To: bitcoin-dev@lists.linuxfoundation.org
From: millibitcoin <millibitcoins@gmail.com>
Message-ID: <5797AC88.8030507@gmail.com>
Date: Tue, 26 Jul 2016 20:31:36 +0200
Subject: [bitcoin-dev] BIP proposal: derived mnemonics

(not sure so sent again after subscribing (one use case added))

Dear Bitcoin developers,

Below is a draft BIP proposal for a master mnemonic sentence from which 
other mnemonic sentences can be derived in a deterministic, 
non-reversible way (on an offline computer). This would make it much 
easier to split funds into smaller fractions and use those in an 
HD wallet when appropriate (just by entering 12 or more words), without 
ever exposing the master mnemonic on an online computer. But there are 
many more use cases.

A reference implementation, specifically for use with a Trezor, has been 
written and can be found at: 
http://thebitcoinecosystem.info/DerivedMnemonics.html

I'm not a professional programmer or cryptographer, so the idea and 
reference implementation will probably need a lot of reviewing but I do 
think Bitcoin needs this extension and the corresponding ease of use and 
improved security model.

In the hope you like the idea,

Regards,
sumBTC


<pre>
   BIP: ???
   Title: Derived mnemonics from a master mnemonic.
   Author: sumBTC <millibitcoins@gmail.com>
   Status: For Discussion
   Type:
   Created: 2016-07-24
</pre>

==Abstract==

This BIP??? uses a master mnemonic sentence, as described in BIP39, for 
the deterministic generation of derived mnemonic sentences. The derived 
mnemonics are of the same format as the master mnemonic but can consist 
of a higher or lower number of words.

Binary seeds can then be generated for derived mnemonics (and master 
mnemonic) as described in BIP39. Each of these seeds can be used to 
generate deterministic wallets using BIP-0032 or similar methods.

==Motivation==

A mnemonic code or sentence is superior for human interaction, as 
described in BIP39, and can, for example, be written on paper or even 
memorized. However, once a mnemonic has been used online, even through a 
hardware wallet, it could be compromised. Using a mnemonic online should 
therefore be considered bad practice from a security standpoint.

We therefore propose the generation of a master mnemonic offline and 
from this generate (also offline) multiple derived mnemonics in a 
deterministic way for online use. The master mnemonic is never used 
online and the master mnemonic cannot be obtained from the derived 
mnemonics. Examples of use cases are described below.

==Generating the master mnemonic==

The master mnemonic is first derived as a standard mnemonic as described 
in BIP39.

==From master mnemonic to derived mnemonics==

From the master mnemonic a new string is created:

string = MasterMnemonic + " " + Count + " " + Strength;

Here, MasterMnemonic is the space-separated words of the master 
mnemonic, Count = 0, 1, 2, ... selects among the different derived 
mnemonics of a given strength, and Strength = numWords / 3 * 32, where 
numWords is the number of words desired for the derived mnemonic and 
only integer arithmetic is used in the calculation (e.g. for numWords = 
14, Strength = 128). Both Count and Strength are converted to strings.

This string is then hashed using sha512:

hash = sha512(string);

and turned into a byte array:

// hash is indexed as an array of 32-bit words; the low byte of each word
// is taken first. byteArray receives strength/8 bytes (strength = Strength above).
var byteArray = new Uint8Array(strength / 8);
for (var i=0; i<strength/8; i++) {
   byteArray[i] = (hash[Math.floor((i%64)/4)] >>> ((i%4)*8)) & 0b11111111;
}

This byte array is then used as the entropy for a new mnemonic, as shown 
in the reference implementation, using the method described in BIP39. 
The core of the new code can be found by jumping to "start: new code" in 
the reference software.

A passphrase used with the master mnemonic has the same effect on the 
derived mnemonics (so it must be included when they are used).

==Reference Implementation==

The reference implementation generates addresses based on BIP44 for a 
24-word master mnemonic and is available from

http://thebitcoinecosystem.info/DerivedMnemonics.html

or

github (not yet)

==Checking the derived mnemonics using Electrum==

The addresses displayed by the reference implementation for each 
mnemonic can be checked with Electrum as follows:

# Move the directory ~/.electrum to a backup directory.
# Start Electrum and choose:
#* Restore a wallet or import keys
#* Hardware wallet
#* Restore Electrum wallet from device seed words
#* TREZOR wallet
# Enter one of the mnemonics and check that Electrum generates the same addresses.

Check the private keys:

# Move the directory ~/.electrum to a backup directory.
# Start Electrum and choose:
#* Restore a wallet or import keys
#* Standard wallet
# Import one of the private keys and check that the correct address is generated.

Some checks should include a passphrase.

==Examples of Use Cases==

A person with 25 bitcoin splits the funds using 5 derived mnemonics and 
sends 5 bitcoin to the first address of each derived mnemonic. He can 
then use a (hardware) HD wallet and simply enter one of the derived 
mnemonics to put only 5 bitcoin online and at risk at a time. All funds 
can be recovered from the master mnemonic.

A person wants to give 10 bitcoin to each of his family members, giving 
each participant a derived mnemonic and sending bitcoin to each of them. 
The donor can always recover the derived mnemonic if one of his family 
members loses it.

For his Trezor wallet, someone wants to memorize only a 12-word master 
seed but wants to enter a 24-word derived seed, so a key logger on his 
computer has 24! possibilities to check and not 12! (not possible with 
the current reference implementation but trivial to add).