Hi all,

regarding my previous thread about memorizing a 128/256 bit key,
I came up with the following idea to create Argon2id keys.

Now we only need to memorize our Diceware passphrase.

This task shoulb be carried out on an offline Computer.

I am using four Golang programs, called dwp (diceware passphrase),
dice2bip, leetspeak and argon2id, which you can find on my GitHub
page at:

https://github.com/stefanclaas/

Usage of leetspeak is optional.

First we start with dwp:

$ dwp -r 6 -d eff_large_wordlist.txt -p
Diceware number 1: 51534 - reselect
Diceware number 2: 25455 - envelope
Diceware number 3: 42252 - nuptials
Diceware number 4: 35561 - lapping
Diceware number 5: 26225 - expand
Diceware number 6: 24453 - earpiece

Complete passphrase: reselect envelope nuptials lapping expand earpiece

Now we use the Diceware passphrase for dice2bip:

$ dice2bip -passphrase "reselect envelope nuptials lapping expand earpiece"
24-word mnemonic:
project clock spirit taste shoulder trumpet what system
radio boat local sock pond gauge cancel hundred
annual ugly fuel void execute sausage angle knee

Optionally we can use leetspeak for eight words:

$ echo "annual ugly fuel void execute sausage angle knee" | leetspeak
4nnu41 u61y fu31 v01d 3x3cu73 54u5463 4n613 kn33

Lastly we create our Argon2id key, used as an 256 bit encryption key,
or as final passphrase for a password mananger etc. The -p parameter
uses the first sixteen words from the dice2bip output and the -s parameter
uses the last eight words, wich we had run through leetspeak.

$ argon2id -p "project clock spirit taste shoulder trumpet what system radio boat local sock pond gauge cancel hundred" -s "4nnu41 u61y fu31 v01d 3x3cu73 54u5463 4n613 kn33"

Our final result: b3ff9d34181c4771dd9ec993c78b2d5b2cc809024c9447f97468893f0d70e611

So, all in all, we only have to remember the Diceware passphrase to reconstruct
our encryption key.

Hope you like the idea!

--
Regards
Stefan

Stefan Claas wrote:
>
> Hi all,
>
> regarding my previous thread about memorizing a 128/256 bit key,
> I came up with the following idea to create Argon2id keys.
>
> Now we only need to memorize our Diceware passphrase.
>
> This task shoulb be carried out on an offline Computer.
>
> I am using four Golang programs, called dwp (diceware passphrase),
> dice2bip, leetspeak and argon2id, which you can find on my GitHub
> page at:
>
> https://github.com/stefanclaas/
>
> Usage of leetspeak is optional.
>
> First we start with dwp:
>
> $ dwp -r 6 -d eff_large_wordlist.txt -p
> Diceware number 1: 51534 - reselect
> Diceware number 2: 25455 - envelope
> Diceware number 3: 42252 - nuptials
> Diceware number 4: 35561 - lapping
> Diceware number 5: 26225 - expand
> Diceware number 6: 24453 - earpiece
>
> Complete passphrase: reselect envelope nuptials lapping expand earpiece

I have updated dwp, so that instead of blanks between the words, one can
use, with the -s paramter, a special character as seperator, along the -p
parameter.

--
Regards
Stefan

Stefan Claas wrote:
> Stefan Claas wrote:
> >
> > Hi all,
> >
> > regarding my previous thread about memorizing a 128/256 bit key,
> > I came up with the following idea to create Argon2id keys.
> >
> > Now we only need to memorize our Diceware passphrase.
> >
> > This task shoulb be carried out on an offline Computer.
> >
> > I am using four Golang programs, called dwp (diceware passphrase),
> > dice2bip, leetspeak and argon2id, which you can find on my GitHub
> > page at:
> >
> > https://github.com/stefanclaas/
> >
> > Usage of leetspeak is optional.
> >
> > First we start with dwp:
> >
> > $ dwp -r 6 -d eff_large_wordlist.txt -p
> > Diceware number 1: 51534 - reselect
> > Diceware number 2: 25455 - envelope
> > Diceware number 3: 42252 - nuptials
> > Diceware number 4: 35561 - lapping
> > Diceware number 5: 26225 - expand
> > Diceware number 6: 24453 - earpiece
> >
> > Complete passphrase: reselect envelope nuptials lapping expand earpiece
>
> I have updated dwp, so that instead of blanks between the words, one can
> use, with the -s paramter, a special character as seperator, along the -p
> parameter.

Example:

$ dwp -r 6 -d eff_large_wordlist.txt -p -s "$"
Diceware number 1: 13325 - basically
Diceware number 2: 53463 - seltzer
Diceware number 3: 43121 - outwit
Diceware number 4: 62222 - thorn
Diceware number 5: 33612 - header
Diceware number 6: 13351 - battery

Complete passphrase: basically$seltzer$outwit$thorn$header$battery

--
Regards
Stefan

Stefan Claas in sci.crypt:

>regarding my previous thread about memorizing a 128/256 bit key,
>I came up with the following idea to create Argon2id keys.
>
>Now we only need to memorize our Diceware passphrase.
>
>This task shoulb be carried out on an offline Computer.
>
>I am using four Golang programs, called dwp (diceware passphrase),
>dice2bip, leetspeak and argon2id, which you can find on my GitHub
>page at:
>
>https://github.com/stefanclaas/
>
>Usage of leetspeak is optional.
>
>First we start with dwp:
>
>$ dwp -r 6 -d eff_large_wordlist.txt -p
>Diceware number 1: 51534 - reselect
>Diceware number 2: 25455 - envelope
>Diceware number 3: 42252 - nuptials
>Diceware number 4: 35561 - lapping
>Diceware number 5: 26225 - expand
>Diceware number 6: 24453 - earpiece
>
>Complete passphrase: reselect envelope nuptials lapping expand earpiece

Calculated entropy: 77 Bits:

number of positions: 30 (6 x 5)
character pool: 1..6

| user15@o15:/tmp$ bc -lq
| 30 * l(6)/l(2)
| 77.54887502163468544431

Quote from <https://en.wikipedia.org/wiki/Diceware>:

| The level of unpredictability of a Diceware passphrase
| can be easily calculated: each word adds 12.9 bits of
| entropy to the passphrase [...]. Originally, in 1995,
| Diceware creator Arnold Reinhold considered five words
| (64.6 bits) the minimal length needed by average users.
| However, in 2014 Reinhold started recommending that at
| least six words (77.5 bits) be used.

[...]

>Our final result: b3ff9d34181c4771dd9ec993c78b2d5b2cc809024c9447f97468893f0d70e611

This result has an entropy of 77 Bits, too. IMHO.

Not 256 Bits, as you might think, as reshaping doesn't
add any amount of entropy, AFAIR.

Marcel (Lines: 63)
--
────╮ ╭────────╮ ╭──╮ ╭───────╮ ..60..╭───╮
╭──╯ ╰──────╮ ╰───╮ ╭─╯ ╰─╮ ╭───╮ ╰──╮ ╭─╯ ╭──╮ ..58..╭─╯ ╰──
╰─╮ ╭──╮ ╰──╮ ╰─╯ ╭───╯ ╰─╮ ╰───╮ │ │ │ ╰──╮ ╭───╯ ..67..
╰──╯ ╰───────╯ ╰────────╯ ╰─╯ ╰─────╯ ╰─╯ ..67..

Marcel Logen wrote:
> Stefan Claas in sci.crypt:
>
> > regarding my previous thread about memorizing a 128/256 bit key,
> > I came up with the following idea to create Argon2id keys.
> >
> > Now we only need to memorize our Diceware passphrase.
> >
> > This task shoulb be carried out on an offline Computer.
> >
> > I am using four Golang programs, called dwp (diceware passphrase),
> > dice2bip, leetspeak and argon2id, which you can find on my GitHub
> > page at:
> >
> > https://github.com/stefanclaas/
> >
> > Usage of leetspeak is optional.
> >
> > First we start with dwp:
> >
> > $ dwp -r 6 -d eff_large_wordlist.txt -p
> > Diceware number 1: 51534 - reselect
> > Diceware number 2: 25455 - envelope
> > Diceware number 3: 42252 - nuptials
> > Diceware number 4: 35561 - lapping
> > Diceware number 5: 26225 - expand
> > Diceware number 6: 24453 - earpiece
> >
> > Complete passphrase: reselect envelope nuptials lapping expand earpiece
>
> Calculated entropy: 77 Bits:
>
> number of positions: 30 (6 x 5)
> character pool: 1..6
>
> | user15@o15:/tmp$ bc -lq
> | 30 * l(6)/l(2)
> | 77.54887502163468544431
>
> Quote from <https://en.wikipedia.org/wiki/Diceware>:
>
> | The level of unpredictability of a Diceware passphrase
> | can be easily calculated: each word adds 12.9 bits of
> | entropy to the passphrase [...]. Originally, in 1995,
> | Diceware creator Arnold Reinhold considered five words
> | (64.6 bits) the minimal length needed by average users.
> | However, in 2014 Reinhold started recommending that at
> | least six words (77.5 bits) be used.
>
> [...]
>
> > Our final result: b3ff9d34181c4771dd9ec993c78b2d5b2cc809024c9447f97468893f0d70e611
>
> This result has an entropy of 77 Bits, too. IMHO.
>
> Not 256 Bits, as you might think, as reshaping doesn't
> add any amount of entropy, AFAIR.

You left out the important step of BIP39 usage, prior
generating the final key. My BIP39 program accepts any
strings, not only diceware passphrases.

Let alone leetspeak usage, so that Eve would never figure
out what combination was used.

People might argue that this is security by obsurity,
which I do not think, because it is made public, for
discussion and I also strongly believe that through
BIP39 usage the entropy is much more to generate a 256
bit Argon2id key.

The way you IMHO calculate the entropy, with bc, is
not what public entropy calculators do.

--
Regards
Stefan

Stefan Claas wrote:
> Marcel Logen wrote:
> > Stefan Claas in sci.crypt:
> >
> > > regarding my previous thread about memorizing a 128/256 bit key,
> > > I came up with the following idea to create Argon2id keys.
> > >
> > > Now we only need to memorize our Diceware passphrase.
> > >
> > > This task shoulb be carried out on an offline Computer.
> > >
> > > I am using four Golang programs, called dwp (diceware passphrase),
> > > dice2bip, leetspeak and argon2id, which you can find on my GitHub
> > > page at:
> > >
> > > https://github.com/stefanclaas/
> > >
> > > Usage of leetspeak is optional.
> > >
> > > First we start with dwp:
> > >
> > > $ dwp -r 6 -d eff_large_wordlist.txt -p
> > > Diceware number 1: 51534 - reselect
> > > Diceware number 2: 25455 - envelope
> > > Diceware number 3: 42252 - nuptials
> > > Diceware number 4: 35561 - lapping
> > > Diceware number 5: 26225 - expand
> > > Diceware number 6: 24453 - earpiece
> > >
> > > Complete passphrase: reselect envelope nuptials lapping expand earpiece
> >
> > Calculated entropy: 77 Bits:
> >
> > number of positions: 30 (6 x 5)
> > character pool: 1..6
> >
> > | user15@o15:/tmp$ bc -lq
> > | 30 * l(6)/l(2)
> > | 77.54887502163468544431
> >
> > Quote from <https://en.wikipedia.org/wiki/Diceware>:
> >
> > | The level of unpredictability of a Diceware passphrase
> > | can be easily calculated: each word adds 12.9 bits of
> > | entropy to the passphrase [...]. Originally, in 1995,
> > | Diceware creator Arnold Reinhold considered five words
> > | (64.6 bits) the minimal length needed by average users.
> > | However, in 2014 Reinhold started recommending that at
> > | least six words (77.5 bits) be used.

Ok. now with a russian wordlist and a seperator. Would Eve
know that I used another Diceware wordlist, along with BIP39,
for creating an Argon2id key ...???

There are a couple of wordlists and one can create his own.

$ dwp -r 6 -d russian.txt -p -s "*"
Diceware number 1: 41644 - лад
Diceware number 2: 13132 - башкир
Diceware number 3: 11654 - аполог
Diceware number 4: 62335 - ужин
Diceware number 5: 56323 - суржа
Diceware number 6: 15314 - вагон

Complete passphrase: лад*башкир*аполог*ужин*суржа*вагон

--
Regards
Stefan

Stefan Claas <pollux@tilde.club> wrote:
> $ argon2id -p \
"project clock spirit taste shoulder trumpet what system radio boat local sock pond gauge cancel hundred" \
-s "4nnu41 u61y fu31 v01d 3x3cu73 54u5463 4n613 kn33"
>
> ...
>
> So, all in all, we only have to remember the Diceware passphrase to reconstruct
> our encryption key.

I suggest you perform a test.

Today, attempt to memorize your dicewords/leetspeek example above.

Then, wait seven days.

Then, try to regurgitate it (without cheating) and see how well you did.

Then, wait fourteen days.

Repeat trying to remember it (without cheating).

Continue with longer intervals at your pleasure.

I predict that you will find it difficult to remember those random word
sententes after only a short timeframe, likely somewhere on the order
of 7-28 days.

Rich wrote:
> Stefan Claas <pollux@tilde.club> wrote:
> > $ argon2id -p \
> "project clock spirit taste shoulder trumpet what system radio boat local sock pond gauge cancel hundred" \
> -s "4nnu41 u61y fu31 v01d 3x3cu73 54u5463 4n613 kn33"
> >
> > ...
> >
> > So, all in all, we only have to remember the Diceware passphrase to reconstruct
> > our encryption key.
>
> I suggest you perform a test.
>
> Today, attempt to memorize your dicewords/leetspeek example above.
>
> Then, wait seven days.
>
> Then, try to regurgitate it (without cheating) and see how well you did.
>
> Then, wait fourteen days.
>
> Repeat trying to remember it (without cheating).
>
> Continue with longer intervals at your pleasure.
>
> I predict that you will find it difficult to remember those random word
> sententes after only a short timeframe, likely somewhere on the order
> of 7-28 days.

In my example above we have to memorize six words, without leetspeak.

reselect envelope nuptials lapping expand earpiece

If we write them down as two words per line, we have 3 lines of text
to remember, wich should be doable, like we learned much longer poems
at school, I would say.

I would also argue that one can replace words, they do not like, with
their own ones. Or one can completely omit the Diceware step and uses
his own passphrase with my dice2bip program.

For myself I do not use English words, I use German words.

--
Regards
Stefan

Stefan Claas <pollux@tilde.club> wrote:
> Rich wrote:
>> Stefan Claas <pollux@tilde.club> wrote:
>> > $ argon2id -p \
>> "project clock spirit taste shoulder trumpet what system radio boat local sock pond gauge cancel hundred" \
>> -s "4nnu41 u61y fu31 v01d 3x3cu73 54u5463 4n613 kn33"
>> >
>> > ...
>> >
>> > So, all in all, we only have to remember the Diceware passphrase to reconstruct
>> > our encryption key.
>>
>> I suggest you perform a test.
>>
>> Today, attempt to memorize your dicewords/leetspeek example above.
>>
>> Then, wait seven days.
>>
>> Then, try to regurgitate it (without cheating) and see how well you did.
>>
>> Then, wait fourteen days.
>>
>> Repeat trying to remember it (without cheating).
>>
>> Continue with longer intervals at your pleasure.
>>
>> I predict that you will find it difficult to remember those random word
>> sententes after only a short timeframe, likely somewhere on the order
>> of 7-28 days.
>
> In my example above we have to memorize six words, without leetspeak.
>
> reselect envelope nuptials lapping expand earpiece
>
> If we write them down as two words per line, we have 3 lines of text
> to remember, wich should be doable, like we learned much longer poems
> at school, I would say.
>
> I would also argue that one can replace words, they do not like, with
> their own ones. Or one can completely omit the Diceware step and uses
> his own passphrase with my dice2bip program.
>
> For myself I do not use English words, I use German words.

My point is: "Try for yourself to memorize one of these, for some length
of time".

If you want to use German words, use German words. But make one up
"six words", "eight words", "??? words", your choice.

Then do an actual "memory test". Try to memorize it, then give yourself
varying lengths of time between not 'remembering' it to see how well
you can retain the random words.

I predict you'll find that without periodic refreshment, that after an
unexpected short time, you'll have mis-remembered at least one word or
the order of at least one word.

Beyond the few 'memory savants', most human memories, without periodic
refreshing, are quite lossy. More like DRAM than SRAM.

Rich wrote:
> Stefan Claas <pollux@tilde.club> wrote:

> > In my example above we have to memorize six words, without leetspeak.
> >
> > reselect envelope nuptials lapping expand earpiece
> >
> > If we write them down as two words per line, we have 3 lines of text
> > to remember, wich should be doable, like we learned much longer poems
> > at school, I would say.
> >
> > I would also argue that one can replace words, they do not like, with
> > their own ones. Or one can completely omit the Diceware step and uses
> > his own passphrase with my dice2bip program.
> >
> > For myself I do not use English words, I use German words.
>
> My point is: "Try for yourself to memorize one of these, for some length
> of time".
>
> If you want to use German words, use German words. But make one up
> "six words", "eight words", "??? words", your choice.

I already did this a while ago with six German words and can still
rember them.
> Then do an actual "memory test". Try to memorize it, then give yourself
> varying lengths of time between not 'remembering' it to see how well
> you can retain the random words.

Ok. I will do.

> I predict you'll find that without periodic refreshment, that after an
> unexpected short time, you'll have mis-remembered at least one word or
> the order of at least one word.

Well, what would you suggest then, as an example, some cool selfmade rhymes,
easy to remember or a self made peom etc., spiced up with special chars
between the words?

Eve can't know for sure what we can come up with in our minds, can she?

> Beyond the few 'memory savants', most human memories, without periodic
> refreshing, are quite lossy. More like DRAM than SRAM.

Well, then old school saying: practice makes perfect.

BTW. Like I said, we can completely omit the Diceware step and use whatever
we want with BIP39 and Argon2id.

--
Regards
Stefan

Stefan Claas <pollux@tilde.club> wrote:
> Rich wrote:
>> Then do an actual "memory test". Try to memorize it, then give yourself
>> varying lengths of time between not 'remembering' it to see how well
>> you can retain the random words.
>
> Ok. I will do.
>
>> I predict you'll find that without periodic refreshment, that after an
>> unexpected short time, you'll have mis-remembered at least one word or
>> the order of at least one word.
>
> Well, what would you suggest then,

Dicewords, etc. are good, and have usefulnesses, but are not a panacea.

For some individuals with better memory ability, they will work well.
For a fairly large group of "general people" they will be ok provided
they get periodic refreshing (i.e., usage, to reinforce the memory).
And for some subset of "general people" they won't be able to remember
even six dicewords in their native language accurately the very next
day.

The solution, as Bruce Schriber has stated, is to "write them down" and
store the slip of paper in some reasonably secure manner (one of his
recommendations was on one's wallet). Naturally if dealing with
spycraft and border searches then this changes radically, but for that
usage all but the worst subset of memories could likely replay six dice
words in their head just long enough to make it through a border
crossing search (to be written down again on the other side of the
border).

They *very much* do improve over asking a human to remember something
like (this is just the md5sum of 1k of /dev/urandom data):

038d71180f7880dca1125e160e1258df

But for all but the, say, top 10% of memory ability folks, they will
need to be "using" the diceword phrase on a fairly regular basis to
have any hope of remembering them long term.

>> Beyond the few 'memory savants', most human memories, without periodic
>> refreshing, are quite lossy. More like DRAM than SRAM.
>
> Well, then old school saying: practice makes perfect.

For all but the bottom 10% of memory ability folks, likely yes, but
they do need a reason to 'practice' the phrase. Without that practice
they will have it quickly slip their mind.

For your reference, records indicate that
Stefan Claas <pollux@tilde.club> wrote:

> Well, what would you suggest then, as an example, some cool selfmade rhymes,
> easy to remember or a self made peom etc., spiced up with special chars
> between the words?

One semi-clever thing I did for encoding locations as words:

<https://www.impossiblystupid.com/node/227/?content=be-+-direction>

was to allow the word list to be used flexibly to construct more “meaningful” phrases.

> Eve can't know for sure what we can come up with in our minds, can she?

The mind is a poor random number generator, though. That’s probably what makes it so bad at memorizing random *anything*. So the tools we need are ones that add meaning, and do so without reducing unpredictability. A tall order, to be sure.

--
"Also . . . I can kill you with my brain."
River Tam, Trash, Firefly

Doc O'Leary wrote:
> For your reference, records indicate that
> Stefan Claas <pollux@tilde.club> wrote:
>
> > Well, what would you suggest then, as an example, some cool selfmade rhymes,
> > easy to remember or a self made peom etc., spiced up with special chars
> > between the words?
>
> One semi-clever thing I did for encoding locations as words:
>
> <https://www.impossiblystupid.com/node/227/?content=be-+-direction>
>
> was to allow the word list to be used flexibly to construct more “meaningful” phrases.

Really nice idea, thanks for sharing.
> > Eve can't know for sure what we can come up with in our minds, can she?
>
> The mind is a poor random number generator, though. That’s probably what makes it so bad at memorizing random *anything*. So the tools we need are ones that add meaning, and do so without reducing unpredictability. A tall order, to be sure.

Yes, and I always try to come up with something worth discussing IMHO.

--
Regards
Stefan

Stefan Claas wrote:
> Doc O'Leary wrote:
> > For your reference, records indicate that
> > Stefan Claas <pollux@tilde.club> wrote:
> >
> > > Well, what would you suggest then, as an example, some cool selfmade rhymes,
> > > easy to remember or a self made peom etc., spiced up with special chars
> > > between the words?
> >
> > One semi-clever thing I did for encoding locations as words:
> >
> > <https://www.impossiblystupid.com/node/227/?content=be-+-direction>
> >
> > was to allow the word list to be used flexibly to construct more “meaningful” phrases.
>
> Really nice idea, thanks for sharing.

BTW. I figured out something IMHO really nice.

When using my dice2bip program with a '0', for example, as passphrase value
I get the following BIP39 mnemonics:

$ dice2bip -passphrase 0
24-word mnemonic:
grow chronic river sand follow wide spell depth change exclude diet disease around couple buzz domain public addict pave focus top crane glue valid

And now comes the fun part.

Feeding this mnemonic into https://iancoleman.io/bip39/ and pressing
the Show entropy details, I have made the '0' 256 bit entropy so to speak
and could theoretically use the hex values as deterministic encryption key.

--
Regards
Stefan

Stefan Claas wrote:

> BTW. I figured out something IMHO really nice.
>
> When using my dice2bip program with a '0', for example, as passphrase value
> I get the following BIP39 mnemonics:
>
> $ dice2bip -passphrase 0
> 24-word mnemonic:
> grow chronic river sand follow wide spell depth change exclude diet disease around couple buzz domain public addict pave focus top crane glue valid
>
> And now comes the fun part.
>
> Feeding this mnemonic into https://iancoleman.io/bip39/ and pressing
> the Show entropy details, I have made the '0' 256 bit entropy so to speak
> and could theoretically use the hex values as deterministic encryption key.

I renamed my dice2bip program, on GitHub, to p2m (password to mnemonic)
and it has now a feature added to show the entropy, as hex value, of the
mnemonic phrase.

This allows one for example to use the mnemonic phrase from a Ledger Hardware
Wallet to use as 256 bit encryption key. :-D

--
Regards
Stefan

Stefan Claas in sci.crypt:

>Marcel Logen wrote:
>> Stefan Claas in sci.crypt:

[...]

>> > Our final result: b3ff9d34181c4771dd9ec993c78b2d5b2cc809024c9447f97468893f0d70e611
>>
>> This result has an entropy of 77 Bits, too. IMHO.

Oh, sorry. That is a result of Argon2.

Therefore there is an additional entropy feeded into
the result.

Marcel (Lines: 22)
--
╭─────────╮ ╭──╮ ╭───────╮ ..45..╭─────────────────────
╮ │ ╭──────╯ │ ╰──╯ ╭────╯ ╭──╮ ╰────╮ ╭───╮ ..67..
╰───╯ ╰───╮ ╭──╯ ╭─────╯ ╭─╮ ╭───╯ ╰───╮ ╰─╯ ╭─╯ ..67..
╰───╯ ╰──────────────╯ ╰─╯ ╰───────╯ ..67..

Rich wrote:
> Stefan Claas <pollux@tilde.club> wrote:
> > Rich wrote:
> > > Then do an actual "memory test". Try to memorize it, then give yourself
> > > varying lengths of time between not 'remembering' it to see how well
> > > you can retain the random words.
> >
> > Ok. I will do.
> >
> > > I predict you'll find that without periodic refreshment, that after an
> > > unexpected short time, you'll have mis-remembered at least one word or
> > > the order of at least one word.
> >
> > Well, what would you suggest then,
>
> Dicewords, etc. are good, and have usefulnesses, but are not a panacea.
>
> For some individuals with better memory ability, they will work well.
> For a fairly large group of "general people" they will be ok provided
> they get periodic refreshing (i.e., usage, to reinforce the memory).
> And for some subset of "general people" they won't be able to remember
> even six dicewords in their native language accurately the very next
> day.
>
> The solution, as Bruce Schriber has stated, is to "write them down" and
> store the slip of paper in some reasonably secure manner (one of his
> recommendations was on one's wallet). Naturally if dealing with
> spycraft and border searches then this changes radically, but for that
> usage all but the worst subset of memories could likely replay six dice
> words in their head just long enough to make it through a border
> crossing search (to be written down again on the other side of the
> border).
>
> They *very much* do improve over asking a human to remember something
> like (this is just the md5sum of 1k of /dev/urandom data):
>
> 038d71180f7880dca1125e160e1258df
>
> But for all but the, say, top 10% of memory ability folks, they will
> need to be "using" the diceword phrase on a fairly regular basis to
> have any hope of remembering them long term.
>
> > > Beyond the few 'memory savants', most human memories, without periodic
> > > refreshing, are quite lossy. More like DRAM than SRAM.
> >
> > Well, then old school saying: practice makes perfect.
>
> For all but the bottom 10% of memory ability folks, likely yes, but
> they do need a reason to 'practice' the phrase. Without that practice
> they will have it quickly slip their mind.

Ok, understood. Another approach without diceware.
Your thoughts please, gentlemen.

I will use four programs Argon2id, eh (Eurasia-Hasher (one can use the
SHA families instead)) p2m (password to mnemonic) and leetspeak. This
approach should allow many variations, because users can easily repeat
steps, mix them etc. One only has to remember his password/passphrase
(and a salt), like he usually does and variable steps, which should be
IMHO easy to remember.

$ argon2id -p mypassword -s mysalt
0d6cffc82dd3ccd149a3228d1a08cb1007b67cf4ad8c28083665f834478360d0

with leetspeak

$ argon2id -p mypassword -s mysalt | leetspeak
0d6cffc82dd3ccd14943228d1408c81007867cf44d8c28083665f834478360d0

$ p2m -password 0d6cffc82dd3ccd14943228d1408c81007867cf44d8c28083665f834478360d0
24-word mnemonic:
public tragic scan you once possible census drink fossil dragon surround
hammer joke position conduct easy zebra behave april tower couple duck
portion cube

Entropy (hex):
ad1cdf00ff99a9510952185be8436a34478550cbb22eff828c2bf3131287aa11

$ echo ad1cdf00ff99a9510952185be8436a34478550cbb22eff828c2bf3131287aa11 | eh -sm3
11424cb7f3a1fbd806283f23dac38cc067dfa560e99cc18126647ef65b12a8d0
(this hash sum is done with the chinese SM3 hash algo)

So, now I have a deterministic 256 bit key, from the last step.
(11424cb7f3a1fbd806283f23dac38cc067dfa560e99cc18126647ef65b12a8d0)

Like I said one can mix and repeat or omit steps to his heart content,
without remembering Diceware passphrases, while others can use Diceware.

I guess this is now a more flexible approach.

--
Regards
Stefan

Stefan Claas wrote:
> So, now I have a deterministic 256 bit key, from the last step.
> (11424cb7f3a1fbd806283f23dac38cc067dfa560e99cc18126647ef65b12a8d0)
>
> Like I said one can mix and repeat or omit steps to his heart content,
> without remembering Diceware passphrases, while others can use Diceware.

Another example of my technique.

$ echo mystrongpassword | eh (uses now the Russian GOST 256 bit hash)
264bc0c69892780c99992157d746cc1d07aad09eeb675421194662daed4b9826

$ echo 264bc0c69892780c99992157d746cc1d07aad09eeb675421194662daed4b9826 | half
lh: 264bc0c69892780c99992157d746cc1d
rh: 07aad09eeb675421194662daed4b9826

$ argon2id -p 07aad09eeb675421194662daed4b9826 -s 264bc0c69892780c99992157d746cc1d
864a8bfa28bad9211519c3fb985d603a733bc63ba232a2691db1c9316de3195c

$ p2m -password 864a8bfa28bad9211519c3fb985d603a733bc63ba232a2691db1c9316de3195c
24-word mnemonic:
nuclear fury senior little electric era uniform foster endless fatal badge episode
prison panic holiday bind owner crack keep odor unable roof swamp weird

Entropy (hex):
974bcf0ec1447698bb5ae049aa7045a5fab13f5b30b29e2639e74c9ec57776cf
(my final 256 bit encryption key)

or

$ p2m -password mystrongpassphrase
24-word mnemonic:
must age elephant behave essence ivory genuine student category laundry
jealous smile knee roof assume poet oxygen biology rather cannon coast
genius traffic very

Entropy (hex):
9200991f0a34d4edd856bb242fb5de6657b977437d399e42cec910b2ccc1f9b7

$ echo 9200991f0a34d4edd856bb242fb5de6657b977437d399e42cec910b2ccc1f9b7 | half
lh: 9200991f0a34d4edd856bb242fb5de66
rh: 57b977437d399e42cec910b2ccc1f9b7

$ argon2id -p --9200991f0a34d4edd856bb242fb5de66-- -s --57b977437
d399e42cec910b2ccc1f9b7--
042adaae85112a95b9de95405de75eae95b03e5676a7f9a9e047e324c8488139

and so on ... :-)

--
Regards
Stefan

Stefan Claas wrote:

> So, now I have a deterministic 256 bit key, from the last step.
> (11424cb7f3a1fbd806283f23dac38cc067dfa560e99cc18126647ef65b12a8d0)
>
> Like I said one can mix and repeat or omit steps to his heart content,
> without remembering Diceware passphrases, while others can use Diceware.
>
> I guess this is now a more flexible approach.

Now my p2m program has a -salt paramter and PDKDF2 support.

$ echo -n "Из России с любовью." | eh | half
lh: 8e3ac353eec771e6a4d0d6febf734ea4
rh: 9fe103803768f76acac3a1e4b8c3720e

$ p2m -password 9fe103803768f76acac3a1e4b8c3720e -salt 8e3ac353eec771e6a4d0d6febf734ea4
24-word mnemonic:
alert virus special loyal start another tornado avoid fire twist add crumble
advance atom crisp rich option holiday day knife inject use already click

Entropy (hex):
063e9343c24d4a13395880573d700c9a603e1c8cedca9bad98e03dd741df41c9

What I have not shown yet, is as initial step, to base(n) encode the
first password, to give even more variations, without using Diceware.

--
Regards
Stefan

For your reference, records indicate that
Stefan Claas <pollux@tilde.club> wrote:

> Ok, understood. Another approach without diceware.

I say you’re still focusing on the wrong part of the problem. Getting 24
random words is *not* a mnemonic! If there is any processing to do with
the bits, it is to make the randomness more humanly meaningful, or to
help with error correction for imperfect recall.

--
"Also . . . I can kill you with my brain."
River Tam, Trash, Firefly

Doc O'Leary wrote:
> For your reference, records indicate that
> Stefan Claas <pollux@tilde.club> wrote:
>
> > Ok, understood. Another approach without diceware.
>
> I say you’re still focusing on the wrong part of the problem. Getting 24
> random words is *not* a mnemonic! If there is any processing to do with
> the bits, it is to make the randomness more humanly meaningful, or to
> help with error correction for imperfect recall.

My p2m program uses a password and salt, with PDKDF2, and from that the
BIP39 mnemonic is generated and the entropy, instead of a random seed.

You can feed my examples into this form:

https://iancoleman.io/bip39/

So why do I focus on the wrong part? I do not understand. I like to make
it easy for users to generate a deterministic 256 bit key, or used as
password, while Eve and friends should now have a problem, due to the
many variations possible, to generate such a key. No Diceware usage, as
per Rich's comments. Instead easy to remember steps, with a couple of
programs.

--
Regards
Stefan

Stefan Claas wrote:

> My p2m program uses a password and salt, with PDKDF2, and from that the
> BIP39 mnemonic is generated and the entropy, instead of a random seed.

How about this ...

$ openssl rand -hex 64 | half
lh: 86d1ec11406024f86c24c24efde152e189a6119758ae7a5a026dbf85da53795d
rh: 2282d25a7234a333c45d4d3af7fa513c74bc42664389f99184eda428da2e8693

$ argon2id -p 2282d25a7234a333c45d4d3af7fa513c74bc42664389f99184eda428da2e8693
-s 86d1ec11406024f86c24c24efde152e189a6119758ae7a5a026dbf85da53795d

a770799128f1dc4e3ef9028c797b6bd6ffbfc5833dc4b0e3433dc606e6979aaa

I can't regenerate this 256 bit encryption key. :-(

But with p2m I can regenerate a 256 bit encryption key from a radom seed,
thanks to mnemonic words. :-)

--
Regards
Stefan