Author

Topic: BIP 39 vs Electrum mnemonic seed (Read 6803 times)

hero member
Activity: 672
Merit: 504
a.k.a. gurnec on GitHub
June 09, 2015, 12:39:34 PM
#8
Doesn't this reduce the entropy of the seed?

Yes, but they compensate those lost entropy bits with other further bits of entropy

How do you mean?

Electrum 2.x by default starts with 136 bits of entropy, and then adds and increments a nonce until the resulting HMAC starts with 000000012, so the result has (slightly less than) 128 bits of entropy (since 28-1 out of every 28 potential mnemonics are discarded).

Slightly less, because Electrum also discards mnemonics which are valid for Electrum 1.x wallets to avoid any confusion from restoring such a mnemonic, which removes an additional small amount of entropy.
legendary
Activity: 3710
Merit: 1586
June 09, 2015, 12:11:18 PM
#7
Doesn't this reduce the entropy of the seed?

Yes, but they compensate those lost entropy bits with other further bits of entropy

How do you mean?
full member
Activity: 142
Merit: 104
June 09, 2015, 12:05:00 PM
#6
Doesn't this reduce the entropy of the seed?

Yes, but they compensate those lost entropy bits with other further bits of entropy
legendary
Activity: 3710
Merit: 1586
June 09, 2015, 12:01:05 PM
#5
To determine if a mnemonic is valid without using a word list, Electrum 2.x takes an HMAC of it (using a hardcoded key) and looks at the first byte. In pseudocode:
Code:
if hmac_sha512(key="Seed version", utf8_encoded_mnemonic_sentence)[0] ≠ 0x01:
    fail("invalid checksum")

The only way Electrum can create a mnemonic whose first byte of HMAC is the byte 0x01 is by generating different mnemonics and trying each's HMAC until it finds a valid one, similar to the way vanity address generators work.

Doesn't this reduce the entropy of the seed? If you are going to discard the majority of them and only use the one's that have a mnemonic with a hash beginning with 01 then that reduces the pool of all possible seeds.
hero member
Activity: 672
Merit: 504
a.k.a. gurnec on GitHub
June 08, 2015, 08:09:27 AM
#4
Thanks for the answer!

edited to add: One other very small disadvantage with Electrum 2.x's method: it takes more effort (CPU time) to create a mnemonic, although this extra effort is small compared to the effort required to run PBKDF2 to generate the binary seed which both methods still require.
I don't undertand this part

To determine if a mnemonic is valid without using a word list, Electrum 2.x takes an HMAC of it (using a hardcoded key) and looks at the first byte. In pseudocode:
Code:
if hmac_sha512(key="Seed version", utf8_encoded_mnemonic_sentence)[0] ≠ 0x01:
    fail("invalid checksum")

The only way Electrum can create a mnemonic whose first byte of HMAC is the byte 0x01 is by generating different mnemonics and trying each's HMAC until it finds a valid one, similar to the way vanity address generators work. This takes on average 256 tries, whereas with BIP-39 only a single mnemonic is created, and then its checksum is simply appended.

In order to go from mnemonic to binary seed, 2048 HMAC-SHA512's are needed for both Electrum and BIP-39, so the effort difference is roughly 2304 for Electrum vs. 2048 for BIP-39, about 12.5% greater, not a big deal....
full member
Activity: 142
Merit: 104
June 08, 2015, 01:51:54 AM
#3
Thanks for the answer!

edited to add: One other very small disadvantage with Electrum 2.x's method: it takes more effort (CPU time) to create a mnemonic, although this extra effort is small compared to the effort required to run PBKDF2 to generate the binary seed which both methods still require.
I don't undertand this part
hero member
Activity: 672
Merit: 504
a.k.a. gurnec on GitHub
June 07, 2015, 07:09:03 AM
#2
Hello folks,

BIP 39 and Electrum works differently to generate seeds, both use lists of words to encode the seed, but the first one use the positions of every word into the list to compute the seed, instead Electrum use the hash of the words as seed.

Not quite.... They both use PBKDF2-HMAC-SHA512 to convert a mnemonic sentence to a binary seed (which becomes the extended master private key). BIP-39 uses the positions to calculate/verify the checksum, whereas Electrum uses an HMAC.

Which is the best approach? Why Electrum doesn't simply follow the standard? (At least from version 2).

With BIP 39 you have to known the wordlist, with Electrum you can (could) modify it, add words and so on; or use other language lists without wait that the list will be included into the standard.

I think you just answered your own question Wink

Electrum 2.x is not tied to any particular wordlist (good), however its mnemonics are not compatible with any other wallet (bad(?)). It's a judgement call....

With BIP 39 could be easyer rescue a damaged seed, since the wordlist is know (Ok, 99% of electrum seeds uses the same list).

True, on both points. Seedrecover.py for example assumes that for Electrum seeds, the word lists which currently ship with Electrum were used. If this assumption is wrong, or if Electrum is updated and I don't notice it and don't update seedrecover, it will silently fail.

Am I missing some point?

One other potential minor negative to Electrum 2.x's method: although both can be used to create weak/ill-advised brain-wallet style mnemonics, Electrum's method makes it a bit easier. For example, these are all perfectly valid (if criminally stupid) Electrum 2.x seeds; feel free to try restoring them into Electrum if you doubt it:

Code:
pass666
pass789
p@ss4word
passw0rd6
pa$sword321
p4ssword44444
password456789999

edited to add: One other very small disadvantage with Electrum 2.x's method: it takes more effort (CPU time) to create a mnemonic, although this extra effort is small compared to the effort required to run PBKDF2 to generate the binary seed which both methods still require.
full member
Activity: 142
Merit: 104
June 06, 2015, 10:00:31 AM
#1
Hello folks,

BIP 39 and Electrum works differently to generate seeds, both use lists of words to encode the seed, but the first one use the positions of every word into the list to compute the seed, instead Electrum use the hash of the words as seed.

Which is the best approach? Why Electrum doesn't simply follow the standard? (At least from version 2).

With BIP 39 you have to known the wordlist, with Electrum you can (could) modify it, add words and so on; or use other language lists without wait that the list will be included into the standard.

With BIP 39 could be easyer rescue a damaged seed, since the wordlist is know (Ok, 99% of electrum seeds uses the same list).

Am I missing some point?
Jump to: