You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It is not possible to maintain one single (mnemonic) seed backup for all keychains used across various wallets because there are a variety of incompatible standards. Sharing of seeds across multiple wallets is not desirable for security reasons. Physical storage of multiple seeds is difficult depending on the security and redundancy required.
24
23
@@ -34,9 +33,6 @@ The terminology related to keychains used in the wild varies widely, for example
34
33
# '''BIP39 mnemonic''' is the mnemonic phrase that is calculated from the entropy used before hashing of the mnemonic in BIP39.
35
34
# '''BIP39 seed''' is the result of hashing the BIP39 mnemonic seed.
36
35
37
-
When in doubt, assume '''big endian''' byte serialization, such that the leftmost
38
-
byte is the most significant.
39
-
40
36
==Motivation==
41
37
42
38
Most wallets implement BIP32 which defines how a BIP32 root key can be used to derive keychains. As a consequence, a backup of just the BIP32 root key is sufficient to include all keys derived from it. BIP32 does not have a human friendly serialization of the BIP32 root key (or BIP32 extended keys in general) which makes paper backups or manually restoring the key more error-prone. BIP39 was designed to solve this problem but rather than serialize the BIP32 root key, it takes some entropy, encoded to a "seed mnemonic", which is then hashed to derive the BIP39 seed which can be turned into the BIP32 root key. Saving the BIP39 mnemonic is enough to reconstruct the entire BIP32 keychain, but a BIP32 root key cannot be reversed back to the BIP39 mnemonic.
@@ -55,9 +51,6 @@ For each application that requires its own wallet, a unique private key is deriv
55
51
56
52
The HMAC-SHA512 function is specified in [http://tools.ietf.org/html/rfc4231 RFC 4231].
57
53
58
-
Application codes may be arbitrary but should be semantic, such as a BIP number,
59
-
ASCII character code sequence, or similar.
60
-
61
54
===Test vectors===
62
55
63
56
====Test case 1====
@@ -85,7 +78,7 @@ BIP85-DRNG-SHAKE256 is a deterministic random number generator for cryptographic
85
78
RSA key generation is an example of a function that requires orders of magnitude more than 64 bytes of random input. Further, it is not possible to precalculate the amount of random input required until the function has completed.
The Application number defines how entropy will be used post processing. Some basic examples follow:
110
102
111
-
Derivation path uses the format <code>m/83696968'/{app}'/{index}'</code> where ''{app}'' is the '''path''' for the application, and ''{index}'' is the index.
103
+
Derivation path uses the format <code>m/83696968'/{app_no}'/{index}'</code> where ''{app_no}'' is the path for the application, and ''{index}'' is the index.
112
104
113
105
===BIP39===
114
106
Application number: 39'
@@ -151,10 +143,6 @@ Language Table
151
143
|-
152
144
| Czech
153
145
| 8'
154
-
|-
155
-
| Portuguese
156
-
| 9'
157
-
|-
158
146
|}
159
147
160
148
Words Table
@@ -219,12 +207,7 @@ OUTPUT:
219
207
===HD-Seed WIF===
220
208
Application number: 2'
221
209
222
-
Uses the most significant 32 bytes<refname="curve-order">
223
-
There is a very small chance that you'll make an invalid
224
-
key that is zero or bigger than the order of the curve. If this occurs, software
225
-
should hard fail (forcing users to iterate to the next index).</ref>
226
-
of entropy as the secret exponent to derive a private key and encode as a compressed
227
-
WIF which will be used as the hdseed for Bitcoin Core wallets.
210
+
Uses 256 bits[1] of entropy as the secret exponent to derive a private key and encode as a compressed WIF which will be used as the hdseed for Bitcoin Core wallets.
228
211
229
212
Path format is <code>m/83696968'/2'/{index}'</code>
230
213
@@ -239,26 +222,17 @@ OUTPUT
239
222
===XPRV===
240
223
Application number: 32'
241
224
242
-
Consistent with BIP32, use the first (leftmost) 32 bytes of the derived entropy as the
243
-
private key<refname="curve-order" />. Prepend an empty byte (<code>0x00</code>)
244
-
per BIP32 on master key serialization. Use the last (rightmost) 32 bytes as the chain code.
245
-
246
-
Child number, depth, and parent fingerprint are forced to zero, as with any root
247
-
private key.
248
-
225
+
Taking 64 bytes of the HMAC digest, the first 32 bytes are the chain code, and second 32 bytes[1] are the private key for BIP32 XPRV value. Child number, depth, and parent fingerprint are forced to zero.
249
226
250
227
Path format is <code>m/83696968'/32'/{index}'</code>
251
228
252
-
253
-
Applications may support Testnet by emitting TPRV keys if and only if the input root key is a Testnet key.
@@ -434,21 +374,9 @@ Many thanks to Peter Gray and Christopher Allen for their input, and to Peter fo
434
374
435
375
BIP32, BIP39
436
376
437
-
==Change Log==
438
-
439
-
* 1.0 (2020-07)
440
-
* 2.0.0 (2024-09-22)
441
-
* Swap chain code and private key bytes in application 32' for consistentcy with BIP-32 (major change)
442
-
* Correct derived entropy for application 128169' test vector (major change)
443
-
* Clarify big endian serialization
444
-
* Add the Portuguese language (9') to application 39'
445
-
* Add dice application 89101'
446
-
* Clarify Testnet support for XPRV application 32'
447
-
* Minor grammar, format, clarity improvements
448
-
449
377
==Footnotes==
450
378
451
-
<references />
379
+
[1] There is a very small chance that you'll make an invalid key that is zero or bigger than the order of the curve. If this occurs, software should hard fail (forcing users to iterate to the next index).
452
380
453
381
From BIP32:
454
382
In case parse<sub>256</sub>(I<sub>L</sub>) is 0 or ≥ n, the resulting key is invalid, and one should proceed with the next value for i. (Note: this has probability lower than 1 in 2<sup>127</sup>.)
0 commit comments