Encryption of an existing BIP39 mnemonic without changing the seed
Summary:

Tobias Kaupat recently posted on the bitcoin-dev mailing list, looking for feedback on a proposed solution to a use case he has. He wants to password-protect an existing mnemonic for a hardware wallet by saving it in encrypted form on a paper backup, while still maintaining backup properties like error correction.

His suggested solution involves taking the existing mnemonic and extracting the related entropy, creating a SHA-256 hash from a user-defined password, using that hash as the key for AES in CTR mode to encrypt the entropy, and deriving a new mnemonic from the encrypted entropy to be stored on the paper backup. To restore the original mnemonic, one must know the password and follow the same process again.

Kaupat's proposed solution is based on provably secure algorithms rather than a "rot23 derivation" like Seedshift, which he considers less secure. While BIP-39 passphrases are used to derive the seed when generating a mnemonic with a passphrase, they do not help with an existing mnemonic that has no passphrase. Kaupat suggests that if a new mnemonic is needed, PBKDF2 as in the BIP-39 specification, or something like scrypt, could be used instead of raw SHA-256. However, this would require changing the storage format and storing a salt too, making the mnemonic bigger.

Kaupat's proposal needs a security review, and all encryption parameters are up for discussion. He welcomes feedback and suggestions from the community. The Go implementation of his proposal can be found on GitHub.
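The entropy-level round trip described above, written as an added Go example (it is not Kaupat's GitHub code): password to SHA-256 key, AES-256-CTR over the entropy, and the BIP39 checksum recomputed over the encrypted entropy before the 11-bit word indices are cut. The all-zero IV and the password are assumptions for the example; the wordlist lookup is left to the caller.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"math/big"
)

// keyFromPassword is the proposal's raw SHA-256 of the password (no salt, no
// stretching), the step the post itself flags for review.
func keyFromPassword(password string) []byte {
	k := sha256.Sum256([]byte(password))
	return k[:]
}

// ctrTransform applies AES-256-CTR to the entropy; CTR is an XOR keystream, so the
// same call encrypts and restores. Assumption: a fixed all-zero IV, since the paper
// format has no room to store one (the post does not specify the IV).
func ctrTransform(key, entropy []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(entropy))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, entropy)
	return out, nil
}

// wordIndices maps entropy to BIP39 word indices: append the first ENT/32 bits of
// SHA-256(entropy) as checksum, then split into 11-bit groups. Recomputing the
// checksum over the encrypted entropy is what keeps BIP39 error detection on the
// backup. Indices are looked up in the 2048-word list, which is not embedded here.
func wordIndices(entropy []byte) []int {
	cs := len(entropy) / 4 // checksum bits = ENT/32, for 16..32 bytes of entropy
	h := sha256.Sum256(entropy)
	n := new(big.Int).SetBytes(entropy)
	n.Lsh(n, uint(cs))
	n.Or(n, big.NewInt(int64(h[0]>>uint(8-cs))))
	idx := make([]int, (len(entropy)*8+cs)/11)
	for i := len(idx) - 1; i >= 0; i-- {
		idx[i] = int(new(big.Int).And(n, big.NewInt(2047)).Int64())
		n.Rsh(n, 11)
	}
	return idx
}
```

Feeding 16 zero bytes to wordIndices reproduces the standard BIP39 vector (eleven times index 0, "abandon", then index 3, "about"); feeding the encrypted entropy gives a different 12-word mnemonic of the same length with a valid checksum.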


Updated on: 2023-06-14T20:40:51.309256+00:00