Nano-node: RFC: Standardized Seed Mnemonic System

Created on 8 Mar 2018 · 4 Comments · Source: nanocurrency/nano-node

Motivation

Creating a standardized mnemonic system for storing seeds seems like it would be a great benefit to the community.

A mnemonic code or sentence is superior for human interaction compared to the handling of raw binary or hexadecimal representations of a wallet seed. The sentence could be written on paper or spoken over the telephone.

This is one of the future items on the docket for NanoVault, and I think it would be a good idea to standardize this across multiple wallets so that writing your seed down as a mnemonic does not introduce vendor lock-in.

This standard is meant to be a way to transport computer-generated randomness with a human readable transcription. It's not a way to process user-created sentences (also known as brainwallets) into a wallet seed.

Proposal

My proposal is a standard similar to BIP39, modified for use with our 256 bit seeds. The mnemonic generation would be the same, which is copied here for easy reference:

Generating the mnemonic

The mnemonic must encode entropy in a multiple of 32 bits. With more entropy
security is improved but the sentence length increases. We refer to the
initial entropy length as ENT. The allowed size of ENT is 128-256 bits.

First, an initial entropy of ENT bits is generated. A checksum is generated by
taking the first ENT / 32 bits of its SHA256 hash. This checksum is
appended to the end of the initial entropy. Next, these concatenated bits
are split into groups of 11 bits, each encoding a number from 0-2047, serving
as an index into a wordlist. Finally, we convert these numbers into words and
use the joined words as a mnemonic sentence.

The following table describes the relation between the initial entropy
length (ENT), the checksum length (CS) and the length of the generated mnemonic
sentence (MS) in words.

CS = ENT / 32
MS = (ENT + CS) / 11

|  ENT  | CS | ENT+CS |  MS  |
+-------+----+--------+------+
|  128  |  4 |   132  |  12  |
|  160  |  5 |   165  |  15  |
|  192  |  6 |   198  |  18  |
|  224  |  7 |   231  |  21  |
|  256  |  8 |   264  |  24  |

Wordlist

An ideal wordlist has the following characteristics:

a) smart selection of words

  • the wordlist is created in such a way that it's enough to type the first four
    letters to unambiguously identify the word

b) similar words avoided

  • word pairs like "build" and "built", "woman" and "women", or "quick" and "quickly"
    not only make remembering the sentence difficult, but are also more error
    prone and more difficult to guess

c) sorted wordlists

  • the wordlist is sorted which allows for more efficient lookup of the code words
    (i.e. implementations can use binary search instead of linear search)
  • this also allows a trie (a prefix tree) to be used, e.g. for better compression

The wordlist can contain native characters, but they must be encoded in UTF-8
using Normalization Form Compatibility Decomposition (NFKD).

From mnemonic to seed

This section is modified from the BIP39 standard to fit with our seed key length and use the new Argon2 hashing function.

A user may decide to protect their mnemonic with a passphrase. If a passphrase is not present, an empty string "" is used instead.

To create a binary seed from the mnemonic, we use the Argon2 function with a mnemonic sentence (in UTF-8 NFKD) used as the password and the string "mnemonic" + passphrase (again in UTF-8 NFKD) used as the salt.

Argon2di is used as a key derivation function with the parameters:

  • iterations: 128
  • parallelization (number of threads): 1
  • memory size: 1024kb
  • output length: 32 bytes (the default for Argon2)

This gives a good compromise of time and memory protection while being fast enough to calculate relatively quickly even on low-power devices like cell phones.
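As an added illustration of the procedure above (not code from the issue or from the nano-node project): the entropy-to-mnemonic encoding with the ENT/32-bit SHA256 checksum, the inverse decoding that rejects unknown words and checksum mismatches, and the Argon2 seed step. The 2048-entry wordlist is a constructed placeholder (the real BIP39 list is not reproduced in the proposal), the argon2-cffi package is assumed to be installed, and "Argon2di" is read as Argon2id, which is an assumption.

```python
import hashlib
from bisect import bisect_left

# Constructed placeholder wordlist: 2048 unique, sorted entries standing in for the
# real 2048-word BIP39 list, which the proposal references but does not reproduce.
WORDLIST = [f"word{i:04d}" for i in range(2048)]

def word_index(word: str) -> int:
    """Binary search (the list is sorted, as the proposal's point c) requires)."""
    i = bisect_left(WORDLIST, word)
    if i == len(WORDLIST) or WORDLIST[i] != word:
        raise ValueError(f"unknown word: {word}")
    return i

def entropy_to_mnemonic(entropy: bytes) -> list[str]:
    """ENT bits -> MS words: append CS = ENT/32 checksum bits, cut into 11-bit groups."""
    ent = len(entropy) * 8
    if ent % 32 or not 128 <= ent <= 256:
        raise ValueError("ENT must be a multiple of 32 bits between 128 and 256")
    cs = ent // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs)  # first CS bits (CS <= 8)
    bits = (int.from_bytes(entropy, "big") << cs) | checksum
    total = ent + cs
    return [WORDLIST[(bits >> (total - 11 * (i + 1))) & 0x7FF] for i in range(total // 11)]

def mnemonic_to_entropy(words: list[str]) -> bytes:
    """Inverse of entropy_to_mnemonic; rejects unknown words and checksum mismatches."""
    if len(words) not in (12, 15, 18, 21, 24):
        raise ValueError("mnemonic must be 12, 15, 18, 21 or 24 words")
    total = len(words) * 11
    cs = total // 33            # ENT + CS = 33 * CS, so CS = (ENT + CS) / 33
    bits = 0
    for w in words:
        bits = (bits << 11) | word_index(w)
    entropy = (bits >> cs).to_bytes((total - cs) // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    if bits & ((1 << cs) - 1) != expected:
        raise ValueError("checksum mismatch: a word was mistyped or swapped")
    return entropy

def mnemonic_to_seed(words: list[str], passphrase: str = "") -> bytes:
    """Seed derivation as the proposal describes it, via argon2-cffi (assumed installed);
    the text's 'Argon2di' is read here as Argon2id, which is an assumption."""
    import unicodedata
    from argon2.low_level import Type, hash_secret_raw
    password = unicodedata.normalize("NFKD", " ".join(words)).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hash_secret_raw(password, salt, time_cost=128, memory_cost=1024,
                           parallelism=1, hash_len=32, type=Type.ID)
```

The checksum only catches transcription errors; it is not a secret, so a mistyped sentence is rejected rather than silently producing a different seed.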

All 4 comments

euru

In the meantime I use this tool https://github.com/iancoleman/bip39 to generate a 24-word seed and use its entropy as the seed for the Nano Desktop wallet.

I second this

BIP39 please. That would open a potential road / make it easier to integrate into hardware wallets in the future (i.e. Trezor Model T).
