Re: [bitcoin-dev] Encryption of an existing BIP39 mnemonic without changing the seed

From: Erik Aronesty <erik@q32•com>
To: Tobias Kaupat <Tobias@kaupat-hh•de>,
	 Bitcoin Protocol Discussion
	<bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Encryption of an existing BIP39 mnemonic without changing the seed
Date: Thu, 6 May 2021 09:19:31 -0400	[thread overview]
Message-ID: <CAJowKg+bpobZq3KfqwO6Rb-tKNw_N-tXoXFE84SdE0jjnc6i3g@mail.gmail.com> (raw)
In-Reply-To: <CAPyCnfvqVT00C2TZ86GXf856jNJqPXY0duRa1CfdCqC0ecC6xA@mail.gmail.com>

i would stretch the password, with pbkdf2 or argon2 with like 30k
rounds or something first, rather than "just hashing it".  remember,
it's pretty easy to validate these seeds - not like you lock someone
out after 9 guesses!

On Wed, May 5, 2021 at 3:38 PM Tobias Kaupat via bitcoin-dev
<bitcoin-dev@lists•linuxfoundation.org> wrote:
>
> Hi all,
> I want to start a discussion about a use case I have and a possible solution. I have not found any satisfying solution to this use case yet.
>
> Use case:
> An existing mnemonic (e.g. for a hardware wallet) should be saved on a paper backup in a password encrypted form. The encrypted form should be a mnemonic itself to keep all backup properties like error correction.
>
> Suggested solution:
> 1) Take the existing mnemonic and extract the related entropy
> 2) Create a SHA526 hash (key) from a user defined password
> 3) Use the key as input for an AES CTR (empty IV) to encrypt the entropy
> 4) Derive a new mnemonic from the encrypted entropy to be stored on a paper backup
>
> We can add some hints to the paper backp that the mnemonic is encrypted, or prefix it with "*" to make clear it's not usable without applying the password via the algorithm above.
>
> To restore the original mnemonic, one must know the password and need to follow the process above again.
>
> An example implementation in GoLang can be found here:
> https://github.com/Niondir/go-bip39/blob/master/encyrption_test.go
>
> Why not use the existing BIP-39 Passphrase?
> When generating a mnemonic with passphrase, the entropy is derived from the passphrase. When you have an existing mnemonic without a passphrase, any attempt to add a passphrase will end up in a different seed and thus a different private key. What we actually need is to encrypt the entropy.
>
> I'm open for your feedback. All encryption parameters are up to discussion and the whole proposal needs a security review. It's just the first draft.
>
> Existing solutions
> One solution I found is "Seedshift" which can be found here: https://github.com/mifunetoshiro/Seedshift
>
> But I consider it less secure and I would like to suggest a solution based on provably secure algorithms rather than a "rot23 derivation". Also using a date as password seems not very clever to me.
>
> Kind regards
> Tobias
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev