Everything is a brain wallet


Time flies in the cryptocurrency world. I delayed this post about brain wallets for two weeks for personal reasons, and I suppose almost everyone has forgotten the topic by now. I am posting it anyway, as a reminder not to forget to buy and withdraw your coins just because the price has risen a little, and, when you do withdraw to your own wallet, to check it carefully, because in a certain sense all Bitcoin wallets are brain wallets.

If you have not read the series "Brainwallet.org is dead, brain wallets will live forever!", read it first:

  1. http://www.8btc.com/long-live-brainwallet

  2. http://www.8btc.com/long-live-brainwallet-ii

  3. http://www.8btc.com/long-live-brainwallet-iii

Here we pick up from the last test.

Test Results

In the previous article I said three of the addresses held coins; in fact four did. The transaction details are here.

The phrases that generated them are in the comments at the end of that article. A few small deviations (which the cracker himself perhaps did not notice) are:

  1. Some of the quoted passages already contain a space.

  2. Some addresses were generated from the compressed public key rather than the default uncompressed one, so the same private key yields a different address.

  3. The brothel turned into a red building (a one-word substitution in the phrase).

The test lasted exactly one day from the article's publication to the crack. I do not know how long the two users who guessed it spent, but judging by the time it took them to sweep the coins it was more than ten minutes. Although I did try to add some confusion, anyone who follows the rules strictly can recover the phrases programmatically in under a second.

The reason for this experiment is that a year ago I really did generate brain wallets directly from Chinese phrases and store coins in them. Later I found that this little bit of cleverness was useless against brute force, so I moved some of the coins to a brain wallet generated from a Git commit ID combined with personal information. Is that safe enough? The following concept may help you judge.

Information Entropy

Information is an abstract concept. We often say there is a lot of information or only a little, but it is hard to say exactly how much, for example how much information a 500,000-character Chinese book contains. Not until 1948, when Shannon proposed "information entropy", was there a way to measure information quantitatively.

In information theory, entropy is the average amount of information carried by each message received, and it is tied directly to probability: an outcome of probability p carries -log2 p bits of information, and the entropy of a distribution is the expected value of that quantity over all outcomes. Take an "ideal" coin (heads and tails equally likely), flipped independently, each flip yielding heads or tails (0 or 1): one flip has an entropy of 1 bit, and 256 flips have an entropy of 256 bits. Written down as a 256-bit number, that is essentially a perfect Bitcoin private key (strictly, a valid secp256k1 private key must lie between 1 and the curve order n, which is just under 2^256, so a hair less than 256 bits).

For every Bitcoin private key, whether the generation method has enough entropy is the key indicator of its security. However, software random number generators are deterministic functions of their seed: if the seed is weak or the generator is misused, an attacker can reproduce the same private key. Blockchain.info learned this the hard way.

The domestic Bitcoin Wallet team has written a good deal of educational material on this (see Article 1, Article 2 and Article 3). When generating a private key, their wallet asks the user to turn on the camera and microphone and gathers data from the surroundings as extra randomness, so that the generated key has more entropy. (Such inputs are best mixed into the operating system's cryptographic RNG rather than used on their own.)

How much entropy can a brain wallet have? Vitalik Buterin has given the clearest answer. His post "An Information-Theoretic Account of Secure Brainwallets" was translated into Chinese by Babbitt, but the translation has some errors; readers who can should read the original.

Its conclusion is that, given current hardware, 2^80 is the minimum acceptable security level. To reach 80 bits of entropy you need about 17 uniformly random English letters (17 × log2 26 ≈ 80) or about 12 random characters drawn from letters, digits and symbols (12 × log2 94 ≈ 79). Read literally, the suggestions in the previous article, "make the input longer" and "use a larger character set", meet this condition easily.

But can users really be sure that the input they construct is random enough? Unfortunately, that is almost impossible. Bounded by human culture, the words most people can think of are a small subset even of a vast library of books. With hardware getting faster and machine learning getting better at modelling what humans choose, a phrase that is not long enough, or that is too easy to remember, will inevitably be brute-forced.

So entering a string of common words directly as a brain wallet is very unsafe. From this point of view, Brainwallet.org did not die unjustly.
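To make the numbers in this section concrete, here is an added example (not code from the post or from any wallet it mentions) that computes Shannon entropy for a distribution, the entropy of uniformly random strings over an alphabet, the length needed to reach a target such as 80 bits, and a 256-bit private key drawn from the operating system's CSPRNG and checked against the secp256k1 curve order. The 94-character alphabet, the 2,000-word "common vocabulary", and the 10^9 guesses per second attack rate are assumptions chosen for illustration.

```python
import math
import secrets
from collections import Counter

# Alphabet sizes assumed for the discussion above: lowercase letters, and
# letters + digits + symbols (the 94 non-space printable ASCII characters).
LOWERCASE = 26
PRINTABLE = 94

# Order of the secp256k1 group; a valid private key lies in [1, N - 1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def shannon_entropy(probabilities):
    """H = -sum(p * log2 p) in bits. Each outcome contributes -log2 p bits of
    information; entropy is the mean of that over the distribution."""
    return -sum(p * math.log2(p) for p in probabilities if p > 0)


def uniform_string_entropy(alphabet_size, length):
    """Entropy of `length` symbols chosen independently and uniformly from an
    alphabet. This is the best case; a human-chosen phrase never reaches it."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits, alphabet_size):
    """Shortest uniformly random string over the alphabet with >= target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def seconds_to_break(bits, guesses_per_second):
    """Expected time to find a secret of `bits` entropy at a given guess rate
    (on average half the keyspace has to be searched)."""
    return 2 ** (bits - 1) / guesses_per_second


def empirical_entropy_per_char(text):
    """Per-character entropy estimated from single-character frequencies. This
    overstates the true entropy of natural language (it ignores that letters
    predict their neighbours), so it is only an upper bound."""
    counts = Counter(text)
    total = len(text)
    return shannon_entropy(c / total for c in counts.values())


def random_private_key():
    """256 bits from the OS CSPRNG, rejected if outside [1, N - 1]; the
    rejection is what costs the 'hair less than 256 bits' mentioned above."""
    while True:
        k = int.from_bytes(secrets.token_bytes(32), "big")
        if 1 <= k < SECP256K1_N:
            return k


if __name__ == "__main__":
    print("fair coin:", shannon_entropy([0.5, 0.5]), "bit")
    print("biased coin 90/10:", round(shannon_entropy([0.9, 0.1]), 3), "bit")
    print("256 fair flips:", uniform_string_entropy(2, 256), "bits")
    print("17 random letters:", round(uniform_string_entropy(LOWERCASE, 17), 1))
    print("12 random printable chars:", round(uniform_string_entropy(PRINTABLE, 12), 1))
    print("letters needed for 80 bits:", length_for_bits(80, LOWERCASE))
    # A four-word phrase drawn from an assumed 2,000-word common vocabulary.
    print("4 common words:", round(uniform_string_entropy(2000, 4), 1), "bits")
    # How long each lasts against an assumed 1e9 guesses/s (one GPU, SHA256).
    for bits in (44, 80):
        print(bits, "bits at 1e9 guesses/s:", seconds_to_break(bits, 1e9), "s")
    print("private key:", hex(random_private_key()))
```

The contrast worth noticing is the four-word line: a phrase that looks like 25 or 30 characters of text contributes only about 44 bits if its words come from a vocabulary of a couple of thousand, and 44 bits at a billion guesses per second falls in hours, while 80 bits takes on the order of 10^14 seconds.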

Determinism

If brain wallets built directly from common phrases cannot escape untargeted brute force, then a user who "adds personal information" or "encrypts the input" when generating the wallet can, to some degree, produce a very "complex" brain wallet, because this adds some uncertainty from the attacker's point of view.

However, this extra step does not change the nature of the result: the brain wallet is still deterministic. To break such a wallet, an attacker must not only construct the same input but also know the user's processing steps. A personalised attack on one address is usually expensive, but when the price is high and it is clear that the many coins at an address belong to a particular person, targeted analysis and cracking with a bit of social engineering is not unthinkable.

For example, suppose the user computes SHA256("a"), drops the last three hex digits to get ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee4, and uses that string as the passphrase. It looks very complicated, and exhausting a 61-character hex string directly is indeed hopeless. But if the attacker learns, from monitoring logs or browsing history, that the user habitually runs an online SHA256 tool before a transaction, the search collapses to short inputs plus a handful of truncation lengths, and the probability of a successful collision can no longer be ignored.

Users can reduce the chance of being cracked by processing the result further in some way, but that does not solve the problem, it only buries it deeper. The security of the brain wallet then depends not only on the complexity of the user's method but also on whether the user's memory can hold the exact generation steps. The more customised steps you add, the less likely you are to be cracked, but take it from someone who has been there: those cumbersome steps will eventually become the obstacle between you and your own address.

This is the root of the tragedy of every brain wallet. Because it is deterministic, a mapping from your mind to a specific Bitcoin address, anyone who knows your input and your generation method can produce the same private key. Users can do their best to protect themselves, but this original sin hangs like the sword of Damocles over every brain wallet address that holds coins.

It is worth mentioning that although a brain wallet tool cannot escape this fundamental problem, it can mitigate brute force in another way: key stretching. The tool runs a fixed, expensive operation repeatedly when deriving the key, which raises the cost of producing each candidate. A user barely notices the difference between 2 ms and 200 ms to generate an address, but a cracking program is slowed to one hundredth of its speed. Note that stretching adds no entropy; it multiplies the attacker's cost by a constant, which is worth a few extra bits, not a new class of security. Interested readers can try WarpWallet, provided by Keybase.io. (I seem to have Keybase.io invitations; 10 mBTC each, interested readers can message me, haha.)
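The following added example (my code, not the post's and not WarpWallet's or Brainwallet.org's) puts the last two points side by side: the classic SHA256 derivation, the "hash then truncate" habit from the example above, an untargeted dictionary attack that misses it, a targeted attacker who has learned the habit and enumerates the truncation length, and a key-stretched derivation using scrypt whose guess rate can be compared against plain SHA256. The wordlist is constructed, the truncation routine is my reading of the example rather than any real tool's algorithm, and scrypt's cost parameter is deliberately tiny so the demo runs in well under a second.

```python
import hashlib
import time

# Constructed wordlist standing in for the "common phrases" an attacker tries
# first; real cracking lists hold hundreds of millions of entries.
WORDLIST = ["password", "correct horse battery staple", "bitcoin", "a",
            "satoshi", "hello world", "letmein", "brainwallet", "qwerty",
            "to be or not to be"]


def classic_key(passphrase: str) -> bytes:
    """Brainwallet.org-style derivation: private key = SHA256(passphrase)."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def habit_key(passphrase: str, drop: int = 3) -> bytes:
    """The 'clever' step from the text, as I read it: hash the phrase, write
    the digest as hex, drop the last `drop` hex characters, and use that
    string as the brain-wallet passphrase (a hypothetical user habit)."""
    digest_hex = hashlib.sha256(passphrase.encode("utf-8")).hexdigest()
    shortened = digest_hex[:-drop] if drop else digest_hex
    return classic_key(shortened)


def stretched_key(passphrase: str, salt: bytes = b"", n: int = 2 ** 12) -> bytes:
    """Key-stretched derivation with scrypt. n=2**12 (4 MB) keeps the demo
    fast; real tools use a far larger cost, which slows the attacker by the
    same factor it slows the user."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=n, r=8, p=1, dklen=32)


def crack(targets, derive, candidates):
    """Untargeted dictionary attack: derive a key for every candidate and look
    it up in the set of keys being hunted. Returns {key: passphrase} for hits."""
    wanted = set(targets)
    hits = {}
    for phrase in candidates:
        k = derive(phrase)
        if k in wanted:
            hits[k] = phrase
    return hits


def crack_with_habit(targets, candidates, max_drop=5):
    """Targeted attack by someone who has learned the user's habit: enumerate
    the truncation length as well. The 61-hex-character 'passphrase' collapses
    to len(candidates) * (max_drop + 1) guesses."""
    wanted = set(targets)
    hits = {}
    for phrase in candidates:
        for drop in range(max_drop + 1):
            k = habit_key(phrase, drop)
            if k in wanted:
                hits[k] = (phrase, drop)
    return hits


def guess_rate(derive, candidates):
    """Guesses per second for one derivation function on this machine."""
    start = time.perf_counter()
    for phrase in candidates:
        derive(phrase)
    return len(candidates) / (time.perf_counter() - start)


if __name__ == "__main__":
    victim = habit_key("satoshi")                   # the user's 'complex' wallet
    print(crack([victim], classic_key, WORDLIST))   # {} : naive attack misses it
    print(crack_with_habit([victim], WORDLIST))     # recovers ("satoshi", 3)
    print("SHA256 guesses/s:", int(guess_rate(classic_key, WORDLIST * 100)))
    print("scrypt guesses/s:", int(guess_rate(stretched_key, WORDLIST)))
```

Run it and the two rates show what stretching buys: a constant factor of a few thousand here, and more with production parameters, applied equally to the legitimate user and to every candidate the attacker tries. What it does not do is rescue "satoshi": the targeted attacker still finds it in sixty guesses, only more slowly.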

Everything is a brain wallet

Since the root of the brain wallet problem is a deterministic seed that maps one way to a key, can a non-deterministic generation algorithm solve it?

The answer is both yes and no.

Yes, from a cryptographic point of view: by drawing random variables from the user's environment, an attacker who knows the algorithm still cannot reproduce the environment in which the user generated the key, and so cannot break it. But no matter how vast the space of Bitcoin addresses, once the user settles on the address to use, the private key is fixed and cannot be changed. In the end, every Bitcoin private key is a definite value.

If the private key obtained by typing a phrase into Brainwallet.org is a brain wallet in the traditional sense, then a brain wallet in the broad sense is any way a user regains control of a private key through memory. In fact, every Bitcoin private key in use must pass through the user's mind before it can be unlocked.

Don't believe it? Let's go through the cases:

I use a randomly generated wallet from Bitcoin Core.

You still need to remember the password you used to encrypt wallet.dat, and you need to back up the file regularly and remember which folder it is in.

I use an address generated offline by Electrum.

It asked you to make a backup, right? Those dozen random words are generated the way I described in my last post, and you not only have to write them down but also remember which software generated them so that you can re-import them.

I use a private key generated by Vanitygen.

Do you keep the private key in your head or in a notebook? Is it encrypted with BIP38? Did you write down the encryption password?

I use a hardware wallet with fingerprint recognition, so I don't need a password at all!

You still need to remember which hardware wallet you use, where it is, and which finger you enrolled...

All my bitcoins are on an exchange, and I don't even know the Bitcoin password!

In fact, the bitcoins on an exchange no longer belong to you; what you hold is an IOU from someone else. Go download a Bitcoin wallet and keep your own coins!

So although each Bitcoin private key is only a few dozen characters, its storage medium and the way it is retrieved vary enormously from user to user.

Humans are much better at managing physical media than digital information. Often it is enough to print the private key on paper and lock it in a safe; managing the key then reduces to remembering where the paper wallet is. This physical isolation protects the key from brute force, since hackers are unlikely to break into your house. But besides being less convenient to use, it adds the burden of backing up and maintaining the key; neglect that, and a fire or flood takes the bitcoins with it.

By now every reader should understand that there is no one-size-fits-all way to store Bitcoin. A traditional brain wallet is convenient for you but gives hackers an opening; an address generated by software cannot be used quickly when needed and may be destroyed by natural or man-made disaster.

So what matters more is choosing a custody method that fits the characteristics of each way of storing coins.

  1. For small amounts used day to day, use a mobile wallet with randomly generated addresses, but do not forget the payment password.

  2. For large amounts held long term, generate addresses with software in an offline environment, but do not forget to back up the storage location.

  3. For coins not needed now but expected to be needed in some emergency, a brain wallet can be used to generate and store them. Remember, however, to obfuscate the input, add personal information, and use a tool such as WarpWallet that performs many rounds of computation to raise the cost of cracking.

  4. If possible, use a multi-signature address. I use a private key generated from a brain wallet to build a multi-signature address for storage, but unfortunately I have not found software that lets me import a multi-signature RedeemScript myself.

Having written this far, I can finally answer the title of this series: Brainwallet.org is dead, but brain wallets live forever. Remember how you manage every Bitcoin address, because no one but you can reproduce it.

