Skip to content

Instantly share code, notes, and snippets.

@ksedgwic

ksedgwic/seedtool-cli-notes.md

Created April 7, 2020 16:29
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save ksedgwic/1dc364a17f4d074a2faa47715ddcda70 to your computer and use it in GitHub Desktop.
Save ksedgwic/1dc364a17f4d074a2faa47715ddcda70 to your computer and use it in GitHub Desktop.
Download ZIP
Seedtool Specification Notes
Raw
seedtool-cli-notes.md

Some thoughts about the Seedtool Specification

Default Sizes

I think the default (encouraged) sizes for BIP-39 should be 12 words and SLIP-39 shares should be 20 words.

The only arguments I'm aware of for the larger sizes are:

  1. They are much more secure. I think this is a really bad deal. 128 bits of entropy are completely adequte and the additional cost of recording, transcribing etc of the larger sizes have a terrible cost, especially with the low-tech methods we otherwise desire for cold storage security.

  2. They help secure the recovery procedure of the Trezor One. The Trezor Wiki describes it well:

To mitigate any risks of the seed being compromised by malicious key-logging software, the Trezor One device instructs the user to enter the individual words in random order - instead of entering all words in sequence from the first word to the last one. Computing a valid seed out of 24 random seed words is almost impossibly difficult (i.e., this never happens).

To add more strength (randomness) when recovering a 12-word seed on Trezor One, there are 12 fake dummy words introduced by the device and mixed in the pool with the real words. The user inputs the real words mixed with the fake ones, all randomly shuffled, and the device itself sorts them out.

The recovery process using Trezor Model T is limited to the "on-device" input, meaning that the words never touch a potentially compromised environment and always stay safe as you type them in using the touchscreen. In this case, 12 words are sufficient. The 128-bit entropy (randomness) provided by 12 words is widely considered to be plenty secure.

Default Truncation of the Seed

The proposal is to use all 32 bytes of the SHA256 hash as a seed:

The SHA256 is then taken of the resulting array, yielding a deterministic seed.

If a smaller seed is desired, the --count option can specify that the SHA256 be truncated to a fewer number of bytes.

I am aware of 3 similar tools:

All three use the first 16 bytes of the SHA256 hash as the seed. All three generate the same mnemonic passphrase for the dice roll of "123456".

PyMultiWallet:

[user@arduino pymultiwallet] git:(master)$ mw --entropy --generate
Enter entropy string followed by a \n. No entropy is added, make sure you provide enough.
: 123456
mirror reject rookie talk pudding throw happy era myth already payment owner

Mnemonic Code Converter:

settings: "Show entropy details", Entropy="123456", "Base 10", "12 words"

Mnemonic Code Converter Mnemonic Code Converter

Seedtool: Lethekit Seedtool

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment