merland / seedpicker

Create your own BIP39 seed phrase, securely and transparently.
http://seedpicker.net
MIT License

Controversial suggestion: make last word deterministic #13

Closed mflaxman closed 4 years ago

mflaxman commented 4 years ago

While many words can serve as a checksum, the fact that a user who hits the Calculate! button twice will likely see two different results is very dangerous.

How this can cause loss of funds:

  1. User goes to http://seedpicker.net/calculator/last-word.html, enters their 23 words, and hits Calculate!
  2. User copies down Zpub to Electrum. It works and the user thinks they're doing everything correctly. They follow the next few steps on Electrum, perhaps, say, configuring their hardware wallet(s).
  3. User remembers they need to write down their entire mnemonic (including checksum word) on a piece of paper, USB, cryptosteel, etc.
  4. User assumes that the calculation is deterministic and instead of finding their old website tab (perhaps they even closed it), the user enters their 23 words into a new instance of this webpage.
  5. Webpage generates a different 24th word which they copy down to their cryptosteel, but the user is unaware that this does not match the Zpub they previously used in their Electrum multisig construction.

Years later, the user goes to use this key in recovery (perhaps another key was lost) and discovers that the seed they wrote down doesn't have access to their funds (which was the whole point of using this tool)! While it is theoretically possible for them to then try all the different valid 24th words, they don't know to do this and lose their life savings :(

Obviously, there is a competing argument that using some deterministic scheme slightly reduces the entropy of their seed. If you think more critically, you realize this reduction is very small (and any motivated attacker with a script could brute-force these few possibilities). When weighted against the risk of loss of funds, this tradeoff seems very worthwhile. To mitigate this, I recommend the following:

  1. Default to 23 words (not 11). Adding more entropy mitigates this problem.
  2. Link to this issue (or write your own copy and/or link to somewhere else on the internet) and explain how the checksum is calculated.
  3. In the advanced section, show all the other potential words that were not chosen. Very advanced users could figure out how to make this work for their use-case.

My suggestion is to use the alphabetical first valid word. The alphabetical last word would also be a good choice.
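The checksum arithmetic behind this suggestion, as an added example that is not seedpicker's own (browser) code: the first 23 words fix 253 of the 256 entropy bits, so the 24th word carries 3 free entropy bits plus the 8-bit SHA-256 checksum, giving exactly 8 valid candidates; picking the smallest wordlist index is the "alphabetically first" rule, because the English BIP39 list is sorted. Words are represented as indices into that 2048-word list; mapping words to indices is assumed to be done by the caller.

```python
import hashlib

WORD_BITS = 11
ENTROPY_BITS = 256                    # a 24-word mnemonic encodes 256 bits of entropy
CHECKSUM_BITS = ENTROPY_BITS // 32    # BIP39: 8 checksum bits for 256-bit entropy
WORDLIST_SIZE = 1 << WORD_BITS        # 2048 words


def valid_last_word_indices(first_23):
    """All wordlist indices that complete first_23 into a valid 24-word mnemonic.

    Returned ascending, which for the sorted English wordlist is alphabetical.
    The 3 high bits of each candidate are the free entropy bits, so the 8
    results are always distinct.
    """
    if len(first_23) != 23 or not all(0 <= i < WORDLIST_SIZE for i in first_23):
        raise ValueError("need exactly 23 wordlist indices in range 0..2047")
    prefix = 0
    for idx in first_23:
        prefix = (prefix << WORD_BITS) | idx          # 253 entropy bits so far
    free_bits = ENTROPY_BITS - 23 * WORD_BITS         # 3 bits still unset
    candidates = []
    for tail in range(1 << free_bits):
        entropy = (prefix << free_bits) | tail
        ent_bytes = entropy.to_bytes(ENTROPY_BITS // 8, "big")
        checksum = hashlib.sha256(ent_bytes).digest()[0] >> (8 - CHECKSUM_BITS)
        candidates.append((tail << CHECKSUM_BITS) | checksum)
    return sorted(candidates)


def deterministic_last_word_index(first_23):
    """The 'alphabetically first valid word' rule proposed in this issue."""
    return valid_last_word_indices(first_23)[0]


def is_valid_24(indices):
    """Recompute the BIP39 checksum for a 24-word mnemonic given as indices."""
    if len(indices) != 24 or not all(0 <= i < WORDLIST_SIZE for i in indices):
        return False
    bits = 0
    for idx in indices:
        bits = (bits << WORD_BITS) | idx
    checksum = bits & ((1 << CHECKSUM_BITS) - 1)
    entropy = bits >> CHECKSUM_BITS
    ent_bytes = entropy.to_bytes(ENTROPY_BITS // 8, "big")
    expected = hashlib.sha256(ent_bytes).digest()[0] >> (8 - CHECKSUM_BITS)
    return checksum == expected
```

With the all-zero vector (23 times index 0, i.e. "abandon"), the smallest candidate is index 102, matching the standard BIP39 test mnemonic ending in "art".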

merland commented 4 years ago

This is a fair point, and not that controversial really. The fact that there are several valid words does complicate things. And the added entropy is - as you point out - both minimal and easily brute-forceable. As I see it, the only issue is how to clearly communicate this decision to the user. We will try to work out a suggestion and take it from there!