public inbox for bitcoindev@googlegroups.com
From: Tobias Kaupat <Tobias@kaupat-hh.de>
To: Erik Aronesty <erik@q32.com>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Encryption of an existing BIP39 mnemonic without changing the seed
Date: Thu, 6 May 2021 16:10:31 +0200	[thread overview]
Message-ID: <CAPyCnfuPdxUa7xRKt+7q92jP3cG4wrjnU9SajwCf19Bc-8=A_w@mail.gmail.com> (raw)
In-Reply-To: <CAJowKg+bpobZq3KfqwO6Rb-tKNw_N-tXoXFE84SdE0jjnc6i3g@mail.gmail.com>


Hello Erik,
Thanks for your reply.
After a little research I came to the same conclusion. PBKDF2 makes sense,
since it is already used in BIP39.
I will update my code.



Regarding SeedXOR:
That's at least a similar solution, but then I have to store 2 phrases. I
really like to keep one part in my head, which is only possible with a
password.
Plus, for anyone who wants to use two seeds, my proposal also works - it just
needs software to be applied.

Kind regards
Tobias Kaupat



Erik Aronesty <erik@q32.com> wrote on Thu., 6 May 2021, 15:19:

> i would stretch the password, with pbkdf2 or argon2 with like 30k
> rounds or something first, rather than "just hashing it".  remember,
> it's pretty easy to validate these seeds - not like you lock someone
> out after 9 guesses!
>
> On Wed, May 5, 2021 at 3:38 PM Tobias Kaupat via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >
> > Hi all,
> > I want to start a discussion about a use case I have and a possible
> solution. I have not found any satisfying solution to this use case yet.
> >
> > Use case:
> > An existing mnemonic (e.g. for a hardware wallet) should be saved on a
> paper backup in a password encrypted form. The encrypted form should be a
> mnemonic itself to keep all backup properties like error correction.
> >
> > Suggested solution:
> > 1) Take the existing mnemonic and extract the related entropy
> > 2) Create a SHA256 hash (key) from a user defined password
> > 3) Use the key as input for an AES CTR (empty IV) to encrypt the entropy
> > 4) Derive a new mnemonic from the encrypted entropy to be stored on a
> paper backup
> >
> > We can add some hints to the paper backup that the mnemonic is encrypted,
> or prefix it with "*" to make clear it's not usable without applying the
> password via the algorithm above.
> >
> > To restore the original mnemonic, one must know the password and needs to
> follow the process above again.
> >
> > An example implementation in GoLang can be found here:
> > https://github.com/Niondir/go-bip39/blob/master/encyrption_test.go
> >
> > Why not use the existing BIP-39 Passphrase?
> > When generating a mnemonic with passphrase, the entropy is derived from
> the passphrase. When you have an existing mnemonic without a passphrase,
> any attempt to add a passphrase will end up in a different seed and thus a
> different private key. What we actually need is to encrypt the entropy.
> >
> > I'm open for your feedback. All encryption parameters are up to
> discussion and the whole proposal needs a security review. It's just the
> first draft.
> >
> > Existing solutions
> > One solution I found is "Seedshift" which can be found here:
> https://github.com/mifunetoshiro/Seedshift
> >
> > But I consider it less secure and I would like to suggest a solution
> based on provably secure algorithms rather than a "rot23 derivation". Also
> using a date as password seems not very clever to me.
> >
> > Kind regards
> > Tobias
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
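The procedure quoted above (recover the raw entropy, stretch the password into a key, run AES-CTR with an all-zero IV over the entropy, re-encode the same-length result as a mnemonic), written out as an added Go example. This is not the code from the go-bip39 repository linked above nor from either poster. It assumes PBKDF2-HMAC-SHA512 at 30,000 iterations (Erik's ballpark figure), a hypothetical fixed salt string, and a constructed 16-byte entropy value; the mnemonic encode/decode step is omitted because it needs the 2048-word BIP39 list, and PBKDF2 is written out by hand so the block depends only on the standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha512"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash"
)

// pbkdf2 implements PBKDF2 (RFC 8018) over the given HMAC hash. It is
// spelled out here only so the example needs nothing outside the stdlib.
func pbkdf2(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
	prf := hmac.New(h, password)
	hLen := prf.Size()
	numBlocks := (keyLen + hLen - 1) / hLen
	var out []byte
	idx := make([]byte, 4)
	for block := 1; block <= numBlocks; block++ {
		// U1 = PRF(salt || INT(block))
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// U_i = PRF(U_{i-1}); T = U1 xor U2 xor ... xor U_iter
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

const (
	iterations = 30000 // assumption: Erik's "like 30k rounds" taken literally
	keyBytes   = 32    // AES-256 key
)

// Hypothetical fixed domain-separation salt; the proposal names none.
var salt = []byte("bip39-entropy-encryption-example")

// deriveKey replaces the original "SHA256 of the password" step with a
// stretched key, as suggested in the reply.
func deriveKey(password string) []byte {
	return pbkdf2([]byte(password), salt, iterations, keyBytes, sha512.New)
}

// encryptEntropy applies AES-CTR with an all-zero IV to raw BIP39 entropy.
// CTR keeps the length, so a 16..32 byte input stays 16..32 bytes and can be
// re-encoded as a mnemonic with the same word count (encoding not shown).
func encryptEntropy(entropy []byte, password string) ([]byte, error) {
	if l := len(entropy); l < 16 || l > 32 || l%4 != 0 {
		return nil, fmt.Errorf("entropy must be 16..32 bytes in 4-byte steps, got %d", l)
	}
	block, err := aes.NewCipher(deriveKey(password))
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize) // empty (all-zero) IV, as in the proposal
	out := make([]byte, len(entropy))
	cipher.NewCTR(block, iv).XORKeyStream(out, entropy)
	return out, nil
}

// decryptEntropy is the identical operation: CTR mode is its own inverse.
func decryptEntropy(ciphertext []byte, password string) ([]byte, error) {
	return encryptEntropy(ciphertext, password)
}

func main() {
	// Constructed stand-in for the entropy recovered from an existing mnemonic.
	entropy, _ := hex.DecodeString("00112233445566778899aabbccddeeff")
	enc, err := encryptEntropy(entropy, "correct horse battery staple")
	if err != nil {
		panic(err)
	}
	dec, _ := decryptEntropy(enc, "correct horse battery staple")
	fmt.Println("entropy:   ", hex.EncodeToString(entropy))
	fmt.Println("encrypted: ", hex.EncodeToString(enc))
	fmt.Println("round trip:", bytes.Equal(dec, entropy))
}
```

Because the ciphertext is re-encoded as a mnemonic with a freshly computed checksum, a wrong password also yields a well-formed mnemonic: nothing in the scheme itself tells the user (or a guesser) whether a password was right short of deriving the wallet's keys from the result. That is exactly why the stretching step matters more here than it would in a system that could lock a guesser out.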


Thread overview:
2021-05-05 17:32 [bitcoin-dev] Encryption of an existing BIP39 mnemonic without changing the seed Tobias Kaupat
2021-05-06 12:56 ` Peter D. Gray
2021-05-06 13:19 ` Erik Aronesty
2021-05-06 14:10   ` Tobias Kaupat [this message]
2021-05-08 22:49 ` yanmaani