https://github.com/noandrea/safecmb
A study on improving security for mnemonic storage
- Host: GitHub
- URL: https://github.com/noandrea/safecmb
- Owner: noandrea
- License: mit
- Created: 2022-10-28T20:20:20.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2023-01-20T22:25:21.000Z (over 2 years ago)
- Last Synced: 2024-10-29T07:22:19.737Z (8 months ago)
- Topics: backup, mnemonic, mnemonic-phrase
- Language: Rust
- Homepage:
- Size: 94.7 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# SAFECMB
SAFECMB stands for SAFE Crypto Mnemonic Backup. It is a simple technique to improve the security of a mnemonic phrase.
Before continuing, a word of warning: this technique is nothing more than a personal consideration related to securing mnemonic phrases. It has not been peer-reviewed or validated in any way. **USE AT YOUR OWN RISK**.
The concept of SAFECMB is to leverage the order of the mnemonic phrase to create two separate components that are:
- A scrambled mnemonic phrase
- A decoding sequence to reconstruct the correct mnemonic phrase

Given a mnemonic phrase `M`, we define the function `SAFECMB(M)` that performs:
```
SAFECMB(M) -> (M', O)
```
where `M'` is `M` with a different word order and `O` is the correct sort order to reconstruct `M` from `M'`.
In a practical scenario, you would store `M'` and `O` in two separate places, ideally `M'` as a physical copy and `O` in a secure digital storage such as a password manager.
The idea is that for a 24-word mnemonic there are 24! possible arrangements (permutations), that is ~6.2x10^23 arrangements, making it very difficult to guess or brute-force the right combination.
The positive aspect of this approach is that if an attacker has had access to a mnemonic backup (`M'`), that alone will not be enough to get to the correct mnemonic (`M`) without having the correct order (`O`).
The negative aspect is that two pieces of information need to be secured. It is also important to consider what the actual risk of a mnemonic backup being exposed is.
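The split and reconstruction described above, as an added example that is not the project's own code: an unbiased Fisher-Yates shuffle, so that each of the n! orders the brute-force estimate counts is equally likely. The index encoding of `O`, the function names, the use of `/dev/urandom` as the randomness source and the sample words are assumptions made for illustration.

```rust
use std::{fs::File, io::{self, Read}};

/// Uniform integer in 0..bound from a byte source, by rejection sampling (no modulo bias).
fn uniform_below(src: &mut impl Read, bound: u64) -> io::Result<u64> {
    let zone = u64::MAX - (u64::MAX % bound); // a multiple of `bound`
    loop {
        let mut buf = [0u8; 8];
        src.read_exact(&mut buf)?;
        let v = u64::from_le_bytes(buf);
        if v < zone { return Ok(v % bound); }
    }
}

/// SAFECMB(M) -> (M', O). Assumed encoding: O[i] is the position in M' of the i-th word of M.
fn safecmb(m: &[&str], src: &mut impl Read) -> io::Result<(Vec<String>, Vec<usize>)> {
    let mut perm: Vec<usize> = (0..m.len()).collect(); // perm[j] = index in M of word j of M'
    for i in (1..perm.len()).rev() { // Fisher-Yates, walking from the last position down
        let j = uniform_below(src, i as u64 + 1)? as usize;
        perm.swap(i, j);
    }
    let scrambled: Vec<String> = perm.iter().map(|&k| m[k].to_string()).collect();
    let mut order = vec![0usize; m.len()];
    for (j, &k) in perm.iter().enumerate() { order[k] = j; }
    Ok((scrambled, order))
}

/// Rebuild M from M' and O; None if O is not a permutation of the positions of M'.
fn reconstruct(scrambled: &[String], order: &[usize]) -> Option<Vec<String>> {
    if order.len() != scrambled.len() { return None; }
    let mut seen = vec![false; order.len()];
    let mut m = Vec::with_capacity(order.len());
    for &j in order {
        if j >= scrambled.len() || seen[j] { return None; }
        seen[j] = true;
        m.push(scrambled[j].clone());
    }
    Some(m)
}

fn main() -> io::Result<()> {
    // Constructed sample words, not a real wallet mnemonic.
    let m = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot"];
    let mut rng = File::open("/dev/urandom")?; // assumption: Unix-like OS randomness device
    let (scrambled, order) = safecmb(&m, &mut rng)?;
    println!("M' (paper copy):       {}", scrambled.join(" "));
    println!("O  (password manager): {:?}", order);
    assert_eq!(reconstruct(&scrambled, &order).unwrap(), m);
    Ok(())
}
```

Working on indices rather than on the words keeps reconstruction correct when a mnemonic contains the same word more than once.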
### Future work
The security of the approach can be further improved by deriving a Bitcoin or Ethereum account from the `M'` mnemonic, topping it up with some small amounts and monitoring its balance. If the balance changes, it will indicate that the mnemonic backup has been compromised.

### Usage
To run `safecmb`, first compile the binary by running:
```
cargo build --release
```
then run
```
./target/release/safecmb
```
The command will generate a PDF file containing your mnemonic phrase and decoding sequence as shown in the following example:
