Bitcoin Forum
Author Topic: I think we have a problem with 12 seed recovery phrase  (Read 317 times)
Wrathofcoins (OP)
May 30, 2023, 07:12:37 PM
#1

Well, the other day I was talking with a friend. He is one of those guys who follows the crypto news very closely and is also in a ton of Telegram groups, and at one point he told me something very interesting.

He said that one guy in a Telegram group claimed to have opened another person's wallet by loading his own seed and changing only the last word by mistake. So I thought, like always, pure luck, and shit can happen to the owner of that wallet. But after that we kept talking, and he said this guy then started to make more tries and obviously was unsuccessful, but...... a few days passed and this same guy claimed again to have reached another wallet. So yes, it's more a luck thing, but the main problem is something else.

The days have passed and I keep thinking about it, and so does my friend. I know there are a ton of possibilities, but we already know all the words that are used to make the 12-word seed phrase, so we can know the number of possible combinations, which is pretty high, but what if every person in the world has one or more wallets?

The chances of opening another wallet can increase really fast.



Now there are 8,000 million people in the world; imagine every person having 2/3 wallets, and in a few years we may have a lot more population, and that population increases very fast.

If I'm not getting my maths wrong, the actual number of combinations with 12 words is:

11005261717918037175659349191168

A HUGE number, I know, and we are far from that number, but I think we need to be MUCH further away, like with the 24 words.

41731122174410236047796743722730466018640279171473593600

Because in that way we are making the chance of being lucky/unlucky very, very low.

And I repeat, most of you guys here, I'm sure you have more than 5 wallets. And I'm only taking into account the "persons'" wallets; we have to add the ton of wallets from enterprises, companies, exchanges, etc., etc.

What do you think about my claim? I know it's pretty paranoid, and the chances of losing your funds are very/extremely low, but those chances are increasing, and we think we are far, far from the total number of combinations, but I think that's not so true; with a little bit of luck and trying a lot of times you can start to open some wallets.

hosseinimr93
May 30, 2023, 07:49:35 PM
#2

Quote
If I'm not getting my maths wrong, the actual number of combinations with 12 words is:

11005261717918037175659349191168
Wrong.
The number of possibilities is 2048^12, which equals 5.44*10^39.
If we exclude those that don't pass the checksum, the number of valid seed phrases decreases to 3.4*10^38.

The number is big enough.


Quote
A HUGE number, I know, and we are far from that number, but I think we need to be MUCH further away, like with the 24 words.

41731122174410236047796743722730466018640279171473593600
Again wrong.
The number of possibilities is 2048^24, which equals 2.96*10^79.
If we exclude those that don't pass the checksum, the number of valid seed phrases decreases to 1.16*10^77.

o_e_l_e_o
May 30, 2023, 08:20:40 PM
#3

Quote
He said that one guy in a Telegram group claimed to have opened another person's wallet by loading his own seed and changing only the last word by mistake. So I thought, like always, pure luck
He's lying. Taking your own randomly generated seed phrase and changing the last word will never result in you stumbling across another active wallet.

Quote
Now there are 8,000 million people in the world; imagine every person having 2/3 wallets, and in a few years we may have a lot more population, and that population increases very fast.
This is an utterly irrelevant number when compared to the number of valid seed phrases.

Let's say we have 8 billion people in the world. Instead of 2 or 3 wallets, let's say that every one of those 8 billion people is generating a thousand new wallets every second. Let's also say that each one of those 8 billion people continues to generate a thousand new wallets a second every second for a million years.

8 billion * 1,000 * 60 * 60 * 24 * 365 * 1,000,000 = 2.5*10^26

Number of valid 12 word seed phrases = 3.4 * 10^38

So in my scenario, after a million years we will have generated approximately 0.00000000007% of all possible seed phrases.

There will never be a seed phrase collision.
Wrathofcoins (OP)
May 30, 2023, 09:59:52 PM
#4

Well, nice to hear. I did the maths badly, and it's also nice to hear the other guy is lying about it. This makes me feel more secure. Thanks, guys.
hZti
May 31, 2023, 09:12:34 AM
#5

Even if it is highly unlikely, it is also highly unlikely to win the lottery, and still every month somebody wins it. So you can never rule out 100% the possibility that at some point in the next few hundred years somebody will randomly create a new wallet that was already previously used. What will then be the case, however, is that most of the addresses that were used at some point are now completely empty or just have a dust balance. So even if this highly unlikely event does happen, I think the chances are pretty high that it will not damage anybody.
robelneo
May 31, 2023, 01:02:55 PM
#6

Quote
Well, nice to hear. I did the maths badly, and it's also nice to hear the other guy is lying about it. This makes me feel more secure. Thanks, guys.

I'm not good at math, but let's use common sense instead. Bitcoin is already 12 years old and we have never heard of anyone successfully hacking or cracking a 12-word seed recovery phrase, even by pure luck. We're all going to be busted if someone can crack a 12-word seed recovery phrase, but because you've read it on Telegram, where all the unusual stories are told, I can assure you that guy is lying and does not know a thing about hacking.


LoyceV
May 31, 2023, 02:19:01 PM
#7

Quote
Even if it is highly unlikely, it is also highly unlikely to win the lottery, and still every month somebody wins it.
This is a bad analogy. It may be unlikely that you win the lottery, but it's very likely that someone wins it. Depending on the rules of the lottery it could even be a given that someone's going to win.
With random Bitcoin addresses, it's not only unlikely that you recreate an existing one, it's unlikely that anyone does it. It's so unlikely, it's safe to say it's not going to happen. I literally bet my money on this.

Quote
So you can never rule out that possibility 100%
Some people would argue that 99.9999999999999999999999999999% is certain enough. There are much larger risks that are much more likely to happen, and many of those events still don't happen.

Quote
that at some point in the next few hundred years somebody will randomly create a new wallet that was already previously used.
Based on math, I can rule this out. There's really no point in assuming something with a 0.0000000000000000000000000001% probability is going to happen.

Quote
So even if this highly unlikely event does happen, I think the chances are pretty high that it will not damage anybody.
It's simply irrelevant.

hZti
May 31, 2023, 02:28:59 PM
#8


Quote
Based on math, I can rule this out. There's really no point in assuming something with a 0.0000000000000000000000000001% probability is going to happen.

You are completely right with your statements, and it's not only you, but me and basically everyone in the crypto world who is somehow betting their money on this not happening. I am just saying that it is theoretically possible. Same as it is theoretically possible that a cosmic ray hits a bit in a computer chip and changes the current value to another valid one. It is impossible until it then eventually still happens: https://www.johndcook.com/blog/2019/05/20/cosmic-rays-flipping-bits/

Still, don't get me wrong, I will still fully trust my money to the Bitcoin network and don't see anything like this as a real threat since, as I said, most addresses are empty, which makes this whole thing even more unlikely.
LoyceV
May 31, 2023, 02:33:57 PM
#9

Quote
I am just saying that it is theoretically possible.
And I'm saying it's not possible ;) It's more of a philosophical discussion than a technical one.

Saying it's theoretically possible doesn't help new Bitcoin users. It's theoretically possible (and billions of times more likely!) to guess my credit card and phone number, but it's still not going to happen.

hZti
May 31, 2023, 04:02:44 PM
#10


Quote
Saying it's theoretically possible doesn't help new Bitcoin users.

Well, you actually have a point there. It may be a little bit weird to educate yourself about Bitcoin and find people telling you that it is theoretically possible for somebody to steal all your money if they are lucky enough.

So to clear that up: Bitcoin is safe! ;) Just look at the exchange wallets; they wouldn't put all their money in one wallet if they were worried about some dude randomly guessing the private key to those addresses.
DannyHamilton
May 31, 2023, 09:58:20 PM
#11

Quote
I am just saying that it is theoretically possible.

There comes a point where the probability gets SO small that, even though the mathematically calculable number is non-zero, no reasonable person would ever use the word "possible" to describe it.

For example...

Oxygen molecules bounce around randomly in the atmosphere that we breathe. If you are in a large room, there are a VERY large number of arrangements of those oxygen molecules that are possible within that room.  Any single arrangement at a moment in time is just as likely as any other arrangement.  There are a VERY large number of arrangements that provide enough molecules in front of your face that you can breathe. There are a much smaller number of arrangements that result in all of the oxygen molecules gathering together in the corner of the room and you suffocating to death.

If you calculate the exact probability, then there is a non-zero probability at any moment that you will find yourself standing in a perfectly normal room with a perfectly normal amount of oxygen molecules, but still suffocate to death because those molecules just so happen to randomly be all gathered together in the corner.

Even though the mathematically calculated value is not exactly 0, it is SO SMALL that no reasonable person would say that it is "possible" for them to suffocate to death in a normal room with normal amounts of oxygen present due to this scenario.

We humans have a difficult time wrapping our heads around REALLY BIG (or really small) numbers. The probability of stumbling into someone else's randomly generated address or wallet (assuming that it was truly random) is MUCH MUCH MUCH smaller than the probability of winning the lottery. I don't think it's as small as the oxygen molecule example that I gave (though I've never tried to estimate it, so I suppose I could be mistaken about that), but it definitely is plenty small enough to also be considered "not possible" by any reasonable person.
pooya87
June 01, 2023, 03:03:01 AM
#12

One of the reasons some people think a 12-word seed phrase is not safe is the number "12", since they think it is short. But what they don't know is what these words represent, which is randomly generated "entropy" that is 128 bits. And this size of entropy is strong enough to make collisions impossible.

So when someone claims they changed the last word and found a valid seed with funds in it, this is not about changing a word out of 12 and getting lucky; it is about changing 7 bits in 128 bits and finding 2 collisions: first a 4-bit checksum collision (to get a valid mnemonic) and second a 128-bit entropy collision (to find a funded wallet). This is obviously impossible.
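The counts in posts #2 and #12 follow directly from the BIP39 layout: 128 bits of entropy, a 4-bit checksum taken from SHA-256 of that entropy, and the 132-bit result cut into twelve 11-bit word indices. The script below is an added example written for this thread, not code posted by anyone in it. It works on word indices (0..2047) rather than the English words so that it runs without the wordlist; the only constructed input is the all-zero entropy from the BIP39 test vectors, whose last word is index 3 ("about"). It reproduces the 2048^12 vs 2^128 figures for 12 and 24 words and shows that with the first eleven words fixed, exactly 2^7 = 128 of the 2048 possible last words pass the checksum, which is the "7 bits plus 4 checksum bits" point above.

```python
import hashlib

# BIP39 constants: the English wordlist has 2^11 = 2048 entries.
WORDLIST_SIZE = 2048
BITS_PER_WORD = 11


def checksum_bits(entropy: bytes) -> int:
    """BIP39 checksum: the first ENT/32 bits of SHA-256(entropy)."""
    ent_bits = len(entropy) * 8
    cs_len = ent_bits // 32                 # 4 bits for 128-bit entropy, 8 for 256-bit
    digest = int.from_bytes(hashlib.sha256(entropy).digest(), "big")
    return digest >> (256 - cs_len)


def entropy_to_indices(entropy: bytes) -> list[int]:
    """Append the checksum to the entropy and split into 11-bit word indices."""
    ent_bits = len(entropy) * 8
    cs_len = ent_bits // 32
    total = ent_bits + cs_len               # 132 bits for 12 words, 264 for 24
    combined = (int.from_bytes(entropy, "big") << cs_len) | checksum_bits(entropy)
    n_words = total // BITS_PER_WORD
    return [(combined >> (total - BITS_PER_WORD * (i + 1))) & (WORDLIST_SIZE - 1)
            for i in range(n_words)]


def indices_to_entropy(indices: list[int]) -> tuple[bytes, bool]:
    """Inverse of entropy_to_indices. Returns (entropy, checksum_ok)."""
    total = len(indices) * BITS_PER_WORD
    cs_len = total // 33                    # ENT = 32*CS, so ENT + CS = 33*CS
    ent_bits = total - cs_len
    combined = 0
    for idx in indices:
        combined = (combined << BITS_PER_WORD) | idx
    entropy = (combined >> cs_len).to_bytes(ent_bits // 8, "big")
    claimed_cs = combined & ((1 << cs_len) - 1)
    return entropy, checksum_bits(entropy) == claimed_cs


def phrase_counts(n_words: int) -> tuple[int, int]:
    """(all index combinations, combinations that pass the checksum)."""
    total_bits = n_words * BITS_PER_WORD
    cs_len = total_bits // 33
    return WORDLIST_SIZE ** n_words, 2 ** (total_bits - cs_len)


def valid_last_words(indices: list[int]) -> int:
    """Count last words that keep the phrase checksum-valid with the other words fixed.
    For 12 words the last word carries 7 entropy bits + 4 checksum bits, so 2^7 pass;
    each of them is just a different 128-bit entropy, none of them anyone else's."""
    prefix = indices[:-1]
    return sum(1 for w in range(WORDLIST_SIZE) if indices_to_entropy(prefix + [w])[1])


if __name__ == "__main__":
    # Constructed input: the all-zero 128-bit entropy from the BIP39 test vectors
    # ("abandon" x 11 + "about"; "about" is index 3 in the English wordlist).
    zero_entropy = bytes(16)
    idx = entropy_to_indices(zero_entropy)
    print("word indices:", idx)
    print("round trip ok:", indices_to_entropy(idx) == (zero_entropy, True))
    for n in (12, 24):
        total, valid = phrase_counts(n)
        print(f"{n} words: {total:.3e} index combinations, {valid:.3e} pass the checksum")
    print("last-word variants that pass the checksum:", valid_last_words(idx))
```

The 2048^12 figure counts every arrangement of indices; dividing by 2^4 for the checksum gives 2^128, the number of distinct entropies, which is why "12 words" and "128 bits" are the same statement.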

DaveF
June 01, 2023, 03:11:30 AM
#13

And the other point to think about is that even if, through some bizarre, unaccountable bad luck, your 128-bit entropy words were an exact match to an already existing wallet: is that an active wallet? Or is it just a wallet that somebody created and then abandoned years ago? Maybe I'm a unique case, but I have probably created, used and then abandoned 50-plus wallets generated from 12-word seeds over the years. I have several hot wallets that I don't keep a lot of funds in, but I do like to have immediately available funds on several devices at a time that are all totally unrelated to each other. And when I'm done, after what could be weeks or months, I archive the seed and create a new one.

I don't think I'm alone in doing this. So yes, you could find Dave's wallet #37. You get to see all my transactions from 2020. Have a blast with that.

Yes, it's a privacy issue, but it's not a real security issue.

Realistically, bad programming and bad RNGs are probably going to cause more duplicate wallets from duplicate seeds than actually being able to brute force it, or properly written software creating a duplicate seed just by random chance.

-Dave

LoyceV
June 01, 2023, 06:20:02 AM
#14

Quote
I don't think I'm alone in doing this.
Only 47.3 million out of all 1.16 billion used Bitcoin addresses are still funded. That's 4.08%. It doesn't matter much compared to how small the chance is of finding a duplicate.

Quote
realistically, bad programming and bad RNGs are probably going to cause more duplicate wallets from duplicate seeds than actually being able to brute force it or properly written software creating a duplicate seed just by random
See these brain wallets, or posted private keys that still receive funds.

o_e_l_e_o
June 01, 2023, 08:10:54 AM
#15

Quote
I don't think it's as small as the oxygen molecule example that I gave (though I've never tried to estimate it, so I suppose I could be mistaken about that), but it definitely is plenty small enough to also be considered "not possible" by any reasonable person.
The oxygen example is an extreme one. Because I'm a nerd who loves this kind of stuff - some very rough calculations would put a small 5m*5m*3m room at 75,000 liters, 21% O2 gives 15,750 liters, with the molar gas volume of 22.4 liters at STP giving 703.125 moles of oxygen, times Avogadro's constant giving 4.234*10^26 molecules of oxygen. If you give each molecule a 12.5% chance of being gathered in a specific corner of the room (given that there are 8 corners), then your chance of them all being gathered in the same corner is going to be 0.125^(4.234*10^26). My software won't calculate that number. I get as far as about 10^-1,000,000,000 and then it gives up and says zero. Heh.

So yeah, a bit on the extreme side, but the principle is the same as I outlined above. Even if everyone in the world did literally nothing but constantly generate new wallets for millions of years, we still wouldn't get a collision. It is safe to assume the chance of a random collision is zero, just as it is safe to assume the chance of randomly suffocating is zero.

It's probably worth pointing out that if you think a 12 word seed phrase is insecure, then swapping to 24 words doesn't change anything. Bitcoin private keys "only" provide 128 bits of security at most, regardless of the number of bits in the seed phrase used to generate them. If you think all private keys are insecure, then your best mitigation to this (other than learning the math to see why they are not insecure) would be to use a multi-sig set up.
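The "my software says zero" problem in the oxygen calculation, and the keyspace fraction from post #3, are both cases where the honest answer is a number far below what a double can hold, so the practical tool is to work in log10 and never form the probability itself. The script below is an added example for this thread, not code from any of the posters; it uses the room dimensions, 21% O2, 22.4 L/mol and Avogadro's number exactly as given in the post above, and the 8 billion people / 1,000 per second / one million years scenario from post #3, with 2^128 valid 12-word phrases. The naive evaluation underflows to 0.0; the log-space version returns roughly -3.8*10^26 (i.e. the probability is 10^(-3.8*10^26)), and the keyspace fraction comes out at about 7.4*10^-11 %, the 0.00000000007% quoted above.

```python
import math

AVOGADRO = 6.022e23                 # molecules per mole
SECONDS_PER_YEAR = 60 * 60 * 24 * 365
VALID_12_WORD_PHRASES = 2 ** 128    # 128-bit entropy; checksum already excluded


def oxygen_molecules(length_m: float, width_m: float, height_m: float,
                     o2_fraction: float = 0.21, molar_volume_l: float = 22.4) -> float:
    """O2 molecules in a room: volume in litres, 21% O2, 22.4 L/mol at STP."""
    litres = length_m * width_m * height_m * 1000
    moles = litres * o2_fraction / molar_volume_l
    return moles * AVOGADRO


def naive_corner_probability(n_molecules: float, corners: int = 8) -> float:
    """Direct evaluation of (1/corners)^n. Underflows to 0.0 for any real room,
    which is exactly the 'it gives up and says zero' behaviour."""
    return (1.0 / corners) ** n_molecules


def log10_corner_probability(n_molecules: float, corners: int = 8) -> float:
    """log10 of (1/corners)^n = n * log10(1/corners); no underflow possible."""
    return n_molecules * math.log10(1.0 / corners)


def log10_keyspace_fraction(people: int, per_second: int, years: int,
                            keyspace: int = VALID_12_WORD_PHRASES) -> float:
    """log10 of (phrases generated) / (valid phrases), computed on exact ints."""
    generated = people * per_second * SECONDS_PER_YEAR * years
    return math.log10(generated) - math.log10(keyspace)


def keyspace_fraction_percent(people: int, per_second: int, years: int) -> float:
    """Same quantity as a percentage, for comparison with the 0.00000000007% above."""
    return 100 * 10 ** log10_keyspace_fraction(people, per_second, years)


if __name__ == "__main__":
    n = oxygen_molecules(5, 5, 3)
    print(f"O2 molecules in a 5x5x3 m room: {n:.3e}")
    print(f"naive (1/8)^n:                  {naive_corner_probability(n)}")
    print(f"log10 of (1/8)^n:               {log10_corner_probability(n):.3e}")
    people, rate, years = 8_000_000_000, 1000, 1_000_000
    print(f"log10 keyspace fraction:        {log10_keyspace_fraction(people, rate, years):.2f}")
    print(f"as a percentage:                {keyspace_fraction_percent(people, rate, years):.2e} %")
```

Comparing the two logarithms side by side (about -12 for the keyspace fraction against about -3.8*10^26 for the oxygen case) shows the two events are not in the same league, which is the caveat the poster makes: the oxygen picture is far more extreme than seed-phrase collisions, but both are well past the point where "possible" stops being a useful word.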
NotATether
June 01, 2023, 08:25:50 AM
#16

Quote
It's probably worth pointing out that if you think a 12 word seed phrase is insecure, then swapping to 24 words doesn't change anything. Bitcoin private keys "only" provide 128 bits of security at most, regardless of the number of bits in the seed phrase used to generate them.

Why only 128 bits? There is some factor in brute forcing I vaguely recall that cuts the attack time by half, whose name I can't seem to recall.

o_e_l_e_o
June 01, 2023, 08:40:35 AM
#17

Quote
Why only 128 bits? There is some factor in brute forcing I vaguely recall that cuts the attack time by half, whose name I can't seem to recall.
Because the most efficient way to attack a private key is not to blindly brute force 256 bits, but rather to solve the ECDLP and reverse the elliptic curve multiplication, calculating the private key from the known public key. Such an attack would require (at least for the foreseeable future) on average 2^128 operations.

The security of the secp curves is defined in Standards for Efficient Cryptography. SEC 2: Recommended Elliptic Curve Domain Parameters. (Table at the bottom of page 4.)
LoyceV
June 01, 2023, 10:46:04 AM
#18

Quote
It's probably worth pointing out that if you think a 12 word seed phrase is insecure, then swapping to 24 words doesn't change anything.
It gets even better when you realize every seed phrase can create every Bitcoin address (but you'll never be able to produce enough addresses to reach a collision).

Quote
Bitcoin private keys "only" provide 128 bits of security at most, regardless of the number of bits in the seed phrase used to generate them. If you think all private keys are insecure, then your best mitigation to this (other than learning the math to see why they are not insecure) would be to use a multi-sig set up.
Other than peace of mind, I don't see how this protects against collisions. As far as I know, any multisig can be brute-forced in the same way as a single address. To find a collision, you don't need to find all original private keys, you'll just need to find one that matches the other random private key you created. Not that it matters: you'll never find a collision.
With multisig, I'm more afraid of messing something up by myself, in which case it increases instead of decreases the risks.

DaveF
June 01, 2023, 11:04:47 AM
#19

Quote
realistically, bad programming and bad RNGs are probably going to cause more duplicate wallets from duplicate seeds than actually being able to brute force it or properly written software creating a duplicate seed just by random
See these brain wallets, or posted private keys that still receive funds.

Yes, but that is more an example of humans being humans and doing insecure things.

I was thinking more along the lines of some chip manufacturer doing something stupid in an otherwise good RNG and for some reason instead of spitting out one of close to trillions of possible numbers, spitting out one of 10.

Or some wallet that had some things set in testing that still made it into production so once again instead of just about infinite choices it's one of only a few.

Which is why I'll let others play with the first wallets that use the Tropic Square chip. Considering the people making it and their security choices, I'll let others figure out what they missed in the first generation of their security chip. Because you can be open source and auditable all you want, but without specialized tools and knowledge you can't really know what's in the silicon. Which leads to the next thought: even with tons of people over a decade looking at their stuff, you still had Spectre and Meltdown hit so many processor manufacturers.

-Dave

o_e_l_e_o
June 01, 2023, 11:12:32 AM
Last edit: June 01, 2023, 11:25:42 AM by o_e_l_e_o
#20

Quote
As far as I know, any multisig can be brute-forced in the same way as a single address. To find a collision, you don't need to find all original private keys, you'll just need to find one that matches the other random private key you created.
I'm not sure I follow. Do you mean finding the ephemeral key used in signing? Finding an ephemeral key would only allow an attacker to calculate a single one of the private keys in the multi-sig, not all of them (assuming of course you do not reuse your k value across all your keys, which no good wallet software would do anyway).

You can still brute force multi-sig addresses in far less time than brute forcing all the individual private keys by simply finding any script which hashes to the same output as the multi-sig script. So for a P2SH output, where the script hash is RIPEMD160(SHA256(script)), then you have a script hash which is 160 bits, which is obviously far less than trying to brute force 256 bits.

Unless you are meaning finding an individual private key which can be used as I've explained above in order to create a script with a hash which matches that of your multi-sig? And actually, since there are 2^96 private keys on average per address for the same reason, then I suppose the chance is in fact identical.