public inbox for bitcoindev@googlegroups.com
From: Eric Kvam <nerdyrugbyguy@gmail•com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: Re: [bitcoindev] BIP39 Extension for Manual Seed Phrase Creation
Date: Sat, 24 May 2025 06:33:35 -0600	[thread overview]
Message-ID: <CADXQin4VbtvyWDGYLJB0HyJ2+Eai-01CKt6J6UzXM9qtdGJbuw@mail.gmail.com> (raw)
In-Reply-To: <CAMZUoK=A8T5N4ekR7r6+cfaxMCYL=a5_v0kqdPNVDzgcUY9xrg@mail.gmail.com>


I dug up some past arguments regarding the BIP39 checksum.  Hopefully my
proposal to import manually generated entropy with a 16 word seed phrase
avoids controversy because it doesn't conflict with the existing
12/15/18/21/24 word seed phrase formats that are meant for transcribing
computer generated entropy.

   - https://www.reddit.com/r/TREZOR/comments/1d47lxg/bip39_checksum_is_a_misfeature_trezor_should/
   - https://www.reddit.com/r/Bitcoin/comments/k761mf/fck_the_mnemonic_sentence_checksum/
   - https://bitcoin.stackexchange.com/questions/100376/should-the-bip-39-mnemonic-sentence-checksum-be-eliminated-from-the-standard-do
   - https://www.reddit.com/r/Bitcoin/comments/wh0s11/bip39_whats_the_benefit_of_the_checksum_word/


Using BIP39 to import manually generated entropy into a computer is a
work-around that has become a de facto standard.  Some others, like me,
have found that the checksum does more harm than good when importing
manually generated entropy.  I can see that the checksum is quite helpful
when transcribing seed phrases between two computing devices.  In lieu of a
checksum, users transcribing their 16 word phrase could select their input
from the full 2048 word list, select their input from 256 words but do it
twice, or check the xpub derived from their seed phrase input.  Initial
confirmation of the xpub is critical to ensure that a compromised computing
device cannot cause users to send funds to an address they don't control.
Users might store the 16 word phrase, or discard it once they have
confirmed their xpub in favor of a format that is better for transcription
(12 word phrase or seedQR).

When I am onboarding no-coiners, getting them to create their seed phrase
has been a stumbling block.  Any friction during onboarding reduces the
conversion rate.  Most people will not bother to learn what a hash is but
already understand randomness from games like poker and understand the need
to keep their passphrase secret.  Just as BIP39 helped enable the
proliferation of devices like Trezor/Ledger, a standardized format for
import of manually generated entropy enables cheap and simple paper
products to help users create their seed phrase.  A printout of the
wordlist with paper masks that each cover half of the words would make it
easy for users to perform a binary search.  The user could simply set a
mask on top of the wordlist as odd or even based on the totals of dice
rolls until only one word is showing.  Such a product can be bundled with
steel plates for recording and storing the phrase.  Instead of the user
having to learn about binary numbers, hashes, and checksums, no numbers are
required at all.  The secure computing device and its ops can also be
simplified (only needs to accept a seed phrase, display the xpub, scan an
unsigned TX, and display the signed TX).

On Fri, May 23, 2025 at 2:45 PM Russell O'Connor <roconnor@blockstream•com>
wrote:

> FWIW, BIP-93 (codex32) was designed for both human and computer generated
> randomness.  Codex32 also supports human and computer generated secret
> sharing.
>
> See also <https://secretcodex32.com/>.
>
> On Fri, May 23, 2025 at 11:35 AM Eric <nerdyrugbyguy@gmail•com> wrote:
>
>> Quoting BIP39: "This guide is meant to be a way to transport
>> computer-generated randomness with a human-readable transcription."
>>
>> BIP39 was meant to capture computer generated randomness.  Manually
>> calculating the sha256 hash is not practical.
>>
>> Using a separate tool to compute the checksum or last word is cumbersome
>> and requires users to have a more advanced understanding of cryptography.
>>
>>
>> On May 23, 2025 8:29:27 AM MDT, Kyle Honeycutt <coinables@gmail•com>
>> wrote:
>>
>>> Respectfully, a "black box" is not trusted to generate mnemonic
>>> passphrases, the standard is well-defined and generally followed across
>>> wallets.
>>>
>>>
>>> https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#Generating_the_mnemonic
>>>
>>> Users can create their own mnemonics in a trustless way following the
>>> BIP39 standard published in 2013.
>>>
>>> Using any entropy source a user can perform a SHA256 hash on the entropy
>>> to get a 256 bit string, then convert that to binary. Perform another
>>> SHA256 hash on the binary, take the first 8 bits and solve for checksum and
>>> then solve the rest of mnemonic words.
>>>
>>> On Fri, May 23, 2025, 6:15 AM Eric Kvam <nerdyrugbyguy@gmail•com> wrote:
>>>
>>>> *Motivation*
>>>> Make it easy for users to manually create their seed phrase so that
>>>> they don't have to trust a "black box" and allow for encoding derivation
>>>> path in seed phrase to simplify recovery
>>>>
>>>> *How*
>>>> Use every eighth word from the wordlist to generate 16 word phrases
>>>> with 128 bits of entropy (no checksum).  The most significant eight bits of
>>>> each word are used as entropy.  The least significant three bits of each
>>>> word specify the derivation path.
>>>>
>>>>    - *000* Derivation Path Not Specified
>>>>    - *001* m/44'/0'/0'
>>>>    - *010* m/49'/0'/0'
>>>>    - *011* m/84'/0'/0'
>>>>    - *100* m/48'/0'/0'/2'
>>>>    - *101* m/86'/0'/0'
>>>>
>>>> Up to seven derivation paths can be specified if all words have the
>>>> same least significant bits.  If the least significant bits of each word
>>>> vary, there are 48 bits that can be used to encode meta-data.  As long as
>>>> meta-data is limited to certain allowable values, this provides a mechanism
>>>> for error detection, similar to a checksum.
>>>>
>>>> *Benefits of Suggested Implementation*
>>>>
>>>>    - The word length determines how the seed phrase should be
>>>>    interpreted.  User only needs to know how many words they have and how many
>>>>    words the wallet supports to check for compatibility with this extension
>>>>    - Uses same wordlist to represent the same entropy as a 12 word
>>>>    phrase (could be a revision to BIP39 instead of a new BIP)
>>>>    - Manual procedure is very simple, each derivation path can use a
>>>>    shortened 256 word list which enjoys improved alphabetical separation of
>>>>    words
>>>>    - May prevent naive word selections which aren't limited to every
>>>>    eighth word (similar to what checksum does)
>>>>    - Can be extended further.  For example, a 32 word phrase with the
>>>>    same entropy as a 24 word phrase could also be added.  We can keep adding
>>>>    formats with unique word length and keep adding uses for the meta data as
>>>>    needed.
>>>>

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CADXQin4VbtvyWDGYLJB0HyJ2%2BEai-01CKt6J6UzXM9qtdGJbuw%40mail.gmail.com.
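The two encodings discussed in this thread, as an added worked example that is not code from any of the posters or from the BIP39 reference implementation. It works on BIP39 word indices (0..2047) rather than words, so it runs without the 2048-word English wordlist; mapping an index through that list gives the word. The standard path (bip39_indices / bip39_entropy) is the checksummed 12..24 word format from BIP39 itself: ENT/32 checksum bits taken from the start of SHA256(entropy) are appended and the result is cut into 11-bit groups. The extension path (extension_encode / extension_decode) is the proposed 16 word format: index = entropy_byte << 3 | tag, where the 3-bit tag is the derivation-path table from the original post (tags 110 and 111 are left unassigned here, which is an assumption). The 12 word and 16 word forms of the same 16 bytes of entropy can be converted into each other, which is the "same entropy as a 12 word phrase" point. dice_parity_byte is an assumed reading of the paper-mask procedure: eight roll totals, odd selects a 1 bit, most significant bit first.

```python
"""Added example (not from the mailing-list thread): BIP39 index arithmetic for
the standard checksummed 12..24 word format and for the proposed 16 word,
no-checksum format.  Only word indices are handled; the 2048-word wordlist is
not embedded, so map indices through it yourself to obtain words."""
import hashlib
from typing import List, Optional, Tuple

BIP39_WORDS = 2048  # every BIP39 wordlist has 2048 entries, i.e. 11-bit indices

# Tag table from the proposal; 110 and 111 are unassigned (assumption).
PATH_TAGS = {
    0b001: "m/44'/0'/0'",
    0b010: "m/49'/0'/0'",
    0b011: "m/84'/0'/0'",
    0b100: "m/48'/0'/0'/2'",
    0b101: "m/86'/0'/0'",
}


def bip39_indices(entropy: bytes) -> List[int]:
    """Standard BIP39: append ENT/32 bits of SHA256(entropy), cut into 11-bit words."""
    ent = len(entropy) * 8
    if ent not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    cs = ent // 32                      # 4 checksum bits for 128-bit entropy, 8 for 256
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    bits = (int.from_bytes(entropy, "big") << cs) | checksum
    total = ent + cs                    # always a multiple of 11
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def bip39_entropy(indices: List[int]) -> bytes:
    """Inverse of bip39_indices; raises ValueError when the checksum does not match."""
    n = len(indices)
    if n not in (12, 15, 18, 21, 24):
        raise ValueError("unsupported word count for the checksummed format")
    cs = n // 3
    bits = 0
    for idx in indices:
        if not 0 <= idx < BIP39_WORDS:
            raise ValueError("word index out of range")
        bits = (bits << 11) | idx
    entropy = (bits >> cs).to_bytes((n * 11 - cs) // 8, "big")
    if bip39_indices(entropy) != indices:   # re-derive and compare the checksum bits
        raise ValueError("BIP39 checksum mismatch")
    return entropy


def extension_encode(entropy: bytes, tag: int) -> List[int]:
    """Proposed 16 word format: high 8 bits of each index carry entropy, low 3 the tag."""
    if len(entropy) != 16 or not 0 <= tag < 8:
        raise ValueError("need exactly 16 bytes of entropy and a 3-bit tag")
    return [(b << 3) | tag for b in entropy]   # tag 0 gives "every eighth word"


def extension_decode(indices: List[int]) -> Tuple[bytes, Optional[str]]:
    """Recover entropy and path.  A tag that differs between words is the error check."""
    if len(indices) != 16:
        raise ValueError("the extension is defined for exactly 16 words")
    if any(not 0 <= idx < BIP39_WORDS for idx in indices):
        raise ValueError("word index out of range")
    tags = {idx & 0b111 for idx in indices}
    if len(tags) != 1:
        raise ValueError("low 3 bits differ between words: likely a transcription error")
    tag = tags.pop()
    entropy = bytes(idx >> 3 for idx in indices)
    return entropy, PATH_TAGS.get(tag)      # None for 000 (unspecified) or unassigned tags


def dice_parity_byte(totals: List[int]) -> int:
    """Assumed mask procedure: eight roll totals, odd -> 1, even -> 0, MSB first."""
    if len(totals) != 8:
        raise ValueError("one byte needs eight rolls")
    value = 0
    for t in totals:
        value = (value << 1) | (t & 1)
    return value


if __name__ == "__main__":
    # Constructed input: the all-zero BIP39 test vector and a 16-byte ramp.
    print(bip39_indices(bytes(16)))            # [0, ..., 0, 3]  ("abandon" x11 "about")
    ramp = bytes(range(16))
    words16 = extension_encode(ramp, 0b011)
    entropy, path = extension_decode(words16)
    print(path, bip39_indices(entropy) == bip39_indices(ramp))
```

The conversion in both directions is what a wallet supporting the extension would do on import: decode the 16 indices, check the tag is uniform, then either use the entropy directly or re-encode it as the ordinary checksummed 12 word phrase for storage.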



Thread overview: 6+ messages
2025-05-23 11:25 Eric Kvam
2025-05-23 14:29 ` Kyle Honeycutt
     [not found]   ` <09A940A2-122A-445E-82EA-1B4E32AC7E34@gmail.com>
2025-05-23 20:45     ` 'Russell O'Connor' via Bitcoin Development Mailing List
2025-05-24 12:33       ` Eric Kvam [this message]
     [not found] <20250523131541.1521C7C0DB0@smtp.postman.i2p>
2025-05-24 20:56 ` pithosian
2025-05-25 14:26   ` nerdyrugbyguy
