gitcoinambassadors / ideas

Long-form pitching of Ambassador Project Ideas

Proposal for Generating Valid Palindromic Mnemonic Recovery Phrases #2

Open hatgit opened 5 years ago

hatgit commented 5 years ago

I thought this could be a good place to discuss/explore this experimental idea I have been working on which would allow mnemonic recovery phrases (not their entropy) to also be used in reverse order.

User Story

When users create accounts on services such as MetaMask or other popular crypto applications (wallets, etc.) which require that an existing account (mnemonic recovery phrase) is imported or a new one created, this results in a user potentially acquiring a large number of recovery phrases over time (despite the possibility to create an almost unlimited number of child cryptocurrency addresses thanks to the HD structure under BIP32). There may be times where a user wants to attach another entire account structure such as via the use of a passphrase; however, some wallets are not compatible with passphrases. In an effort to provide convenience in such situations or other potential use-cases, I would like to propose a method to generate palindromic mnemonics and explore their value/potential including any risks or reduced security in terms of bits. While a palindromic mnemonic doesn't provide any added security, it provides some additional conveniences to the user, by providing them another mnemonic recovery phrase by reversing the order of the words in their existing palindromic mnemonic.

Why Is this Needed

Users who choose to generate such mnemonics could get more versatility from their experience, in cases where they wanted to separate accounts but keep them linked to the same recovery phrases (except in reverse order).

Summary

There are 2^132 possible 12-word mnemonics of which only 2^128 are valid, as the 4-bit checksum is deterministically generated by hashing the leading 128 bits as a bytearray, and then taking the first 4 bits of that hash digest and appending it to the end of the 128-bit entropy, making it 132 bits long. The 132 bits are divided into 12 groups of 11 bits each, with each 11-bit group representing a binary number that corresponds to an index value on a specific word list (i.e. the English wordlist as per BIP39). Considering that one still must search within the space of 2^128 to randomly find a valid mnemonic, I do not believe there is any entropy loss happening on the security of the initial entropy, as a brute force search of 2^128 would still be needed. Given that any randomly generated 128-bit string can only produce 1 valid checksum, and there are only 2^4 valid checksums for any 128-bit string, there is a 1/16th chance that the first 4 bits of a mnemonic will be the same as the 4-bit checksum derived from those 128 bits (a palindromic checksum). However, for a mnemonic to be palindromic in the sense of its words, that first condition is not required (even though it will produce its own 4-bit checksum and total 132 bits); instead only the following second condition must be met:

Description

Using Python we can build an if/loop statement that will randomly generate valid mnemonics until one is found that satisfies the requirement of a palindromic mnemonic, where the original unreversed words are put into reverse order and the last 4 bits (the checksum) match the last 4 bits of the first (11-bit group) word in the unreversed mnemonic.

Current Behavior

Currently users cannot use their mnemonics backwards as there is a very high chance that they will not be valid when put into reverse order (unless they happen to have a palindromic mnemonic by chance already).

Expected Behavior

Users could check their existing, and create new, palindromic mnemonics, adding another layer of obscurity, potentially without reducing the security (although testing is needed to be sure there are not 4-8 bits of security lost due to known bit relations) or only to a negligible degree (or non-negligible?).

Definition of Done

Building out the code should be relatively easy. I was thinking to post this as a job and would be happy to fund it; then, if we had sufficient opinions/testing in terms of whether it is safe and useful, there could be a push for broader adoption or an EIP/BIP related effort.

Additional Information

(To be completed later)
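As an added example (not hatgit's code and not the linked app), the following Python implements the BIP39 checksum arithmetic described in the Summary and Description above, working on the 11-bit word indices rather than the words themselves so it runs without the 2048-word list. It validates a 12-index phrase by recomputing sha256 over its first 128 bits, checks whether the same indices read in reverse word order also validate, and rejection-samples fresh entropy until such a reversible phrase is found. The function names and the `rng` parameter are my own; the only external fact used is the published BIP39 test vector in which all-zero entropy yields eleven times index 0 (`abandon`) followed by index 3 (`about`).

```python
import hashlib
import secrets
from typing import Callable, List, Tuple

WORD_BITS = 11                                             # each BIP39 word carries 11 bits
ENTROPY_BITS = 128                                         # 12-word mnemonics use 128-bit entropy
CHECKSUM_BITS = ENTROPY_BITS // 32                         # 4 checksum bits for 128-bit entropy
WORD_COUNT = (ENTROPY_BITS + CHECKSUM_BITS) // WORD_BITS   # 132 / 11 = 12 words
WORDLIST_SIZE = 1 << WORD_BITS                             # 2048 entries in the word list


def checksum_bits(entropy: bytes) -> int:
    """Top CHECKSUM_BITS bits of sha256(entropy), as BIP39 specifies."""
    return hashlib.sha256(entropy).digest()[0] >> (8 - CHECKSUM_BITS)


def entropy_to_indices(entropy: bytes) -> List[int]:
    """Append the checksum to the entropy and split the 132 bits into 12 word indices."""
    if len(entropy) != ENTROPY_BITS // 8:
        raise ValueError("expected 16 bytes of entropy")
    bits = (int.from_bytes(entropy, "big") << CHECKSUM_BITS) | checksum_bits(entropy)
    return [(bits >> (WORD_BITS * (WORD_COUNT - 1 - i))) & (WORDLIST_SIZE - 1)
            for i in range(WORD_COUNT)]


def indices_to_entropy(indices: List[int]) -> Tuple[bytes, int]:
    """Join 12 word indices back into 132 bits; return (entropy, claimed checksum)."""
    bits = 0
    for idx in indices:
        bits = (bits << WORD_BITS) | idx
    claimed = bits & ((1 << CHECKSUM_BITS) - 1)
    entropy = (bits >> CHECKSUM_BITS).to_bytes(ENTROPY_BITS // 8, "big")
    return entropy, claimed


def is_valid(indices: List[int]) -> bool:
    """A phrase is valid iff its last 4 bits equal the top 4 bits of sha256(first 128 bits)."""
    if len(indices) != WORD_COUNT or any(not 0 <= i < WORDLIST_SIZE for i in indices):
        return False
    entropy, claimed = indices_to_entropy(indices)
    return checksum_bits(entropy) == claimed


def is_reversible(indices: List[int]) -> bool:
    """True when both the phrase and its word-reversed form pass the checksum."""
    return is_valid(indices) and is_valid(indices[::-1])


def find_reversible(rng: Callable[[int], bytes] = secrets.token_bytes,
                    max_tries: int = 1_000_000) -> Tuple[List[int], int]:
    """Rejection-sample random entropy until the word-reversed phrase is also valid.

    Returns (indices, number of candidates drawn). Each candidate passes with
    probability about 1/16, so the count is typically in the low tens.
    """
    for tries in range(1, max_tries + 1):
        indices = entropy_to_indices(rng(ENTROPY_BITS // 8))
        if is_valid(indices[::-1]):
            return indices, tries
    raise RuntimeError("no reversible mnemonic found within max_tries")


if __name__ == "__main__":
    found, n = find_reversible()
    print("word indices:", found, "found after", n, "candidates")
    print("reversed phrase valid:", is_valid(found[::-1]))
```

The `tries` counter is the number worth watching when assessing the "4-8 bits" question raised under Expected Behavior: because only about one candidate in sixteen is accepted, the set of entropies that can produce a reversible phrase is roughly 2^124 rather than 2^128, and the reversed phrase is fully determined by the original, so the two phrases are one secret rather than two independent ones.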

hatgit commented 5 years ago

In case anyone wants to see a working version of this idea as an app (it works offline too, since all code is inline, if you download the page as an .html file), here is the link: https://stevenhatzakis.com/reversible-mnemonic.html