public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Ethan Kosakovsky <ethankosakovsky@protonmail•com>
To: "bitcoin-dev@lists•linuxfoundation.org"
	<bitcoin-dev@lists•linuxfoundation.org>
Subject: [bitcoin-dev] RFC: Deterministic Entropy From BIP32 Keychains
Date: Fri, 20 Mar 2020 15:44:01 +0000	[thread overview]
Message-ID: <_CC9MLKCy5rmooAmR91_34tQxgDiXDJCdY4W6_X6xqDJUiAEuaWBVi8iBaFipx2KGt5_mf5XqFKMfoNgemTPCMgraWt5CVRifUM5iMolxto=@protonmail.com> (raw)

I would like to present a proposal for discussion and peer review. It aims to solve the problem of "too many seeds and too many backups" due to the many reasons stipulated in the proposal text.

https://gist.githubusercontent.com/ethankosakovsky/f7d148f588d14e0bb4f70bb6afc509d0/raw/6da51e837b0e1f1b2b21f3d4cbc2c5a87969ffd5/bip-entropy-from-bip32.mediawiki

<pre>
  BIP:
  Title: Deterministic Entropy From BIP32 Keychains
  Author: Ethan Kosakovsky <ethankosakovsky@protonmail•com>
  Comments-Summary: No comments yet.
  Comments-URI:
  Status: Proposed
  Type: Standards Track
  Created: 2020-03-20
  License: BSD-2-Clause
           OPL
</pre>

==Abstract==

This proposal provides a way to derive entropy from a HD keychain path in order to deterministically derive the initial entropy used to create keychain mnemonics and seeds.

==Motivation==

BIP32 uses some initial entropy as a seed to deterministically derive a BIP32 root for hierarchical deterministic keychains. BIP39 introduced a method of encoding initial entropy into a mnemonic phrase which is used as input to a one way hash function in order to deterministically derive a BIP32 seed. The motivation behind mnemonic phrases was to make it easier for humans to backup and store offline. There are also other variations of this theme.

The initial motivation of BIP32 was to make handling of large numbers of private keys easier to manage and backup, since you only need one BIP32 seed to cover all possible keys in the keychain. In practice however, due to various wallet implementations and security models, the average user may be faced with the need to handle an ever growing number of seeds/mnemonics. This is due to incompatible wallet standards, hardware wallets (HWW), seed formats and standards, as well as, the need to used a mix of hot and cold wallets depending on the application and environment.

Examples would span wallets on mobile phones, online servers running protocols like Join Market or Lightning, and the difference between Electrum and BIP39 mnemonic seed formats. The reference implementation of Bitcoin Core uses BIP32, while other cryptocurrencies like Monero use different mnemonic encoding schemes.

We must also consider the different variety of physical backups including paper, metal and other physical storage devices, as well as the potentially splitting backups across different geographical locations. This complexity may result in less care being taken with subsequently generated seeds for new wallets need to be stored and it ultimately results in less security. In reality, the idea of having "one seed for all" has proven to be more difficult in practice than originally thought.

Since all these derivation schemes are deterministic based on some initial entropy, this proposal aims to solve the above problems by detailing a way to deterministically derive the initial entropy used for new root keychains using a single BIP32 style "master root key". This will allow one root key or mnemonic to derive any variety of different root keychains in whatever format is required (like BIP32 and BIP39 etc).

==Specification==

Input starts with a BIP32 seed. Derivation scheme uses the format `m/83696968'/type'/index'` where `type` is the final seed type, and `index` in the key index of the hardened child private key.

| type | bits| output                    |
|------|-----|---------------------------|
|   0  | 128 | 12 word BIP39 mnemonic    |
|   1  | 256 | 24 word BIP39 mnemonic    |
|   2  | 128 | 12 word Electrum mnemonic |
|   3  | 256 | 24 word Electrum mnemonic |
|   4  | 256 | WIF for Bitcoin Core      |
|   5  | 256 | 25 word Monero mnemonic   |

Entropy is calculated from the HMAC-SHA512(key=k, msg='bip-entropy-from-bip32') of the derived 32 byte private key (k). Entropy is taken from the result according to the number of bits required. This entropy can then be used as input to derive a mnemonic, wallet etc according to the `type` specified.

==Compatibility==

In order to maintain the widest compatibility, the input to this function is a BIP32 seed, which may or may not have been derived from a BIP39 like mnemonic scheme. This maintains the original motivation that one backup can store any and all child derivation schemes depending on the user's preference or hardware signing devices. For example, devices that store the HD seed as a BIP39 mnemonic, Electrum seed, or BIP32 root key would all be able to implement this standard.

==Discussion==

This proposal could be split into multiple discrete BIPs in the same way that BIP32 described the derivation mechanics, BIP39 the input encoding with mnemonics, and the derivation paths like BIP44, BIP49 and BIP84. This has been avoided to reduce complexity. The resulting private key processed with HMAC-SHA512 and truncated as necessary. HMAC-SHA512 was chosen because it may have better compatibility in embedded devices as it's already required in devices supporting BIP32.

==Test Vectors==

===Test case 1===

MASTER BIP39 SEED INPUT: angle fabric town envelope music diet bind employ giant era attitude exit final oval one finger decorate pair useless super method float toddler dance
MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2xNoceSiUtx8Wb8Fcrk9FUfzD3MLT4eFx5NbBuof9Mwrf7CCbfGJNehNRHvrXnWvy9FtWVaeNggsSKT57GNk7jpk1PRzZDp
PATH: m/83696968'/0'/0'
BITS REQUIRED: 128

DERIVED CHILD WIF=L3cefeCHyo8jczVjckMxaiPBaPUunc3D8CsjRxYbYp3FhasGpsV3
DERIVED CHILD k=bed343b04ba0216d9eeebff0366b61c4179d90d44b61c716ef6d568836ba4d23
CHILD ENTROPY=6458698fae3578b48a64124ea3514e12
CONVERT ENTROPY TO WIF=KwDiBf89QgGbjEhKnhXJuH7T2Vv72UKQA8KRkmNwVFS2znAS5xb9
CHILD BIP39 MNEMONIC=gold select glue fragile fiscal fog civil liquid exchange box fatal caught
CHILD BIP39 SEED=2a2720e5590d4ec3140e51ba1b0b0a5183222c1668977c8a57572b0ea55d238cd8e899b3b1870e48894ca837e41e5d0db07554715efb21556fdde27f9f7ba153
CHILD BIP32 ROOT KEY=xprv9s21ZrQH143K2ZH5qacptquLGvcYpHSNeyFVCU8Ur4u9kocajbBgcaCbHkGbwDsBR661H29F54j5mz14kwXbY9PZKdNRdjgRcGfshBK9XXb


===Test case 2===

MASTER BIP39 SEED INPUT: angle fabric town envelope music diet bind employ giant era attitude exit final oval one finger decorate pair useless super method float toddler dance
MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2xNoceSiUtx8Wb8Fcrk9FUfzD3MLT4eFx5NbBuof9Mwrf7CCbfGJNehNRHvrXnWvy9FtWVaeNggsSKT57GNk7jpk1PRzZDp
PATH: m/83696968'/1'/0'
BITS REQUIRED: 256

DERIVED CHILD WIF=L1zCbtnDWUN4vJA3De4sxmJnoRim57CQUuBb4KBoRNs2EMEq2Brg
DERIVED CHILD k=8e3ca6054a6303f4a6a1bcbda6134c9802f4f0a0d76b0ee6b69b06b1e80b2192
CHILD ENTROPY=ec4e2f7e2c3fca9a34fa29747bf8ba0ab7f05136f37e134e2457e9e53639670b
CONVERT ENTROPY TO WIF=L594JSCygt2wBaB9mCpXjiLkkxkEojpBdNXG8UrrdLd2LvPBRMUs
CHILD BIP39 MNEMONIC=unable imitate test flash witness escape stadium early inner thank company betray lecture chuckle swift hurt battle illness bicycle stable fat bronze order high
CHILD BIP39 SEED=73509b0e847ee66bddeb098a55063d73e8c6dd5f1c1db6969c668bb54c19bde6eae8acc29a81118d1d9719fa1bc620fee7edd7c15a17bcaf70b0fdfc0c0c3803
CHILD BIP32 ROOT KEY=xprv9s21ZrQH143K4PfLyyjYLVmKbnUTNFK6Y7jPKWfRZB3iSw1Gy9qowEzkYHfetVabfmjHEEPrcTJbh7chae33Sm9uAjuXzhSL6Li8dcwM9Bm


===Test case 3===

MASTER BIP39 SEED INPUT: angle fabric town envelope music diet bind employ giant era attitude exit final oval one finger decorate pair useless super method float toddler dance
MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2xNoceSiUtx8Wb8Fcrk9FUfzD3MLT4eFx5NbBuof9Mwrf7CCbfGJNehNRHvrXnWvy9FtWVaeNggsSKT57GNk7jpk1PRzZDp
PATH: m/83696968'/4'/0'
BITS REQUIRED: 256

DERIVED CHILD WIF=KwdD5PYnCU3xQDfFJ6XBf6UDaLrTUxrKmBpdjRuuavWyqAQtpaA2
DERIVED CHILD k=0c169ce2c17bea08512a7519769e365242a1562bd63c4c903daef516000efbf2
CHILD ENTROPY=25573247f8a76799f7abc086b9286b5a7ccb03cb8d3550f48ac1e71d90832974
CONVERT ENTROPY TO WIF=KxUJ8VzMk7uWDEcwYjLRzRMGE6sSpwCfQxkE9GEwAvXhFSDNba9G
CHILD BIP39 MNEMONIC=census ridge music vanish island smooth team job mammal sing bracket reject smile limit comfort pluck extend picture race soda suit dose place obtain
CHILD BIP39 SEED=4e5c82be6455ecf0884d9475435e29a9afb9acf70b07296d7e5039c866e4d54647706918b9d14909dfbd7071a4b7aee8a4ad0ac2bf48f0a09a8899dd28564418
CHILD BIP32 ROOT KEY=xprv9s21ZrQH143K2kekJsK9V6t4ZKwHkY1Q3umxuaAhdZKGxCMpHiddLdYUQBoynszpwnk5upoC788LiT5MZ5q1vUABXG7AMyZK5UjD9iyL7Am

==References==

BIP32, BIP39

==Copyright==

This BIP is dual-licensed under the Open Publication License and BSD 2-clause license.


             reply	other threads:[~2020-03-20 15:44 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-03-20 15:44 Ethan Kosakovsky [this message]
2020-03-20 16:29 ` Pavol Rusnak
2020-03-20 17:34   ` Ethan Kosakovsky
2020-03-20 17:35     ` Ethan Kosakovsky
2020-03-20 20:02 ` Peter D. Gray
2020-03-21  1:46   ` Christopher Allen
2020-03-21 15:10     ` Ethan Kosakovsky
2020-03-22 11:58 ` Ethan Kosakovsky
2020-03-24  8:07   ` Tim Ruffing
2020-03-25 13:54     ` Adam Back

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='_CC9MLKCy5rmooAmR91_34tQxgDiXDJCdY4W6_X6xqDJUiAEuaWBVi8iBaFipx2KGt5_mf5XqFKMfoNgemTPCMgraWt5CVRifUM5iMolxto=@protonmail.com' \
    --to=ethankosakovsky@protonmail$(echo .)com \
    --cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox