Date: Fri, 20 Mar 2020 15:44:01 +0000
To: "bitcoin-dev@lists.linuxfoundation.org"
 <bitcoin-dev@lists.linuxfoundation.org>
From: Ethan Kosakovsky <ethankosakovsky@protonmail.com>
Reply-To: Ethan Kosakovsky <ethankosakovsky@protonmail.com>
Subject: [bitcoin-dev] RFC: Deterministic Entropy From BIP32 Keychains
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>

I would like to present a proposal for discussion and peer review. It aims to solve the problem of "too many seeds and too many backups" due to the many reasons stipulated in the proposal text.

https://gist.githubusercontent.com/ethankosakovsky/f7d148f588d14e0bb4f70bb6afc509d0/raw/6da51e837b0e1f1b2b21f3d4cbc2c5a87969ffd5/bip-entropy-from-bip32.mediawiki

<pre>
  BIP:
  Title: Deterministic Entropy From BIP32 Keychains
  Author: Ethan Kosakovsky <ethankosakovsky@protonmail.com>
  Comments-Summary: No comments yet.
  Comments-URI:
  Status: Proposed
  Type: Standards Track
  Created: 2020-03-20
  License: BSD-2-Clause
           OPL
</pre>

==Abstract==

This proposal provides a way to derive entropy from a HD keychain path in order to deterministically derive the initial entropy used to create keychain mnemonics and seeds.

==Motivation==

BIP32 uses some initial entropy as a seed to deterministically derive a BIP32 root for hierarchical deterministic keychains. BIP39 introduced a method of encoding initial entropy into a mnemonic phrase which is used as input to a one-way hash function in order to deterministically derive a BIP32 seed. The motivation behind mnemonic phrases was to make it easier for humans to back up and store offline. There are also other variations of this theme.

The initial motivation of BIP32 was to make large numbers of private keys easier to manage and back up, since you only need one BIP32 seed to cover all possible keys in the keychain. In practice, however, due to various wallet implementations and security models, the average user may be faced with the need to handle an ever-growing number of seeds/mnemonics. This is due to incompatible wallet standards, hardware wallets (HWW), seed formats and standards, as well as the need to use a mix of hot and cold wallets depending on the application and environment.

Examples would span wallets on mobile phones, online servers running protocols like Join Market or Lightning, and the difference between Electrum and BIP39 mnemonic seed formats. The reference implementation of Bitcoin Core uses BIP32, while other cryptocurrencies like Monero use different mnemonic encoding schemes.

We must also consider the variety of physical backups, including paper, metal and other physical storage devices, as well as potentially splitting backups across different geographical locations. This complexity may result in less care being taken with how subsequently generated seeds for new wallets are stored, and it ultimately results in less security. In reality, the idea of having "one seed for all" has proven to be more difficult in practice than originally thought.

Since all these derivation schemes are deterministic based on some initial entropy, this proposal aims to solve the above problems by detailing a way to deterministically derive the initial entropy used for new root keychains using a single BIP32-style "master root key". This will allow one root key or mnemonic to derive any variety of different root keychains in whatever format is required (like BIP32 and BIP39 etc).

==Specification==

The input is a BIP32 seed. The derivation scheme uses the format `m/83696968'/type'/index'`, where `type` is the final seed type and `index` is the key index of the hardened child private key.

| type | bits| output                    |
|------|-----|---------------------------|
|   0  | 128 | 12 word BIP39 mnemonic    |
|   1  | 256 | 24 word BIP39 mnemonic    |
|   2  | 128 | 12 word Electrum mnemonic |
|   3  | 256 | 24 word Electrum mnemonic |
|   4  | 256 | WIF for Bitcoin Core      |
|   5  | 256 | 25 word Monero mnemonic   |

Entropy is calculated as HMAC-SHA512(key=k, msg='bip-entropy-from-bip32'), where k is the derived 32-byte private key. Entropy is taken from the result according to the number of bits required. This entropy can then be used as input to derive a mnemonic, wallet etc according to the `type` specified.
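The derivation described above, as an added example in Python (not code from the proposal or its author; the function names are this example's own). It walks the all-hardened path from the master root key printed in the Test Vectors section, which needs only HMAC-SHA512 and addition modulo the secp256k1 group order, and it assumes the leading bits of the HMAC output are the ones taken, since the text does not say which bits are used.

```python
import hashlib
import hmac

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 order
HARDENED = 0x80000000
MSG = b"bip-entropy-from-bip32"  # HMAC message given in the Specification
# Master root key printed in the proposal's test vectors
XPRV = ("xprv9s21ZrQH143K2xNoceSiUtx8Wb8Fcrk9FUfzD3MLT4eFx5Nb"
        "Buof9Mwrf7CCbfGJNehNRHvrXnWvy9FtWVaeNggsSKT57GNk7jpk1PRzZDp")

def decode_xprv(xprv):
    """Base58Check-decode an xprv into (private key as int, chain code)."""
    num = 0
    for ch in xprv:
        num = num * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    raw = num.to_bytes(82, "big")       # 78-byte payload + 4-byte checksum
    payload, checksum = raw[:78], raw[78:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        raise ValueError("bad xprv checksum")
    if payload[45] != 0:
        raise ValueError("not a private extended key")
    return int.from_bytes(payload[46:78], "big"), payload[13:45]

def ckd_hardened(k, chain, index):
    """BIP32 hardened private child derivation (integer arithmetic only)."""
    data = b"\x00" + k.to_bytes(32, "big") + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    child = (il + k) % N
    if il >= N or child == 0:
        raise ValueError("invalid child key at this index")
    return child, digest[32:]

def derive_entropy(xprv, seed_type, index, bits):
    """Walk m/83696968'/type'/index'; return (child key k, entropy bytes)."""
    if bits % 8 or not 0 < bits <= 512:
        raise ValueError("bits must be a multiple of 8 and at most 512")
    k, chain = decode_xprv(xprv)
    for step in (83696968, seed_type, index):
        if not 0 <= step < HARDENED:
            raise ValueError("path element out of range")
        k, chain = ckd_hardened(k, chain, step)
    key = k.to_bytes(32, "big")
    # Assumption: the leading bits of the HMAC output are the ones taken.
    return key, hmac.new(key, MSG, hashlib.sha512).digest()[: bits // 8]

if __name__ == "__main__":
    k, entropy = derive_entropy(XPRV, 0, 0, 128)  # path of Test case 1
    print("k =", k.hex(), "entropy =", entropy.hex())
```

Running the script prints the child key and entropy for the path of Test case 1, for comparison with the values listed in the Test Vectors section.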

==Compatibility==

In order to maintain the widest compatibility, the input to this function is a BIP32 seed, which may or may not have been derived from a BIP39-like mnemonic scheme. This maintains the original motivation that one backup can store any and all child derivation schemes depending on the user's preference or hardware signing devices. For example, devices that store the HD seed as a BIP39 mnemonic, Electrum seed, or BIP32 root key would all be able to implement this standard.

==Discussion==

This proposal could be split into multiple discrete BIPs in the same way that BIP32 described the derivation mechanics, BIP39 the input encoding with mnemonics, and the derivation paths like BIP44, BIP49 and BIP84. This has been avoided to reduce complexity. The resulting private key is processed with HMAC-SHA512 and truncated as necessary. HMAC-SHA512 was chosen because it may have better compatibility in embedded devices as it's already required in devices supporting BIP32.

==Test Vectors==

===Test case 1===

MASTER BIP39 SEED INPUT: angle fabric town envelope music diet bind employ giant era attitude exit final oval one finger decorate pair useless super method float toddler dance
MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2xNoceSiUtx8Wb8Fcrk9FUfzD3MLT4eFx5NbBuof9Mwrf7CCbfGJNehNRHvrXnWvy9FtWVaeNggsSKT57GNk7jpk1PRzZDp
PATH: m/83696968'/0'/0'
BITS REQUIRED: 128

DERIVED CHILD WIF=L3cefeCHyo8jczVjckMxaiPBaPUunc3D8CsjRxYbYp3FhasGpsV3
DERIVED CHILD k=bed343b04ba0216d9eeebff0366b61c4179d90d44b61c716ef6d568836ba4d23
CHILD ENTROPY=6458698fae3578b48a64124ea3514e12
CONVERT ENTROPY TO WIF=KwDiBf89QgGbjEhKnhXJuH7T2Vv72UKQA8KRkmNwVFS2znAS5xb9
CHILD BIP39 MNEMONIC=gold select glue fragile fiscal fog civil liquid exchange box fatal caught
CHILD BIP39 SEED=2a2720e5590d4ec3140e51ba1b0b0a5183222c1668977c8a57572b0ea55d238cd8e899b3b1870e48894ca837e41e5d0db07554715efb21556fdde27f9f7ba153
CHILD BIP32 ROOT KEY=xprv9s21ZrQH143K2ZH5qacptquLGvcYpHSNeyFVCU8Ur4u9kocajbBgcaCbHkGbwDsBR661H29F54j5mz14kwXbY9PZKdNRdjgRcGfshBK9XXb


===Test case 2===

MASTER BIP39 SEED INPUT: angle fabric town envelope music diet bind employ giant era attitude exit final oval one finger decorate pair useless super method float toddler dance
MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2xNoceSiUtx8Wb8Fcrk9FUfzD3MLT4eFx5NbBuof9Mwrf7CCbfGJNehNRHvrXnWvy9FtWVaeNggsSKT57GNk7jpk1PRzZDp
PATH: m/83696968'/1'/0'
BITS REQUIRED: 256

DERIVED CHILD WIF=L1zCbtnDWUN4vJA3De4sxmJnoRim57CQUuBb4KBoRNs2EMEq2Brg
DERIVED CHILD k=8e3ca6054a6303f4a6a1bcbda6134c9802f4f0a0d76b0ee6b69b06b1e80b2192
CHILD ENTROPY=ec4e2f7e2c3fca9a34fa29747bf8ba0ab7f05136f37e134e2457e9e53639670b
CONVERT ENTROPY TO WIF=L594JSCygt2wBaB9mCpXjiLkkxkEojpBdNXG8UrrdLd2LvPBRMUs
CHILD BIP39 MNEMONIC=unable imitate test flash witness escape stadium early inner thank company betray lecture chuckle swift hurt battle illness bicycle stable fat bronze order high
CHILD BIP39 SEED=73509b0e847ee66bddeb098a55063d73e8c6dd5f1c1db6969c668bb54c19bde6eae8acc29a81118d1d9719fa1bc620fee7edd7c15a17bcaf70b0fdfc0c0c3803
CHILD BIP32 ROOT KEY=xprv9s21ZrQH143K4PfLyyjYLVmKbnUTNFK6Y7jPKWfRZB3iSw1Gy9qowEzkYHfetVabfmjHEEPrcTJbh7chae33Sm9uAjuXzhSL6Li8dcwM9Bm


===Test case 3===

MASTER BIP39 SEED INPUT: angle fabric town envelope music diet bind employ giant era attitude exit final oval one finger decorate pair useless super method float toddler dance
MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2xNoceSiUtx8Wb8Fcrk9FUfzD3MLT4eFx5NbBuof9Mwrf7CCbfGJNehNRHvrXnWvy9FtWVaeNggsSKT57GNk7jpk1PRzZDp
PATH: m/83696968'/4'/0'
BITS REQUIRED: 256

DERIVED CHILD WIF=KwdD5PYnCU3xQDfFJ6XBf6UDaLrTUxrKmBpdjRuuavWyqAQtpaA2
DERIVED CHILD k=0c169ce2c17bea08512a7519769e365242a1562bd63c4c903daef516000efbf2
CHILD ENTROPY=25573247f8a76799f7abc086b9286b5a7ccb03cb8d3550f48ac1e71d90832974
CONVERT ENTROPY TO WIF=KxUJ8VzMk7uWDEcwYjLRzRMGE6sSpwCfQxkE9GEwAvXhFSDNba9G
CHILD BIP39 MNEMONIC=census ridge music vanish island smooth team job mammal sing bracket reject smile limit comfort pluck extend picture race soda suit dose place obtain
CHILD BIP39 SEED=4e5c82be6455ecf0884d9475435e29a9afb9acf70b07296d7e5039c866e4d54647706918b9d14909dfbd7071a4b7aee8a4ad0ac2bf48f0a09a8899dd28564418
CHILD BIP32 ROOT KEY=xprv9s21ZrQH143K2kekJsK9V6t4ZKwHkY1Q3umxuaAhdZKGxCMpHiddLdYUQBoynszpwnk5upoC788LiT5MZ5q1vUABXG7AMyZK5UjD9iyL7Am

==References==

BIP32, BIP39

==Copyright==

This BIP is dual-licensed under the Open Publication License and BSD 2-clause license.