[Bitcoin-development] Proposal to replace BIP0039

Thomas Voegtlin thomasv1 at gmx.de
Thu Oct 31 09:13:43 UTC 2013


Indeed, I want to include a version number in the seed phrase because 
there are
multiple ways to define the tree structure used with BIP32. It is 
certainly too early
to make final decisions on that, or to achieve a common standard.
Also, I can imagine that bip32 itself might be superseeded in the future.

I understand that encapsulating a version number in the seed phrase might
not be as important for other wallets as it is for Electrum. So it is 
probably not
necessary to propose another BIP for that. I will simply implement it 
for Electrum,
and I will try to do it in such a way that other wallets can use the 
same format.

The other question we might be solving is strenghtening (your proposal). 
I consider
that this is not a strong requirement for Electrum, because it does not 
let the user
choose their seed phrase. However, if a few bits of the seed phrase are 
allocated
for metadata, then I guess strenghtening can be part of it. That's 
another good
reason to have a version number encapsulated in the seed.

I too wonder why the transformation needs to be bidirectional in bip39.




Le 26/10/2013 23:30, Pieter Wuille a écrit :
> Let's first try to agree on what we are solving.
>
> It seems that Thomas wants - in addition to the cryptographic data -
> to encode the tree structure, or at least version information about
> what features are used in it, inside the seed.
>
> I'm not sure whether we're ready to standardize on something like that
> yet, not having established best practices regarding different wallet
> structures. I do think we first need to see what possibilities and
> developments are possible related to it.
>
> In addition, information about the wallet structure is strictly less
> secret than the key data - it is even less confidential than address
> book data, transaction annotations, labels and comments and
> bookkeeping information. It could be backed up anywhere and everywhere
> without any repercussions, as far as I can see. I understand that in
> the case of Electrum, there is a strong reason to want this
> encapsulated together with the seed, but it's not really a requirement
> for most wallets.
> (if really needed, any key derivation scheme that starts from random
> strings can be augmented with metadata by enforcing property-bits on a
> hash of the string (so not of the output), as this data doesn't need
> protection from brute-forcing).
>
> Regarding other requirements, I wonder why we want the transformation
> to be bidirectional? If it is just about generating master seeds, one
> direction should be enough, and allows far nicer properties w.r.t.
> security. If we do settle on a standard for 'brainwallets', I would
> strongly prefer if it had at least some strengthening built-in, to
> decrease the impact of worst-case situations.
> If the reason is backward-compatibility, I think that any client that
> supports seeds already can just keep supporting whatever they
> supported before. Only if it matches both encoding schemes (as
> mentioned before) there is a potential collision (and in that case,
> the user could just be asked).
>





More information about the bitcoin-dev mailing list