
I have managed to lose 5 words of my 24 word Ledger Nano S recovery phrase. I have words 1-19 but I am missing words 20-24. I have significant holdings on the wallet so would very much like to recover it if possible. The passphrase is a BIP39 mnemonic (see https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki). I have the bitcoin and ethereum public addresses for this mnemonic. I am wondering if it's feasible to brute force the passphrase.

Each word is 11 bits (2^11 = 2048 possible words). The last (24th) word of the passphrase is of the following form [3 random bits][8 bit checksum]. Therefore I only have to check 2^(55 - 8) = 2^47 = 1.4x10^14 combinations. I would have to compute SHA-512-HMAC with an iteration count of 2048. As far as I understand, that means I'd have to compute 1.4*10^14 * 2048 = 2.87*10^17 hashes in total.

Is there any hardware out there designed for this? I am aware of ASICs that compute sha-256 hashes but not sha-512 hashes. Perhaps I could tweak one to work with sha-512 since they are very similar.

Assuming a fairly typical ASIC hashrate of 1TH/s (10^12 hashes per second), I could exhaust the search space in 2.87*10^5 = 287000 seconds = 3.3 days. I'd probably get there sooner, of course (expected 1.65 days). Time is not something I am worried about. Even if I have to wait months, I don't mind - so if I can get 10GH/s at a reasonable price, that would be great.

I would really appreciate any help/information you could provide to help me out and make sure I haven't missed anything. I could also use GPUs for this (I calculate I can run them at roughly $1/10TH - so it would cost me $28.7k to exhaust the search space, which I will do if there are no cheaper options).

Many thanks, James

Glorfindel
JGoodwin10
  • Something I feel should be mentioned is that changing a single bit within hashed data will change the entire hash, so trying to iterate through all the hashes is probably not feasible – Apr 26 '19 at 20:53
  • @Thegs I'm not following. By permuting every hash, I can find the one that matches up with my address. – JGoodwin10 Apr 26 '19 at 21:44
  • @ChrisW.Rea Thanks, I've asked there now – JGoodwin10 Apr 26 '19 at 22:11
  • @JGoodwin10 you should also check in the cryptography exchange. – Apr 26 '19 at 22:11
  • I doubt those ASICs exist (unless there's a coin that does exactly those hashes, or maybe someone builds them just to do exactly this kind of key recovery, which I guess may one day become lucrative). You're likely gonna be doing CPU or GPU speeds (if you can make/find the right software to do it). Also I think you'll need to do further checks every time you happen to land on a valid checksum (1 in 256). – Jannes Apr 27 '19 at 00:10
  • I would not expect it to be possible to "tweak" an SHA256D ASIC. They are designed in hardware to do only one thing. If there were gates to spare, the designers would have used them for more SHA256 units instead of adding an SHA512 option. – Nate Eldredge Apr 27 '19 at 00:11
  • You can not "tweak" the operation of an ASIC, and truly there's no mining ASIC doing a complete SHA256 hash either. It really depends how much money you have to blow on recovering the seed as to how far you can go, but I think your cost estimates are off by orders of magnitude. You're forgetting that once every 1:256 attempts you need to do a computationally expensive BIP32 derivation and see if any of the addresses match your wallet. – Claris Apr 27 '19 at 00:23
  • https://www.xkcd.com/936/ Obviously if you can do TH/s it gets quicker, but I still wouldn't think you'd be able to brute force what's essentially a 5-word passphrase (with the added bonus of having to hash 19 other words every time, which adds to the time per hash). 4-word passphrases are considered extremely safe at this point – xyious May 01 '19 at 16:01
  • @xyious if I can do TH/s, wouldn't the calculations I showed apply? In that case, it would be brute-forceable. The issue is that TH/s are not really achievable. – JGoodwin10 May 01 '19 at 23:32
  • Yes, we're in complete agreement. – xyious May 02 '19 at 15:45
  • @xyious It would be good to note that "4-word passphrases" from the set of "all words" is not the same as BIP39's 2048-word list. 2048^5 is "only" 36,028,797,018,963,970 possibilities compared to diceware's 7776^5, which is 789 times larger. Diceware is still a very limited set of words, so the comparison to passphrase strength doesn't seem applicable IMHO. – Jonathan Cross May 21 '19 at 17:57
  • Just wanted to note regarding @Jannes' comment that the checksummed last word will have only 1 of 8 potentially valid checksums (the range of 256 possible checksums includes theoretically invalid ones that we don't have to search through). In other words, once you reach 253 bits of entropy for the first 23 words, only the next three bits will need to be brute-forced, and each of those 8 options (2^3) will map to a distinct word after the checksum is computed. The last word of a 12-word mnemonic has essentially more security (as you must crack the first 7 bits of the last group). 2^7 = 128 combinations. – Steven Hatzakis Aug 17 '20 at 12:33
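The BIP39 checksum structure that the question's 2^47 count and the comment about "8 valid last words" both depend on, as an added illustration (not code from the original question or any answer). It implements the BIP39 spec directly on 11-bit word indices so no wordlist file is needed; mapping an index to its English word is left to the reader.

```python
import hashlib
import unicodedata
from functools import reduce

WORD_BITS = 11  # each BIP39 word encodes 11 bits (2048-word list)

def checksum_bits(entropy: bytes) -> int:
    """BIP39 checksum: the first len(entropy)/32 bits of SHA-256(entropy)."""
    cs_len = len(entropy) * 8 // 32          # 4 bits for 16 bytes, 8 bits for 32 bytes
    digest = hashlib.sha256(entropy).digest()
    return int.from_bytes(digest, "big") >> (256 - cs_len)

def entropy_to_indices(entropy: bytes) -> list[int]:
    """Entropy -> word indices (entropy bits then checksum bits, 11 bits per word)."""
    cs_len = len(entropy) * 8 // 32
    bits = (int.from_bytes(entropy, "big") << cs_len) | checksum_bits(entropy)
    n_words = (len(entropy) * 8 + cs_len) // WORD_BITS
    return [(bits >> (WORD_BITS * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]

def indices_valid(indices: list[int]) -> bool:
    """True if the trailing checksum bits match SHA-256 of the leading entropy bits."""
    total = len(indices) * WORD_BITS
    cs_len = total // 33                      # 12 words -> 4, 24 words -> 8
    bits = reduce(lambda acc, i: (acc << WORD_BITS) | i, indices, 0)
    entropy = (bits >> cs_len).to_bytes((total - cs_len) // 8, "big")
    return bits & ((1 << cs_len) - 1) == checksum_bits(entropy)

def valid_last_indices(first_indices: list[int]) -> list[int]:
    """Last-word indices with a correct checksum for the given leading words: for 24
    words the last word is 3 free bits + 8 checksum bits, so exactly 8 of 2048 validate."""
    total = (len(first_indices) + 1) * WORD_BITS
    cs_len = total // 33
    free_bits = WORD_BITS - cs_len
    prefix = reduce(lambda acc, i: (acc << WORD_BITS) | i, first_indices, 0)
    out = []
    for free in range(1 << free_bits):
        entropy = ((prefix << free_bits) | free).to_bytes((total - cs_len) // 8, "big")
        out.append((free << cs_len) | checksum_bits(entropy))
    return out

def search_space(missing_words: int, total_words: int = 24) -> int:
    """Candidates when the last `missing_words` words are unknown: 5 of 24 -> 2**47."""
    cs_len = total_words * WORD_BITS // 33
    return 2 ** (missing_words * WORD_BITS - cs_len)

def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048)
```

The all-zero entropy vectors from the BIP39 test set (12 words ending in index 3, "about"; 24 words ending in index 102, "art") are a convenient sanity check for the checksum arithmetic.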

4 Answers


With 4 unknown words there are around 1.76 trillion possible mnemonics, and John Cantrell was able to write and set up a network of CPU and GPU solvers which successfully checked 1 trillion mnemonics in 30 hours (as part of a challenge to win a bitcoin) by renting a bunch of GPUs (it cost him less than $500).

The last (5th) word you can just pre-calculate to reduce the number of calculations, as it contains a checksum.

So if you are able to reproduce a similar setup, you can brute-force and recover your wallet in just a few days.

Read more at: How I checked over 1 trillion mnemonics in 30 hours to win a bitcoin.

Project repositories:

kenorb

You have three options here:

  1. Use a GPU implementation of Gurnec's Seed Recovery script.
  2. Use Hashcat / JTR, where PBKDF2-HMAC-SHA512 is already implemented.
  3. Use brainflayer, similar to Gurnec's software; no multithreading, no GPU.

Gurnec's script runs at approximately 40 kh/s on my i7-8700k without OC. So if you had only lost the last 4 words of your seed, it would be 2^36 hashes.

2^36 h / 40,000 h/s = ~20 days

So it will take roughly 3 weeks to test every combination.

But to crack the last 5 words of your seed it would take 2048 * 20 days.

On the other side, according to the benchmarks, PBKDF2-HMAC-SHA512 hashes at 4,800 kh/s on a usual 8 x 1080 rig, so it should be possible to recover the 5 missing words in several days.

tl;dr: Implement GPU support in btcrecover or brainflayer, or work out how to make it work under Hashcat. Up to 3 words + checksum word is doable on CPU; more needs GPU.

fran2k

You can try btcrecover on GitHub, look here: https://github.com/gurnec/btcrecover

It has a special feature to find missing mnemonic words.

I also have a GPU version of it, if you need help.

/KX

KeychainX

You may be able to find some luck writing an OpenCL wrapper for either John the Ripper or OCLHashCat, as I'm fairly certain you can't retool ASICs (unless you get your hands on a good FPGA and gate it for ripping through the SHA512 space).