Return-Path: <ethankosakovsky@protonmail.com>
Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138])
by lists.linuxfoundation.org (Postfix) with ESMTP id D9A03C0177
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 22 Mar 2020 11:59:04 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by whitealder.osuosl.org (Postfix) with ESMTP id D1971875BD
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 22 Mar 2020 11:59:04 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from whitealder.osuosl.org ([127.0.0.1])
by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id B0fUiwqOzCKv
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 22 Mar 2020 11:59:02 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mail-40132.protonmail.ch (mail-40132.protonmail.ch
[185.70.40.132])
by whitealder.osuosl.org (Postfix) with ESMTPS id 7473287592
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 22 Mar 2020 11:59:02 +0000 (UTC)
Date: Sun, 22 Mar 2020 11:58:53 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
s=default; t=1584878339;
bh=Pj0mDWYlzsrtZjaRvNoT6w+hy/T8hYjJgBlWQgh9rx4=;
h=Date:To:From:Reply-To:Subject:In-Reply-To:References:From;
b=PcGLMRLJuUjg9Rg3nzf7X2/jrfCJjgQxxfHA3oWTHkuGs8NbTbfxenmHL2Q9tGs3L
OfJlqFj166yfjzSF5asFRLh72ieMl/ciixUL8Fx9gjPEhQlo0HGHBkqzVbXzK7at6n
vxcS9U+oMc7IFI6Jo+fy6ZzYqJu/pyVw2t2f1H4Y=
To: Ethan Kosakovsky <ethankosakovsky@protonmail.com>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
From: Ethan Kosakovsky <ethankosakovsky@protonmail.com>
Reply-To: Ethan Kosakovsky <ethankosakovsky@protonmail.com>
Message-ID: <S90SB9DcluBjzhnWrbT1Urh61XgVcn6ynEU7EGsfR-UhGGMxPOXMuJdwM0BPtdAcIaL22B4zR0Pooe4Yaoi0zBPFnnwQ4WSSpL7FoW4OOBA=@protonmail.com>
In-Reply-To: <_CC9MLKCy5rmooAmR91_34tQxgDiXDJCdY4W6_X6xqDJUiAEuaWBVi8iBaFipx2KGt5_mf5XqFKMfoNgemTPCMgraWt5CVRifUM5iMolxto=@protonmail.com>
References: <_CC9MLKCy5rmooAmR91_34tQxgDiXDJCdY4W6_X6xqDJUiAEuaWBVi8iBaFipx2KGt5_mf5XqFKMfoNgemTPCMgraWt5CVRifUM5iMolxto=@protonmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Sun, 22 Mar 2020 12:22:22 +0000
Subject: Re: [bitcoin-dev] RFC: Deterministic Entropy From BIP32 Keychains
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Mar 2020 11:59:05 -0000
I have completely revised the wording of this proposal; I hope to be clearer in explaining the motivation and methodology.
https://gist.github.com/ethankosakovsky/268c52f018b94bea29a6e809381c05d6
Ethan
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, March 20, 2020 4:44 PM, Ethan Kosakovsky via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> I would like to present a proposal for discussion and peer review. It aims to solve the problem of "too many seeds and too many backups" due to the many reasons stipulated in the proposal text.
>
> https://gist.githubusercontent.com/ethankosakovsky/f7d148f588d14e0bb4f70bb6afc509d0/raw/6da51e837b0e1f1b2b21f3d4cbc2c5a87969ffd5/bip-entropy-from-bip32.mediawiki
>
> <pre>
> BIP:
> Title: Deterministic Entropy From BIP32 Keychains
> Author: Ethan Kosakovsky ethankosakovsky@protonmail.com
> Comments-Summary: No comments yet.
> Comments-URI:
> Status: Proposed
> Type: Standards Track
> Created: 2020-03-20
> License: BSD-2-Clause
> OPL
> </pre>
>
> ==Abstract==
>
> This proposal provides a way to derive entropy from an HD keychain path in order to deterministically derive the initial entropy used to create keychain mnemonics and seeds.
>
> ==Motivation==
>
> BIP32 uses some initial entropy as a seed to deterministically derive a BIP32 root for hierarchical deterministic keychains. BIP39 introduced a method of encoding initial entropy into a mnemonic phrase which is used as input to a one-way hash function in order to deterministically derive a BIP32 seed. The motivation behind mnemonic phrases was to make it easier for humans to back up and store offline. There are also other variations of this theme.
>
> The initial motivation of BIP32 was to make handling of large numbers of private keys easier to manage and back up, since you only need one BIP32 seed to cover all possible keys in the keychain. In practice, however, due to various wallet implementations and security models, the average user may be faced with the need to handle an ever-growing number of seeds/mnemonics. This is due to incompatible wallet standards, hardware wallets (HWW), seed formats and standards, as well as the need to use a mix of hot and cold wallets depending on the application and environment.
>
> Examples would span wallets on mobile phones, online servers running protocols like Join Market or Lightning, and the difference between Electrum and BIP39 mnemonic seed formats. The reference implementation of Bitcoin Core uses BIP32, while other cryptocurrencies like Monero use different mnemonic encoding schemes.
>
> We must also consider the different variety of physical backups including paper, metal and other physical storage devices, as well as the potential splitting of backups across different geographical locations. This complexity may result in less care being taken with subsequently generated seeds for new wallets that need to be stored, and it ultimately results in less security. In reality, the idea of having "one seed for all" has proven to be more difficult in practice than originally thought.
>
> Since all these derivation schemes are deterministic based on some initial entropy, this proposal aims to solve the above problems by detailing a way to deterministically derive the initial entropy used for new root keychains using a single BIP32 style "master root key". This will allow one root key or mnemonic to derive any variety of different root keychains in whatever format is required (like BIP32 and BIP39 etc).
>
> ==Specification==
>
> Input starts with a BIP32 seed. Derivation scheme uses the format `m/83696968'/type'/index'` where `type` is the final seed type, and `index` is the key index of the hardened child private key.
>
> type | bits | output
> ---- | ---- | -------------------------
> 0    | 128  | 12 word BIP39 mnemonic
> 1    | 256  | 24 word BIP39 mnemonic
> 2    | 128  | 12 word Electrum mnemonic
> 3    | 256  | 24 word Electrum mnemonic
> 4    | 256  | WIF for Bitcoin Core
> 5    | 256  | 25 word Monero mnemonic
>
> Entropy is calculated from the HMAC-SHA512(key=k, msg='bip-entropy-from-bip32') of the derived 32-byte private key (k). Entropy is taken from the result according to the number of bits required. This entropy can then be used as input to derive a mnemonic, wallet etc according to the `type` specified.
>
> ==Compatibility==
>
> In order to maintain the widest compatibility, the input to this function is a BIP32 seed, which may or may not have been derived from a BIP39-like mnemonic scheme. This maintains the original motivation that one backup can store any and all child derivation schemes depending on the user's preference or hardware signing devices. For example, devices that store the HD seed as a BIP39 mnemonic, Electrum seed, or BIP32 root key would all be able to implement this standard.
>
> ==Discussion==
>
> This proposal could be split into multiple discrete BIPs in the same way that BIP32 described the derivation mechanics, BIP39 the input encoding with mnemonics, and the derivation paths like BIP44, BIP49 and BIP84. This has been avoided to reduce complexity. The resulting private key is processed with HMAC-SHA512 and truncated as necessary. HMAC-SHA512 was chosen because it may have better compatibility in embedded devices as it's already required in devices supporting BIP32.
>
> ==Test Vectors==
>
> ===Test case 1===
>
> MASTER BIP39 SEED INPUT: angle fabric town envelope music diet bind employ giant era attitude exit final oval one finger decorate pair useless super method float toddler dance
> MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2xNoceSiUtx8Wb8Fcrk9FUfzD3MLT4eFx5NbBuof9Mwrf7CCbfGJNehNRHvrXnWvy9FtWVaeNggsSKT57GNk7jpk1PRzZDp
> PATH: m/83696968'/0'/0'
> BITS REQUIRED: 128
>
> DERIVED CHILD WIF=L3cefeCHyo8jczVjckMxaiPBaPUunc3D8CsjRxYbYp3FhasGpsV3
> DERIVED CHILD k=bed343b04ba0216d9eeebff0366b61c4179d90d44b61c716ef6d568836ba4d23
> CHILD ENTROPY=6458698fae3578b48a64124ea3514e12
> CONVERT ENTROPY TO WIF=KwDiBf89QgGbjEhKnhXJuH7T2Vv72UKQA8KRkmNwVFS2znAS5xb9
> CHILD BIP39 MNEMONIC=gold select glue fragile fiscal fog civil liquid exchange box fatal caught
> CHILD BIP39 SEED=2a2720e5590d4ec3140e51ba1b0b0a5183222c1668977c8a57572b0ea55d238cd8e899b3b1870e48894ca837e41e5d0db07554715efb21556fdde27f9f7ba153
> CHILD BIP32 ROOT KEY=xprv9s21ZrQH143K2ZH5qacptquLGvcYpHSNeyFVCU8Ur4u9kocajbBgcaCbHkGbwDsBR661H29F54j5mz14kwXbY9PZKdNRdjgRcGfshBK9XXb
>
> ===Test case 2===
>
> MASTER BIP39 SEED INPUT: angle fabric town envelope music diet bind employ giant era attitude exit final oval one finger decorate pair useless super method float toddler dance
> MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2xNoceSiUtx8Wb8Fcrk9FUfzD3MLT4eFx5NbBuof9Mwrf7CCbfGJNehNRHvrXnWvy9FtWVaeNggsSKT57GNk7jpk1PRzZDp
> PATH: m/83696968'/1'/0'
> BITS REQUIRED: 256
>
> DERIVED CHILD WIF=L1zCbtnDWUN4vJA3De4sxmJnoRim57CQUuBb4KBoRNs2EMEq2Brg
> DERIVED CHILD k=8e3ca6054a6303f4a6a1bcbda6134c9802f4f0a0d76b0ee6b69b06b1e80b2192
> CHILD ENTROPY=ec4e2f7e2c3fca9a34fa29747bf8ba0ab7f05136f37e134e2457e9e53639670b
> CONVERT ENTROPY TO WIF=L594JSCygt2wBaB9mCpXjiLkkxkEojpBdNXG8UrrdLd2LvPBRMUs
> CHILD BIP39 MNEMONIC=unable imitate test flash witness escape stadium early inner thank company betray lecture chuckle swift hurt battle illness bicycle stable fat bronze order high
> CHILD BIP39 SEED=73509b0e847ee66bddeb098a55063d73e8c6dd5f1c1db6969c668bb54c19bde6eae8acc29a81118d1d9719fa1bc620fee7edd7c15a17bcaf70b0fdfc0c0c3803
> CHILD BIP32 ROOT KEY=xprv9s21ZrQH143K4PfLyyjYLVmKbnUTNFK6Y7jPKWfRZB3iSw1Gy9qowEzkYHfetVabfmjHEEPrcTJbh7chae33Sm9uAjuXzhSL6Li8dcwM9Bm
>
> ===Test case 3===
>
> MASTER BIP39 SEED INPUT: angle fabric town envelope music diet bind employ giant era attitude exit final oval one finger decorate pair useless super method float toddler dance
> MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2xNoceSiUtx8Wb8Fcrk9FUfzD3MLT4eFx5NbBuof9Mwrf7CCbfGJNehNRHvrXnWvy9FtWVaeNggsSKT57GNk7jpk1PRzZDp
> PATH: m/83696968'/4'/0'
> BITS REQUIRED: 256
>
> DERIVED CHILD WIF=KwdD5PYnCU3xQDfFJ6XBf6UDaLrTUxrKmBpdjRuuavWyqAQtpaA2
> DERIVED CHILD k=0c169ce2c17bea08512a7519769e365242a1562bd63c4c903daef516000efbf2
> CHILD ENTROPY=25573247f8a76799f7abc086b9286b5a7ccb03cb8d3550f48ac1e71d90832974
> CONVERT ENTROPY TO WIF=KxUJ8VzMk7uWDEcwYjLRzRMGE6sSpwCfQxkE9GEwAvXhFSDNba9G
> CHILD BIP39 MNEMONIC=census ridge music vanish island smooth team job mammal sing bracket reject smile limit comfort pluck extend picture race soda suit dose place obtain
> CHILD BIP39 SEED=4e5c82be6455ecf0884d9475435e29a9afb9acf70b07296d7e5039c866e4d54647706918b9d14909dfbd7071a4b7aee8a4ad0ac2bf48f0a09a8899dd28564418
> CHILD BIP32 ROOT KEY=xprv9s21ZrQH143K2kekJsK9V6t4ZKwHkY1Q3umxuaAhdZKGxCMpHiddLdYUQBoynszpwnk5upoC788LiT5MZ5q1vUABXG7AMyZK5UjD9iyL7Am
>
> ==References==
>
> BIP32, BIP39
>
> ==Copyright==
>
> This BIP is dual-licensed under the Open Publication License and BSD 2-clause license.
>
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
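The derivation the quoted draft specifies, written out as an added example that is not part of the original post or of the proposal's own code: it takes a BIP39 mnemonic to its seed, walks the all-hardened path m/83696968'/type'/index' (hardened CKDpriv needs only HMAC-SHA512 and a modular addition, no elliptic-curve point arithmetic, which is the embedded-device argument the draft makes for HMAC-SHA512), applies the HMAC-SHA512(key=k, msg='bip-entropy-from-bip32') entropy step, and encodes WIF for the type-4 output. Two points the draft leaves implicit are assumptions here and are marked as such in the code: the entropy is the leading bits of the HMAC digest, and 128-bit entropy is left-padded to 32 bytes before WIF encoding (the KwDiBf89... prefix of test case 1's converted WIF is consistent with that). The BIP39 mnemonic encoding of the entropy is omitted because it needs the 2048-word list. All function names are this example's own.

```python
import hashlib
import hmac
import unicodedata

# secp256k1 group order: BIP32 child private keys are computed modulo n.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000
PURPOSE = 83696968                        # first element of m/83696968'/type'/index'
ENTROPY_TAG = b"bip-entropy-from-bip32"   # HMAC message named in the draft
TYPE_BITS = {0: 128, 1: 256, 2: 128, 3: 256, 4: 256, 5: 256}  # the draft's type table
B58 = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def bip39_seed(mnemonic, passphrase=""):
    """BIP39 mnemonic -> 64-byte seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase."""
    pw = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", pw, salt, 2048, dklen=64)


def bip32_master(seed):
    """BIP32 master node: I = HMAC-SHA512(key='Bitcoin seed', msg=seed); k = I[:32], chain code = I[32:]."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    if not 0 < int.from_bytes(i[:32], "big") < SECP256K1_N:  # BIP32: such a seed is invalid
        raise ValueError("seed yields an invalid master key")
    return i[:32], i[32:]


def ckd_priv_hardened(k_par, c_par, index):
    """BIP32 CKDpriv for a hardened index. Only the parent private key and chain code are
    needed, so the all-hardened path of this scheme never touches secp256k1 point arithmetic."""
    if index < HARDENED:
        raise ValueError("this scheme only derives hardened children")
    data = b"\x00" + k_par + index.to_bytes(4, "big")
    i = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    k = (il + int.from_bytes(k_par, "big")) % SECP256K1_N
    if il >= SECP256K1_N or k == 0:  # probability ~2^-127; BIP32 says skip to the next index
        raise ValueError("invalid child key at this index")
    return k.to_bytes(32, "big"), i[32:]


def derive_k(seed, app_type, index):
    """Walk m/83696968'/type'/index' from a BIP32 seed and return the 32-byte child private key k."""
    k, c = bip32_master(seed)
    for level in (PURPOSE, app_type, index):
        k, c = ckd_priv_hardened(k, c, level | HARDENED)
    return k


def entropy_from_k(k, bits):
    """Entropy step from the draft: HMAC-SHA512(key=k, msg='bip-entropy-from-bip32') truncated to `bits`.
    Assumption (not stated in the draft): the leading bits of the digest are the ones kept."""
    if bits % 8 or not 0 < bits <= 512:
        raise ValueError("bits must be a multiple of 8 and at most 512")
    return hmac.new(k, ENTROPY_TAG, hashlib.sha512).digest()[: bits // 8]


def derive_entropy(seed, app_type, index):
    """Full pipeline for one type/index pair; the output length comes from the draft's table."""
    return entropy_from_k(derive_k(seed, app_type, index), TYPE_BITS[app_type])


def b58check(payload):
    """Base58Check (double-SHA256 checksum), the encoding WIF uses."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), bytearray()
    while n:
        n, r = divmod(n, 58)
        out.append(B58[r])
    leading = len(data) - len(data.lstrip(b"\x00"))
    return (B58[:1] * leading + bytes(reversed(out))).decode()


def wif_compressed(secret):
    """Mainnet compressed-key WIF: 0x80 || 32-byte secret || 0x01, Base58Check encoded.
    Shorter entropy is left-padded to 32 bytes (assumption, consistent with the draft's type-0 vector prefix)."""
    return b58check(b"\x80" + secret.rjust(32, b"\x00") + b"\x01")


if __name__ == "__main__":
    # Inputs of the quoted test cases, recomputed here so the reader can compare against the vectors above.
    mnemonic = ("angle fabric town envelope music diet bind employ giant era attitude exit "
                "final oval one finger decorate pair useless super method float toddler dance")
    seed = bip39_seed(mnemonic)
    for app_type in (0, 1, 4):  # test cases 1..3 use types 0, 1 and 4, all at index 0
        k = derive_k(seed, app_type, 0)
        ent = derive_entropy(seed, app_type, 0)
        print(f"m/{PURPOSE}'/{app_type}'/0'")
        print("  DERIVED CHILD k        =", k.hex())
        print("  DERIVED CHILD WIF      =", wif_compressed(k))
        print("  CHILD ENTROPY          =", ent.hex())
        print("  CONVERT ENTROPY TO WIF =", wif_compressed(ent))
```

Running it prints the derived k, both WIFs and the entropy for the three quoted test cases so they can be compared line by line against the vectors above. A mismatch would most likely point at one of the two stated assumptions, or at the key/message ordering in the HMAC call, which is exactly the kind of ambiguity a specification's test vectors exist to pin down before independent implementations diverge on it.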