I noticed, that the BIP39 tool available at https://iancoleman.io/bip39/ recently started showing a crude splitting option for a seed. For example the 24 word seed:
comic giraffe honey midnight trim state
oppose glove lunch steel bright bless
soap garage mandate air lava board
voyage traffic feed stem mandate noble
can be split into 3 "cards" that are:
Card 1:
XXXX giraffe honey midnight trim XXXX oppose XXXX
lunch steel bright bless XXXX garage mandate XXXX
lava board XXXX traffic XXXX XXXX mandate noble
Card 2:
comic XXXX honey midnight trim state XXXX glove
XXXX XXXX XXXX XXXX soap XXXX mandate air
XXXX board voyage traffic feed stem mandate noble
Card 3:
comic giraffe XXXX XXXX XXXX state oppose glove
lunch steel bright bless soap garage XXXX air
lava XXXX voyage XXXX feed stem XXXX XXXX
The site then claims, that cracking the seed, if the attacker is in possession of only one of these cards takes 3830854 years. Unfortunately there's no explanation on how Ian Coleman arrived at this conclusion.
My understanding is, that such a 24 word seed represents 256 bits of entropy. Any 8 words would thus be equivalent to 256/3 = 85 bits of entropy. Now 85 bits of entropy isn't particularly much. So how can the time to crack a seed with only one card, which is then missing only 8 words to be completed, take 3830854 years?
Notice: this is not the Shamirs Secret Sharing Scheme using BIP39 words, developed by the company that also develops the Trezor hardware wallet. This here is simply splitting the seed into 3 chunks.
EDIT: The math seems to be as follows:
85 bits of entropy means there are 2^85 possibilities, that's 38685626227668133590597632.
3'830'854 years is 117'830'939'673'600 seconds.
So 38685626227668133590597632 / 117'830'939'673'600 is 328'314'671'297.
That means, Ian Coleman assumes, that an attacker can make at most 328 billion guesses per second. Is that realistic?
EDIT 2
I did some testing. To get a ballpark estimate of how long the key stretching used in BIP32 takes, I tweaked gpg in symmetric mode to get it to take about 1 second to encrypt a file:
time gpg --batch -v --output test-file.txt.gpg --symmetric --cipher-algo AES256 --s2k-mode 3 \
--s2k-digest-algo SHA512 --s2k-count 54930000 --passphrase-file ./keyfile.key test-file.txt
I'm running that on a an 8 year old Intel Core i5 that I manually clocked down to a maximum cpufreq of 1.199 GHz.
The key stretching used here in gpg does roughly 30'000 more rounds than used in BIP32 (that's the --s2k-count option).
This means, ballpark, my system can try out 30'000 seeds per second.
That means it would take 2^85 /30000 / 60/60/24/365 = 40890438681367 years to test all possible combinations if I have only one card.
Granted, my system is very anemic. If I want to have 100 years of security, how much faster is the attackers system allowed to be? Asking WolframAlpha because I'm lazy: 2^85 /x / 60/60/24/365 = 100; solve for x comes out to be
12'267'131'604'410'240.
Even if you cut that in half again, because on average the attacker will find the missing words after having searched through 50% of the search space, that's still a big margin.
Add to that, that the attacker also has to do some additional hashing to actually get an extended private key and addresses, in addition to looking up if the produced address holds a balance, makes me a little more confident, that this scheme is relatively safe.
[link] [comments]
No comments:
Post a Comment