AES

3nigma3nc

They can grab it if they want but good luck cracking an AES 256 bit encryption with a decently strong password. Ain't gonna happen.

3nigma3nc

Why? Just encrypt the private key with a strong password and place it on different forms of media. Why do people think they have to pay for more than a simple USB drive? Shit, place it on a floppy; who cares so long as you encrypt it with AES 256 bit.

OmeIetteDuFrornage2

What's cute is not realizing that quantum computers won't be able to "crack" secret phrases, and any cryptographic primitive that is based on scrambling (SHA, BIP-32, AES, etc...). At best, it will reduce their security by some factor, which can easily be remediated by increasing the block size.

Frogolocalypse

Yes. EDIT: In one of my past lives I was an electronics designer. I know what I could do with the tech of the day, and it was pretty awesome. But the types of [microcontrollers](https://dronebotworkshop.com/esp32-2024/) available today is mind blowing. Multiple cores, wifi, bluetooth, RAM... > Here is Espressif’s list of features for the ESP32-S3 Series: > > Xtensa® 32-bit LX7 dual-core processor that operates at up to 240 MHz > > 512 KB of SRAM and 384 KB of ROM on the chip, and SPI, Dual SPI, Quad SPI, Octal SPI, QPI, and OPI interfaces that allow connection to flash and external RAM > > Additional support for vector instructions in the MCU, which provides acceleration for neural network computing and signal processing workloads > > Peripherals include 45 programmable GPIOs, SPI, I2S, I2C, PWM, RMT, ADC and UART, SD/MMC host and TWAITM > > Reliable security features are ensured by RSA-based secure boot, AES-XTS-based flash encryption, the innovative digital signature, and the HMAC peripheral, “World Controller.”

SmoothGoing

>we use what's called asymmetric encryption. There is no encryption in bitcoin itself. Wallet file on disk uses AES but algos for keys and sigs don't encrypt anything. RSA is not in bitcoin either.

moonstone4759

> U2FsdGVk This is base64 for "Salted", which is the usual string at the beginning of an AES-encrypted message created by OpenSSL If the top part is the encrypted privkey for the 1Petz address, then it requires some tricky decoding of the emoji string Then the animated bottom part is a clue, or a cryptic encoding of the passphrase to decrypt the privkey

ShieldScorcher

Just encrypt it and store it anywhere. You can put it on a billboard if you want. I have a container for this purpose with disabled network. Encrypt it with AES256 or something, then make an armored output, then make a QR code, then make a tattoo of that QR code 😁 Or just print that QR code Or engrave that QR code Numerous possibilities really as long as it is encrypted properly - you are safe. Much safer than putting it on a crypto steel which can be found by someone.

moonstone4759

There's a passphrase option, labeled BIP38 That was a not-standard which specified using AES to encrypt a private key, and a base58 encoding format for writing the encrypted key Bitaddress and BTCRecover are probably the only apps which can be used to decrypt a BIP38 prvkey these days

ThatBoyNeedsTherapy1

ENCRYPTED. Ffs. FBI can’t crack AES

SmoothGoing

I recall cryptography was classified as ammunition or something. Now it's going to be fine. You can use AES as much as you like, or any of the other algorithms.

bbien12

Honestly given the current political situation I would get a laptop, take out to WiFi card, do random data disk format and use Vera Crypt with decoy partition to encrypt it with AES-Twofish-Serpent and store my backup there and just memorize the seed. Jokes aside you should be OK with coldcard just don’t lose the damn seed

Technical-Total5565

AES-256 is not quantum safe. You need 6.8k qubits to break it. We are at 1.2k qubits currently. Assuming moore's law applies to quantum computers, it'll take 2-3 years to have a quantum computer powerful enough. Bitcoin hopefully swaps to a quantum safe encryption by then, but doing so is non-trivial. Apple's pq3 is not completely quantum safe, and dilithium is weak against classical computers.

Areshian

I mean, you say people are not imagine its magical, yet your comment make it look like that. Let's assume you have a big QC available. Its good enough to break known algorithms vulnerable to Shor, like RSA, ECDSA or Diffie Hellman. It is not good enough to break other stuff, even if it can get an advantage via Grover like SHA or AES. Company A is your target. It's one of those systems you want to fill with trojans, rootkits, backdoors, escape hatches and who the fuck knows. Let's make things easy for you, one of Company A employees have connected to company A VPN from a public wifi that you got access to. You were able to steal the traffic and get that employee credentials. Because Company A is not making use of two factor authentication for the VPN, so you can now connect to Company A VPN as that user, and to make things simpler, you now have shell access to one server in the company as that user. Now what? QC helped you get to this point, but now you have a problem. QC will not give you root access out of the blue, and every action you do from now on has the chance to expose you. Just the act of connecting to the VPN itself can be easily flagged by the security team (two connections from different geographical zones or you connecting via VPN from the outside while the employee is known to be in the office). You could set up an alternative access bypassing the VPN, but that will most likely be flagged by the networking team too. Even if you manage to get a local privilege escalation and become root (that could be quickly flagged, btw), you still need to potentially do multiple jumps to different computers in the company before you can set all your stuff. And this is not a wifi, this is now a wired network. You won't see traffic that wasn't directed to your server. I guess your best bet would be to try to connect to a kerberos AS or go back to the VPN, see if you can snoop more credentials of users. But unless someone connects to those servers from the one you are on right now, you don't really have a way to do it. QC helped you with the initial step, getting those initial credentials, but the rest? No, everything else is up to you. How long until you get find out?

y-c-c

> Open AI's Q-star cracked AES-192 last November. *Allegedly*. Don't just talk about rumors as if they are proven truths.

davew111

Yawn, quantum computers are like nuclear fusion, always decades away, if ever. AI is the real risk. Open AI's Q-star cracked AES-192 last November. It's very possible they could train a model that can take any wallet address and tell you what the private key is. 

cl3ft

>God forbid for instance if someone figures out how to use quantum computing to instantly mine BTC and solve for all the “lost” wallets. Bitcoin price would finally stabilise, at $0... But if they crack AES-256 Encryption or hashing, society is going to have bigger issues than the value of Bitcoin.

MacDaddi8810

on a text file with a very vague and personalised password reminder, encrypted with AES 256. Then put it inside a [Veracrypt](https://www.veracrypt.fr/code/VeraCrypt/) container with a long password and PIM. Then upload and give to people on UISB sticks to keep safe.

SmoothGoing

This is not AES key. It's some proprietary blockchain.com wallet identifier. Look at their help pages and deal with them directly.

dollhousemassacre

Personally, I find AES-256 sexier than any traditional art. Checkmate, ECB.

Areshian

We are working on a hypothetical scenario on which a QC computer with enough qbits to break ECDSA can actually be built. Whether our current inability to produce one is a technical limitation or a physical limitation I don't know. The number of qbits on existing QC has been increasing, and the pace has increased too, but they are still very far from the amount of qbits that will be needed to effectively break ECDSA. Whether that point is reachable or not is still to be determined. It is clear based on the amount of investment there is enough people that believe it can be scaled, but it is also true that just because enough people believe something can be done, it doesn't mean it can. Regarding bank and session cookie, yes, that is the whole point of decrypting the traffic, either get the username/password or pick the session cookie. But that doesn't change anything. I don't know how is it with your bank, but in mine, logging into my bank allows me to do some basic operations (like check my accounts), but when I want to send a transaction, it will not go through without a second validation, be it SMS or 2FA (authenticator). I put the example of SMS because it may be simpler to hijack (and I didn't even mentioned banks blocking transactions that look suspicious, which would be another hurdle), as 2FA is based on a shared secret and is QC resistant. I assume there are banks out there that allows for transfers without the extra security, but I wouldn't be confident using them. After all, stealing credentials or cookies can happen without a QC. Regarding AES, you mention that nothing is resistant if you have the private key. And that is true, whether you have a Quantum Conputer or not. But having a QC does not magically break AES and tell you the private key. It does reduce it's security when performing Grover's attacks, but that means AES-256 would be as secure to a QC as AES-128 is to a regular computer. And we are very still far from breaking AES-128 with classical computers. So that leaves us with the idea of "If you have a QC, is Bitcoin worth attacking?" It certainly represents a lot of money, and by carefully choosing what wallets to attack, a lot of money could be extracted from the system before being detected. Sure, other targets exists, but as we discussed, it is not "point & click", you don't "just hack the bank and get the money".

equity_zuboshi

> But if that machine were to be built, it would be vulnerable you mean if it **could** be built. Seems the laws of physics are not allowing for it. >, there is an SMS that needs to be sent.  they dont need to use it anyway; they can just take your session cookie straight up and use your session >(not so easy honestly, most wifi are protected by AES, which is QC resistant its nothing resistant if you have the private key. > don't need to attack your communication to the bank and your SMS or your DNS or something like that. I just need to look for wallets I can hack bitcoin is a tiny fraction of the economy compared to what fiat / government assets you could attack, and it would immediately show your hand and lose value. Noone is going to bother when they could get so much more by attacking higher value targets. but its all moot; because Qubits cannot scale.

Areshian

Sorry, but I don't agree with you here. First, the non-controversial part, ECDSA is vulnerable to a machine that as of today or the near future, cannot be built. But if that machine were to be built, it would be vulnerable. That is different to other cryptographic schemes, were even if this QC computer were built, it wouldn't be vulnerable. Now, into the meat part. QC as an instrument to break cryptography doesn't mean you immediately have access to every bank/military/etc. It will be extremely powerful, but doesn't mean you have a button that says "hack" and it works. Let's imagine I do have that computer, one that can instantly hack non-QC resistant ciphers like RSA, ECDSA or ECDHE. What would it take for an attacker to steal money from the bank? So, what does the hack allow them? Well, if they get access to my traffic while I connect to the bank, they can decipher it. That means they are able to see my user and password. But having my user and password is not enough to get access to my money, there is an SMS that needs to be sent. So they also need to hijack my phone company, or the cell network in my area. Or alternative, instead of just capturing my traffic (not so easy honestly, most wifi are protected by AES, which is QC resistant), but to establish a MITM attack. With that approach, they could create a "fake" website of my bank that would look like legit (thanks to the computer, they will present what my computer will consider a valid TLS certificate), wait for me to do a transfer or another operation that requires the SMS and use that code for them). Establishing a MITM attack would require some extra work, mostly hijacking a DNS so they can redirect my traffic to them, but let's assume they already control my traffic, maybe because they are an ISP or I'm accessing my bank through a public wifi or something like that. Also, they don't know how much money they will be able to steal from me. Do I have $100 on my bank or $100000? And even after all that, there is a possibility that the transfer will be rolled back, and if the bank detects there is a QC attack, they can block access via web to the accounts, force customers to go to the office (yes, horrible, but possible) and eventually, bring the web back online with some QC safe approach. That's not the case for Bitcoin. I don't need to attack your communication to the bank and your SMS or your DNS or something like that. I just need to look for wallets I can hack, and start getting money. Sure, if I get greedy and go for high profile wallets like Satoshi (actually, these may not be possible, you need wallets that have signed a transaction already to hack) or big exchanges I will be noticed and Bitcoin value will tank, but I can get a lot of money from less prominent wallets. You could try to sell the magic QC computer itself, selling to someone that is interested in using it to attack other, more specific targets, like military ones. But I'm not sure that is a great idea, there is a good chance you get "silenced" instead of paid.

guestn47

I can restore seed phrase from encrypted wallet if I know the password. Isn't seed phrase single point of failure? It is basically private key sitting in the open in plain text form. But to use encrypted wallet (which is AES-256) you need password, so it's safe to leave around.

guestn47

My 2 cents: 1) download veracrypt portable from official website, verify installation checksums and signatures 2) disconnect your computer from internet 3) create encrypted container disk, mount it, write you seed there in text file or store you wallet/primary keys/etc there (does not mater) 4) imagine yourself 17+ character password containing symbols, numbers, lowercase uppercase letters. Learn about strength of padded passwords ( [https://www.grc.com/haystack.htm](https://www.grc.com/haystack.htm) ) 5) never write this password anywhere, don't tell anyone. it must exist only in your head. Memorize it, repeating makes master. 6) for several days or weeks, try at at least once a day disconnect your computer from the internet, and mount encrypted container using memorized password 7) when you are sure that you know this password by heart and never forget it, make as many copies of this volume as you want, upload it to 25 cloud service... does not matter - AES is unbreakable if you use strong password. It is industry-strength protection. It would take about 100 trilion years to brute-force long strong password. Now you have your secure encrypted container which contains your seed/wallet/primary keys, and only "physical copy" of password for it exists in your head.

GKQybah

https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-and-the-bitcoin-blockchain.html This is the only quantum-vulnerable part about bitcoin. The 51% attacks you’re talking about aren’t possible with a quantum computer since mining is based on AES256 encryption which isn’t quantum-vulnerable.

Aussiehash

Any SD card will work for PSBT exchange and firmware upgrades. The industrial MicroSD cards are only for the case that you want to store an AES encrypted .7zip of your mnemonic seed words on an more durable MicroSD Coldcards don't come with a power cable, but any USB-C cable/charger will work

TissueUnflawed

Wallet encryption is not part of the Bitcoin protocol. Wallet files are not accessible to quantum computers When you did your research, what specific quantum computing risks are relevant to Bitcoin Hint: they don't include breaking the AES cipher used to encrypt wallet files

Competitive_Hippo_17

Turn your seed into a AES cipher with a strong password. Stamp the cipher into several metal plates. Keep one for yourself, and leave the others with trusted family members. Now, you can recover your seed with any one of the metal plates as long as you have your password (store this in password manager). Now, your seed is backed up in multiple locations. Even if one of your trusted family members betrays you, they can't do anything with the metal plate, since they won't have the password to decipher your seed.

Necessary-Mechanic27

Wallet Backup (WB): Exported data from Copay, containing an AES encrypted JSON with many wallet parameters (like extended private key, wallet name, extended public keys of copayers, etc. See #export-format). This data can be created from Copay v1.2+ (Settings -> Advanced -> Export) and it was the default backup format on previous Copay versions. WB can be a file (standard format for Copay desktop versions) or a text (standard for Copay mobile versions).

SmoothGoing

AES256 is encryption. SHA256 is not. It's just a very simple fact.

TissueUnflawed

An AES encrypted file is encrypted with a key. The user creates a passphrase. The cryptography app makes a random salt and hashes the passphrase+salt to create a key. This is key stretching, or PBKDF2 The hashing algorithm used for PBKDF2 in OpenSSL until 2013 was MD5. The default in OpenSSL today is SHA2. The user with a 2013 file may need to specify *md5* to successfully decrypt his 2013 wallet

thr0wmyl1f34wy

Maybe you misunderstood me. AES is the decryption part. MD5 is used for the key.

thr0wmyl1f34wy

What you have is a base64 encrypted private key, either from multibit or any of the android wallets or some online wallets. The good news is that the vast majority use the same decryption process which is 3x MD5 AES CBC. You can download openssl and you can Google the openssl md5 decryption command for the file. If your file starts with u2fsd, that confirms it.

Organic-Ad-5058

>Blaming Vitalik Buterin for Tornado Cash is like blaming the Bjarne Stroustrup (the creator of C++) for every piece of malware that might be written in the language he created. I mean, you could do a similar comparison between tornado cash and encryption algorithms, where both can be used for maintaining privacy of good intentioned actors or bad intentioned ones. I don't see the creators of AES being indicted because their algorithm is used in ransomware.

Digiff

ahahahahaa you are mixing anything and everything that comes under your hand dude. Excel password protected files cannot be read! Again, if you put a basic 4c password for sure someone can break it, but with a proper password no Zip tricks help here! You are confusing with something else. This is why multibillion businesses buy cyber trainings which advice staff to use password protected files, excels, pdf...Your trick is about smth else. *Encryption takes security a step further by converting the file's contents into a complex code that’s difficult to decrypt without the encryption key. That means even if someone accesses your file, all they’ll see is scrambled data. Microsoft uses AES-256 encryption, one of the most advanced encryption algorithms.* [*https://www.dashlane.com/blog/how-to-password-protect-excel-files*](https://www.dashlane.com/blog/how-to-password-protect-excel-files)

SmoothGoing

Seems to be using H2 Database Engine and its encryption option would be AES, like most things. AES is very strong and very fast. It might be difficult to find someone trustworthy.

SmoothGoing

It is attempting to find a password for a multibit wallet file encrypted with AES. It is going through all possible combinations within limitations set. i.e. don't attempt 100 character long password if the file owner is sure the pw was never that long.

TissueUnflawed

> if I use AES-256 encryption, the only vulnerability would be the password I use That's incorrect. Using AES safely also requires a completely random IV And if you're key-stretching a password (should really be a passphrase), you need a completely random salt That's why you don't make your own encryption from "libraries". You don't have the knowledge to understand IV and Salt Also, "the only vulnerability would be the password" is dismissive, as though you're going to make a best effort with a password and hope it's good enough. Use a passphrase, long and random Where are you going to store the passphrase?

Jolly_Schedule5772

Thank you for your insight. So, if I use AES-256 encryption, the only vulnerability would be the password I use. Provided I use a strong enough password, I can't see why I couldn't just store this encrypted file in the "cloud" in case the usb is lost for some reason.

Aussiehash

Mnemonic seed security has not changed for 10 years. It is hacker proof because it never ever exists in digital form outside of your hardware wallet. You can write it down on paper with a pencil, or stamp it into metal with a hammer. There are some newer options now from SeedQR (you stamp the unencrypted seed into a QR code grid for a stateless signer like Seedsigner), Trezor T's SLIP39, BlockchainCommons' SSKR, and Coldcard can write an AES encrypted .7zip of your mnemonic seed to MicroSD

nou_spiro

Actually AES encryption is safe even in with quantum computing. Because current know attack on AES cut key length to half. So 256bit encryption effectively becomes 128bit which is still safe. But basic 128bit AES can become vulnerable because 64bit key length can be cracked today.

crypto-lizard7665

Bitcoin core wallet encryption is AES256

VernChallenger

Unless you're confident the password is less than 10 characters, you've got practically 0% chance of brute forcing it. The main problem is that the passphrase is converted to AES 256 and then several rounds of hashing/salt are used to make things hard. Therefore you can't just attempt a single combination, it has to be attempted as many as 1000 times to compensate for the hashing/salt.

QuackPhD

Seed phrase > Plain TXT file > create 7zip archive of TXT file with password you will never forget (AES256 encryption) > upload to cloud storage. Have a dedicated laptop for interacting with your crypto, not your daily driver. Problem solved.

igadjeed

IV and Salt are different things in AES encryption

igadjeed

> eyJpdiI6IlZQaV That's base64 for {"iv":"VPi which would appear to be JSON. Also, the "iv" tag might be the initialization vector for an AES-encrypted file It's easy to base64 decode the file, but you won't be able to decrypt it without the passphrase or AES key. Decode all of it, and tell us if it has a salt > I did not label which wallet it belonged to You'll never know if you can not decrypt it JSON is not "standard" for AES. I might guess that means your wallet is a javascript one

SmoothGoing

Wallet file is encrypted with AES. There is no bypassing that, otherwise file encryption would not be worth much. Need to know that password. Or start brute forcing it. That's off topic for bitcoin sub. Once you get to the keys try any of the guides you can find using google.

ParkerGuitarGuy

What I did for a while was store the keys in an encrypted 7-zip archive (AES-256) with a rediculous password, nested that inside another 7-zip archive with a different rediculous password, then I kept a copy of that on a couple flash drives (used BitLocker To Go, so 3 layers in that case) and one in my Google Drive. This doesn't facilitate transacting, but for long-term holding it gives you redundancy in case your house burns down and you are relying on industry-standard encryption instead of some company making hardware trying to handle your keys.

Cuvex_io

Hi, Halo22B! Firstly, we find it important to clarify that Cuvex is not a cryptowallet. Cuvex is a cold encryption device, without internet connection and multi-signature with which you can encrypt your seeds, private keys or any secret and record them on an NFC card. Customers can encrypt any plaintext, whether it's a seed phrase, the latitude coordinates of a buried treasure, or an inheritance for their children. Our firmware is updatable and accessible for anyone to audit; we invite you to explore our profile on GitHub. It's crucial to note that the Cuvex device does not store any user data. There is no risk for customers of an attacker accessing the device; absolutely no information is stored on it. Ciphers created with hardware-based AES 256 are stored on NFC cards, making any attack on the Cuvex device ineffective. We would greatly appreciate your assistance in improving and evolving Cuvex in the future!

Cuvex_io

H, Aussiehash! Cuvex is not a Hardware wallet! It’s a cold encryption device, that works without an internet connection. It designed for encrypting seed phrase or private key and storing it securely on an NFC card. It's crucial to note that the Cuvex device doesn’t store any user data. There’s no risk for customers of an attacker accessing the device; absolutely NO information is stored on it. Ciphers created with hardware-based AES 256 are stored on NFC cards, making any attack on the Cuvex device ineffective. Codes you can check on out GitHub https://github.com/Cuvex You are welcome to ask more questions 👌

Competitive_Hippo_17

Noooo, don't ever put it online. Use a proper secure airgapped computer running Linux. Use OpenSSL in the Linux terminal to AES encrypt your seed. Write down the cipher on paper and bring it with you. That way, your seed has not been exposed to the internet, and the cipher you wrote down can only be decrypted with your secret password.

proof-of-conzept

Use a passphrase and encrypt the seedphrase with AES-256 on a computer that has no internet connection.

bchpleez

You didn't answer my question... you only gave me a lecture on stuff that doesn't matter in this context. Humans are making breakthroughs in maths every year to speed up proofs and calculations. If you understand superintelligence basics and what's going on with A\* learning with synthetic data, you would realize that computers will speed up math breakthroughs on their own. We'll never hear more about AES192 being broken by openAI because it'll be muted by national security letters... but with AI, if you have enough GPUs, you can do it yourself. If it can be done once, it will be done again. Please try to leave your bitcoin bias out of it. What is actually BS about novel math dehashing?

Real-Hat-6749

Sure on USB, but this isn't the main problem. If you reaaaally want secure communication between PC and MCU, then you need AES encryption. Anything else is tricky. AES key can be exchanged using ECDH protocol. So far so good. Now the problem is that AES encryption must be done inside MCU, not inside the secure chip, because MCU is the one who needs valid data to be decrypted. According to the ECDH protocol (or RSA for instance), AES key is calculated from the exchange of public components, and then computed using private keys on each side. Private key is stored on the I2C-connected crypto chip and never leaves the chip (which is the only correct way). This means that AES crypto key MUST be computed on the secure chip (remember, connected via I2C to the main MCU, which needs this AES key for the future). Now, AES key must use I2C communication between main MCU and secure chip, to perform the task. That being said, if someone, for some reason, has access to sniff I2C lines between MCU and secure chip they can have an access. Company behind the wallet may say "we use personalization, light encryption to transfer AES key". Sure they can, but main MCU is NOT physical attacks resistant, making it prone do hack. Code is open source, so it is just a matter to analyze the code to find address of where in memory is this "personalized algo key stored". For an attacker, this definitely isn't a one day task, but way way more. they have to do many tricks to gain access to the main MCU. Still, if there is an organized group to go towards them, they are less secure than Ledger in that sense. Because in case of Ledger, EVERYTHING is in one chip. All the crypto apps, all the crypto keys.

_artemisdigital

I have encrypted my seed with AES and it requires a key for decryption. The key is not stored anywhere, it's in my head and easy to remember. I'll never forget it. I have a QR code as an output, that must be deciphered using the key. So I can replicate that QR code in several places to make sure I never lose it, and simply decipher it using the key I memorized, and recover my seed. I don't care if somebody finds the QR code. They can't do shit with it. They don't even know what it is. Engraving your seed in clear is retarded, because then you have to hide it and make sure not to lose it either. It's much better to hide a decryption method in your head, and re-generate it whenever you need it.

proof-of-conzept

But just to be sure use a passphrase and encrypt the seedphrase with AES256 on a computer that never touched the Internet amd then stamp down the bas64 encoded version.q

dove-3

I read that Q* is able to decode AES encryption. So also asking myself whether it could be a threat for SHA-256 encryption.

treemeizer

Quantum computing has implications for all encryption - banking, SSL certs, at-rest encryption of phones, tablets, PCs, block chain, communications, etc. This is like if someone developed a way to remove all oxygen from the planet - having someone from the scuba diving sub worried about what they're going to put in their diving tanks. I.E. if quantum computers suddenly break AES-256 encryption, we have bigger problems on our hand than whether BTC is safe.

SmoothGoing

Use any software with encryption capabilities. Like WinZip or WinRAR (buy the license, you'd be part of a very small club), or gpg on Linux. There's about half dozen ultra common ciphers AES is the fastest but you can use blowfish or something slow since your clear text is just a few bytes long. Encrypt wallet option in many wallets uses AES to encrypt the file. But it's unusable unless decrypted so must be done on secured environment. Do not invent your own "ROT 7 plus backwards" or whatever. It will be weak even if it seems clever.

Jacmac_

I think a whole lot depends on this Q* thing. Is it real thai ASI or AGI could break SHA256 and AES256? I don't know, but if it is legit, the crypto world, and a lot more, is going to undergo a dramatic change in "support".

igadjeed

> Are the two situations completely equivalent They're not A recovery mnemonic (if using BIP39) uses a word list chosen for error tolerance. That is, you can make errors when writing the words. Years later, the recovery function can prompt for corrections, because of the way the word list is built The passphrase lacks this error tolerance > PBKDF2 This is just a 512-bit hash created by iterating SHA2 2048 times When PBKDF2 is used for AES key stretching, the purpose of the salt is to avoid key reuse. Key reuse is a mathematical issue, a potential pattern weakness for AES. Salting also defeats rainbow tables of passphrase-key pairs. In this use case, the salt is recorded in the metadata stored with the cipertext. It's not secret. Similarly, when PBKDF2 is used for passphrase-based authentication, the salt is recorded alongside the hash. It's partially secret, depending on whether the shadow file is leaked BIP39 PBKDF2 does not record the salt. It's not necessary to record it. The 512-bit "seed" is nothing more than the starting entropy for BIP32 HD key chains. So the salt and the payload are equal components of PBKDF2's initial SHA2 payload

pgh_ski

Indeed it is. Can use any strong, modern encryption with a very strong, unique, long passphrase. IIRC 7zip supports AES, as does Office. Better yet, use a well vetted password manager or key storage program like KeePass, OnePassword, etc. depending on your threat model. I would only recommend storing encrypted seed phrases for hot wallets (spending money wallets) that are already PC/mobile based. Don't type a cold wallet (hardware wallet) seed into a PC/mobile, even in encrypted form. This is b/c it breaks the security model of generating and storing keys offline and away from general-purpose compting devices.

pgh_ski

That's not quite what obscurity means in the context of cryptography. In crypto, we generally say that an algorithm is secure if all details of the algorithm and its workings are public/known information, and the only *secret* is the key/passphrase. For example, modern symmetric encryption like AES. AES is everywhere, people know all of the very standard operations involved. AES is secure provided proper implementation and a good secret key. Contrast this with "security through obscurity" like the above. Just encoding a seed as base64. If an attacker finds out or guesses the implementation details (that the secret is just encoded as base64) then the "security" is completely broken. All the attacker has to do is decode the base64. I can encrypt a piece of information with AES and publish the ciphertext, and challenge people to decrypt it. They can't, without doing attacks to guess the secret key. If I publish base64 encoded information, tell people nothing about the methods of encoding that information, and someone will be able to extract the plaintext almost immediately.

BastiatF

I would speculate that your speculation about the algorithm that is speculated to have speculatively cracked AES 192 is pure speculation

igadjeed

> AES256 hashing No such thing

WatIsWijsheid

So you're assuming its in a rainbow table which isn't necessarely the case. Same for the password. Both can still have special meaning for me, making them easy to rember. And yes AES256 hashing.

bitsplease_

You can crack easy to remember pass-phrases very fast with rainbow-tables. You would have to use a strong encryption (like AES256) but it doesn't matter if you use an easy to guess password. So you create a strong password. Now you have the same problem: you have to store securely a key.

bchpleez

No, but the claim is that the AI invented new math that lets you reverse AES 192 encryption.... and that's with a KEY. They haven't even bothered trying to 256 hash data backwards... but there is no principal that says it cannot create new math to do it.

SmoothGoing

Elliptic not elliptical. And it's ECDSA, digital signature algorithm, not asymmetric encryption. RSA256 is basically not a thing, too weak. RSA is not in bitcoin at all. AES is not in bitcoin but is used in wallet clients to encrypt the wallet file.

analogOnly

There seems to be a lot of confusion between Eliptical Curve Asymmetric Encryption, SHA256 (Which is a hashing algorithm not an encryption algo), RSA256, and AES encryption in this sub.

uclatommy

It is speculated that Q* is the algorithm that permitted AI to find a way to defeat AES-192.

BastiatF

> But the idea that Q* is a combination of Q-learning and A* pathfinding is entirely plausible What does that have to do with your claim of cracking AES 192? Reading research papers, building your own models and doing your own research will give you a sense of what is scientifically realistic and what is science fiction, futurology and clickbaiting.

BastiatF

David Shapiro didn't say that Q* cracked AES 192 encryption!😆 Admit you read that on some lowbrow infotainment website

uclatommy

I believe in inverse Cramer so much that I'm honestly scared by this. There is an ongoing rumor that OpenAI's Q\* algorithm enabled it to break AES 128-bit encryption in a way that we cannot comprehend. This would normally be impossible because the amount of computing power necessary to brute-force the decryption would take an astronomical amount of time. That means if it's broken by AI, it found a vulnerability in the encryption algorithm beyond human comprehension. If that's true, I can see how it could have a real impact on cryptograpy-based finance like the BTC blockchain.

SuleyGul

Not sure as I haven't used a nokia in a decade or more lol. I just have old Samsungs from a few years ago a few of them. I use them. Install any program which has some kind of AES 256 encryption. Put the seed phrase in there and Choose a super a long password with numbers and all sorts of different charactes and that's it. Nothing complicated. I store each phone in seperate locations in case I lose or damage one. So i am sweet. The idea of writing my seed phrase in plain sight terrifies me.

proof-of-conzept

I thought about making a batch encryption bith AES-256 and different passwords. Then base64 so i can write it down. Then each family member gets a letter with an encryption and all the passwords of the other people but not the one for their own encryption. Then if someone would break into their homes and steal the encrypted file they cannot decrypt it. Unless they steal one from another family member. Also it needs two family members to come together in order to recover the seed phrase. How about this?

proof-of-conzept

Have you thought about encrypting your seed phrase with AES-256 for example? Hand out the encryption and give the passwords for decryption to the other one?

proof-of-conzept

I am always affraid that someone can find the seedphrase and use it. I would at least encrypt it with AES-256 and then use base64 so i can write it down.

proof-of-conzept

I also thought about buying a raspberry pi, where I can savely encrypt the seedphrase offline with different passwords using AES-256 and base64. Then I will give each member a letter with instructions on how to decrypt it together with the keys in a letter. The only clue is, that everyone only gets the keys for the other peoples encryptions, but not to the one of their own letter. So if someone breaks into one of their homes and steal the encrypted seedphrase, they cannot decrypt it if they don't break into another persons home as well.

telejoshi

SHA256 is just the hash algorithm used by the miners, the keys are ECC and I'm not sure about that (I see different opinions about whether it's secure or not). A lot of our communication may be broken in the future, that's a real problem. Let's just hope it lasts long enough that most of the data is no longer relevant. I've also heard that AES is considered to be safe. I must dig deeper into this topic because I can only rely on stuff I read somewhere

thegatman-pc

Snark is a cryptographic protocol designed to interact and support only the Ethereum network. It’s not a DES, DDDES, AES, or any other know standard of cryptographic algorithm set by IEEE. Don’t pass off 11 year old software as innovation. It makes you look desperate.

AvatarOfMomus

Even discounting human error I still wouldn't bet that no one ever finds a vulnerability or a trick to make even AES-256 decryptable within a human meaningful amount of time. When the service in question is talking about persisting data for, at a minimum, 200 years then I wouldn't want to take that bet. And of course there's always the far more reliable way of cracking something like this, which is get the key from the user(s). Yeah at that point the encryption algorithm doesn't matter, but it's still a risk when talking about any publicly posted data. The more valuable the data the greater the risk, hence why anyone pushing for stuff like government documents or medical information on the blockchain is a moron!

jawni

>Hard to brute-force algorithms like AES-256 are difficult to crack for specific messages in a timely manner, but they can be broken with enough time and computing power. "Enough time" is still more than millions of years even with a quantum computer. >If there's anything close to a master key then you only need someone to slip up once, or compromise one person's computer, to compromise the entire thing. I said excluding human error, because the keys are going to be an attack vector no matter what encryption you're using. >Plus even if that's not the case it's possible a computing improvements and math and cryptography research may eventually make some attack on these encoding systems feasible. Since the data is public it's basically not a question of "if" but "when". Maybe, but not very likely by the opinion of cryptography experts, even with advances in quantum computing.

uptokesforall

M8 if you can create a quantum computer with 256 qubits you can crack AES encryption in one step.

AvatarOfMomus

Hard to brute-force algorithms like AES-256 are difficult to crack for specific messages in a timely manner, but they can be broken with enough time and computing power. That's the issue with public permanent data like is on a lot of blockchains, and like a lot of idiots want to make happen for things like sensitive personal information. If there's anything close to a master key then you only need someone to slip up once, or compromise one person's computer, to compromise the entire thing. Plus even if that's not the case it's possible a computing improvements and math and cryptography research may eventually make some attack on these encoding systems feasible. Since the data is public it's basically not a question of "if" but "when".

Areshian

The fortification has some cost, so there is an incentive to wait as much as possible. It’s not just that QC safe encryption is more computational intensive, but over the years we’ve invested a lot of effort to optimize our current one. Sure, it is not as crazy as AES, where we basically have a lot of hardware (including basically every cpu out there) optimized for it, but still significant.

north0

Anything really critical is protected by symmetric encryption, and as far as I understand there aren't any algorithms that claim to be able to break AES.

telejoshi

Checked again and it's true, AES256 is believed to be quantum resistant, but it doesn't seem sure. RSA is definitely not resistant.

jawni

Considering this is generally used in a complementary fashion to public immutable ledgers, seems like something that isn't going to be a factor to that many people. Although without human error, you can probably be safe from having the encryption broken for quite a while. In fact, a lot of people think AES-256 will *never* be broken, even with the advent of quantum computers.

SearchingForDelta

Bitcoin doesn’t use AES, it uses SHA-256 for mining and ECDSA for keys. SHA-256 is probably quantum resistant unless there’s an unforeseen development. No issue there. ECDSA on the other hand is vulnerable to quantum attacks. It would be feasible to figure out private keys from public keys and drain people’s wallets. Sure you could fork BTC and upgrade the cryptology but the risk is that by the time this is completed enough private keys for all the high-value wallets have already been figured out and the value tanks. Either way the current chain as we know it would be dead

CrazyTillItHurts

You're the delusional one, homie. AES is quantumproof as far as we can tell, with what we *do* know about the function of quantum computing and how AES and family operate

igadjeed

> I don't see this as a rational response Your claims are not rational. You made them up. There is no risk to AES. A quantum computer is not a cracking tool. RSA is not relevant to Bitcoin. Bitcoin has no encryption > If in 10 years quantum computers can break 32 bit ECC There's no such thing as 32-bit ECC > Peter Shor has already solved the discrete logarithm problem back in 1994, theoretically at least. And it will probably take another 30 years before any practical application of his algorithm can be used Most likely never going to happen. The "30 years from now" estimates are now more than 30 years old. In 30 years, we will still be predicting useful quantum computers in 30 years time. Eventually, the infinite 30-year timeframe leads to a realization that it's not possible > will the bitcoin protocol have time to switch Ask again in 30 years

proof-of-conzept

Then you can store it on paper, in your DollarWallet. In a text file on a computer - which you might want to then encrypt another time with AES or something. Just make sure that you have not used a computer that is traceable to you finding or generating your cypher key that you use for encryption, or invent one by your own. And also make sure that you never type the clear text seed phrace into a computer. Then you should be fine.

kamill85

No, the truncation of 256 bits will not give you GUARANTEE of a unique number translated from a sequence of numbers. Translation via matrix, like in AES, does that. If you keep adding 1 to an input and hash it once with AES, the resulting 128 bits are guaranteed to be unique, with no repetitions, no matter what key you choose. But if you truncate AES output to 66 bits, it is possible number 747374 AESed first 66 bits will be exactly same as +1, so 747375 AESed could in theory result in the same first 66 bits followed by different bits. Next, hashing algos in general are lossy in nature , o by design, you also could have collisions of your sequence inputs resulting in the same 66 bits. The best solution would be getting AES-like 64 bit algo (3DES for example), running it on 0..64bit sequences and the remaining 2 bits reserve for your threading, so choose assign each combo of them to each cracking thread, or if its one, run through them for each sequence number. For a single thread, assuming you're using 3DES it would go like: Input seed value (default 0) -> x For (unsigned int128 i=x, i<=0xffffffffffffffff, i++) { X0=3DESEncrypt(i); X1=3DESEncrypt(i^1<<64); X2=3DESEncrypt(i^2<<64); X3=3DESEncrypt(i^3<<64); ValidateBtckey(X0); ... ValidateBtckey(X3); ... } This way, you run through all sequences of 0..64bit in unique random way, no repetitions possible.

Amber_Sam

I would use it with a computer, running a solid GPU - more processors, less time. You're dealing with a AES 128 (or 256) after all.

kamill85

May I introduce you to the birthday paradox. After a short while chance for hitting same values skyrockets. Random is the least optimal approach. What you need is a psudorandom matrix translation where as input you take seed that you +1 and output is pseudorandom but assured to be unique. It's like AES encryption, but instead of 128bits your target is 66. Goog luck

michael676767

I’d like to add some notes for the points and offer alternatives here since some things are actually a little more flexible than mass opinion suggests. - Good tactic, suggest keeping these links stored on password managers. - Another good one, if it’s crypto I suggest to keep the connection restrained to a VPN. Any time you need to visit something anonymously you should be on Tor or if you need to quickly visit somewhere privately - Mullvad Browser paired with a VPN. Do not leave a trace that you were you. - Proton Mail’s the most popular name with good reason. Tutanota and Skiff are also good alternatives. Ultimately ensure the fact your communicative method’s encrypted. Blockchain counts on the same encryption method as Proton and Signal - end to end encryption. Make that your standard. - Password managers are your best friend. Let them make your passwords for you. Bitwarden’s the most affordable password manager out there, Proton Pass is arguably the highest security password manager out there, and 1Password is definitively the easiest to maneuver for most people in a casual limbo between Pass and Bitwarden’s best features. These 3 have pretty good encryption practices as well. Remember to make a good passphrase to avoid a breach if your vault’s stolen and make a habit to export your backups once in a good while - a frequency maybe of a month or 2. If something happens you need to move, don’t lose your accounts. - This will rile some people for sure as I’ve seen it before but this isn’t as hardcore as the general opinion. You CAN store your seed digitally but NOT over a simple solution. If you’re really unwilling to store it physically over a risk that something may happen in your situation where someone physically wants your coins, then I suggest storing it digitally on an encrypted drive. Best solution to still be closer to keeping it offline would be to encrypt a thumb/hard drive with Veracrypt with AES and make a solid passphrase. This will protect against both keyloggers and physical threat actors. Either encrypt the whole drive or make a hidden folder within a drive. Then store your seed there but don’t make a point to constantly open it every time you inject your drive to a computer. To harden insanely - buy a hardware encrypted drive to encrypt its software. Then you have 2 whole layers of encryption protecting your files. If you need a cloud storage, find one that’s encrypted preferrably over a lousy solution like Google Drive or Dropbox. Filen or Skiff Drive are very generous about space unlike Proton Drive but all 3 are very good options. If you feel like you REALLY need to, encrypt the file with Cryptomator if you’re on mobile or encrypt your document yourself before you drop it into Dropbox or Google Drive. Don’t let your files be so easy to access. Think of this as highly as you do for your card info. Most people naturally think so highly that the vigilance is instinctive - treat your seed the same. - SIM Swap is a danger no matter what, so I recommend if you have a phone newer than 2017 to make a PIN on your phone since most new phones have an eSIM. Don’t be a victim of a SIM swap because it just hasn’t happened yet. 2FA solution’s correct but Google and Authy are the worst. Bitwarden and Proton Pass have it better in comparison. Yubikey’s 2FA for normal TOTP is far superior because you need your physical key to access the codes. Dramatic security improvement there. Otherwise, Google keeps a backup on their servers unless you turn on the feature for yourself. Even then, they still keep a copy. Not good. - No notes for that point. If you never interact with social media and just read for your answers - you won’t be a target for asking. - Cold wallets are especially helpful if you think you’re going to be socially engineered. You don’t have access to your own private key yourself and instead trust it to a Ledger or Trezor. It’s a placebo to an extent but it’s just a decimal point better than holding onto your seed yourself with a paper. And about the same as keeping your seed on an encrypted thumb drive really.

boiledpangolin

ELI5: Bitcoin not directly affected Bitcoin uses ECDSA to generate key pairs and sign coins. To deploy this attack in a Bitcoin context you basically need some way to prompt a signer running on a variable time implementation of secp256k1 to get it to leak bits of a private key. Core introduced libsecp256k1 in 2016 (I think), which is a constant time C implementation of secp256k1. Most C/C++ software wallet use it. Anything running on libbtc/libbitcoin uses it too. &#x200B; I don't know if hardware wallets sign in constant time, don't ask me. But then again, this specific attack is about padding a message erroneously and measuring the response time from the signer, which is specific the PKCS #1. I'm not quite sure how to set that up for an attack on Bitcoin signer, we don't really have dynamic padding in Bitcoin sigs. &#x200B; This affects ancient SSL servers, which nobody uses these days. AES-GCM and RSA are too expensive, they eat too much power. End user internet is targetted at mobile nowadays, so the industry has moved to newer crypto, like ed22519 and chacha20poly1305, which is designed to be both lighter and immune to padding attacks. P.S.: I'm mentioning ciphers cause padding oracle attacks originally went after the cipher (the encryption mechanism) instead of the key exchange, which this attack does.

spamz_

If your end goal relies on needing to "educate people" to push them in a direction, you've already lost since both of the following are wrong: 1) You need to understand tech to use it. 2) It's possible to educate a large enough portion of the general public into something technical. You don't even need to look far: billions of devices use things like RSA, AES, ECDH, etc on a daily basis. Yet how many people can explain them? Just even one of them? Rounded to an integer, the number is 0% without question. How many *could* understand it? Well good luck explaining modular arithmetic, finite fields and elliptic curves to people who can't solve a linear equation if their life depended on it.

loksfox

I have this one insane friend that used 3 different usbs and encrypted his seed in AES-256 encryption in them in a offline fresh install linux machine