I have a cryptological question. I know it doesn’t fit well here, but I know there are smart people around and I don’t have many social media accounts.
I saw a cool BIP39 tool by Ian Coleman: https://iancoleman.io/bip39/ but in one place it’s suggested to split a BIP39 mnemonic into 3 parts like this:
BIP39 Mnemonic
perfect unlock twenty worth govern rice flat congress office range zoo rescue maximum west audit
never beauty motor club proud myself certain horn pepper
BIP39 Split Mnemonic (Seed Recovery Requires 2 Of 3 Cards)
Card 1: perfect XXXX XXXX worth govern rice flat congress XXXX range XXXX XXXX maximum
XXXX XXXX never beauty motor club proud XXXX certain horn pepper
Card 2: perfect unlock twenty XXXX govern XXXX XXXX XXXX office range zoo rescue maximum
west audit XXXX beauty XXXX XXXX proud myself certain horn XXXX
Card 3: XXXX unlock twenty worth XXXX rice flat congress office XXXX zoo rescue XXXX west
audit never XXXX motor club XXXX myself XXXX XXXX pepper
Time to hack with only one card: 3830854 years
Now this seems dangerous to me. To me it looks like a single card has only very weak entropy - I think one BIP39 word is worth 11 bits of entropy and the last word is a checksum.
So cards 1 and 3 have 88 bits of entropy minus what the checksum word gives you. I’m not sure, but it definitely lowers the entropy a great deal. Card 2 has only about 77 bits of entropy.
Why the heck does the program report the “time to hack” as so ridiculously high? It seems to me like a big mistake.
I’m not sure, but it seems to me that the checksum word could even lower the entropy of cards 1 and 3 well below 80 bits, maybe even below 77 bits. So all in all I’d say what this program suggests here is really not the optimal solution.
The MMGen wallet supports splitting and joining BIP39 mnemonics via the mmgen-seedsplit and mmgen-seedjoin commands. In your case, you’d just save your seed phrase in a file with the extension .bip39 and use it as the infile argument for these commands. This functionality will be part of the next stable release, but it’s already on the master branch, well tested and safe to use. Just clone from GitHub and install. If you have any additional questions, I can answer them here or on Reddit.
I’m not sure what this means. Is it 3830854 years on today’s computer, or one year on a computer that will be available in 3830853 years? How does Ian know what kind of computer will be available then?
Ian himself has a prototype of a tool that does this: Shamir39 - Mnemonic Code Splitter, but it’s not standardized in any way and you likely shouldn’t use it.
If you find one card you still need 8 words. Cracking 8 words means 2048^8 combinations, or conservatively 10^25. The fastest ASIC right now can process 3 GH/s, which comes out to, conservatively, 10^18 per year. So 10^25 / 10^18 = 10^7. Meaning you’d have to run the machine for 10 million years to go through all possibilities.
Did I miss anything?
True. The last word is a checksum with only 256 options, so that reduces the options by a factor of 10 roughly. So if you have the first two cards you would only have to wait 1 million years.
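To put numbers on the entropy argument in the opening post and on the 2-of-3 cards, here is an added example (not from this thread and not the bip39 tool’s own code): it counts the search space of each card in bits, applying the BIP39 checksum the same way whether or not the last word is on the card, converts that to years at the 3 GH/s guess rate quoted above, and shows how the 24th word is built from 3 leftover entropy bits plus the 8-bit SHA-256 checksum. It assumes the checksum is uniformly distributed over its 8 bits, the standard modelling assumption.

```python
import hashlib
import secrets

# Constructed from the post above: the three cards, "XXXX" marking a withheld word.
CARDS = {
    1: "perfect XXXX XXXX worth govern rice flat congress XXXX range XXXX XXXX maximum "
       "XXXX XXXX never beauty motor club proud XXXX certain horn pepper",
    2: "perfect unlock twenty XXXX govern XXXX XXXX XXXX office range zoo rescue maximum "
       "west audit XXXX beauty XXXX XXXX proud myself certain horn XXXX",
    3: "XXXX unlock twenty worth XXXX rice flat congress office XXXX zoo rescue XXXX west "
       "audit never XXXX motor club XXXX myself XXXX XXXX pepper",
}
WORD_BITS = 11  # log2(2048), the BIP39 wordlist size

def checksum_bits(n_words):
    """BIP39: n words carry 11*n = ENT + ENT/32 bits, so the checksum is ENT/32 bits."""
    return WORD_BITS * n_words // 33

def card_search_bits(card):
    """log2 of the number of valid phrases consistent with one card.

    Each withheld word adds 11 bits; the checksum removes CS bits either way:
    if the last word is on the card, its CS bits constrain the withheld words,
    and if it is withheld, only 11 - CS of its own bits are free."""
    words = card.split()
    return WORD_BITS * words.count("XXXX") - checksum_bits(len(words))

def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to enumerate all 2**bits candidates at a given rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

def last_word_index(entropy):
    """For 32 bytes of entropy the 24th word index is the 3 leftover entropy
    bits followed by the first 8 bits of SHA-256(entropy) (CS = 256/32 = 8)."""
    assert len(entropy) == 32
    cs = hashlib.sha256(entropy).digest()[0]
    return ((entropy[-1] & 0x07) << 8) | cs

if __name__ == "__main__":
    for n, card in CARDS.items():
        bits = card_search_bits(card)
        print(f"card {n}: {card.count('XXXX')} words withheld -> ~2^{bits} candidates, "
              f"{years_to_exhaust(bits, 3e9):.3g} years at 3 GH/s")
    print("24th word index for a random seed:", last_word_index(secrets.token_bytes(32)))
```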