Topic: BIP 32 questions (Read 2807 times)

1. Not that I particularly endorse this method but you can go to bip32.org (or run it locally). There is an option for entering a passphrase manually.

Copy the resulting BIP32 extended key. It begins with xprv.

Open Electrum on your offline computer and choose File/New Restore/Restore a wallet. Paste the master private key.
You can check the list of receiving addresses against the addresses on the website by choosing "Derivation path" m/0/i, and then 0, 1, etc. in key pair index.

Do the same on your online computer but with your master public key. It begins with xpub. You can get it by choosing 'Derivation Path' 'Info m' and picking the derived public key. Then again, check that the receiving addresses match with your offline computer.

2. Your online computer will show the balance across all your addresses without putting any fund at risk. your private keys are in cold storage.

We are not talking about that, at all. We are discussing where to collect randomness from. A weak source of randomness will render the best cypher useless.
Also, if I want to extract randomness from /dev/urandom myself to pipe into electrum or sx, does it still count as 'doing it myself'?

Anyways, could anybody answer the questions in the opening post?

Abdussamad already answered partially.

I took that Stanford crypto class (and just barely passed it, dear god it was difficult), and the main thing I took away from it was "ZOMG DONT MAKE YOUR OWN CRYPTO."  Just use standard libraries and time-tested algorithms.  The best minds in the world came up with those and if they've been around a while, they're probably as good as you're gonna get.  Anything you come up with yourself is probably wrong, and you won't know it until you get hacked, because it hasn't been in the wild being tested and attacked.  Don't roll your own crypto!  Don't roll your own implementation!  Use the standard libraries.  That's what they're there for!!!

It's very difficult to convince someone that they're not as smart as they think they are.

What it really comes down to is this: if you're not a cryptographer, you shouldn't be coming up with your own cryptography (and that definitely applies to coming up with your own RNG). To do otherwise is simply hubris.

I don't mean any disrespect in what I wrote above, it's just that cryptography (and by extension CSPRNGs) is an extremely complex subject which is studied by experts who devote their entire professional life towards that study (and even they frequently make mistakes!). I know I'm not in that league, and I can only presume you're in the same boat, therefore the best advice is to follow the advice of people who know better than either of us.

All of this is why using /dev/urandom is a good idea: it was developed by experts, and it's also why any scheme developed by you or I is fraught with serious risk. (I did not develop the "feed a shuffled deck into a hash function" scheme by the way, i just wrote that simple python script.)

The difference is that your computer is not biased while human beings are biased. We tend to pick similar words. Sentences have structures which limit the possibilities. There are statistical models for all of this stuff.

just dont do it - nothing more to add

In that case every possible way of collecting randomness is a scheme. What is probing /dev/urandom everytime you need a random number, if not a scheme?

Obviously, gmaxwel's quote was refering to a simple deterministic function whose input is a known literary work, I'll agree that if it is simple to memorize such a scheme, then it is quite likely that other people could come up with it, then running it against known corpora is a matter of having the resources to do so. Such resources are relatively accessible nowadays.

A sentence from a book, regardless the language is a very bad idea, but it is not a relevant example in the context of this thread.

Well what is this below if not a scheme?


There was a guy who created a brainwallet from some text in Afrikaans language. He thought he was safe because it wasn't in English. Somebody guessed that text and he lost all his bitcoins.

Human beings aren't very good at this sort of thing.

If you insist on doing this at least use a pbkdf like scrypt instead of a fast hashing function. Google warpwallet for one example. Again gmaxwell is going to complain that no javascript implementation is going to be good enough because its too slow compared to what the crackers are using.

It doesn't apply. It refers to memorable brainwallets extracted from existing texts using schemes. No single condition of those three applies in here.

No sarcasm intended, why does everybody reads "manually entering randomness with a keyabord" as "making a brainwallet from a short memorizable string"? I ask because every single time this subject is touch, all the energy is spent pointing out the weaknesses of brain wallets, which is only remotely related. How de we discuss this without getting tremendously off-topic?

Quote from bitcoinj javadocs

https://bitcoinj.github.io/javadoc/0.12/org/bitcoinj/crypto/HDKeyDerivation.html#createMasterPrivateKey-byte:A-

I don't understand this reasoning, what is wrong with using a string? This is even harmful, I guess some people will feed a byte array with low randomness into that function and think "I'm good, because I didn't use a string".

Read this:

https://bitcointalksearch.org/topic/m.3345309

Why do people assume they are short? I don't need to save the string, it can be a few hundred chars text. I fail to understand how/why this would be a bad idea. Could you guys be more specific?

Say, for example, the body of this forum post I am writting at the momment. Why is it a bad source of randomness? Of course, if post it in here it becomes public, but before I submit it.

Yeah well this is not about short strings. That was just an example. This is about converting user provided entropy into something usable. Ideally the input would be a string representing cards from a deck that the user shuffled. Or coin tosses.

It's really really inadvisable to do this, short human generated strings have very low entropy even (or especially) when you think you're being clever about it. Many people have lost substantial amounts of Bitcoin this way.

Another way to convert your custom string into an electrum wallet is to do a sha256sum md5sum of it. If you are on a nix system:


It will output a hexadecimal number. Then run electrum, select restore from seed and paste in the hex to create a wallet.

edit: 64 hex digits from sha256sum doesn't work in the latest version of electrum. It will only work if you have 32 hex digits i.e. an md5sum.

A computer is generally better at producing random numbers than a human. Methods like shuffling cards, flipping coins, have been shown to be worse than a CRNG. Of course it relies on having access to one. The examples you mentioned just show that popular means little. Two fun facts:
- Casino slot machines use RNG
- Flipping is coin is biased towards the starting state

In any case, it's a matter of being practical too. Flipping a coin 128 times to get a seed is fine. Doing it for every address generated is crazy. I remember a story about the one time pad. During WW2, a team was in charge of making the pads. After a while, they got tired and started reusing them. It didn't take long before the codes were broken.

Thank you for your replies. Abdussamad, that is kind of what I want but I think I prefer bip32. I'll look around a little bit more, it should be possible to do someting similar with sx, or other similar tool, but outputing a bip32 wallet instead.

Now, on a related topic, about the randomness of a randomness source, I am genuinely puzzled with some common advice I see. I might be missing something, but my biggest fear of loosing my coins comes exactly from RNGs. I do not trust them. We just need to look back a year or so to witness many "oh, the RNG was not so random after all", blockchain.info annd android bitcoin wallet have both proven to be weak on this particular matter.
I do not intend to criticize any of these services, quite the contrary, the fact that two well established wallets/services have been successfully targeted by RNG attacks goes to show that random number generation is indeed a weak link in the security chain. Therefore I feel much more peace of mind by controlling the source randomness myself.
I am not worried about replacing some randomness generated or collected by a piece of software on a machine called computer, what I am worried about is using that exact randomness. The reason being that it might not be so random.

btchris, I mean no sarcasm, irony whatsoever, but this confuses me:


If I type a long paragraph talking about a random topic on my mind, I can tell you with all  practical certainty that no other human being will come up with the exact same string, regardless of whatever method he uses to generate strings. I even believe 'banging on the keyboard for a while' could go a long way. In all seriousness, if the concern is reproducible patterns like "asdf"... then I think we're talking about people with very little understanding of large numbers, probabilities, etc. I think we can accept that a person can 'bang on the keyboard for a minute' and get a very random number as the outcome. Or, genuinely curious, why wouldn't this be true?

Please be careful if you use this feature. The entropy integer replaces some of the entropy which Electrum would normally use; if the entropy integer is long enough (39 digits for a 128 bit seed), it will replace almost all of the entropy which Electrum normally uses.

If your integer comes from a good source of entropy, then none of this is any concern. But if not, you're asking for trouble.


If by gibberish you mean dice roles, a well-shuffled deck, or similar, I'd say that's a very good way to generate a wallet. If you mean "banging on the keyboard for a while", I'd be concerned. If you're going to go through all the effort to make your own entropy and store it cold, please take the extra step of using a real entropy source. Otherwise, your "banging on the keyboard" may end up making your wallet weaker than if you had just used the default OS-provided source of pseudo-entropy in the first place (as most wallets do, including Electrum).

If you're getting your entropy from a good source, you can do something like this do convert it to an integer for use with Electrum 2.x (at the command line; if you're on Windows, you need to download Python 3 first, and it's called python.exe instead of python3):


In that case, I used a well-shuffled deck. You only really need the first 25 cards, but a few more wouldn't hurt. I entered "128" for the estimate of bits, this number should be somewhere between 8 and the seed length in bits, usually 128. If you're using a well-shuffled deck, entering 128 is fine, but if you're using something else and if you overestimate how much entropy you've got, you'll end up decreasing the security of your wallet (because of what I described above), so just be careful . For 6-sided dice, you'd need 50 rolls for 128 bits. For 20-sided, 30 rolls. If you're feeling lazy, you can decrease this, but you must decrease the bit count proportionally (and then Electrum will fill in the rest from the OS's pseudo-entropy).

There is no wallet that supports all of these 3. Note also that bip44 is a standard for structuring HD wallets and has nothing to do with mnemonics. That comes with bip39.

electrum 2.0 is a bip32 hd wallet that answers all your questions below but it is *not* bip39/44/38.


You can do this with electrum 2.0 using the command line:


It'll output 12 words which is the seed in mnemonic form. Then run electrum and use the restore wallet option to create a wallet using that seed.



Electrum allows watch only wallets. To create a watch only wallet use the restore option and enter the master public key of the wallet you want to watch (There used to be a great guide but they've removed it from the site). On the "seeded wallet" (the one with the private keys i.e. not watch only) use wallet menu > master public key to get the mpk.


Yes that's what electrum watch only is. All the addresses in your wallet but none of the private keys so you can't spend from the watch only wallet.

I've been looking into switching to HD wallets but there is still some things I prefer about vanilla bitcoin single addresses. I don't keep an wallet per se. I have my keys on cold storage and whenever I need to spend from them, I use mycelium feature "spen from cold storage".

I do not intend to radically change the way I use bitcoin as I feel that I have the amount of security I desire. However, I do want  to start using bip32 wallets instead and possible bip38 encription and possibly bip44 mnemonics.

So the first question is: How do I manually input randomness to a bip32 seed generator tool?
My favorite way of creating keys is manually feeding a very long string of gebrish to a brain wallet tool. I would like to do something like this, but instead of getting a plain bitcoin private key, I want a bip32 seed. If possible bip38 protected and in mnemonic format. I don't know if there is good support for combining these three. By good suport I mean, easily import it to a wallet software in the future. Or, even better, use something like mycelium's 'spend from cold storage' feature.

Another question is: How easy would it be to monitor the balance of an HD wallet?
I carry around the addresses on mycelium as watch-only addresses. I would absolutely want easy access to the balance while having my private keys secured somewhere else. I read that HD wallets have this number ( which name I can't recall ATM ) that is used to derive an address from other address. If I understand this correctly, compromising security of that number would only compromise privacy in the sense that the address hierarchy can be revealed, but the private keys would still be secure. Please correct me if I am wrong in here.
I do not mind managing those numbers with less security than my private keys, but one question still remains: how would easily check the ballance of an HD hierarchy of addresses? Do most wallets suport something like "HD watch only hierarchy"?

thanks in advance.