0
Given a 12 or 24 word seed with one one or more missing words what would be the difficulty of brute-forcing the missing words? E.g. for:
By difficulty I mean the number of permutations against a dictionary wordlist.
And the related question: how many words would have to be missing in order to make the attack reliably unfeasible?
1
Missing 3 words in known positions and there will be 8.577.355.766 permutations.
Based on the speed of an average PC, approximately 10 permutations/second. This would take close to 9927 years(if unlucky and have to try every permutations) Sorry, I forgot we are not dealing with wallet password encryption here.
Anyway, a computer will have to get the private key, calculate a public key and then check it for balance, this process will take time.
Missing 4 words(17.540.692.561.920 permutations) or more, and I don't think anyone will want to try their luck. So maybe 5 words or more and even the government will let it slide.
The answer is "very difficult" but, pending details of that answer: did you mean words missing at the end, or at unknown positions? It makes a difference because word order is significant. – brec – 2017-12-16T19:43:58.810
I'm also unsure of what you mean by "number of combinations that would have to be checked against a dictionary." Assuming that you mean the standard words-generating protocol, called BIP39, the dictionary consists of 2048 words. Checking whether a specific word is "in the dictionary" is trivially easy. The only way to check whether a given string of words is valid for a given wallet is to enter it and see whether you get the expected coins balances.
– brec – 2017-12-16T19:49:52.627Do I understand correctly that the seed dictionary is made of 2048 predefined words? So, in that case for one missing word in a known position (e.g. the first position) an attacker would only need to check 2048 iterations? right? – ccpizza – 2017-12-16T19:55:29.357
Commenting requires a minimum of nine words, so: right. – brec – 2017-12-16T20:04:44.047
got it; so hiding a single word in a known position is basically like no hiding at all; how about the related question: where the attack becomes unfeasible? (apart from the obvious answer of zero words being exposed) – ccpizza – 2017-12-16T20:07:30.027
@Chak: That's assuming a CPU, if it is e.g. an AntMiner S9 then that can probably be reduced from thousands of years to months or weeks, no? Could you please add this as an answer so that I can accept it? – ccpizza – 2017-12-16T22:56:16.407
1@ccpizza, AntMiner S9 is great at computing SHA-256 on some input. However SHA-256 is a cryptographic hash function, not an encryption function. So no. – Chak – 2017-12-16T23:10:04.727