Date: Fri, 20 Mar 2020 15:44:01 +0000
To: bitcoin-dev@lists.linuxfoundation.org
From: Ethan Kosakovsky <ethankosakovsky@protonmail.com>
Reply-To: Ethan Kosakovsky <ethankosakovsky@protonmail.com>
Message-ID: <_CC9MLKCy5rmooAmR91_34tQxgDiXDJCdY4W6_X6xqDJUiAEuaWBVi8iBaFipx2KGt5_mf5XqFKMfoNgemTPCMgraWt5CVRifUM5iMolxto=@protonmail.com>
Subject: [bitcoin-dev] RFC: Deterministic Entropy From BIP32 Keychains
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>

I would like to present a proposal for discussion and peer review. It aims to solve the problem of "too many seeds and too many backups" due to the many reasons stipulated in the proposal text.

https://gist.githubusercontent.com/ethankosakovsky/f7d148f588d14e0bb4f70bb6afc509d0/raw/6da51e837b0e1f1b2b21f3d4cbc2c5a87969ffd5/bip-entropy-from-bip32.mediawiki

<pre>
  BIP:
  Title: Deterministic Entropy From BIP32 Keychains
  Author: Ethan Kosakovsky <ethankosakovsky@protonmail.com>
  Comments-Summary: No comments yet.
  Comments-URI:
  Status: Proposed
  Type: Standards Track
  Created: 2020-03-20
  License: BSD-2-Clause
           OPL
</pre>

==Abstract==

This proposal provides a way to derive entropy from a HD keychain path in order to deterministically derive the initial entropy used to create keychain mnemonics and seeds.

==Motivation==

BIP32 uses some initial entropy as a seed to deterministically derive a BIP32 root for hierarchical deterministic keychains. BIP39 introduced a method of encoding initial entropy into a mnemonic phrase, which is used as input to a one-way hash function in order to deterministically derive a BIP32 seed. The motivation behind mnemonic phrases was to make it easier for humans to back up and store offline. There are also other variations of this theme.

The initial motivation of BIP32 was to make large numbers of private keys easier to manage and back up, since you only need one BIP32 seed to cover all possible keys in the keychain. In practice, however, due to various wallet implementations and security models, the average user may be faced with the need to handle an ever growing number of seeds/mnemonics. This is due to incompatible wallet standards, hardware wallets (HWW), seed formats and standards, as well as the need to use a mix of hot and cold wallets depending on the application and environment.

Examples would span wallets on mobile phones, online servers running protocols like Join Market or Lightning, and the difference between Electrum and BIP39 mnemonic seed formats. The reference implementation of Bitcoin Core uses BIP32, while other cryptocurrencies like Monero use different mnemonic encoding schemes.

We must also consider the variety of physical backups, including paper, metal and other physical storage devices, as well as the potential splitting of backups across different geographical locations. This complexity may result in less care being taken in storing the seeds subsequently generated for new wallets, and it ultimately results in less security. In reality, the idea of having "one seed for all" has proven to be more difficult in practice than originally thought.

Since all these derivation schemes are deterministic based on some initial entropy, this proposal aims to solve the above problems by detailing a way to deterministically derive the initial entropy used for new root keychains using a single BIP32 style "master root key". This will allow one root key or mnemonic to derive any variety of different root keychains in whatever format is required (like BIP32 and BIP39 etc).

==Specification==

Input starts with a BIP32 seed. The derivation scheme uses the format `m/83696968'/type'/index'`, where `type` is the final seed type and `index` is the key index of the hardened child private key.

| type | bits | output                    |
|------|------|---------------------------|
|   0  | 128  | 12 word BIP39 mnemonic    |
|   1  | 256  | 24 word BIP39 mnemonic    |
|   2  | 128  | 12 word Electrum mnemonic |
|   3  | 256  | 24 word Electrum mnemonic |
|   4  | 256  | WIF for Bitcoin Core      |
|   5  | 256  | 25 word Monero mnemonic   |

Entropy is calculated from the HMAC-SHA512(key=k, msg='bip-entropy-from-bip32') of the derived 32-byte private key (k). Entropy is taken from the result according to the number of bits required. This entropy can then be used as input to derive a mnemonic, wallet etc. according to the `type` specified.
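The derivation specified above, as an added example that is not part of the proposal or of the author's code: a stand-alone Python implementation of the BIP39 seed step, the hardened-only BIP32 walk down `m/83696968'/type'/index'`, and the HMAC-SHA512 truncation to the bit count in the table. It assumes an empty BIP39 passphrase and ASCII mnemonics (no NFKD normalisation), and all function names are this example's own.

```python
import hashlib
import hmac

# secp256k1 group order: hardened CKDpriv only needs (I_L + k_par) mod n, no EC point arithmetic
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000
PURPOSE = 83696968  # purpose field of the proposal's path m/83696968'/type'/index'
TYPE_BITS = {0: 128, 1: 256, 2: 128, 3: 256, 4: 256, 5: 256}  # output bits per `type`, from the table

def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase (ASCII words assumed)."""
    return hashlib.pbkdf2_hmac("sha512", mnemonic.encode(), ("mnemonic" + passphrase).encode(), 2048)

def parse_path(path: str) -> list:
    """Turn "m/83696968'/0'/0'" into uint32 child indexes; a trailing ' sets the hardened bit."""
    if not path.startswith("m/"):
        raise ValueError("path must start with m/")
    return [int(p.rstrip("'")) | (HARDENED if p.endswith("'") else 0) for p in path[2:].split("/")]

def bip32_master(seed: bytes):
    """BIP32 master: I = HMAC-SHA512(key='Bitcoin seed', msg=seed); k = I_L, chain code = I_R."""
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(I[:32], "big")
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("invalid master key; BIP32 rejects this seed")
    return k, I[32:]

def ckd_priv_hardened(k_par: int, c_par: bytes, index: int):
    """BIP32 CKDpriv for a hardened child: data = 0x00 || ser256(k_par) || ser32(index)."""
    if not index & HARDENED:
        raise ValueError("the proposal's path uses hardened children only")
    data = b"\x00" + k_par.to_bytes(32, "big") + index.to_bytes(4, "big")
    I = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(I[:32], "big")
    k = (il + k_par) % SECP256K1_N
    if il >= SECP256K1_N or k == 0:
        raise ValueError("invalid child key; BIP32 says to skip this index")
    return k, I[32:]

def derive_entropy(seed: bytes, seed_type: int, index: int) -> bytes:
    """Walk m/83696968'/type'/index' from the BIP32 seed, then take
    HMAC-SHA512(key=k, msg='bip-entropy-from-bip32') truncated to the type's bit count."""
    k, c = bip32_master(seed)
    for i in parse_path(f"m/{PURPOSE}'/{seed_type}'/{index}'"):
        k, c = ckd_priv_hardened(k, c, i)
    digest = hmac.new(k.to_bytes(32, "big"), b"bip-entropy-from-bip32", hashlib.sha512).digest()
    return digest[: TYPE_BITS[seed_type] // 8]
```

Calling `derive_entropy(bip39_seed(mnemonic), 0, 0).hex()` with the 24-word mnemonic from test case 1 below gives the value to compare against its CHILD ENTROPY line.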

==Compatibility==

In order to maintain the widest compatibility, the input to this function is a BIP32 seed, which may or may not have been derived from a BIP39-like mnemonic scheme. This maintains the original motivation that one backup can store any and all child derivation schemes depending on the user's preference or hardware signing devices. For example, devices that store the HD seed as a BIP39 mnemonic, Electrum seed, or BIP32 root key would all be able to implement this standard.

==Discussion==

This proposal could be split into multiple discrete BIPs in the same way that BIP32 described the derivation mechanics, BIP39 the input encoding with mnemonics, and the derivation paths like BIP44, BIP49 and BIP84. This has been avoided to reduce complexity. The resulting private key is processed with HMAC-SHA512 and truncated as necessary. HMAC-SHA512 was chosen because it may have better compatibility in embedded devices, as it is already required in devices supporting BIP32.

==Test Vectors==

===Test case 1===

MASTER BIP39 SEED INPUT: angle fabric town envelope music diet bind employ giant era attitude exit final oval one finger decorate pair useless super method float toddler dance
MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2xNoceSiUtx8Wb8Fcrk9FUfzD3MLT4eFx5NbBuof9Mwrf7CCbfGJNehNRHvrXnWvy9FtWVaeNggsSKT57GNk7jpk1PRzZDp
PATH: m/83696968'/0'/0'
BITS REQUIRED: 128

DERIVED CHILD WIF=L3cefeCHyo8jczVjckMxaiPBaPUunc3D8CsjRxYbYp3FhasGpsV3
DERIVED CHILD k=bed343b04ba0216d9eeebff0366b61c4179d90d44b61c716ef6d568836ba4d23
CHILD ENTROPY=6458698fae3578b48a64124ea3514e12
CONVERT ENTROPY TO WIF=KwDiBf89QgGbjEhKnhXJuH7T2Vv72UKQA8KRkmNwVFS2znAS5xb9
CHILD BIP39 MNEMONIC=gold select glue fragile fiscal fog civil liquid exchange box fatal caught
CHILD BIP39 SEED=2a2720e5590d4ec3140e51ba1b0b0a5183222c1668977c8a57572b0ea55d238cd8e899b3b1870e48894ca837e41e5d0db07554715efb21556fdde27f9f7ba153
CHILD BIP32 ROOT KEY=xprv9s21ZrQH143K2ZH5qacptquLGvcYpHSNeyFVCU8Ur4u9kocajbBgcaCbHkGbwDsBR661H29F54j5mz14kwXbY9PZKdNRdjgRcGfshBK9XXb


===Test case 2===

MASTER BIP39 SEED INPUT: angle fabric town envelope music diet bind employ giant era attitude exit final oval one finger decorate pair useless super method float toddler dance
MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2xNoceSiUtx8Wb8Fcrk9FUfzD3MLT4eFx5NbBuof9Mwrf7CCbfGJNehNRHvrXnWvy9FtWVaeNggsSKT57GNk7jpk1PRzZDp
PATH: m/83696968'/1'/0'
BITS REQUIRED: 256

DERIVED CHILD WIF=L1zCbtnDWUN4vJA3De4sxmJnoRim57CQUuBb4KBoRNs2EMEq2Brg
DERIVED CHILD k=8e3ca6054a6303f4a6a1bcbda6134c9802f4f0a0d76b0ee6b69b06b1e80b2192
CHILD ENTROPY=ec4e2f7e2c3fca9a34fa29747bf8ba0ab7f05136f37e134e2457e9e53639670b
CONVERT ENTROPY TO WIF=L594JSCygt2wBaB9mCpXjiLkkxkEojpBdNXG8UrrdLd2LvPBRMUs
CHILD BIP39 MNEMONIC=unable imitate test flash witness escape stadium early inner thank company betray lecture chuckle swift hurt battle illness bicycle stable fat bronze order high
CHILD BIP39 SEED=73509b0e847ee66bddeb098a55063d73e8c6dd5f1c1db6969c668bb54c19bde6eae8acc29a81118d1d9719fa1bc620fee7edd7c15a17bcaf70b0fdfc0c0c3803
CHILD BIP32 ROOT KEY=xprv9s21ZrQH143K4PfLyyjYLVmKbnUTNFK6Y7jPKWfRZB3iSw1Gy9qowEzkYHfetVabfmjHEEPrcTJbh7chae33Sm9uAjuXzhSL6Li8dcwM9Bm


===Test case 3===

MASTER BIP39 SEED INPUT: angle fabric town envelope music diet bind employ giant era attitude exit final oval one finger decorate pair useless super method float toddler dance
MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2xNoceSiUtx8Wb8Fcrk9FUfzD3MLT4eFx5NbBuof9Mwrf7CCbfGJNehNRHvrXnWvy9FtWVaeNggsSKT57GNk7jpk1PRzZDp
PATH: m/83696968'/4'/0'
BITS REQUIRED: 256

DERIVED CHILD WIF=KwdD5PYnCU3xQDfFJ6XBf6UDaLrTUxrKmBpdjRuuavWyqAQtpaA2
DERIVED CHILD k=0c169ce2c17bea08512a7519769e365242a1562bd63c4c903daef516000efbf2
CHILD ENTROPY=25573247f8a76799f7abc086b9286b5a7ccb03cb8d3550f48ac1e71d90832974
CONVERT ENTROPY TO WIF=KxUJ8VzMk7uWDEcwYjLRzRMGE6sSpwCfQxkE9GEwAvXhFSDNba9G
CHILD BIP39 MNEMONIC=census ridge music vanish island smooth team job mammal sing bracket reject smile limit comfort pluck extend picture race soda suit dose place obtain
CHILD BIP39 SEED=4e5c82be6455ecf0884d9475435e29a9afb9acf70b07296d7e5039c866e4d54647706918b9d14909dfbd7071a4b7aee8a4ad0ac2bf48f0a09a8899dd28564418
CHILD BIP32 ROOT KEY=xprv9s21ZrQH143K2kekJsK9V6t4ZKwHkY1Q3umxuaAhdZKGxCMpHiddLdYUQBoynszpwnk5upoC788LiT5MZ5q1vUABXG7AMyZK5UjD9iyL7Am

==References==

BIP32, BIP39

==Copyright==

This BIP is dual-licensed under the Open Publication License and BSD 2-clause license.