mirror of
https://github.com/bitcoin/bips.git
synced 2025-05-12 12:03:29 +00:00
commit
c0ca4051d5
@ -26,25 +26,25 @@ A mnemonic code or sentence is superior for human interaction compared to the
|
|||||||
handling of raw binary or hexidecimal representations of a wallet seed. The
|
handling of raw binary or hexidecimal representations of a wallet seed. The
|
||||||
sentence could be written on paper or spoken over the telephone.
|
sentence could be written on paper or spoken over the telephone.
|
||||||
|
|
||||||
This guide meant to be as a way to transport computer-generated randomness over
|
This guide is meant to be a way to transport computer-generated randomness with
|
||||||
human readable transcription. It's not a way how to process user-created
|
a human readable transcription. It's not a way to process user-created
|
||||||
sentences (also known as brainwallet) to wallet seed.
|
sentences (also known as brainwallets) into a wallet seed.
|
||||||
|
|
||||||
==Generating the mnemonic==
|
==Generating the mnemonic==
|
||||||
|
|
||||||
The mnemonic must encode entropy in any multiple of 32 bits. With larger entropy
|
The mnemonic must encode entropy in a multiple of 32 bits. With more entropy
|
||||||
security is improved but the sentence length increases. We can refer to the
|
security is improved but the sentence length increases. We refer to the
|
||||||
initial entropy length as ENT. The recommended size of ENT is 128-256 bits.
|
initial entropy length as ENT. The recommended size of ENT is 128-256 bits.
|
||||||
|
|
||||||
First, an initial entropy of ENT bits is generated. A checksum is generated by
|
First, an initial entropy of ENT bits is generated. A checksum is generated by
|
||||||
taking the first <pre>ENT / 32</pre> bits of its SHA256 hash. This checksum is
|
taking the first <pre>ENT / 32</pre> bits of its SHA256 hash. This checksum is
|
||||||
appended to the end of the initial entropy. Next, these concatenated bits
|
appended to the end of the initial entropy. Next, these concatenated bits
|
||||||
are split into groups of 11 bits, each encoding a number from 0-2047, serving
|
are split into groups of 11 bits, each encoding a number from 0-2047, serving
|
||||||
as an index to a wordlist. Later, we will convert these numbers into words and
|
as an index into a wordlist. Finally, we convert these numbers into words and
|
||||||
use the joined words as a mnemonic sentence.
|
use the joined words as a mnemonic sentence.
|
||||||
|
|
||||||
The following table describes the relation between the initial entropy
|
The following table describes the relation between the initial entropy
|
||||||
length (ENT), the checksum length (CS) and length of the generated mnemonic
|
length (ENT), the checksum length (CS) and the length of the generated mnemonic
|
||||||
sentence (MS) in words.
|
sentence (MS) in words.
|
||||||
|
|
||||||
<pre>
|
<pre>
|
||||||
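Review bot: The unchanged context line "handling of raw binary or hexidecimal representations of a wallet seed" at the top of this hunk still carries the misspelling "hexidecimal"; since this patch is a wording pass over the same paragraph, correct it to "hexadecimal" here as well. In the new line "a human readable transcription" the compound modifier should be hyphenated: "a human-readable transcription".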
@ -65,7 +65,7 @@ MS = (ENT + CS) / 11
|
|||||||
An ideal wordlist has the following characteristics:
|
An ideal wordlist has the following characteristics:
|
||||||
|
|
||||||
a) smart selection of words
|
a) smart selection of words
|
||||||
- wordlist is created in such way that it's enough to type the first four
|
- the wordlist is created in such way that it's enough to type the first four
|
||||||
letters to unambiguously identify the word
|
letters to unambiguously identify the word
|
||||||
|
|
||||||
b) similar words avoided
|
b) similar words avoided
|
||||||
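Review bot: The new bullet under a) reads "the wordlist is created in such way that", which adds the article before "wordlist" but still omits the one in "in such a way that". Suggest "the wordlist is created in such a way that it's enough to type the first four letters to unambiguously identify the word".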
@ -74,39 +74,39 @@ b) similar words avoided
|
|||||||
prone and more difficult to guess
|
prone and more difficult to guess
|
||||||
|
|
||||||
c) sorted wordlists
|
c) sorted wordlists
|
||||||
- wordlist is sorted which allows for more efficient lookup of the code words
|
- the wordlist is sorted which allows for more efficient lookup of the code words
|
||||||
(i.e. implementation can use binary search instead of linear search)
|
(i.e. implementations can use binary search instead of linear search)
|
||||||
- this also allows trie (prefix tree) to be used, e.g. for better compression
|
- this also allows trie (a prefix tree) to be used, e.g. for better compression
|
||||||
|
|
||||||
The wordlist can contain native characters, but they have to be encoded in UTF-8
|
The wordlist can contain native characters, but they must be encoded in UTF-8
|
||||||
using Normalization Form Compatibility Decomposition (NFKD).
|
using Normalization Form Compatibility Decomposition (NFKD).
|
||||||
|
|
||||||
==From mnemonic to seed==
|
==From mnemonic to seed==
|
||||||
|
|
||||||
A user may decide to protect their mnemonic by passphrase. If a passphrase is not
|
A user may decide to protect their mnemonic with a passphrase. If a passphrase is not
|
||||||
present, an empty string "" is used instead.
|
present, an empty string "" is used instead.
|
||||||
|
|
||||||
To create a binary seed from the mnemonic, we use PBKDF2 function with a mnemonic
|
To create a binary seed from the mnemonic, we use the PBKDF2 function with a mnemonic
|
||||||
sentence (in UTF-8 NFKD) used as a password and string "mnemonic" + passphrase (again
|
sentence (in UTF-8 NFKD) used as the password and the string "mnemonic" + passphrase (again
|
||||||
in UTF-8 NFKD) used as a salt. Iteration count is set to 2048 and HMAC-SHA512 is used as
|
in UTF-8 NFKD) used as the salt. The iteration count is set to 2048 and HMAC-SHA512 is used as
|
||||||
a pseudo-random function. Desired length of the derived key is 512 bits (= 64 bytes).
|
the pseudo-random function. The length of the derived key is 512 bits (= 64 bytes).
|
||||||
|
|
||||||
This seed can be later used to generate deterministic wallets using BIP-0032 or
|
This seed can be later used to generate deterministic wallets using BIP-0032 or
|
||||||
similar methods.
|
similar methods.
|
||||||
|
|
||||||
The conversion of the mnemonic sentence to binary seed is completely independent
|
The conversion of the mnemonic sentence to a binary seed is completely independent
|
||||||
from generating the sentence. This results in rather simple code; there are no
|
from generating the sentence. This results in rather simple code; there are no
|
||||||
constraints on sentence structure and clients are free to implement their own
|
constraints on sentence structure and clients are free to implement their own
|
||||||
wordlists or even whole sentence generators, allowing for flexibility in wordlists
|
wordlists or even whole sentence generators, allowing for flexibility in wordlists
|
||||||
for typo detection or other purposes.
|
for typo detection or other purposes.
|
||||||
|
|
||||||
Although using mnemonic not generated by algorithm described in "Generating the
|
Although using a mnemonic not generated by the algorithm described in "Generating the
|
||||||
mnemonic" section is possible, this is not advised and software must compute
|
mnemonic" section is possible, this is not advised and software must compute a
|
||||||
checksum of the mnemonic sentence using wordlist and issue a warning if it is
|
checksum for the mnemonic sentence using a wordlist and issue a warning if it is
|
||||||
invalid.
|
invalid.
|
||||||
|
|
||||||
Described method also provides plausible deniability, because every passphrase
|
The described method also provides plausible deniability, because every passphrase
|
||||||
generates a valid seed (and thus deterministic wallet) but only the correct one
|
generates a valid seed (and thus a deterministic wallet) but only the correct one
|
||||||
will make the desired wallet available.
|
will make the desired wallet available.
|
||||||
|
|
||||||
==Wordlists==
|
==Wordlists==
|
||||||
|
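Review bot: In the paragraph beginning "Although using a mnemonic not generated by the algorithm", the new wording "compute a checksum for the mnemonic sentence using a wordlist" leaves open which wordlist is meant. The 11-bit groups are indices into a wordlist, so the words only map back to the entropy and checksum bits under the list that produced the sentence; say so explicitly, for example "using the wordlist the sentence was generated from". Separately, under c), "this also allows trie (a prefix tree) to be used" puts the article inside the parentheses while "trie" still has none; "allows a trie (prefix tree) to be used" reads correctly, and "the wordlist is sorted which allows" wants a comma before "which".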