* [Bitcoin-development] Proposal to replace BIP0039 @ 2013-10-24 17:29 thomasV1 2013-10-24 18:09 ` slush ` (2 more replies) 0 siblings, 3 replies; 24+ messages in thread From: thomasV1 @ 2013-10-24 17:29 UTC (permalink / raw) To: bitcoin-development I would like to propose a new BIP, that replaces BIP0039. My initial problem was that BIP0039 is not backward compatible with Electrum. When trying to solve that, I realized that the seed encoding used in Electrum does not help, because it does not contain a version number information. However, BIP0039 suffers the same shortcoming: it does nothing to help a future replacement, it wants to be final. My first recommendation is to allocate a few bits of the mnemonic, in order to encode a "version number" along with the checksum bits. The second problem is the wallet structure. There are multiple ways to use a BIP32 tree, and each client will certainly handle this differently. For Electrum, it is important to be able to recover an entire wallet from its mnemonic, using no extra information. Thus, the client needs to know which branches of the BIP32 tree are populated by default. This means that the "version number" I mentioned will not only be about the seed encoding, but it should also give some information about the wallet structure, at least in the case of Electrum. The third problem is the dictionary. I do not like the dictionary proposed in BIP0039, because it contains too many short words, which are bad for memorization (I explained here how I designed the dictionary used by Electrum: https://bitcointalk.org/index.php?topic=153990.msg2167909#msg2167909). I had some discussions with slush about this, but I do not think it will ever be possible to find a consensus on that topic. BIP0039 also suggests to use localized dictionaries, with non-colliding word lists, but it is not clear how that will be achieved; it seems to be difficult, because languages often have words in common. It looks like a first-come-first-served aproach will be used. For these reasons, I believe that we need a dictionary-independent solution. This will allow developers to use the dictionary they like, and localization will be easy. I would like to suggest the following solution: 1. Define a target of k bits: this target contains the metadata ("version number"), plus some extra bits for the checksum. For example, with k=16, we can allocate 8 bits for the version number, and 8 bits for checksum. 2. Pick a random number of length n+k bits, where n is the desired entropy of the seed, and k is the number of bits needed for the metadata (checksum, version number) 3. Translate this random number to a mnemonic string, using a dictionary. 4. Compute a hash of the mnemonic string (utf8 encoded). 5. Repeat steps 2, 3 and 4 until the k first bits of the hash are equal to the target defined in 1. 6. Use the final hash as input for bip32 (as the master seed) This means that we "mine" for the seed, until the desired metadata is obtained in the hash. This "mining" also adds a bit of difficulty to the process of finding a seed (on average, it will require 2^k iterations). The entropy of the final hash is n, the number of unconstrained bits. This solution makes it possible for developers to define new dictionaries, localized or adapted to a particular need. The resulting mnemonics will always be usable with other clients, even if they do not know the dictionary. I am willing to write a new BIP where this proposal is specified in detail. ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [Bitcoin-development] Proposal to replace BIP0039 2013-10-24 17:29 [Bitcoin-development] Proposal to replace BIP0039 thomasV1 @ 2013-10-24 18:09 ` slush 2013-10-25 9:27 ` Thomas Voegtlin 2013-10-24 18:54 ` slush 2013-10-24 21:55 ` Luke-Jr 2 siblings, 1 reply; 24+ messages in thread From: slush @ 2013-10-24 18:09 UTC (permalink / raw) To: thomasV1; +Cc: bitcoin-development [-- Attachment #1: Type: text/plain, Size: 3639 bytes --] On Thu, Oct 24, 2013 at 7:29 PM, <thomasV1@gmx•de> wrote: > > My initial problem was that BIP0039 is not backward compatible with > Electrum. When trying to solve that, I realized that the seed encoding used > in Electrum does not help, because it does not contain a version number > information. However, BIP0039 suffers the same shortcoming: it does nothing > to help a future replacement, it wants to be final. My first recommendation > is to allocate a few bits of the mnemonic, in order to encode a "version > number" along with the checksum bits. > > Two years ago I proposed exactly this and you refused to add extra information to mnemonic, because "it isn't necessary" and "it makes it longer to mnemonization". What changed since then? > The second problem is the wallet structure. There are multiple ways to use > a BIP32 tree, and each client will certainly handle this differently. For > Electrum, it is important to be able to recover an entire wallet from its > mnemonic, using no extra information. Thus, the client needs to know which > branches of the BIP32 tree are populated by default. This means that the > "version number" I mentioned will not only be about the seed encoding, but > it should also give some information about the wallet structure, at least > in the case of Electrum. > > Hm, what exactly do you need to store about wallet structure? I lived in opinion that everything is able to recover using CKD function to generate new addresses and blockchain lookups for their balances. > The third problem is the dictionary. I do not like the dictionary proposed > in BIP0039, because it contains too many short words, which are bad for > memorization (I explained here how I designed the dictionary used by > Electrum: > https://bitcointalk.org/index.php?topic=153990.msg2167909#msg2167909). I > had some discussions with slush about this, but I do not think it will ever > be possible to find a consensus on that topic. > > Yes, that's true. It isn't possible to make everybody 100% happy. At least I wanted to be constructive and asked you to replace the most problematic words. No pull request from you so far. > BIP0039 also suggests to use localized dictionaries, with non-colliding > word lists, but it is not clear how that will be achieved; it seems to be > difficult, because languages often have words in common. It looks like a > first-come-first-served aproach will be used. > > Yes, it was original idea. So far I don't think this is a problem. Of course some words may have some meaning across languages, but it should be easy to avoid them. There are tens of thousands words in every language and we need to pick "only" 2048 words to wordlist. > For these reasons, I believe that we need a dictionary-independent > solution. This will allow developers to use the dictionary they like, and > localization will be easy. > I would like to suggest the following solution: > > If I understand this well, it is basically one-way algorithm "mnemonic -> seed", right? Seed cannot be printed out as mnemonic, because there's hashing involved, but the bi-directionality has been the original requirement for such algorithm (at least in Electrum and bip39). Then, how is this different to picking 12 random words from dictionary and hashing them together? I don't see any benefit in that "mining" part of the proposal (except that it is lowering the entropy for given length of mnemonic). > This solution makes it possible for developers to define new dictionaries, > localized or adapted to a particular need. > Are your worries about overlapping words across languages a real issue? slush [-- Attachment #2: Type: text/html, Size: 5183 bytes --] ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [Bitcoin-development] Proposal to replace BIP0039 2013-10-24 18:09 ` slush @ 2013-10-25 9:27 ` Thomas Voegtlin 0 siblings, 0 replies; 24+ messages in thread From: Thomas Voegtlin @ 2013-10-25 9:27 UTC (permalink / raw) To: bitcoin-development slush wrote : > Two years ago I proposed exactly this and you refused to add extra > information to mnemonic, because "it isn't necessary" and "it makes it > longer to mnemonization". What changed since then? I was wrong, and I fully acknowledge it. My concern was that adding extra information would make the mnemonic longer than 12 words. In addition, you proposed to allocate these extra bits for a checksum, not for metadata. However, a checksum does not really add any information, because Electrum checks the existence of a wallet directly from the blockchain. So, my feeling at that time was that adding extra bits would increase the risks (a longer seed is harder to memorize, increases the probability of mistakes, etc), and did not bring any real benefit. However, you showed since then how to solve this by using a slightly longer dictionary, and I do like your solution, I find it absolutely brilliant. In addition, I realize now that metadata (ie a "version number") is crucially needed, for the reasons mentioned in my previous post. > Hm, what exactly do you need to store about wallet structure? I lived > in opinion that everything is able to recover using CKD function to > generate new addresses and blockchain lookups for their balances. BIP32 gives a lot of freedom to wallet developers: it does not specify which branches of the HD tree shall be used for which purpose. However, if you want to recover a wallet from its mnemonic (a requirement for Electrum), then you need to know which branches to explore. In Electrum 1.9 I had to make some choices about branch allocation. However, the decisions that I made are certainly not final, so it is important to be able to change them in the future. Thus, this metadata needs to be added to the mnemonic. > Yes, that's true. It isn't possible to make everybody 100% happy. At > least I wanted to be constructive and asked you to replace the most > problematic words. No pull request from you so far. The solution I propose is very different from BIP39, and it does not require to predefine a dictionary. My proposal is actually somewhat similar to Pieter Wuille's proposal, which I discovered after his recent post. ( https://bitcointalk.org/index.php?topic=102349.0 ) > Yes, it was original idea. So far I don't think this is a problem. Of > course some words may have some meaning across languages, but it > should be easy to avoid them. There are tens of thousands words in > every language and we need to pick "only" 2048 words to wordlist. > ... > Are your worries about overlapping words across languages a real issue? No, there are not so many words that are frequent enough. Overlapping will be an issue, especially if we go for a 4096 words dictionary. > If I understand this well, it is basically one-way algorithm "mnemonic > -> seed", right? Seed cannot be printed out as mnemonic, because > there's hashing involved, but the bi-directionality has been the > original requirement for such algorithm (at least in Electrum and bip39). You are right, this encoding is not symmetric. Bi-directionality has never been a requirement for Electrum. May I ask why you need bi-directionality in Trezor? (the only reason I can think of is if you want to export a bip32 branch into another wallet, but this would create a very long mnemonic string) > Then, how is this different to picking 12 random words from dictionary > and hashing them together? I don't see any benefit in that "mining" > part of the proposal (except that it is lowering the entropy for given > length of mnemonic). it makes it possible to hash a utf8 string, and to retrieve the metadata from the hash. Thus we don't need to spend ages arguing about the best choice of a dictionary, and to set it in stone. ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [Bitcoin-development] Proposal to replace BIP0039 2013-10-24 17:29 [Bitcoin-development] Proposal to replace BIP0039 thomasV1 2013-10-24 18:09 ` slush @ 2013-10-24 18:54 ` slush 2013-10-26 15:24 ` Thomas Voegtlin 2013-10-24 21:55 ` Luke-Jr 2 siblings, 1 reply; 24+ messages in thread From: slush @ 2013-10-24 18:54 UTC (permalink / raw) To: thomasV1; +Cc: bitcoin-development [-- Attachment #1: Type: text/plain, Size: 2477 bytes --] On Thu, Oct 24, 2013 at 7:29 PM, <thomasV1@gmx•de> wrote: > > My initial problem was that BIP0039 is not backward compatible with > Electrum. When trying to solve that, I realized that the seed encoding used > in Electrum does not help, because it does not contain a version number > information. However, BIP0039 suffers the same shortcoming: it does nothing > to help a future replacement, it wants to be final. My first recommendation > is to allocate a few bits of the mnemonic, in order to encode a "version > number" along with the checksum bits. > > On topic of "it wants to be final" and "it is incompatible with Electrum": None of this is true. Firstly, it *is* possible to implement both algorithm into the client at the same time, so user will be able to recover wallet using Electrum or bip39 mnemonic and - what is worse - you already *know* about this solution. Still you're spreading FUD about it on IRC, on emails behind my back and here on mailing list. The solution for Electrum client - as we discussed two weeks ago on IRC - is that: a) User type down the mnemonic (created with Electrum or BIP39) b1) Only if *all* words are presented in both dictionaries and it has valid BIP39 checksum (which is quite rare situation itself!), the mnemonic can be consider to be both Electrum or BIP39. b2) In most of cases we end up here, because the most common situation is that with given words, only Electrum *or* BIP39 seed can be recovered. ---- c) Consider the mnemonic as Electrum. Create first few addresses and do a lookup. If there are transactions in address history, this is Electrum mnemonic. d) If there were no used address in c), build seed using BIP39 and do the same lookup. If there's history, this is BIP39 mnemonic. e) If there are no history on both algorithm, then pick prefered one for given client (it should not hurt which one, because first use of given mnemonic will "freeze" given algorithm for next time of mnemonic recovery). Well, because only Electrum uses some mnemonic algorithm to this date, such decision tree need to be implemented only in Electrum. You cannot tell that "it is too complicated" or "ambiguous", because you're using the same algorithm of deciding between Electrum deterministic / BIP32. I must admit that I'm quite annoyed of such discussion, because we already discussed all this privately, you didn't tell me any reason why this should not work and still I see that this is coming back as a boomerang. slush [-- Attachment #2: Type: text/html, Size: 3174 bytes --] ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [Bitcoin-development] Proposal to replace BIP0039 2013-10-24 18:54 ` slush @ 2013-10-26 15:24 ` Thomas Voegtlin 2013-10-26 20:47 ` slush 0 siblings, 1 reply; 24+ messages in thread From: Thomas Voegtlin @ 2013-10-26 15:24 UTC (permalink / raw) To: bitcoin-development here is a simple implementation, with some ideas on how to format the metadata: https://en.bitcoin.it/wiki/Talk:BIP_0039 ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [Bitcoin-development] Proposal to replace BIP0039 2013-10-26 15:24 ` Thomas Voegtlin @ 2013-10-26 20:47 ` slush 2013-10-26 21:30 ` Pieter Wuille 0 siblings, 1 reply; 24+ messages in thread From: slush @ 2013-10-26 20:47 UTC (permalink / raw) To: Thomas Voegtlin; +Cc: bitcoin-development [-- Attachment #1: Type: text/plain, Size: 1321 bytes --] Hi Thomas, can you more elaborate on that "version" bits? What is exact meaning of it? I still think this is more an implementation problem. What stops Electrum to do the same algorithm for searching branches as it is now for used addresses? These "version bits" need to be covered by the specification as well, because if any client will use them differently (or won't use them at all), it will break cross-compatibility between clients, which was another goal of bip39. Marek On Sat, Oct 26, 2013 at 5:24 PM, Thomas Voegtlin <thomasv1@gmx•de> wrote: > here is a simple implementation, with some ideas on how to format the > metadata: > https://en.bitcoin.it/wiki/Talk:BIP_0039 > > > > ------------------------------------------------------------------------------ > October Webinars: Code for Performance > Free Intel webinars can help you accelerate application performance. > Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most > from > the latest Intel processors and coprocessors. See abstracts and register > > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists•sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development > [-- Attachment #2: Type: text/html, Size: 2203 bytes --] ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [Bitcoin-development] Proposal to replace BIP0039 2013-10-26 20:47 ` slush @ 2013-10-26 21:30 ` Pieter Wuille 2013-10-31 9:13 ` Thomas Voegtlin 0 siblings, 1 reply; 24+ messages in thread From: Pieter Wuille @ 2013-10-26 21:30 UTC (permalink / raw) To: slush; +Cc: bitcoin-development Let's first try to agree on what we are solving. It seems that Thomas wants - in addition to the cryptographic data - to encode the tree structure, or at least version information about what features are used in it, inside the seed. I'm not sure whether we're ready to standardize on something like that yet, not having established best practices regarding different wallet structures. I do think we first need to see what possibilities and developments are possible related to it. In addition, information about the wallet structure is strictly less secret than the key data - it is even less confidential than address book data, transaction annotations, labels and comments and bookkeeping information. It could be backed up anywhere and everywhere without any repercussions, as far as I can see. I understand that in the case of Electrum, there is a strong reason to want this encapsulated together with the seed, but it's not really a requirement for most wallets. (if really needed, any key derivation scheme that starts from random strings can be augmented with metadata by enforcing property-bits on a hash of the string (so not of the output), as this data doesn't need protection from brute-forcing). Regarding other requirements, I wonder why we want the transformation to be bidirectional? If it is just about generating master seeds, one direction should be enough, and allows far nicer properties w.r.t. security. If we do settle on a standard for 'brainwallets', I would strongly prefer if it had at least some strengthening built-in, to decrease the impact of worst-case situations. If the reason is backward-compatibility, I think that any client that supports seeds already can just keep supporting whatever they supported before. Only if it matches both encoding schemes (as mentioned before) there is a potential collision (and in that case, the user could just be asked). -- Pieter On Sat, Oct 26, 2013 at 10:47 PM, slush <slush@centrum•cz> wrote: > Hi Thomas, > > can you more elaborate on that "version" bits? What is exact meaning of it? > I still think this is more an implementation problem. What stops Electrum to > do the same algorithm for searching branches as it is now for used > addresses? > > These "version bits" need to be covered by the specification as well, > because if any client will use them differently (or won't use them at all), > it will break cross-compatibility between clients, which was another goal of > bip39. > > Marek > > > > > On Sat, Oct 26, 2013 at 5:24 PM, Thomas Voegtlin <thomasv1@gmx•de> wrote: >> >> here is a simple implementation, with some ideas on how to format the >> metadata: >> https://en.bitcoin.it/wiki/Talk:BIP_0039 >> >> >> >> ------------------------------------------------------------------------------ >> October Webinars: Code for Performance >> Free Intel webinars can help you accelerate application performance. >> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most >> from >> the latest Intel processors and coprocessors. See abstracts and register > >> >> http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk >> _______________________________________________ >> Bitcoin-development mailing list >> Bitcoin-development@lists•sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/bitcoin-development > > > > ------------------------------------------------------------------------------ > October Webinars: Code for Performance > Free Intel webinars can help you accelerate application performance. > Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most > from > the latest Intel processors and coprocessors. See abstracts and register > > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists•sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development > ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [Bitcoin-development] Proposal to replace BIP0039 2013-10-26 21:30 ` Pieter Wuille @ 2013-10-31 9:13 ` Thomas Voegtlin 2013-10-31 10:41 ` slush 2013-10-31 11:11 ` slush 0 siblings, 2 replies; 24+ messages in thread From: Thomas Voegtlin @ 2013-10-31 9:13 UTC (permalink / raw) To: bitcoin-development Indeed, I want to include a version number in the seed phrase because there are multiple ways to define the tree structure used with BIP32. It is certainly too early to make final decisions on that, or to achieve a common standard. Also, I can imagine that bip32 itself might be superseeded in the future. I understand that encapsulating a version number in the seed phrase might not be as important for other wallets as it is for Electrum. So it is probably not necessary to propose another BIP for that. I will simply implement it for Electrum, and I will try to do it in such a way that other wallets can use the same format. The other question we might be solving is strenghtening (your proposal). I consider that this is not a strong requirement for Electrum, because it does not let the user choose their seed phrase. However, if a few bits of the seed phrase are allocated for metadata, then I guess strenghtening can be part of it. That's another good reason to have a version number encapsulated in the seed. I too wonder why the transformation needs to be bidirectional in bip39. Le 26/10/2013 23:30, Pieter Wuille a écrit : > Let's first try to agree on what we are solving. > > It seems that Thomas wants - in addition to the cryptographic data - > to encode the tree structure, or at least version information about > what features are used in it, inside the seed. > > I'm not sure whether we're ready to standardize on something like that > yet, not having established best practices regarding different wallet > structures. I do think we first need to see what possibilities and > developments are possible related to it. > > In addition, information about the wallet structure is strictly less > secret than the key data - it is even less confidential than address > book data, transaction annotations, labels and comments and > bookkeeping information. It could be backed up anywhere and everywhere > without any repercussions, as far as I can see. I understand that in > the case of Electrum, there is a strong reason to want this > encapsulated together with the seed, but it's not really a requirement > for most wallets. > (if really needed, any key derivation scheme that starts from random > strings can be augmented with metadata by enforcing property-bits on a > hash of the string (so not of the output), as this data doesn't need > protection from brute-forcing). > > Regarding other requirements, I wonder why we want the transformation > to be bidirectional? If it is just about generating master seeds, one > direction should be enough, and allows far nicer properties w.r.t. > security. If we do settle on a standard for 'brainwallets', I would > strongly prefer if it had at least some strengthening built-in, to > decrease the impact of worst-case situations. > If the reason is backward-compatibility, I think that any client that > supports seeds already can just keep supporting whatever they > supported before. Only if it matches both encoding schemes (as > mentioned before) there is a potential collision (and in that case, > the user could just be asked). > ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [Bitcoin-development] Proposal to replace BIP0039 2013-10-31 9:13 ` Thomas Voegtlin @ 2013-10-31 10:41 ` slush 2013-10-31 11:07 ` Peter Todd 2013-11-02 9:44 ` Thomas Voegtlin 2013-10-31 11:11 ` slush 1 sibling, 2 replies; 24+ messages in thread From: slush @ 2013-10-31 10:41 UTC (permalink / raw) To: Thomas Voegtlin; +Cc: bitcoin-development [-- Attachment #1: Type: text/plain, Size: 3987 bytes --] Strange, I didn't receive the response from sipa in separate message, so I'll respond to him at first place. Le 26/10/2013 23:30, Pieter Wuille a écrit : > I'm not sure whether we're ready to standardize on something like that > yet, not having established best practices regarding different wallet > structures. I do think we first need to see what possibilities and > developments are possible related to it. Although many strange practices how to use whole bip32 space are possible, I think that we may (should?) agree on some "good enough" way how to discover already used addresses in bip32 space. I read Electrum sources about bip32 and I see that Electrum still uses quite flat structure (fixed amount of branches, indexes from 0 to n), which is of course very sane way. So if I migrate seed to another (non-Electrum) software, I only need to discover close neighbourhood of the path "0", similarly like Electrum is doing with "gap limit" in plain old Electrum algorithm, except in two dimensions (paths 0, 1, 2, 3, 4, 5, 0/0, 0/1, 0/2, 0/3, 0/4, 0/5, 1/0, 1/1, ...5/5 for gap limit "5"). I don't say such operation is cheap, but this discovery needs to be done only during the import. For the reason that I think this is the only sane algorithm of general use of bip32 space, I still don't see why we do need some extra metadata. I would understand this if Electrum will use for some strange reason addresses in higher address space like 2^32-1 or so, but this is not going to happen at least in Electrum. > I understand that in > the case of Electrum, there is a strong reason to want this > encapsulated together with the seed, but it's not really a requirement > for most wallets. Well, I can imagine that the bip32 compatible software will do full scan of address space using some gap factor (actually I think "5" is too low by default) or it can ask for wallet metadata like which software used such tree before, to speedup scanning process. I see that Thomas wants to make this automatic and hidden to user and generally I agree that hiding the compexity to user is a good practice, but actually this particular situation sounds to me as an exact oposite of original statement "no metadata in mnemonic". > Regarding other requirements, I wonder why we want the transformation > to be bidirectional? If it is just about generating master seeds, one > direction should be enough, and allows far nicer properties w.r.t. > security. If we do settle on a standard for 'brainwallets', ECDSA has one very nice option - (almost) any random data can be used as a private key. There are very nice schemas possible by using this feature and requiring private key to be specially crafted just because the user wanted to use mnemonic schema is very strong limitation to me. To be specific, we (in cooperation with / inspired by Timo Hanke) developed method how to prove that the seed generated by Trezor has been created using combination of computer-provided entropy and device-provided entropy, without leaking full private information to other computer, just because we want Trezor to be blackbox-testable and fully deterministic (seed generation is currently the only operation which uses any source of RNG). To limit the complexity of such algorithm it is better to produce plain seed (128, 192 or 256 bits, depends on settings) and then transform the result of such "deterministic seed" to mnemonic, so for us the bi-directionality is quite strong requirement. *Maybe* it would be possible to combine such algorithm and one-way mnemonic together, but it would complicate the design and I'm sure you understand that we want to keep things as clear and simple as possible, especially while handling with seed generation. > I would strongly prefer if it had at least some strengthening built-in, to > decrease the impact of worst-case situations. Agree (hardening is default in bip39). Marek [-- Attachment #2: Type: text/html, Size: 5013 bytes --] ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [Bitcoin-development] Proposal to replace BIP0039 2013-10-31 10:41 ` slush @ 2013-10-31 11:07 ` Peter Todd 2013-11-02 9:44 ` Thomas Voegtlin 1 sibling, 0 replies; 24+ messages in thread From: Peter Todd @ 2013-10-31 11:07 UTC (permalink / raw) To: slush; +Cc: bitcoin-development [-- Attachment #1: Type: text/plain, Size: 958 bytes --] On Thu, Oct 31, 2013 at 11:41:27AM +0100, slush wrote: > To be specific, we (in cooperation with / inspired by Timo Hanke) developed > method how to prove that the seed generated by Trezor has been created > using combination of computer-provided entropy and device-provided entropy, > without leaking full private information to other computer, just because we > want Trezor to be blackbox-testable and fully deterministic (seed > generation is currently the only operation which uses any source of RNG). I just wanted to say the fact that you're making key generation auditable, and using deterministic signatures, is a clear sign that you guys know what you're doing. Hearing this makes me a lot more confident that the Trezor will prove to be a secure way to store my Bitcoins and my pre-order will prove to be money well spent. Kudos! -- 'peter'[:-1]@petertodd.org 000000000000000784d399e7c1d1e8f2fc953c6939b115699a1ee05029a59bc9 [-- Attachment #2: Digital signature --] [-- Type: application/pgp-signature, Size: 685 bytes --] ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [Bitcoin-development] Proposal to replace BIP0039 2013-10-31 10:41 ` slush 2013-10-31 11:07 ` Peter Todd @ 2013-11-02 9:44 ` Thomas Voegtlin 2013-11-03 6:41 ` Timo Hanke 1 sibling, 1 reply; 24+ messages in thread From: Thomas Voegtlin @ 2013-11-02 9:44 UTC (permalink / raw) To: bitcoin-development > To be specific, we (in cooperation with / inspired by Timo Hanke) > developed method how to prove that the seed generated by Trezor has > been created using combination of computer-provided entropy and > device-provided entropy, without leaking full private information to > other computer, just because we want Trezor to be blackbox-testable > and fully deterministic (seed generation is currently the only > operation which uses any source of RNG). > Thanks for the explanation. Here is how I understand how it works, please correct me if I'm wrong: The user's computer picks a random number a, the Trezor picks a random number b. Trezor adds a and b in the secp256k1 group, and this creates a master private key k. Trezor sends the corresponding master public key K to the computer. Thus, the computer can check that K was derived from a, without knowing b. This also allows the computer to check that any bitcoin address derived from K is derived from a, without leaking b. (and reciprocally) However, it seems to me that this property will work only with bip32 public derivations; if a private derivation is used, don't you need to know k? ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [Bitcoin-development] Proposal to replace BIP0039 2013-11-02 9:44 ` Thomas Voegtlin @ 2013-11-03 6:41 ` Timo Hanke 2013-11-03 7:03 ` Thomas Voegtlin 0 siblings, 1 reply; 24+ messages in thread From: Timo Hanke @ 2013-11-03 6:41 UTC (permalink / raw) To: Thomas Voegtlin; +Cc: bitcoin-development On Sat, Nov 02, 2013 at 10:44:58AM +0100, Thomas Voegtlin wrote: > > >To be specific, we (in cooperation with / inspired by Timo Hanke) > >developed method how to prove that the seed generated by Trezor > >has been created using combination of computer-provided entropy > >and device-provided entropy, without leaking full private > >information to other computer, just because we want Trezor to be > >blackbox-testable and fully deterministic (seed generation is > >currently the only operation which uses any source of RNG). > > > > Thanks for the explanation. Here is how I understand how it works, > please correct me if I'm wrong: > > The user's computer picks a random number a, the Trezor picks a > random number b. > Trezor adds a and b in the secp256k1 group, and this creates a > master private key k. > Trezor sends the corresponding master public key K to the computer. > Thus, the computer can check that K was derived from a, without knowing b. No. You mean the computer would use B for this check? (k,K) could be rigged by Trezor, who computes b as k-a. Timo > This also allows the computer to check that any bitcoin address > derived from K is derived from a, without leaking b. (and > reciprocally) > > However, it seems to me that this property will work only with bip32 > public derivations; if a private derivation is used, don't you need > to know k? > > > -- Timo Hanke PGP 1EFF 69BC 6FB7 8744 14DB 631D 1BB5 D6E3 AB96 7DA8 ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [Bitcoin-development] Proposal to replace BIP0039 2013-11-03 6:41 ` Timo Hanke @ 2013-11-03 7:03 ` Thomas Voegtlin 2013-11-03 7:40 ` Timo Hanke 0 siblings, 1 reply; 24+ messages in thread From: Thomas Voegtlin @ 2013-11-03 7:03 UTC (permalink / raw) Cc: bitcoin-development Le 03/11/2013 07:41, Timo Hanke a écrit : > No. You mean the computer would use B for this check? (k,K) could be > rigged by Trezor, who computes b as k-a. Timo I was just asking a question, in order to understand how this device works, and what are its requirements. if you think you can help, please explain. ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [Bitcoin-development] Proposal to replace BIP0039 2013-11-03 7:03 ` Thomas Voegtlin @ 2013-11-03 7:40 ` Timo Hanke 2013-11-03 8:39 ` Thomas Voegtlin 2013-11-16 23:49 ` Pavol Rusnak 0 siblings, 2 replies; 24+ messages in thread From: Timo Hanke @ 2013-11-03 7:40 UTC (permalink / raw) To: Thomas Voegtlin; +Cc: bitcoin-development I think the communication would have to go the other way around. Trezor has to commit to a value First. Like this: Trezor picks random s and sends S=s*G to computer, keeping s secret. Computer picks random t and sends t to Trezor. Trezor makes r := s+t its internal master private key with corresponding master public key R := (s+t)*G. Since R = S+t*G, the computer can verify the master public key. As you say, the computer can then store R and can later verify for each derived pubkey that it was indeed derived from R, hence from his own entropy t. However, Trezor could not use straight bip32 out of the box. The chaincode would have to be something like SHA(R). And the seed (that gets translated to mnemonic) would be r itself, making it 256 bit instead of only 128 bit. If the longer seed is bearable then this is a good way to do it. One question remains: if you only write down the mnemonic how can you be sure that it is correct and corresponds to the secret in Trezor? You cannot verify that on paper. You would have to restore it on some device, eg another empty Trezor, and see if it brings up the same master pubkey. Right? Timo On Sun, Nov 03, 2013 at 08:03:54AM +0100, Thomas Voegtlin wrote: > > Le 03/11/2013 07:41, Timo Hanke a écrit : > >No. You mean the computer would use B for this check? (k,K) could > >be rigged by Trezor, who computes b as k-a. Timo > > I was just asking a question, in order to understand how this device > works, and what are its requirements. > if you think you can help, please explain. > > -- Timo Hanke PGP 1EFF 69BC 6FB7 8744 14DB 631D 1BB5 D6E3 AB96 7DA8 ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [Bitcoin-development] Proposal to replace BIP0039 2013-11-03 7:40 ` Timo Hanke @ 2013-11-03 8:39 ` Thomas Voegtlin 2013-11-04 15:10 ` Timo Hanke 2013-11-16 23:49 ` Pavol Rusnak 1 sibling, 1 reply; 24+ messages in thread From: Thomas Voegtlin @ 2013-11-03 8:39 UTC (permalink / raw) Cc: bitcoin-development Le 03/11/2013 08:40, Timo Hanke a écrit : > I think the communication would have to go the other way around. Trezor > has to commit to a value First. Like this: > > Trezor picks random s and sends S=s*G to computer, keeping s secret. > Computer picks random t and sends t to Trezor. Trezor makes r := s+t > its internal master private key with corresponding master public key > R := (s+t)*G. Since R = S+t*G, the computer can verify the master > public key. As you say, the computer can then store R and can later > verify for each derived pubkey that it was indeed derived from R, hence > from his own entropy t. I'm not sure how this differs from what I wrote... However, if this is how it works, then my question remains: The computer has no proof to know that pubkeys derived through bip32's private derivations are derived from its own entropy... This verification would only work for public (aka type2) derivations. .. but maybe Trezor works in a different way? I think an explanation from slush would be needed. > However, Trezor could not use straight bip32 out of the box. The > chaincode would have to be something like SHA(R). And the seed (that > gets translated to mnemonic) would be r itself, making it 256 bit > instead of only 128 bit. > > If the longer seed is bearable then this is a good way to do it. > > One question remains: if you only write down the mnemonic how can you be > sure that it is correct and corresponds to the secret in Trezor? You > cannot verify that on paper. You would have to restore it on some > device, eg another empty Trezor, and see if it brings up the same master > pubkey. Right? > I guess you have to trust Trezor that it derives R from r ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [Bitcoin-development] Proposal to replace BIP0039 2013-11-03 8:39 ` Thomas Voegtlin @ 2013-11-04 15:10 ` Timo Hanke 2013-11-16 23:41 ` Pavol Rusnak 0 siblings, 1 reply; 24+ messages in thread From: Timo Hanke @ 2013-11-04 15:10 UTC (permalink / raw) To: Thomas Voegtlin; +Cc: Bitcoin Dev On Sun, Nov 03, 2013 at 09:39:42AM +0100, Thomas Voegtlin wrote: > > Le 03/11/2013 08:40, Timo Hanke a écrit : > >I think the communication would have to go the other way around. Trezor > >has to commit to a value First. Like this: > > > >Trezor picks random s and sends S=s*G to computer, keeping s secret. > >Computer picks random t and sends t to Trezor. Trezor makes r := s+t > >its internal master private key with corresponding master public key > >R := (s+t)*G. Since R = S+t*G, the computer can verify the master > >public key. As you say, the computer can then store R and can later > >verify for each derived pubkey that it was indeed derived from R, hence > >from his own entropy t. > > I'm not sure how this differs from what I wrote... Sorry, yes, of course it's the same.. Your very first proposal was fine, provided that Trezor commits to its random value first. > However, if this is how it works, then my question remains: > The computer has no proof to know that pubkeys derived through > bip32's private derivations are derived from its own entropy... > This verification would only work for public (aka type2) derivations. > > .. but maybe Trezor works in a different way? I think an explanation > from slush would be needed. Does Trezor even use private derivation? Regardless of whether the derivation is private or public, and regardless of what kind of proof you use to show that the master public key was derived from user supplied entropy, my question also remains: How do you verify your backup? The backup is a seed or private key. It's too long to do any meaningful computation by hand. So you would need a second offline device, eg a second Trezor in "restore mode", just to verify your backup. Timo > >However, Trezor could not use straight bip32 out of the box. The > >chaincode would have to be something like SHA(R). And the seed (that > >gets translated to mnemonic) would be r itself, making it 256 bit > >instead of only 128 bit. > > > >If the longer seed is bearable then this is a good way to do it. > > > >One question remains: if you only write down the mnemonic how can you be > >sure that it is correct and corresponds to the secret in Trezor? You > >cannot verify that on paper. You would have to restore it on some > >device, eg another empty Trezor, and see if it brings up the same master > >pubkey. Right? > > > I guess you have to trust Trezor that it derives R from r > > > > -- Timo Hanke PGP 1EFF 69BC 6FB7 8744 14DB 631D 1BB5 D6E3 AB96 7DA8 ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [Bitcoin-development] Proposal to replace BIP0039 2013-11-04 15:10 ` Timo Hanke @ 2013-11-16 23:41 ` Pavol Rusnak 0 siblings, 0 replies; 24+ messages in thread From: Pavol Rusnak @ 2013-11-16 23:41 UTC (permalink / raw) To: timo.hanke, Thomas Voegtlin; +Cc: Bitcoin Dev On 04/11/13 16:10, Timo Hanke wrote: > Does Trezor even use private derivation? No. It can't. Private keys never leave the device so client would not know how to generate addresses. -- Best Regards / S pozdravom, Pavol Rusnak <stick@gk2•sk> ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [Bitcoin-development] Proposal to replace BIP0039 2013-11-03 7:40 ` Timo Hanke 2013-11-03 8:39 ` Thomas Voegtlin @ 2013-11-16 23:49 ` Pavol Rusnak 2013-11-17 0:42 ` Timo Hanke 1 sibling, 1 reply; 24+ messages in thread From: Pavol Rusnak @ 2013-11-16 23:49 UTC (permalink / raw) To: timo.hanke, Thomas Voegtlin; +Cc: bitcoin-development On 03/11/13 08:40, Timo Hanke wrote: > Trezor picks random s and sends S=s*G to computer, keeping s secret. That's a really neat trick! > One question remains: if you only write down the mnemonic how can you be > sure that it is correct and corresponds to the secret in Trezor? Right. That's a problem. I'm not sure if this whole cryptomagic is benefitial at all. I'd suggest to go the easy way for now, i.e. prove that external entropy was used while generating the master seed. If the user does not trust our firmware, he can use his own built one. -- Best Regards / S pozdravom, Pavol Rusnak <stick@gk2•sk> ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [Bitcoin-development] Proposal to replace BIP0039 2013-11-16 23:49 ` Pavol Rusnak @ 2013-11-17 0:42 ` Timo Hanke 2013-11-17 0:49 ` Pavol Rusnak 0 siblings, 1 reply; 24+ messages in thread From: Timo Hanke @ 2013-11-17 0:42 UTC (permalink / raw) To: Pavol Rusnak; +Cc: bitcoin-development On Sun, Nov 17, 2013 at 12:49:04AM +0100, Pavol Rusnak wrote: > On 03/11/13 08:40, Timo Hanke wrote: > > Trezor picks random s and sends S=s*G to computer, keeping s secret. > > That's a really neat trick! > > > One question remains: if you only write down the mnemonic how can you be > > sure that it is correct and corresponds to the secret in Trezor? > > Right. That's a problem. I'm not sure if this whole cryptomagic is > benefitial at all. > > I'd suggest to go the easy way for now, i.e. prove that external entropy > was used while generating the master seed. If the user does not trust > our firmware, he can use his own built one. No, this question of mine was regardless of any cryptomagic or neat tricks like Thomas' suggestion. It has nothing do with auditing the entropy. It was just a backup question. I recently had an experience where I thought coins were lost because the secrets I had didn't match the public keys that I thought they'd match. From now on I will always recover my wallet first, from the backed up secrets, before sending any coins to the pubkeys in the wallet. I will never again generate a wallet, backup the secrets, and hope the secrets indeed match the pubkeys.. without testing that. My question was how Trezor allows me to verify my backup. All this makes me think if having one device generating and displaying the secret, and making a backing from the display, is the right way to go. Since you would need a second device to verify your backup is sane, you could have two devices to start with. One is your hardware wallet and it only imports secrets (restores backups). The other is an entropy generator and it only generates secrets. Best regards, Timo p.s. The question about auditing entropy would only apply to the generator, not the wallet. Is it yet documented how Trezor proves that external entropy was used? -- Timo Hanke PGP 1EFF 69BC 6FB7 8744 14DB 631D 1BB5 D6E3 AB96 7DA8 ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [Bitcoin-development] Proposal to replace BIP0039 2013-11-17 0:42 ` Timo Hanke @ 2013-11-17 0:49 ` Pavol Rusnak 0 siblings, 0 replies; 24+ messages in thread From: Pavol Rusnak @ 2013-11-17 0:49 UTC (permalink / raw) To: timo.hanke; +Cc: bitcoin-development On 17/11/13 01:42, Timo Hanke wrote: > p.s. The question about auditing entropy would only apply to the generator, > not the wallet. Is it yet documented how Trezor proves that external > entropy was used? We'll probably use the most straightforward way: a) trezor prints entropy A on a display (probably in hex format, this step is triggered by sending a special flag in initialize message) b) trezor receives entropy B from external source c) trezor creates sha256(A + B) and uses that as a seed d) trezor prints used seed on a display (probably in BIP39 format) e) user can check on a trusted computer that everything was ok (note that steps b-d are the same regardless of whether the special flag was set) -- Best Regards / S pozdravom, Pavol Rusnak <stick@gk2•sk> ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [Bitcoin-development] Proposal to replace BIP0039 2013-10-31 9:13 ` Thomas Voegtlin 2013-10-31 10:41 ` slush @ 2013-10-31 11:11 ` slush 2013-10-31 11:18 ` slush 1 sibling, 1 reply; 24+ messages in thread From: slush @ 2013-10-31 11:11 UTC (permalink / raw) To: Thomas Voegtlin; +Cc: bitcoin-development [-- Attachment #1: Type: text/plain, Size: 4535 bytes --] On Thu, Oct 31, 2013 at 10:13 AM, Thomas Voegtlin <thomasv1@gmx•de> wrote: > Indeed, I want to include a version number in the seed phrase because > there are > multiple ways to define the tree structure used with BIP32. It is > certainly too early > to make final decisions on that, or to achieve a common standard. > Well, as we're the first pioneers of bip32, let's start using it in some sane way and I'm sure the others will join. Just because they don't want to incompatible software. Actually I quite like that you're not wasting bip32 space by using some dynamic allocatons in higher address space, so I'm happy to follow your rules and I think we can agree on generic discover algorithm which maybe won't be optimal, but will find all used addresses and won't need any additional information directly in mnemonic. As I wrote in previous post, in worst case I can imagine dropdown list on import dialog, which will ask user which software has been handling the seed before, to speedup the scan. But for now I don't see this necessary at all. Also, I can imagine that bip32 itself might be superseeded in the future. > > Although I can imagine that as well, I hope that it won't be the case. We need to unite and integrate instead of making incompatible applications. One disadvantage of bip32 is that in fact it is too much flexible, so we even falled into the necessity of defining version of discovery algorithm. Lets set up best practices how to use it and other will follow instead of creating zillion cross-incompatible algorithms which won't understand each to other. > The other question we might be solving is strenghtening (your proposal). > I consider > that this is not a strong requirement for Electrum, because it does not > let the user > choose their seed phrase. However, if a few bits of the seed phrase are > Hardening and password protection are two unrelated requirements. Again, there are some scenarios in which use can leak part of the mnemonic to attacker, so hardening prevent to bruteforce the rest information by attacker, even if the mnemonic isn't passphrase protected. I'm especially refering to our algorithm of mnemonic import to Trezor during disaster recovery (when Trezor is destroyed and user wants to import the seed to another one), so that leak isn't just a theoretical concept, but real-word scenario. > allocated for metadata, then I guess strenghtening can be part of it. That's > another good > reason to have a version number encapsulated in the seed. > Actually creating optional features of such algorithm only make things complicated (and less cross-compatible). Every software still needs to implement such hardening even if it is optional feature, to be compatible with other clients. Then I don't see any reason why to have it optional. Don't forget that the proposal uses only 4 bits of version, which isn't too much combination for all these optional features ;-). I too wonder why the transformation needs to be bidirectional in bip39. > > Well, I wrote longer answer in previous email. tl;dr; there's quite easy way how to make the algorithm bi-directional, so I don't see a necessity to drop potentially useful feature for no good reason. I was thinking about your proposal and I realized that both our solutions solves a bit different problem. Lets summarize features (and forget to wordlist fights for moment): bip39: + bi-directional + passphrase protected + shorter mnemonic or shorter wordlist - predefined wordlist ThomasV proposal: + any software can has its own preferred worlist ? passphrase protected - one-direction only - longer mnemonic or longer wordlist Back to wordlist fights a) actually I think that the wordlist choice is far less important than it may look at first glance. Thomas thinks that bip39 wordlist is disaster, me and many other thinks it is ok, but mainly that it is very subjective. b) I see the beauty of "custom wordlists" in Thomas proposal, still if it means the algorithm is uni-direction only, it is very strong disadvantage to our usecase. c) I advocated our wordlist mainly because we put a lot of effort into it and after many weeks of tuning it is already done; not because I think that one method of picking the words is superior to other. I mean - if Thomas can offer any other plain-english wordlist which he'll be happy with, I'll vote for dropping our own wordlist and to use Thomas's version for the deal that he'll accept our need for bi-directionality and he agrees on the rest of bip39 ;-). Marek [-- Attachment #2: Type: text/html, Size: 6432 bytes --] ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [Bitcoin-development] Proposal to replace BIP0039 2013-10-31 11:11 ` slush @ 2013-10-31 11:18 ` slush 2013-11-02 10:10 ` Thomas Voegtlin 0 siblings, 1 reply; 24+ messages in thread From: slush @ 2013-10-31 11:18 UTC (permalink / raw) To: Thomas Voegtlin; +Cc: bitcoin-development [-- Attachment #1: Type: text/plain, Size: 689 bytes --] Oh, I forgot to one practical aspect; the way how the mnemonic is "mined" in Thomas proposal prevents usage in embedded devices, because difficulty of generating proper mnemonic is simply too high for embedded microcontrollers. Maybe this can be solved somehow by modifying the proposal, but right now it is a showstopper for us. Marek On Thu, Oct 31, 2013 at 12:11 PM, slush <slush@centrum•cz> wrote: > > bip39: > + bi-directional > + passphrase protected > + shorter mnemonic or shorter wordlist > - predefined wordlist > > ThomasV proposal: > + any software can has its own preferred worlist > ? passphrase protected > - one-direction only > - longer mnemonic or longer wordlist > > [-- Attachment #2: Type: text/html, Size: 1285 bytes --] ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [Bitcoin-development] Proposal to replace BIP0039 2013-10-31 11:18 ` slush @ 2013-11-02 10:10 ` Thomas Voegtlin 0 siblings, 0 replies; 24+ messages in thread From: Thomas Voegtlin @ 2013-11-02 10:10 UTC (permalink / raw) To: bitcoin-development Le 31/10/2013 12:18, slush a écrit : > Oh, I forgot to one practical aspect; the way how the mnemonic is > "mined" in Thomas proposal prevents usage in embedded devices, because > difficulty of generating proper mnemonic is simply too high for > embedded microcontrollers. Maybe this can be solved somehow by > modifying the proposal, but right now it is a showstopper for us. > > even if metadata is only 8 bits ? (that's about 256 hashes) ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [Bitcoin-development] Proposal to replace BIP0039 2013-10-24 17:29 [Bitcoin-development] Proposal to replace BIP0039 thomasV1 2013-10-24 18:09 ` slush 2013-10-24 18:54 ` slush @ 2013-10-24 21:55 ` Luke-Jr 2 siblings, 0 replies; 24+ messages in thread From: Luke-Jr @ 2013-10-24 21:55 UTC (permalink / raw) To: bitcoin-development On Thursday, October 24, 2013 5:29:18 PM thomasV1@gmx•de wrote: > I would like to propose a new BIP, that replaces BIP0039. BIP 39 is still a draft. Just suggest revisions to the author(s)... ^ permalink raw reply [flat|nested] 24+ messages in thread
end of thread, other threads:[~2013-11-17 0:49 UTC | newest] Thread overview: 24+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2013-10-24 17:29 [Bitcoin-development] Proposal to replace BIP0039 thomasV1 2013-10-24 18:09 ` slush 2013-10-25 9:27 ` Thomas Voegtlin 2013-10-24 18:54 ` slush 2013-10-26 15:24 ` Thomas Voegtlin 2013-10-26 20:47 ` slush 2013-10-26 21:30 ` Pieter Wuille 2013-10-31 9:13 ` Thomas Voegtlin 2013-10-31 10:41 ` slush 2013-10-31 11:07 ` Peter Todd 2013-11-02 9:44 ` Thomas Voegtlin 2013-11-03 6:41 ` Timo Hanke 2013-11-03 7:03 ` Thomas Voegtlin 2013-11-03 7:40 ` Timo Hanke 2013-11-03 8:39 ` Thomas Voegtlin 2013-11-04 15:10 ` Timo Hanke 2013-11-16 23:41 ` Pavol Rusnak 2013-11-16 23:49 ` Pavol Rusnak 2013-11-17 0:42 ` Timo Hanke 2013-11-17 0:49 ` Pavol Rusnak 2013-10-31 11:11 ` slush 2013-10-31 11:18 ` slush 2013-11-02 10:10 ` Thomas Voegtlin 2013-10-24 21:55 ` Luke-Jr
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox