From: thomasV1@gmx•de
To: bitcoin-development@lists•sourceforge.net
Subject: [Bitcoin-development] Proposal to replace BIP0039
Date: Thu, 24 Oct 2013 19:29:18 +0200 (CEST) [thread overview]
Message-ID: <trinity-ba3941a0-f758-4372-b431-c64e9b44328a-1382635758149@3capp-gmx-bs09> (raw)
I would like to propose a new BIP, that replaces BIP0039.
My initial problem was that BIP0039 is not backward compatible with Electrum. When trying to solve that, I realized that the seed encoding used in Electrum does not help, because it does not contain a version number information. However, BIP0039 suffers the same shortcoming: it does nothing to help a future replacement, it wants to be final. My first recommendation is to allocate a few bits of the mnemonic, in order to encode a "version number" along with the checksum bits.
The second problem is the wallet structure. There are multiple ways to use a BIP32 tree, and each client will certainly handle this differently. For Electrum, it is important to be able to recover an entire wallet from its mnemonic, using no extra information. Thus, the client needs to know which branches of the BIP32 tree are populated by default. This means that the "version number" I mentioned will not only be about the seed encoding, but it should also give some information about the wallet structure, at least in the case of Electrum.
The third problem is the dictionary. I do not like the dictionary proposed in BIP0039, because it contains too many short words, which are bad for memorization (I explained here how I designed the dictionary used by Electrum: https://bitcointalk.org/index.php?topic=153990.msg2167909#msg2167909). I had some discussions with slush about this, but I do not think it will ever be possible to find a consensus on that topic.
BIP0039 also suggests to use localized dictionaries, with non-colliding word lists, but it is not clear how that will be achieved; it seems to be difficult, because languages often have words in common. It looks like a first-come-first-served aproach will be used.
For these reasons, I believe that we need a dictionary-independent solution. This will allow developers to use the dictionary they like, and localization will be easy.
I would like to suggest the following solution:
1. Define a target of k bits: this target contains the metadata ("version number"), plus some extra bits for the checksum. For example, with k=16, we can allocate 8 bits for the version number, and 8 bits for checksum.
2. Pick a random number of length n+k bits, where n is the desired entropy of the seed, and k is the number of bits needed for the metadata (checksum, version number)
3. Translate this random number to a mnemonic string, using a dictionary.
4. Compute a hash of the mnemonic string (utf8 encoded).
5. Repeat steps 2, 3 and 4 until the k first bits of the hash are equal to the target defined in 1.
6. Use the final hash as input for bip32 (as the master seed)
This means that we "mine" for the seed, until the desired metadata is obtained in the hash. This "mining" also adds a bit of difficulty to the process of finding a seed (on average, it will require 2^k iterations). The entropy of the final hash is n, the number of unconstrained bits.
This solution makes it possible for developers to define new dictionaries, localized or adapted to a particular need.
The resulting mnemonics will always be usable with other clients, even if they do not know the dictionary.
I am willing to write a new BIP where this proposal is specified in detail.
next reply other threads:[~2013-10-24 17:29 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-10-24 17:29 thomasV1 [this message]
2013-10-24 18:09 ` slush
2013-10-25 9:27 ` Thomas Voegtlin
2013-10-24 18:54 ` slush
2013-10-26 15:24 ` Thomas Voegtlin
2013-10-26 20:47 ` slush
2013-10-26 21:30 ` Pieter Wuille
2013-10-31 9:13 ` Thomas Voegtlin
2013-10-31 10:41 ` slush
2013-10-31 11:07 ` Peter Todd
2013-11-02 9:44 ` Thomas Voegtlin
2013-11-03 6:41 ` Timo Hanke
2013-11-03 7:03 ` Thomas Voegtlin
2013-11-03 7:40 ` Timo Hanke
2013-11-03 8:39 ` Thomas Voegtlin
2013-11-04 15:10 ` Timo Hanke
2013-11-16 23:41 ` Pavol Rusnak
2013-11-16 23:49 ` Pavol Rusnak
2013-11-17 0:42 ` Timo Hanke
2013-11-17 0:49 ` Pavol Rusnak
2013-10-31 11:11 ` slush
2013-10-31 11:18 ` slush
2013-11-02 10:10 ` Thomas Voegtlin
2013-10-24 21:55 ` Luke-Jr
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=trinity-ba3941a0-f758-4372-b431-c64e9b44328a-1382635758149@3capp-gmx-bs09 \
--to=thomasv1@gmx$(echo .)de \
--cc=bitcoin-development@lists$(echo .)sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox