I have completely revised the wording of this proposal. I hope it is clearer in explaining the motivation and methodology.
https://gist.github.com/ethankosakovsky/268c52f018b94bea29a6e809381c05d6

Ethan

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, March 20, 2020 4:44 PM, Ethan Kosakovsky via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:

> I would like to present a proposal for discussion and peer review. It aims to
> solve the problem of "too many seeds and too many backups" due to the many
> reasons stipulated in the proposal text.
>
> https://gist.githubusercontent.com/ethankosakovsky/f7d148f588d14e0bb4f70bb6afc509d0/raw/6da51e837b0e1f1b2b21f3d4cbc2c5a87969ffd5/bip-entropy-from-bip32.mediawiki
>
> <pre>
> BIP:
> Title: Deterministic Entropy From BIP32 Keychains
> Author: Ethan Kosakovsky ethankosakov...@protonmail.com
> Comments-Summary: No comments yet.
> Comments-URI:
> Status: Proposed
> Type: Standards Track
> Created: 2020-03-20
> License: BSD-2-Clause
>          OPL
> </pre>
>
> ==Abstract==
>
> This proposal provides a way to derive entropy from an HD keychain path in
> order to deterministically derive the initial entropy used to create keychain
> mnemonics and seeds.
>
> ==Motivation==
>
> BIP32 uses some initial entropy as a seed to deterministically derive a BIP32
> root for hierarchical deterministic keychains. BIP39 introduced a method of
> encoding initial entropy into a mnemonic phrase which is used as input to a
> one way hash function in order to deterministically derive a BIP32 seed. The
> motivation behind mnemonic phrases was to make it easier for humans to back up
> and store offline. There are also other variations of this theme.
>
> The initial motivation of BIP32 was to make handling of large numbers of
> private keys easier to manage and back up, since you only need one BIP32 seed
> to cover all possible keys in the keychain. In practice however, due to
> various wallet implementations and security models, the average user may be
> faced with the need to handle an ever growing number of seeds/mnemonics.
> This is due to incompatible wallet standards, hardware wallets (HWW), seed
> formats and standards, as well as the need to use a mix of hot and cold
> wallets depending on the application and environment.
>
> Examples would span wallets on mobile phones, online servers running
> protocols like Join Market or Lightning, and the difference between Electrum
> and BIP39 mnemonic seed formats. The reference implementation of Bitcoin Core
> uses BIP32, while other cryptocurrencies like Monero use different mnemonic
> encoding schemes.
>
> We must also consider the different variety of physical backups including
> paper, metal and other physical storage devices, as well as the potential
> splitting of backups across different geographical locations. This complexity
> may result in less care being taken with subsequently generated seeds for new
> wallets that need to be stored, and it ultimately results in less security. In
> reality, the idea of having "one seed for all" has proven to be more
> difficult in practice than originally thought.
>
> Since all these derivation schemes are deterministic based on some initial
> entropy, this proposal aims to solve the above problems by detailing a way to
> deterministically derive the initial entropy used for new root keychains
> using a single BIP32 style "master root key". This will allow one root key or
> mnemonic to derive any variety of different root keychains in whatever format
> is required (like BIP32 and BIP39 etc).
>
> ==Specification==
>
> Input starts with a BIP32 seed. The derivation scheme uses the format
> `m/83696968'/type'/index'` where `type` is the final seed type, and `index`
> is the key index of the hardened child private key.
>
>   type   bits   output
>   0      128    12 word BIP39 mnemonic
>   1      256    24 word BIP39 mnemonic
>   2      128    12 word Electrum mnemonic
>   3      256    24 word Electrum mnemonic
>   4      256    WIF for Bitcoin Core
>   5      256    25 word Monero mnemonic
>
> Entropy is calculated from the HMAC-SHA512(key=k,
> msg='bip-entropy-from-bip32') of the derived 32 byte private key (k). Entropy
> is taken from the result according to the number of bits required. This
> entropy can then be used as input to derive a mnemonic, wallet etc according
> to the `type` specified.
>
> ==Compatibility==
>
> In order to maintain the widest compatibility, the input to this function is
> a BIP32 seed, which may or may not have been derived from a BIP39 like
> mnemonic scheme. This maintains the original motivation that one backup can
> store any and all child derivation schemes depending on the user's preference
> or hardware signing devices. For example, devices that store the HD seed as a
> BIP39 mnemonic, Electrum seed, or BIP32 root key would all be able to
> implement this standard.
>
> ==Discussion==
>
> This proposal could be split into multiple discrete BIPs in the same way that
> BIP32 described the derivation mechanics, BIP39 the input encoding with
> mnemonics, and the derivation paths like BIP44, BIP49 and BIP84. This has
> been avoided to reduce complexity. The resulting private key is processed with
> HMAC-SHA512 and truncated as necessary. HMAC-SHA512 was chosen because it may
> have better compatibility in embedded devices as it's already required in
> devices supporting BIP32.
>
> ==Test Vectors==
>
> ===Test case 1===
>
> MASTER BIP39 SEED INPUT: angle fabric town envelope music diet bind employ
> giant era attitude exit final oval one finger decorate pair useless super
> method float toddler dance
> MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2xNoceSiUtx8Wb8Fcrk9FUfzD3MLT4eFx5NbBuof9Mwrf7CCbfGJNehNRHvrXnWvy9FtWVaeNggsSKT57GNk7jpk1PRzZDp
> PATH: m/83696968'/0'/0'
> BITS REQUIRED: 128
>
> DERIVED CHILD WIF=L3cefeCHyo8jczVjckMxaiPBaPUunc3D8CsjRxYbYp3FhasGpsV3
> DERIVED CHILD k=bed343b04ba0216d9eeebff0366b61c4179d90d44b61c716ef6d568836ba4d23
> CHILD ENTROPY=6458698fae3578b48a64124ea3514e12
> CONVERT ENTROPY TO WIF=KwDiBf89QgGbjEhKnhXJuH7T2Vv72UKQA8KRkmNwVFS2znAS5xb9
> CHILD BIP39 MNEMONIC=gold select glue fragile fiscal fog civil liquid
> exchange box fatal caught
> CHILD BIP39 SEED=2a2720e5590d4ec3140e51ba1b0b0a5183222c1668977c8a57572b0ea55d238cd8e899b3b1870e48894ca837e41e5d0db07554715efb21556fdde27f9f7ba153
> CHILD BIP32 ROOT KEY=xprv9s21ZrQH143K2ZH5qacptquLGvcYpHSNeyFVCU8Ur4u9kocajbBgcaCbHkGbwDsBR661H29F54j5mz14kwXbY9PZKdNRdjgRcGfshBK9XXb
>
> ===Test case 2===
>
> MASTER BIP39 SEED INPUT: angle fabric town envelope music diet bind employ
> giant era attitude exit final oval one finger decorate pair useless super
> method float toddler dance
> MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2xNoceSiUtx8Wb8Fcrk9FUfzD3MLT4eFx5NbBuof9Mwrf7CCbfGJNehNRHvrXnWvy9FtWVaeNggsSKT57GNk7jpk1PRzZDp
> PATH: m/83696968'/1'/0'
> BITS REQUIRED: 256
>
> DERIVED CHILD WIF=L1zCbtnDWUN4vJA3De4sxmJnoRim57CQUuBb4KBoRNs2EMEq2Brg
> DERIVED CHILD k=8e3ca6054a6303f4a6a1bcbda6134c9802f4f0a0d76b0ee6b69b06b1e80b2192
> CHILD ENTROPY=ec4e2f7e2c3fca9a34fa29747bf8ba0ab7f05136f37e134e2457e9e53639670b
> CONVERT ENTROPY TO WIF=L594JSCygt2wBaB9mCpXjiLkkxkEojpBdNXG8UrrdLd2LvPBRMUs
> CHILD BIP39 MNEMONIC=unable imitate test flash witness escape stadium early
> inner thank company betray lecture chuckle swift hurt battle illness bicycle
> stable fat bronze order high
> CHILD BIP39
> SEED=73509b0e847ee66bddeb098a55063d73e8c6dd5f1c1db6969c668bb54c19bde6eae8acc29a81118d1d9719fa1bc620fee7edd7c15a17bcaf70b0fdfc0c0c3803
> CHILD BIP32 ROOT KEY=xprv9s21ZrQH143K4PfLyyjYLVmKbnUTNFK6Y7jPKWfRZB3iSw1Gy9qowEzkYHfetVabfmjHEEPrcTJbh7chae33Sm9uAjuXzhSL6Li8dcwM9Bm
>
> ===Test case 3===
>
> MASTER BIP39 SEED INPUT: angle fabric town envelope music diet bind employ
> giant era attitude exit final oval one finger decorate pair useless super
> method float toddler dance
> MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2xNoceSiUtx8Wb8Fcrk9FUfzD3MLT4eFx5NbBuof9Mwrf7CCbfGJNehNRHvrXnWvy9FtWVaeNggsSKT57GNk7jpk1PRzZDp
> PATH: m/83696968'/4'/0'
> BITS REQUIRED: 256
>
> DERIVED CHILD WIF=KwdD5PYnCU3xQDfFJ6XBf6UDaLrTUxrKmBpdjRuuavWyqAQtpaA2
> DERIVED CHILD k=0c169ce2c17bea08512a7519769e365242a1562bd63c4c903daef516000efbf2
> CHILD ENTROPY=25573247f8a76799f7abc086b9286b5a7ccb03cb8d3550f48ac1e71d90832974
> CONVERT ENTROPY TO WIF=KxUJ8VzMk7uWDEcwYjLRzRMGE6sSpwCfQxkE9GEwAvXhFSDNba9G
> CHILD BIP39 MNEMONIC=census ridge music vanish island smooth team job mammal
> sing bracket reject smile limit comfort pluck extend picture race soda suit
> dose place obtain
> CHILD BIP39 SEED=4e5c82be6455ecf0884d9475435e29a9afb9acf70b07296d7e5039c866e4d54647706918b9d14909dfbd7071a4b7aee8a4ad0ac2bf48f0a09a8899dd28564418
> CHILD BIP32 ROOT KEY=xprv9s21ZrQH143K2kekJsK9V6t4ZKwHkY1Q3umxuaAhdZKGxCMpHiddLdYUQBoynszpwnk5upoC788LiT5MZ5q1vUABXG7AMyZK5UjD9iyL7Am
>
> ==References==
>
> BIP32, BIP39
>
> ==Copyright==
>
> This BIP is dual-licensed under the Open Publication License and BSD 2-clause
> license.
>
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
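The derivation the quoted specification describes, written out as an added example in Python using only the standard library (this is not code from the original post or from the proposal's gist). It runs BIP39 mnemonic-to-seed, the BIP32 master node and hardened child steps (every level of `m/83696968'/type'/index'` is hardened, so no elliptic-curve point math is needed), and then the HMAC-SHA512 entropy step with the key/message order exactly as the quoted text states it. Function names and the `TYPE_BITS` dictionary (a transcription of the proposal's table) are my own; the demo seed is the BIP32 test-vector seed, not a real wallet.

```python
import hashlib
import hmac
import unicodedata

# secp256k1 group order, needed for the modular add in hardened child derivation
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
# Purpose index from the proposal's path m/83696968'/type'/index'
# (83 69 69 68 are the decimal ASCII codes of the letters "SEED")
APPLICATION = 83696968
# The proposal's table: type -> bits of entropy to keep from the HMAC output
TYPE_BITS = {0: 128, 1: 256, 2: 128, 3: 256, 4: 256, 5: 256}

def bip39_seed(mnemonic, passphrase=""):
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, NFKD text, salt 'mnemonic' + passphrase."""
    nfkd = lambda s: unicodedata.normalize("NFKD", s).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", nfkd(mnemonic), nfkd("mnemonic" + passphrase), 2048)

def bip32_master(seed):
    """BIP32 master node: I = HMAC-SHA512(key=b'Bitcoin seed', msg=seed); k = IL, chain code = IR."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]

def ckd_priv_hardened(k, chain, index):
    """BIP32 CKDpriv for a hardened child: data = 0x00 || ser256(k) || ser32(index + 2^31)."""
    data = b"\x00" + k.to_bytes(32, "big") + (index + 0x80000000).to_bytes(4, "big")
    i = hmac.new(chain, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    child = (il + k) % N
    if il >= N or child == 0:  # BIP32: invalid child, the caller must move on to the next index
        raise ValueError("invalid child key at index %d" % index)
    return child, i[32:]

def derive_entropy(seed, app_type, index):
    """The proposal: walk m/83696968'/type'/index', compute HMAC-SHA512(key=k,
    msg='bip-entropy-from-bip32') over the child private key k, and keep the
    leading TYPE_BITS[type] bits of the digest."""
    k, chain = bip32_master(seed)
    for level in (APPLICATION, app_type, index):
        k, chain = ckd_priv_hardened(k, chain, level)
    digest = hmac.new(k.to_bytes(32, "big"), b"bip-entropy-from-bip32", hashlib.sha512).digest()
    return digest[: TYPE_BITS[app_type] // 8]

if __name__ == "__main__":
    # Constructed demo input: the public BIP32 test-vector-1 seed, not a real wallet
    demo_seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    for t in TYPE_BITS:
        print("m/83696968'/%d'/0' -> %3d bits: %s" % (t, TYPE_BITS[t], derive_entropy(demo_seed, t, 0).hex()))
```

Feed `bip39_seed(...)` the 24-word master mnemonic from the quoted test cases to compare against the `DERIVED CHILD k` and `CHILD ENTROPY` values above; note that the later published standard reversed the HMAC key and message roles, so implementations following that text will produce different entropy from the same k.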