path: root/65/8398980edfb1a74541476546e59a8b1c3b06ae

Delivery-date: Wed, 04 Jun 2025 00:57:11 -0700
Received: from mail-qt1-f183.google.com ([209.85.160.183])
	by mail.fairlystable.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.94.2)
	(envelope-from <bitcoindev+bncBAABBQPY77AQMGQELJANZZQ@googlegroups.com>)
	id 1uMizm-0004YO-0h
	for bitcoindev@gnusha.org; Wed, 04 Jun 2025 00:57:11 -0700
Received: by mail-qt1-f183.google.com with SMTP id d75a77b69052e-4a4871e796bsf63503001cf.1
        for <bitcoindev@gnusha.org>; Wed, 04 Jun 2025 00:57:09 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1749023824; cv=pass;
        d=google.com; s=arc-20240605;
        b=YPsRfEkCWvYFiKZBBRHlw41cCOC1sK5p0RmrIRQgxMXkFF8upfG2gJRXQk2l+UUp60
         /P9niL3VRD0ThBk4patIzVl2MC2y39uh9zF24/i+nItwoua0Mzo53FBE4ZOlI0b4AMms
         ALBSCN8/XBvCzH2AqxLEa4bIoRm1/2SjFBoC3AG+X7jRp5jhradDp0QDXkGVR7fThDzX
         1LIqcSMZo6G9Q0aHChKH+EAFv5qmo56Nc8KzZVjfAAiLyrEnQqGb3T8ZzghDTmMTagSI
         AI3BhQQiH3Jl4PPVLRolBelkGlbH841THzIzMWVU/XgXUamZnEgus1eDDO/EXa4dJcu9
         yMDQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:date:message-id
         :content-transfer-encoding:mime-version:references:in-reply-to
         :subject:to:from:sender:dkim-signature;
        bh=KDrDf7yWDrqz7d3jO5LY4wp7z6AeWMTVo9etGho/NCc=;
        fh=jlgW0BXGOnwhoyr/SwwZsEfDqV+5vX5loCPfp2s01wA=;
        b=i/PfzH7xmJPB90NwbysS2PpHSo1ZALB4gf0/xg8iT0wlaBVoPJgpuFkOZHiqAwY999
         2Jyz9apqOFjdEHZsinwn6aoOexqb8HardcUTLvGuSnXs4xre26i7FEqqiRbQnKm8YdVm
         popX/cVEItbtC5S20hER0sBpqCfEosO5owGsiEO/OLdgC+LhdKmYcgsegwwiOjmjQ6n5
         +7ZdUvbzutSTdRBG+Sdd4zV8KjIcInJiLt17AF4fx36LKv16yXrWg4aEs+OE4borWbFX
         QduzKFbibU4TYUoSsFMyHq5Z38s36coWPbmOkqGQS7YmF1SJK9CbsuMpzwi2ndHLDcDy
         Ka3w==;
        darn=gnusha.org
ARC-Authentication-Results: i=2; gmr-mx.google.com;
       spf=pass (google.com: domain of pithosian@i2pmail.org designates 91.143.83.7 as permitted sender) smtp.mailfrom=pithosian@i2pmail.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=googlegroups.com; s=20230601; t=1749023824; x=1749628624; darn=gnusha.org;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-authentication-results
         :x-original-sender:date:message-id:content-transfer-encoding
         :mime-version:references:in-reply-to:subject:to:from:sender:from:to
         :cc:subject:date:message-id:reply-to;
        bh=KDrDf7yWDrqz7d3jO5LY4wp7z6AeWMTVo9etGho/NCc=;
        b=Ory2rSQfqx+WskJusYbyPjH7gwZ/NHOqRAYH47N2mlXQECk8EO6CuZ/OB6ZSfnjorm
         AXhWYmM3uoVU5tyXx7wZCdNEeTxA/t8NrazukhnkIb7OtyGef3L9pl2HncXKFOY2p9b0
         ZnNPCLO+MqLNr5Nfruhky8XJNOwexRLUOOInp/0zfphFCEb9ssEukRe7AbdWstrdBFVz
         YltNS3BoFcUFsfeVay1R2M8x8VWol9uhxnifXuZQPUE1bD0p+oa+WhWpLD1BnkrKobta
         y96iupZWJ3Dy0pY3NMmyvwhT4Jtg3q7BZ9vgOA1QMTdAq13PlRPZxOFXrCmAF3ep3BN5
         TPUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1749023824; x=1749628624;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-authentication-results
         :x-original-sender:date:message-id:content-transfer-encoding
         :mime-version:references:in-reply-to:subject:to:from:x-beenthere
         :x-gm-message-state:sender:from:to:cc:subject:date:message-id
         :reply-to;
        bh=KDrDf7yWDrqz7d3jO5LY4wp7z6AeWMTVo9etGho/NCc=;
        b=JzHeP4pEuIIswF1ERue59fV3WT76NSCzHD2sppLUpi+MRu5kKoL/rVI40CXmLUyb7m
         cyDKZgFTVJjqaIhM/Idlh1svYmbzTZumpJznrGPyht6sV4KdU8QSOqdORRYReXxVYFI1
         SFAh1By2NtsvU+30s17CJjobCOM7GG4GnCKu2Jbiw8fWy2V3ETwFDSu1p3NQtlWOD4U5
         3zpeJyzTPCSurkhj3ks8sGUQJcODUtT/U/A+fucNdhBOF0uGws2U4UqoNXoQxgOZRFju
         5+8UNEdNDF3Xa8V9n48yVlPvzs2JOsbrVPBps2iryoLKpxdOhRODlx2I8VHq03VyeH+k
         FLGg==
Sender: bitcoindev@googlegroups.com
X-Forwarded-Encrypted: i=2; AJvYcCX2a345WTmnCS3okpJBPAuuljh/ng7KtSsUpX9GlJQnnh6vvrTFCVyfeqcjZh3q0spxSJ1zsU9dHTrg@gnusha.org
X-Gm-Message-State: AOJu0YwiFruedQvYHe8mtST5T46ULgPJ1Fw6vlS89ooRBx7AKDNYu4P+
	fCrlMgy51wYzMsQKWNePax/OTghOdV6l1crLjbw88Drcpg4PNNggQdCd
X-Google-Smtp-Source: AGHT+IGJix3Si/zxY/lRUsqkGnyiE53MpdgymDw2QvgqlLNqY3jCyQnUr7PFHEdULXt0+ctk9ZjRNQ==
X-Received: by 2002:ad4:5ca1:0:b0:6e8:9dc9:1c03 with SMTP id 6a1803df08f44-6faf6fefa8bmr23999016d6.21.1749023813132;
        Wed, 04 Jun 2025 00:56:53 -0700 (PDT)
X-BeenThere: bitcoindev@googlegroups.com; h=AZMbMZcUK4wpMdgBD3lUItuerbegRpYLr+EycBUTJMpvBmlzYA==
Received: by 2002:a05:6214:501b:b0:6fa:b7fb:ca13 with SMTP id
 6a1803df08f44-6fac5cfb940ls138823836d6.0.-pod-prod-05-us; Wed, 04 Jun 2025
 00:56:49 -0700 (PDT)
X-Received: by 2002:a05:620a:29c6:b0:7d0:9c55:2ca9 with SMTP id af79cd13be357-7d2198f87e9mr304339085a.46.1749023809384;
        Wed, 04 Jun 2025 00:56:49 -0700 (PDT)
Received: by 2002:a05:600c:2206:b0:43c:fd8b:faa8 with SMTP id 5b1f17b1804b1-442fe8b8c82ms5e9;
        Sun, 25 May 2025 22:25:11 -0700 (PDT)
X-Received: by 2002:a05:6000:4027:b0:3a3:5ae4:6e81 with SMTP id ffacd0b85a97d-3a4cb4613e5mr5050581f8f.8.1748237109383;
        Sun, 25 May 2025 22:25:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1748237109; cv=none;
        d=google.com; s=arc-20240605;
        b=IXpNi47n6OwSzNk7On3rRq+O3pjh+MnfSqQMMEa3p+Gyi4sB5lTj8W2UCE7GEKFgVT
         h4GQowD+AupFeUGRgE2zLf2my+QJUXN1kgQHP0ZVw1ecVvK6LSRW9vGr80yuhaXJdEps
         Cndc3krW5HuSP0pAMMrauS+XfeJFbiaHjtOw0lWNnLI/REfj0trqnxJHoLNQMX2JuvfI
         fGXmgF4lG/YDrMJ70PanewY7baLkxDejouC46IXYnz8Z+JBLdwqPXdE/THUdHsM++mDK
         A5xe9OLy5CCloU+3t3PP5FKOSNCcMfgFhB7PlPkNkh+iHL40zNpujNvTyFcdsdGRPdzp
         ZZjA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=date:message-id:content-transfer-encoding:mime-version:references
         :in-reply-to:subject:to:from;
        bh=a/MXXtT54oiMyC2EGOJcukdXTHCEOK7ii2MZzj4O0lA=;
        fh=VcGcg+Zjs9gw1uDcHbxsAILhBAcecnbJzZRdxgKVDIc=;
        b=k12sPi3vwogvAcSLHLfarhEW33QStEgGLB4Ol0kWyl1CG6in6ME3SY58Ujqz9mZNX0
         CPFIQc9p7UJ9r8B29fNdHGrwAPM+LPCoek7fBL2rF+XKbvK3furH/vHGyc8jyDSNJ5Ur
         VM92Vy89WNNi6WL9yoP666D5tquUcTqajqncV2KFSw2+RDbivtQtjQCfu3647vZSDrCI
         l2bnYsGWK6RGYmQnV0h7k7+AKo61OYYyrbanpnGUnZKkbIMtlVEq1xxyJ2OUF2O5qyXH
         e1LFA5lnPGterxGeD79DaR8FQ9TL0boU3PtRO5xs4eYiK9TPth/Tct4+XHrLwt3tUZwJ
         gJEA==;
        dara=google.com
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       spf=pass (google.com: domain of pithosian@i2pmail.org designates 91.143.83.7 as permitted sender) smtp.mailfrom=pithosian@i2pmail.org
Received: from mail.i2pproject.net (mail.i2pproject.net. [91.143.83.7])
        by gmr-mx.google.com with ESMTPS id 5b1f17b1804b1-447f298913asi466035e9.1.2025.05.25.22.25.09
        for <bitcoindev@googlegroups.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 25 May 2025 22:25:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of pithosian@i2pmail.org designates 91.143.83.7 as permitted sender) client-ip=91.143.83.7;
Received: from i2prouter.i2p.net ([81.7.8.99] helo=smtp.postman.i2p)
	by mail.i2pproject.net with esmtp (Exim 4.96)
	(envelope-from <pithosian@i2pmail.org>)
	id 1uJQKg-000104-0q
	for bitcoindev@googlegroups.com;
	Mon, 26 May 2025 07:25:09 +0200
X-Mailer: smtp.postman.i2p - Official I2P Mailer
From: pithosian <pithosian@i2pmail.org>
To: bitcoindev@googlegroups.com
Subject: Re: [bitcoindev] BIP39 Extension for Manual Seed Phrase Creation
In-Reply-To: <20250525154052.28C0E7C1013@smtp.postman.i2p>
References: <20250523131541.1521C7C0DB0@smtp.postman.i2p>
	<20250524205608.D723F7C1191@smtp.postman.i2p>
	<20250525154052.28C0E7C1013@smtp.postman.i2p>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: clamav-milter 0.103.X on milter.postman.i2p
Message-Id: <20250525214153.163D47C0BC6@smtp.postman.i2p>
Date: Sun, 25 May 2025 21:41:53 +0000 (UTC)
X-Spam-Score: -3.0 (---)
X-Original-Sender: pithosian@i2pmail.org
X-Original-Authentication-Results: gmr-mx.google.com;       spf=pass
 (google.com: domain of pithosian@i2pmail.org designates 91.143.83.7 as
 permitted sender) smtp.mailfrom=pithosian@i2pmail.org
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
 <https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: 0.9 (/)

I'm not totally against thinking about different ways to (effectively)
represent the data you'd use a descriptor for for simple use-cases,
just not personally convinced on the utility of a purely
hand-calculated mnemonic given the requirement of running (off the top
of my head) SHA512 PBKDF2 for the BIP 32 seed, and a SHA512 HMAC for
going from that to the root priv.

> A standard for encoding entropy

In my view, this is exactly what BIP 39 already is. It's a
specification for encoding Base2048 numbers with a checksum, similar to
Base58. The character set is a list of words, but fundamentally the
only real difference between it, and Base2, Base10, Base16, etc is the
checksum.

The UEFI tool is an interactive TUI. You don't (necessarily) input
entropy you already generated elsewhere, you choose whether to use
skew-corrected coinflips, or raw coinflips, dice rolls etc, input how
many bits of entropy you want, then it asks you to input
coinflips/dicerolls one by one, displaying the entropy you're building
as you go. That entropy can then be used in various ways, including
creating a BIP 39 mnemonic. I had CKD implemented too, as well as a
bunch of simple more general 'security' standalone tools, but if I
throw together a release from the old code to just make something
available quickly, it'll be stripped down and streamlined for this one
use-case, eg:

1. Select desired mnemonic length.
2. Choose whether to use skew correction.
3. Input coinflips; display collected entropy in Base2 (intuitive
for coinflips) as you go so the user can observe the process. Maybe show
the current BIP39 Base2048 encoding of that entropy too.
4. Once the entropy requirement is met, display the entropy, its hash,
the checksummed mnemonic bits, and the actual mnemonic, so the user can
see exactly how it all fits together. They have to trust that the SHA256
implementation is correct, but if it isn't, the mnemonic will fail
checksumming when trying to use it in an actual wallet.

Maybe could have a second 'program' to input a mnemonic, validate it,
see its entropy, and derive the BIP 32 seed and root extended priv,
given SHA512 and PBKDF2 are fairly trivial if you already need a SHA256
implementation.

On Sun, 25 May 2025 15:40:52 +0000 (UTC)
nerdyrugbyguy <nerdyrugbyguy@gmail.com> wrote:

> Greetings Pithosian,
>=20
> Thank you (and everyone) for taking time to consider my suggestions.
>=20
> I flipped coins to create my seed phrase ten years ago.  I founded a=20
> bitcoin club, created printed guides, and taught the procedure to
> others. Even out of a group of people with engineering degrees, it
> was too much. Many people have limited math ability and most will
> never learn binary math or checksums.  Unfortunately bitcoin "self
> custody" is typically based on trusting a black box.  The question is
> really whether bitcoin is for elites or plebs.
>=20
> The UEFI application you're suggesting sounds like it might be
> similar to other existing tools that receive entropy input and output
> a seed phrase or last word.  What format should be used for the
> entropy input? Typically hex or binary is used because we lack a
> standard format (encoding entropy with words would be less error
> prone).  To be trustless and do what you suggest, it seems users
> would have to record their entropy in a non-standard format, obtain
> two independent tools, perform a non-standard import of their entropy
> into the first tool, record the seed phrase output, perform a
> non-standard import of their entropy into the second tool, then
> confirm that the output of the second tool matches. While not
> requiring the user to know binary math, this is too much for most
> users and is error prone.
>=20
> I agree that the spec doesn't need to change, it's not broken and is
> well suited for its intended purpose.  I'm proposing an extension.
>=20
> Here are the current options I'm aware of for seed generation:
> *#1* Use a "white box" tool (only an option for devs that can verify
> source and build their own tools)
> *#2* Trust a "black box" tool
> *#3* Non-standard entropy import into two independent "black box"
> tools and cross-check results
> *#4* Use binary math to determine initial words and most significant
> bits of last word.  Obtain least significant bits of last word by
> guessing or computing sha256 hash.
>=20
> A standard for encoding entropy would make #3 easier (useful for
> things like seedQR) and enable #5:
> *#5* Record entropy in a standard format
>=20
> As far as encoding derivation paths, I was trying to think of
> something useful that could be done with the extra bits being
> encoded.  I would defer this discussion for now and just ask for
> consideration of the case where derivation path is not specified.
>=20
> Regards,
> -Eric
>=20
> On Sunday, May 25, 2025 at 5:44:44=E2=80=AFAM UTC-6 pithosian wrote:
>=20
> BIP39 works fine with entropy generated without a computer. I=20
> personally recommend using coinflips with Von Neumann skew
> correction.=20
>=20
> Yes, you need to perform a SHA256 hash to calculate the checksum
> word.=20
>=20
> You need to use SHA512 HMAC as the next step, and EC point=20
> multiplication along with a host of other steps which are unrealistic=20
> to expect a human to perform by hand to actually get child keys and=20
> addresses out the other end, too.=20
>=20
> I have a bootable UEFI application for generating a mnemonic with=20
> skew-corrected coinflips (among other things), designed for airgapped=20
> operation, lying around in my archive somewhere. I plan on=20
> re-implementing it as part of a much larger, long-running project but=20
> if there's interest I can go find it, clean it up and publish the=20
> old version in the meantime.=20
>=20
> The spec doesn't need to change; there's really no benefit to=20
> generating a mnemonic without the SHA256 hash step, because again,
> you can't do anything with that mnemonic without hashing.=20
>=20
> As for encoding derivation paths in the mnemonic, Electrum's Seed=20
> Version System achieves roughly the same thing, but descriptors are a=20
> better solution for managing non-entropy metadata for wallets.=20
>=20
> For those who really don't want to put in the small amount of
> additional effort required to use descriptors, replying on the
> standard derivation paths is sufficient, as long as they're made
> aware of their existence. Educating your users is a better solution
> than attempting to abstract away (aka hide) critical information from
> them.=20
>=20
> On Fri, 23 May 2025 13:15:41 +0000 (UTC)=20
> Eric Kvam <nerdyr...@gmail.com> wrote:=20
>=20
> > *Motivation*=20
> > Make it easy for users to manually create their seed phrase so that=20
> > they don't have to trust a "black box" and allow for encoding=20
> > derivation path in seed phrase to simplify recovery=20
> >=20
> > *How*=20
> > Use every eighth word from the wordlist to generate 16 word phrases=20
> > with 128 bits of entropy (no checksum). The most significant eight=20
> > bits of each word are used as entropy. The least significant three=20
> > bits of each word specify the derivation path.=20
> >=20
> > - *000* Derivation Path Not Specified=20
> > - *001* m/44'/0'/0'=20
> > - *010* m/49'/0'/0'=20
> > - *011* m/84'/0'/0'=20
> > - *100* m/48'/0'/0'/2'=20
> > - *101* m/86'/0'/0'=20
> >=20
> > Up to seven derivation paths can be specified if all words have the=20
> > same least significant bits. If the least significant bits of each=20
> > word vary, there are 48 bits that can be used to encode meta-data.=20
> > As long as meta-data is limited to certain allowable values, this=20
> > provides a mechanism for error detection, similar to a checksum.=20
> >=20
> > *Benefits of Suggested Implementation*=20
> >=20
> > - The word length determines how the seed phrase should be=20
> > interpreted. User only needs to know how many words they have and
> > how many words the wallet supports to check for compatibility with
> > this extension=20
> > - Uses same wordlist to represent the same entropy as a 12 word=20
> > phrase (could be a revision to BIP39 instead of a new BIP)=20
> > - Manual procedure is very simple, each derivation path can use a=20
> > shortened 256 word list which enjoys improved alphabetical=20
> > separation of words=20
> > - May prevent naive word selections which aren't limited to every=20
> > eighth word (similar to what checksum does)=20
> > - Can be extended further. For example, a 32 word phrase with the=20
> > same entropy as a 24 word phrase could also be added. We can keep=20
> > adding formats with unique word length and keep adding uses for the=20
> > meta data as needed.=20
> >=20
>=20

--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/=
20250525214153.163D47C0BC6%40smtp.postman.i2p.