From e5b9aaf9fb5ea319e87112719ca38a83dc6c22f7 Mon Sep 17 00:00:00 2001 From: Liraz Siri Date: Fri, 27 Jan 2017 13:48:18 +0200 Subject: [PATCH] entropy requirements not well defined --- Comments:BIP-0039.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/Comments:BIP-0039.md b/Comments:BIP-0039.md index 2771033..1a36d02 100644 --- a/Comments:BIP-0039.md +++ b/Comments:BIP-0039.md 
@@ -8,4 +8,11 @@ BIP39 was introduced two years after Electrum. BIP39 seeds include a checksum, i * BIP39 seed phrases do not include a version number. This means that software should always know how to generate keys and addresses. BIP43 suggests that wallet software will try various existing derivation schemes within the BIP32 framework. This is extremely inefficient and rests on the assumption that future wallets will support all previously accepted derivation methods. If, in the future, a wallet developer decides not to implement a particular derivation method because it is deprecated, then the software will not be able to detect that the corresponding seed phrases are not supported, and it will return an empty wallet instead. This threatens users funds. -For these reasons, Electrum does not generate BIP39 seeds. \ No newline at end of file +For these reasons, Electrum does not generate BIP39 seeds. + +# Entropy requirements not well defined + +Author: Liraz Siri + +BIP39 requires a minimum 128-bits of entropy. Some people are suggesting this means deterministic Wallet creation procedures cannot output BIP39 because the user may provide less than 128 bits of entropy (e.g., in a passphrase). Another problem is that what constitutes true entropy in this context is not well defined. You can verify conformity to mnemonics and checksums, but it's really hard to verify how much source entropy is in the process that generates the 128/256 bits you feed into a BIP39 compliant generation procedure. A CSPRNG is not necessarily better than a user supplied passphrase fed into a KDF, and may be worse. It depends on the amount of source entropy that goes into the CSPRNG and whether the CSPRNG is operating correctly, which is hard to verify. +
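Review bot: The first sentence of the added paragraph, "BIP39 requires a minimum 128-bits of entropy", uses "entropy" for what a later sentence calls "the 128/256 bits you feed into a BIP39 compliant generation procedure", so it is unclear whether the requirement is on input length or on source entropy, which is the ambiguity this section sets out to describe. Suggest separating the two in the opening sentence and ending the paragraph with what the comment asks for, since it currently stops at "which is hard to verify" without a conclusion. "Some people are suggesting" should link to the discussion it refers to. Wording nits in the same paragraph: "128-bits" should match the "128 bits" used in the next sentence, "Wallet" should be lowercase, and "user supplied" should be hyphenated.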