Re: [bitcoin-dev] Upgrading PoW algorithm

[nullius via bitcoin-dev]

On 2018-01-17 at 22:31:52 +, Jefferson Carpenter 
 wrote:
Bitcoin's difficulty will be maxed out within about 400 years, by 
Moore's law.


On 2018-01-19 at 20:54:52 +, Jefferson Carpenter 
 wrote:
In other words, max difficulty for SHA256 might be significantly faster 
than forcing the first 256 bits of a SHA512 hash...


“Moore’s law” is not a law of nature.  Indeed, chipmakers began bumping 
up against the limitations of *actual* natural laws about 15—20 years 
ago.  That is why instead of increasing core clock, they play the tricks 
which opened the way for Meltdown and Spectre.  Feature size, and thus 
transistor counts, will soon enough run into physical limitations, too.


But the scenario you describe does not even require such a discussion.

2^256 work for brute force is on the order of 10^77 hashes.  For the 
number of atoms in the observable universe, I’ve seen estimates ranging 
from 10^78 to 10^82.  Thus, you are suggesting that within 400 years, 
computers will be able to compute one hash for every myriad of atoms in 
the observable universe—perhaps one hash for every *ten* atoms.  
Moreover, you suggest that twenty-fourth century computers will do this 
fast enough to meet Bitcoin’s ten-minute target rate.


Such a proposition bypasses science, leaps over science fiction, and 
lands in the realm of religion.  Perhaps a deity could do this—using a 
computer made of other than matter, powered by other than energy.  
Humans will *never* be capable of such a feat:  Not now, and not in a 
billion years.  Certainly not a mere four centuries hence!


(I do not here positively exclude the possibility, however slim, that 
mathematical breakthroughs may yield a preimage attack on SHA-256 which 
is significantly better than bruteforce.  I *do* positively declare it 
impossible that Earth-beings will ever be capable of performing 2^256 
work.  Or even 2^128 work, for that matter.)


--
null...@nym.zone | PGP ECC: 0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C
Bitcoin: bc1qcash96s5jqppzsp8hy8swkggf7f6agex98an7h | (Segwit nested:
3NULL3ZCUXr7RDLxXeLPDMZDZYxuaYkCnG)  (PGP RSA: 0x36EBB4AB699A10EE)
“‘If you’re not doing anything wrong, you have nothing to hide.’
No!  Because I do nothing wrong, I have nothing to show.” — nullius


signature.asc
Description: PGP signature
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] Proposal to reduce mining power bill

[nullius via bitcoin-dev]

On 2018-01-15 at 22:47:54 +, Enrique Arizón Benito 
 wrote:

Hi all,

just new to the list and curious to know if next proposal (or similar) 
for reducing mining-power consumption has already been discussed.


The objective is to reduce the power consumption required while keeping 
the network safe and the miners "motivated" and cooperative to continue 
mining:


The global idea is to introduce the concept of "next-coinbase" for 
miners. This will work something like as follow:


- Any miner submitting a block will submit the "next-coinbase" for any 
new block mined by itself. (This address can be the same one or 
different from the just mined block). The miner keeps the private key 
associated with the "next-coinbase" secret.


- The consensus algorithm will add next checks:
A hash from, for example, the just mined block and the previous one, 
will have to match up to N bits for the next "next-coinbase" from the 
next block to be valid.


That means that for the next block only 1/2^N bitcoin addresses will 
be accepted from the previously submitted "next-coinbase" list.


Since the last previous block hash can be considered random, miners 
know in advance whether they will be able to participate or not in the 
next block depending on the just submited "next-coinbase". And since 
the "punishment" is distributed uniformely random to all miners no one 
has any advantage over the other. But the global miner netwok will 
consume much less power.


A detail rest: New miners are not allowed in such scheme so next 
addition is needed:


- A miner with no previous "next-coinbase" will need to first mine an 
special block, "new-miner-block", that instead of normal transactions 
will register the new miner and submit a "next-coinbase". This special 
block will not be rewarded with new bitcoins. The only reward will be 
the permission to mine in following blocks. No reward is applied so 
only new miners wanting to "enter" the mining network are expected to 
create such block.


Observation:  This totally destroys Bitcoin’s transaction-ordering 
security.  A “51% attack” could be executed by any miner who has >50% of 
the hashpower *proportionate to miners who are allowed to mine a 
particular block*, rather than >50% of *global* hashpower.  (I infer 
that this could be done retroactively, and wave my hands over some of 
the details since you did not talk about reorgs.)  The same applies as 
for attacks requiring 33% or 25% of total hashpower.


Potential attack, assuming that N *must* be based partly or wholly on 
the existing set of “next-coinbase” addresses:  A large miner could 
gradually push N higher, by progressively committing new “next-coinbase” 
addresses which differ in the next bit for all previously seen 
combinations of bits.  Large miners would have a vast advantage over 
small miners, insofar as deliberately incrementing N by one more bit 
could only be done by a miner who creates 2^(N+1) blocks (= 2 * 2^N).  
By such means, it may be possible for a very large miner to eventually 
lock out all other miners altogether, and monopolize all Bitcoin mining.


Now, questions:

How is N determined?  By a wave of the hands?

What part of which block hash is matched against N bits?  You were quite 
unclear about this, and other important details.  (Much of what I say 
here is based on assumptions and inferences necessary to fill in the 
blanks.)


How, exactly, are reorgs handled?

How does this interact with the difficulty adjustment algorithm?  
Indeed, how is difficulty determined at all under your scheme?


What happens to coinbase fees from a “new-miner-block”?  The way I read 
your scheme, the “new-miner-block” must necessarily have no payout 
whatsoever.  But you discuss only “new bitcoins”, which are a 
diminishing portion of the block reward, and will eventually reach zero.  
Coinbase from fees must go somewhere; but under your scheme, a “new 
miner” has no payable address.


What if no existing “next-coinbase” address matches?  Is N constrained 
to be sufficiently short that a match is guaranteed from the existing 
set, then that makes it trivial for large mining farms to collect 
addresses and further dominate (or even monopolize) the network in the 
attack described above.  If it isn’t, then the network could suddenly 
halt when nobody is allowed to mine the next block; and that would 
enable *this* attack:


What stops a malicious miner (including a “new miner” creating a 
“new-miner block”) from deliberately working to create a block with a 
hash which does not have N bits matching any of the existing 
“next-coinbase” addresses?  Contra what you say, block hashes can’t be 
“considered random”.  Indeed, partial preimage bruteforcing of block 
hashes is the entire basis of mining POW.


Asking here more generally than as for the attack described above, what 
stops mining farms with large hashpower from submitting many different 
“next-coinbase” addresses in many 

[bitcoin-dev] Plausible Deniability (Re: Satoshilabs secret shared private key scheme)

[nullius via bitcoin-dev]

On 2018-01-12 at 09:50:58 +, Peter Todd  wrote:

On Tue, Jan 09, 2018 at 12:43:48PM +, Perry Gibson wrote:
Trezor's "plausible deniability" scheme could very well result in you 
going to jail for lying to border security, because it's so easy for 
them to simply brute force alternate passwords based on your seeds.  
With that, they have proof that you lied to customs, a serious 
offense.
The passphrase scheme as I understand it allows a maximum of 50 
characters to be used.  Surely even with the HD seed, that search 
space is too large to brute force.  Or is there a weakness in the 
scheme I haven't clocked?


While passphrases *can* be long, most user's aren't going to understand 
the risk. For example, Trezors blog(1) doesn't make it clear that the 
passphrases could be bruteforced and used as evidence against you, and 
even suggests the contrary:  [...quote...]


I despise the term “plausible deniability”; and that’s really the wrong 
term to use in this discussion.


“Plausible deniability” is a transparent excuse for explaining away an 
indisputable fact which arouses suspicion—when you got some serious 
’splain’ to do.  This is usually used in the context of some pseudolegal 
argument about introducing “reasonable doubt”, or even making “probable 
cause” a wee bit less probable.


“Why yes, officer:  I was seen carrying an axe down the street near the 
site of an axe murder, at approximately the time of said axe murder.  
But I do have a fireplace; so it is plausible that I was simply out 
gathering wood.”


I rather suspect the concept of “plausible deniability” of having been 
invented by a detective or agent provocateur.  There are few concepts 
more useful for helping suspects shoot themselves in the foot, or 
frankly, for entrapping people.


One of the worst examples I have seen is in discussions of Monero, 
whereby I’ve seen proponents claim that even under the worst known 
active attacks, their mix scheme reduces transaction linking to a 
maximum of 20–40% probability.  “That’s not good enough to convince a 
jury!”  No, but it is certainly adequate for investigators to identify 
you as a person of interest.  Then, your (mis)deeds can be subjected to 
powerful confirmation attacks based on other data; blockchains do not 
exist in isolation.  I usually stay out of such discussions; for I have 
no interest in helping the sorts of people whose greatest concern in 
life is what story to foist on a jury.


In the context of devices such as Trezor, what is needed is not 
“plausible deniability”, but rather the ability to obviate any need to 
deny anything at all.  I must repeat, information does not exist in 
isolation.


If you are publicly known to be deepy involved in Bitcoin, then nobody 
will believe that your one-and-only wallet contains only 0.01 BTC.  
That’s not even “plausible”.  But if you have overall privacy practices 
which leave nobody knowing or suspecting that you have any Bitcoin at 
all, then there is nothing to “deny”; and should a Trezor with 
(supposedly) 0.01 BTC be found in your possession, that’s much better 
than “plausible”.  It’s completely unremarkable.


Whereas if you are known or believed to own large amounts of BTC, a 
realistic bad guy’s response to your “decoy” wallet could be, “I don’t 
believe you; and it costs me nothing to keep beating you with rubber 
hose until you tell me the *real* password.”


It could be worse, too.  In a kidnapping scenario, the bad guys could 
say, “I don’t believe you.  Hey, I also read Trezor’s website about 
‘plausible deniability’.  Now, I will maim your kid for life just to 
test whether you told me the *real* password.  And if you still don’t 
tell me the real password after you see that little Johnny can no longer 
walk, then I will kill him.”


The worst part is that you have no means of proving that you really 
*did* give the real password.  Indeed, it can be proved if you’re lying 
by finding a password which reveals a hidden wallet—but *you* have no 
means of affirmatively proving that you are telling the truth!  If the 
bad guys overestimated your riches (or if they’re in a bad mood), then 
little Johnny is dead either way.


In a legalistic scenario, if “authorities” believe you have 1000 BTC and 
you only reveal a password for 0.01 BTC, the likely response will not be 
to let you go.  Rather, “You will now sit in jail until you tell the 
*real* password.”  And again:  You have no means of proving that you did 
give the real password!


“Plausible deniability” schemes can backfire quite badly.

Also note how this blog doesn't mention anti-forensics: the wallet 
software itself may leave traces of the other wallets on the computer.  
Have they really audited it sufficiently to be sure this isn't the 
case?


What about data obtained via the network?  I don’t *only* refer to 
dragnet surveillance.  See for but one e.g., Goldfelder, et al., “When 
the cookie meets the blockchain:  Privacy risks of 

Re: [bitcoin-dev] New Bitcoin Core macOS signing key

[nullius via bitcoin-dev]

On 2018-01-12 at 08:54:12 +, Peter Todd  wrote:
While a clunky way to do it, you can use the `-signer` option to tell 
OpenSSL to write the signer's certificate to a file. That certificate 
can then be compared to the one from the repo, which was still in the 
repo as of the (signed!) v0.15.1 tag.



Fun fact: OpenTimestamps has git integration, which means you can 
extract a OTS proof from 2016 for that certificate from the repo:


   $ git checkout v0.15.1
   $ ots git-extract share/certs/BitcoinFoundation_Apple_Cert.pem 
share/certs/BitcoinFoundation_Apple_Cert.pem.ots 
36f60a5d5b1bc9a12b87d6475e3245b8236775e4
   $ ots verify share/certs/BitcoinFoundation_Apple_Cert.pem.ots
   Assuming target filename is 'share/certs/BitcoinFoundation_Apple_Cert.pem'
   Success! Bitcoin attests data existed as of Thu Oct 13 14:08:59 2016 EDT

Homework problem: write a paragraph explaining how the proof generated 
by the above three commands are crypto snakeoil that proved little. :)


It says, “Bitcoin attests data existed”.  Within the scope of those 
three commands, I don’t see any proof of who put it there.  Does OTS 
check the PGP signatures on *commits* when it does that `git-extract`?  
The signature on the v0.15.1 tag is irrelevant to that question; and 
FWIW, I don’t see *that* signature being verified here, either.  

Second paragraph:  Moreover, with the breaking of SHA-1, it *may* be 
feasible for some scenario to play out involving two different PEMs with 
the same hash, but different public keys (and thus different 
corresponding private keys).  I don’t know off the top of my head if 
somewhere could be found to stash the magic bits; and the overall 
scenario would need to be a bit convoluted.  I think a malicious 
committer who lacked access to the signing key *may* be able to create a 
collision between the real certificate, and a certificate as for which 
he has the private key—then switch them, later.  Maybe.  I would not 
discount the possibility off-hand.  OTS would prove nothing, if he had 
the foresight to obtain timestamps proving that both certificates 
existed at the appropriate time (which they would need to anyway; it is 
not a post facto preimage attack).



[...]

What's nice about OpenPGP's "clearsigned" format is how it ignores 
whitespace; a replica of that might be a nice thing for OTS to be able 
to do too. Though that's on low priority, as there's some tricky design 
choices(1) to be made about how to nicely nest clearsigned PGP within 
OTS.



1) For example, I recently found a security hole related to clearsigned 
PGP recently. Basically the issue was that gpg --verify will return 
true on a file that looks like the following:


   1d7a363ce12430881ec56c9cf1409c49c491043618e598c356e2959040872f5a  
foo-v2.0.tar.gz
   -BEGIN PGP SIGNED MESSAGE-
   Hash: SHA256

   e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  
foo-v1.0.tar.gz
   -BEGIN PGP SIGNATURE-

   
   -END PGP SIGNATURE-

The system I was auditing then did something like this to verify that 
the file was signed:


   set -e # exit immediately on error
   gpg --verify SHA256SUMS.asc
   cat SHA256SUMS.asc | grep foo-v2.0.tar.gz
   

While it makes it a bit less user friendly, the fact that PKCS7's 
encoding made it impossible to see the message you signed until it's 
been properly verified is a good thing re: security.


Potential solutions using PGP:

0. Don’t use clearsigning.

1. Use a detached signature.

2. Use `gpg --verify -o -` and pipe that to `grep`, rather than 
illogically separating verification from use of data.  (By the way, 
where is the *hash* verified?  Was `grep` piped to `sha256sum -c`?)


3. Have shell scripts written by somebody who knows how to think about 
security, and/or who knows how to RTFM; quoting gpg(1):


Note: When verifying a cleartext signature, gpg verifies only what  
makes up the cleartext signed data and not any extra data outside of 
the cleartext signature or the header lines directly following the dash 
marker line.  The option --output may be used to write out the actual 
signed data, but there are other pitfalls with this format as well.  It 
is suggested to avoid cleartext signatures in favor of detached 
signatures.


4. Obtain an audit from Peter Todd.

And yes, I checked: Bitcoin Core's contrib/verifybinaries/verify.sh 
isn't vulnerable to this mistake. :)


P.S., oh my!  *Unsigned data:*


___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


--
null...@nym.zone | PGP ECC: 0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C
Bitcoin: bc1qcash96s5jqppzsp8hy8swkggf7f6agex98an7h | (Segwit nested:
3NULL3ZCUXr7RDLxXeLPDMZDZYxuaYkCnG)  (PGP RSA: 0x36EBB4AB699A10EE)
“‘If you’re not doing anything wrong, you have nothing to hide.’
No!  Because I do nothing wrong, I have nothing to show.” — nullius


signature.asc

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

[nullius via bitcoin-dev]

On 2018-01-08 at 04:22:43 + Gregory Maxwell  wrote:
I'm happy to see that there is no obvious way to abuse this one as a 
brainwallet scheme!


BIP 39 was designed to make brainwallets secure!  If a user generates a 
weakling 12-word mnemonic from 16 tiny octets of entropy drawn off the 
non-artistic /dev/urandom, then protects its seed with a creative 
passphrase haiku about the power of human stupidity, then the result 
will have a 128-bit security level.  PROVE ME WRONG.


--
null...@nym.zone | PGP ECC: 0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C
BIP 39 tool in progress, currently growing brainw^H^H^H^H^Hpassphrase 
support to help poor /dev/urandom: https://github.com/nym-zone/easyseed

Bitcoin: bc1qcash96s5jqppzsp8hy8swkggf7f6agex98an7h


signature.asc
Description: PGP signature
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] BIP 39: Add language identifier strings for wordlists

[nullius via bitcoin-dev]

On 2018-01-08 at 07:35:52 +, 木ノ下じょな  
wrote:

This is very sad.

The number one problem in Japan with BIP39 seeds is with English words.

I have seen a 60 year old Japanese man writing down his phrase (because 
he kept on failing recovery), and watched him write down "aneter" for 
"amateur"...


[...]

If you understand English and can spell, you read a word, your brain 
processes the word, and you can spell it on your own when writing down.  
Not many Japanese people can do that, so they need to copy letter for 
letter, taking a long time, and still messing up on occasion.


[...]

Defining "everyone should only use English, because ASCII is easier to 
plan for" is not a good way to move forward as a currency.


Well said.  Thank you for telling of these experiences.  Now please, 
let’s put the shoe on the other foot.


I ask everybody who wants an English-only mnemonic standard to entrust 
*their own money* to their abilities to very, very carefully write this 
down—then later, type it back in:


すさん　たんろ　りゆう　しもん　ていおん　しとう
とこや　はやい　おうさま　ほくろ　けちゃっふ　たもつ

(Approximate translation:  “Whatever would you do if Bitcoin had been 
invented by somebody named Satoshi Nakamoto?”)


No, wait:  That is only a 12-word mnemonic.  We are probably talking 
about a Trezor; so now, hey you there, stake the backup of your life’s 
savings on your ability to handwrite *this*:


にあう　しひょう　にんすう　ひえる　かいこう　いのる　ねんし　はあさん　ひこく
とうく　きもためし　そなた　こなこな　にさんかたんそ　ろんき　めいあん　みわく
へこむ　すひょう　おやゆひ　ふせく　けさき　めいきょく　こんまけ

Ready to bet your money on *that* as a backup phrase in your own hands?  
No?  Then please, stop demanding that others risk *their* money on the 
inverse case.




If you cheat here by having studied Japanese, then remember that many 
Japanese people know English and other European languages, too.  Then 
think of how much money would be lost by your non-Japanese-literate 
family and friends—if BIP 39 had only Japanese wordlists, and your folks 
needed to wrestle with the above phrases as their “mnemonics”.


In such cases, the phrases cannot be called “mnemonics” at all.  A 
“mnemonic” implies aid to memory.  Gibberish in a wholly alien writing 
system is much worse even than transcribing pseudorandom hex strings.  
The Japanese man in the quoted story, who wrote “aneter” for “amateur”, 
was not dealing with a *mnemonic*:  He was using the world’s most 
inefficient means of making cryptic bitstrings *less* userfriendly.




I began this thread with a quite simple request:  Is “日本語” an 
appropriate string for identifying the Japanese language to Japanese 
users?  And what of the other strings I posted for other languages?


I asked this as an implementer working on my own instance of the 
greatest guard against vendor lock-in and stale software:  Independent 
implementations.  —  I asked, because obviously, I myself do not speak 
all these different languages; and I want to implement them all.  *All.*


Some replies have been interesting in their own right; but thus far, 
nobody has squarely addressed the substance of my question.


Most worrisome is that much of the discussion has veered into criticism 
of multi-language support.  I opened with a question about other 
languages, and I am getting replies which raise a hue and cry of 
“English only!”


Though I am fluent and literate in English, I am uninterested in ever 
implementing any standard of this nature which is artificially 
restricted to English.  I am fortunate; for as of this moment, we have a 
standard called “BIP 39” which has seven non-English wordlists, and four 
more pending in open pull requests (#432, #442, #493, #621).


I request discussion of language identification strings appropriate for 
use with that standard.


(P.S., I hope that my system did not mangle anything in the foregoing.  
I have seen weird copypaste behaviour mess up decomposed characters.  I 
thought of this after I searched for and collected some visually 
fascinating phrases; so I tried to normalize these to NFC...  It should 
go without saying, easyseed output the Japanese perfectly!)


--
null...@nym.zone | PGP ECC: 0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C
Bitcoin: bc1qcash96s5jqppzsp8hy8swkggf7f6agex98an7h | (Segwit nested:
3NULL3ZCUXr7RDLxXeLPDMZDZYxuaYkCnG)  (PGP RSA: 0x36EBB4AB699A10EE)
“‘If you’re not doing anything wrong, you have nothing to hide.’
No!  Because I do nothing wrong, I have nothing to show.” — nullius


signature.asc
Description: PGP signature
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] BIP 39: Add language identifier strings for wordlists

[nullius via bitcoin-dev]

On 2018-01-05 at 16:04:10 +, Sjors Provoost  
wrote:
I’m not a fan of language specific word lists within the current BIP-39 
standard. Very few wallets support anything other than English, which 
can lead to vendor lock-in and long term loss of funds if a rare 
non-English wallet disappears.


However, because people can memorize things better in their native 
tongue, supporting multiple languages seems quite useful.


I would prefer a new standard [...] A replacement for BIP-39 [...]

[snip]
For my above point and some related ideas, see: 
https://github.com/satoshilabs/slips/issues/103


You present some interesting ideas; and I will be much interested in the 
Github issue you referenced—thanks for that.  However, this discussion 
is *far* beyond the scope of my simple proposal and request to add 
standardized native language and short-ASCII identifier strings to the 
BIP repository.  I suggest that readers solely interested in the 
existing BIP 39 standard and its direct application to Bitcoin should 
stop reading right here.




That being said, I should briefly address some of the issues you raise 
(with further discussion best continued elsewhere):


I *strongly* urge the importance of language-specific standardized 
wordlists.  Even an individual who has secondarily acquired reasonable 
fluency in English will most likely have the least difficulty 
memorizing, transcribing, and otherwise handling a “mother-tongue” 
mnemonic.  Such an advantage is important in applications whereby even 
slight errors can be fatal, and every bit counts.  This is to say 
nothing of persons who have limited or no English-language knowledge.


Yet for multiple reasons, multilanguage support is only feasible with 
standardization.  Wordlist creation is a highly specialized task.  
Independent implementation of standards is imperative for avoiding 
implementation lock-in; and independent implementors (such as I) would 
be unable to create sets multi-language wordlists on their own, anyway.  
For a view of the language-specific process involved in creating a 
wordlist, I invite everybody following this discussion to review BIP 
repository PRs #92, #130 (Japanese); #100 (Spanish); #114 (Chinese, both 
variants); #152 (French); #306 (Italian); #544 (Korean, rejected); and 
#570 (Korean).  The rejection of #544 for Korean, and its superseding 
with #570 is particularly instructive.


With standardized wordlists, independent implementation is easy.  In my 
own implementation, the language switching backend (excluding the UI[1]) 
for multilingual mnemonic generation required only relatively small C 
code changes, as seen here[0]:


[0] 
https://github.com/nym-zone/easyseed/commit/5b6a6668458d96d6ccc4bf19e4fd40fe6ea72fec#diff-20dcf1782b7568b85ea01ed695abeb02

[1] 
https://github.com/nym-zone/easyseed/commit/1a6e48bbdac9366d9d5d1912dc062dfc3f0db2c6#diff-20dcf1782b7568b85ea01ed695abeb02

Admittedly, the multilingual requirements for seed generation will take 
a bit more; and my nonstandard, non-BIP39 ideas which require decoding 
words directly back to bits will take yet more.  But it is still not 
problematic.


I only began writing this tool one week ago, as of today; and it has 
been a side project requiring small amounts of time, not a full-time 
dedicated task.  When I fully complete all aspects of seed generation, 
then users will have the option of another simple open-source tool which 
*will* be able to output a binary or BIP-32-formatted (“xprv”) 512-bit 
seed, given input of an existing mnemonic in any language supported by 
official BIP 39 wordlists.  Output can then be imported to any wallet 
software which supports BIP 32, regardless of the wallet’s langauge 
support (and whether or not the wallet supports BIP 39 at all).


**The ease of creating such tools squarely answers your concerns about 
vendor lock-in.**  And yes, it’s easy.  I can attest as a lone coder, 
it’s easy for me to create “easyseed” as a side project!


Finally, aside:  In the discussion at SLIP repository issue #103, I see 
mention of m-of-n .  I have been mentally whiteboarding just such an 
application involving mnemonics.  Watch for it.It is likely that 
I will crib the BIP 39 wordlists, given the impossibility that I could 
create my own set of wordlists in many languages.  I only wish that the 
BIP repository had support for more languages.  More!  Adding each new 
language to my implementation(s) will require approximately one-line 
code changes for me.


(Aside further:  Why is there not a Dutch wordlist?  I should like to 
add that, please—meneer Provoost.  More wordlists!)


Aside still yet further:  Should you be interested in more general 
applications of mnemonic phrases for pseudorandom strings, I think you 
will like this future feature which currently exists only as an Easter 
egg, (un)documented in my commit log:

[bitcoin-dev] BIP 39: Add language identifier strings for wordlists

[nullius via bitcoin-dev]

I propose and request as an enhancement that the BIP 39 wordlist set 
should specify canonical native language strings to identify each 
wordlist, as well as short ASCII language codes.  At present, the 
languages are identified only by their names in English.


Strings properly vetted and recommended by native speakers should 
facilitate language identification in user interface options or menus.  
Specification of language identifier strings would also promote 
interface consistency between implementations; this may be important if 
a user creates a mnemonic in Implementation A, then restores a wallet 
using that mnemonic in Implementation B.


As an independent implementer who does not know *all* these different 
languages, I monkey-pasted language-native strings from a popular wiki 
site.  I cannot guarantee that they be all accurate, sensible, or even 
non-embarrassing.


https://github.com/nym-zone/easyseed/blob/1a6e48bbdac9366d9d5d1912dc062dfc3f0db2c6/easyseed.c#L99
```
LANG(english,   u8"English",  "en", ascii_space ),
LANG(chinese_simplified,u8"汉语",   "zh-CN",ascii_space ),
LANG(chinese_traditional,   u8"漢語",   "zh-TW",ascii_space ),
LANG(french,u8"Français", "fr", ascii_space ),
LANG(italian,   u8"Italiano", "it", ascii_space ),
LANG(japanese,  u8"日本語",  "ja", u8"\u3000"  ),
LANG(korean,u8"한국어",  "ko", ascii_space ),
LANG(spanish,   u8"Español",  "es", ascii_space )
```

Per the comment at #L85 of the quoted file, I also know that for my 
short identifiers for Chinese, “zh-CN” and “zh-TW”, are imprecise at 
best—insofar as Hong Kong uses Traditional; and overseas Chinese may use 
either.  For differentiating the two Chinese writing variants, are there 
any appropriate standardized or customary short ASCII language IDs 
similar to ISO 3166-1 alpha-2 which are purely linguistic, and not fit 
to present-day political boundaries?


My general suggestion is that the specification of appropriate strings 
in bitcoin:bips/bip-0039/bip-0039-wordlists.md be made part of the 
process for accepting new wordlists.  My specific request is that such 
strings be ascertained for the wordlists already existing, preferably 
from the persons involved in the original pull requests therefor.


Should this proposal be “concept ACKed” by appropriate parties, then I 
may open a pull request suggesting an appropriate format for specifying 
this information in the repository.  However, I will must needs leave 
the vetting of appropriate strings to native speakers or experts in the 
respective languages.


Prior references:  The wordlist additions at PRs #92, #130 (Japanese); 
#100 (Spanish); #114 (Chinese, both variants); #152 (French); #306 
(Italian); #570 (Korean); #621 (Indonesian, *proposed*, open).


signature.asc
Description: PGP signature
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

[bitcoin-dev] Bravo Charlie One: Branding Bech32

[nullius via bitcoin-dev]

I here record for the devs a thought I had a few days ago on the Bitcoin 
Forum about BIP 173 Bech32 addresses.  I’ve heard Greg Maxwell say that 
“Bech32 is designed for human use and basically nothing else”; so I hope 
I be not untoward in considering the following human-friendliness 
enhancement to entwine with the technical ambit of this list.  This MAY 
be suitable for mention in an informative specification, or informative 
section thereof.


To help gain user familiarity with and acceptance of the 
error-correcting, case-insensitive Bitcoin addresses of the future, I 
propose a need for what I think marketers call “branding”.  The best 
branding is that which derives naturally from some intrinsic quality of 
a thing; wherefore I look to what may perhaps be a bit of serendipity in 
the specification.


I expect that in practical use, one of the great advantages of Bech32 
addresses will be the relative ease of communicating them 
aloud—especially over the phone.  In similar circumstances, when trying 
to convey unusual names or pseudorandom strings, I’ve found radio 
alphabets to work well at their intended purpose.  And when reading 
Bech32 Bitcoin addresses in the most popular radio alphabet, they will 
always start with a catchy phrase:  “Bravo Charlie One”.


That’s memorable, $SEARCH-able, and yet also one of those unique, 
otherwise meaningless phrases which gets marketers excited.  Keeping to 
a word triplet, I hereby submit for consideration as the official 
nickname for Bech32 Bitcoin use:  “Bravo Charlie Addresses”.  These are 
the Bitcoin addresses with the magic words, suitable for a motto:  
“Bravo Charlie One means money.”  Add a logo à la Segwit’s, and raise 
user awareness of this exciting new technology!


Beyond the branding issue, recommendations for Bitcoin spelling-alphabet 
use in English and other languages may perhaps be a suitable matter for 
such standardization as would facilitate coherent user documentation.  I 
invite discussion.


Of course, this branding only applies directly to Bitcoin Bech32 
addresses.  The BIP 173 authors were gracious to make the standard 
generally adaptable; and it has already seen some uptake amongst 
altcoins.  I myself am now contemplating how Bech32 would be a superior 
human-facing format for key fingerprints for PGP, SSH, and even TLS, 
with HRPs of “pgp”, “ssh”, “tls”, etc. and some appropriate means of 
embedding the key type just as “bc” embeds the witness version.  There 
is an urgent general need for a specification which reduces the inherent 
pain of wetware in handling pseudorandom strings; and I do think that 
anything which familiarizes users with Bech32 in a specific use will be 
beneficial to Bech32 adoption generally.


To celebrate, as seen in my sig, I created for myself a new Bravo 
Charlie Address which expresses that I am pleased:  Now, I have an 
error-correcting, case-insensitive address which can receive only 
genuine Bitcoin cash money.  Because “Bravo Charlie One means money.”


Here’s to the Bitcoin address format of the future!

--
null...@nym.zone | PGP ECC: 0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C
Bitcoin: bc1qcash96s5jqppzsp8hy8swkggf7f6agex98an7h | (Segwit nested:
3NULL3ZCUXr7RDLxXeLPDMZDZYxuaYkCnG)  (PGP RSA: 0x36EBB4AB699A10EE)
“‘If you’re not doing anything wrong, you have nothing to hide.’
No!  Because I do nothing wrong, I have nothing to show.” — nullius


signature.asc
Description: PGP signature
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev