[bitcoin-dev] RFC: Deterministic Entropy From BIP32 Keychains
I would like to present a proposal for discussion and peer review. It aims to solve the problem of "too many seeds and too many backups" due to the many reasons stipulated in the proposal text. https://gist.githubusercontent.com/ethankosakovsky/f7d148f588d14e0bb4f70bb6afc509d0/raw/6da51e837b0e1f1b2b21f3d4cbc2c5a87969ffd5/bip-entropy-from-bip32.mediawiki BIP: Title: Deterministic Entropy From BIP32 Keychains Author: Ethan Kosakovsky Comments-Summary: No comments yet. Comments-URI: Status: Proposed Type: Standards Track Created: 2020-03-20 License: BSD-2-Clause OPL ==Abstract== This proposal provides a way to derive entropy from a HD keychain path in order to deterministically derive the initial entropy used to create keychain mnemonics and seeds. ==Motivation== BIP32 uses some initial entropy as a seed to deterministically derive a BIP32 root for hierarchical deterministic keychains. BIP39 introduced a method of encoding initial entropy into a mnemonic phrase which is used as input to a one way hash function in order to deterministically derive a BIP32 seed. The motivation behind mnemonic phrases was to make it easier for humans to backup and store offline. There are also other variations of this theme. The initial motivation of BIP32 was to make handling of large numbers of private keys easier to manage and backup, since you only need one BIP32 seed to cover all possible keys in the keychain. In practice however, due to various wallet implementations and security models, the average user may be faced with the need to handle an ever growing number of seeds/mnemonics. This is due to incompatible wallet standards, hardware wallets (HWW), seed formats and standards, as well as, the need to used a mix of hot and cold wallets depending on the application and environment. Examples would span wallets on mobile phones, online servers running protocols like Join Market or Lightning, and the difference between Electrum and BIP39 mnemonic seed formats. The reference implementation of Bitcoin Core uses BIP32, while other cryptocurrencies like Monero use different mnemonic encoding schemes. We must also consider the different variety of physical backups including paper, metal and other physical storage devices, as well as the potentially splitting backups across different geographical locations. This complexity may result in less care being taken with subsequently generated seeds for new wallets need to be stored and it ultimately results in less security. In reality, the idea of having "one seed for all" has proven to be more difficult in practice than originally thought. Since all these derivation schemes are deterministic based on some initial entropy, this proposal aims to solve the above problems by detailing a way to deterministically derive the initial entropy used for new root keychains using a single BIP32 style "master root key". This will allow one root key or mnemonic to derive any variety of different root keychains in whatever format is required (like BIP32 and BIP39 etc). ==Specification== Input starts with a BIP32 seed. Derivation scheme uses the format `m/83696968'/type'/index'` where `type` is the final seed type, and `index` in the key index of the hardened child private key. | type | bits| output| |--|-|---| | 0 | 128 | 12 word BIP39 mnemonic| | 1 | 256 | 24 word BIP39 mnemonic| | 2 | 128 | 12 word Electrum mnemonic | | 3 | 256 | 24 word Electrum mnemonic | | 4 | 256 | WIF for Bitcoin Core | | 5 | 256 | 25 word Monero mnemonic | Entropy is calculated from the HMAC-SHA512(key=k, msg='bip-entropy-from-bip32') of the derived 32 byte private key (k). Entropy is taken from the result according to the number of bits required. This entropy can then be used as input to derive a mnemonic, wallet etc according to the `type` specified. ==Compatibility== In order to maintain the widest compatibility, the input to this function is a BIP32 seed, which may or may not have been derived from a BIP39 like mnemonic scheme. This maintains the original motivation that one backup can store any and all child derivation schemes depending on the user's preference or hardware signing devices. For example, devices that store the HD seed as a BIP39 mnemonic, Electrum seed, or BIP32 root key would all be able to implement this standard. ==Discussion== This proposal could be split into multiple discrete BIPs in the same way that BIP32 described the derivation mechanics, BIP39 the input encoding with mnemonics, and the derivation paths like BIP44, BIP49 and BIP84. This has been avoided to reduce complexity. The resulting private key processed with HMAC-SHA512 and truncated as necessary. HMAC-SHA512 was chosen because it may have better compatibility in embedded devices as it's already required in devices supporting BIP32. ==Test Vectors== ===Test ca
Re: [bitcoin-dev] RFC: Deterministic Entropy From BIP32 Keychains
Pavol, Yes thank you. I find abstracts hard, I will try again. Currently I need a separate BIP30 for many of my wallets. I cant have one master seed for all my wallets because some are less safe than others and storing the master in each environment will increase the chance it could be compromised (e.g. hot environments). I cant export a hardened xprv from my main BIP32 keychain and import it to my JM/Android wallet because they dont support it. There's also a usability issue there since xprvs are not easy to type. e.g. 1. Join Market server (online) 2. Lightning node (online) 3. Trezor (offline) 4. Smartphone wallet with coffee money (online) (and no HWW support) 5. Bitcoin Core (doesn't use BIP39 at all) I cannot use the same BIP39 seed across all these services. 1,2,4,5 are effectively hot wallets. The problem is BIP39. BIP32 is fine but the backup process is not human friendly. It would have been better to simply serialize 128 or 256 bits of entropy into words like BIP39 does and be done with it. After that, it's all deterministic anyway. Instead BIP39 tries to ensure pseudorandom entropy by hash-stretching the initial entropy. We can already export keychains from BIP32, as xprvs, but there is also no easy way to make as a human readable/typeable like BIP39 mnemonics. Most wallets don't allow you to import an xprv anyway, but again, good luck typing it. What we are left with is an ecosystem that widely implements BIP39, so practically speaking if I want to use multiple wallets and cannot share an existing seed with that device, I need separate 12 or 24 word mnemonics. That's 5 times the complexity to store than one (in my case). I need a new cryptosteel. If I have two different geological locations for backup, it's hard to add more, since I need to travel. The whole point of BIP32 was one master key would rule them all - set up once, back up once and it's done. BIP39 was simply to make it human friendly to write down the seed on paper. The easy solution as I see it is have one BIP39 mnemonic as my "master root key". From there it makes a BIP32 keychain and I can deterministically create child BIP39 seeds by taking a hardened path, using the private key as entropy ENT to create a new BIP39 mnemonic. If I do it this way I can have one initial backup, and if I need more wallets with a different seed, I can do it without worrying about backups. I'm future proof this way. Ethan ‐‐‐ Original Message ‐‐‐ On Friday, March 20, 2020 5:29 PM, Pavol Rusnak wrote: > On 20/03/2020 16:44, Ethan Kosakovsky via bitcoin-dev wrote: > > > I would like to present a proposal for discussion and peer review > > I read your proposal twice and I still don't know what kind of problem > are you trying to solve. > > This should be obvious from the "Abstract" and it's bad if it's not. > > > - > > Best Regards / S pozdravom, > > Pavol "stick" Rusnak > CTO, SatoshiLabs ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] RFC: Deterministic Entropy From BIP32 Keychains
I think my proposal can be summarized simply: 1. get a child private key, hmac it and get entropy bits. 2. Use that entropy to feed BIP39 to make a new mnemonic seed Bitcoin Core hdseed is a private key, so we can also do the same steps here 1. get a child private key, hmac it and get entropy bits. 2. Use that entropy to create a WIF to become the key for hdseed in Bitcoin Core. I standardize this by using paths (like BIP44/49) m/SEED'/BIP39'/index' m/SEED'/CORE'/index' index allows me to generate multiple childs for that type. Ethen ‐‐‐ Original Message ‐‐‐ On Friday, March 20, 2020 6:34 PM, Ethan Kosakovsky wrote: > Pavol, > > Yes thank you. I find abstracts hard, I will try again. > > Currently I need a separate BIP30 for many of my wallets. I cant have one > master seed for all my wallets because some are less safe than others and > storing the master in each environment will increase the chance it could be > compromised (e.g. hot environments). I cant export a hardened xprv from my > main BIP32 keychain and import it to my JM/Android wallet because they dont > support it. There's also a usability issue there since xprvs are not easy to > type. > > e.g. > > 1. Join Market server (online) > 2. Lightning node (online) > 3. Trezor (offline) > 4. Smartphone wallet with coffee money (online) (and no HWW support) > 5. Bitcoin Core (doesn't use BIP39 at all) > > I cannot use the same BIP39 seed across all these services. 1,2,4,5 are > effectively hot wallets. > > The problem is BIP39. BIP32 is fine but the backup process is not human > friendly. It would have been better to simply serialize 128 or 256 bits of > entropy into words like BIP39 does and be done with it. After that, it's all > deterministic anyway. Instead BIP39 tries to ensure pseudorandom entropy by > hash-stretching the initial entropy. > > We can already export keychains from BIP32, as xprvs, but there is also > no easy way to make as a human readable/typeable like BIP39 mnemonics. Most > wallets don't allow you to import an xprv anyway, but again, good luck typing > it. > > What we are left with is an ecosystem that widely implements BIP39, so > practically speaking if I want to use multiple wallets and cannot share an > existing seed with that device, I need separate 12 or 24 word mnemonics. > That's 5 times the complexity to store than one (in my case). I need a new > cryptosteel. If I have two different geological locations for backup, it's > hard to add more, since I need to travel. The whole point of BIP32 was one > master key would rule them all - set up once, back up once and it's done. > BIP39 was simply to make it human friendly to write down the seed on paper. > > The easy solution as I see it is have one BIP39 mnemonic as my "master > root key". From there it makes a BIP32 keychain and I can deterministically > create child BIP39 seeds by taking a hardened path, using the private key as > entropy ENT to create a new BIP39 mnemonic. If I do it this way I can have > one initial backup, and if I need more wallets with a different seed, I can > do it without worrying about backups. I'm future proof this way. > > Ethan > > ‐‐‐ Original Message ‐‐‐ > On Friday, March 20, 2020 5:29 PM, Pavol Rusnak st...@satoshilabs.com > wrote: > > > > On 20/03/2020 16:44, Ethan Kosakovsky via bitcoin-dev wrote: > > > > > I would like to present a proposal for discussion and peer review > > > > I read your proposal twice and I still don't know what kind of problem > > are you trying to solve. > > This should be obvious from the "Abstract" and it's bad if it's not. > > > > Best Regards / S pozdravom, > > Pavol "stick" Rusnak > > CTO, SatoshiLabs ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] RFC: Deterministic Entropy From BIP32 Keychains
Chris, Thank you for taking the time to share your thoughts. I agree there are wide considerations surrounding key handling and storage. I dont think my proposal interferes with that perspective any more than BIP32 itself would. How keys are handled is a separate matter than the cryptography of key derivation and trying to get back to the one single backup that is future proof. My proposal is not concerned with how the initial master key/seed is generated, just that we have one. My proposal is concerned with how to avoid having to generate more master keys because of the wide adoption of standards that impose restrictions (like BIP39); or the fragmented methods of initialization various wallets; as well as the instances where sharing the BIP39 seed with multiple wallets is undesirable due to security concerns (for example hot and offline wallet); or just plain incompatible standards. If we were to start everything from scratch, we would obviously do things differently. However, there are already millions of wallets created using existing standards. It's just not possible to reset sadly. > What I think Ethan is proposing is the ability to turn any child derived > xprv key into a new set valid seed words that could be used by a wallet or > other devices that don't understand xprv and will only allow import of new > seeds words. This gets even more complicated if the seed words are not the > standard BIP-39 set (which BTW, are not an ideal set of words, the > selection of the SLIP-39 words is much better). I am proposing two separate things. - that we use fully hardened paths to derive keys in order to derive entropy. - that a BIP44 like derivation path can be used to describe what the entropy is intended for For example we use the prefix 83696968 (ASCII seed in decimal) `m/83696968'/type'/index'` - `type` defines how the entropy will be used `0` means use 128 bits of the entropy as input to BIP39, producing a 12 word BIP39 mnemonic `4` means use 256 bits of the entropy as the secret exponent to create a compressed WIF (for use as hdseed in Bitcoin Core) In this way, we can neatly define the specific use-cases of the entropy maintaining some order. - `index` is the key index so we can generate multiple instances of this type of entropy To answer your question about whether to one-way-transform the resulting k. In practice, k is already safe because it was derived from a fully hardened path which protects the parent tree. However, the purpose here semantically is to be entropy. But k is not entropy, it's a private key on that derivation path. Neither are we exporting and xprv. We want entropy to seed the derivation of something else specified by the `type`. For that reason I consider it important to transform k by way of a hash or hmac. Using HMAC over hash is a decision based on an abundance of caution to ensure ward off unwanted side effects should k be used for a dual purpose, including as a nonce hash(k), where undesirable and unforeseen interactions could occur. > Though possibly pragmatic, this approach would be a hack – starting with some > raw entropy, convert this to an entropy seed, then to words, then hmac to > xprv, then derive child keys, then convert that child key to a new entropy > seed, then hmac to xprv, and then derive child keys again, etc. I am not proposing the nesting, although nothing would prohibit it, I'm just proposing one master root key from which all child keychains can be derived and overcome the incompatibilities and impracticalities detailed. > Let me know if you'd like to participate in the discussions (currently either > Github issues or a Signal group for the group) Sure! What's the URL of the Github? Ethan ‐‐‐ Original Message ‐‐‐ On Saturday, March 21, 2020 2:46 AM, Christopher Allen via bitcoin-dev wrote: > I agree with the problem statement in this proposal, but not the proposed > solution. > > The challenge of safely securing a seed for a single signature is not > insignificant. Blockchain Commons has published procedures that we consider > the current best practices for cold storage in a free book at > http://bit.ly/SmartCustodyBookV101 and in github at > https://github.com/BlockchainCommons/smartcustodybook. It currently requires > a couple of hours and $200 or more of materials (home safe, 2 ledgers, > titanium blanks, etc.) to safely product (significantly less time and money > than Glacier Protocol). > > Presumably, people are not going to go to this level of protection for too > many keys, thus there needs to be methods to leverage the root seeds that are > properly protected. > > Currently Blockchain Commons is working on standards for airgap solutions for > storing and signing from offline keys. Scenarios include using Shamir and > SLIP-39 on an offline device with no-WiFi or Bluetooth, an air-gapped mobile > phone in airplane mode, or another dedi
Re: [bitcoin-dev] RFC: Deterministic Entropy From BIP32 Keychains
I have completely revised the wording of this proposal I hope to be clearer in explaining the motivation and methodology. https://gist.github.com/ethankosakovsky/268c52f018b94bea29a6e809381c05d6 Ethan ‐‐‐ Original Message ‐‐‐ On Friday, March 20, 2020 4:44 PM, Ethan Kosakovsky via bitcoin-dev wrote: > I would like to present a proposal for discussion and peer review. It aims to > solve the problem of "too many seeds and too many backups" due to the many > reasons stipulated in the proposal text. > > https://gist.githubusercontent.com/ethankosakovsky/f7d148f588d14e0bb4f70bb6afc509d0/raw/6da51e837b0e1f1b2b21f3d4cbc2c5a87969ffd5/bip-entropy-from-bip32.mediawiki > > > BIP: > Title: Deterministic Entropy From BIP32 Keychains > Author: Ethan Kosakovsky ethankosakov...@protonmail.com > Comments-Summary: No comments yet. > Comments-URI: > Status: Proposed > Type: Standards Track > Created: 2020-03-20 > License: BSD-2-Clause > OPL > > > ==Abstract== > > This proposal provides a way to derive entropy from a HD keychain path in > order to deterministically derive the initial entropy used to create keychain > mnemonics and seeds. > > ==Motivation== > > BIP32 uses some initial entropy as a seed to deterministically derive a BIP32 > root for hierarchical deterministic keychains. BIP39 introduced a method of > encoding initial entropy into a mnemonic phrase which is used as input to a > one way hash function in order to deterministically derive a BIP32 seed. The > motivation behind mnemonic phrases was to make it easier for humans to backup > and store offline. There are also other variations of this theme. > > The initial motivation of BIP32 was to make handling of large numbers of > private keys easier to manage and backup, since you only need one BIP32 seed > to cover all possible keys in the keychain. In practice however, due to > various wallet implementations and security models, the average user may be > faced with the need to handle an ever growing number of seeds/mnemonics. This > is due to incompatible wallet standards, hardware wallets (HWW), seed formats > and standards, as well as, the need to used a mix of hot and cold wallets > depending on the application and environment. > > Examples would span wallets on mobile phones, online servers running > protocols like Join Market or Lightning, and the difference between Electrum > and BIP39 mnemonic seed formats. The reference implementation of Bitcoin Core > uses BIP32, while other cryptocurrencies like Monero use different mnemonic > encoding schemes. > > We must also consider the different variety of physical backups including > paper, metal and other physical storage devices, as well as the potentially > splitting backups across different geographical locations. This complexity > may result in less care being taken with subsequently generated seeds for new > wallets need to be stored and it ultimately results in less security. In > reality, the idea of having "one seed for all" has proven to be more > difficult in practice than originally thought. > > Since all these derivation schemes are deterministic based on some initial > entropy, this proposal aims to solve the above problems by detailing a way to > deterministically derive the initial entropy used for new root keychains > using a single BIP32 style "master root key". This will allow one root key or > mnemonic to derive any variety of different root keychains in whatever format > is required (like BIP32 and BIP39 etc). > > ==Specification== > > Input starts with a BIP32 seed. Derivation scheme uses the format > `m/83696968'/type'/index'` where `type` is the final seed type, and `index` > in the key index of the hardened child private key. > > type > > bits > > output > > 0 > > 128 > > 12 word BIP39 mnemonic > > 1 > > 256 > > 24 word BIP39 mnemonic > > 2 > > 128 > > 12 word Electrum mnemonic > > 3 > > 256 > > 24 word Electrum mnemonic > > 4 > > 256 > > WIF for Bitcoin Core > > 5 > > 256 > > 25 word Monero mnemonic > > Entropy is calculated from the HMAC-SHA512(key=k, > msg='bip-entropy-from-bip32') of the derived 32 byte private key (k). Entropy > is taken from the result according to the number of bits required. This > entropy can then be used as input to derive a mnemonic, wallet etc according > to the`type` specified. > > ==Compatibility== > > In order to maintain the widest compatibility, the input to this function is > a BIP32 seed, which may or may not have been derived from a BIP39 like > mnemonic scheme. This maintains th
Re: [bitcoin-dev] Deterministic Entropy From BIP32 Keychains
Yes, I plan to submit as a BIP. I was just letting it sit for a while for others to consider. I was also considering to split the BIP into two. One for the the entropy derivation, and the Applications section would be another BIP. This would be akin to how BIP32 is the basis for derivation schemes like BIP39, and BIP44, BIP49 etc. Ethan ‐‐‐ Original Message ‐‐‐ On Tuesday, April 7, 2020 1:36 AM, Rodolfo Novak wrote: > Hello, > > We are planning on implementing the Deterministic Entropy From BIP32 > Keychains BIP on Coldcard. > > Is there a BIP number planned to be assigned and is there any review of this > BIP yet? > > Regards, > > ℝ. > > Rodolfo Novak || Coinkite Inc. || GPG: B444CDDA ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] Deterministic Entropy From BIP32 Keychains
I have opened a BIP PR at https://github.com/bitcoin/bips/pull/910 and also created a Python library with test vectors referenced in the BIP text. I am still unsure if I should or shouldnt split the BIP's "Applications" into a separate BIP or leave in the current BIP. ‐‐‐ Original Message ‐‐‐ On Monday, April 6, 2020 5:36 PM, Rodolfo Novak wrote: > Hello, > > We are planning on implementing the Deterministic Entropy From BIP32 > Keychains BIP on Coldcard. > > Is there a BIP number planned to be assigned and is there any review of this > BIP yet? > > Regards, > > ℝ. > > Rodolfo Novak || Coinkite Inc. || GPG: B444CDDA ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
