Forget brainwallet - could you memorize an entire private key?

[cryptohill]

But wouldn't a passphrase of some sort be exceptionally easier to brute force than the private key? Sorry I actually have no idea but it is a guess. Then there is the issue what is your house burns down, paper is lost etc. But then again as others have mentioned you could simply have an accident etc and lose your memory.

I guess essentially the answer is that remembering your private key has zero advantage?

[jonald_fyookball]

But wouldn't a passphrase of some sort be exceptionally easier to brute force than the private key? Sorry I actually have no idea but it is a guess. 

Not necessarily, no.  There's no reason a passphrase can't be generated with high entropy.

[cryptohill]

Fair enough. But if you designed such a hard passphrase would that not defy the purpose and it would actually be easier/same to remember the private key. Additionally, passphrase has the same risks associated with forgetting?

[BitcoinBarrel]

It's definitely possible, but I doubt someone would remember it over a long period of time.

[jonald_fyookball]

Fair enough. But if you designed such a hard passphrase would that not defy the purpose and it would actually be easier/same to remember the private key. Additionally, passphrase has the same risks associated with forgetting?

No, it wouldn't defeat the purpose and would be easier to remember.    It's how Electrum does it for example.
You have a 1626 word dictionary, so you only need 12 words to get 128 bits of entropy.  Twelve common
words are easier to remember than 32 hexadecimal characters, dont you think?

[DeathAndTaxes]

This is often repeated around here, but are there any documented, non-theoretical examples of that? Not talking about in 10 years, but today? Not trolling. Do you have any sources for that claim?

One verifiable source is that the bitcoin network collectively has completed ~2^80 hashing operations since the genesis block.    This can be verified by looking at the cummulative difficulty of the best chain from genesis block to current.  Granted it is has taken years and involved tens of thousands of specialized devices but it has been done.  It is proven that humans can complete problems requiring on the order of 2^80 operations.

This site reports recommendations from various organizations of the minimum key lengths required to remain ahead of Moore's law.
http://www.keylength.com/en/compare/
if you were only worried about today and today only the min key length for ECDSA is 152 to 224 bits.  Bitcoin's current signature algorithm is good for at least a few decades.  None show any concerns for breaking 256 bit ECDSA keys before 2040 and many show they will be good for decades beyond that.

I personally would not be concerned with using a reduced strength key (at least 80 bits).  The economics of an attack would be incredible and you would only be at risk if you either reuse an address or if the attacker could complete the attack not in months or years but before the txn could be confirmed (i.e. within 10-30 minutes).

Today keys with 80 bit strength are generally considered insecure but honestly it is probably beyond the capabilities of almost all attackers in the world.  Three letter agencies of major world powers are probably the only entities with sufficient resources.  There are no hard and fast rules simply because almost nobody builds computing systems on that scale and if they do they are probably highly classified.  We also don't know the future.  Who knows what systems major governments are building right now.

Still the idea of "probably secure" isn't considered good enough for most cryptographers.  We don't necessarily know how much computing power the attacker has, so it is simpler to reverse it.  How much computing power do we know the attacker can NOT have.  If a brute forcing a key requires more than that then it is infeasible to break it.  In other words I don't know what is the strongest key that the NSA has can crack but I do know they can't brute force a key with 128 bit security* using classical computing (and will not be able to do so for the next couple decades).  Brute forcing a key with 256 bit security would require more energy than will be output by our star in its entire lifetime so it will remain infeasible long after we are dead and gone.

* This doesn't mean all 128 bit keys are forever secure.  Future cryptanalysis may weaken the underlying algorithm such that a 256 bit ECDSA key someday can be brute forced in less than 2^128 operations.  It also doesn't apply to things like weak passwords, brain wallets, etc.  None of those involve a brute force attack against the keyspace.  It also doesn't apply to esoteric concepts like quantum computing or reversible computing as they don't necessarily  have the same energy requirements.

[jonald_fyookball]

Be careful with only using 160 bits of entropy for private keys.  The strength of ECDSA keys when the public key is known is half the key size.  For full length key 256 bits length = 128 bits strength.   So 160 bits mean 80 bit of strength.  This is not beyond brute force.  It may not be economical but brute forcing the private key from the public key is feasible.

sorry to double post my question...but why exactly is electrum safe with only 128 bits of entropy?  (besides the extra 16 bits of key stretching which I'm aware of)...  

Is it because it is hashed in the first place?   Once you hash a passphrase, it retains all the entropy?  You can't reverse the hashing... Is that it?

[minerpumpkin]

If it comes to the actual private key in its native form, I think I definitely wouldn't be able to remember a valid private key in its entirety. Maybe if it was for a really huge amount of BTC and I had enough time, I may get around to memorize it, but it'd be very difficult! A brainwallet really is easier!

[DeathAndTaxes]

sorry to double post my question...but why exactly is electrum safe with only 128 bits of entropy?  (besides the extra 16 bits of key stretching which I'm aware of)...  

Is it because it is hashed in the first place?   Once you hash a passphrase, it retains all the entropy?  You can't reverse the hashing... Is that it?

A hashed value does retain the lesser of the hash length and the original entropy due to the avalanche effect of function.  The issue with using a truncated key isn't that the key has some reduced entropy but rather that the distribution isn't random (i.e. if you pad 160 bits with t the possibility than 96 bits of leading zeroes then the scope of all possible keys has been reduced).  The keys produced from a deterministic function using hashes from a 128 bit seed can never have more than 128 bits of entropy however the possible values are randomly distributed over the key space. 

Electrum wallets "could" be attacked by brute forcing the seed instead of the keys.  They are secure because brute forcing the seed is no faster (and actually is significantly slower due to key stretching) than brute forcing the private key from a known public key.  

The OP talks about using a reduced length key but if you hashed that value then it would in essence be a seed with <256 bits making it very similar to a deterministic wallet except in this case it is a deterministic wallet of one.  Taking a hash of the value to produce the key is fine [SHA-256(seed)=key ] but if you are going to do that then I would use a memory information dense format than hex such as using random mnemonic words.  It would be shorter and easier to memorize than even a reduced length key.

Using diceware (http://world.std.com/~reinhold/diceware.html) each word has 12.9 bits of entropy.  For 128 bit strength we need 10 words.  I rolled the following words.

Code:

hi dewar arise belly urn brush gain scam gawky liven

SHA-256("hi dewar arise belly urn brush gain scam gawky liven") = 76df74f69be8d08324ded37f180010747811eac1a8104e19eed4e7a0c1b44b7a

Code:

private key (hex): 76df74f69be8d08324ded37f180010747811eac1a8104e19eed4e7a0c1b44b7a
private key (WIF): L1CnSP3scSGqqBSy3ci8XoAyUkSzENbKHDDaKXcVihGc84AhG1Uf
public key: 02b4410f9ff2d8798351ce0fe3ba7396d7d0dbd5aa1df192a3e46e6d08ad3de01a
address: 175mxfk6K6DD1Fz9ZmFitZaeHUzxDzBULS

Please nobody use this address it is just for illustration.

Personally I find it easier to memorize:

hi dewar arise belly urn brush gain scam gawky liven

then:

76df74f69be8d08324ded37f180010747811eac1a8104e19eed4e7a0c1b44b7a

or even:

180010747811eac1a8104e19eed4e7a0c1b44b7a (24 padded zeros assumed)

[jonald_fyookball]

it sounds like you're agreeing with me.  so then the original warning of "160 is really 80 bits"of security only applies to private keys derived without hashing, since there is no avalanche effect to obscure it.

edit: and therefore, this warning doesn't apply to brain wallets in general, assuming they use hashing.

[wasserman99]

Brainwallets were never a bad idea, they're just as secure as using a normal password. If you forget the password, bad luck, same goes with brainwallets.

It's easy to remember a simple phrase, such as "CandyMadeTheCowGoPoo", I can't understand why you think it's a bad idea.

Let me drop knowledge: http://www.reddit.com/r/Bitcoin/comments/1ptuf3/
 or http://www.reddit.com/r/Bitcoin/comments/1nbmet/
They were always a bad idea.

If created properly, brain wallets are much better then trying to memorize your private key. If you are memorizing your private key then you must leave your key in some exposed format while you are trying to memorize it. In order for you to see it while memorizing the key it will need to somehow be out in the open. There is also a good chance that you would forget it after some amount of time after not using it. How many times have you forgotten a password that you used to a certain site and had to reset it? Probably a lot.

[djarot]

If created properly, brain wallets are much better then trying to memorize your private key. If you are memorizing your private key then you must leave your key in some exposed format while you are trying to memorize it. In order for you to see it while memorizing the key it will need to somehow be out in the open. There is also a good chance that you would forget it after some amount of time after not using it. How many times have you forgotten a password that you used to a certain site and had to reset it? Probably a lot.

yes, and to my mind memorizing would be the easy part... typing it out without mistake would really cause an issue and finding the error and not doubting yourself! aha definitely never worthwhile practice!

[cryptohill]

Ignoring the difficulty factor, would it be worthwhile remembering the private key? I understand it is difficult to remember, but if there was a way to remember it, would the very fact of remembering the key be of any benefit or solve any current problem. Thanks.

[hodap]

Remembering the whole private keys? That's just retarded when you can use a passphrase haha

Not a bad idea if the user want to remember data in raw form without using on application to decode the pass phrase.

[SwingFirst]

You can definitely memorize the private key in your head!

Divide the private key into 4-digit groups, and learn 8 (2 groups) today, and then 4 new digits (1 group) a day.

[trout]

Here's a pretty good brainwallet idea, imo.

Chain all  (physical, postal) addresses  of places you lived in for at least 6 months
for the past 10 (or 20) years . One address is easily 25 bits of entropy (even within
one large country), so with 5 addresses  you are good to go.  This is something you are likely to remember for many years (likely you had to write each of the addresses many a time), and even
if you forget some of the addresses you may be able to restore them from bills, letters, etc.
Also, someone has to know you very very well to know all the addresses.
In fact, the closer the person is to you, the less information you'd need to communicate
in case of emergency or in your will.
You might want to chain  a short  password in the end  to protect you from your mom though

Won't work for very young people, or for someone who lived in the same city all their life..
but hey, it's a pretty good idea for a lot of people.

[jonald_fyookball]

Here's a pretty good brainwallet idea, imo.

Chain all  (physical, postal) addresses  of places you lived in for at least 6 months
for the past 10 (or 20) years . One address is easily 25 bits of entropy (even within
one large country), so with 5 addresses  you are good to go.  This is something you are likely to remember for many years (likely you had to write each of the addresses many a time), and even
if you forget some of the addresses you may be able to restore them from bills, letters, etc.
Also, someone has to know you very very well to know all the addresses.
In fact, the closer the person is to you, the less information you'd need to communicate
in case of emergency or in your will.
You might want to chain  a short  password in the end  to protect you from your mom though

Won't work for very young people, or for someone who lived in the same city all their life..
but hey, it's a pretty good idea for a lot of people.

Previous addresses are commonly used in identity verification, so that means
they are stored by credit companies, etc. 

[Joerii]

I've heard a podcast about memory training from the world record holder of memory skills.
It's very doable to memorize a private key, in fact, there are people that can memorize 50 of them in just a couple of hours.

Check out https://www.pmemory.com/pages/how-it-works/

Im not in any way affiliated with this site, sharing it just for fun. If I had the time, i'd be ordering that course !

[Moneyunmaker]

No way, no cant do 

[wasserman99]

If created properly, brain wallets are much better then trying to memorize your private key. If you are memorizing your private key then you must leave your key in some exposed format while you are trying to memorize it. In order for you to see it while memorizing the key it will need to somehow be out in the open. There is also a good chance that you would forget it after some amount of time after not using it. How many times have you forgotten a password that you used to a certain site and had to reset it? Probably a lot.

yes, and to my mind memorizing would be the easy part... typing it out without mistake would really cause an issue and finding the error and not doubting yourself! aha definitely never worthwhile practice!

While you are typing your private key, you would be vulnerable to attacks. If you somehow mistyped it and are trying to figure it out then an attacker knows that some private key that is close to the one you are typing has some amount of bitcoin and could try to use some automated means to find the "correct" private key.