Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of me.com
	designates 17.172.220.236 as permitted sender)
	client-ip=17.172.220.236; envelope-from=jeanpaulkogelman@me.com;
	helo=st11p02mm-asmtp001.mac.com; 
MIME-version: 1.0
Content-type: multipart/alternative;
	boundary="Boundary_(ID_6v39sDBKz5LmGaScvSoOlg)"
To: bitcoin-development@lists.sourceforge.net
From: Jean-Paul Kogelman <jeanpaulkogelman@me.com>
Date: Fri, 19 Jul 2013 17:46:44 +0000 (GMT)
Message-id: <20ec1e35-3051-45d6-b449-e4a4d5c06dc8@me.com>
Subject: [Bitcoin-development] [RFC] Proposal: Base58 encoded HD Wallet
 master seed with optional encryption
Precedence: list


--Boundary_(ID_6v39sDBKz5LmGaScvSoOlg)
Content-type: text/plain; charset=utf-8; format=flowed
Content-transfer-encoding: quoted-printable

=0AHi everyone,=0A=0AI'm looking for feedback on the proposal below.=0A=0A=
Kind regards,=0A=0AJean-Paul=0A=0A---=0ABIP:=C2=A0=0ATitle: Base58 encoded=
 HD Wallet master seed with optional encryption=0AAuthor: Jean-Paul Kogelm=
an=0AStatus: Draft=0AType: Informational=0ACreated: 17-07-2013=0A=0AAbstra=
ct=0A=0AThis proposal describes a method for encoding and optionally encry=
pting a Bitcoin Hierarchical Deterministic (HD) Wallet master seed. Encode=
d master seeds are intended for use on paper wallets. Each string contains=
 all the information needed to verify and reconstitute an HD wallet except=
 for the optional passphrase. The encrypted version uses salting and scryp=
t to resist brute-force attacks.=0A=0AThe method provides two encoding met=
hodologies in 3 lengths each (16, 32 and 64 byte seeds). One is a clear ve=
rsion of the master seed with verification information for integrity check=
ing and the other is an encrypted representation.=0A=0AA 32-bit hash of th=
e resulting master Bitcoin public address is encoded in plain text within =
each seed record, so in the case of an encrypted seed, it can be correlate=
d to a Bitcoin public address with reasonable probability by someone not k=
nowing the passphrase. The complete Bitcoin public address can be derived =
through successful decoding and optional decryption of the master seed rec=
ord.=0A=0A=0AMotivation=0A=0AThe extended private keys proposed in BIP 003=
2 are long, fixed length records and don't offer any form of security. The=
 master seed used to generate the HD wallet is typically shorter than the =
extended master private key that results from it.=C2=A0=0A=0AA compact rep=
resentation of the master seed is easier to handle and a 2-factor version =
of the master seed record allows for safe storage and the creation of pape=
r wallets by 3rd parties.=C2=A0=0A=0A=0ACopyright=0A=0AThis proposal is he=
reby placed in the public domain.=0A=0A=0ARationale=0A=0AUser story: As a =
Bitcoin user who uses HD wallets, I would like the ability to store my wal=
let master seed in a compact form as a paper wallet.=0A=0AUser story: As a=
 Bitcoin user who uses HD wallets, I would like the ability to have a 3rd =
party create a paper wallet with my master seed in it, without having acce=
ss to the funds stored in the wallet.=0A=0AUser story: As a Bitcoin user w=
ho uses HD wallets, I would like the ability to choose the strength of the=
 master seed depending on my security requirements and how I wish to store=
 it.=C2=A0=0A=0A=0ASpecification=0A=0AThis proposal makes use of the follo=
wing functions and definitions:=0A=0AAES256Encrypt, AES256Decrypt: the sim=
ple form of the well-known AES block cipher without consideration for init=
ialization vectors or block chaining. Each of these functions takes a 256-=
bit key and a variable legth of input and deterministically yields output =
data of similar length to the input.=0A=0ASHA256: a well-known hashing alg=
orithm that takes an arbitrary number of bytes as input and deterministica=
lly yields a 32-byte hash.=0A=0ARIPEMD160: a well known hashing algorithm =
that takes an arbitrary number of bytes as input and deterministically yie=
lds a 20-byte hash.=0A=0Ascrypt: A well-known key derivation algorithm. It=
 takes the following parameters: (string) password, (string) salt, (int) n=
, (int) r, (int) p, (int) length, and deterministically yields an array of=
 bytes whose length is equal to the length parameter.=0A=0AHMAC-SHA512: Pr=
oduces a 64 byte (512 bit) hash based message authentication code using th=
e SHA512 hash function using a seed (in our case we will use a byte repres=
entation of "Bitcoin seed") and an aribtrary input message. The output wil=
l be 64 bytes.=0A=0ABase58Check: a method for encoding arrays of bytes usi=
ng 58 alphanumeric characters commonly used in the Bitcoin ecosystem.=0A=0A=
G, N: Constants defined as part of the secp256k1 elliptic curve. G is an e=
lliptic curve point, and N is a large positive integer.=0A=0APrefix=0A=0AI=
t is proposed that the resulting Base58Check-encoded string start with eit=
her "WS" for clear master seed records or "ws" for 2-factor master seed re=
cords. The prefixes "WS" and "ws" were chosen as abreviations of the term =
"Wallet Seed" and upper case to indicate whether it's a clear representati=
on and lower case when it's a 2-factor representation.=C2=A0=0A=0ATo keep =
the size of the encrypted key equal to the clear version, no initializatio=
n vectors (IVs) are used in the AES encryption. Rather, suitable values fo=
r IV-like use are derived using scrypt from the passphrase and from using =
a 32-bit hash of the resulting Bitcoin public address as salt.=0A=0APropos=
ed specification=0A=0AThere are 2 seed record representations with 3 lengt=
hs each, resulting in a total of 6 different object identifier prefixes.=C2=
=A0=0A=0APrefix 0x1093: Clear 16 byte master seed, total length: 22 bytes=0A=
Prefix 0x1E68: Clear 32 byte master seed, total length: 38 bytes=0APrefix =
0x665A: Clear 64 byte master seed, total length: 70 bytes=0A=0APrefix 0x1E=
E4: 2-factor 16 byte master seed, total length: 22 bytes=0APrefix 0x38AE: =
2-factor 32 byte master seed, total length: 38 bytes=0APrefix 0xBECB: 2-fa=
ctor 64 byte master seed, total length: 70 bytes=0A=0AThese are constant b=
ytes that appear at the beginning of the Base58Check-encoded record, and t=
heir presence causes the resulting string to have a predictable prefix.=0A=
=0AHow the user sees it: 35, 57 or 101 characters always starting with eit=
her "WS" or "ws".=0A=0ACount of payload bytes (beyond prefix): 20, 36 or 6=
8=0A=0APayload format:=0A4 bytes: SHA256(SHA256(master_bitcoin_public_addr=
ess))[0...3], used both for typo checking and as salt.=0A16, 32 or 64 byte=
s: either a clear representation or an encrypted representation of the mas=
ter seed.=0A=0ARange in Base58Check encoding for clear 16 byte master seed=
 (prefix WS):=0AMinimum value: WSJ5JnjiRZT8b15aZr6GGWzt2VMBPapmhBQ (based =
on 0x10 0x93 plus twenty 0x00's)=0AMaximum value: WShQumr1iGdbTpWiesWbb189=
p7rSLBiq3EJ (based on 0x10 0x93 plus twenty 0xFF's)=0A=0ARange in Base58Ch=
eck encoding for clear 32 byte master seed (prefix WS):=0AMinimum value: W=
S7SqjMWhDGCagcZxCk317LLWyWUny7465ENGKEKuxBf5sFvRHmRRfCgr (based on 0x1E 0x=
68 plus thirty-six 0x00's)=0AMaximum value: WSLAbo8WHEQr1Z1cv26Z5njh5URHMo=
9fPiDFYE2NpCwmAoPZwDxzm3PjB (based on 0x1E 0x68 plus thirty-six 0xFF's)=0A=
=0ARange in Base58Check encoding for clear 64 byte master seed (prefix WS)=
:=0AMinimum value: WS2cMzM9WrogWVLKYFzTaTXZnYCryY31uptmdevXuRFBXTWJhmt4No9=
Eejoj3apqyU5RkyXsGHFPbZd14oz7Fv1Mi85kadBD4TPsL (based on 0x66 0x5A plus si=
xty-eight 0x00's)=0AMaximum value: WS6PXJ1HoJXn9hyLz8uXQEy2ZajAVaFDTViXhZD=
thwYbhyvfHRqjwU4FoGpepCbuuycAwMFbgoZB6E48baqD1c9PdMNUZCSSBmfE7 (based on 0=
x66 0x5A plus sixty-eight 0xFF's)=0A=0ARange in Base58Check encoding for 2=
-factor 16 byte master seed (prefix ws):=0AMinimum value: ws1nyTi9KjdRkJda=
4Yh1KkXSLC8SZ6kKzEM (based on 0x1E 0xE4 plus twenty 0x00's)=0AMaximum valu=
e: wsR8aSpScSotd84i9a7LeEei7pdhVkeciX8 (based on 0x1E 0xE4 plus twenty 0xF=
F's)=0A=0ARange in Base58Check encoding for 2-factor 32 byte master seed (=
prefix ws):=0AMinimum value: wsC8sayZpTpeX3k6jcCMeTedDapXkXd7SZpRJbSjdeqKB=
J2Vnrm1xyfD3 (based on 0x38 0xAE plus thirty-six 0x00's)=0AMaximum value: =
wsQrdekZQUyHwv99hRYsj93yn5jLKMfikCoJaWEnXubRGEA9Jnxg5KaPW (based on 0x38 0=
xAE plus thirty-six 0xFF's)=0A=0ARange in Base58Check encoding for 2-facto=
r 64 byte master seed (prefix ws):=0AMinimum value: ws4XTrriTEyyy2TrGWv9R7=
o94CyBiN69S2VxiK5tVW9htEi48w54sQ43JChCmadoGtYpZSu7vqbbQTMemCSyyToyLPPMjugh=
cXNxE (based on 0xBE 0xCB plus sixty-eight 0x00's)=0AMaximum value: ws8JdA=
Wrjgi5cF6siPqDEuEbqFVVEQJLyhKinDPFJ2T84m8Qib2kS4y4Sji8YCQsDQ5ZjpcrMMuNu7nn=
HyJ5j9x1Fcg5iUwvZ7krH (based on 0xBE 0xCB plus sixty-eight 0xFF's)=0A=0AGe=
neration of master seed:=0A=0A1. Take either an existing 16, 32 or 64 byte=
 master seed S, or generate one from a (P)RNG.=0A2. Calculate I =3D HMAC-S=
HA512(key =3D "Bitcoin seed", msg =3D S)=0A3. Split I into two 32-byte seq=
uences, IL and IR.=0A4. Use IL as master secret key. IR, the master chain =
code is not relevant here.=0A5. In case IL is 0 or >=3D N, the master key =
is invalid. Go back to step 1 if generating, or in case of a provided mast=
er seed, return an error.=0A6. Compute the public key K =3D IL*G=0A7. Calc=
ulate the master Bitcoin public address A =3D Base58Check(RIPEMD160(SHA256=
(K)))=0A8. Calculate the salt =3D SHA256(SHA256(A))[0...3]=0A=0AEncryption=
:=0A=0A9. Derive a hash H from the passphrase using scrypt=0A=C2=A0 =C2=A0=
 - Parameters: passphrase is the passphrase itself encoded in UTF-8, salt =
=3D salt, n =3D 16384, r =3D 8, p =3D 8, length =3D seed length + 32=0A10.=
 The first number of bytes in H, equal to length of seed S are used to xor=
 seed S. Call the result X.=0A11. Do AES256Encrypt(message =3D X, key =3D =
last 32 bytes of H), call this encrypted_seed.=0A=0A=0AThe encrypted_maste=
r_seed is the Base58Check-encoded concatenation of the following, which to=
tals 2 + 4 + seed length bytes (22, 38 or 70 bytes):=0A=0Aencrypted_master=
_seed =3D prefix + salt + encrypted_seed=0A=0AThe clear version is:=0A=0Am=
aster_seed =3D prefix + salt + seed S=0A=0A=0ADecryption:=0A=0A1. Collect =
encrypted_master_seed and passphrase from user.=0A2. Perform step 9 of enc=
ryption with the passphrase and the salt from the encrypted_master_seed.=0A=
3. With the encrypted_seed from encrypted_master_seed do AES256Decrypt(mes=
sage =3D encrypted_seed, key =3D last 32 bytes of H), call this decrypted_=
seed.=0A4. With the first number of bytes in H, equal to the length of the=
 decrypted_seed, perform the xor operation on decrypted_seed and call the =
result S.=0A5. Perform generation steps 2 until 8 and verify that the gene=
rated salt is equal to the salt from encrypted_master_seed.=0A=0A=0ASugges=
tions for implementers of proposal with alt-chains=0A=0AThis proposal invo=
lves hashing of a text representation of a public address which for Bitcoi=
n includes the leading '1'. Alt-chains can easily be denoted simply by usi=
ng the alt-chain's preferred format for representing an address. Alt-chain=
 implementers may also change the prefix such that encoded master seeds do=
 not start with "WS" or "ws".=0A=0A=0ABitcoin testnet representation=0A=0A=
This proposal does not cover separate Bitcoin testnet representations of e=
ncoded master seeds, although since the 4 salt bytes are based on a double=
 SHA256 of the Bitcoin public address, they will be different for Bitcoin =
testnet public addresses and validation will fail.=C2=A0=0A=0A=0AReference=
 implementation=0A=0ATODO=0A=0A=0ATest vectors=0A=0ATest 1:=0A=0ASeed =C2=A0=
 =C2=A0 =C2=A0: 000102030405060708090a0b0c0d0e0f=0AClear =C2=A0 =C2=A0 : W=
SZsLQ5c1uKrRQugbrZNYsvMhRixiaWaVmJ=0APassword =C2=A0: Satoshi=0AEncrypted =
: wsHb15443fYPmneEXskd6wUZeP15fCiA69n=0AAddress =C2=A0 : 15mKKb2eos1hWa6ti=
sdPwwDC1a5J1y9nma=0Axprv =C2=A0 =C2=A0 =C2=A0: xprv9s21ZrQH143K3QTDL4LXw2F=
7HEK3wJUD2nW2nRk4stbPy6cq3jPPqjiChkVvvNKmPGJxWUtg6LnF5kejMRNNU3TGtRBeJgk33=
yuGBxrMPHi=0Axpub =C2=A0 =C2=A0 =C2=A0: xpub661MyMwAqRbcFtXgS5sYJABqqG9YLm=
C4Q1Rdap9gSE8NqtwybGhePY2gZ29ESFjqJoCu1Rupje8YtGqsefD265TMg7usUDFdp6W1EGMc=
et8=0A=0ATest 2:=0A=0ASeed =C2=A0 =C2=A0 =C2=A0: 7f0ad7d595be13e6fe4cf1fa0=
fbb6ae9c26c5d9b09920709414982b6363d5844=0AClear =C2=A0 =C2=A0 : WSB7z3izBZ=
wDoaAUA4mDpEHzAZsA5zfTWu3cCxhkaLtZ4Ur6n6mXsgpMK=0APassword =C2=A0: Nakamot=
o=0AEncrypted : wsFp1uM2gFhd2PuRzmNFReRud71hgmVwPoc7cGpxuvgETRsv8J1wHNANJ=0A=
Address =C2=A0 : 1A54ECavJaJAoLGqqNrPd9Y3cvSvkL2Roz=0Axprv =C2=A0 =C2=A0 =C2=
=A0: xprv9s21ZrQH143K3f9hMVvcbY4EX4CfxsEtc6C5BMkZtgGpTGpxAscoq7SLSAcL6k5dx=
aZ9s4SChrtfSFoKpijuwAnhuPn76eva6W8bDr118t3=0Axpub =C2=A0 =C2=A0 =C2=A0: xp=
ub661MyMwAqRbcG9EATXTcxfzy563ANKxjyK7fykABT1ooL5A6iQw4NukpHShDxYgeso4NHscF=
mqcVEtdUt61c8RCf7FqXK9z6sgfkQvYBQPP=0A=0ATest 3:=0A=0ASeed =C2=A0 =C2=A0 =C2=
=A0: fffcf9f6f3f0edeae7e4e1dedbd8d5d2cfccc9c6c3c0bdbab7b4b1aeaba8a5a29f9c9=
99693908d8a8784817e7b7875726f6c696663605d5a5754514e4b484542=0AClear =C2=A0=
 =C2=A0 : WS6186bsAkSaGRjRZ1UGyCGigxsXPvnYGSqNHJYmauV9X4W8tLJke1DH8UP8YMsD=
LdsjwgodcghjjKqkWQmk3t7qDbNMJVBDKcD2s=0APassword =C2=A0: Vires In Numeris=0A=
Encrypted : ws7vDy7RjqMvcPX7GeakKvdK6vDKGhRSjQtaRfKUVQrJXwwetLSeTdNgGzn5BK=
ZZqz1BBdaHBFYfLvNUSxDaoP1ojJMMJD9UnQuwt=0AAddress =C2=A0 : 1JEoxevbLLG8cVq=
eoGKQiAwoWbNYSUyYjg=0Axprv =C2=A0 =C2=A0 =C2=A0: xprv9s21ZrQH143K31xYSDQpP=
DxsXRTUcvj2iNHm5NUtrGiGG5e2DtALGdso3pGz6ssrdK4PFmM8NSpSBHNqPqm55Qn3LqFtT2e=
mdEXVYsCzC2U=0Axpub =C2=A0 =C2=A0 =C2=A0: xpub661MyMwAqRbcFW31YEwpkMuc5THy=
2PSt5bDMsktWQcFF8syAmRUapSCGu8ED9W6oDMSgv6Zz8idoc4a6mr8BDzTJY47LJhkJ8UB7WE=
GuduB=0A=0ATest 4:=0A=0ASeed =C2=A0 =C2=A0 =C2=A0: 6ca4a27ac660c683340f593=
53b1375a9=0AClear =C2=A0 =C2=A0 : WSXnfK5CJbDoSwcqMfz7Xqy3avuPHSxDQQk=0APa=
ssword =C2=A0: =E8=81=A1=E4=B8=AD=E6=9C=AC=0AEncrypted : wsFWKz3c5eeHRwtJv=
eSdFvwUrmoNVkJ5ns2=0AAddress =C2=A0 : 1JVncPbsdB2s4zHim3VdAWNkZ8JANBZ1U9=0A=
xprv =C2=A0 =C2=A0 =C2=A0: xprv9s21ZrQH143K3mJ4upPSDfXdA34yNjem6PSsXT63vm8=
dq8ikUJv4iiTD3PrSKtdGZXFVD689z5T7knXo55BjcHS2WL3Syp2DbGgnbgxw2QA=0Axpub =C2=
=A0 =C2=A0 =C2=A0: xpub661MyMwAqRbcGFNY1qvSaoUMi4uTnCNcTcNUKqVfV6fchw3u1rE=
KGWmgtfUMRKLgUHNZ7dfsh8Ys6SLwUojZqScFBQL3dFGF3QywNLJVZ2o=0A=0A=0AAcknowled=
gements=0A=0AMike Caldwell for BIP 0038, which this proposal borrows heavi=
ly from.=0A=0A=0ASee Also=0A=0ABIP 0032 Hierarchical Deterministic Wallets=
: https://en.bitcoin.it/wiki/BIP_0032=0ABIP 0038 Passphrase-protected priv=
ate key: https://en.bitcoin.it/wiki/BIP_0038=0A=0A=

--Boundary_(ID_6v39sDBKz5LmGaScvSoOlg)
Content-type: multipart/related;
	boundary="Boundary_(ID_1aeWVYtuDr9QTTO/wGdM5Q)"; type="text/html"


--Boundary_(ID_1aeWVYtuDr9QTTO/wGdM5Q)
Content-type: text/html; charset=utf-8
Content-transfer-encoding: quoted-printable

<html><body><div><br></div><div>Hi everyone,</div><div><br></div><div>I'm looking for =
feedback on the proposal below.</div><div><br></div><div>Kind regards,</di=
v><div><br></div><div>Jean-Paul</div><div><br></div><div>---</div><div>BIP=
:&nbsp;</div><div>Title: Base58 encoded HD Wallet master seed with optiona=
l encryption</div><div>Author: Jean-Paul Kogelman</div><div>Status: Draft<=
/div><div>Type: Informational</div><div>Created: 17-07-2013</div><div><br>=
</div><div><strong>Abstract</strong></div><div><br></div><div>This proposa=
l describes a method for encoding and optionally encrypting a Bitcoin Hier=
archical Deterministic (HD) Wallet master seed. Encoded master seeds are i=
ntended for use on paper wallets. Each string contains all the information=
 needed to verify and reconstitute an HD wallet except for the optional pa=
ssphrase. The encrypted version uses salting and scrypt to resist brute-fo=
rce attacks.</div><div><br></div><div>The method provides two encoding met=
hodologies in 3 lengths each (16, 32 and 64 byte seeds). One is a clear ve=
rsion of the master seed with verification information for integrity check=
ing and the other is an encrypted representation.</div><div><br></div><div=
>A 32-bit hash of the resulting master Bitcoin public address is encoded i=
n plain text within each seed record, so in the case of an encrypted seed,=
 it can be correlated to a Bitcoin public address with reasonable probabil=
ity by someone not knowing the passphrase. The complete Bitcoin public add=
ress can be derived through successful decoding and optional decryption of=
 the master seed record.</div><div><br></div><div><br></div><div><strong>M=
otivation</strong></div><div><br></div><div>The extended private keys prop=
osed in BIP 0032 are long, fixed length records and don't offer any form o=
f security. The master seed used to generate the HD wallet is typically sh=
orter than the extended master private key that results from it.&nbsp;</di=
v><div><br></div><div>A compact representation of the master seed is easie=
r to handle and a 2-factor version of the master seed record allows for sa=
fe storage and the creation of paper wallets by 3rd parties.&nbsp;</div><d=
iv><br></div><div><br></div><div><strong>Copyright</strong></div><div><br>=
</div><div>This proposal is hereby placed in the public domain.</div><div>=
<br></div><div><br></div><div><strong>Rationale</strong></div><div><br></d=
iv><div>User story: As a Bitcoin user who uses HD wallets, I would like th=
e ability to store my wallet master seed in a compact form as a paper wall=
et.</div><div><br></div><div>User story: As a Bitcoin user who uses HD wal=
lets, I would like the ability to have a 3rd party create a paper wallet w=
ith my master seed in it, without having access to the funds stored in the=
 wallet.</div><div><br></div><div>User story: As a Bitcoin user who uses H=
D wallets, I would like the ability to choose the strength of the master s=
eed depending on my security requirements and how I wish to store it.&nbsp=
;</div><div><br></div><div><br></div><div><strong>Specification</strong></=
div><div><br></div><div>This proposal makes use of the following functions=
 and definitions:</div><div><br></div><div>AES256Encrypt, AES256Decrypt: t=
he simple form of the well-known AES block cipher without consideration fo=
r initialization vectors or block chaining. Each of these functions takes =
a 256-bit key and a variable legth of input and deterministically yields o=
utput data of similar length to the input.</div><div><br></div><div>SHA256=
: a well-known hashing algorithm that takes an arbitrary number of bytes a=
s input and deterministically yields a 32-byte hash.</div><div><br></div><=
div>RIPEMD160: a well known hashing algorithm that takes an arbitrary numb=
er of bytes as input and deterministically yields a 20-byte hash.</div><di=
v><br></div><div>scrypt: A well-known key derivation algorithm. It takes t=
he following parameters: (string) password, (string) salt, (int) n, (int) =
r, (int) p, (int) length, and deterministically yields an array of bytes w=
hose length is equal to the length parameter.</div><div><br></div><div>HMA=
C-SHA512: Produces a 64 byte (512 bit) hash based message authentication c=
ode using the SHA512 hash function using a seed (in our case we will use a=
 byte representation of "Bitcoin seed") and an aribtrary input message. Th=
e output will be 64 bytes.</div><div><br></div><div>Base58Check: a method =
for encoding arrays of bytes using 58 alphanumeric characters commonly use=
d in the Bitcoin ecosystem.</div><div><br></div><div>G, N: Constants defin=
ed as part of the secp256k1 elliptic curve. G is an elliptic curve point, =
and N is a large positive integer.</div><div><br></div><div><span style=3D=
"text-decoration: underline;">Prefix</span></div><div><br></div><div>It is=
 proposed that the resulting Base58Check-encoded string start with either =
"WS" for clear master seed records or "ws" for 2-factor master seed record=
s. The prefixes "WS" and "ws" were chosen as abreviations of the term "Wal=
let Seed" and upper case to indicate whether it's a clear representation a=
nd lower case when it's a 2-factor representation.&nbsp;</div><div><br></d=
iv><div>To keep the size of the encrypted key equal to the clear version, =
no initialization vectors (IVs) are used in the AES encryption. Rather, su=
itable values for IV-like use are derived using scrypt from the passphrase=
 and from using a 32-bit hash of the resulting Bitcoin public address as s=
alt.</div><div><br></div><div><span style=3D"text-decoration: underline;">=
Proposed specification</span></div><div><br></div><div>There are 2 seed re=
cord representations with 3 lengths each, resulting in a total of 6 differ=
ent object identifier prefixes.&nbsp;</div><div><br></div><div>Prefix 0x10=
93: Clear 16 byte master seed, total length: 22 bytes</div><div>Prefix 0x1=
E68: Clear 32 byte master seed, total length: 38 bytes</div><div>Prefix 0x=
665A: Clear 64 byte master seed, total length: 70 bytes</div><div><br></di=
v><div>Prefix 0x1EE4: 2-factor 16 byte master seed, total length: 22 bytes=
</div><div>Prefix 0x38AE: 2-factor 32 byte master seed, total length: 38 b=
ytes</div><div>Prefix 0xBECB: 2-factor 64 byte master seed, total length: =
70 bytes</div><div><br></div><div>These are constant bytes that appear at =
the beginning of the Base58Check-encoded record, and their presence causes=
 the resulting string to have a predictable prefix.</div><div><br></div><d=
iv>How the user sees it: 35, 57 or 101 characters always starting with eit=
her "WS" or "ws".</div><div><br></div><div>Count of payload bytes (beyond =
prefix): 20, 36 or 68</div><div><br></div><div>Payload format:</div><div>4=
 bytes: SHA256(SHA256(master_bitcoin_public_address))[0...3], used both fo=
r typo checking and as salt.</div><div>16, 32 or 64 bytes: either a clear =
representation or an encrypted representation of the master seed.</div><di=
v><br></div><div>Range in Base58Check encoding for clear 16 byte master se=
ed (prefix WS):</div><div>Minimum value: WSJ5JnjiRZT8b15aZr6GGWzt2VMBPapmh=
BQ (based on 0x10 0x93 plus twenty 0x00's)</div><div>Maximum value: WShQum=
r1iGdbTpWiesWbb189p7rSLBiq3EJ (based on 0x10 0x93 plus twenty 0xFF's)</div=
><div><br></div><div>Range in Base58Check encoding for clear 32 byte maste=
r seed (prefix WS):</div><div>Minimum value: WS7SqjMWhDGCagcZxCk317LLWyWUn=
y7465ENGKEKuxBf5sFvRHmRRfCgr (based on 0x1E 0x68 plus thirty-six 0x00's)</=
div><div>Maximum value: WSLAbo8WHEQr1Z1cv26Z5njh5URHMo9fPiDFYE2NpCwmAoPZwD=
xzm3PjB (based on 0x1E 0x68 plus thirty-six 0xFF's)</div><div><br></div><d=
iv>Range in Base58Check encoding for clear 64 byte master seed (prefix WS)=
:</div><div>Minimum value: WS2cMzM9WrogWVLKYFzTaTXZnYCryY31uptmdevXuRFBXTW=
Jhmt4No9Eejoj3apqyU5RkyXsGHFPbZd14oz7Fv1Mi85kadBD4TPsL (based on 0x66 0x5A=
 plus sixty-eight 0x00's)</div><div>Maximum value: WS6PXJ1HoJXn9hyLz8uXQEy=
2ZajAVaFDTViXhZDthwYbhyvfHRqjwU4FoGpepCbuuycAwMFbgoZB6E48baqD1c9PdMNUZCSSB=
mfE7 (based on 0x66 0x5A plus sixty-eight 0xFF's)</div><div><br></div><div=
>Range in Base58Check encoding for 2-factor 16 byte master seed (prefix ws=
):</div><div>Minimum value: ws1nyTi9KjdRkJda4Yh1KkXSLC8SZ6kKzEM (based on =
0x1E 0xE4 plus twenty 0x00's)</div><div>Maximum value: wsR8aSpScSotd84i9a7=
LeEei7pdhVkeciX8 (based on 0x1E 0xE4 plus twenty 0xFF's)</div><div><br></d=
iv><div>Range in Base58Check encoding for 2-factor 32 byte master seed (pr=
efix ws):</div><div>Minimum value: wsC8sayZpTpeX3k6jcCMeTedDapXkXd7SZpRJbS=
jdeqKBJ2Vnrm1xyfD3 (based on 0x38 0xAE plus thirty-six 0x00's)</div><div>M=
aximum value: wsQrdekZQUyHwv99hRYsj93yn5jLKMfikCoJaWEnXubRGEA9Jnxg5KaPW (b=
ased on 0x38 0xAE plus thirty-six 0xFF's)</div><div><br></div><div>Range i=
n Base58Check encoding for 2-factor 64 byte master seed (prefix ws):</div>=
<div>Minimum value: ws4XTrriTEyyy2TrGWv9R7o94CyBiN69S2VxiK5tVW9htEi48w54sQ=
43JChCmadoGtYpZSu7vqbbQTMemCSyyToyLPPMjughcXNxE (based on 0xBE 0xCB plus s=
ixty-eight 0x00's)</div><div>Maximum value: ws8JdAWrjgi5cF6siPqDEuEbqFVVEQ=
JLyhKinDPFJ2T84m8Qib2kS4y4Sji8YCQsDQ5ZjpcrMMuNu7nnHyJ5j9x1Fcg5iUwvZ7krH (b=
ased on 0xBE 0xCB plus sixty-eight 0xFF's)</div><div><br></div><div>Genera=
tion of master seed:</div><div><br></div><div>1. Take either an existing 1=
6, 32 or 64 byte master seed S, or generate one from a (P)RNG.</div><div>2=
. Calculate I =3D HMAC-SHA512(key =3D "Bitcoin seed", msg =3D S)</div><div=
>3. Split I into two 32-byte sequences, IL and IR.</div><div>4. Use IL as =
master secret key. IR, the master chain code is not relevant here.</div><d=
iv>5. In case IL is 0 or &gt;=3D N, the master key is invalid. Go back to =
step 1 if generating, or in case of a provided master seed, return an erro=
r.</div><div>6. Compute the public key K =3D IL*G</div><div>7. Calculate t=
he master Bitcoin public address A =3D Base58Check(RIPEMD160(SHA256(K)))</=
div><div>8. Calculate the salt =3D SHA256(SHA256(A))[0...3]</div><div><br>=
</div><div>Encryption:</div><div><br></div><div>9. Derive a hash H from th=
e passphrase using scrypt</div><div>&nbsp; &nbsp; - Parameters: passphrase=
 is the passphrase itself encoded in UTF-8, salt =3D salt, n =3D 16384, r =
=3D 8, p =3D 8, length =3D seed length + 32</div><div>10. The first number=
 of bytes in H, equal to length of seed S are used to xor seed S. Call the=
 result X.</div><div>11. Do AES256Encrypt(message =3D X, key =3D last 32 b=
ytes of H), call this encrypted_seed.</div><div><br></div><div><br></div><=
div>The encrypted_master_seed is the Base58Check-encoded concatenation of =
the following, which totals 2 + 4 + seed length bytes (22, 38 or 70 bytes)=
:</div><div><br></div><div>encrypted_master_seed =3D prefix + salt + encry=
pted_seed</div><div><br></div><div>The clear version is:</div><div><br></d=
iv><div>master_seed =3D prefix + salt + seed S</div><div><br></div><div><b=
r></div><div>Decryption:</div><div><br></div><div>1. Collect encrypted_mas=
ter_seed and passphrase from user.</div><div>2. Perform step 9 of encrypti=
on with the passphrase and the salt from the encrypted_master_seed.</div><=
div>3. With the encrypted_seed from encrypted_master_seed do AES256Decrypt=
(message =3D encrypted_seed, key =3D last 32 bytes of H), call this decryp=
ted_seed.</div><div>4. With the first number of bytes in H, equal to the l=
ength of the decrypted_seed, perform the xor operation on decrypted_seed a=
nd call the result S.</div><div>5. Perform generation steps 2 until 8 and =
verify that the generated salt is equal to the salt from encrypted_master_=
seed.</div><div><br></div><div><br></div><div><strong>Suggestions for impl=
ementers of proposal with alt-chains</strong></div><div><br></div><div>Thi=
s proposal involves hashing of a text representation of a public address w=
hich for Bitcoin includes the leading '1'. Alt-chains can easily be denote=
d simply by using the alt-chain's preferred format for representing an add=
ress. Alt-chain implementers may also change the prefix such that encoded =
master seeds do not start with "WS" or "ws".</div><div><br></div><div><br>=
</div><div><strong>Bitcoin testnet representation</strong></div><div><br><=
/div><div>This proposal does not cover separate Bitcoin testnet representa=
tions of encoded master seeds, although since the 4 salt bytes are based o=
n a double SHA256 of the Bitcoin public address, they will be different fo=
r Bitcoin testnet public addresses and validation will fail.&nbsp;</div><d=
iv><br></div><div><br></div><div><strong>Reference implementation</strong>=
</div><div><br></div><div>TODO</div><div><br></div><div><br></div><div><st=
rong>Test vectors</strong></div><div><br></div><div>Test 1:</div><div><br>=
</div><div>Seed &nbsp; &nbsp; &nbsp;: 000102030405060708090a0b0c0d0e0f</di=
v><div>Clear &nbsp; &nbsp; : WSZsLQ5c1uKrRQugbrZNYsvMhRixiaWaVmJ</div><div=
>Password &nbsp;: Satoshi</div><div>Encrypted : wsHb15443fYPmneEXskd6wUZeP=
15fCiA69n</div><div>Address &nbsp; : 15mKKb2eos1hWa6tisdPwwDC1a5J1y9nma</d=
iv><div>xprv &nbsp; &nbsp; &nbsp;: xprv9s21ZrQH143K3QTDL4LXw2F7HEK3wJUD2nW=
2nRk4stbPy6cq3jPPqjiChkVvvNKmPGJxWUtg6LnF5kejMRNNU3TGtRBeJgk33yuGBxrMPHi</=
div><div>xpub &nbsp; &nbsp; &nbsp;: xpub661MyMwAqRbcFtXgS5sYJABqqG9YLmC4Q1=
Rdap9gSE8NqtwybGhePY2gZ29ESFjqJoCu1Rupje8YtGqsefD265TMg7usUDFdp6W1EGMcet8<=
/div><div><br></div><div>Test 2:</div><div><br></div><div>Seed &nbsp; &nbs=
p; &nbsp;: 7f0ad7d595be13e6fe4cf1fa0fbb6ae9c26c5d9b09920709414982b6363d584=
4</div><div>Clear &nbsp; &nbsp; : WSB7z3izBZwDoaAUA4mDpEHzAZsA5zfTWu3cCxhk=
aLtZ4Ur6n6mXsgpMK</div><div>Password &nbsp;: Nakamoto</div><div>Encrypted =
: wsFp1uM2gFhd2PuRzmNFReRud71hgmVwPoc7cGpxuvgETRsv8J1wHNANJ</div><div>Addr=
ess &nbsp; : 1A54ECavJaJAoLGqqNrPd9Y3cvSvkL2Roz</div><div>xprv &nbsp; &nbs=
p; &nbsp;: xprv9s21ZrQH143K3f9hMVvcbY4EX4CfxsEtc6C5BMkZtgGpTGpxAscoq7SLSAc=
L6k5dxaZ9s4SChrtfSFoKpijuwAnhuPn76eva6W8bDr118t3</div><div>xpub &nbsp; &nb=
sp; &nbsp;: xpub661MyMwAqRbcG9EATXTcxfzy563ANKxjyK7fykABT1ooL5A6iQw4NukpHS=
hDxYgeso4NHscFmqcVEtdUt61c8RCf7FqXK9z6sgfkQvYBQPP</div><div><br></div><div=
>Test 3:</div><div><br></div><div>Seed &nbsp; &nbsp; &nbsp;: fffcf9f6f3f0e=
deae7e4e1dedbd8d5d2cfccc9c6c3c0bdbab7b4b1aeaba8a5a29f9c999693908d8a8784817=
e7b7875726f6c696663605d5a5754514e4b484542</div><div>Clear &nbsp; &nbsp; : =
WS6186bsAkSaGRjRZ1UGyCGigxsXPvnYGSqNHJYmauV9X4W8tLJke1DH8UP8YMsDLdsjwgodcg=
hjjKqkWQmk3t7qDbNMJVBDKcD2s</div><div>Password &nbsp;: Vires In Numeris</d=
iv><div>Encrypted : ws7vDy7RjqMvcPX7GeakKvdK6vDKGhRSjQtaRfKUVQrJXwwetLSeTd=
NgGzn5BKZZqz1BBdaHBFYfLvNUSxDaoP1ojJMMJD9UnQuwt</div><div>Address &nbsp; :=
 1JEoxevbLLG8cVqeoGKQiAwoWbNYSUyYjg</div><div>xprv &nbsp; &nbsp; &nbsp;: x=
prv9s21ZrQH143K31xYSDQpPDxsXRTUcvj2iNHm5NUtrGiGG5e2DtALGdso3pGz6ssrdK4PFmM=
8NSpSBHNqPqm55Qn3LqFtT2emdEXVYsCzC2U</div><div>xpub &nbsp; &nbsp; &nbsp;: =
xpub661MyMwAqRbcFW31YEwpkMuc5THy2PSt5bDMsktWQcFF8syAmRUapSCGu8ED9W6oDMSgv6=
Zz8idoc4a6mr8BDzTJY47LJhkJ8UB7WEGuduB</div><div><br></div><div>Test 4:</di=
v><div><br></div><div>Seed &nbsp; &nbsp; &nbsp;: 6ca4a27ac660c683340f59353=
b1375a9</div><div>Clear &nbsp; &nbsp; : WSXnfK5CJbDoSwcqMfz7Xqy3avuPHSxDQQ=
k</div><div>Password &nbsp;: =E8=81=A1=E4=B8=AD=E6=9C=AC</div><div>Encrypt=
ed : wsFWKz3c5eeHRwtJveSdFvwUrmoNVkJ5ns2</div><div>Address &nbsp; : 1JVncP=
bsdB2s4zHim3VdAWNkZ8JANBZ1U9</div><div>xprv &nbsp; &nbsp; &nbsp;: xprv9s21=
ZrQH143K3mJ4upPSDfXdA34yNjem6PSsXT63vm8dq8ikUJv4iiTD3PrSKtdGZXFVD689z5T7kn=
Xo55BjcHS2WL3Syp2DbGgnbgxw2QA</div><div>xpub &nbsp; &nbsp; &nbsp;: xpub661=
MyMwAqRbcGFNY1qvSaoUMi4uTnCNcTcNUKqVfV6fchw3u1rEKGWmgtfUMRKLgUHNZ7dfsh8Ys6=
SLwUojZqScFBQL3dFGF3QywNLJVZ2o</div><div><br></div><div><br></div><div><st=
rong>Acknowledgements</strong></div><div><br></div><div>Mike Caldwell for =
BIP 0038, which this proposal borrows heavily from.</div><div><br></div><d=
iv><br></div><div><strong>See Also</strong></div><div><br></div><div>BIP 0=
032 Hierarchical Deterministic Wallets: https://en.bitcoin.it/wiki/BIP_003=
2</div><div>BIP 0038 Passphrase-protected private key: https://en.bitcoin.=
it/wiki/BIP_0038</div><div><br></div></body></html>=

--Boundary_(ID_1aeWVYtuDr9QTTO/wGdM5Q)--

--Boundary_(ID_6v39sDBKz5LmGaScvSoOlg)--