From: Tobias Kaupat <Tobias@kaupat-hh•de>
To: bitcoin-dev@lists•linuxfoundation.org
Subject: [bitcoin-dev] Encryption of an existing BIP39 mnemonic without changing the seed
Date: Wed, 5 May 2021 19:32:05 +0200
Message-ID: <CAPyCnfvqVT00C2TZ86GXf856jNJqPXY0duRa1CfdCqC0ecC6xA@mail.gmail.com>


Hi all,
I want to start a discussion about a use case I have and a possible
solution. I have not found any satisfying solution to this use case yet.

*Use case:*
An existing mnemonic (e.g. for a hardware wallet) should be saved on a
paper backup in a password encrypted form. The encrypted form should be a
mnemonic itself to keep all backup properties like error correction.

*Suggested solution:*
1) Take the existing mnemonic and extract the related entropy
2) Create a SHA256 hash (key) from a user defined password
3) Use the key as input for an AES CTR (empty IV) to encrypt the entropy
4) Derive a new mnemonic from the encrypted entropy to be stored on a paper
backup

We can add some hints to the paper backup that the mnemonic is encrypted, or
prefix it with "*" to make clear it's not usable without applying the
password via the algorithm above.

To restore the original mnemonic, one must know the password and needs to
follow the process above again.

An example implementation in GoLang can be found here:
https://github.com/Niondir/go-bip39/blob/master/encyrption_test.go

*Why not use the existing BIP-39 Passphrase?*
When generating a mnemonic with passphrase, the entropy is derived from the
passphrase. When you have an existing mnemonic without a passphrase, any
attempt to add a passphrase will end up in a different seed and thus a
different private key. What we actually need is to encrypt the entropy.

I'm open to your feedback. All encryption parameters are up to discussion
and the whole proposal needs a security review. It's just the first draft.

*Existing solutions*
One solution I found is "Seedshift" which can be found here:
https://github.com/mifunetoshiro/Seedshift

But I consider it less secure and I would like to suggest a solution based
on provably secure algorithms rather than a "rot23 derivation". Also using
a date as password seems not very clever to me.

Kind regards
Tobias
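The four-step procedure proposed in the message above, written out as an added Go example. This is not the author's go-bip39 code and not code from the linked repository; it follows the post's parameters exactly (AES-256 in CTR mode, key = SHA-256 of the password, all-zero IV) and recomputes the BIP39 checksum over the encrypted entropy so that the backup form validates like any other mnemonic. To stay self-contained it omits the 2048-word list and represents a mnemonic as its 11-bit word indices (index 0 is "abandon", index 3 is "about"); mapping indices to words is a table lookup left to the reader. The 16 zero bytes used in main() are a constructed input (the well-known "abandon ... about" vector), and all function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
)

// entropyToIndices implements BIP39 encoding: append ENT/32 checksum bits
// (taken from SHA-256 of the entropy) and split the result into 11-bit words.
func entropyToIndices(entropy []byte) ([]int, error) {
	ent := len(entropy) * 8
	if ent < 128 || ent > 256 || ent%32 != 0 {
		return nil, errors.New("entropy must be 128..256 bits in 32-bit steps")
	}
	cs := ent / 32
	h := sha256.Sum256(entropy)
	bits := make([]byte, 0, ent+cs)
	for _, b := range entropy {
		for i := 7; i >= 0; i-- {
			bits = append(bits, (b>>uint(i))&1)
		}
	}
	for i := 0; i < cs; i++ { // checksum = leading cs bits of the hash
		bits = append(bits, (h[i/8]>>uint(7-i%8))&1)
	}
	idx := make([]int, (ent+cs)/11)
	for w := range idx {
		for i := 0; i < 11; i++ {
			idx[w] = idx[w]<<1 | int(bits[w*11+i])
		}
	}
	return idx, nil
}

// indicesToEntropy reverses entropyToIndices and rejects a bad checksum,
// which is the "error correction" property the backup is meant to keep.
func indicesToEntropy(idx []int) ([]byte, error) {
	n := len(idx)
	if n < 12 || n > 24 || n%3 != 0 {
		return nil, errors.New("word count must be 12, 15, 18, 21 or 24")
	}
	total := n * 11
	cs := total / 33
	ent := total - cs
	bits := make([]byte, 0, total)
	for _, v := range idx {
		if v < 0 || v > 2047 {
			return nil, errors.New("word index out of range")
		}
		for i := 10; i >= 0; i-- {
			bits = append(bits, byte((v>>uint(i))&1))
		}
	}
	entropy := make([]byte, ent/8)
	for i := 0; i < ent; i++ {
		entropy[i/8] |= bits[i] << uint(7-i%8)
	}
	h := sha256.Sum256(entropy)
	for i := 0; i < cs; i++ {
		if bits[ent+i] != (h[i/8]>>uint(7-i%8))&1 {
			return nil, errors.New("checksum mismatch")
		}
	}
	return entropy, nil
}

// cryptEntropy is steps 2 and 3 of the post: SHA-256(password) as the AES-256
// key, CTR mode with an all-zero IV. CTR is symmetric, so the same call
// both encrypts and decrypts.
func cryptEntropy(entropy []byte, password string) ([]byte, error) {
	key := sha256.Sum256([]byte(password))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize) // all-zero IV, as proposed in the post
	out := make([]byte, len(entropy))
	cipher.NewCTR(block, iv).XORKeyStream(out, entropy)
	return out, nil
}

// transformIndices runs the full pipeline (steps 1 to 4) on word indices.
// Applying it twice with the same password restores the original mnemonic.
func transformIndices(idx []int, password string) ([]int, error) {
	entropy, err := indicesToEntropy(idx)
	if err != nil {
		return nil, err
	}
	ct, err := cryptEntropy(entropy, password)
	if err != nil {
		return nil, err
	}
	return entropyToIndices(ct)
}

func main() {
	original, _ := entropyToIndices(make([]byte, 16)) // constructed: "abandon" x11 "about"
	backup, _ := transformIndices(original, "correct horse")
	restored, _ := transformIndices(backup, "correct horse")
	fmt.Println("original:", original)
	fmt.Println("backup:  ", backup)
	fmt.Println("restored:", restored)
}
```

Two properties of these parameters are visible in the code and are worth weighing in the security review the post asks for: the key is an unsalted, single-iteration SHA-256 of the password, so anyone holding the paper backup can test password guesses offline at hash speed; and because the checksum is recomputed on the plaintext side, a wrong password does not fail but silently yields a different, valid-looking mnemonic, so there is no built-in way to detect a mistyped password.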
