Author Topic: I REGAINED access to Bitcoins in my made-up brainwallet!  (Read 521 times)
LoyceV (OP)
May 28, 2024, 09:49:02 AM
Merited by vapourminer (1)
 #21

Now, seriously, were you doing an experiment (for fun) ?
Kinda Smiley

Quote
Personally, if I used something like that, I would definitely keep the phrases in paper backups
What's the fun in that? I wanted it to be more than a hypothetical "I remembered it". If I would have written it down, I would have looked at it and never known if I could recover it from memory alone.

Another flaw in this whole thing is "inventing your own method". It is never a good idea, especially when it comes to cryptography-related stuff. There are a lot of things that could go wrong, from small bugs that could not be reproduced when trying to recover to serious bugs that could be categorized as a security flaw.
Yep, I agree Smiley
The reason I did this, was because I wanted to add heavy encryption to a brainwallet, and at the same time avoid the brute-forcers who can attack all "standard" brainwallets at the same time.
Now, there's WarpWallet for that.

but in his case it's not because it is cryptographically weak. its because after a few years, you won't remember what the
I did: I wrote down the steps, and that's not a weakness in the system. I've posted my steps here, it now serves as an additional backup of the steps I took, but doesn't help anyone to gain access to my coins.

you could have just eliminated the bip38 part since the final step was just hashing some string to get the private key. if anyone else finds any other string with the same hash, they don't need to reproduce your bip38 step at all  Shocked but i think your premise is you think your string is the only one that anyone could ever use to get that hash. it's an assumption.
It's a very good assumption!
You're saying anyone could use any different random number to gain access to your Bitcoin address. Duh Tongue There are about 2^96 valid private keys for each Bitcoin address. If anyone could find them, Bitcoin wouldn't exist.

Quote
to get even more security why not iterate this entire procedure 10 times? taking the output of step 3 as the input to step 1.
If that would be necessary, they would have included 10 more rounds in the BIP38 protocol. Adding just one more character to the BIP38-passphrase adds much more "strength" than doing 10 rounds of encryption.

Quickseller
May 28, 2024, 10:23:38 AM
 #22

I do remember the passphrases used.



As an example (I did this online because it's only for testing):
  • Go to bitaddress.org
  • Click Wallet Details
  • In privkey field, enter "longpassphrasetoremember"
  • Tick "BIP38 Encrypt"
  • Enter "extrapassphrase" and click Encrypt BIP38
  • Click OK to use it as brainwallet
  • The resulting encrypted privkey is 6PRKrgToVFyMzHL3qYa9Pq7e1ZugAiaYGYUxK2ccVaUoSeK9PYnqFti5Br
  • Now create a new brainwallet out of "6PRKrgToVFyMzHL3qYa9Pq7e1ZugAiaYGYUxK2ccVaUoSeK9PYnqFti5Br-1", and use compressed addy 14ut6qNTdRaexXRtMjYQc7bkStr2FLNfhk to store funds (don't use this one, obviously)
  • Before funding anything, see if you can reproduce your address from scratch
This is what I did. By now, a Segwit version would be better.
Maybe I am missing something, but if you remember the passphrases used, why couldn't you just use the passphrases to generate the private key and address?

I don't really see much value in knowing the details of the transaction if you don't know the private key, and the private key can lead you to information that will allow you to get the details of the transaction so you can create a new transaction to spend the coin.
larry_vw_1955
May 28, 2024, 10:19:54 PM
Merited by Quickseller (2), ABCbits (1)
 #23

The reason I did this, was because I wanted to add heavy encryption to a brainwallet,
what does that even mean though? i don't think you're really encrypting anything. encryption is typically encrypting a final output. your final output is a clear private key.

Quote
and at the same time avoid the brute-forcers who can attack all "standard" brainwallets at the same time.
Now, there's WarpWallet for that.
so why not use warpwallet then? it's harder to brute force than your scheme. and now that you have published your scheme, so that the whole world can know, your bitcoin private key is more likely to be broken than someone using warpwallet.

Quote
I did: I wrote down the steps, and that's not a weakness in the system. I've posted my steps here, it now serves as an additional backup of the steps I took, but doesn't help anyone to gain access to my coins.
it makes it more likely they will gain access to your coins than if you never published your "brainwallet algorithm". since according to you that's the only way they could come up with the same private key.


Quote
Quote
to get even more security why not iterate this entire procedure 10 times? taking the output of step 3 as the input to step 1.
If that would be necessary, they would have included 10 more rounds in the BIP38 protocol. Adding just one more character to the BIP38-passphrase adds much more "strength" than doing 10 rounds of encryption.
now those are some pretty big statements you made there which i'm not so sure i can agree with. for example, if adding one more character is more secure than doing 10 rounds of encryption then i don't know what to say. except maybe we disagree.  Shocked
LoyceV (OP)
May 29, 2024, 07:35:08 AM
 #24

Maybe I am missing something, but if you remember the passphrases used, why couldn't you just use the passphrases to generate the private key and address?
You must have missed this part:
my mind had added a character to my passphrase
Now I can reproduce it again.

Quote
I don't really see much value in knowing the details of the transaction if you don't know the private key
Without knowing the address, I had to search the list of all funded addresses each time to see if I had the correct one. It added a manual step to the checking process.

The reason I did this, was because I wanted to add heavy encryption to a brainwallet,
what does that even mean though? i don't think you're really encrypting anything. encryption is typically encrypting a final output. your final output is a clear private key.
The final output is produced from encrypted data. I don't see the point of going into semantics.

Quote
so why not use warpwallet then?
When I created this, I didn't know WarpWallet exists. And I'm not entirely sure I can trust it. I do trust BIP38 (for this reason).

Quote
it makes it more likely they will gain access to your coins than if you never published your "brainwallet algorithm". since according to you that's the only way they could come up with the same private key.
Good luck with that Tongue
What you're suggesting is called security through obscurity:
Criticism

Security by obscurity alone is discouraged and not recommended by standards bodies. The National Institute of Standards and Technology (NIST) in the United States recommends against this practice: "System security should not depend on the secrecy of the implementation or its components."
I trust my passphrase to be difficult enough.

now those are some pretty big statements you made there which i'm not so sure i can agree with. for example, if adding one more character is more secure than doing 10 rounds of encryption then i don't know what to say. except maybe we disagree.  Shocked
If you don't understand that one random character added to the passphrase adds more "difficulty" than 10 rounds of the same encryption, I give up Tongue
But here's a hint:
First wallet was cracked in under 3 hours. [pwd: BarT]
Second wallet was cracked in under 10 hours. [pwd: grAce]
Fourth wallet was cracked in under 2 days. [pwd: pxrmg]
Third wallet was NOT CRACKED in two years. [pwd: zLwMiR]

larry_vw_1955
May 30, 2024, 02:51:27 AM
 #25


What you're suggesting is called security through obscurity:
yes i think you're relying partly on security through obscurity

Quote
I trust my passphrase to be difficult enough.
i could say the same thing about my simple sha256 brainwallet.


Quote
If you don't understand that one random character added to the passphrase adds more "difficulty" than 10 rounds of the same encryption, I give up Tongue


i imagine you're not talking about step 3 in your algorithm:

Code:
3. Take this 6P encrypted key, add -1, use this as brainwallet and fund the compressed addy

a bip 38 encrypted private key is already long enough. adding -1,-2 and so on was your idea of having some type of way to generate extra addresses in a sequential manner. it doesn't really do anything for security. so we're back to where we started which is the original passphrase. if it's long enough, it's not feasible to hack no matter what brainwallet algorithm you use. i think you would probably agree with that statement.

so the real issue is why we would need to invent a new rather obscure algorithm to do a brainwallet when we could achieve the same thing by just increasing the length of our passphrase



LoyceV (OP)
May 30, 2024, 07:06:37 AM
Merited by ABCbits (1)
 #26

so the real issue is why we would need to invent a new rather obscure algorithm to do a brainwallet when we could achieve the same thing by just increasing the length of our passphrase
Every existing "classic" brainwallet is attacked by many people doing billions if not trillions of password hacking attempts per second. See Collection of 18.509 found and used Brainwallets. By adding BIP38 to the equation, suddenly an attacker would only be able to do a few attempts per second. It's not worth the electricity to even try.

larry_vw_1955
May 31, 2024, 05:40:55 AM
Merited by LoyceV (2)
 #27



As an example (I did this online because it's only for testing):
  • Go to bitaddress.org
  • Click Wallet Details
  • In privkey field, enter "longpassphrasetoremember"
  • Tick "BIP38 Encrypt"
  • Enter "extrapassphrase" and click Encrypt BIP38
  • Click OK to use it as brainwallet
  • The resulting encrypted privkey is 6PRKrgToVFyMzHL3qYa9Pq7e1ZugAiaYGYUxK2ccVaUoSeK9PYnqFti5Br
based on this small test vector of yours and the results below, I'm not sure you are doing things correctly.


Quote
  • Now create a new brainwallet out of "6PRKrgToVFyMzHL3qYa9Pq7e1ZugAiaYGYUxK2ccVaUoSeK9PYnqFti5Br-1", and use compressed addy 14ut6qNTdRaexXRtMjYQc7bkStr2FLNfhk to store funds (don't use this one, obviously)
  • Before funding anything, see if you can reproduce your address from scratch
This is what I did. By now, a Segwit version would be better.

Before you start funding an address like that, you should probably make sure whatever software you are using to generate that compressed address works with other software tools the same way.  1BsQ1rYAi2nNpnqpCLyQS4fkV4dEf3jegB would be the correct compressed address for a brainwallet corresponding to the passphrase "6PRKrgToVFyMzHL3qYa9Pq7e1ZugAiaYGYUxK2ccVaUoSeK9PYnqFti5Br-1".


Another issue with trying to use bip38 and brainwallets is that bip38 is pretty well DEPRECATED by now and not really recommended. It's a fact of life that not all Bip38 tools produce the same output. So you better stick with the software you originally used to encrypt, which apparently is bitaddress.

Quote
Every existing "classic" brainwallet is attacked by many people doing billions if not trillions of password hacking attempts per second.
i wouldn't say "every". maybe just the sha256 one.

Quote
See Collection of 18.509 found and used Brainwallets (https://bitcointalk.org/index.php?topic=4768828.0). By adding BIP38 to the equation, suddenly an attacker would only be able to do a few attempts per second. It's not worth the electricity to even try.

so would making your sha256 brainwallet "unclassic" by making a few small modifications to how it worked like having a second passphrase (which yours has anyway)...
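Added example, not code from the thread, from bitaddress.org or from any poster: a pure-Python re-derivation of the classic brainwallet steps quoted above (SHA256 of the passphrase as the private key, then the uncompressed or compressed legacy P2PKH address). This is the kind of independent re-check larry_vw_1955 asks for before funding: the "6P...-1" string and the two addresses are taken from the thread as posted, secp256k1 arithmetic and Base58Check are implemented inline, and RIPEMD-160 comes from hashlib (so it needs a Python build whose OpenSSL provides it). The BIP38 step itself (scrypt + AES) is not reproduced here; the 6P string is used as input only.

```python
import hashlib

# secp256k1 domain parameters (standard values)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _ec_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point=G):
    """Double-and-add scalar multiplication (fine for a check, not constant time)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _ec_add(result, addend)
        addend = _ec_add(addend, addend)
        k >>= 1
    return result


def b58check_encode(payload):
    """Base58Check: payload || first 4 bytes of SHA256d(payload), base58-encoded."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))   # each 0x00 byte -> '1'
    return "1" * leading_zeros + out


def brainwallet_privkey(passphrase):
    """Classic brainwallet: the private key is simply SHA256(passphrase)."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def privkey_to_address(priv, compressed=True):
    """Legacy P2PKH ('1...') address for a 32-byte private key."""
    k = int.from_bytes(priv, "big")
    assert 0 < k < N, "private key outside the secp256k1 group order"
    x, y = ec_mul(k)
    if compressed:
        pub = bytes([2 + (y & 1)]) + x.to_bytes(32, "big")      # 33-byte SEC form
    else:
        pub = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    # hash160 = RIPEMD160(SHA256(pubkey)); needs an OpenSSL that exposes ripemd160
    h160 = hashlib.new("ripemd160", hashlib.sha256(pub).digest()).digest()
    return b58check_encode(b"\x00" + h160)   # 0x00 = mainnet P2PKH version byte


def brainwallet_address(passphrase, compressed=True):
    return privkey_to_address(brainwallet_privkey(passphrase), compressed)


if __name__ == "__main__":
    # Step 1 of the procedure quoted in the thread: passphrase -> uncompressed key.
    print("step 1 address:", brainwallet_address("longpassphrasetoremember", compressed=False))
    # Step 3: the BIP38 string from the thread with "-1" appended, hashed again
    # and used as a compressed brainwallet (the 6P string is taken from the thread).
    step3 = "6PRKrgToVFyMzHL3qYa9Pq7e1ZugAiaYGYUxK2ccVaUoSeK9PYnqFti5Br-1"
    addr = brainwallet_address(step3, compressed=True)
    print("step 3 address:", addr)
    print("matches the address posted above:", addr == "1BsQ1rYAi2nNpnqpCLyQS4fkV4dEf3jegB")
```

Running the script with a second, unrelated tool (or this script against the tool you used) is the "reproduce from scratch" check: if the compressed address in step 3 does not come out identical, one of the tools is not doing what you think, which is exactly the copy mistake caught in this thread.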
LoyceV (OP)
May 31, 2024, 06:02:00 AM
Last edit: June 01, 2024, 07:50:25 AM by LoyceV
 #28

Before you start funding an address like that, you should probably make sure whatever software you are using to generate that compressed address works with other software tools the same way.
Before funding, I indeed reproduce my steps using different software.

Quote
1BsQ1rYAi2nNpnqpCLyQS4fkV4dEf3jegB would be the correct compressed address for a brainwallet corresponding to the passphrase "6PRKrgToVFyMzHL3qYa9Pq7e1ZugAiaYGYUxK2ccVaUoSeK9PYnqFti5Br-1".
You're right, I copied the addy from the previous step instead of the final step. There's another reason to verify everything twice, which I didn't do for this example. I've edited my post.

Quote
Another issue with trying to use bip38 and brainwallets is that bip38 is pretty well DEPRECATED by now and not really recommended.
Says who? It's a standard that's widely used, but just in case, I keep my own copies of the software. And so do many other people, I'm pretty sure someone would share it if I'd ask for it 20 years from now.
I've actually thought about creating an archive site with all kinds of old Bitcoin-related software, but I didn't want to deal with potential copyright issues.

Quote
It's a fact of life that not all Bip38 tools produce the same output.
That's what I thought, but I couldn't find evidence for it. This would indeed mess up my system.

apogio
May 31, 2024, 06:22:12 PM
 #29

Another issue with trying to use bip38 and brainwallets is that bip38 is pretty well DEPRECATED by now and not really recommended. It's a fact of life that not all Bip38 tools produce the same output. So you better stick with the software you originally used to encrypt, which apparently is bitaddress.

That's what I thought, but I couldn't find evidence for it. This would indeed mess up my system.

Any info about it? Sounds like an intriguing case-study.

Cricktor
June 01, 2024, 07:20:19 AM
 #30

It's a fact of life that not all Bip38 tools produce the same output.

I'd like to see proof for this claim! Which commonly used tools or wallets have a flawed BIP38 implementation?

LoyceV (OP)
June 01, 2024, 07:56:51 AM
 #31

Which commonly used tools or wallets have a flawed BIP38 implementation?
I've used Mycelium to decrypt BIP38 in the past, but I've only used BitAddress (and the (now phishing) site that's based on it) to create them. It makes sense BIP38 was mostly used for paper wallets, which would explain why other wallets don't create them.
Not that it matters much for me, BitAddress is widely used and that's what I'll use in the future to decrypt this. I've already tested 2 different BitAddress versions, both produce the same.

Pmalek
June 01, 2024, 08:24:05 AM
 #32

I'd like to see proof for this claim! Which commonly used tools or wallets have a flawed BIP38 implementation?
If they are using the same standard in the exact same way, the results have to be identical. If you have input 1 that is being encrypted with said standard, it has to spit out result 1. If you are getting results 2 and 3 as well, there is some deviation somewhere. A flawed tool or wallet would produce different results. But that's not a problem with the implementation, but rather the scheme that buggy software is using.

nomachine
June 01, 2024, 10:07:48 AM
Last edit: June 01, 2024, 12:32:18 PM by nomachine
 #33

It must be the same result. If it is used:

Code:
prefactor = hexstrlify(scrypt.hash(password, salt, 16384, 8, 8, 32))


Maybe there are different tools that have different prefixes. (nothing else can cause confusion)


Code:
Range in base58check encoding for non-EC-multiplied keys without compression (prefix 6PR):
Minimum value: 6PRHv1jg1ytiE4kT2QtrUz8gEjMQghZDWg1FuxjdYDzjUkcJeGdFj9q9Vi (based on 01 42 C0 plus thirty-six 00's)
Maximum value: 6PRWdmoT1ZursVcr5NiD14p5bHrKVGPG7yeEoEeRb8FVaqYSHnZTLEbYsU (based on 01 42 C0 plus thirty-six FF's)
Range in base58check encoding for non-EC-multiplied keys with compression (prefix 6PY):
Minimum value: 6PYJxKpVnkXUsnZAfD2B5ZsZafJYNp4ezQQeCjs39494qUUXLnXijLx6LG (based on 01 42 E0 plus thirty-six 00's)
Maximum value: 6PYXg5tGnLYdXDRZiAqXbeYxwDoTBNthbi3d61mqBxPpwZQezJTvQHsCnk (based on 01 42 E0 plus thirty-six FF's)
Range in base58check encoding for EC-multiplied keys without compression (prefix 6Pf):
Minimum value: 6PfKzduKZXAFXWMtJ19Vg9cSvbFg4va6U8p2VWzSjtHQCCLk3JSBpUvfpf (based on 01 43 00 plus thirty-six 00's)
Maximum value: 6PfYiPy6Z7BQAwEHLxxrCEHrH9kasVQ95ST1NnuEnnYAJHGsgpNPQ9dTHc (based on 01 43 00 plus thirty-six FF's)
Range in base58check encoding for EC-multiplied keys with compression (prefix 6Pn):
Minimum value: 6PnM2wz9LHo2BEAbvoGpGjMLGXCom35XwsDQnJ7rLiRjYvCxjpLenmoBsR (based on 01 43 20 plus thirty-six 00's)
Maximum value: 6PnZki3vKspApf2zym6Anp2jd5hiZbuaZArPfa2ePcgVf196PLGrQNyVUh (based on 01 43 20 plus thirty-six FF's)


I have my own tool that only encodes/decodes EC-multiplied keys (prefix 6Pn).

Code:
import scrypt                      # pip install scrypt
from binascii import hexlify, unhexlify
from Crypto.Cipher import AES      # pip install pycryptodome
from gmpy2 import mpz              # pip install gmpy2
import secp256k1 as ice            # https://github.com/iceland2k14/secp256k1
import hashlib

# Base58Check decode; returns the payload as a hex string (checksum stripped when check=True)
def b58d(s, check=True):
    b58_digits = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
    zero_digit = b58_digits[0]
    assert s
    n = 0
    for c in s:
        n = n * 58 + b58_digits.index(c)
    h = hex(n)[2:]
    if len(h) % 2:
        h = "0" + h
    res = unhexlify(h.encode("utf8"))
    pad = len(s) - len(s.lstrip(zero_digit))   # each leading '1' is a 0x00 byte
    o = b"\x00" * pad + res
    if check:
        double_sha256 = hashlib.sha256(hashlib.sha256(o[:-4]).digest()).digest()
        assert double_sha256[:4] == o[-4:], "bad Base58Check checksum"
        return hexlify(o[:-4]).decode("ascii")
    return hexlify(o).decode("ascii")


# BIP38 uses raw AES-256-ECB on single 16-byte blocks: no IV and no padding,
# so the decrypted block is returned as-is
def simple_aes_decrypt(msg, key):
    assert len(msg) == 16
    assert len(key) == 32
    cipher = AES.new(key, AES.MODE_ECB)
    decrypted_msg = cipher.decrypt(msg)
    assert len(decrypted_msg) == 16
    return decrypted_msg

def dechex(num, zfill=0):
    # mpz -> even-length hex string, left-padded to zfill bytes
    if isinstance(num, mpz):
        hex_num = num.digits(16)
        if len(hex_num) % 2:
            hex_num = '0' + hex_num
        return hex_num.rjust(zfill * 2, '0')
    raise TypeError('Input must be mpz.')

def multiplypriv(p1, p2):
    # scalar product of two 32-byte hex scalars modulo the curve order
    result = (mpz(p1, 16) * mpz(p2, 16)) % ice.N
    return dechex(result, 32)

def hexstrlify(a):
    return hexlify(a).decode("ascii")

def privtopub(priv, outcompressed=True):
    # compressed public key (33 bytes, as hex) of a hex private key
    priv_int = int(priv, 16)
    pub = ice.scalar_multiplication(priv_int)
    return ice.point_to_cpub(pub)

def hash256(hexstring):
    return hashlib.sha256(hashlib.sha256(bytes.fromhex(hexstring)).digest()).digest().hex()

def bip38decrypt(password, encrypted_private_key, target):
    # Field layout of a 39-byte EC-multiplied key (hex offsets):
    # [0:4] 0143, [4:6] flag byte, [6:14] addresshash, [14:30] ownerentropy,
    # [30:46] first 8 bytes of encryptedpart1, [46:78] encryptedpart2
    encrypted_private_key = b58d(encrypted_private_key)
    owner_entropy = encrypted_private_key[14:30]
    enchalf1half1 = encrypted_private_key[30:46]
    enchalf2 = encrypted_private_key[46:]
    # Assumes the lot/sequence flag (0x04) is NOT set: ownersalt is the full
    # ownerentropy and passfactor equals prefactor
    owner_salt = owner_entropy
    salt = unhexlify(owner_salt)
    prefactor = hexstrlify(scrypt.hash(password, salt, 16384, 8, 8, 32))
    passfactor = prefactor
    passpoint = privtopub(passfactor, True)
    password = unhexlify(passpoint)
    combined_salt = unhexlify(encrypted_private_key[6:14] + owner_entropy)
    # second scrypt: passpoint as password, addresshash + ownerentropy as salt
    encseedb = hexstrlify(scrypt.hash(password, combined_salt, 1024, 1, 1, 64))
    key = unhexlify(encseedb[64:])                      # derivedhalf2 = AES key
    tmp = hexstrlify(simple_aes_decrypt(unhexlify(enchalf2), key))
    # AES^-1(encryptedpart2) XOR derivedhalf1[16:32] = encryptedpart1[8:16] || seedb[16:24]
    enchalf1half2_seedblastthird = mpz(tmp, 16) ^ mpz(encseedb[32:64], 16)
    enchalf1half2_seedblastthird = dechex(enchalf1half2_seedblastthird, 16)
    enchalf1half2 = enchalf1half2_seedblastthird[:16]
    enchalf1 = enchalf1half1 + enchalf1half2
    decrypted_enchalf1 = hexstrlify(simple_aes_decrypt(unhexlify(enchalf1), key))
    # AES^-1(encryptedpart1) XOR derivedhalf1[0:16] = seedb[0:16]
    seedb = mpz(decrypted_enchalf1, 16) ^ mpz(encseedb[:32], 16)
    seedb = dechex(seedb, 16) + enchalf1half2_seedblastthird[16:]
    factorb = hash256(seedb)
    priv = multiplypriv(passfactor, factorb)            # privkey = passfactor * factorb mod N
    dec = int(priv, 16)
    caddr = ice.privatekey_to_address(0, True, dec)
    uaddr = ice.privatekey_to_address(0, False, dec)
    if caddr == target or uaddr == target:
        wifc = ice.btc_pvk_to_wif(priv)
        wifu = ice.btc_pvk_to_wif(priv, False)
        with open("KEY.txt", "a") as file:
            file.write("\nPrivate key (wif) Compressed : " + wifc)
            file.write("\nPrivate key (wif) Uncompressed: " + wifu)
            file.write("\nBitcoin address Compressed: " + caddr)
            file.write("\nBitcoin address Uncompressed: " + uaddr)
            file.write(
                "\n-------------------------------------------------------------------------------------------------------------------------------------------\n"
            )
        return wifc
    return False

pwd = "Satoshi"
encryptedSecret = "6PnRY7S41Qe6i9SLxRrmSJ1AQhkz4yLjPXw76qtHShLsb1Ch8JrbMWGvPr"
target = "15aAb6P6ysSAR3SEtit6MWWgNPXZgn5YFj"

test = bip38decrypt(pwd, encryptedSecret, target)
print(test)


result from KEY.txt

Private key (wif) Compressed : KxSomWg95w2qRi5S3cuC5FPcQdXiWhHRaWpZZcLkXgvE1UAyhfZq
Private key (wif) Uncompressed: 5J6Pq9Y56ecm3szePoCNYKfevqc44ZEh1Lu1afpXFf3YVh13Ccb
Bitcoin address Compressed: 15aAb6P6ysSAR3SEtit6MWWgNPXZgn5YFj
Bitcoin address Uncompressed: 13XDLESCf3UDBLjGoSEdLH9ksHNuYAybPR


bip38 is pretty well DEPRECATED by now and not really recommended.

The tools, for example, in python, are outdated.
But that doesn't stop me from updating them myself. BIP38 is unhackable.
I barely manage to encode/decode 100 per second with all possible accelerations around.

The scrypt function is slow by design.

It can NOT be accelerated. The parameters include N=16384, r=8, and p=8.
The N parameter defines the CPU/memory cost, and larger values like that make the function more memory-intensive.

This is a deliberate design choice to prevent attackers from using specialized hardware, like GPUs or ASICs, which might have less memory available per processing unit.
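Added example, written for this thread and not nomachine's tool or bitaddress: it uses Python's standard-library hashlib.scrypt with the N=16384, r=8, p=8 parameters quoted above to run the non-EC BIP38 key derivation (addresshash salt + scrypt; the AES step that follows is described in a comment but not performed), classifies a 6P string by the version and flag bytes from the range table above (so you can tell whether a decoder needs EC-multiply support before trusting it), and measures how many scrypt guesses per second one core manages next to plain SHA256, which is the throttling effect LoyceV describes. The 6P strings and the address are taken from the thread; the "guess" passphrase is a constructed sample.

```python
import hashlib
import time

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
SCRYPT_N, SCRYPT_R, SCRYPT_P = 16384, 8, 8   # BIP38 parameters quoted above


def sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_decode(s):
    """Base58 -> (payload, checksum_ok). Each leading '1' is a 0x00 byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * (len(s) - len(s.lstrip("1"))) + raw
    payload, checksum = raw[:-4], raw[-4:]
    return payload, sha256d(payload)[:4] == checksum


def parse_bip38(key):
    """Classify a 6P... string from its version (0x0142/0x0143) and flag byte."""
    payload, ok = b58check_decode(key)
    if len(payload) != 39 or payload[0] != 0x01 or payload[1] not in (0x42, 0x43):
        raise ValueError("not a BIP38 encrypted key")
    flag = payload[2]
    ec = payload[1] == 0x43                   # 0x0143 = EC-multiply mode, 0x0142 = plain
    return {
        "ec_multiplied": ec,
        "compressed": bool(flag & 0x20),      # 0xE0 (plain) / 0x20 (EC) carry this bit
        "lot_sequence": ec and bool(flag & 0x04),
        "checksum_ok": ok,
    }


def bip38_derived_halves(passphrase, address):
    """Non-EC BIP38 key derivation: scrypt(passphrase, addresshash, 16384, 8, 8, 64).
    Returns (derivedhalf1, derivedhalf2). The encryption step that BIP38 performs
    next, AES-256-ECB of (privkey XOR derivedhalf1) under derivedhalf2, needs an
    AES library and is not done here."""
    addresshash = sha256d(address.encode("ascii"))[:4]
    derived = hashlib.scrypt(passphrase.encode("utf-8"), salt=addresshash,
                             n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                             maxmem=64 * 1024 * 1024, dklen=64)
    return derived[:32], derived[32:]


def guesses_per_second(address="1BsQ1rYAi2nNpnqpCLyQS4fkV4dEf3jegB", sha_iters=20000):
    """Rough single-core throughput: SHA256 brainwallet guesses vs BIP38 scrypt guesses."""
    t0 = time.perf_counter()
    for i in range(sha_iters):
        hashlib.sha256(b"guess%d" % i).digest()      # constructed sample guesses
    sha_rate = sha_iters / (time.perf_counter() - t0)
    t0 = time.perf_counter()
    bip38_derived_halves("guess", address)
    scrypt_rate = 1 / (time.perf_counter() - t0)
    return sha_rate, scrypt_rate


if __name__ == "__main__":
    for key in ("6PRKrgToVFyMzHL3qYa9Pq7e1ZugAiaYGYUxK2ccVaUoSeK9PYnqFti5Br",   # from the thread
                "6PnRY7S41Qe6i9SLxRrmSJ1AQhkz4yLjPXw76qtHShLsb1Ch8JrbMWGvPr"):  # from the thread
        print(key[:6], parse_bip38(key))
    sha_rate, scrypt_rate = guesses_per_second()
    print("SHA256 guesses/s: %.0f   BIP38 scrypt guesses/s: %.2f   ratio: %.0f"
          % (sha_rate, scrypt_rate, sha_rate / scrypt_rate))
```

The parse result is the first thing to check when two BIP38 tools disagree: a tool that only implements the 0x0142 (non-EC) layout will happily decode a 0x0143 key into garbage, and the flag byte also tells you whether the tool must honour the lot/sequence variant.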
larry_vw_1955
June 02, 2024, 12:04:14 AM
 #34

It's a fact of life that not all Bip38 tools produce the same output.

I'd like to see proof for this claim! Which commonly used tools or wallets have a flawed BIP38 implementation?

none that i know of that are commonly used tools such as bitaddress.

but there's this piece of bip38 python software that only implements EC non-multiply mode. It is completely unaware of the multiply mode. So when it comes across encrypted private keys of that type, it decodes them but incorrectly. I wouldn't call it a bug, I would call it more like being an incomplete implementation of bip38. but that could certainly lead to confusion. i can't really say the name of the software but it's definitely not commonly used. it's just something someone wrote but didn't really complete it, i guess. i just happened to come across it and i became aware of that bug when i tried testing it out on some EC multiply test addresses.

if this particular software developer made that mistake though, it's possible someone else might too if they are just a hobbyist programmer so it's something to look out for...
 Shocked

even software like bitaddress for bip38 it is not a complete implementation. it can decode EC multiply but I think it uses the non-multiply mode to encode. but i guess it is ok.
mamuu
June 02, 2024, 10:29:18 PM
 #35

TL;DR
Years ago, I sent some Bitcoin to an address without any physical backup, to see if I could find it back years later. Now, I can't find them back. Lol.

Long version
I combined a brainwallet with BIP38 encryption to make it very hard to crack. A bit like this proposal, but my own version. I kept notes of what I did:
Code:
1. Passphrase > brainwallet > uncompressed privkey
2. BIP38 compress this key with passphrase2
3. Take this 6P encrypted key, add -1, use this as brainwallet and fund the compressed addy
I don't remember the address.
I remember the amount on 2 addresses used to fund it.
I don't remember the transaction fee.
I don't remember the year I did all this. I guess it was somewhere between 2017 and 2020.
I'm pretty sure all addresses involved were legacy.
Blockchair's transaction search gives thousands of potential transactions. I can narrow it down to less than a thousand by making some assumptions. I can't select all search options I'd need for a lower number of transactions.
I do remember the passphrases used. I won't say I'm 100% certain, so let's say I'm 99% certain those are correct. That makes it likely there's something in my method that I can't reproduce.
I am 100% certain nobody brute-forced my private key. The passphrase was too long for heavy BIP38 encryption, and the setup was too complicated (so automated searches, which are used to attack all regular brainwallets at once, can't be used).

Questions
Why did I do step 1 and 2? That could have been done in one step, unless I'm missing something now.
Does BIP38 encryption always produce the same encrypted key, or could the same privkey and passphrase produce a different encrypted string if I use different software? I probably used bitaddress.org or the other (now scamming) paper wallet site from back in those days.
The annoying part: to try anything takes me several manual actions on an air-gapped system. I can't quickly test a lot of options.

How much?
I wasn't dumb enough to use a large amount, but I'd still like to find it back. I won't lose sleep over the amount, but I already know if I can't recover it, it's going to torment me for years. I rarely lose data, and I don't like it.

No spam
Self-moderated to prevent spam. Discussion is of course allowed. I already know I was stupid, but feel free to rub it in Tongue Telling me "I told you so" is allowed too Tongue

Hello.
Can you simulate the process step by step?
For example.
let's say you chose brainwallet Passphrase ‘mamu’ in the first step. can you write each step and share the result of each step? I need to understand the process you are doing, then I can write suggestions for you.

larry_vw_1955
June 03, 2024, 04:41:55 AM
 #36

Hello.
Can you simulate the process step by step?


he already did in post 11: https://bitcointalk.org/index.php?topic=5497667.msg64125626#msg64125626
LoyceV (OP)
June 03, 2024, 05:46:18 AM
 #37

can you write each step and share the result of each step?
See this post. Reading the topic before responding helps. Also, there's no need for long quotes.

Quote
I need to understand the process you are doing, then I can write suggestions for you.
Why? Even the topic title shows I regained access.
