Re: [bitcoin-dev] RFC: Deterministic Entropy From BIP32 Keychains
I agree with the problem statement in this proposal, but not the proposed
solution.
The challenge of safely securing a seed for a single signature is not
insignificant. Blockchain Commons has published procedures that we consider
the current best practices for cold storage in a free book at
http://bit.ly/SmartCustodyBookV101 and in github at
https://github.com/BlockchainCommons/smartcustodybook. It currently
requires a couple of hours and $200 or more of materials (home safe, 2
ledgers, titanium blanks, etc.) to safely product (significantly less time
and money than Glacier Protocol).
Presumably, people are not going to go to this level of protection for too
many keys, thus there needs to be methods to leverage the root seeds that
are properly protected.
Currently Blockchain Commons is working on standards for airgap solutions
for storing and signing from offline keys. Scenarios include using Shamir
and SLIP-39 on an offline device with no-WiFi or Bluetooth, an air-gapped
mobile phone in airplane mode, or another dedicated device (for instance
the SafeKey device if open source was an option). You would use this device
to create and restore seeds, convert seeds from BIP-39 to SLIP-39, derive
HD keys, and then use QR code from the device to transfer the generated
child keys for use by different apps. In some cases, this offline device
could also read QR transactions and sign them. We have working prototypes
of this today.
This technique works fine for online Bitcoin apps that accept child keys in
the form of xprv (or equivalents) such as those our FullyNoded2 iOS wallet
supports, but the problem for other wallets is that you can't go from an
xprv back to a seed — the xprv creation is a one-way hmac-sha512 operation
(still not convinced this was a good decision).
What I think Ethan is proposing is the ability to turn any child derived
xprv key into a new set valid seed words that could be used by a wallet or
other devices that don't understand xprv and will only allow import of new
seeds words. This gets even more complicated if the seed words are not the
standard BIP-39 set (which BTW, are not an ideal set of words, the
selection of the SLIP-39 words is much better).
Though possibly pragmatic, this approach would be a hack – starting with
some raw entropy, convert this to an entropy seed, then to words, then hmac
to xprv, then derive child keys, then convert that child key to a new
entropy seed, then hmac to xprv, and then derive child keys again, etc.
I'd really prefer to start with finding standards ways to protect the
entropy seed (not specifically the bip39 words derived from that but also
as derived roots for WebAuthN/FIDO, GPG, Signal/Session, etc.) that can be
then be used to create other hierarchies of keys using airgap solutions.
For instance, here is what FullyNoded 2 currently uses to restore a Bitcoin
wallet including root seed:
{
"birthdate": 1584725088,
"label": "Testnet Single Signature",
"entropy": "b3b17e8f425bf7b96d68b67867cdc816",
"walletName": "DEFAULT_EBaiuGgZQS_StandUp",
"descriptor":
"wpkh([6955c2cb/84'/1'/0']tprv8giCxdrRRrKfQkXTJ4q2PNZBsPL7HiTXXteajiG8wqAGpLVsHJfN1EwwKM8F8x1Cuk8p6vh1KrKBCuZtZdDtL6Sc2CB1ou8sYiGSf6hcujv/0/*)",
"blockheight": 1
}
Alternatively, FullyNoded 2 can also restore a wallets without the full
seed, so for instance, if this QR restore was missing the entropy field,
only derived child xprv from the descriptor could be used, so no other
accounts could be created but new addresses as children of the xprv could
be created.
The advantage of of an entropy seed storage centered technique is that I
can convert that entropy seed into either BIP39 words, or any number of
SLIP-39 shards, or Lightning words, and back. We are also looking at using
this with the VSS that underlies Schnorr Musig. We can talk other secure
tool makers on how to use this raw entropy for other purposes to create
chains or hierarchies of keys for their unique needs.
Blockchain Common's doesn't have a full architecture for this yet as we are
working on our POC and are seeking suggestions from other wallet vendors
(in particular lightning and non-bitcoin secure services) on requirements.
Let me know if you'd like to participate in the discussions (currently
either Github issues or a Signal group for the group)
— Christopher Allen
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] RFC: Deterministic Entropy From BIP32 Keychains
I like this proposal and I see it's value: "One seed to rule them all." Not hard to implement either. --- Peter D. Gray || Founder, Coinkite || Twitter: @dochex || GPG: A3A31BAD 5A2A5B10 On Fri, Mar 20, 2020 at 03:44:01PM +, Ethan Kosakovsky wrote: > I would like to present a proposal for discussion and peer review. It aims to > solve the problem of "too many seeds and too many backups" due to the many > reasons stipulated in the proposal text. > > https://gist.githubusercontent.com/ethankosakovsky/f7d148f588d14e0bb4f70bb6afc509d0/raw/6da51e837b0e1f1b2b21f3d4cbc2c5a87969ffd5/bip-entropy-from-bip32.mediawiki > > > BIP: > Title: Deterministic Entropy From BIP32 Keychains > Author: Ethan Kosakovsky > Comments-Summary: No comments yet. > Comments-URI: > Status: Proposed > Type: Standards Track > Created: 2020-03-20 > License: BSD-2-Clause >OPL > > > ==Abstract== > > This proposal provides a way to derive entropy from a HD keychain path in > order to deterministically derive the initial entropy used to create keychain > mnemonics and seeds. > ... signature.asc Description: PGP signature ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] RFC: Deterministic Entropy From BIP32 Keychains
I think my proposal can be summarized simply: 1. get a child private key, hmac it and get entropy bits. 2. Use that entropy to feed BIP39 to make a new mnemonic seed Bitcoin Core hdseed is a private key, so we can also do the same steps here 1. get a child private key, hmac it and get entropy bits. 2. Use that entropy to create a WIF to become the key for hdseed in Bitcoin Core. I standardize this by using paths (like BIP44/49) m/SEED'/BIP39'/index' m/SEED'/CORE'/index' index allows me to generate multiple childs for that type. Ethen ‐‐‐ Original Message ‐‐‐ On Friday, March 20, 2020 6:34 PM, Ethan Kosakovsky wrote: > Pavol, > > Yes thank you. I find abstracts hard, I will try again. > > Currently I need a separate BIP30 for many of my wallets. I cant have one > master seed for all my wallets because some are less safe than others and > storing the master in each environment will increase the chance it could be > compromised (e.g. hot environments). I cant export a hardened xprv from my > main BIP32 keychain and import it to my JM/Android wallet because they dont > support it. There's also a usability issue there since xprvs are not easy to > type. > > e.g. > > 1. Join Market server (online) > 2. Lightning node (online) > 3. Trezor (offline) > 4. Smartphone wallet with coffee money (online) (and no HWW support) > 5. Bitcoin Core (doesn't use BIP39 at all) > > I cannot use the same BIP39 seed across all these services. 1,2,4,5 are > effectively hot wallets. > > The problem is BIP39. BIP32 is fine but the backup process is not human > friendly. It would have been better to simply serialize 128 or 256 bits of > entropy into words like BIP39 does and be done with it. After that, it's all > deterministic anyway. Instead BIP39 tries to ensure pseudorandom entropy by > hash-stretching the initial entropy. > > We can already export keychains from BIP32, as xprvs, but there is also > no easy way to make as a human readable/typeable like BIP39 mnemonics. Most > wallets don't allow you to import an xprv anyway, but again, good luck typing > it. > > What we are left with is an ecosystem that widely implements BIP39, so > practically speaking if I want to use multiple wallets and cannot share an > existing seed with that device, I need separate 12 or 24 word mnemonics. > That's 5 times the complexity to store than one (in my case). I need a new > cryptosteel. If I have two different geological locations for backup, it's > hard to add more, since I need to travel. The whole point of BIP32 was one > master key would rule them all - set up once, back up once and it's done. > BIP39 was simply to make it human friendly to write down the seed on paper. > > The easy solution as I see it is have one BIP39 mnemonic as my "master > root key". From there it makes a BIP32 keychain and I can deterministically > create child BIP39 seeds by taking a hardened path, using the private key as > entropy ENT to create a new BIP39 mnemonic. If I do it this way I can have > one initial backup, and if I need more wallets with a different seed, I can > do it without worrying about backups. I'm future proof this way. > > Ethan > > ‐‐‐ Original Message ‐‐‐ > On Friday, March 20, 2020 5:29 PM, Pavol Rusnak st...@satoshilabs.com > wrote: > > > > On 20/03/2020 16:44, Ethan Kosakovsky via bitcoin-dev wrote: > > > > > I would like to present a proposal for discussion and peer review > > > > I read your proposal twice and I still don't know what kind of problem > > are you trying to solve. > > This should be obvious from the "Abstract" and it's bad if it's not. > > > > Best Regards / S pozdravom, > > Pavol "stick" Rusnak > > CTO, SatoshiLabs ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] RFC: Deterministic Entropy From BIP32 Keychains
Pavol, Yes thank you. I find abstracts hard, I will try again. Currently I need a separate BIP30 for many of my wallets. I cant have one master seed for all my wallets because some are less safe than others and storing the master in each environment will increase the chance it could be compromised (e.g. hot environments). I cant export a hardened xprv from my main BIP32 keychain and import it to my JM/Android wallet because they dont support it. There's also a usability issue there since xprvs are not easy to type. e.g. 1. Join Market server (online) 2. Lightning node (online) 3. Trezor (offline) 4. Smartphone wallet with coffee money (online) (and no HWW support) 5. Bitcoin Core (doesn't use BIP39 at all) I cannot use the same BIP39 seed across all these services. 1,2,4,5 are effectively hot wallets. The problem is BIP39. BIP32 is fine but the backup process is not human friendly. It would have been better to simply serialize 128 or 256 bits of entropy into words like BIP39 does and be done with it. After that, it's all deterministic anyway. Instead BIP39 tries to ensure pseudorandom entropy by hash-stretching the initial entropy. We can already export keychains from BIP32, as xprvs, but there is also no easy way to make as a human readable/typeable like BIP39 mnemonics. Most wallets don't allow you to import an xprv anyway, but again, good luck typing it. What we are left with is an ecosystem that widely implements BIP39, so practically speaking if I want to use multiple wallets and cannot share an existing seed with that device, I need separate 12 or 24 word mnemonics. That's 5 times the complexity to store than one (in my case). I need a new cryptosteel. If I have two different geological locations for backup, it's hard to add more, since I need to travel. The whole point of BIP32 was one master key would rule them all - set up once, back up once and it's done. BIP39 was simply to make it human friendly to write down the seed on paper. The easy solution as I see it is have one BIP39 mnemonic as my "master root key". From there it makes a BIP32 keychain and I can deterministically create child BIP39 seeds by taking a hardened path, using the private key as entropy ENT to create a new BIP39 mnemonic. If I do it this way I can have one initial backup, and if I need more wallets with a different seed, I can do it without worrying about backups. I'm future proof this way. Ethan ‐‐‐ Original Message ‐‐‐ On Friday, March 20, 2020 5:29 PM, Pavol Rusnak wrote: > On 20/03/2020 16:44, Ethan Kosakovsky via bitcoin-dev wrote: > > > I would like to present a proposal for discussion and peer review > > I read your proposal twice and I still don't know what kind of problem > are you trying to solve. > > This should be obvious from the "Abstract" and it's bad if it's not. > > > - > > Best Regards / S pozdravom, > > Pavol "stick" Rusnak > CTO, SatoshiLabs ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] RFC: Deterministic Entropy From BIP32 Keychains
On 20/03/2020 16:44, Ethan Kosakovsky via bitcoin-dev wrote: > I would like to present a proposal for discussion and peer review I read your proposal twice and I still don't know what kind of problem are you trying to solve. This should be obvious from the "Abstract" and it's bad if it's not. -- Best Regards / S pozdravom, Pavol "stick" Rusnak CTO, SatoshiLabs ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
[bitcoin-dev] RFC: Deterministic Entropy From BIP32 Keychains
I would like to present a proposal for discussion and peer review. It aims to solve the problem of "too many seeds and too many backups" due to the many reasons stipulated in the proposal text. https://gist.githubusercontent.com/ethankosakovsky/f7d148f588d14e0bb4f70bb6afc509d0/raw/6da51e837b0e1f1b2b21f3d4cbc2c5a87969ffd5/bip-entropy-from-bip32.mediawiki BIP: Title: Deterministic Entropy From BIP32 Keychains Author: Ethan Kosakovsky Comments-Summary: No comments yet. Comments-URI: Status: Proposed Type: Standards Track Created: 2020-03-20 License: BSD-2-Clause OPL ==Abstract== This proposal provides a way to derive entropy from a HD keychain path in order to deterministically derive the initial entropy used to create keychain mnemonics and seeds. ==Motivation== BIP32 uses some initial entropy as a seed to deterministically derive a BIP32 root for hierarchical deterministic keychains. BIP39 introduced a method of encoding initial entropy into a mnemonic phrase which is used as input to a one way hash function in order to deterministically derive a BIP32 seed. The motivation behind mnemonic phrases was to make it easier for humans to backup and store offline. There are also other variations of this theme. The initial motivation of BIP32 was to make handling of large numbers of private keys easier to manage and backup, since you only need one BIP32 seed to cover all possible keys in the keychain. In practice however, due to various wallet implementations and security models, the average user may be faced with the need to handle an ever growing number of seeds/mnemonics. This is due to incompatible wallet standards, hardware wallets (HWW), seed formats and standards, as well as, the need to used a mix of hot and cold wallets depending on the application and environment. Examples would span wallets on mobile phones, online servers running protocols like Join Market or Lightning, and the difference between Electrum and BIP39 mnemonic seed formats. The reference implementation of Bitcoin Core uses BIP32, while other cryptocurrencies like Monero use different mnemonic encoding schemes. We must also consider the different variety of physical backups including paper, metal and other physical storage devices, as well as the potentially splitting backups across different geographical locations. This complexity may result in less care being taken with subsequently generated seeds for new wallets need to be stored and it ultimately results in less security. In reality, the idea of having "one seed for all" has proven to be more difficult in practice than originally thought. Since all these derivation schemes are deterministic based on some initial entropy, this proposal aims to solve the above problems by detailing a way to deterministically derive the initial entropy used for new root keychains using a single BIP32 style "master root key". This will allow one root key or mnemonic to derive any variety of different root keychains in whatever format is required (like BIP32 and BIP39 etc). ==Specification== Input starts with a BIP32 seed. Derivation scheme uses the format `m/83696968'/type'/index'` where `type` is the final seed type, and `index` in the key index of the hardened child private key. | type | bits| output| |--|-|---| | 0 | 128 | 12 word BIP39 mnemonic| | 1 | 256 | 24 word BIP39 mnemonic| | 2 | 128 | 12 word Electrum mnemonic | | 3 | 256 | 24 word Electrum mnemonic | | 4 | 256 | WIF for Bitcoin Core | | 5 | 256 | 25 word Monero mnemonic | Entropy is calculated from the HMAC-SHA512(key=k, msg='bip-entropy-from-bip32') of the derived 32 byte private key (k). Entropy is taken from the result according to the number of bits required. This entropy can then be used as input to derive a mnemonic, wallet etc according to the `type` specified. ==Compatibility== In order to maintain the widest compatibility, the input to this function is a BIP32 seed, which may or may not have been derived from a BIP39 like mnemonic scheme. This maintains the original motivation that one backup can store any and all child derivation schemes depending on the user's preference or hardware signing devices. For example, devices that store the HD seed as a BIP39 mnemonic, Electrum seed, or BIP32 root key would all be able to implement this standard. ==Discussion== This proposal could be split into multiple discrete BIPs in the same way that BIP32 described the derivation mechanics, BIP39 the input encoding with mnemonics, and the derivation paths like BIP44, BIP49 and BIP84. This has been avoided to reduce complexity. The resulting private key processed with HMAC-SHA512 and truncated as necessary. HMAC-SHA512 was chosen because it may have better compatibility in embedded devices as it's already required in devices supporting BIP32. ==Test Vectors== ===Test ca
