Published on: 2016-07-27T20:59:54+00:00
In a bitcoin-dev discussion, concerns were raised about the security of Bip39's use of PBKDF2 with 2048 iterations to protect large amounts of funds. Alternative methods of protection were proposed, including the use of a scheme that supports delegatable hardening or eschewing pretextual 'hardening'. However, these alternatives were rejected by the authors of the Bip39 spec. It was pointed out that Bip39 is not a brainwallet solely protected by the passphrase. The Digital Bitbox team uses PBKDF2 with over 20,000 iterations on the computer and an additional 2048 rounds on-chip to secure user-entered passphrases for their hardware wallet. Adding two random lowercase letters to the passphrase can increase security, but relying solely on a strong passphrase is not recommended. It is important to choose a good passphrase and take measures to ensure the seed is not stolen.Jonas Schnelli expressed concerns over the use of PBKDF2 with 2048 iterations in Bip39, suggesting it is not sufficient to protect large amounts of funds. He questioned alternative methods, such as using an expensive processor and memory in every hardware wallet or waiting ten minutes after entering a passphrase with a million iterations. The idea of adding two random lowercase letters to a passphrase with 2048 iterations was considered to potentially provide better protection. Schnelli advised users to choose a good passphrase or ensure their seed is not stolen.The article explains how a master mnemonic is generated from a standard mnemonic according to BIP39. A new string is created using Count and Strength, where Count represents different derived mnemonics of a given strength, and Strength is calculated based on the desired number of words for the derived mnemonic. The string is then hashed using sha512. The author suggests using sha512_hmac with a passphrase and salt instead of a checksum based on a predetermined wordlist, highlighting security downsides. An alternative idea of deriving a child key after bip32 and using the derived 256bits to encode the mnemonic is proposed. Concerns are raised about users only storing and backing up the bip39 mnemonic, as reconstructing funds from a seed can be difficult without access to a trusted TX-indexed full node. Novice users might underestimate the risk of losing metadata coupled with their transactions when they only store the wallet seed.The author has submitted a draft BIP proposal for derived mnemonics from a master mnemonic, aiming to make it easier to split funds into smaller fractions and use them in an HD-wallet without putting the master mnemonic at risk on an online computer. The master mnemonic is generated offline, and multiple derived mnemonics are generated deterministically offline for online use. The proposed method uses sha512 hashing to generate byte arrays to create new mnemonics. A reference implementation for a 24-word master mnemonic based on BIP44 is available on the provided website. Use cases include splitting funds into fractions, sending them to multiple addresses, giving derived mnemonics to family members with bitcoin, and memorizing only a 12-word seed.
Updated on: 2023-08-01T18:47:37.563336+00:00