1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
|
Return-Path: <millibitcoins@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id BED8C92B
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 26 Jul 2016 18:31:41 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-wm0-f46.google.com (mail-wm0-f46.google.com [74.125.82.46])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id B4C01259
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 26 Jul 2016 18:31:40 +0000 (UTC)
Received: by mail-wm0-f46.google.com with SMTP id f65so184678572wmi.0
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 26 Jul 2016 11:31:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
h=to:from:subject:message-id:date:user-agent:mime-version
:content-transfer-encoding;
bh=fuPSvWxMdNaFisqS12ZSU8DNkfthbdEfTjP1Jn2TkRA=;
b=i24aWkioIl78JDVRMXGjjU/OVTVUOra33k4bS4fT/XCueXYOic/CB5JbOHUv+gWK2a
gnBRjjsWcsW4VLfMjBmgyBwjXFfUb34tSyjvGpyb7sLmnd9TlRODozCLu0CEzcQFzZSM
BJ85AdmW0jbVC8s0VRkbRQUDc+U14wj2DFyFy8tSlTQXX42JgEzmZ35+kDpRKf8bKOGK
jZuAJVCnOyJ72pNPJIlygiOlDMUM9z0v+fcu8tk6QB8HIr+gxKXhDpytcIQbSjInqJNn
ItTix4gbwYToUhlyN4eTv/arkbnO4UVw1zU5OQzoi/LY7GEaEQBp22F9sVkQgd0yhZpa
0sZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:to:from:subject:message-id:date:user-agent
:mime-version:content-transfer-encoding;
bh=fuPSvWxMdNaFisqS12ZSU8DNkfthbdEfTjP1Jn2TkRA=;
b=CxGXJzj9aCZwf+wLnwn7HuokJkEiQiD4Bg1VI/HUYuoU9yabztgoZYE0/L+4lYndqa
ngPANSLc7PeCWPp5lkilINAT7+ZEzDR6QUvUTJr0wRX5EtM3GB3vdiroCavpYl1BzgdY
/HKW1xmPB9qXb6hqqlZjfysF7xtEkgEif6ebxU+AOamdHkN/KsvnbWFrB1uLD0QmYx2t
4v5NJhfwBIPUQus/JkQxfNlzBbAwVAOTnvB0zKvMjFmYjuHRtPAe5SOhkIVKsumTMLKc
p18A/Ka7H2RMEI9K+7032fc6loSFY6mGiZQ3nWFmsPhlat52bv7uKWTllfzSx4Rlhbpg
JF5Q==
X-Gm-Message-State: AEkooutgLBjX0hy0MatpFlfsjqyMpRC/y+U1c+fMdAVeSXx+Ovz+z4bUyOINFw/xOCp69g==
X-Received: by 10.28.41.131 with SMTP id p125mr24605774wmp.15.1469557899005;
Tue, 26 Jul 2016 11:31:39 -0700 (PDT)
Received: from [192.168.178.13] (52D9D6D7.cm-11-1d.dynamic.ziggo.nl.
[82.217.214.215]) by smtp.googlemail.com with ESMTPSA id
f10sm2268383wje.14.2016.07.26.11.31.37
for <bitcoin-dev@lists.linuxfoundation.org>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Tue, 26 Jul 2016 11:31:38 -0700 (PDT)
To: bitcoin-dev@lists.linuxfoundation.org
From: millibitcoin <millibitcoins@gmail.com>
Message-ID: <5797AC88.8030507@gmail.com>
Date: Tue, 26 Jul 2016 20:31:36 +0200
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101
Thunderbird/38.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM,
RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Tue, 26 Jul 2016 18:44:46 +0000
Subject: [bitcoin-dev] BIP proposal: derived mnemonics
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jul 2016 18:31:41 -0000
(not sure so sent again after subscribing (one use case added))
Dear Bitcoin developers,
Below is provided a draft BIP proposal for a master mnemonic sentence
from which other mnemonics sentences can be derived in a deterministic
non-reversible way (on an offline computer). This would make it much
easier to split funds into smaller fractions and use those in a
HD-wallet when appropriate (just by inserting 12 or more words), without
ever putting the master mnemonic at risk on an online computer. But
there are many more use cases.
A reference implementation, specifically for use with a Trezor, has been
generated and can be found at:
http://thebitcoinecosystem.info/DerivedMnemonics.html
I'm not a professional programmer or cryptographer, so the idea and
reference implementation will probably need a lot of reviewing but I do
think Bitcoin needs this extension and the corresponding ease of use and
improved security model.
In the hope you like the idea,
Regards,
sumBTC
<pre>
BIP: ???
Title: Derived mnemonics from a master mnemonic.
Author: sumBTC <millibitcoins@gmail.com>
Status: For Discussion
Type:
Created: 2016-07-24
</pre>
==Abstract==
This BIP??? uses a master mnemonic sentence, as described in BIP39, for
the deterministic generation of derived mnemonic sentences. The derived
mnemonics are of the same format as the master mnemonic but can consist
of a higher or lower number of words.
Binary seeds can then be generated for derived mnemonics (and master
mnemonic) as described in BIP39. Each of these seeds can be used to
generate deterministic wallets using BIP-0032 or similar methods.
==Motivation==
A mnemonic code or sentence is superior for human interaction as
described in BIP39 and can, for example, be written on paper or even
memorized. However, once a mnemonic has been used online, even through
the use of a hardware wallet, the mnemonic could be compromised. This
should be considered a bad practice from a security standpoint.
We therefore propose the generation of a master mnemonic offline and
from this generate (also offline) multiple derived mnemonics in a
deterministic way for online use. The master mnemonic is never used
online and the master mnemonic cannot be obtained from the derived
mnemonics. Examples of use cases are described below.
==Generating the master mnemonic==
The master mnemonic is first derived as a standard mnemonic as described
in BIP39.
==From master mnemonic to derived mnemonics==
From the master mnemonic a new string is created:
string = MasterMnemonic + " " + Count + " " + Strength;
Here, MasterMnemonic are the space separated words of the master
mnemonic. Count = 0, 1, 2 denotes the different derived mnemonics of a
given strength and Strength = numWords / 3 * 32, where numWords is the
number of words desired for the derived mnemonic and only integer
arithmetic is used in the calculation (e.g. for numWords = 14, Strength
= 128). Both Count and Strength are converted to strings.
This string is then hashed using sha512:
hash = sha512(string);
and turned into a byte array:
for (var i=0; i<strength/8; i++) {
byteArray[i] = (hash[Math.floor((i%64)/4)] >>> ((i%4)*8)) & 0b11111111;
}
This byte array is then used to generate a new mnemonic as shown in the
reference implementation using the method described in BIP39. The core
of the new code in the reference manual can be found by jumping to
"start: new code" in the reference software.
A passphrase for the master mnemonic has the same effect on the derived
mnemoncis (so must be included).
==Reference Implementation==
The reference implementation generates addresses based on BIP44 for a 24
word master mnemonic and is available from
http://thebitcoinecosystem.info/DerivedMnemonics.html
or
github (not yet)
==Checking the derived mnemonics using Electrum==
The displayed addresses in each of the reference implementations can be
easily checked using Electrum in the following manner:
move the directory ~/.electrum to a backup directory.
start Electrum and choose:
Restore a wallet or import keys
Hardware wallet
Restore Electum wallet from device seed words
TREZOR wallet
Insert one of the mnemonics and check that the same addresses are
generated by Electrum
Check the private keys:
move the directory ~/.electrum to a backup directory.
start Electrum and choose:
Restore a wallet or import keys
Standard wallet
Import one of the private keys and check that the correct address has
been generated.
Some checks should include a passphrase.
==Examples of Use Cases==
A person with 25 bitcoin splits funds using 5 derived mnemonics and
sends 5 bitcoins to the first address of each derived mnemonic. He can
then use a (hardware) HD-wallet and simply insert one of the derived
mnemonics to put only 5 bitcoins online and at risk at once. All funds
can be recovered from the master mnemonic.
A person wants to give 10 bitcoin to each of his family members, giving
each participant a derived mnemonic and sending bitcoin to each of them.
The donating person can always recover the derived mnemonic if one of
his family members loses his derived mnemonic.
For his Trezor wallet, someone wants to memorize only a 12 words master
seed but wants to insert a 24 words derived seed so a key logger on his
computer has 24! possibilities to check and not 12! (not a possibility
for the current reference implementation but trivial to add).
|
