More of a shower-thought than a BIP, but it's something I've long wished 
(hardware) wallets supported:


Abstract: Bitcoin Wallets generally ask us to trust their seed generation is 
both correct and honest. Especially for hardware and air gapped wallets, this 
is both a big ask and more or less impossible to practically verify. So we 
propose a bring-your-own-entropy approach in which the wallet can function 
completely deterministically. Our method is based on shuffling a physical deck of 
cards. There are 52! (2^219.88) different shuffle orders, which is a big enough 
space to be secure against collision and brute force attacks. Conveniently a 
shuffled deck of cards also can serve as a physical backup which is easy to 
hide in plain sight with great plausible deniability.


Each card has a suit which can be represented by one of SCHD (spades, clubs, 
hearts, diamonds) and a value of one of 23456789TJQKA where the numbers are 
obvious and (T=ten, J=jack, Q=queen, K=king, A=ace) so "7 of clubs" would be 
represented by "7C" and a "Ten of Hearts" would be represented with "TH".

A deck of cards looks like:


And can be verified by making sure that every one of the 52 cards appears 
exactly once.

Step 1.  Shuffle your deck of cards

This is a lot harder than you'd imagine, so do it quite a few times, with quite 
a few different techniques. It is advised to do at *least* 7 good quality 
shuffles to achieve a true cryptographically secure shuffle. Do not look at the 
cards while shuffling (to avoid biasing) and don't be afraid to also shuffle 
them face down on the table. Err on the side of over-shuffling.
See also:

Step 2. Write out the order (comma separated)

An example shuffle is:


Step 3.  Sha512 it to create a seed

In the example above you should get:

Step 4. Interpret it

e.g. For BIP32 you would treat the first 32 bytes as the private key, and the 
second 32 bytes as the extension code.

bitcoin-dev mailing list
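
Steps 2 to 4 and the "every card exactly once" check, as an added example that is not part of the original post. The exact bytes fed to SHA-512 (uppercase card codes joined by "," with no spaces or trailing newline) are an assumption, as are the function names and the sample order, which is constructed and not a real shuffle.

```python
import hashlib

SUITS = "SCHD"            # spades, clubs, hearts, diamonds (from the post)
VALUES = "23456789TJQKA"  # T=ten, J=jack, Q=queen, K=king, A=ace
FULL_DECK = frozenset(v + s for s in SUITS for v in VALUES)


def parse_deck(text):
    """Parse a comma-separated card order and verify it is a full deck."""
    cards = [c.strip().upper() for c in text.strip().split(",")]
    seen = set()
    for card in cards:
        if card not in FULL_DECK:
            raise ValueError(f"not a card: {card!r}")
        if card in seen:
            raise ValueError(f"duplicate card: {card}")
        seen.add(card)
    missing = FULL_DECK - seen
    if missing:
        raise ValueError(f"{len(missing)} card(s) missing, e.g. {min(missing)}")
    return cards


def deck_to_seed(text):
    """Return (seed, first 32 bytes, second 32 bytes) for a written-out order."""
    cards = parse_deck(text)
    # Assumption: the canonical encoding is "7C,TH,..." with no whitespace.
    # Re-joining the parsed cards means stray spaces, lowercase letters or a
    # trailing newline in the transcription cannot change the resulting seed.
    canonical = ",".join(cards).encode("ascii")
    seed = hashlib.sha512(canonical).digest()
    return seed, seed[:32], seed[32:]


# Constructed sample order (sorted, NOT a shuffle; never use it for a wallet).
SAMPLE_ORDER = ",".join(v + s for v in VALUES for s in SUITS)

if __name__ == "__main__":
    seed, first_half, second_half = deck_to_seed(SAMPLE_ORDER)
    print("seed       :", seed.hex())
    print("bytes 0-31 :", first_half.hex())
    print("bytes 32-63:", second_half.hex())
```

Any wallet implementing this would have to fix one encoding; a recovery tool that hashes the order with different separators or a trailing newline derives an unrelated seed.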
