summary (for the future folks here) on a Windows terminal I had to run through a few hoops here to get things setup.

- I first had to enable Windows Subsystem for Linux

- I then downloaded Kali from the Microsoft store.

- Next I had to setup Kali and create a username and password.

- I next had to log into su via the sudo su command

- Finally I performed the apt-get install libdigest-sha-perl command on the WSL window in sudo su mode and it installed all the necessary commands needed to perform the following line that resulted in the correct SHA256 hash of my binary input:

└─# echo -n "11110010101100010111001111000101110101011010101011111111111010111011100000000100001001011111111101011111111000100000010101111100" | shasum -a 256 -0
931258d717865a310cfc24a9161b21f4c0d02e0bb4cf12894516170a10e72339 ^-

Thanks again to everyone who helped me along here.  It was very educational!

o_e_l_e_o
October 01, 2022, 06:59:34 AM
 #44

Glad you got it all figured out.

For future, if you are planning on using this method (coin flips, calculate checksum, convert to seed phrase manually) to generate a seed phrase, then you should do it on a device which is permanently airgapped. That means it does not have an internet connection and it will never have an internet connection again. Even better if you physically remove things like the WiFi card and Bluetooth chip to ensure it has no wireless connectivity whatsoever. You should also make sure the device is completely clean, which means formatting it and installing a clean OS on it. If you are going through all this trouble anyway, then you would probably be better served simply installing a reputable open source Linux distro rather than Windows and Linux on top. There are a number of very easy to use Linux distros. Mint is probably the closest to Windows in terms of look and feel.
BitcoinCanSaveUsAll (OP)
October 02, 2022, 02:57:34 AM
 #45

Thank you for the suggestion. Question, what are your thoughts about running a Linux Tails distribution on a Windows machine via a USB drive? I'm considering trying to use a persistent drive on a Tails distribution and not connect the Tails OS to any internet connection and then run it through this OS. Are you aware of any possible security issues with this configuration? Thanks
o_e_l_e_o
October 02, 2022, 08:40:14 AM
 #46

Question, what are your thoughts about putting into a Linux Tails Distribution on a Windows machine via a USB drive?
Do you mean running Tails as a virtual machine within Windows? Or do you mean bypassing Windows altogether and simply booting the computer from the Tails USB? I wouldn't recommend the former, but I suspect you are talking about the latter.

If you boot to Tails, therefore completely ignoring Windows, and never connect to the internet or any other methods of communication while within Tails, then this is certainly a safer option than simply using Windows, and a good option if you cannot dedicate a device to be permanently airgapped. It would be even better if you can physically disconnect any connectivity hardware (unplug Ethernet cables, disconnect WiFi modules, etc.) and better still if you can physically disconnect any persistent storage (such as your hard drive(s)) while you are using Tails. But obviously the best option would be if you can dedicate an old machine to do this on which will never boot Windows or go online ever again.
BitcoinCanSaveUsAll (OP)
October 03, 2022, 12:40:32 AM
 #47

Hello, yes I was talking about booting into a USB drive Tails OS on a PC or laptop that already had an OS installed on it.  But thank you for the clarification and additional pointers.
BobbysTransactions
January 10, 2025, 02:40:10 PM
 #48

If you select 12 words, there's a big probability that your seed phrase doesn't pass the checksum.
Instead, you can select 11 words and then try to find a word which leads to a valid BIP39 seed phrase. By valid, I mean it passes the checksum.
This is completely feasible, but it's not a common method for generating a seed phrase.
If you insist on generating your seed phrase in this way, you should make sure that the words are picked 100% random.

Why is this not a more common way for generating 12 words? 

I intend to flip a coin 121 times, convert to BIP39 words and then enter them into my HW with a random 12th word until it accepts the mnemonic as valid (passing checksum). This way I'm not relying on the HW RNG.

This seems to me to be much better than trying to use tools like SeedSigner and https://iancoleman.io/bip39/.

LoyceV
January 10, 2025, 02:46:33 PM
 #49

Why is this not a more common way for generating 12 words?
Probably because it's a lot of work, and not recommended because people will start cherry-picking words to form a sentence.

Quote
I intend to flip a coin 121 times, convert to BIP39 words and then enter them into my HW with a random 12th word until it accepts the mnemonic as valid (passing checksum). This way I'm not relying on the HW RNG.
Why stop flipping there, if you can keep flipping coins and find the nearest word that matches the checksum?

hosemary
January 10, 2025, 03:04:44 PM
 #50

Why is this not a more common way for generating 12 words?  
Your seed phrase represents a large random number and the standard method is that you first generate that random number.
There's nothing preventing you from going to the words list first directly. If you use a method in which words are selected completely randomly, you can achieve the same security.


I intend to flip a coin 121 times, convert to BIP39 words and then enter them into my HW with a random 12th word until it accepts the mnemonic as valid (passing checksum). This way I'm not relying on the HW RNG.
With flipping the coin 121 times, you actually generate random entropy. This means that you use the common method and the only difference is that you select the last 7 bits in a different way.
By common method, I mean generating the entropy and then going to the word list.

pooya87
January 11, 2025, 04:33:30 AM
 #51

I intend to flip a coin 121 times, convert to BIP39 words and then enter them into my HW with a random 12th word until it accepts the mnemonic as valid (passing checksum). This way I'm not relying on the HW RNG.
There are a couple of problems with this idea.
The obvious one is that security-wise you want to generate at least 128 bits of entropy, so reducing it to something like 121 bits is not a good idea.

Additionally, to do what you described, you need the hardware wallet to have implemented a special procedure to first accept an invalid and shorter mnemonic and brute force it to generate a valid one! Because that's what they have to do: add the missing 11 bits or the missing word and check for validity, and if it fails, increment and repeat. They don't have such a feature as far as I know, and there is no valid reason to implement such a feature either, because then the wallet has to also implement another feature to determine which one of the permutations is the valid mnemonic, since more than one word can be added to get a valid checksum and it could be a user trying to recover an already used mnemonic missing the last word.

odolvlobo
January 11, 2025, 04:54:50 AM
Last edit: January 11, 2025, 05:06:35 AM by odolvlobo
Merited by LoyceV (12), ABCbits (3), nc50lc (2), Saint-loup (1), BobbysTransactions (1)
 #52

If you select 12 words, there's a big probability that your seed phrase doesn't pass the checksum.
I intend to flip a coin 121 times, convert to BIP39 words and then enter them into my HW with a random 12th word until it accepts the mnemonic as valid (passing checksum). This way I'm not relying on the HW RNG.

Do this to simplify the process. It will give you the full 128 bits of entropy and should make finding the checksum easier:

1. After flipping 121 times to get the first 11 words, flip 7 more times to get a number between 0 and 127.
2. Multiply that number by 16.
3. Only one of the words that corresponds to that number or one of the 15 that follow will give you a valid seed phrase when used as the 12th word. Try each of them until you find one that works.

For example,

Flip 121 times to get 11 words: raccoon weird maze affair stomach fall whisper direct unveil chase enhance

Flip 7 times to get the number 101. 101 x 16 is 1616. Trying each of the words corresponding to numbers 1616 - 1631, you will find that 1619 "skill" works as the 12th word.

So, the phrase is: raccoon weird maze affair stomach fall whisper direct unveil chase enhance skill

This works because a 12-word phrase only has 4 bits of checksum, which means that once you have all the entropy bits, you only need to find the 1 out of 16 possible bit combinations that matches the correct checksum.

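The two mechanics discussed in this thread (o_e_l_e_o's point in #42 that the checksum is SHA-256 over the raw entropy bytes, not over the ASCII hex, and odolvlobo's 12th-word procedure in #52) can be checked end to end with a few lines of Python. This is an added example, not code posted by anyone in the thread; it uses only the standard library, and the only data it embeds is the OP's own entropy from #41/#43. It does not include the 2048-word list, so it works in word-list indices (0..2047) rather than words; "skill" in odolvlobo's example is simply the word at the index the search returns. The candidate search is written for any phrase length BIP39 allows (12 to 24 words), which generalises odolvlobo's 12-word case: with a 24-word phrase the last word carries only 3 entropy bits and the search covers 256 candidates instead of 16.

```python
import hashlib

ENT_SIZES = (128, 160, 192, 224, 256)  # entropy sizes (bits) that BIP39 allows

# The OP's entropy from post #41 (hex) and #43 (the same value written as 0/1
# characters, which is the form `shasum -a 256 -0` expects in bits mode).
OP_HEX = "F2B173C5D5AAFFEBB80425FF5FE2057C"
OP_BITS = ("1111001010110001011100111100010111010101101010101111111111101011"
           "1011100000000100001001011111111101011111111000100000010101111100")


def bits_to_bytes(bits: str) -> bytes:
    """'0'/'1' characters -> raw bytes. Hashing these bytes is what bits mode does;
    hashing the ASCII hex string instead gives an unrelated digest (the OP's #41 mistake)."""
    if len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected a whole number of bytes written as 0/1 characters")
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def bytes_to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checksum_bits(entropy: bytes) -> str:
    """BIP39 checksum: the first ENT/32 bits of SHA-256(entropy); 4 bits for 128-bit entropy."""
    ent = len(entropy) * 8
    if ent not in ENT_SIZES:
        raise ValueError(f"unsupported entropy size: {ent} bits")
    return bytes_to_bits(hashlib.sha256(entropy).digest())[: ent // 32]


def word_indices(entropy: bytes) -> list[int]:
    """entropy || checksum, cut into 11-bit groups; each group indexes the word list."""
    bits = bytes_to_bits(entropy) + checksum_bits(entropy)
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]


def indices_valid(indices: list[int]) -> bool:
    """What a wallet does on import: split the bits back into entropy and checksum
    and recompute the checksum. Checksum length is len(words)/3 bits."""
    if len(indices) % 3 or not 12 <= len(indices) <= 24:
        return False
    if any(not 0 <= i < 2048 for i in indices):
        return False
    cs_len = len(indices) // 3
    bits = "".join(f"{i:011b}" for i in indices)
    entropy = bits_to_bytes(bits[:-cs_len])
    return bits[-cs_len:] == checksum_bits(entropy)


def last_word_candidates(first_indices: list[int], extra_entropy_bits: str) -> list[int]:
    """odolvlobo's procedure: given every word but the last plus the remaining entropy
    bits (7 of them for a 12-word phrase), the last word lies in a run of 2**cs_len
    consecutive indices starting at extra * 2**cs_len (his "multiply by 16").
    Returns the candidates in that run that pass the checksum; exactly one should."""
    n = len(first_indices) + 1
    cs_len = n // 3
    if len(extra_entropy_bits) != 11 - cs_len:
        raise ValueError(f"a {n}-word phrase needs {11 - cs_len} extra entropy bits")
    base = int(extra_entropy_bits, 2) << cs_len
    return [base + k for k in range(1 << cs_len)
            if indices_valid(first_indices + [base + k])]


if __name__ == "__main__":
    entropy = bytes.fromhex(OP_HEX)
    assert bits_to_bytes(OP_BITS) == entropy
    print("sha256(entropy)   :", sha256_hex(entropy))                 # 931258d7...
    print("sha256(ascii hex) :", sha256_hex(OP_HEX.encode()))         # not the same thing
    print("checksum bits     :", checksum_bits(entropy))              # 1001
    idx = word_indices(entropy)
    print("word indices      :", idx)
    print("12th-word search  :", last_word_candidates(idx[:11], bytes_to_bits(entropy)[121:]))
```

The search confirms the 4-bit arithmetic in #52: the top 7 bits of the 12th word are entropy (here 1111100 = 124, so the run starts at 124 × 16 = 1984) and the bottom 4 bits are the checksum, so exactly one of the 16 candidates in that run validates. Note that `indices_valid` is also the check a wallet runs on import, which is why a phrase built this way is accepted by any BIP39 wallet without the special "complete my mnemonic" feature pooya87 describes in #51.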
apogio
January 11, 2025, 07:46:32 AM
 #53

Why is this not a more common way for generating 12 words? 

CSPRNG is better than your hand.

When flipping a coin, you will unwillingly (probably) make one or more of the following mistakes:

1. see that you flipped '1' too many times and decide to write a lie on paper that you flipped '0' somewhere in the middle, because it seems more random.
2. the opposite of (1)
3. get bored in the middle of the process and decide to add some bits by yourself.

LoyceV
January 11, 2025, 09:37:34 AM
 #54

CSPRNG is better than your hand.
My hand is a lot easier to verify than the random number generator inside a piece of hardware.

Quote
1. see that you flipped '1' too many times and decide to write a lie on paper that you flipped '0' somewhere in the middle, because it seems more random.
2. the opposite of (1)
3. get bored in the middle of the process and decide to add some bits by yourself.
That's just dumb. It's possible to do this properly, and you shouldn't do it if you don't understand randomness.

I've seen discussions about bias in dice rolls or coin flips. For instance: Scientists Destroy Illusion That Coin Toss Flips Are 50–50, showing the coin "landed with the same side facing upward as before the toss 50.8 percent of the time". The article also shows ways to avoid this, but this small bias isn't something I'd worry about. No attacker is going to find out how you flipped a coin, and brute-force the entire 128 flips.

Cricktor
January 11, 2025, 04:54:09 PM
Merited by Saint-loup (1)
 #55

I've seen discussions about bias in dice rolls or coin flips. For instance: Scientists Destroy Illusion That Coin Toss Flips Are 50–50, showing the coin "landed with the same side facing upward as before the toss 50.8 percent of the time". The article also shows ways to avoid this, but this small bias isn't something I'd worry about. No attacker is going to find out how you flipped a coin, and brute-force the entire 128 flips.

You can achieve fair results even from slightly biased coins (or unknowingly biased tossing habits):
  • Toss the coin twice.
  • If the results match, start over, forgetting both results.
  • If the results differ, use the first result, forgetting the second.

If you're very paranoid (or simply want to mask off any potential bias), you can XOR your "random sequence" of coin tosses with another supposedly "random sequence" that is produced by another method, like a CSPRNG or a HWRNG or rolling dice.

Saint-loup
January 12, 2025, 02:39:44 PM
 #56

You can achieve fair results even from slightly biased coins (or unknowingly biased tossing habits):
  • Toss the coin twice.
  • If the results match, start over, forgetting both results.
  • If the results differ, use the first result, forgetting the second.
Actually, the von Neumann method even works with extremely biased coins, it will just take more time and tosses to get enough valid outcomes.
Fundamentally, it just relies on basic probability laws :
p(HT) = p(H) x p(T) = p(TH) and p(H) + p(T) = 1
so
p(T) = 1 - p(H)

p(HT) = p(TH) = p(H) x (1 - p(H))

The probability is the same for HT and TH whatever p(H) and p(T) are. So even if p(H)=99%, we will get the exact same likelihood to get HT and TH. In the same way as for H and T with a perfect fair coin. Then if you only keep HT and TH you will likely get half HT and TH among all the retained tosses, and finally half H and T if you forget the second outcome.

So it's certainly the easiest and safest method to create a seed if you use it along with Odolvlobo's procedure IMO.

Cricktor
January 12, 2025, 03:30:17 PM
 #57

Actually, the von Neumann method even works with extremely biased coins, it will just take more time and tosses to get enough valid outcomes.
Yes, I knew that, but thanks for pointing it out and explanation, anyway. The "von Neumann" method only breaks if you had a coin that produces 100% a particular side. But then it's also apparent that by rule 2 you'd have to always discard the toss results and can't progress at all.

I just wouldn't feel comfortable to use a heavily biased coin for such tosses and therefore wrote that "slightly biased" is still fine with this method, even when "heavily biased" would've worked fine, too.

Probability stuff is somewhat non-intuitive, at least for my wet brain v1.0beta.

BobbysTransactions
April 08, 2026, 10:30:09 AM
 #58

Do this to simplify the process. It will give you the full 128 bits of entropy and should make finding the checksum easier:

1. After flipping 121 times to get the first 11 words, flip 7 more times to get a number between 0 and 127.
2. Multiply that number by 16.
3. Only one of the words that corresponds to that number or one of the 15 that follow will give you a valid seed phrase when used as the 12th word. Try each of them until you find one that works.

For example,

Flip 121 times to get 11 words: raccoon weird maze affair stomach fall whisper direct unveil chase enhance

Flip 7 times to get the number 101. 101 x 16 is 1616. Trying each of the words corresponding to numbers 1616 - 1631, you will find that 1619 "skill" works as the 12th word.

So, the phrase is: raccoon weird maze affair stomach fall whisper direct unveil chase enhance skill

This works because a 12-word phrase only has 4 bits of checksum, which means that once you have all the entropy bits, you only need to find the 1 out of 16 possible bit combinations that matches the correct checksum.

Thank you, this is what I needed.  Tbh, I don't trust the RNG in any signing device (HW) and in general I think it's bad security practice for anyone to either.  Using web tools or even offline tools to calculate or check the checksum introduces additional risk and time.  It would have been better if BIP-39 did not include a checksum. I don't see how it's valuable. When setting up a new device the backup process using seed words should be tested before significant funds are deposited.
Cricktor
April 08, 2026, 06:57:41 PM
Merited by LoyceV (4), ABCbits (1)
 #59

Now that you necro-bumped the thread, what is your exact method to safely generate good random entropy when you don't trust signing device's RNGs?

Why exactly would it be better if the mnemonic recovery words don't also encode a partial SHA-256 checksum? Without any checksum or fragment of it, you won't be able to detect any error. Why would no error detection be any beneficial?

BobbysTransactions
Today at 08:26:41 AM
 #60

Now that you necro-bumped the thread, what is your exact method to safely generate good random entropy when you don't trust signing device's RNGs?

Why exactly would it be better if the mnemonic recovery words don't also encode a partial SHA-256 checksum? Without any checksum or fragment of it, you won't be able to detect any error. Why would no error detection be any beneficial?

The thread's corpse is still warm.

I use 100 dice throws (using dice that have already been tested for bias) to generate a key. I used my signing device (HW) to calculate the hash and checksum. Prior to this I test the HW calcs using a SHA-256 hashing function and word selection using a Python script provided by the manufacturer on a computer.

Without the checksum, I wouldn't need to do that second step. As stated above, as long as my dice aren't loaded and I complete enough rolls, I can map throws directly to the word list without a hash or a checksum. Since standard practice should always be to test recovery using seed words then the checksum isn't necessary.