From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1VZOiv-0002ys-OG for bitcoin-development@lists.sourceforge.net; Thu, 24 Oct 2013 17:29:29 +0000 Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of gmx.de designates 212.227.17.21 as permitted sender) client-ip=212.227.17.21; envelope-from=thomasV1@gmx.de; helo=mout.gmx.net; Received: from mout.gmx.net ([212.227.17.21]) by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.76) id 1VZOiq-0003a4-NI for bitcoin-development@lists.sourceforge.net; Thu, 24 Oct 2013 17:29:29 +0000 Received: from 3capp-gmx-bs09.server.lan ([172.19.170.60]) by mrigmx.server.lan (mrigmx001) with ESMTP (Nemesis) id 0Lvvff-1VlItX1WdJ-017ihG for ; Thu, 24 Oct 2013 19:29:18 +0200 Received: from [86.73.30.143] by 3capp-gmx-bs09.server.lan with HTTP; Thu Oct 24 19:29:18 CEST 2013 MIME-Version: 1.0 Message-ID: From: thomasV1@gmx.de To: bitcoin-development@lists.sourceforge.net Content-Type: text/plain; charset=UTF-8 Date: Thu, 24 Oct 2013 19:29:18 +0200 (CEST) Importance: normal Sensitivity: Normal X-Priority: 3 X-Provags-ID: V03:K0:wMcaW9tSmHX+5Nkouz/EHHSB7ntRNF8Ax+cQw6+jp29 SE7vRbbo9PlZfl/5wiRUKbM7aObir7/n/+21z2d6JNJ5JmtcHx 5dR8vLXzZdVVvKu8Za83xOwNKmIpaCxGvTzrVdLvQk1esp+IPw viVoRXw4sIldI2N02IPrTC3puCYkfNMu9w2wpQoDb4gK9CSBz7 obpQP3M3NghXQihertSpcsiWkxrCaMvz0ZteJfwIZery8LWODT m3EpjQSQcjthrN0/jKfGNQXaktBqYZ/n4z9I4HmuHxRuQudicw Z9WgoA= X-Spam-Score: -1.2 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [212.227.17.21 listed in list.dnswl.org] -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (thomasv1[at]gmx.de) -0.0 SPF_PASS SPF: sender matches SPF record 0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit (thomasv1[at]gmx.de) 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: bitcointalk.org] X-Headers-End: 1VZOiq-0003a4-NI Subject: [Bitcoin-development] Proposal to replace BIP0039 X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Oct 2013 17:29:29 -0000 I would like to propose a new BIP, that replaces BIP0039. My initial problem was that BIP0039 is not backward compatible with Electrum. When trying to solve that, I realized that the seed encoding used in Electrum does not help, because it does not contain a version number information. However, BIP0039 suffers the same shortcoming: it does nothing to help a future replacement, it wants to be final. My first recommendation is to allocate a few bits of the mnemonic, in order to encode a "version number" along with the checksum bits. The second problem is the wallet structure. There are multiple ways to use a BIP32 tree, and each client will certainly handle this differently. For Electrum, it is important to be able to recover an entire wallet from its mnemonic, using no extra information. Thus, the client needs to know which branches of the BIP32 tree are populated by default. This means that the "version number" I mentioned will not only be about the seed encoding, but it should also give some information about the wallet structure, at least in the case of Electrum. The third problem is the dictionary. I do not like the dictionary proposed in BIP0039, because it contains too many short words, which are bad for memorization (I explained here how I designed the dictionary used by Electrum: https://bitcointalk.org/index.php?topic=153990.msg2167909#msg2167909). I had some discussions with slush about this, but I do not think it will ever be possible to find a consensus on that topic. BIP0039 also suggests to use localized dictionaries, with non-colliding word lists, but it is not clear how that will be achieved; it seems to be difficult, because languages often have words in common. It looks like a first-come-first-served aproach will be used. For these reasons, I believe that we need a dictionary-independent solution. This will allow developers to use the dictionary they like, and localization will be easy. I would like to suggest the following solution: 1. Define a target of k bits: this target contains the metadata ("version number"), plus some extra bits for the checksum. For example, with k=16, we can allocate 8 bits for the version number, and 8 bits for checksum. 2. Pick a random number of length n+k bits, where n is the desired entropy of the seed, and k is the number of bits needed for the metadata (checksum, version number) 3. Translate this random number to a mnemonic string, using a dictionary. 4. Compute a hash of the mnemonic string (utf8 encoded). 5. Repeat steps 2, 3 and 4 until the k first bits of the hash are equal to the target defined in 1. 6. Use the final hash as input for bip32 (as the master seed) This means that we "mine" for the seed, until the desired metadata is obtained in the hash. This "mining" also adds a bit of difficulty to the process of finding a seed (on average, it will require 2^k iterations). The entropy of the final hash is n, the number of unconstrained bits. This solution makes it possible for developers to define new dictionaries, localized or adapted to a particular need. The resulting mnemonics will always be usable with other clients, even if they do not know the dictionary. I am willing to write a new BIP where this proposal is specified in detail.