From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by lists.linuxfoundation.org (Postfix) with ESMTP id 64C50C07FF for ; Fri, 20 Mar 2020 15:44:12 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by fraxinus.osuosl.org (Postfix) with ESMTP id 50DC2865A5 for ; Fri, 20 Mar 2020 15:44:12 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from fraxinus.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6RzQtCvhfSUy for ; Fri, 20 Mar 2020 15:44:10 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-40135.protonmail.ch (mail-40135.protonmail.ch [185.70.40.135]) by fraxinus.osuosl.org (Postfix) with ESMTPS id 1EA1C864E6 for ; Fri, 20 Mar 2020 15:44:10 +0000 (UTC) Date: Fri, 20 Mar 2020 15:44:01 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=default; t=1584719047; bh=Sj6juAL+ckM5nj7jagxrR43rYu5QslmcV87NKuSXUSE=; h=Date:To:From:Reply-To:Subject:From; b=H5Wt+5TgvZlns2SzcjhmXiHFYKkbCQrCrORNFHF3PL2IZoO1zs0VChJfk6SL328dP LW6zArWgvNaJ6PTfYfINUh5pgLxZ/4DgmYHBGfrg7BaHY681ppydoY7Quj5tsKRSax epiWGMSj05HUyGcoO2zehAr2ngSWQvZ1WnlHOCB4= To: "bitcoin-dev@lists.linuxfoundation.org" From: Ethan Kosakovsky Reply-To: Ethan Kosakovsky Message-ID: <_CC9MLKCy5rmooAmR91_34tQxgDiXDJCdY4W6_X6xqDJUiAEuaWBVi8iBaFipx2KGt5_mf5XqFKMfoNgemTPCMgraWt5CVRifUM5iMolxto=@protonmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Mailman-Approved-At: Fri, 20 Mar 2020 15:44:48 +0000 Subject: [bitcoin-dev] RFC: Deterministic Entropy From BIP32 Keychains X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Mar 2020 15:44:12 -0000 I would like to present a proposal for discussion and peer review. It aims = to solve the problem of "too many seeds and too many backups" due to the ma= ny reasons stipulated in the proposal text. https://gist.githubusercontent.com/ethankosakovsky/f7d148f588d14e0bb4f70bb6= afc509d0/raw/6da51e837b0e1f1b2b21f3d4cbc2c5a87969ffd5/bip-entropy-from-bip3= 2.mediawiki 
  BIP:
  Title: Deterministic Entropy From BIP32 Keychains
  Author: Ethan Kosakovsky 
  Comments-Summary: No comments yet.
  Comments-URI:
  Status: Proposed
  Type: Standards Track
  Created: 2020-03-20
  License: BSD-2-Clause
           OPL
=3D=3DAbstract=3D=3D This proposal provides a way to derive entropy from a HD keychain path in o= rder to deterministically derive the initial entropy used to create keychai= n mnemonics and seeds. =3D=3DMotivation=3D=3D BIP32 uses some initial entropy as a seed to deterministically derive a BIP= 32 root for hierarchical deterministic keychains. BIP39 introduced a method= of encoding initial entropy into a mnemonic phrase which is used as input = to a one way hash function in order to deterministically derive a BIP32 see= d. The motivation behind mnemonic phrases was to make it easier for humans = to backup and store offline. There are also other variations of this theme. The initial motivation of BIP32 was to make handling of large numbers of pr= ivate keys easier to manage and backup, since you only need one BIP32 seed = to cover all possible keys in the keychain. In practice however, due to var= ious wallet implementations and security models, the average user may be fa= ced with the need to handle an ever growing number of seeds/mnemonics. This= is due to incompatible wallet standards, hardware wallets (HWW), seed form= ats and standards, as well as, the need to used a mix of hot and cold walle= ts depending on the application and environment. Examples would span wallets on mobile phones, online servers running protoc= ols like Join Market or Lightning, and the difference between Electrum and = BIP39 mnemonic seed formats. The reference implementation of Bitcoin Core u= ses BIP32, while other cryptocurrencies like Monero use different mnemonic = encoding schemes. We must also consider the different variety of physical backups including p= aper, metal and other physical storage devices, as well as the potentially = splitting backups across different geographical locations. This complexity = may result in less care being taken with subsequently generated seeds for n= ew wallets need to be stored and it ultimately results in less security. In= reality, the idea of having "one seed for all" has proven to be more diffi= cult in practice than originally thought. Since all these derivation schemes are deterministic based on some initial = entropy, this proposal aims to solve the above problems by detailing a way = to deterministically derive the initial entropy used for new root keychains= using a single BIP32 style "master root key". This will allow one root key= or mnemonic to derive any variety of different root keychains in whatever = format is required (like BIP32 and BIP39 etc). =3D=3DSpecification=3D=3D Input starts with a BIP32 seed. Derivation scheme uses the format `m/836969= 68'/type'/index'` where `type` is the final seed type, and `index` in the k= ey index of the hardened child private key. | type | bits| output | |------|-----|---------------------------| | 0 | 128 | 12 word BIP39 mnemonic | | 1 | 256 | 24 word BIP39 mnemonic | | 2 | 128 | 12 word Electrum mnemonic | | 3 | 256 | 24 word Electrum mnemonic | | 4 | 256 | WIF for Bitcoin Core | | 5 | 256 | 25 word Monero mnemonic | Entropy is calculated from the HMAC-SHA512(key=3Dk, msg=3D'bip-entropy-from= -bip32') of the derived 32 byte private key (k). Entropy is taken from the = result according to the number of bits required. This entropy can then be u= sed as input to derive a mnemonic, wallet etc according to the `type` speci= fied. =3D=3DCompatibility=3D=3D In order to maintain the widest compatibility, the input to this function i= s a BIP32 seed, which may or may not have been derived from a BIP39 like mn= emonic scheme. This maintains the original motivation that one backup can s= tore any and all child derivation schemes depending on the user's preferenc= e or hardware signing devices. For example, devices that store the HD seed = as a BIP39 mnemonic, Electrum seed, or BIP32 root key would all be able to = implement this standard. =3D=3DDiscussion=3D=3D This proposal could be split into multiple discrete BIPs in the same way th= at BIP32 described the derivation mechanics, BIP39 the input encoding with = mnemonics, and the derivation paths like BIP44, BIP49 and BIP84. This has b= een avoided to reduce complexity. The resulting private key processed with = HMAC-SHA512 and truncated as necessary. HMAC-SHA512 was chosen because it m= ay have better compatibility in embedded devices as it's already required i= n devices supporting BIP32. =3D=3DTest Vectors=3D=3D =3D=3D=3DTest case 1=3D=3D=3D MASTER BIP39 SEED INPUT: angle fabric town envelope music diet bind employ = giant era attitude exit final oval one finger decorate pair useless super m= ethod float toddler dance MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2xNoceSiUtx8Wb8Fcrk9FUfzD3MLT4eFx5Nb= Buof9Mwrf7CCbfGJNehNRHvrXnWvy9FtWVaeNggsSKT57GNk7jpk1PRzZDp PATH: m/83696968'/0'/0' BITS REQUIRED: 128 DERIVED CHILD WIF=3DL3cefeCHyo8jczVjckMxaiPBaPUunc3D8CsjRxYbYp3FhasGpsV3 DERIVED CHILD k=3Dbed343b04ba0216d9eeebff0366b61c4179d90d44b61c716ef6d56883= 6ba4d23 CHILD ENTROPY=3D6458698fae3578b48a64124ea3514e12 CONVERT ENTROPY TO WIF=3DKwDiBf89QgGbjEhKnhXJuH7T2Vv72UKQA8KRkmNwVFS2znAS5x= b9 CHILD BIP39 MNEMONIC=3Dgold select glue fragile fiscal fog civil liquid exc= hange box fatal caught CHILD BIP39 SEED=3D2a2720e5590d4ec3140e51ba1b0b0a5183222c1668977c8a57572b0e= a55d238cd8e899b3b1870e48894ca837e41e5d0db07554715efb21556fdde27f9f7ba153 CHILD BIP32 ROOT KEY=3Dxprv9s21ZrQH143K2ZH5qacptquLGvcYpHSNeyFVCU8Ur4u9koca= jbBgcaCbHkGbwDsBR661H29F54j5mz14kwXbY9PZKdNRdjgRcGfshBK9XXb =3D=3D=3DTest case 2=3D=3D=3D MASTER BIP39 SEED INPUT: angle fabric town envelope music diet bind employ = giant era attitude exit final oval one finger decorate pair useless super m= ethod float toddler dance MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2xNoceSiUtx8Wb8Fcrk9FUfzD3MLT4eFx5Nb= Buof9Mwrf7CCbfGJNehNRHvrXnWvy9FtWVaeNggsSKT57GNk7jpk1PRzZDp PATH: m/83696968'/1'/0' BITS REQUIRED: 256 DERIVED CHILD WIF=3DL1zCbtnDWUN4vJA3De4sxmJnoRim57CQUuBb4KBoRNs2EMEq2Brg DERIVED CHILD k=3D8e3ca6054a6303f4a6a1bcbda6134c9802f4f0a0d76b0ee6b69b06b1e= 80b2192 CHILD ENTROPY=3Dec4e2f7e2c3fca9a34fa29747bf8ba0ab7f05136f37e134e2457e9e5363= 9670b CONVERT ENTROPY TO WIF=3DL594JSCygt2wBaB9mCpXjiLkkxkEojpBdNXG8UrrdLd2LvPBRM= Us CHILD BIP39 MNEMONIC=3Dunable imitate test flash witness escape stadium ear= ly inner thank company betray lecture chuckle swift hurt battle illness bic= ycle stable fat bronze order high CHILD BIP39 SEED=3D73509b0e847ee66bddeb098a55063d73e8c6dd5f1c1db6969c668bb5= 4c19bde6eae8acc29a81118d1d9719fa1bc620fee7edd7c15a17bcaf70b0fdfc0c0c3803 CHILD BIP32 ROOT KEY=3Dxprv9s21ZrQH143K4PfLyyjYLVmKbnUTNFK6Y7jPKWfRZB3iSw1G= y9qowEzkYHfetVabfmjHEEPrcTJbh7chae33Sm9uAjuXzhSL6Li8dcwM9Bm =3D=3D=3DTest case 3=3D=3D=3D MASTER BIP39 SEED INPUT: angle fabric town envelope music diet bind employ = giant era attitude exit final oval one finger decorate pair useless super m= ethod float toddler dance MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2xNoceSiUtx8Wb8Fcrk9FUfzD3MLT4eFx5Nb= Buof9Mwrf7CCbfGJNehNRHvrXnWvy9FtWVaeNggsSKT57GNk7jpk1PRzZDp PATH: m/83696968'/4'/0' BITS REQUIRED: 256 DERIVED CHILD WIF=3DKwdD5PYnCU3xQDfFJ6XBf6UDaLrTUxrKmBpdjRuuavWyqAQtpaA2 DERIVED CHILD k=3D0c169ce2c17bea08512a7519769e365242a1562bd63c4c903daef5160= 00efbf2 CHILD ENTROPY=3D25573247f8a76799f7abc086b9286b5a7ccb03cb8d3550f48ac1e71d908= 32974 CONVERT ENTROPY TO WIF=3DKxUJ8VzMk7uWDEcwYjLRzRMGE6sSpwCfQxkE9GEwAvXhFSDNba= 9G CHILD BIP39 MNEMONIC=3Dcensus ridge music vanish island smooth team job mam= mal sing bracket reject smile limit comfort pluck extend picture race soda = suit dose place obtain CHILD BIP39 SEED=3D4e5c82be6455ecf0884d9475435e29a9afb9acf70b07296d7e5039c8= 66e4d54647706918b9d14909dfbd7071a4b7aee8a4ad0ac2bf48f0a09a8899dd28564418 CHILD BIP32 ROOT KEY=3Dxprv9s21ZrQH143K2kekJsK9V6t4ZKwHkY1Q3umxuaAhdZKGxCMp= HiddLdYUQBoynszpwnk5upoC788LiT5MZ5q1vUABXG7AMyZK5UjD9iyL7Am =3D=3DReferences=3D=3D BIP32, BIP39 =3D=3DCopyright=3D=3D This BIP is dual-licensed under the Open Publication License and BSD 2-clau= se license.