If you follow us on Twitter you might have noticed the tweet where we put together a puzzle and invited our followers to play. The prize was 1 million satoshi (0.01 BTC) waiting to be swept by anyone who managed to solve it first.
😍There's 1 million Non-KYC sats (0.01 #Bitcoin ) buried in this image waiting to be swept. 😍
Retweet to receive a DM with instructions on where to look and start playing 🧐🧐🧐.
Don't forget to enable Twitter DM first (in case you have it disabled).
There’s 1 million Non-KYC satoshis (0.01 BTC) buried in this image in a single P2PKH address waiting to be swept. They’re protected by a single private key which is hidden in this image somewhere. Are you able to find it ?
Hurry up because they’re not going to sit there forever.
When you manage to find and sweep the BTC, reply to the original tweet describing how you did it and how long it took.
Good luck! 🙂
What is it?
The image features 3 metal wallets from our recently released Coldbit Steel – 3x System Shock Bundle. You can use these Coldbit Steel wallets as a backup for your Bitcoin seeds. They’re made of stainless steel, they’re extremely heat and corrosion resistant. Ideal for long term, cold storage of your most valuable Bitcoin stash in geographically distributed locations.
Coldbit Steel – 3x System Shock Bundle
3 Coldbit Steel metal wallets
you save 50 EUR
each wallet stores up to 24 words (each word up to 8 letters)
extra line that can store up to 16 letters for Wallet ID
each of the 3 wallets has 2 stainless steel plates – heat and corrosion resistant (AISI 304)
4mm thick stamping plates and 2mm thick covers
2 nickel binding posts (countersink hole on the back – the wallet lays flat on the table)
no loose parts
3 metal boxes for convenient storage
1x testing plate and a jig to practice stamping and provide support
Solving the puzzle started at around 11 AM CEST. To be honest we expected this puzzle to be solved in less than 2 hours but to our surprise 4 hours had passed and the coins were still there unclaimed.
4 hours have passed and the funds are still $SAFU and no one managed to sweep it yet. Surprising and interesting. The expectation was this wouldn't last that long.
As more and more people joined we started receiving questions about the way this puzzle was constructed.
At at 5:45 PM we sent out a hint:
Is this an actual puzzle or a scam? You can verify yourself using bitcoin-cli verifymessage "1Q7QWSMhQWdJ46o6MRPdtr7FLaDbwpaShq" "H2qVLGDMR8JdAsi32LM+9hcYUzATf15UTukMt2mU8Z9ZT9MoAZggOyLekKeBKA/s3yvop+gx/vK36h483nxfPO0=" "Coldbit Steel"
the public address containing 1 million sats 1Q7QWSMhQWdJ46o6MRPdtr7FLaDbwpaShq
the signature confirming that we knew the private key for this address and that this was an actual puzzle and not some crypto Twitter scam
Knowing the public address would make solving this puzzle somewhat easier because one wouldn’t have to scan the entire pool of unused outputs looking for just one special P2PKH address containing 0.01 BTC matching our private key.
Steganography
The other common dillema was whether the solution relied on steganography. Steganography is the practice of concealing a file, a message, image, or video within another file, message, image, or video. In other words was the private key protecting this address concealed somewhere in the binary stream of the image ?
Questions about steganography started popping up, the others were focused on tiny parts of the image thinking the answer is hidden in a tiny area. We didn’t want the players to waste more time figuring out fancy steganographic tools or using magnifying glasses so we tweeted some more hints:
Tip 2: You don't need PNG/JPEG hex viewer to find it.
“Call me Ishmael” is an opening line from Herman Melville’s novel “Moby-Dick”. It’s also the title of a blog post by BitMEX Research describing the exact same brainwallet setup used in this puzzle. You could find this blog post by searching for “Call me Ishmael Bitcoin” using your favourite search engine.
The reasoning behind giving out this hint was directing the players towards the exact wallet setup we used instead of letting them wonder about BIP39, wordlists, BIP32 and dozen other ways a Bitcoin wallet can be constructed.
There was another, subtle hint that this was a brainwallet setup:
wouldn’t guarantee solving this because “Some secret passphrase” was still unknown at this point. Obviously the answer was staring at you from the image, it only took your eyes, a clear head and some basic knowledge about P2PKH address construction to find it 🙂
We love solving puzzles and Bitcoin is a perfect tool for constructing and solving them. Follow us on Twitter if you’d like to play next time we announce something similar. Hopefully you learned a thing or two reading this walk-through. Below are some resources you might find interesting to learn to be better prepared not just for solving puzzles but for making decisions and understanding the pros and cons of your specific wallet setup in general and brainwallets in particular. Personally we don’t use brainwallets, they’re not secure but they are an excellent substrate for constructing puzzles fun and engaging puzzles! 🙂
If you own a Trezor wallet (either Trezor One or Trezor Model T) chances are you’ve used the official web wallet. When you use wallet.trezor.io your xpubs are sent to the third party servers (in this case servers owned and operated by Satoshi Labs). This is not ideal because, although I don’t imply SL do nefarious things with your data, it’s possible at some point they can be coerced by The-Powers-That-Be to release this data at which point your privacy might be in danger.
In this short guide I’ll present an alternative way of using either of the Trezor hardware wallets in such a way that it doesn’t leak your private data to third parties. I think very few Trezor owners know about the method presented in this guide. According to my rough guesstimates 99% of Trezor owners either use the offical web wallet for both initial setup and subsequent transactions or use the web wallet for initial setup (leaking their xpubs) and then switch to using something like Electrum.
Benefits of this method:
You don’t leak your past and future transaction history and your balance to any third party (your xpubs stay private)
You can generate addresses offline without any Internet access (provided the tool is already setup on your computer)
You can generate any type of the address be it a legacy address (1…), a P2SH-wrapped-segwit (3…) or a native segwit (bc1…). You’re not limited to the functionality of the web wallet.
If wallet.trezor.io ever gets compromised or shut down you’ll still be able to use your Trezor hardware device
Things you’ll need:
1x Trezor One or Trezor Model T + USB cable
A laptop/PC running Linux/Mac OS (or Windows if you can setup Python on it and run a terminal)
A piece of paper and a pen
0.5 hour of free time
WARNING: It’s best to go through this guide using a wiped device. The point is to start using a wallet that no third party knows about. Make sure you have your seed, your passphrase and your PIN backed up before starting this guide. If you already have coins on your Trezor it’s best to either recover them using a different BIP39 compliant wallet or send them to another wallet so that you can transfer them later to your freshly and privately setup Trezor.
Step 1 – trezorctl
Begin by installing trezorctl. The link contains detailed setup instructions for every major operating system. Then proceed to learn about various commands that are available:
$ trezorctl --help
$ trezorctl device --help
$ trezorctl btc --help
Step 2 – verify the connection
Connect your Trezor to your laptop via the USB cable. If your device is not wiped it’ll ask you for a PIN. Enter it to unlock the device. Check that the link between your laptop and Trezor is working properly by issuing the following in a terminal:
$ trezorctl ping hello
hello
Step 3 – wipe the device
WARNING: It’s best to go through this guide using a wiped device. The point is to start using a wallet that no third party knows about. Make sure you have your seed, your passphrase and your PIN backed up before starting this guide. If you already have coins on your Trezor it’s best to either recover them using a different BIP39 compliant wallet (eg. Electrum) or send them to another wallet so that you can transfer them later to your freshly and privately setup Trezor.
$ trezorctl device wipe
Before wiping it clean make sure you can recover your coins on a different wallet.
Step 4 – Setup new seed
The gist of this guide – setting up new seed privately without leaking its xpubs to a third party:
You have a few options here. I’ll go through the most important ones:
–strength 128|192|256 – this is the length of the private key in bits. The longer the key the more words in the seed. 128 bits corresponds to 12 words in a standard BIP 39 wallet. 256 to 24 words. If you use Shamir Secret Sharing 128 will give you 20 words and 256 will give you 33 words per share. Bear this in mind when deciding on th backup method you want to use. 128 bits is secure and makes backup (especially by stamping on metal) easier. When in doubt pick 128 bits
–passphrase-protection – whether or not the wallet should ask for a passphrase. Recommended
–pin-protection – Whether or not the device should setup a new PIN
–backup-type single|shamir|advanced – Besides a simple type which gives you a single list of mnemonic words to backup you have the option to pick a shamir backup and advanced (shamir with groups) backup. When in doubt pick single but learn more about Shamir Secret Sharing before deciding because it’s a great way to increase the security and recoverability of your backup.
To recover the seed you’ll need any 3 of the 5 shares.
Write down the mnemonic words for each share on a piece of paper.
Step 5 – Generate receive addresses
Once you setup a new seed you can generate some receive addresses. Because you’re controlling the device directly you have some options here that aren’t available using the web wallet:
You can generate a Bech32 (native segwit):
You can use custom derivation paths for your addresses and display xpubs for any given path
Let’s generate a first Bech32 address now. But before we do that brief explanation on how BIP32 derivation paths work.
Derivation paths are specified in BIP32 and BIP44. We define the following 5 levels in BIP32 path:
The purpose level determines the further structure beneath this node. For example if we want to use legacy address types (beginning with 1…) the purpose level is set to 44' meaning the levels are defined in BIP44. The apostrophe means hardened derivation is used at this level.
If we want to use P2WPKH-nested-in-P2SH address types (beginning with 3…) the purpose level is set to 49'
If we want to use P2WPKH (native segwit, addresses beginning with bc1…) addresses the purpose is set to 84'
coin_type is always set to 0 for Bitcoin.
account – corresponds to “Accounts” in the web wallet (you can have multiple accounts on a single wallet). 0 corresponds with Account #1 in web wallet, 1 with Account #2 and so on
change – 0 means “default receive addresses” and 1 means “change receive addresses”.
address_index – index (starting from 0) of a generated address
Knowing all the above we should be able to generate different address types now.
First legacy address:
$ trezorctl btc get-address --address "m/44'/0'/0'/0/0" --script-type
Please confirm action on your Trezor device
Passphrase required:
Confirm your passphrase:
1CEmanepxWEdJC2LBhFvdhWrPHzbTxfW6V
P2SH-wrapped-segwit address:
$ trezorctl btc get-address --address "m/49'/0'/0'/0/0" --script-type p2shsegwit
Please confirm action on your Trezor device
Passphrase required:
Confirm your passphrase:
3K1VvtdaSMZhZ48mW2Pe5XEayKy9xDUDuh
Native segwit (Bech32) address:
trezorctl btc get-address --address "m/84'/0'/0'/0/0" --script-type segwit
Please confirm action on your Trezor device
Passphrase required:
Confirm your passphrase:
bc1q3ga68qn3pywxa72vqzytdrv0qd0wm865ene4aj
To generate subsequent addresses you increment the last number. For example to generate a second native segwit address use:
How do we know that the addresses we generated are compatible with other wallets (follow the HD standard defined in BIP32 and related BIPs)? We can export the public key of our wallet (so called xpub) and use this in a different wallet to check that the addresses we just generated match.
Let’s export the public key of your Trezor (the so called xpub) for legacy addresses:
The derivation path follows until all the hardened levels are exhausted and only non-hardened levels are left (default or change address type and the address index) so that we can derive all the available addresses from these levels.
Once we have the xpub we have to import it into a watch-only wallet. The easiest way would be to import it into something like Samourai Sentinel or BlueWallet or Electrum in read-only mode. But doing so leaks your xpub to third parties which we wanted to avoid in the first place. We’re going to use a different approach that doesn’t rely on third party servers but instead on your own Bitcoin node.
Output descriptors
Recent versions of Bitcoin Core support output descriptors which is a handy way of describing the types of addresses and derivation paths we use in our wallet (Trezor in this case).
This is a simple, 2 step process that consists of running two bitcoin-cli commands:
bitcoin-cli getdescriptorinfo
bitcoin-cli deriveaddresses
The first command analyses an output descriptor and calculates its checksum. The second command derives addresses based on the descriptor and its checksum.
You can see that the first derived address 1CEmanepxWEdJC2LBhFvdhWrPHzbTxfW6V matches with the address generated using trezorctl earlier for this legacy address type. It’s safe to send to this address now. Let’s check the second address:
$ trezorctl btc get-address --address "m/44'/0'/0'/0/1" --script-type address
Please confirm action on your Trezor device
Passphrase required:
Confirm your passphrase:
13UtN7MfqyvUUijUAM4cGGrRnwMZfyUSNX
P2SH-wrapped-Segwit
If you export the xpub of your P2SH-wrapped-Segwit address types it becomes an ypub. I’m not going to dive into why we have xpubs, ypubs and zpubs and where they came from. Suffice to say that xpubs in general refer to legacy addresses (1..), ypubs to P2SH-wrapped-Segwit (3…) and zpubs to native Segwit (bc1…). You can read more about the different types and their purpose here.
Bitcoin Core understands only xpubs so before importing we have to convert this ypub into an xpub. We can use this tool in offline mode (save the page locally, disconnect the Internet and then open the saved page in your browser). If you want you can write your own terminal tool that does the conversion. It’s not difficult, the source code is here. All you need is a Base58 encoding library in your favourite programming language and 1 function.
After conversion our ypub becomes xpub6DM7PEfPHhKVgJTPJtXgVvPGgxXEg2RAiSMY12xNfyQh9Nwt3vyBbn9JDJGypaepGvovyNTjMour7DjpUbgpJKYUZoyPEncHKKBBucqRZEs
This crucial step is often overlooked by Bitcoin users. They often rely on pieces of paper (which can be destroyed or lost quite easily). A much more robust solution is to use a piece of stainless metal that can withstand extreme temperatures, floods and weather as a backup material of your seed.
We offer a range of products aimed at Bitcoin users who would like to securely and privately backup their seeds, passphrases, PIN codes etc. on stainless steel or titanium.
If you’ve followed this guide and find Shamir Secret Sharing Scheme useful in your situation we have a special line of products designed just for that:
Coldbit Hex – 3x Bundle
Coldbit Hex – 3x Bundle
A great addition to your 2-of-3 Shamir Secret Sharing Scheme. Let’s you stamp your shamir shares on 3 different steel/titanium rods and store them in separate geographical locations. Such a setup increases the security and recoverability of your funds tremendously.
Coldbit Hex – 5x Bundle
Coldbit Hex – 5x Bundle. No compromise setup.
No compromise setup for serious, self-sovereign individuals at an affordable price.
Wiping your Trezor
This step is optional but recommended for increased security of your funds and smaller attack vectors. The idea is to wipe your Trezor after you’ve backed up your seed/passphrases and PINs in multiple locations in order minimise the attack surface on the device itself. Trezor is vulnerable to seed extraction provided physical access is possible so wiping your Trezor mitigates this and a whole bunch of other attack types. Remember: The best hardware wallet is a wiped hardware wallet.Make sure your seed is backed up safely and that you can in fact recover your seed before wiping the device!!!
The only drawback of wiping your Trezor after setting it up is that you cannot sign transactions with a wiped device (obviously), you have to recover it first using the backup (and wipe again after use). This method is recommended for a portion of your coins that don’t move very often.
Summary
The method presented above lets you generate receive addresses on your Trezor completely offline, without any Internet access and without leaking your transaction history and balance to any third party. You have total control on the type of addresses generated and you can verify that they are correct by using your own Bitcoin node.
Sending transactions privately requires a few more things. It’s a topic for a future blog post. If you want to learn more about Bitcoin wallet/key security and best practices for safe storage sign up to our newsletter below:
There are essentially four types of mnemonic seed phrases used in Bitcoin:
BIP39
Electrum
Shamir Shares (SLIP39)
LND (AEZEED)
Why do they exist? What makes them different from each other? Can we identify them easily? In this short guide we’ll try to address these questions.
BIP39 mnemonic seed stamped on Coldbit Steel
What’s the purpose of mnemonic seed phrases?
The main purpose of mnemonic seeds is to convert a very large number (a private key) into a human readable form which can be copied and backed up by humans without using electronic devices. Why is it important? Well, electronic devices and especially Internet connected devices can be hacked into more easily than physical seed backups (for example paper or metal). Internet connected devices and storage enable remote attacks and physical backups require physical access and are much harder to perform.
Electrum uses 2 seed formats. The “old” version from circa 2011 to circa 2014. Starting with version 2.0 Electrum uses a “new” seed format.
Electrum old seed format (Electrum versions prior to 2.0): The wordlist contains 1626 English words. There is some overlap between this list and the BIP39 wordlist but they’re not the same This format uses bidirectional encoding between seed phrase and entropy. “Bidirectional” here means that you can turn binary entropy into a mnemonic and vice-versa. This format doesn’t use a checksum. Current versions of Electrum can still recognise this format and import such wallets (the process is automatic upon entry of the seed).
Electrum new seed format: Starting with Electrum version 2.0 it introduced a new seed format, the “Seed Version System” to fix some of the perceived shortcomings of BIP39. This format derives keys and addresses from a hash of the UTF8 normalised seed phrase with no dependency on a fixed wordlist. Even though it doesn’t depend on a fixed wordlist it uses the same 2048 English wordlist as BIP39. Another distinctive feature of this format is the version number encoded in the seed. The purpose of the version number is to enable forward compatibility with future releases of the wallet. The version number also encodes the type of output addresses (Legacy, P2SH-Segwit, Native Segwit) , network (mainnet or testnet) used and whether it’s a single or a multisig wallet which makes future recovery easier. The full description of this format is here.
Shamir Secret Sharing aka SLIP39
In 2019 SatoshiLabs released a seed splitting format codenamed SLIP39 based on the idea of secret sharing published by Adi Shamir in 1979. The main purpose of this format is the ability to encode the seed in N lists of words in such a way that to recover the seed only M number of shares is required (where M <= N). It’s a threshold seed splitting scheme where one can encode the seed in for example 3 different shares (seed phrases) where only 2 shares are required to recover the seed. Up to 16 shares are supported.
This encoding scheme supports a robust checksum based on Reed-Solomon code that guarantees detection of any error affecting at most 3 words and has less than a 1 in 10^9 chance of failing to detect more errors. Like BIP39 it also supports an optional passphrase for extra protection/multi account setups.
This format doesn’t support versioning. The wordlist contains 1024 English words. The typical mnemonic seed length is 20 words. 33 words are also possible but no hardware wallet currently supports it. Trezor Model T uses 20 words.
LND (AEZEED)
Neither BIP39 nor the Electrum format was robust enough to cover the needs of the Lightning Network Daemon developers who created a new format in 2018. The main reasons against using BIP39 were:
lack of versioning (so future versions of the wallet may not necessarily know how to derive all the required addresses)
lack of wallet birthday (so wallets may not know how far back to look in the chain)
And so LND AEZEED was created. It is a versioned scheme which encodes a birthday. It supports an optional passphrase and uses the same BIP39 wordlist. The mnemonic seed phrase is 24 words long.
Interestingly no other Lightning Network wallet uses AEZEED format. For example Eclair uses BIP39 and C–Lightning uses Bitcoin Core built-in wallet.
There are a few interesting properties of AEZEED which are worth mentioning:
The mnemonic itself is a cipher text, meaning leaving it in plaintext is advisable if the user also sets a passphrase. This is in contrast to BIP 39 where the mnemonic alone (without a passphrase) may be sufficient to steal funds.
A cipherseed can be modified to change the passphrase. This means that if the users wants a stronger passphrase, they can decipher (with the old passphrase), then encipher (with a new passphrase). The end result is the users upgraded the passphrase but uses the same HD key path as before (same wallet addresses). Compared to BIP 39, where if the users used a passphrase, since the mapping is one way, they can’t change the passphrase of their existing HD key chain (changing the passphrase in BIP39 generates a completely new HD key chain and thus addresses).
The downside of the above is you can’t use multiple passphrases with a single mnemonic (like you can with BIP39). Using a new passphrase in AEZEED creates a new mnemonic because the passphrase is used to encode the final mnemonic. In BIP39 the passphrase is used only in the final step of turning the mnemonic into binary seed.
SUMMARY
Direction
Default length
Wordlist
Passphrase
Used since
BIP39
Unidirectional
12 or 24 words
2048 words
Optional
2013
Electrum (old seed)
Bidirectional
12 words
1626 words
None
2011-2014
Electrum (new seed)
Unidirectional
12 words
BIP39 wordlist
Optional
2014
Shamir Secret Sharing (SLIP39)
Bidirectional
20 words
1024 words
Optional
2019
LND (AEZEED)
Bidirectional
24 words
BIP39 wordlist
Optional
2018
Does it mean having a mnemonic seed might not be enough to recover a Bitcoin wallet?
Correct. In some cases having just a 12 or 24 word seed might not be enough to recover a wallet. You may not remember which wallet you used to create the seed so recovering may mean trying out a few different combinations and formats. Hopefully the list above will guide you.
Coldbit Steel has it covered
Regardless of which type of mnemonic seed you use, our metal wallet Coldbit Steel can backup them all. It provides space to stamp up to 24 words on a 4mm thick stainless steel plate and a line to stamp the wallet ID. The wallet ID can be a name of the wallet used to generate the seed (eg. Mycelium).
Additionally on the back of the 2mm cover plate there’s space to stamp some of the metadata above to enable easier recovery in the future. The data includes:
Type of mnemonic seed (BIP39, Electrum or LND)
Whether the seed it’s passphrase protected
Types of output addresses used (Legacy, P2SH-Segwit or Native Segwit)
Whether the seed is part of a multisig setup or a Shamir share.
Coldbit Steel is the only metal wallet currently available on the market that lets you record this metadata along with the main seed, securely stamped in waterproof, fireproof and acid proof stainless steel and can even withstand 20 tonnes of pressure and store safely for decades.
Coldbit Steel – Spiderweb
In addition to the main seed backup each wallet comes with a passphrase backup on a stainless steel, hex rod which can store up to 6 passphrases (each up to 4-6 words long):
Coldbit Passphrase
If you want to learn more about Bitcoin wallet/key security and best practices for safe storage sign up to our newsletter below:
In a recent post about BIP-39 I described how mnemonic sentences in the context of Bitcoin work and what makes them secure. 128 or 256 bit cryptography is considered secure and unbreakable now and for the foreseeable future. It’s the basis on which Bitcoin wallet security depends on. Can the same thing be said about the optional BIP-39 passphrase, the so called 25th word ? Let’s find out.
make it more difficult to steal your funds in case your seed words get compromised
have multiple accounts in your wallet (each passphrase corresponding to a separate account)
pass on the Bitcoins to the relatives after your death
Then I stumble upon your BIP-39 mnemonic backup stashed in your office drawer, import it into a new Electrum wallet, check the wallet balance but none of the addresses have ever been used. I know you have some Bitcoins though because I also happen to know your Twitter handle, check your tweets and see many references to “HODL” and “TO THE MOON”. I assume you must be using a BIP-39 passphrase.
The question then arises: “How easy is it to crack this extra passphrase?” and “What makes a good, hard to crack passphrase?“
While looking for answers I did some research and found some answers although they seemed a bit vague:
Here’s a page from Trezor’s wiki describing multi-passphrase encryption, the $5 wrench attack and example passphrases: “lonelypumpkins” and “funnyspirit“. – how good are such passphrases (2 English dictionary words)?
What does it mean a complex passphrase exactly? We can do some research ourselves by looking at the BIP-39 spec but this time we start where we finished last time:
The last step of BIP-39 is creating the actual binary seed which is then used as a master key in BIP-32 deterministic wallet or using other methods.
To create a binary seed from the mnemonic, we use the PBKDF2 function with a mnemonic sentence (in UTF-8 NFKD) used as the password and the string “mnemonic” + passphrase (again in UTF-8 NFKD) used as the salt. The iteration count is set to 2048 and HMAC-SHA512 is used as the pseudo-random function. The length of the derived key is 512 bits (= 64 bytes).
The passphrase is used in the final step of the BIP-39 key derivation process. It uses Password-Based Key Derivation Function 2 to turn the mnemonic sentence (the 12 or 24 seed words) + an optional passphrase into a binary seed. Below is a quote from Wikipedia describing the input parameters and the operation of this function (scroll down for a simpler explanation of PBKDF2):
Having a salt added to the password reduces the ability to use precomputed hashes (rainbow tables) for attacks, and means that multiple passwords have to be tested individually, not all at once. The standard recommends a salt length of at least 64 bits.[6] The US National Institute of Standards and Technology recommends a salt length of 128 bits.
The PBKDF2 key derivation function has five input parameters:
DK = PBKDF2(PRF, Password, Salt, c, dkLen)
where:
PRF is a pseudorandom function of two parameters with output length hLen (HMAC-SHA512 in BIP-39)
Password is the master password from which a derived key is generated (mnemonic words)
Salt is a sequence of bits, known as a cryptographic salt (BIP-39 passphrase)
c is the number of iterations desired (2048 iterations in BIP-39)
dkLen is the desired bit-length of the derived key (512 bits)
DK is the generated derived key
A simpler explanation of PBKDF2 is this: It’s a cryptographic function designed to turn some password and an optional passphrase (salt) into a cryptographic hash. This function is designed to run slowly (think 2048 times slower than a single invocation of HMAC-SHA512 in the context of Bitcoin). In the case of BIP-39 final key derivation this is the gist of what PBKDF2 does: it runs HMAC-SHA512 2048 times. This is the only thing that we need to keep in mind for now.
BIP-32 (Hierarchical deterministic wallet)
Once we run PBKDF2 on our mnemonic sentence + a passphrase we end up with a key. This key is then used as a seed to BIP-32 private/public key generation. I’m not going to dive into the details of BIP-32 here, suffice to say that the cost of generating private/public keys and associated addresses and checking them against a database of addresses ever used is negligible compared to the PBKDF2 function above.
Classes of attack
Let’s define a few classes of attack. Each class represents the level of attack on BIP-39 passphrase and requires more and more expensive hardware.
Class A (10,000 hashes/s): My laptop can run about 500 PBKDF2-HMAC-SHA512 hashes per second on a single CPU core. Let’s assume I can run it on all 8 cores and get 4000 hashes/s and I have 2 laptops.
Class B (1,000,000 hashes/s): GeForce GTX 1080 can run approx. 240,000 hashes/s. We have a few gfx cards at our disposal for this kind of attack.
Class C (100,000,000 hashes/s): Hypothetically we can assume cracking BIP-39 passphrases will be profitable in the near future and some company will create a specialised ASIC just for this purpose. Let’s assume it will be 10x faster than the GFX card above so roughly 2,4M hashes/s. A typical attacker will own a few such specialised devices.
Class D: (1,000,000,000 hashes/s): A supercluster of ASIC (like a mining pool but for cracking PBKDF2-HMAC-SHA512)
It’s worth mentioning that no devices of Class C or Class D exist today. It’s possible that such devices might appear one day though so we need to keep this in mind when deciding about the length of our passphrase we want to use.
BIP-39 passphrase cracking times
Let’s consider a few typical dictionaries and charsets people use when generating passwords in general and BIP-39 passphrases in particular:
Alphabet (either upper or lower case letters) – 26 characters
Alphanum (either upper or lower case letters + numbers) – 36 characters
Let’s bear the following in mind:
An attacker doesn’t know what dictionary/charset you used for your passphrase. He/she may start with the easiest dictionaries/combinations (for example 1 or 2 word dictionary lookups) and then move on to more difficult strategies. The actual time it takes to crack your passphrase might be longer than the time given in the tables below.
On the other hand on average it’ll take half the time given in the tables below for an attacker to obtain the correct passphrase
A general formula for calculating passphrase entropy in bits is log2(no_of_combinations). So for example log2(2048^2) = 22 bits of entropy. Recollect that the PKCS standard recommends a salt length of at least 64 bits.
PBKDF2 weakness (optimisation)
Andrea Visconti, Simone Bossi, Hany Ragab an Alexandro Calò published a paper called “On the weakness of PBKDF2“. The gist of it is that there are a few optimisations in PBKDF2 that can be implemented and the whole scheme gets optimised. The authors mention 50% optimisation in the first case. So we can bear this in mind when reading the cracking times below. (Eg. We can assume the actual optimisation will in fact be 50% in which case instead of 2 milleniums the cracking time will be 1 millenium etc.).
If you want to use BIP-39 wordlist as your dictionary use at least 6 words.
You don’t have to limit yourself to dictionary words. The more uncommon word you use the more difficult it is to crack and the harder to remember.
Don’t make the common mistakes people make when coming up with a passwords. Don’t use your birthday, people’s names, pets’ names and favourite places as your passphrases.
Don’t rely on your memory or paper or electronic devices to store your passphrases. Order Coldbit Passphrase coupled with Coldbit Steel to have a durable, fireproof, waterproof and pressure-proof backup of your seed words and passphrases.
Coldbit 7-Word Passphrase from the short diceware list
BTCRecover
You can see a practical example of using BTCRecover to recover a forgotten password below. In these examples the public address is known and there is no need to look it up in the blockchain (which will slow the process down).
If you want to learn more about Bitcoin wallet/key security and best practices for safe storage sign up to our newsletter below:
How I checked over 1 trillion mnemonics in 30 hours to win a bitcoin
I appreciate the time, money and effort put into testing all these metal wallets. I can see that Mr. Lopp tried hard to be as objective as possible and I believe these results reflect that. For example, when ordering Coldbit Steel + Coldbit Passphrase he used his opsec skills and didn’t reveal his identity to me (knowing that this could potentially influence the quality of the product I’d send – I could prepare a special version of the metal wallet with extra durability features to withstand the extreme conditions for example).
As a sidenote I should mention that I wasn’t very impressed with the quality of stamping on Coldbit Steel to be honest. This is how it looked like in the test:
Hand/template etching and stamping on Coldbit Steel.
This is how it looked like when I stamped the seed words and a wallet ID using a 1.5kg (3 lbs) club hammer:
Stamping on Coldbit Steel using a 1.5kg (3 lbs) club hammer and Gravurem stamp set.
There are 2 possible reasons I can think of that can explain such poor quality stamping:
Using a hammer lighter than 1.5kg (3 lbs). I recommend using at least 1.5kg (3 lbs) or 2 kg (4 lbs) club hammers. When you swing it it has enough momentum to leave deep marks on the first try. In practice you can stamp the words using a 1kg (2 lbs) hammer but it requires a little bit longer swing and using more muscle force than just relying on gravity and momentum. I don’t know the weight of the hammer Mr. Lopp used but I can assume it was a lighter version.
Unstable stamping surface/support. Examples include a wobbly table and surfaces that bend when hit with a hammer. The best stamping surfaces are: concrete, metal or hard wood.
Stamping with a hammer is best learned by practice – that’s why every Coldbit Steel comes with a testing plate on which you can practice stamping for as long as required until you get deep and clearly visible words.
The stress test consisted of 3 parts:
Extreme heat 2000°F / 1093°C (2x the house fire temperature)
Corrosion – muriatic (hydrochloric) acid for 12 hours
Crushing with a 20 ton hydraulic press
Heat:
Coldbit Steel: “Discoloration but no data loss“:
Coldbit Steel after exposure to 2000°F / 1093°C (propane torch)
Coldbit Passphrase: “Performed admirably; while the freehand etching was barely readable, the stamping was quite readable other than the fact that they were partial stamps.”:
Coldbit Passphrase after exposure to 2000°F / 1093°C (propane torch)
Corrosion (hydrochloric acid):
Coldbit Steel: “No data loss; even the freehand etchings were legible.”:
Coldbit Steel after exposure to hydrochloric acid for 12 hours.
Coldbit Passphrase: “Freehand etching was wiped clean. Template based etching was readable, as was stamping.”:
Coldbit Passphrase after exposure to hydrochloric acid for 12 hours.
Crushing
Coldbit Steel: “Hard to read, but no data loss.”:
Coldbit Steel after crushing with a 20 ton hydraulic press.
Coldbit Passphrase: “No additional data loss (the acid caused the freehand etched words to disappear.)”:
Coldbit Passphrase after crushing with a 20 ton hydraulic press.
Stamping with a hammer is vastly superior to hand engraving or etching. A 1.5 kg (3 lbs) hammer and a stamping set make the deepest marks in the metal and thus the letters can survive the most abuse (fire, scratching, crushing, corrosion etc.)
Rail-based metal wallets like Cryptosteel and all its clones (Billfodl, Blockstream Metal, The HODL Wallet, Steeldisk) don’t do well in such extreme conditions.
Have you ever wondered how your Bitcoin wallet seed words (mnemonic words) guard access to your wallet funds and what makes such setup secure ? In this article we’ll dive into the basics of BIP-39 which describe what seed words are and how we can use them to backup our wallet keys in a recoverable way. Let’s go!
In the early days of Bitcoin there were no mnemonic words or easy ways to backup your wallet keys. The default wallet implementation would randomly create private keys which were stored inside a wallet file and you were responsible for backing up that file frequently (by default every 100 transactions). It wasn’t ideal from a user experience point of view to say the least. People would often times forget to backup their wallet file or they did back it up but then the backup would get lost because it was stored on electronic devices which would fail sooner or later. This resulted in a lots of Bitcoins being lost forever.
With time Bitcoin developers came up with better ways to backup private keys. One of the ideas proposed by Pieter Wuille in 2012 in BIP-32 and later widely adopted was called “Hierarchical Deterministic Wallets”. It described a way to generate an unlimited number of private and public keys in a deterministic fashion such that given the same seed (a random list of bytes of certain length) the same list of keys would be generated. This solved the problem of having to backup a list of private keys every 100 transactions. Having a backup of a single seed was enough to take care of the backup of all the private/public keys one would ever need.
Another idea that further simplified the backup of the wallet seed was proposed in BIP-39 by Marek Palatinus, Pavol Rusnak, Aaron Voisine and Sean Bowe. BIP-39 described a method to encode a random list of bytes (a seed) as an easy to remember/write down list of words. Compared to raw binary or hexadecimal representations of the seed (which still required electronic devices to store it) having a human-readable representation enabled much better handling of the seed by humans. From this point forward the seed could be written on paper or spoken over telephone and this opened up new, physical ways of backing up the seed (multiple paper copies in different locations, durable copies on metal plates with extra protection from fire/flood etc.).
In this article we’ll dive into the step-by-step process of transforming a random list of bytes (entropy) into a mnemonic sequence of words according to BIP-39 specification.
Step 1 – Entropy
First we need a good source of randomness. We can flip a coin or roll a dice. If we use a computer (or a hardware wallet) it has a built in random number generator which can act as a source of randomness. To keep things simple we’re going to flip a coin. BIP-32 specifies the entropy length to be between 128 and 256 bits and a multiple of 32 bits. Each coin flip is 1 bit of entropy. We want to have a 24-word seed so let’s toss the coin 256 times and write heads as “0” and tails as “1”.
The following table describes the relation between the initial entropy length (ENT), the checksum length (CS) and the length of the generated mnemonic sentence (MS) in words. So if we wanted to have 12-word seed we’d generate a 128-bit entropy.
Each group (except for the last 24th group which only has 3 bits) contains a 11-bit number (0-2047 in decimal) and this number describes an index into a BIP-39 wordlist.
The first binary number is 00110010100. This binary number converted to decimal is 404. We can convert the binary sequence above into a decimal sequence (you can use a calculator, a web tool or do it by hand on paper if you have time).
The words in the wordlist are 0-indexed meaning you start counting from 0. The number 404 corresponds to the word “crater”. Converting the full list of decimal numbers to words gives us:
crater cloud drill young animal century earth siren because detail knock unfold error jaguar merry pistol fatigue nation wise clinic boss assault grape
Step 4 – Checksum (24th word)
The last step is to calculate a checksum. The purpose of a checksum is to quickly verify if the list of words is correct (valid) or not. It can detect errors like using a wrong word, missing a word or having it in the wrong position.
To calculate the checksum we take all the 256 entropy bits we started with in Step 1 and calculate a SHA256 digest from them.
$ echo 0011001010000101011111010000101111111111101000001001000001001010110100010101111001001011000100111100011110001001111011110111011010010100110011001110111001100010111011010010101101010011110100100110101111110001100101011001000110100010000110110001100101110001 | shasum -a 256 -0
NB: shasum calculates the SHA digest from the input. Option -a 256 means using the 256 algorithm, -0 means reading the input in BITS mode where each ASCII '0' is interpreted as 0-bit and ASCII '1' is interpreted as 1-bit.
This is a number in hexadecimal format. We need the first 8 leftmost bits (1 byte) from this hash. We can use this online hex to binary converter:
f3 (hex) -> 1111 0011 (binary)
Next we add these bits to the 3 leftover bits from 24th group from Step 2 and end up with:
00111110011
This is the last word (499 – dinosaur)
The full 24-word list is now:
crater cloud drill young animal century earth siren because detail knock unfold error jaguar merry pistol fatigue nation wise clinic boss assault grape dinosaur
The last step of BIP-39 is creating the actual binary seed which is then used as a master key in BIP-32 deterministic wallet or using other methods. We’re not going to dive into the details of what this step involves but only quote from the BIP-39 spec:
To create a binary seed from the mnemonic, we use the PBKDF2 function with a mnemonic sentence (in UTF-8 NFKD) used as the password and the string “mnemonic” + passphrase (again in UTF-8 NFKD) used as the salt. The iteration count is set to 2048 and HMAC-SHA512 is used as the pseudo-random function. The length of the derived key is 512 bits (= 64 bytes).
If you followed the steps above now you should be able to create and verify the correctness of BIP-39 seeds yourself (with minimal assistance from tools like binary to hex to decimal converters).
In the video below you can watch the seed stamping process where I punch all the 24 words onto 4mm thick stainless steel Coldbit Steel plate using a 1.5kg hammer and a A-Z letter stamping set:
You should be able to check if the last word of the seed in the video above is correct or not. You have to assume the first 256 bits of entropy are correct and calculate the missing 8 bits. The first person who comments on this post with a correct answer (the last word) and a little bit of description on how they did it can receive 1x Coldbit Steel + 1x Coldbit Passphrase + a Stamping Set + 1.5kg (3 lbs) hammer for free and create a long lasting, corrosion and fire resistant backup of their BIP-39 seed.
Since we have the seed word metal backup covered wouldn’t it be nice to be able to backup your BIP39 passphrase(s) as well on a piece of meta that lasts a very long time and is resistant to fire and flood ?
The fact that we were offering a product that let you stamp your seed words and store safely but there was no way to actually do the same with the passphrase bothered me greatly. Coldbit Steel has an additional line at the bottom:
Coldbit Steel – Wallet ID line
That line in theory could be used for stamping the passphrase but in practice it’s a very bad idea to store the passphrase together with the seed and I advise anyone to NOT DO THAT. Instead this line can be used to label your wallet (useful if you have multiple hardware wallets and thus seeds), say eg. “TREZOR A” or “LEDGER B” etc.
Because, unlike the seed, the passphrases change fairly often so I wanted to be able to store more than just one passphrase and decided to use a stainless steel hex rod. A hex rod has 6 sides which means you can store up to 6 different passphrases. It’s 10 cm (4”) long and will fit a maximum of ~ 28 characters per side.
Coldbit Passphrase for BIP39 passphrase backup
The hexagonal rod form and small size allows for creative ways to hide it in your house or the area where you live. For example you can drill a hole in your door frame and hide it there (you need a 16mm (0.63”) drill.
If you own any cryptocurrencies like Bitcoin you probably know how important it is to write down your seed words on something durable that can survive a flood or a house fire.
After evaluating current cold storage seed backup solutions, I must say I wasn’t thoroughly pleased with their quality and design.
So I decided to create my own metal wallet. After months of testing I came up with a design that I’m very satisfied with and would like to share it with you.
Coldbit Steel Wallet
It is called COLDBIT. It’s made of thick, 4mm stainless steel that can withstand extreme temperatures of up to 1200 C. This type of stainless steel is also waterproof, shockproof and doesn’t corrode. Instead of assembling individual letters (like in Cryptosteel or Billfodl) you stamp the words from the seed onto Coldbit metal plate using the most reliable and bulletproof technique known to man – a hammer and a letter stamp set. The letters will not scramble even if a heavy log from the roof of your house hits it during a house fire. The steel plates are securely bound with nickel binding posts.
I believe this wallet will survive the most catastrophic events. I know that my seed words are safer inside COLDBIT than in any other cold storage solution available on the market today.
Coldbit Steel – Bionic€90.00 – €114.00
Coldbit Steel – Shodan€90.00 – €114.00
Coldbit Steel – Cortez€90.00 – €114.00
