Date: Sun, 22 Mar 2020 11:58:53 +0000
From: Ethan Kosakovsky
To: Ethan Kosakovsky, Bitcoin Protocol Discussion
Subject: Re: [bitcoin-dev] RFC: Deterministic Entropy From BIP32 Keychains
I have completely revised the wording of this proposal; I hope to be clearer in explaining the motivation and methodology.

https://gist.github.com/ethankosakovsky/268c52f018b94bea29a6e809381c05d6

Ethan

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, March 20, 2020 4:44 PM, Ethan Kosakovsky via bitcoin-dev wrote:

> I would like to present a proposal for discussion and peer review. It aims to solve the problem of "too many seeds and too many backups" due to the many reasons stipulated in the proposal text.
>
> https://gist.githubusercontent.com/ethankosakovsky/f7d148f588d14e0bb4f70bb6afc509d0/raw/6da51e837b0e1f1b2b21f3d4cbc2c5a87969ffd5/bip-entropy-from-bip32.mediawiki
>
> BIP:
> Title: Deterministic Entropy From BIP32 Keychains
> Author: Ethan Kosakovsky ethankosakovsky@protonmail.com
> Comments-Summary: No comments yet.
> Comments-URI:
> Status: Proposed
> Type: Standards Track
> Created: 2020-03-20
> License: BSD-2-Clause
> OPL
> 
>
> ==Abstract==
>
> This proposal provides a way to derive entropy from a HD keychain path in order to deterministically derive the initial entropy used to create keychain mnemonics and seeds.
>
> ==Motivation==
>
> BIP32 uses some initial entropy as a seed to deterministically derive a BIP32 root for hierarchical deterministic keychains. BIP39 introduced a method of encoding initial entropy into a mnemonic phrase which is used as input to a one-way hash function in order to deterministically derive a BIP32 seed. The motivation behind mnemonic phrases was to make it easier for humans to back up and store offline. There are also other variations of this theme.
>
> The initial motivation of BIP32 was to make handling of large numbers of private keys easier to manage and back up, since you only need one BIP32 seed to cover all possible keys in the keychain. In practice however, due to various wallet implementations and security models, the average user may be faced with the need to handle an ever growing number of seeds/mnemonics. This is due to incompatible wallet standards, hardware wallets (HWW), seed formats and standards, as well as the need to use a mix of hot and cold wallets depending on the application and environment.
>
> Examples would span wallets on mobile phones, online servers running protocols like Join Market or Lightning, and the difference between Electrum and BIP39 mnemonic seed formats. The reference implementation of Bitcoin Core uses BIP32, while other cryptocurrencies like Monero use different mnemonic encoding schemes.
>
> We must also consider the different variety of physical backups including paper, metal and other physical storage devices, as well as potentially splitting backups across different geographical locations. This complexity may result in less care being taken with subsequently generated seeds for new wallets that need to be stored, and it ultimately results in less security. In reality, the idea of having "one seed for all" has proven to be more difficult in practice than originally thought.
>
> Since all these derivation schemes are deterministic based on some initial entropy, this proposal aims to solve the above problems by detailing a way to deterministically derive the initial entropy used for new root keychains using a single BIP32 style "master root key". This will allow one root key or mnemonic to derive any variety of different root keychains in whatever format is required (like BIP32 and BIP39 etc).
>
> ==Specification==
>
> Input starts with a BIP32 seed. Derivation scheme uses the format `m/83696968'/type'/index'` where `type` is the final seed type, and `index` is the key index of the hardened child private key.
>
> type  bits  output
> 0     128   12 word BIP39 mnemonic
> 1     256   24 word BIP39 mnemonic
> 2     128   12 word Electrum mnemonic
> 3     256   24 word Electrum mnemonic
> 4     256   WIF for Bitcoin Core
> 5     256   25 word Monero mnemonic
>
> Entropy is calculated from the HMAC-SHA512(key=k, msg='bip-entropy-from-bip32') of the derived 32 byte private key (k). Entropy is taken from the result according to the number of bits required. This entropy can then be used as input to derive a mnemonic, wallet etc according to the `type` specified.
>
> ==Compatibility==
>
> In order to maintain the widest compatibility, the input to this function is a BIP32 seed, which may or may not have been derived from a BIP39 like mnemonic scheme. This maintains the original motivation that one backup can store any and all child derivation schemes depending on the user's preference or hardware signing devices. For example, devices that store the HD seed as a BIP39 mnemonic, Electrum seed, or BIP32 root key would all be able to implement this standard.
>
> ==Discussion==
>
> This proposal could be split into multiple discrete BIPs in the same way that BIP32 described the derivation mechanics, BIP39 the input encoding with mnemonics, and the derivation paths like BIP44, BIP49 and BIP84. This has been avoided to reduce complexity. The resulting private key is processed with HMAC-SHA512 and truncated as necessary. HMAC-SHA512 was chosen because it may have better compatibility in embedded devices as it's already required in devices supporting BIP32.
>
> ==Test Vectors==
>
> ===Test case 1===
>
> MASTER BIP39 SEED INPUT: angle fabric town envelope music diet bind employ giant era attitude exit final oval one finger decorate pair useless super method float toddler dance
> MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2xNoceSiUtx8Wb8Fcrk9FUfzD3MLT4eFx5NbBuof9Mwrf7CCbfGJNehNRHvrXnWvy9FtWVaeNggsSKT57GNk7jpk1PRzZDp
> PATH: m/83696968'/0'/0'
> BITS REQUIRED: 128
>
> DERIVED CHILD WIF=L3cefeCHyo8jczVjckMxaiPBaPUunc3D8CsjRxYbYp3FhasGpsV3
> DERIVED CHILD k=bed343b04ba0216d9eeebff0366b61c4179d90d44b61c716ef6d568836ba4d23
> CHILD ENTROPY=6458698fae3578b48a64124ea3514e12
> CONVERT ENTROPY TO WIF=KwDiBf89QgGbjEhKnhXJuH7T2Vv72UKQA8KRkmNwVFS2znAS5xb9
> CHILD BIP39 MNEMONIC=gold select glue fragile fiscal fog civil liquid exchange box fatal caught
> CHILD BIP39 SEED=2a2720e5590d4ec3140e51ba1b0b0a5183222c1668977c8a57572b0ea55d238cd8e899b3b1870e48894ca837e41e5d0db07554715efb21556fdde27f9f7ba153
> CHILD BIP32 ROOT KEY=xprv9s21ZrQH143K2ZH5qacptquLGvcYpHSNeyFVCU8Ur4u9kocajbBgcaCbHkGbwDsBR661H29F54j5mz14kwXbY9PZKdNRdjgRcGfshBK9XXb
>
> ===Test case 2===
>
> MASTER BIP39 SEED INPUT: angle fabric town envelope music diet bind employ giant era attitude exit final oval one finger decorate pair useless super method float toddler dance
> MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2xNoceSiUtx8Wb8Fcrk9FUfzD3MLT4eFx5NbBuof9Mwrf7CCbfGJNehNRHvrXnWvy9FtWVaeNggsSKT57GNk7jpk1PRzZDp
> PATH: m/83696968'/1'/0'
> BITS REQUIRED: 256
>
> DERIVED CHILD WIF=L1zCbtnDWUN4vJA3De4sxmJnoRim57CQUuBb4KBoRNs2EMEq2Brg
> DERIVED CHILD k=8e3ca6054a6303f4a6a1bcbda6134c9802f4f0a0d76b0ee6b69b06b1e80b2192
> CHILD ENTROPY=ec4e2f7e2c3fca9a34fa29747bf8ba0ab7f05136f37e134e2457e9e53639670b
> CONVERT ENTROPY TO WIF=L594JSCygt2wBaB9mCpXjiLkkxkEojpBdNXG8UrrdLd2LvPBRMUs
> CHILD BIP39 MNEMONIC=unable imitate test flash witness escape stadium early inner thank company betray lecture chuckle swift hurt battle illness bicycle stable fat bronze order high
> CHILD BIP39 SEED=73509b0e847ee66bddeb098a55063d73e8c6dd5f1c1db6969c668bb54c19bde6eae8acc29a81118d1d9719fa1bc620fee7edd7c15a17bcaf70b0fdfc0c0c3803
> CHILD BIP32 ROOT KEY=xprv9s21ZrQH143K4PfLyyjYLVmKbnUTNFK6Y7jPKWfRZB3iSw1Gy9qowEzkYHfetVabfmjHEEPrcTJbh7chae33Sm9uAjuXzhSL6Li8dcwM9Bm
>
> ===Test case 3===
>
> MASTER BIP39 SEED INPUT: angle fabric town envelope music diet bind employ giant era attitude exit final oval one finger decorate pair useless super method float toddler dance
> MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2xNoceSiUtx8Wb8Fcrk9FUfzD3MLT4eFx5NbBuof9Mwrf7CCbfGJNehNRHvrXnWvy9FtWVaeNggsSKT57GNk7jpk1PRzZDp
> PATH: m/83696968'/4'/0'
> BITS REQUIRED: 256
>
> DERIVED CHILD WIF=KwdD5PYnCU3xQDfFJ6XBf6UDaLrTUxrKmBpdjRuuavWyqAQtpaA2
> DERIVED CHILD k=0c169ce2c17bea08512a7519769e365242a1562bd63c4c903daef516000efbf2
> CHILD ENTROPY=25573247f8a76799f7abc086b9286b5a7ccb03cb8d3550f48ac1e71d90832974
> CONVERT ENTROPY TO WIF=KxUJ8VzMk7uWDEcwYjLRzRMGE6sSpwCfQxkE9GEwAvXhFSDNba9G
> CHILD BIP39 MNEMONIC=census ridge music vanish island smooth team job mammal sing bracket reject smile limit comfort pluck extend picture race soda suit dose place obtain
> CHILD BIP39 SEED=4e5c82be6455ecf0884d9475435e29a9afb9acf70b07296d7e5039c866e4d54647706918b9d14909dfbd7071a4b7aee8a4ad0ac2bf48f0a09a8899dd28564418
> CHILD BIP32 ROOT KEY=xprv9s21ZrQH143K2kekJsK9V6t4ZKwHkY1Q3umxuaAhdZKGxCMpHiddLdYUQBoynszpwnk5upoC788LiT5MZ5q1vUABXG7AMyZK5UjD9iyL7Am
>
> ==References==
>
> BIP32, BIP39
>
> ==Copyright==
>
> This BIP is dual-licensed under the Open Publication License and BSD 2-clause license.
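The derivation the quoted draft specifies, written out as an added, dependency-free Python example so the steps can be followed end to end: BIP39 mnemonic to seed (PBKDF2-HMAC-SHA512), BIP32 master key (HMAC-SHA512 keyed with "Bitcoin seed"), three hardened CKDpriv steps for m/83696968'/type'/index', then HMAC-SHA512 over the child private key and truncation to the bit width from the draft's table. This is editor-added code, not Ethan's reference implementation or the gist; the function names (bip39_seed, bip32_master, ckd_priv_hardened, derive_entropy) are this example's own. The HMAC key/message roles are taken literally from the quoted specification (key=k, msg='bip-entropy-from-bip32'); if the revised gist changes them, the one line in derive_entropy is what changes. The script recomputes test case 1 (type 0, index 0) from the posted master mnemonic and reports whether it reproduces the posted CHILD ENTROPY.

```python
# Added example: the draft's entropy derivation, implemented from the posted text only.
import hashlib
import hmac
import unicodedata

# secp256k1 group order, needed to reduce the child key in BIP32 CKDpriv.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000
PURPOSE = 83696968                 # first path element in m/83696968'/type'/index'
LABEL = b"bip-entropy-from-bip32"  # HMAC message string from the draft
# type -> bits, copied from the draft's table.
TYPE_BITS = {0: 128, 1: 256, 2: 128, 3: 256, 4: 256, 5: 256}


def bip39_seed(mnemonic, passphrase=""):
    """BIP39 mnemonic -> 64-byte seed: PBKDF2-HMAC-SHA512, 2048 rounds,
    salt "mnemonic" + passphrase, both NFKD-normalised."""
    pw = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", pw, salt, 2048)


def bip32_master(seed):
    """BIP32 master: I = HMAC-SHA512(key=b"Bitcoin seed", msg=seed); k = IL, c = IR."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k_int = int.from_bytes(digest[:32], "big")
    if k_int == 0 or k_int >= SECP256K1_N:
        raise ValueError("invalid master key; BIP32 declares this seed unusable")
    return digest[:32], digest[32:]


def ckd_priv_hardened(k, chain, index):
    """Hardened CKDpriv: data = 0x00 || k || ser32(index + 2^31)."""
    if not 0 <= index < HARDENED:
        raise ValueError("pass the unhardened index; 2^31 is added here")
    data = b"\x00" + k + (index + HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    child = (il + int.from_bytes(k, "big")) % SECP256K1_N
    if il >= SECP256K1_N or child == 0:
        # BIP32 invalid-child case (probability about 2^-127); callers skip the index.
        raise ValueError("invalid child key for index %d" % index)
    return child.to_bytes(32, "big"), digest[32:]


def derive_entropy(seed, app_type, index):
    """The draft's scheme: derive m/83696968'/type'/index' from a BIP32 seed,
    compute HMAC-SHA512(key=k, msg='bip-entropy-from-bip32') with the child
    private key k, and keep the first TYPE_BITS[type] bits of the result."""
    if app_type not in TYPE_BITS:
        raise ValueError("unknown type %d" % app_type)
    k, chain = bip32_master(seed)
    for element in (PURPOSE, app_type, index):
        k, chain = ckd_priv_hardened(k, chain, element)
    digest = hmac.new(k, LABEL, hashlib.sha512).digest()
    return digest[: TYPE_BITS[app_type] // 8]


# Test case 1 from the quoted draft: master mnemonic and posted child entropy.
TEST_MNEMONIC = ("angle fabric town envelope music diet bind employ giant era "
                 "attitude exit final oval one finger decorate pair useless "
                 "super method float toddler dance")
TEST_CHILD_ENTROPY_HEX = "6458698fae3578b48a64124ea3514e12"


def matches_test_vector():
    """Recompute test case 1 (type 0, index 0) and compare with the posted value."""
    seed = bip39_seed(TEST_MNEMONIC)
    return derive_entropy(seed, 0, 0).hex() == TEST_CHILD_ENTROPY_HEX


if __name__ == "__main__":
    seed = bip39_seed(TEST_MNEMONIC)
    for app_type in (0, 1):
        ent = derive_entropy(seed, app_type, 0)
        print("m/%d'/%d'/0' -> %d bits: %s" % (PURPOSE, app_type, len(ent) * 8, ent.hex()))
    print("test case 1 child entropy reproduced:", matches_test_vector())
```

Two points worth noting when reading the code against the draft: the truncation is what makes the 128-bit and 256-bit outputs of the same HMAC differ only in length, so the `type` element in the path, not the truncation, is what keeps a 12-word and a 24-word child from sharing a prefix; and because every step is hardened, the child entropy cannot be reached from the master extended public key, which is the property a backup scheme like this depends on.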