* [bitcoindev] BIP39 Extension for Manual Seed Phrase Creation @ 2025-05-23 11:25 Eric Kvam 2025-05-23 14:29 ` Kyle Honeycutt 0 siblings, 1 reply; 6+ messages in thread From: Eric Kvam @ 2025-05-23 11:25 UTC (permalink / raw) To: Bitcoin Development Mailing List [-- Attachment #1.1: Type: text/plain, Size: 2237 bytes --] *Motivation* Make it easy for users to manually create their seed phrase so that they don't have to trust a "black box" and allow for encoding derivation path in seed phrase to simplify recovery *How* Use every eighth word from the wordlist to generate 16 word phrases with 128 bits of entropy (no checksum). The most significant eight bits of each word are used as entropy. The least significant three bits of each word specify the derivation path. - *000* Derivation Path Not Specified - *001* m/44'/0'/0' - *010* m/49'/0'/0' - *011* m/84'/0'/0' - *100* m/48'/0'/0'/2' - *101* m/86'/0'/0' Up to seven derivation paths can be specified if all words have the same least significant bits. If the least significant bits of each word vary, there are 48 bits that can be used to encode meta-data. As long as meta-data is limited to certain allowable values, this provides a mechanism for error detection, similar to a checksum. *Benefits of Suggested Implementation* - The word length determines how the seed phrase should be interpreted. User only needs to know how many words they have and how many words the wallet supports to check for compatibility with this extension - Uses same wordlist to represent the same entropy as a 12 word phrase (could be a revision to BIP39 instead of a new BIP) - Manual procedure is very simple, each derivation path can use a shortened 256 word list which enjoys improved alphabetical separation of words - May prevent naive word selections which aren't limited to every eighth word (similar to what checksum does) - Can be extended further. For example, a 32 word phrase with the same entropy as a 24 word phrase could also be added. We can keep adding formats with unique word length and keep adding uses for the meta data as needed. -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/a139ee2e-473c-487b-a9b0-e68013fdb7cen%40googlegroups.com. [-- Attachment #1.2: Type: text/html, Size: 2693 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [bitcoindev] BIP39 Extension for Manual Seed Phrase Creation 2025-05-23 11:25 [bitcoindev] BIP39 Extension for Manual Seed Phrase Creation Eric Kvam @ 2025-05-23 14:29 ` Kyle Honeycutt [not found] ` <09A940A2-122A-445E-82EA-1B4E32AC7E34@gmail.com> 0 siblings, 1 reply; 6+ messages in thread From: Kyle Honeycutt @ 2025-05-23 14:29 UTC (permalink / raw) To: Eric Kvam; +Cc: Bitcoin Development Mailing List [-- Attachment #1: Type: text/plain, Size: 3590 bytes --] Respectfully, a "black box" is not trusted to generate mnemonic passphrases, the standard is well-defined and generally followed across wallets. https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#Generating_the_mnemonic Users can create their own mnemonics in a trustless way following the BIP39 standard published in 2013. Using any entropy source a user can perform a SHA256 hash on the entropy to get a 256 bit string, then convert that to binary. Perform another SHA256 hash on the binary, take the first 8 bits and solve for checksum and then solve the rest of mnemonic words. On Fri, May 23, 2025, 6:15 AM Eric Kvam <nerdyrugbyguy@gmail•com> wrote: > *Motivation* > Make it easy for users to manually create their seed phrase so that they > don't have to trust a "black box" and allow for encoding derivation path in > seed phrase to simplify recovery > > *How* > Use every eighth word from the wordlist to generate 16 word phrases with > 128 bits of entropy (no checksum). The most significant eight bits of each > word are used as entropy. The least significant three bits of each word > specify the derivation path. > > - *000* Derivation Path Not Specified > - *001* m/44'/0'/0' > - *010* m/49'/0'/0' > - *011* m/84'/0'/0' > - *100* m/48'/0'/0'/2' > - *101* m/86'/0'/0' > > Up to seven derivation paths can be specified if all words have the same > least significant bits. If the least significant bits of each word vary, > there are 48 bits that can be used to encode meta-data. As long as > meta-data is limited to certain allowable values, this provides a mechanism > for error detection, similar to a checksum. > > *Benefits of Suggested Implementation* > > - The word length determines how the seed phrase should be > interpreted. User only needs to know how many words they have and how many > words the wallet supports to check for compatibility with this extension > - Uses same wordlist to represent the same entropy as a 12 word phrase > (could be a revision to BIP39 instead of a new BIP) > - Manual procedure is very simple, each derivation path can use a > shortened 256 word list which enjoys improved alphabetical separation of > words > - May prevent naive word selections which aren't limited to every > eighth word (similar to what checksum does) > - Can be extended further. For example, a 32 word phrase with the > same entropy as a 24 word phrase could also be added. We can keep adding > formats with unique word length and keep adding uses for the meta data as > needed. > > -- > You received this message because you are subscribed to the Google Groups > "Bitcoin Development Mailing List" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to bitcoindev+unsubscribe@googlegroups•com. > To view this discussion visit > https://groups.google.com/d/msgid/bitcoindev/a139ee2e-473c-487b-a9b0-e68013fdb7cen%40googlegroups.com > <https://groups.google.com/d/msgid/bitcoindev/a139ee2e-473c-487b-a9b0-e68013fdb7cen%40googlegroups.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAL9hkF1ptPqvjNqpBHv3_WkEf0cL5HhNudT9SNXZ9DfzpupyOA%40mail.gmail.com. [-- Attachment #2: Type: text/html, Size: 4627 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
[parent not found: <09A940A2-122A-445E-82EA-1B4E32AC7E34@gmail.com>]
* Re: [bitcoindev] BIP39 Extension for Manual Seed Phrase Creation [not found] ` <09A940A2-122A-445E-82EA-1B4E32AC7E34@gmail.com> @ 2025-05-23 20:45 ` 'Russell O'Connor' via Bitcoin Development Mailing List 2025-05-24 12:33 ` Eric Kvam 0 siblings, 1 reply; 6+ messages in thread From: 'Russell O'Connor' via Bitcoin Development Mailing List @ 2025-05-23 20:45 UTC (permalink / raw) To: Eric; +Cc: Bitcoin Development Mailing List [-- Attachment #1: Type: text/plain, Size: 5058 bytes --] FWIW, BIP-93 (codex32) was designed for both human and computer generated randomness. Codex32 also supports human and computer generated secret sharing. See also <https://secretcodex32.com/>. On Fri, May 23, 2025 at 11:35 AM Eric <nerdyrugbyguy@gmail•com> wrote: > Quoting BIP39: "This guide is meant to be a way to transport > computer-generated randomness with a human-readable transcription." > > BIP39 was meant to capture computer generated randomness. Manually > calculating the sha256 hash is not practical. > > Using a separate tool to compute the checksum or last word is cumbersome > and requires users to have a more advanced understanding of cryptography. > > > On May 23, 2025 8:29:27 AM MDT, Kyle Honeycutt <coinables@gmail•com> > wrote: > >> Respectfully, a "black box" is not trusted to generate mnemonic >> passphrases, the standard is well-defined and generally followed across >> wallets. >> >> >> https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#Generating_the_mnemonic >> >> Users can create their own mnemonics in a trustless way following the >> BIP39 standard published in 2013. >> >> Using any entropy source a user can perform a SHA256 hash on the entropy >> to get a 256 bit string, then convert that to binary. Perform another >> SHA256 hash on the binary, take the first 8 bits and solve for checksum and >> then solve the rest of mnemonic words. >> >> On Fri, May 23, 2025, 6:15 AM Eric Kvam <nerdyrugbyguy@gmail•com> wrote: >> >>> *Motivation* >>> Make it easy for users to manually create their seed phrase so that they >>> don't have to trust a "black box" and allow for encoding derivation path in >>> seed phrase to simplify recovery >>> >>> *How* >>> Use every eighth word from the wordlist to generate 16 word phrases with >>> 128 bits of entropy (no checksum). The most significant eight bits of each >>> word are used as entropy. The least significant three bits of each word >>> specify the derivation path. >>> >>> - *000* Derivation Path Not Specified >>> - *001* m/44'/0'/0' >>> - *010* m/49'/0'/0' >>> - *011* m/84'/0'/0' >>> - *100* m/48'/0'/0'/2' >>> - *101* m/86'/0'/0' >>> >>> Up to seven derivation paths can be specified if all words have the same >>> least significant bits. If the least significant bits of each word vary, >>> there are 48 bits that can be used to encode meta-data. As long as >>> meta-data is limited to certain allowable values, this provides a mechanism >>> for error detection, similar to a checksum. >>> >>> *Benefits of Suggested Implementation* >>> >>> - The word length determines how the seed phrase should be >>> interpreted. User only needs to know how many words they have and how many >>> words the wallet supports to check for compatibility with this extension >>> - Uses same wordlist to represent the same entropy as a 12 word >>> phrase (could be a revision to BIP39 instead of a new BIP) >>> - Manual procedure is very simple, each derivation path can use a >>> shortened 256 word list which enjoys improved alphabetical separation of >>> words >>> - May prevent naive word selections which aren't limited to every >>> eighth word (similar to what checksum does) >>> - Can be extended further. For example, a 32 word phrase with the >>> same entropy as a 24 word phrase could also be added. We can keep adding >>> formats with unique word length and keep adding uses for the meta data as >>> needed. >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "Bitcoin Development Mailing List" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to bitcoindev+unsubscribe@googlegroups•com. >>> To view this discussion visit >>> https://groups.google.com/d/msgid/bitcoindev/a139ee2e-473c-487b-a9b0-e68013fdb7cen%40googlegroups.com >>> <https://groups.google.com/d/msgid/bitcoindev/a139ee2e-473c-487b-a9b0-e68013fdb7cen%40googlegroups.com?utm_medium=email&utm_source=footer> >>> . >>> >> -- > You received this message because you are subscribed to the Google Groups > "Bitcoin Development Mailing List" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to bitcoindev+unsubscribe@googlegroups•com. > To view this discussion visit > https://groups.google.com/d/msgid/bitcoindev/09A940A2-122A-445E-82EA-1B4E32AC7E34%40gmail.com > <https://groups.google.com/d/msgid/bitcoindev/09A940A2-122A-445E-82EA-1B4E32AC7E34%40gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAMZUoK%3DA8T5N4ekR7r6%2BcfaxMCYL%3Da5_v0kqdPNVDzgcUY9xrg%40mail.gmail.com. [-- Attachment #2: Type: text/html, Size: 6781 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [bitcoindev] BIP39 Extension for Manual Seed Phrase Creation 2025-05-23 20:45 ` 'Russell O'Connor' via Bitcoin Development Mailing List @ 2025-05-24 12:33 ` Eric Kvam 0 siblings, 0 replies; 6+ messages in thread From: Eric Kvam @ 2025-05-24 12:33 UTC (permalink / raw) To: Bitcoin Development Mailing List [-- Attachment #1: Type: text/plain, Size: 8132 bytes --] I dug up some past arguments regarding the BIP39 checksum. Hopefully my proposal to import manually generated entropy with a 16 word seed phrase avoids controversy because it doesn't conflict with the existing 12/15/18/21/24 word seed phrase formats that are meant for transcribing computer generated entropy. - https://www.reddit.com/r/TREZOR/comments/1d47lxg/bip39_checksum_is_a_misfeature_trezor_should/ - https://www.reddit.com/r/Bitcoin/comments/k761mf/fck_the_mnemonic_sentence_checksum/ - https://bitcoin.stackexchange.com/questions/100376/should-the-bip-39-mnemonic-sentence-checksum-be-eliminated-from-the-standard-do - https://www.reddit.com/r/Bitcoin/comments/wh0s11/bip39_whats_the_benefit_of_the_checksum_word/ Using BIP39 to import manually generated entropy into a computer is a work-around that has become a de-facto standard. Some others, like me, have found that the checksum does more harm than good when importing manually generated entropy. I can see that the checksum is quite helpful when transcribing seed phrases between two computing devices. In lieu of a checksum, users transcribing their 16 word phrase could: select their input from the full 2048 word list, select their input from 256 words but do it twice, check the xpub derived from their seed phrase input. Initial confirmation of the xpub is critical to ensure that a compromised computing device can not cause users to send funds to an address they don't control. Users might store the 16 word phrase, or discard it once they have confirmed their xpub in favor of a format that is better for transcription (12 word phrase or seedQR). When I am onboarding no-coiners, getting them to create their seed phrase has been a stumbling block. Any friction during onboarding reduces the conversion rate. Most people will not bother to learn what a hash is but already understand randomness from games like poker and understand the need to keep their passphrase secret. Just as BIP39 helped enable the proliferation of devices like Trezor/Ledger, a standardized format for import of manually generated entropy enables cheap and simple paper products to help users create their seed phrase. A printout of the wordlist with paper masks that each cover half of the words would make it easy for users to perform a binary search. The user could simply set a mask on top of the wordlist as odd or even based on the totals of dice rolls until only one word is showing. Such a product can be bundled with steel plates for recording and storing the phrase. Instead of the user having to learn about binary numbers, hashes, and checksums, no numbers are required at all. The secure computing device and its ops can also be simplified (only needs to accept seedphrase, display xpub, scan unsigned TX, and display signed TX). On Fri, May 23, 2025 at 2:45 PM Russell O'Connor <roconnor@blockstream•com> wrote: > FWIW, BIP-93 (codex32) was designed for both human and computer generated > randomness. Codex32 also supports human and computer generated secret > sharing. > > See also <https://secretcodex32.com/>. > > On Fri, May 23, 2025 at 11:35 AM Eric <nerdyrugbyguy@gmail•com> wrote: > >> Quoting BIP39: "This guide is meant to be a way to transport >> computer-generated randomness with a human-readable transcription." >> >> BIP39 was meant to capture computer generated randomness. Manually >> calculating the sha256 hash is not practical. >> >> Using a separate tool to compute the checksum or last word is cumbersome >> and requires users to have a more advanced understanding of cryptography. >> >> >> On May 23, 2025 8:29:27 AM MDT, Kyle Honeycutt <coinables@gmail•com> >> wrote: >> >>> Respectfully, a "black box" is not trusted to generate mnemonic >>> passphrases, the standard is well-defined and generally followed across >>> wallets. >>> >>> >>> https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#Generating_the_mnemonic >>> >>> Users can create their own mnemonics in a trustless way following the >>> BIP39 standard published in 2013. >>> >>> Using any entropy source a user can perform a SHA256 hash on the entropy >>> to get a 256 bit string, then convert that to binary. Perform another >>> SHA256 hash on the binary, take the first 8 bits and solve for checksum and >>> then solve the rest of mnemonic words. >>> >>> On Fri, May 23, 2025, 6:15 AM Eric Kvam <nerdyrugbyguy@gmail•com> wrote: >>> >>>> *Motivation* >>>> Make it easy for users to manually create their seed phrase so that >>>> they don't have to trust a "black box" and allow for encoding derivation >>>> path in seed phrase to simplify recovery >>>> >>>> *How* >>>> Use every eighth word from the wordlist to generate 16 word phrases >>>> with 128 bits of entropy (no checksum). The most significant eight bits of >>>> each word are used as entropy. The least significant three bits of each >>>> word specify the derivation path. >>>> >>>> - *000* Derivation Path Not Specified >>>> - *001* m/44'/0'/0' >>>> - *010* m/49'/0'/0' >>>> - *011* m/84'/0'/0' >>>> - *100* m/48'/0'/0'/2' >>>> - *101* m/86'/0'/0' >>>> >>>> Up to seven derivation paths can be specified if all words have the >>>> same least significant bits. If the least significant bits of each word >>>> vary, there are 48 bits that can be used to encode meta-data. As long as >>>> meta-data is limited to certain allowable values, this provides a mechanism >>>> for error detection, similar to a checksum. >>>> >>>> *Benefits of Suggested Implementation* >>>> >>>> - The word length determines how the seed phrase should be >>>> interpreted. User only needs to know how many words they have and how many >>>> words the wallet supports to check for compatibility with this extension >>>> - Uses same wordlist to represent the same entropy as a 12 word >>>> phrase (could be a revision to BIP39 instead of a new BIP) >>>> - Manual procedure is very simple, each derivation path can use a >>>> shortened 256 word list which enjoys improved alphabetical separation of >>>> words >>>> - May prevent naive word selections which aren't limited to every >>>> eighth word (similar to what checksum does) >>>> - Can be extended further. For example, a 32 word phrase with the >>>> same entropy as a 24 word phrase could also be added. We can keep adding >>>> formats with unique word length and keep adding uses for the meta data as >>>> needed. >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "Bitcoin Development Mailing List" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to bitcoindev+unsubscribe@googlegroups•com. >>>> To view this discussion visit >>>> https://groups.google.com/d/msgid/bitcoindev/a139ee2e-473c-487b-a9b0-e68013fdb7cen%40googlegroups.com >>>> <https://groups.google.com/d/msgid/bitcoindev/a139ee2e-473c-487b-a9b0-e68013fdb7cen%40googlegroups.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>> -- >> You received this message because you are subscribed to the Google Groups >> "Bitcoin Development Mailing List" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to bitcoindev+unsubscribe@googlegroups•com. >> To view this discussion visit >> https://groups.google.com/d/msgid/bitcoindev/09A940A2-122A-445E-82EA-1B4E32AC7E34%40gmail.com >> <https://groups.google.com/d/msgid/bitcoindev/09A940A2-122A-445E-82EA-1B4E32AC7E34%40gmail.com?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CADXQin4VbtvyWDGYLJB0HyJ2%2BEai-01CKt6J6UzXM9qtdGJbuw%40mail.gmail.com. [-- Attachment #2: Type: text/html, Size: 10576 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
[parent not found: <20250523131541.1521C7C0DB0@smtp.postman.i2p>]
* Re: [bitcoindev] BIP39 Extension for Manual Seed Phrase Creation [not found] <20250523131541.1521C7C0DB0@smtp.postman.i2p> @ 2025-05-24 20:56 ` pithosian 2025-05-25 14:26 ` nerdyrugbyguy 0 siblings, 1 reply; 6+ messages in thread From: pithosian @ 2025-05-24 20:56 UTC (permalink / raw) To: bitcoindev BIP39 works fine with entropy generated without a computer. I personally recommend using coinflips with Von Neumann skew correction. Yes, you need to perform a SHA256 hash to calculate the checksum word. You need to use SHA512 HMAC as the next step, and EC point multiplication along with a host of other steps which are unrealistic to expect a human to perform by hand to actually get child keys and addresses out the other end, too. I have a bootable UEFI application for generating a mnemonic with skew-corrected coinflips (among other things), designed for airgapped operation, lying around in my archive somewhere. I plan on re-implementing it as part of a much larger, long-running project but if there's interest I can go find it, clean it up and publish the old version in the meantime. The spec doesn't need to change; there's really no benefit to generating a mnemonic without the SHA256 hash step, because again, you can't do anything with that mnemonic without hashing. As for encoding derivation paths in the mnemonic, Electrum's Seed Version System achieves roughly the same thing, but descriptors are a better solution for managing non-entropy metadata for wallets. For those who really don't want to put in the small amount of additional effort required to use descriptors, replying on the standard derivation paths is sufficient, as long as they're made aware of their existence. Educating your users is a better solution than attempting to abstract away (aka hide) critical information from them. On Fri, 23 May 2025 13:15:41 +0000 (UTC) Eric Kvam <nerdyrugbyguy@gmail•com> wrote: > *Motivation* > Make it easy for users to manually create their seed phrase so that > they don't have to trust a "black box" and allow for encoding > derivation path in seed phrase to simplify recovery > > *How* > Use every eighth word from the wordlist to generate 16 word phrases > with 128 bits of entropy (no checksum). The most significant eight > bits of each word are used as entropy. The least significant three > bits of each word specify the derivation path. > > - *000* Derivation Path Not Specified > - *001* m/44'/0'/0' > - *010* m/49'/0'/0' > - *011* m/84'/0'/0' > - *100* m/48'/0'/0'/2' > - *101* m/86'/0'/0' > > Up to seven derivation paths can be specified if all words have the > same least significant bits. If the least significant bits of each > word vary, there are 48 bits that can be used to encode meta-data. > As long as meta-data is limited to certain allowable values, this > provides a mechanism for error detection, similar to a checksum. > > *Benefits of Suggested Implementation* > > - The word length determines how the seed phrase should be > interpreted. User only needs to know how many words they have and how > many words the wallet supports to check for compatibility with this > extension > - Uses same wordlist to represent the same entropy as a 12 word > phrase (could be a revision to BIP39 instead of a new BIP) > - Manual procedure is very simple, each derivation path can use a > shortened 256 word list which enjoys improved alphabetical > separation of words > - May prevent naive word selections which aren't limited to every > eighth word (similar to what checksum does) > - Can be extended further. For example, a 32 word phrase with the > same entropy as a 24 word phrase could also be added. We can keep > adding formats with unique word length and keep adding uses for the > meta data as needed. > -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/20250524205608.D723F7C1191%40smtp.postman.i2p. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [bitcoindev] BIP39 Extension for Manual Seed Phrase Creation 2025-05-24 20:56 ` pithosian @ 2025-05-25 14:26 ` nerdyrugbyguy 0 siblings, 0 replies; 6+ messages in thread From: nerdyrugbyguy @ 2025-05-25 14:26 UTC (permalink / raw) To: Bitcoin Development Mailing List [-- Attachment #1.1: Type: text/plain, Size: 6495 bytes --] Greetings Pithosian, Thank you (and everyone) for taking time to consider my suggestions. I flipped coins to create my seed phrase ten years ago. I founded a bitcoin club, created printed guides, and taught the procedure to others. Even out of a group of people with engineering degrees, it was too much. Many people have limited math ability and most will never learn binary math or checksums. Unfortunately bitcoin "self custody" is typically based on trusting a black box. The question is really whether bitcoin is for elites or plebs. The UEFI application you're suggesting sounds like it might be similar to other existing tools that receive entropy input and output a seed phrase or last word. What format should be used for the entropy input? Typically hex or binary is used because we lack a standard format (encoding entropy with words would be less error prone). To be trustless and do what you suggest, it seems users would have to record their entropy in a non-standard format, obtain two independent tools, perform a non-standard import of their entropy into the first tool, record the seed phrase output, perform a non-standard import of their entropy into the second tool, then confirm that the output of the second tool matches. While not requiring the user to know binary math, this is too much for most users and is error prone. I agree that the spec doesn't need to change, it's not broken and is well suited for its intended purpose. I'm proposing an extension. Here are the current options I'm aware of for seed generation: *#1* Use a "white box" tool (only an option for devs that can verify source and build their own tools) *#2* Trust a "black box" tool *#3* Non-standard entropy import into two independent "black box" tools and cross-check results *#4* Use binary math to determine initial words and most significant bits of last word. Obtain least significant bits of last word by guessing or computing sha256 hash. A standard for encoding entropy would make #3 easier (useful for things like seedQR) and enable #5: *#5* Record entropy in a standard format As far as encoding derivation paths, I was trying to think of something useful that could be done with the extra bits being encoded. I would defer this discussion for now and just ask for consideration of the case where derivation path is not specified. Regards, -Eric On Sunday, May 25, 2025 at 5:44:44 AM UTC-6 pithosian wrote: BIP39 works fine with entropy generated without a computer. I personally recommend using coinflips with Von Neumann skew correction. Yes, you need to perform a SHA256 hash to calculate the checksum word. You need to use SHA512 HMAC as the next step, and EC point multiplication along with a host of other steps which are unrealistic to expect a human to perform by hand to actually get child keys and addresses out the other end, too. I have a bootable UEFI application for generating a mnemonic with skew-corrected coinflips (among other things), designed for airgapped operation, lying around in my archive somewhere. I plan on re-implementing it as part of a much larger, long-running project but if there's interest I can go find it, clean it up and publish the old version in the meantime. The spec doesn't need to change; there's really no benefit to generating a mnemonic without the SHA256 hash step, because again, you can't do anything with that mnemonic without hashing. As for encoding derivation paths in the mnemonic, Electrum's Seed Version System achieves roughly the same thing, but descriptors are a better solution for managing non-entropy metadata for wallets. For those who really don't want to put in the small amount of additional effort required to use descriptors, replying on the standard derivation paths is sufficient, as long as they're made aware of their existence. Educating your users is a better solution than attempting to abstract away (aka hide) critical information from them. On Fri, 23 May 2025 13:15:41 +0000 (UTC) Eric Kvam <nerdyr...@gmail•com> wrote: > *Motivation* > Make it easy for users to manually create their seed phrase so that > they don't have to trust a "black box" and allow for encoding > derivation path in seed phrase to simplify recovery > > *How* > Use every eighth word from the wordlist to generate 16 word phrases > with 128 bits of entropy (no checksum). The most significant eight > bits of each word are used as entropy. The least significant three > bits of each word specify the derivation path. > > - *000* Derivation Path Not Specified > - *001* m/44'/0'/0' > - *010* m/49'/0'/0' > - *011* m/84'/0'/0' > - *100* m/48'/0'/0'/2' > - *101* m/86'/0'/0' > > Up to seven derivation paths can be specified if all words have the > same least significant bits. If the least significant bits of each > word vary, there are 48 bits that can be used to encode meta-data. > As long as meta-data is limited to certain allowable values, this > provides a mechanism for error detection, similar to a checksum. > > *Benefits of Suggested Implementation* > > - The word length determines how the seed phrase should be > interpreted. User only needs to know how many words they have and how > many words the wallet supports to check for compatibility with this > extension > - Uses same wordlist to represent the same entropy as a 12 word > phrase (could be a revision to BIP39 instead of a new BIP) > - Manual procedure is very simple, each derivation path can use a > shortened 256 word list which enjoys improved alphabetical > separation of words > - May prevent naive word selections which aren't limited to every > eighth word (similar to what checksum does) > - Can be extended further. For example, a 32 word phrase with the > same entropy as a 24 word phrase could also be added. We can keep > adding formats with unique word length and keep adding uses for the > meta data as needed. > -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/4c376336-1fe3-4b1c-b13b-8dcc2075e758n%40googlegroups.com. [-- Attachment #1.2: Type: text/html, Size: 7764 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2025-05-25 15:12 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-05-23 11:25 [bitcoindev] BIP39 Extension for Manual Seed Phrase Creation Eric Kvam
2025-05-23 14:29 ` Kyle Honeycutt
[not found] ` <09A940A2-122A-445E-82EA-1B4E32AC7E34@gmail.com>
2025-05-23 20:45 ` 'Russell O'Connor' via Bitcoin Development Mailing List
2025-05-24 12:33 ` Eric Kvam
[not found] <20250523131541.1521C7C0DB0@smtp.postman.i2p>
2025-05-24 20:56 ` pithosian
2025-05-25 14:26 ` nerdyrugbyguy
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox