From: Adam Ficsor <adam.ficsor73@gmail.com>
Date: Mon, 4 Feb 2019 07:49:27 +0100
Message-ID: <CAEPKjgeuO7NU+i3pS-0ks6sfeJRiig2UkZHakUasRzCWLyZoUg@mail.gmail.com>
To: rhavar@protonmail.com, 
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Card Shuffle To Bitcoin Seed

Unlike mouse movement it works in a CLI software, which is great. However,
isn't there something else you can use instead of cards? Something with
invariant culture and maybe more common.

On Sun, Feb 3, 2019 at 7:27 PM Ryan Havar via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> More of a shower-thought than a BIP, but it's something I've long wished
> (hardware) wallets supported:
>
> ---
>
> Abstract: Bitcoin Wallets generally ask us to trust their seed generation
> is both correct and honest. Especially for hardware and air gapped wallets,
> this is both a big ask and more or less impossible to practically verify.
> So we propose a bring-your-own-entropy approach in which the wallet can
> function completely deterministically. Our method is based on shuffling
> a physical deck of cards. There are 52!  (2^219.88) different shuffle orders,
> which is a big enough space to be secure against collision and brute force
> attacks. Conveniently a shuffled deck of cards also can serve as a physical
> backup which is easy to hide in plain sight with great plausible
> deniability.
>
>
> Representation:
>
> Each card has a suit which can be represented by one of SCHD (spades,
> clubs, hearts, diamonds) and a value of one of 23456789TJQKA where the
> numbers are obvious and (T=ten, J=jack, Q=queen, K=king, A=ace) so "7 of
> clubs" would be represented by "7C" and a "Ten of Hearts" would be
> represented with "TH".
>
> A deck of cards looks like:
>
>
> 2S,3S,4S,5S,6S,7S,8S,9S,TS,JS,QS,KS,AS,2C,3C,4C,5C,6C,7C,8C,9C,TC,JC,QC,KC,AC,2H,3H,4H,5H,6H,7H,8H,9H,TH,JH,QH,KH,AH,2D,3D,4D,5D,6D,7D,8D,9D,TD,JD,QD,KD,AD
>
> And can be verified by making sure that every one of the 52 cards appears
> exactly once.
>
>
> Step 1.  Shuffle your deck of cards
>
> This is a lot harder than you'd imagine, so do it quite a few times, with
> quite a few different techniques. It is advised to do at *least* 7 good
> quality shuffles to achieve a true cryptographically secure shuffle. Do not
> look at the cards while shuffling (to avoid biasing) and don't be afraid to
> also shuffle them face down on the table. Err on the side of
> over-shuffling.
> See also:
> https://en.wikipedia.org/wiki/Shuffling#Sufficient_number_of_shuffles
>
> Step 2. Write out the order (comma separated)
>
> An example shuffle is:
>
>
> 5C,7C,4C,AS,3C,KC,AD,QS,7S,2S,5H,4D,AC,9C,3H,6H,9D,4S,8D,TD,2H,7H,JD,QD,2D,JC,KH,9S,9H,4H,6C,7D,3D,6S,2C,AH,QC,TH,TC,JS,6D,8H,8C,JH,8S,KD,QH,5D,5S,KS,TS,3S
>
> Step 3.  Sha512 it to create a seed
>
> In the example above you should get:
>
> dc04e4c331b1bd347581d4361841335fe0b090d39dfe5e1c258c547255cd5cf1545e2387d8a7c4dc53e03cacca049a414a9269a2ac6954429955476c56038498
>
> Step 4. Interpret it
>
> e.g. For bip32 you would treat the first 32 bytes as the private key, and
> the second 32 bytes as the extension code.
>
>
>
>
> -Ryan


-- 
Best,
Ádám
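
The four steps of the quoted proposal, as an added example that is not code from the original posts or from any wallet. It checks that every one of the 52 cards appears exactly once, hashes the deck with SHA-512 and splits the digest into two 32-byte halves. The function names are hypothetical, and the byte serialization (upper-case ASCII, comma-separated, no spaces, no trailing newline) is an assumption, since the post does not specify it and a different serialization gives a different digest.

```python
import hashlib
import math

SUITS = "SCHD"
VALUES = "23456789TJQKA"
FULL_DECK = {v + s for s in SUITS for v in VALUES}


def parse_deck(text: str) -> list[str]:
    """Parse a comma-separated deck and check every card appears exactly once."""
    cards = [c.strip().upper() for c in text.split(",")]
    unknown = [c for c in cards if c not in FULL_DECK]
    if unknown:
        raise ValueError(f"not a card: {unknown}")
    dupes = sorted({c for c in cards if cards.count(c) > 1})
    if dupes:
        raise ValueError(f"duplicated: {dupes}")
    missing = sorted(FULL_DECK - set(cards))
    if missing:
        raise ValueError(f"missing: {missing}")
    return cards


def deck_to_seed(text: str) -> tuple[bytes, bytes]:
    """Return (first 32 bytes, second 32 bytes) of SHA-512 over the canonical deck."""
    # Assumed serialization: normalized cards joined by "," with no whitespace.
    canonical = ",".join(parse_deck(text)).encode("ascii")
    digest = hashlib.sha512(canonical).digest()
    return digest[:32], digest[32:]


def max_entropy_bits() -> float:
    """log2(52!): an upper bound, reached only by a uniformly random shuffle."""
    return math.log2(math.factorial(52))


# The example shuffle from the post.
EXAMPLE = ("5C,7C,4C,AS,3C,KC,AD,QS,7S,2S,5H,4D,AC,9C,3H,6H,9D,4S,8D,TD,2H,7H,JD,QD,2D,"
           "JC,KH,9S,9H,4H,6C,7D,3D,6S,2C,AH,QC,TH,TC,JS,6D,8H,8C,JH,8S,KD,QH,5D,5S,KS,TS,3S")

if __name__ == "__main__":
    first, second = deck_to_seed(EXAMPLE)
    print("first 32 bytes :", first.hex())
    print("second 32 bytes:", second.hex())
    print(f"max entropy    : {max_entropy_bits():.2f} bits")
```

Normalizing the input before hashing matters because the seed is only recoverable if the same deck always produces the same bytes; a stray space or lower-case letter would otherwise yield a different wallet.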
