Reposting a thread from my buddy @SPA which he just shared on Twitter here: https://twitter.com/superphatarrow/status/1687445412909645824
In RHR rip #264 https://twitter.com/rabbitholerecap/status/1687165706222313473, at about 1h27 @ODELL mentions to @MartyBent that someone is going for the @HRF @BorderWallets Bounty by removing the entropy grid. I am not sure if Matt is still referring to @stack_wallet at this point or if it is some other wallet team.
We called the grid the entropy grid because that is where the seed entropy comes from. There is no entropy in the pattern because there is no randomness in the pattern. The pattern is picked by the user to be easy to remember.
Matt mentions that the team's rationale is that this is OK for a short time it takes to cross a border.
No, it's not, and people will lose funds if everyone that uses this version is sharing the same default wallet grid.
I guarantee it.
Humans are terrible at randomness and there will be a list of most common patterns, just as there are lists of the most common passwords each year.
An attacker can generate millions of the most common patterns and generate addresses from them to look for in the UTXO set.
As soon as one of them turns up, it can automatically be swept to the attacker's wallet.
Please don't make a 0-entropy wallet.
"We are implementing border wallets as is. However we've also come up with a novel approach for border wallets. But there seems to be a misunderstanding, it doesn't utilize a grid at all. We're writing up a paper that will be available for public scrutiny. We'll be sure to tag you. :)"
reply
The seed used to create the entropy grid is random. After the grid is created, a person picks the pattern. So, the same pattern used on an entropy grid created by a different seed would create a different wallet.
Oh I see what you're saying. If an attacker finds an actual entropy grid, they can run all possible patterns easily. That makes sense.
Can you help me understand better? Sparrow uses the border wallet implementation now, so I want to make sure it is secure.
reply
Hi - the ability to reproduce Entropy Grids using 12 words as entropy (128-bit/Deterministic Entropy Grids) uses Gibson Research Corporation’s Ultra-High Entropy Pseudo-Random Number Generator. Details here: https://www.grc.com/otg/uheprng.htm
reply
How difficult is it to run all possible word configurations that result in a valid checksum using a found grid? Once that tool is built, it would be trivial to treat every seed phrase found as a potential border wallet, and could be run through that hypothetical program.
reply
For any and every 11-cell pattern/shape, there are 39,916,800 possible combinations that an attacker could face just within that one pattern - e.g. A1 to A11, and 258,520,167,388,849,766,400 combinations if you use 23 cells. The checksum is calculated post hoc and pursuant to the 11-cells selected, and there are an additional 128 possible checksums for every 11-cell combination.
I haven't run all the numbers for the total number of possible 11-cell patterns but it is an extremely - extremely - large number. You would be far better off applying that energy to mining bitcoin directly.
reply
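As an added illustration (not code from any poster, and not Border Wallets' own implementation), the checksum arithmetic behind the "additional 128 possible checksums" figure above: 11 chosen words fix 121 of the 128 entropy bits, the 12th word carries the remaining 7 entropy bits plus a 4-bit SHA-256 checksum, so exactly 128 twelfth words are valid. The grid below is a constructed, seeded shuffle standing in for a real UHEPRNG-generated grid; the cell labels follow the A1..A11 pattern used in the thread.

```python
import hashlib
import math
import random

# Constructed stand-in for an entropy grid: 2048 BIP39 word indices (0..2047),
# one per cell, laid out as 128 rows x 16 columns (A..P). A real Border Wallets
# grid is derived from 128 bits of seed entropy; this one is just a seeded shuffle.
CONSTRUCTED_GRID = list(range(2048))
random.Random(2023).shuffle(CONSTRUCTED_GRID)

def cell_to_index(cell):
    """Map a cell label such as 'A1' (column A, row 1) to the word index in that cell."""
    col = ord(cell[0].upper()) - ord("A")
    row = int(cell[1:]) - 1
    if not (0 <= col < 16 and 0 <= row < 128):
        raise ValueError(f"cell {cell!r} is off the 16x128 grid")
    return CONSTRUCTED_GRID[row * 16 + col]

def valid_final_word_indices(first11):
    """Return the 128 BIP39 word indices that validly complete 11 chosen words."""
    if len(first11) != 11 or any(not 0 <= i < 2048 for i in first11):
        raise ValueError("need exactly 11 word indices in 0..2047")
    prefix = 0
    for idx in first11:
        prefix = (prefix << 11) | idx            # 11 words x 11 bits = 121 bits
    valid = []
    for free7 in range(128):                     # the 7 remaining entropy bits sit in word 12
        entropy = ((prefix << 7) | free7).to_bytes(16, "big")   # full 128-bit entropy
        check4 = hashlib.sha256(entropy).digest()[0] >> 4       # first 4 bits of SHA-256
        valid.append((free7 << 4) | check4)      # word 12 = 7 entropy bits + 4 checksum bits
    return valid

def is_valid_12_word_indices(indices):
    """Check the BIP39 checksum of a 12-word phrase given as word indices."""
    if len(indices) != 12 or any(not 0 <= i < 2048 for i in indices):
        return False
    bits = 0
    for idx in indices:
        bits = (bits << 11) | idx                # 132 bits: 128 entropy + 4 checksum
    entropy = (bits >> 4).to_bytes(16, "big")
    return hashlib.sha256(entropy).digest()[0] >> 4 == (bits & 0xF)

def orderings_for_pattern(cells):
    """Number of distinct orders in which the same set of cells can be read (n!)."""
    return math.factorial(cells)

if __name__ == "__main__":
    chosen = [cell_to_index(f"A{r}") for r in range(1, 12)]   # the A1..A11 pattern
    finals = valid_final_word_indices(chosen)
    print(len(finals), "valid 12th words;", orderings_for_pattern(11), "orderings of 11 cells")
```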
Using multi-sig (two patterns on one grid) would help some, but still not sure how much compute power it would take to run all patterns of different n-of-n wallets.
reply
I think this entropy grid idea is a bad one because it usually is going to be words, or very common pixel patterns.
With a strong Argon2 parameter for the password expansion hashing, and about 8 words, you are still unlikely to see any break of the key in any sane amount of time.
For the border crossing situation, you don't want to have anything on you that would hint you are carrying a key in your memory. I'd suggest that using a common text as a codebook would make this a lot easier. Especially books like a given edition of the Bible or the official, supposedly unmodified text in original Arabic of the Qur'an are both good options because you can get them from anywhere to refresh the memory and thus have nothing physical to signify you might be transporting a wallet.
Kinda cool in a way, I mean, this is a little like the concept of Mnemonic Courier, the basis of the Johnny Mnemonic short story/movie.