1

Given a 12 or 24 word seed with one or more missing words, what would be the difficulty of brute-forcing the missing words? E.g. for:

  • one missing word
  • two missing words
  • three missing words

By difficulty I mean the number of permutations against a dictionary wordlist.

And the related question: how many words would have to be missing in order to make the attack reliably unfeasible?

ccpizza
  • 287
  • 3
  • 12
  • The answer is "very difficult" but, pending details of that answer: did you mean words missing at the end, or at unknown positions? It makes a difference because word order is significant. – brec Dec 16 '17 at 19:43
  • I'm also unsure of what you mean by "number of combinations that would have to be checked against a dictionary." Assuming that you mean the standard words-generating protocol, called BIP39, the dictionary consists of 2048 words. Checking whether a specific word is "in the dictionary" is trivially easy. The only way to check whether a given string of words is valid for a given wallet is to enter it and see whether you get the expected coins balances. – brec Dec 16 '17 at 19:49
  • Do I understand correctly that the seed dictionary is made of 2048 predefined words? So, in that case for one missing word in a known position (e.g. the first position) an attacker would only need to check 2048 iterations? right? – ccpizza Dec 16 '17 at 19:55
  • Commenting requires a minimum of nine words, so: right. – brec Dec 16 '17 at 20:04
  • got it; so hiding a single word in a known position is basically like no hiding at all; how about the related question: where the attack becomes unfeasible? (apart from the obvious answer of zero words being exposed) – ccpizza Dec 16 '17 at 20:07
  • @Chak: That's assuming a CPU, if it is e.g. an AntMiner S9 then that can probably be reduced from thousands of years to months or weeks, no? Could you please add this as an answer so that I can accept it? – ccpizza Dec 16 '17 at 22:56
  • 1
    @ccpizza, AntMiner S9 is great at computing SHA-256 on some input. However SHA-256 is a cryptographic hash function, not an encryption function. So no. – Chak Dec 16 '17 at 23:10

2 Answers

2

A wallet was brute forced with 8/12 words and their order known in 2020

https://medium.com/@johncantrell97/how-i-checked-over-1-trillion-mnemonics-in-30-hours-to-win-a-bitcoin-635fe051a752

Czs
  • 21
  • 1
2

Missing 3 words in known positions and there will be 8.577.355.766 permutations.
Based on the speed of an average PC, approximately 10 permutations/second, this would take close to 9927 years (if unlucky and have to try every permutation). Sorry, I forgot we are not dealing with wallet password encryption here.

Anyway, a computer will have to get the private key, calculate a public key and then check it for balance, this process will take time.
Missing 4 words (17.540.692.561.920 permutations) or more, and I don't think anyone will want to try their luck. So maybe 5 words or more and even the government will let it slide.

Chak
  • 1,301
  • 8
  • 14
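
An added example, not part of either answer: it works out the search space the question asks about, assuming BIP39 (2048-word list, words may repeat, 4 checksum bits for a 12-word seed and 8 for a 24-word seed). The function names are illustrative; the 10 per second rate is the figure from the answer above, and the second rate is derived from the linked article's title (1 trillion mnemonics in 30 hours).

```python
from math import comb

WORDLIST_SIZE = 2048             # BIP39 wordlist: 11 bits per word
CHECKSUM_BITS = {12: 4, 24: 8}   # BIP39 checksum = entropy bits / 32
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def search_space(total_words, missing, positions_known=True):
    """Return (raw candidates, candidates expected to pass the checksum)."""
    if total_words not in CHECKSUM_BITS:
        raise ValueError("only 12- and 24-word seeds are modelled")
    if not 0 <= missing <= total_words:
        raise ValueError("missing must be between 0 and total_words")
    if missing == 0:
        return 1, 1
    # Words may repeat in a BIP39 seed, so each gap has 2048 options.
    candidates = WORDLIST_SIZE ** missing
    if not positions_known:
        # Upper bound: the gaps could sit at any of C(n, k) position sets.
        candidates *= comb(total_words, missing)
    # The checksum rejects all but ~1 in 2^bits before any key derivation.
    return candidates, candidates >> CHECKSUM_BITS[total_words]

def seconds_to_exhaust(valid_candidates, rate_per_second):
    """Worst-case time to derive and check every checksum-valid candidate."""
    return valid_candidates / rate_per_second

def report(total_words=12, rates=None):
    """Rows of (missing words, raw, checksum-valid, years per named rate)."""
    rates = rates or {"10/s (answer's PC figure)": 10.0,
                      "1e12 in 30 h (linked article)": 1e12 / (30 * 3600)}
    rows = []
    for k in range(1, 7):
        raw, valid = search_space(total_words, k)
        years = {n: seconds_to_exhaust(valid, r) / SECONDS_PER_YEAR
                 for n, r in rates.items()}
        rows.append((k, raw, valid, years))
    return rows

if __name__ == "__main__":
    for k, raw, valid, years in report():
        est = ", ".join(f"{n}: {y:.3g} years" for n, y in years.items())
        print(f"{k} missing: {raw:.3e} raw, {valid:.3e} valid -> {est}")
```

For a 12-word seed with 4 missing words in known positions, the checksum-valid count is 2^40, about 1.1 trillion, which lines up with the figure in the linked article's title.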