From: Adam Ficsor
Date: Mon, 4 Feb 2019 07:49:27 +0100
To: rhavar@protonmail.com, Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Card Shuffle To Bitcoin Seed

Unlike mouse movement it works in CLI software, which is great. However, isn't there something else you can use instead of cards? Something with invariant culture and maybe more common.

On Sun, Feb 3, 2019 at 7:27 PM Ryan Havar via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> More of a shower-thought than a BIP, but it's something I've long wished (hardware) wallets supported:
>
> ---
>
> Abstract: Bitcoin Wallets generally ask us to trust their seed generation is both correct and honest. Especially for hardware and air gapped wallets, this is both a big ask and more or less impossible to practically verify. So we propose a bring-your-own-entropy approach in which the wallet can function completely deterministically. Our method is based on shuffling a physical deck of cards. There are 52! (2^219.88) different shuffle orders, which is a big enough space to be secure against collision and brute force attacks. Conveniently a shuffled deck of cards also can serve as a physical backup which is easy to hide in plain sight with great plausible deniability.
>
>
> Representation:
>
> Each card has a suit which can be represented by one of SCHD (spades, clubs, hearts, diamonds) and a value of one of 23456789TJQKA where the numbers are obvious and (T=ten, J=jack, Q=queen, K=king, A=ace), so "7 of clubs" would be represented by "7C" and a "Ten of Hearts" would be represented with "TH".
>
> A deck of cards looks like:
>
> 2S,3S,4S,5S,6S,7S,8S,9S,TS,JS,QS,KS,AS,2C,3C,4C,5C,6C,7C,8C,9C,TC,JC,QC,KC,AC,2H,3H,4H,5H,6H,7H,8H,9H,TH,JH,QH,KH,AH,2D,3D,4D,5D,6D,7D,8D,9D,TD,JD,QD,KD,AD
>
> And can be verified by making sure that every one of the 52 cards appears exactly once.
>
>
> Step 1. Shuffle your deck of cards
>
> This is a lot harder than you'd imagine, so do it quite a few times, with quite a few different techniques. It is advised to do at *least* 7 good quality shuffles to achieve a true cryptographically secure shuffle. Do not look at the cards while shuffling (to avoid biasing) and don't be afraid to also shuffle them face down on the table. Err on the side of over-shuffling.
> See also: https://en.wikipedia.org/wiki/Shuffling#Sufficient_number_of_shuffles
>
> Step 2. Write out the order (comma separated)
>
> An example shuffle is:
>
> 5C,7C,4C,AS,3C,KC,AD,QS,7S,2S,5H,4D,AC,9C,3H,6H,9D,4S,8D,TD,2H,7H,JD,QD,2D,JC,KH,9S,9H,4H,6C,7D,3D,6S,2C,AH,QC,TH,TC,JS,6D,8H,8C,JH,8S,KD,QH,5D,5S,KS,TS,3S
>
> Step 3. Sha512 it to create a seed
>
> In the example above you should get:
>
> dc04e4c331b1bd347581d4361841335fe0b090d39dfe5e1c258c547255cd5cf1545e2387d8a7c4dc53e03cacca049a414a9269a2ac6954429955476c56038498
>
> Step 4. Interpret it
>
> e.g. For bip32 you would treat the first 32 bytes as the private key, and the second 32 bytes as the extension code.
>
>
> -Ryan
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

-- 
Best,
Ádám
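The four steps of the quoted post, as an added Python example that is not code from the post or from any wallet project. It enforces the post's own check that every one of the 52 cards appears exactly once (a mis-transcribed deck is refused instead of silently yielding a different seed), hashes the written-out order with SHA-512, splits the 64 bytes the way the post describes, and, going one step beyond the post, runs the standard BIP32 master key generation (HMAC-SHA512 keyed with "Bitcoin seed", with the required range check on I_L). Stripping whitespace and upper-casing the tokens before hashing is a canonicalisation choice made here, not in the post, and speaks to the "invariant culture" concern in the reply: the same physical deck must always map to the same byte string. The helper names `rejects` and `summarize` are assumptions of this example. The printed SHA-512 of the post's example shuffle is computed over exactly the comma-separated string with no trailing newline; if a reader's digest differs from the one in the post, a different byte string (spaces, newline, case) is the first thing to check.

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, List, Tuple

# The post's notation: suits S,C,H,D and values 2..9,T,J,Q,K,A, so "7C" is the 7 of clubs.
SUITS = "SCHD"
VALUES = "23456789TJQKA"
FULL_DECK = [v + s for s in SUITS for v in VALUES]   # the unshuffled deck from the post
CARD_SET = frozenset(FULL_DECK)

# Group order of secp256k1; BIP32 requires a master key in the range 1..n-1.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# The example shuffle quoted from the post (not constructed here).
EXAMPLE_SHUFFLE = ("5C,7C,4C,AS,3C,KC,AD,QS,7S,2S,5H,4D,AC,9C,3H,6H,9D,4S,8D,TD,2H,7H,JD,QD,2D,JC,"
                   "KH,9S,9H,4H,6C,7D,3D,6S,2C,AH,QC,TH,TC,JS,6D,8H,8C,JH,8S,KD,QH,5D,5S,KS,TS,3S")


def parse_deck(text: str) -> List[str]:
    """Parse a comma-separated shuffle and enforce the post's check that every one of
    the 52 cards appears exactly once. Tokens are stripped and upper-cased first, a
    canonicalisation choice made here (not in the post) so that "5c, 7c" and "5C,7C"
    describe the same shuffle and therefore hash to the same seed."""
    cards = [tok.strip().upper() for tok in text.split(",")]
    unknown = [c for c in cards if c not in CARD_SET]
    if unknown:
        raise ValueError(f"unknown card(s): {unknown}")
    dupes = sorted(c for c, n in Counter(cards).items() if n > 1)
    if dupes:
        raise ValueError(f"duplicate card(s): {dupes}")
    missing = sorted(CARD_SET - set(cards))
    if missing:
        raise ValueError(f"missing card(s): {missing}")
    return cards  # 52 distinct known cards: exactly one permutation of the deck


def rejects(text: str) -> bool:
    """True if parse_deck refuses the input (helper assumed here to exercise validation)."""
    try:
        parse_deck(text)
    except ValueError:
        return True
    return False


def canonical_order(cards: List[str]) -> str:
    """The exact string that gets hashed: upper-case, comma separated, no spaces, no newline."""
    return ",".join(cards)


def deck_to_seed(text: str) -> bytes:
    """Step 3 of the post: SHA-512 of the written-out order, giving a 64-byte seed.
    The hash only fixes the format; all the entropy comes from the shuffle itself."""
    return hashlib.sha512(canonical_order(parse_deck(text)).encode("ascii")).digest()


def split_seed(seed: bytes) -> Tuple[bytes, bytes]:
    """Step 4 as the post states it: first 32 bytes as private key, last 32 as chain code."""
    if len(seed) != 64:
        raise ValueError("seed must be 64 bytes")
    return seed[:32], seed[32:]


def bip32_master_from_seed(seed: bytes) -> Tuple[int, bytes]:
    """Standard BIP32 master key generation (beyond what the post spells out):
    I = HMAC-SHA512(key=b"Bitcoin seed", data=seed); I_L is the master private key,
    I_R the chain code, and I_L must be a valid scalar (1 <= I_L < n) or the seed is unusable."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(i[:32], "big")
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("seed yields an invalid BIP32 master key; BIP32 says use another seed")
    return k, i[32:]


def summarize(text: str) -> Dict[str, str]:
    """Run the whole pipeline on one shuffle and return the hex artefacts (helper assumed here)."""
    seed = deck_to_seed(text)
    priv, chain = split_seed(seed)
    k, cc = bip32_master_from_seed(seed)
    return {
        "seed_sha512": seed.hex(),
        "post_style_privkey": priv.hex(),
        "post_style_chaincode": chain.hex(),
        "bip32_master_key": f"{k:064x}",
        "bip32_chaincode": cc.hex(),
    }


if __name__ == "__main__":
    for name, value in summarize(EXAMPLE_SHUFFLE).items():
        print(f"{name}: {value}")
    # A mis-transcribed deck (constructed: 3S replaced by a second 5C) is refused outright
    # instead of silently producing a different seed.
    print("bad deck rejected:", rejects(EXAMPLE_SHUFFLE.replace("3S", "5C")))
```

The validation runs before hashing on purpose: a deck with a duplicated or missing card is still a perfectly good input to SHA-512, so without the check a transcription error would produce a plausible-looking seed that can never be reproduced from the physical deck.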