Proposal to replace BIP0039 [combined summary]

Published on: 2013-11-17T00:49:00+00:00

Summary:

Trezor, a hardware wallet for Bitcoin users, has developed a method to prove the integrity of the seed generated by the device. The method combines computer-provided entropy with device-provided entropy to create a master private key, from which a master public key is derived. The computer can verify that the master public key was derived from its own entropy without learning Trezor's random number. Concerns remain, however, about verifying that the mnemonic corresponds to the secret held in Trezor; trust in Trezor is still required to ensure that the master public key was derived correctly. The discussion also covers the practicality of using mnemonics in embedded devices and the need for modifications or alternative solutions.

On communication between Trezor and the computer, proposals have been made for the computer to verify the master public key and confirm that it is derived from its own entropy. Considerations include rigging, the use of BIP32 public derivations versus private derivations, version numbers in the seed phrase, defining the tree structure, custom wordlists, and best practices for standardizing the use of BIP32. These discussions emphasize the importance of secure seed generation, of verification methods, and of compatibility and standardization across cryptocurrency wallets.

In an email exchange, the discussion focuses on whether to standardize the inclusion of the tree structure or version information inside the seed. Pieter suggests establishing best practices and exploring different wallet structures before finalizing any standards. Marek agrees on the need for hardening and notes that BIP39 already includes some strengthening. The email also touches on bidirectional transformations, backward compatibility, and the need to cover version bits in the specification to ensure cross-compatibility between clients.

A linked Wikipedia page offers implementation methods for BIP0039, including formatting metadata. Developers can follow the guidelines on that page to create efficient and user-friendly implementations. Electrum developer ThomasV admits that his previous rejection of adding extra information to mnemonic seeds was wrong. He now sees metadata such as a "version number" as necessary for specifying which branches of the HD tree should be used. A new proposal is suggested, similar to Pieter Wuille's proposal but without requiring a dictionary. The encoding is not symmetric, which is not a requirement for Electrum but may be required for Trezor.

In a Bitcointalk forum discussion, concerns are raised about BIP0039's compatibility with Electrum and the lack of version number information in the seed encoding. Suggestions include allocating a few bits of the mnemonic to encode a version number; implementing both algorithms simultaneously is also proposed. An email conversation from October 2013 addresses these concerns, suggesting a decision-tree implementation in Electrum to determine whether a mnemonic is Electrum or BIP39. Because neither algorithm has any history yet, a preferred one would have to be chosen for specific clients.
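As an added illustration of the seed-integrity idea in the first paragraph (example code written for this summary, not code from the thread or from Trezor): it assumes an additive key combination on secp256k1 in which the device first commits to its public share D = d*G, the master key is k = d + c (mod n), and the computer checks K == D + c*G without ever learning d. The entropy values are constructed, and a device that ignores the computer's entropy is shown to fail the check.

```python
# Assumed construction for illustration only (not the Trezor protocol):
# device commits to D = d*G, master key k = d + c mod n, computer verifies
# K == D + c*G. Affine secp256k1 arithmetic, written for clarity, not speed.

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p, q):
    """Affine point addition; None stands for the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None  # p == -q
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P  # tangent slope
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P  # chord slope
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc


def device_commit(d):
    """Step 1: device publishes D = d*G before seeing the computer's entropy."""
    return ec_mul(d % N, G)


def device_derive_master(d, c):
    """Step 2: device combines both secrets into the master key pair (k, K)."""
    k = (d + c) % N
    return k, ec_mul(k, G)


def computer_verify(commitment, c, master_pub):
    """Step 3: computer checks K == D + c*G; d itself is never revealed."""
    return ec_add(commitment, ec_mul(c % N, G)) == master_pub
```

The commitment step matters: if the device could choose d after seeing c, it could pick any k it liked and still pass the check.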


Updated on: 2023-08-01T06:15:56.935326+00:00