1
0
mirror of https://github.com/bitcoin/bips.git synced 2025-10-20 14:07:26 +00:00
bips/bip-0039.mediawiki

164 lines
5.9 KiB
Plaintext
Raw Normal View History

<pre>
2016-02-03 07:02:36 +00:00
BIP: 39
Layer: Applications
2016-02-03 07:02:36 +00:00
Title: Mnemonic code for generating deterministic keys
Author: Marek Palatinus <slush@satoshilabs.com>
Pavol Rusnak <stick@satoshilabs.com>
Aaron Voisine <voisine@gmail.com>
Sean Bowe <ewillbefull@gmail.com>
Comments-Summary: Unanimously Discourage for implementation
Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0039
Status: Proposed
2016-02-03 07:02:36 +00:00
Type: Standards Track
Created: 2013-09-10
</pre>
==Abstract==
This BIP describes the implementation of a mnemonic code or mnemonic sentence --
a group of easy to remember words -- for the generation of deterministic wallets.
2013-12-15 17:23:44 +01:00
2014-07-09 14:18:59 +00:00
It consists of two parts: generating the mnemonic, and converting it into a
binary seed. This seed can be later used to generate deterministic wallets using
BIP-0032 or similar methods.
==Motivation==
2014-07-09 14:18:59 +00:00
A mnemonic code or sentence is superior for human interaction compared to the
2017-08-24 23:50:20 +12:00
handling of raw binary or hexadecimal representations of a wallet seed. The
2014-02-07 20:57:43 +01:00
sentence could be written on paper or spoken over the telephone.
2014-07-09 11:21:34 -07:00
This guide is meant to be a way to transport computer-generated randomness with
a human readable transcription. It's not a way to process user-created
sentences (also known as brainwallets) into a wallet seed.
2013-12-15 17:23:44 +01:00
==Generating the mnemonic==
2014-07-09 11:21:34 -07:00
The mnemonic must encode entropy in a multiple of 32 bits. With more entropy
security is improved but the sentence length increases. We refer to the
initial entropy length as ENT. The allowed size of ENT is 128-256 bits.
First, an initial entropy of ENT bits is generated. A checksum is generated by
taking the first <pre>ENT / 32</pre> bits of its SHA256 hash. This checksum is
2014-09-25 03:55:33 +03:00
appended to the end of the initial entropy. Next, these concatenated bits
are split into groups of 11 bits, each encoding a number from 0-2047, serving
2014-07-09 11:21:34 -07:00
as an index into a wordlist. Finally, we convert these numbers into words and
use the joined words as a mnemonic sentence.
The following table describes the relation between the initial entropy
2014-07-09 11:21:34 -07:00
length (ENT), the checksum length (CS) and the length of the generated mnemonic
sentence (MS) in words.
2013-12-15 17:23:44 +01:00
<pre>
CS = ENT / 32
MS = (ENT + CS) / 11
| ENT | CS | ENT+CS | MS |
+-------+----+--------+------+
| 128 | 4 | 132 | 12 |
| 160 | 5 | 165 | 15 |
| 192 | 6 | 198 | 18 |
| 224 | 7 | 231 | 21 |
| 256 | 8 | 264 | 24 |
</pre>
2013-12-15 17:23:44 +01:00
==Wordlist==
An ideal wordlist has the following characteristics:
a) smart selection of words
2014-07-09 11:21:34 -07:00
- the wordlist is created in such way that it's enough to type the first four
letters to unambiguously identify the word
b) similar words avoided
- word pairs like "build" and "built", "woman" and "women", or "quick" and "quickly"
not only make remembering the sentence difficult, but are also more error
prone and more difficult to guess
c) sorted wordlists
2014-07-09 11:21:34 -07:00
- the wordlist is sorted which allows for more efficient lookup of the code words
(i.e. implementations can use binary search instead of linear search)
- this also allows trie (a prefix tree) to be used, e.g. for better compression
2014-07-09 11:21:34 -07:00
The wordlist can contain native characters, but they must be encoded in UTF-8
2014-02-07 21:01:10 +01:00
using Normalization Form Compatibility Decomposition (NFKD).
2013-12-15 17:23:44 +01:00
==From mnemonic to seed==
2014-07-09 11:21:34 -07:00
A user may decide to protect their mnemonic with a passphrase. If a passphrase is not
present, an empty string "" is used instead.
2014-07-09 11:21:34 -07:00
To create a binary seed from the mnemonic, we use the PBKDF2 function with a mnemonic
sentence (in UTF-8 NFKD) used as the password and the string "mnemonic" + passphrase (again
in UTF-8 NFKD) used as the salt. The iteration count is set to 2048 and HMAC-SHA512 is used as
the pseudo-random function. The length of the derived key is 512 bits (= 64 bytes).
2013-12-15 17:23:44 +01:00
This seed can be later used to generate deterministic wallets using BIP-0032 or
similar methods.
2014-07-09 11:21:34 -07:00
The conversion of the mnemonic sentence to a binary seed is completely independent
from generating the sentence. This results in rather simple code; there are no
2013-12-15 17:23:44 +01:00
constraints on sentence structure and clients are free to implement their own
wordlists or even whole sentence generators, allowing for flexibility in wordlists
for typo detection or other purposes.
2014-07-09 11:21:34 -07:00
Although using a mnemonic not generated by the algorithm described in "Generating the
mnemonic" section is possible, this is not advised and software must compute a
checksum for the mnemonic sentence using a wordlist and issue a warning if it is
2014-02-07 20:57:43 +01:00
invalid.
2014-07-09 11:21:34 -07:00
The described method also provides plausible deniability, because every passphrase
generates a valid seed (and thus a deterministic wallet) but only the correct one
2013-12-15 17:23:44 +01:00
will make the desired wallet available.
2014-02-07 20:43:04 +01:00
==Wordlists==
2014-08-16 01:51:56 +09:00
* [[bip-0039/bip-0039-wordlists.md|Moved to separate document]]
2014-02-07 20:43:04 +01:00
==Test vectors==
2014-07-02 20:58:05 -04:00
The test vectors include input entropy, mnemonic and seed. The
passphrase "TREZOR" is used for all vectors.
https://github.com/trezor/python-mnemonic/blob/master/vectors.json
2014-09-03 23:49:33 +09:00
Also see https://github.com/bip32JP/bip32JP.github.io/blob/master/test_JP_BIP39.json
2014-09-03 23:52:24 +09:00
2014-09-03 23:49:33 +09:00
(Japanese wordlist test with heavily normalized symbols as passphrase)
==Reference Implementation==
Reference implementation including wordlists is available from
http://github.com/trezor/python-mnemonic
2013-12-15 17:23:44 +01:00
2014-02-28 12:28:09 -05:00
==Other Implementations==
Objective-C:
* https://github.com/nybex/NYMnemonic
2014-02-28 12:28:09 -05:00
Haskell:
* https://github.com/haskoin/haskoin
.NET C# (PCL):
* https://github.com/Thashiznets/BIP39.NET
.NET C# (PCL):
* https://github.com/NicolasDorier/NBitcoin
JavaScript:
* https://github.com/bitpay/bitcore-mnemonic
* https://github.com/bitcoinjs/bip39 (used by [[https://github.com/blockchain/My-Wallet-V3/blob/v3.8.0/src/hd-wallet.js#L121-L146|blockchain.info]])
Ruby:
* https://github.com/sreekanthgs/bip_mnemonic
2017-07-26 11:33:34 +08:00
Swift:
* https://github.com/CikeQiu/CKMnemonic
C++:
* https://github.com/libbitcoin/libbitcoin/blob/master/include/bitcoin/bitcoin/wallet/mnemonic.hpp
2017-08-11 22:31:00 +02:00
C (with Python/Java/Javascript bindings):
* https://github.com/ElementsProject/libwally-core