mirror of
https://github.com/bitcoinbook/bitcoinbook
synced 2024-11-25 09:28:25 +00:00
162 lines
5.4 KiB
Plaintext
162 lines
5.4 KiB
Plaintext
----------------------------------------------------------
|
||
BIP: BIP-0039
|
||
Title: Mnemonic code for generating deterministic keys
|
||
Authors: Marek Palatinus <slush@satoshilabs.com>
|
||
Pavol Rusnak <stick@satoshilabs.com>
|
||
ThomasV <thomasv@bitcointalk.org>
|
||
Aaron Voisine <voisine@gmail.com>
|
||
Sean Bowe <ewillbefull@gmail.com>
|
||
Status: Draft
|
||
Type: Standards Track
|
||
Created: 2013-09-10
|
||
----------------------------------------------------------
|
||
|
||
[[abstract]]
|
||
Abstract
|
||
~~~~~~~~
|
||
|
||
This BIP describes the implementation of a mnemonic code or mnemonic
|
||
sentence -- a group of easy to remember words -- for the generation of
|
||
deterministic wallets.
|
||
|
||
It consists of two parts: generating the mnenomic, and converting it
|
||
into a binary seed. This seed can be later used to generate
|
||
deterministic wallets using BIP-0032 or similar methods.
|
||
|
||
[[motivation]]
|
||
Motivation
|
||
~~~~~~~~~~
|
||
|
||
A mnenomic code or sentence is superior for human interaction compared
|
||
to the handling of raw binary or hexidecimal representations of a wallet
|
||
seed. The sentence could be written on paper or spoken over the
|
||
telephone.
|
||
|
||
This guide meant to be as a way to transport computer-generated
|
||
randomnes over human readable transcription. It's not a way how to
|
||
process user-created sentences (also known as brainwallet) to wallet
|
||
seed.
|
||
|
||
[[generating-the-mnemonic]]
|
||
Generating the mnemonic
|
||
~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
The mnemonic must encode entropy in any multiple of 32 bits. With larger
|
||
entropy security is improved but the sentence length increases. We can
|
||
refer to the initial entropy length as ENT. The recommended size of ENT
|
||
is 128-256 bits.
|
||
|
||
First, an initial entropy of ENT bits is generated. A checksum is
|
||
generated by taking the first
|
||
|
||
--------
|
||
ENT / 32
|
||
--------
|
||
|
||
bits of its SHA256 hash. This checksum is appended to the end of the
|
||
initial entropy. Next, these concatenated bits are are split into groups
|
||
of 11 bits, each encoding a number from 0-2047, serving as an index to a
|
||
wordlist. Later, we will convert these numbers into words and use the
|
||
joined words as a mnemonic sentence.
|
||
|
||
The following table describes the relation between the initial entropy
|
||
length (ENT), the checksum length (CS) and length of the generated
|
||
mnemonic sentence (MS) in words.
|
||
|
||
------------------------------
|
||
CS = ENT / 32
|
||
MS = (ENT + CS) / 11
|
||
|
||
| ENT | CS | ENT+CS | MS |
|
||
+-------+----+--------+------+
|
||
| 128 | 4 | 132 | 12 |
|
||
| 160 | 5 | 165 | 15 |
|
||
| 192 | 6 | 198 | 18 |
|
||
| 224 | 7 | 231 | 21 |
|
||
| 256 | 8 | 264 | 24 |
|
||
------------------------------
|
||
|
||
[[wordlist]]
|
||
Wordlist
|
||
~~~~~~~~
|
||
|
||
An ideal wordlist has the following characteristics:
|
||
|
||
\a) smart selection of words
|
||
|
||
` - wordlist is created in such way that it's enough to type the first four` +
|
||
` letters to unambiguously identify the word`
|
||
|
||
\b) similar words avoided
|
||
|
||
` - word pairs like "build" and "built", "woman" and "women", or "quick" and "quickly"` +
|
||
` not only make remembering the sentence difficult, but are also more error` +
|
||
` prone and more difficult to guess`
|
||
|
||
\c) sorted wordlists
|
||
|
||
` - wordlist is sorted which allows for more efficient lookup of the code words` +
|
||
` (i.e. implementation can use binary search instead of linear search)` +
|
||
` - this also allows trie (prefix tree) to be used, e.g. for better compression`
|
||
|
||
The wordlist can contain native characters, but they have to be encoded
|
||
in UTF-8 using Normalization Form Compatibility Decomposition (NFKD).
|
||
|
||
[[from-mnemonic-to-seed]]
|
||
From mnemonic to seed
|
||
~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
A user may decide to protect their mnemonic by passphrase. If a
|
||
passphrase is not present, an empty string "" is used instead.
|
||
|
||
To create a binary seed from the mnemonic, we use PBKDF2 function with a
|
||
mnemonic sentence (in UTF-8 NFKD) used as a password and string
|
||
"mnemonic" + passphrase (again in UTF-8 NFKD) used as a salt. Iteration
|
||
count is set to 2048 and HMAC-SHA512 is used as a pseudo-random
|
||
function. Desired length of the derived key is 512 bits (= 64 bytes).
|
||
|
||
This seed can be later used to generate deterministic wallets using
|
||
BIP-0032 or similar methods.
|
||
|
||
The conversion of the mnemonic sentence to binary seed is completely
|
||
independent from generating the sentence. This results in rather simple
|
||
code; there are no constraints on sentence structure and clients are
|
||
free to implement their own wordlists or even whole sentence generators,
|
||
allowing for flexibility in wordlists for typo detection or other
|
||
purposes.
|
||
|
||
Although using mnemonic not generated by algorithm described in
|
||
"Generating the mnemonic" section is possible, this is not advised and
|
||
software must compute checksum of the mnemonic sentence using wordlist
|
||
and issue a warning if it is invalid.
|
||
|
||
Described method also provides plausible deniability, because every
|
||
passphrase generates a valid seed (and thus deterministic wallet) but
|
||
only the correct one will make the desired wallet available.
|
||
|
||
[[wordlists]]
|
||
Wordlists
|
||
~~~~~~~~~
|
||
|
||
* link:bip-0039/english.txt[English]
|
||
|
||
[[test-vectors]]
|
||
Test vectors
|
||
~~~~~~~~~~~~
|
||
|
||
See https://github.com/trezor/python-mnemonic/blob/master/vectors.json
|
||
|
||
[[reference-implementation]]
|
||
Reference Implementation
|
||
~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
Reference implementation including wordlists is available from
|
||
|
||
http://github.com/trezor/python-mnemonic
|
||
|
||
[[other-implementations]]
|
||
Other Implementations
|
||
~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
Objective-C - https://github.com/nybex/NYMnemonic
|