Pages:
Author

Topic: Why is bip 39 a very much reoccurring word in Bitcoin (Read 424 times)

legendary
Activity: 3472
Merit: 10611
The problem (if any), lies in PBKDF, which produces the seed from the mnemonic phrase. People say that this can reduce the initial entropy. I silently agree with them, but I a need to educate myself more before writing something here.
The only way I can see this being problem (although it doesn't seem to be) is because mnemonic is used in PBKDF2 as a UTF8 string not the initial entropy (raw bits it represents). That could create bias in the KDF entry which has to be analyzed by experts to conclude whether this also reduces security or not.

The fix would be simple though, all it takes is to convert the string into its initial entropy representation and use that raw bits (128 bit to 256 bit) in the KDF instead of using the string.
hero member
Activity: 560
Merit: 1060
I'm no expert either but frankly I don't see how the base security of a random chunk of 128 or 256 bits is hampered by BIP39 representation of it with human readable and easily writable words.

Disclaimer: I still use BIP39 wallets, but the majority of my wallets are Electrum ones.

I will derail a little, but the reason why I will do that will be to express an opinion that BIP39 is not bad by default.
Yes, there are issues with BIP39, but after all, it still represents a universal way to secure bitcoin, which is addressed to the great majority of people.

Bitcoin's cryptographical security is 128 bits.
Bitcoin uses the secp256k1 elliptic curve to derive a public key from the equivalent private key.
That said, if someone wanted to solve the ECDSA algorithm in reverse order (to derive the private key from the public key), they would need to put an effort that is, on average, equivalent to n/2 = 256/2 = 128 bits.
So, there is absolutely no way to get a higher average security than 128 bits.

Entropy's security is 128 - 256 bits (but there is catch, because it can actually range from 0 to 256).
12 words in BIP39 is a representation of 128 bits of initial entropy (like you said).
24 words in BIP39 is a represantation of 256 bits of initial entropy.
A sequence of bits (entropy) when it's gathered from a good entropy source can be as high as 128 or 256 bits.
A sequence of bits (entropy) when it's gathered from a human brain can be as low as 0 bits.

Final notes:
  • 12 words in BIP39 is more than enough, security-wise, provided the entropy is produced from a good source. The problem (if any), lies in PBKDF, which produces the seed from the mnemonic phrase. People say that this can reduce the initial entropy. I silently agree with them, but I a need to educate myself more before writing something here.
  • We are doing multisig, passphrases etc., in order to avoid human error as much as we can, or in order to avoid the chance that a thief can compromise one of our backups and retrieve all of our funds. I could theoretically have a 5-of-5 multisig vault where all the cosigners are produced from different, good sources of entropy. I could also make sure that nobody had access to any of these cosigners. Then, I could send some funds to one of the addresses of this vault. Then, an attacker, would still need on average 128 bits of effort to create a script that unlocks my funds on that address.
  • It is expotentially easier for a wallet to be compromised by human error, rather than by compromising bitcoin's cryptographical security.
  • The private key cd6357efdd966de8c0cb2f876cc89ec74ce35f0968e11743987084bd42fb8944 looks like a random hexadecimal number. If you try to solve the ECDLP backwards, you will indeed need 128 bits of effort to retrieve this private key from the corresponding public key. But if you try something more sophisticated, you will very easily realise that this private key is the sha256("dog"). So bitcoin can give you 128 bits of security but you are responsible not to make stupid moves to diminish this security.
  • The most important thing in bitcoin is the backup system. This is where security lies. This is where people lose funds from. If you create a wallet using a reputable entropy source on an airgapped device, write down your seed phrase (12 words) twice, and then store the 2 pieces of paper in separate locations, the only way that you can lose funds is if someone finds these backups. So again, it won't be the BIP39, nor Bitcoin to blame. I t will be your (or better say, our) inability to find a secure place to store our seed phrase.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
I found this diagram somewhere in this forum, sorry, can't recall where originally:



It describes how starting from a random entropy of usually 128 or 256 bits (then represented by 12 or 24 recovery words defined by BIP39) a HD wallet derives it's keys and addresses (also involved are BIP32 Root Key Derivation and later BIP44, BIP49 and BIP84 derivation path stuff and more (hard to condense in a few words).

I'm no expert either but frankly I don't see how the base security of a random chunk of 128 or 256 bits is hampered by BIP39 representation of it with human readable and easily writable words. The words just represent the initial random entropy together with a partial SHA256 hash checksum. Not more, not less.

Further steps in key derivation don't seem to use insecure crypto hash functions, either. And so far it seems to be secure enough.
legendary
Activity: 2730
Merit: 7065
In BIP39 our "password" is the mnemonic which is encoded from an already strong entropy of between 128 to 256 bits. Adding more "security strength" on top of it is not needed.
I agree with this and it seems logical, but I want to point out that I don't possess enough technical know-how to actually know if your interpretation is correct.
BIP39 seeds are a much more user-friendly representation of a long string that can easily be read by humans. Usually, when you add user-friendliness and simplicity to something, you also compromise security to some degree. How much and if any security at all was compromised with the introduction of the BIP39 standard is something for the more technically-gifted to comment on.
legendary
Activity: 3472
Merit: 10611
Why do they consider it weak from a security standpoint? In other words, how much less secure is it, and are we talking about a worrying threat to a user's coins? A threat that is significant enough to not want to touch it. 
Generally speaking PBKDF2 is considered a weak Key Derivation Function because of how the algorithm is designed. For example RFC-8018 suggests that for anything security critical an iteration above ten million should be used (we use 2048 in BIP39).

The reason I disagree with this part is because there is no need for the KDF to give us any security here because we aren't salting user's entered passwords that may be weak, we are just deriving child keys from an already strong entropy.

An iteration count has traditionally served the purpose of increasing the cost of producing keys from a password, thereby also increasing the difficulty of attack.  Mathematically, an iteration count of c will increase the security strength of a password by log2(c) bits against trial-based attacks like brute force or dictionary attacks.
In BIP39 our "password" is the mnemonic which is encoded from an already strong entropy of between 128 to 256 bits. Adding more "security strength" on top of it is not needed.
legendary
Activity: 2730
Merit: 7065
Neither of the three. According to this reply from Bitcoin Core developer achow101, it is not considered "safe enough":
I would say that falls in the 'not want to' category for the reason of the implementation not being safe enough.

As @BlackHatCoiner said they don't consider it safe enough...
You missed the word "don't" in your post above.
legendary
Activity: 3472
Merit: 10611
That's correct. The reference implementation of Bitcoin called "bitcoin core" doesn't support mnemonic algorithms so if you want to use your BIP39 mnemonic in it you'll have to derive the extended private key (xprv) from that seed phrase and then import that into core using "getdescriptorinfo" command with the desired derivation path.
Some people may hate me after I say this, but Bitcoin Core isn't a very newbie-friendly bitcoin wallet. BIP39 has been around for a decade, and they could have added support for it. The developers either don't want to, don't see a great need for it, or there aren't enough requests to add it. Sure, you can use the master private key instead, but it's even easier with a seed. Bitcoin Core's biggest plus is the full-node feature and being able to use a locally verified copy of the blockchain. Bitcoin Core as a wallet is of secondary importance and isn't for everyone.
Yeah, unfortunately core team hasn't focused on user friendliness as much as we'd like. There are still many things you can only perform through the console by typing commands which is not user friendly at all.

Lack of support for a mnemonic algorithm is one of the missing features. As @BlackHatCoiner said they don't consider it safe enough although I don't agree with the reasoning (PBKDF2 being weak) regarding the quote below from SE I have to point out that Electrum also uses PBKDF2 with the same exact settings as BIP39 (2048 iterations with HMACSHA512), they defined their own algorithm before BIP39 and they use it because of the additional "features" it provides such as a version and a custom word-list not because BIP39 algorithm was weak security-wise.

Quote
Also, more generally, many Bitcoin Core contributors don't consider BIP 39 to be secure. It uses PBKDF2 which is generally regarded to be a fairly weak KDF so it isn't considered to be good for the secure storage of all of your Bitcoin. Some software (such as Electrum) used BIP 39 in the past but have switched to using their own mnemonic algorithm because of this weakness in BIP 39.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
BIP39 algorithm is open source (is known) and pretty straight forward so it is very easy to implement. This means there isn't a need for a special software written by some super expert programmer to be used. If you know basic programming you can write a tiny script that performs what's needed in BIP39 to convert your seed phrase to a private key.
Nonetheless, people shouldn't be expected to write their own recovery software, no matter how simple it might be. That's recipe for disaster.

Some people may hate me after I say this, but Bitcoin Core isn't a very newbie-friendly bitcoin wallet. BIP39 has been around for a decade, and they could have added support for it. The developers either don't want to, don't see a great need for it, or there aren't enough requests to add it.
Neither of the three. According to this reply from Bitcoin Core developer achow101, it is not considered "safe enough":
BIP 39 is not in Bitcoin Core largely for implementation reasons and because BIP 39 is not as secure as it could be.

The structure of Bitcoin Core's wallet doesn't really allow for BIP 39 to be implemented. The current structure doesn't allow for 512 bit seeds as BIP 39 specifies, and adding it would require some significant changes to the wallet code. Implementing BIP 39 would also require implementation of PBKDF2, although that isn't very hard.

Also, more generally, many Bitcoin Core contributors don't consider BIP 39 to be secure. It uses PBKDF2 which is generally regarded to be a fairly weak KDF so it isn't considered to be good for the secure storage of all of your Bitcoin. Some software (such as Electrum) used BIP 39 in the past but have switched to using their own mnemonic algorithm because of this weakness in BIP 39.

BIP 39 mnemonics have some other issues as well such as version numbering (or rather lack of) and the use of a fixed wordlist. Electrum has documented their reasons for why they don't support BIP 39, and those reasons are the same for Bitcoin Core.

That does not explain why they haven't come up with a similar, more secure standard like Electrum, though.
legendary
Activity: 2730
Merit: 7065
By the way, is there a safer way to get the xpriv root bip32 to import into bitcoin core as a descriptor without using iancolam.io, since it is an html file that opens in the browser?
I don't use Bitcoin Core so I don't know the answer to your question. However, you should download the IanColeman tool and use it offline on an airgapped setup. That's the safest and most recommended way to work with it. If you use the tool on an airgapped computer, nothing can leak from it, which isn't the case when you use it on an internet-connected PC.
hero member
Activity: 1120
Merit: 540
Duelbits - Play for Free | Win for Real
-
It would be much more practical to support mnemonics in bitcoin core, at least for import, instead of using xprivs in the descriptor, we would have an extra function to import a descriptor containing a mnemonic, e.g.:
importdescriptors '[{"desc":"combo(bip39([word1,word2,word3...],passphrase/0/*))#fingerprint","timestamp":"now"}]'

By the way, is there a safer way to get the xpriv root bip32 to import into bitcoin core as a descriptor without using iancolam.io, since it is an html file that opens in the browser?

legendary
Activity: 2730
Merit: 7065
That's correct. The reference implementation of Bitcoin called "bitcoin core" doesn't support mnemonic algorithms so if you want to use your BIP39 mnemonic in it you'll have to derive the extended private key (xprv) from that seed phrase and then import that into core using "getdescriptorinfo" command with the desired derivation path.
Some people may hate me after I say this, but Bitcoin Core isn't a very newbie-friendly bitcoin wallet. BIP39 has been around for a decade, and they could have added support for it. The developers either don't want to, don't see a great need for it, or there aren't enough requests to add it. Sure, you can use the master private key instead, but it's even easier with a seed. Bitcoin Core's biggest plus is the full-node feature and being able to use a locally verified copy of the blockchain. Bitcoin Core as a wallet is of secondary importance and isn't for everyone.
legendary
Activity: 3472
Merit: 10611
i know these are broadly used (seed phrases) but are any experts on these boards concerned about having to rely on more than btc core and using or possibility losing the ability to use them in the future (losing your keys?) due to not having access to the software to access (apps that implement BIP39)

is that idea i have unfounded?
BIP39 algorithm is open source (is known) and pretty straight forward so it is very easy to implement. This means there isn't a need for a special software written by some super expert programmer to be used. If you know basic programming you can write a tiny script that performs what's needed in BIP39 to convert your seed phrase to a private key.
newbie
Activity: 24
Merit: 21
Most wallets use the BIP39 standard for generating your wallet backups. Even altcoin wallets use BIP39 seed phrases. With this phrase you can restore all of your addresses and private keys in any wallet that is compatible with this standard.

but this is not native to btc core, correct? so if one uses a "seed phrase" for their keys, they always need some sort of software wallet to.....im not sure how to say it. make the seed phrase usable?
That's correct. The reference implementation of Bitcoin called "bitcoin core" doesn't support mnemonic algorithms so if you want to use your BIP39 mnemonic in it you'll have to derive the extended private key (xprv) from that seed phrase and then import that into core using "getdescriptorinfo" command with the desired derivation path.
i know these are broadly used (seed phrases) but are any experts on these boards concerned about having to rely on more than btc core and using or possibility losing the ability to use them in the future (losing your keys?) due to not having access to the software to access (apps that implement BIP39)

is that idea i have unfounded?



legendary
Activity: 3472
Merit: 10611
Most wallets use the BIP39 standard for generating your wallet backups. Even altcoin wallets use BIP39 seed phrases. With this phrase you can restore all of your addresses and private keys in any wallet that is compatible with this standard.

but this is not native to btc core, correct? so if one uses a "seed phrase" for their keys, they always need some sort of software wallet to.....im not sure how to say it. make the seed phrase usable?
That's correct. The reference implementation of Bitcoin called "bitcoin core" doesn't support mnemonic algorithms so if you want to use your BIP39 mnemonic in it you'll have to derive the extended private key (xprv) from that seed phrase and then import that into core using "getdescriptorinfo" command with the desired derivation path.
newbie
Activity: 24
Merit: 21
Most wallets use the BIP39 standard for generating your wallet backups. Even altcoin wallets use BIP39 seed phrases. With this phrase you can restore all of your addresses and private keys in any wallet that is compatible with this standard.

but this is not native to btc core, correct? so if one uses a "seed phrase" for their keys, they always need some sort of software wallet to.....im not sure how to say it. make the seed phrase usable?
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
BIP39 provides a way to deterministically produce the same pairs of keys by using the same set of 12 words.

The deterministic generation part was technically created in BIP32 and BIP44 not BIP39.

That's where derivation paths and the process of creating private keys from other private keys came from. Eg. m/44'/0'/0' syntax was invented by those two BIPs.

BIP39 invented the word list that you can use to generate all those private keys from.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
I was reading the Bitcoin book on github

Help enlighten me on what the bip 39 is?.

Do you mean this book https://github.com/bitcoinbook/bitcoinbook? If yes, you need to read entire chapter 5 which already explain about BIP 39. Anyway, it'd be great if you have more specific question about BIP 39.
hero member
Activity: 560
Merit: 1060
Bitcoin consists of key-pairs (private - public).

BIP39 provides a way to deterministically produce the same pairs of keys by using the same set of 12 words.

So, it essentially offers an easy-to-read and easy-to-maintain backup solution for your keys. You only have to make sure you backup the 12 words (offline) and you will always have access to your keys. The keys are important because they allow you to spend the coins you have.

I don't like quoting myself, but I don't want to copy paste. This is how BIP39 works technically-wise:

Let's examine how BIP39 works.

So, your device generates 128 bits of entropy (assuming you want 12 words seed phrase). Then the entropy looks like this:

Code:
10001001011110001...001

Then the entropy is hashed with SHA256. From the output, you will hold only the first 4 bits.

So now you have 128 bits of entropy + 4 bits that are called "checksum".

We will split these 132 bits into 12 segments of 11-bits each.

Imagine something like:

Code:
10001001011
11000100100
...
01000100001

Now we will convert those binaries to decimals:

Code:
1099
1572
...
545

Let's go to the BIP39 wordlist and check where these numbers correspond to:

Code:
matter
settle
...
dune
sr. member
Activity: 1680
Merit: 379
Top Crypto Casino
Most wallets use the BIP39 standard for generating your wallet backups. Even altcoin wallets use BIP39 seed phrases. With this phrase you can restore all of your addresses and private keys in any wallet that is compatible with this standard.
legendary
Activity: 3374
Merit: 3095
Playbet.io - Crypto Casino and Sportsbook
BIP39 is a standard used for generating mnemonic phrases or also known as seed phrase backup. It consists of 2048 words that are used to generate 12 to 24 words seed phrase.

All words are listed here https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt

It is widely adopted that support other coins and it is mostly used on hardware wallets. They created BIP39 to make backup easier for users compared to saving all key pairs(Public and private keys).

If you are looking for more info about this better check the wiki here https://en.bitcoin.it/wiki/Seed_phrase

More here https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki
Pages:
Jump to: