Return-Path: <peter@coinkite.com>
Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])
 by lists.linuxfoundation.org (Postfix) with ESMTP id AFF74C0001
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Thu,  6 May 2021 13:01:43 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp1.osuosl.org (Postfix) with ESMTP id AB5FC83B6B
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Thu,  6 May 2021 13:01:43 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -0.5
X-Spam-Level: 
X-Spam-Status: No, score=-0.5 tagged_above=-999 required=5
 tests=[BAYES_05=-0.5, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from smtp1.osuosl.org ([127.0.0.1])
 by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id fXay6qNRGqqq
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Thu,  6 May 2021 13:01:42 +0000 (UTC)
X-Greylist: delayed 00:05:03 by SQLgrey-1.8.0
Received: from smtp114.ord1d.emailsrvr.com (smtp114.ord1d.emailsrvr.com
 [184.106.54.114])
 by smtp1.osuosl.org (Postfix) with ESMTPS id 9313183B0D
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Thu,  6 May 2021 13:01:42 +0000 (UTC)
X-Auth-ID: peter@coinkite.com
Received: by smtp7.relay.ord1d.emailsrvr.com (Authenticated sender:
 peter-AT-coinkite.com) with ESMTPSA id 5C809201E9; 
 Thu,  6 May 2021 08:56:38 -0400 (EDT)
Date: Thu, 6 May 2021 08:56:37 -0400
From: "Peter D. Gray" <peter@coinkite.com>
To: Tobias Kaupat <Tobias@kaupat-hh.de>
Message-ID: <20210506125637.GF1239@coinkite.com>
Reply-To: Peter Gray <peter@coinkite.com>
References: <CAPyCnfvqVT00C2TZ86GXf856jNJqPXY0duRa1CfdCqC0ecC6xA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature"; boundary="xcivb/T/gnJQjo5J"
Content-Disposition: inline
In-Reply-To: <CAPyCnfvqVT00C2TZ86GXf856jNJqPXY0duRa1CfdCqC0ecC6xA@mail.gmail.com>
Organization: Coinkite Inc. (www.coinkite.com)
X-Classification-ID: 97e1937a-bd19-4d5b-8f99-17a0ab2aadb3-1-1
X-Mailman-Approved-At: Thu, 06 May 2021 15:48:29 +0000
Cc: bitcoin-dev@lists.linuxfoundation.org
Subject: Re: [bitcoin-dev] Encryption of an existing BIP39 mnemonic without
 changing the seed
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 06 May 2021 13:01:43 -0000


--xcivb/T/gnJQjo5J
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi Tobias.

The most recent release of Coldcard now offers "Seed XOR" to solve
similar problems. It allows any numbers of standard BIP-39
compatible seed phrases to be bitwise XOR'ed together to make a new seed.

Coldcard can split an existing seed into 2, 3 or 4 new phrases, or
you can take your existing seed phrase, and XOR-in a new seed phrase
to arrive at a new random seed phrase (and wallet).

More details about this feature at: <https://seedxor.com>

Best part is XOR is simple enough that the split or combine operation can
be worked out by hand on paper. (We even made a worksheet for this.)
The checksums on each of the XOR parts protects the final result, and
each "part" is a fully functional decoy wallet.

Hope that helps!

On Wed, May 05, 2021 at 07:32:05PM +0200, Tobias Kaupat wrote:
> Hi all,
> I want to start a discussion about a use case I have and a possible
> solution. I have not found any satisfying solution to this use case yet.
>=20
> *Use case:*
> An existing mnemonic (e.g. for a hardware wallet) should be saved on a
> paper backup in a password encrypted form. The encrypted form should be a
> mnemonic itself to keep all backup properties like error correction.
>=20
> *Suggested solution:*
> 1) Take the existing mnemonic and extract the related entropy
> 2) Create a SHA526 hash (key) from a user defined password
> 3) Use the key as input for an AES CTR (empty IV) to encrypt the entropy
> 4) Derive a new mnemonic from the encrypted entropy to be stored on a pap=
er
> backup
=2E..
> *Existing solutions*
> One solution I found is "Seedshift" which can be found here:
> https://github.com/mifunetoshiro/Seedshift
>=20
> But I consider it less secure and I would like to suggest a solution based
> on provably secure algorithms rather than a "rot23 derivation". Also using
> a date as password seems not very clever to me.
>=20
> Kind regards
> Tobias

---
@DocHEX  ||  Coinkite  ||  PGP: A3A31BAD 5A2A5B10


--xcivb/T/gnJQjo5J
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAABCgAdFiEERYl3mt/BTzMnU06oo6MbrVoqWxAFAmCT54QACgkQo6MbrVoq
WxDsJAgAn+O9CvNpwES6LtLVUrmekggWGLa9nIonNHYrvf+v0YyJBwF6psplfjTR
p7h47zqszHtAgC1VDCT/Gs0zSzuoXn/jlOde+WkYbAupFbRMCgHBgRmY9iI1SGTT
BkBAGLgYvDH7/20e3WYt5jo2PReUv7TEtNJCHxhvwY1LR+4TntfWmnGb9gNBAlMQ
x6ue6nZLENmrV6mVB6KuCwx6O31QTPlSJJMTWtIIRDQOt36BRSRu+BmPM3IIUQWa
dNcwAmtWoO4zVcby8CyS3A8IgsUf5lk7yqTKJU6+MgDZlEJJUNE4cx/QOL1c2/Ia
hlB80kOOVqeZdsWknsDdOz1INOqKVQ==
=mRFk
-----END PGP SIGNATURE-----

--xcivb/T/gnJQjo5J--