search

bitcoinjs / bip39

JavaScript implementation of Bitcoin BIP39: Mnemonic code for generating deterministic keys
ISC License
1.11k stars 447 forks source link

"Invalid Entropy" when using Mnemonic password derived seed as entropy for new Mnemonic #89

Closed lacksfish closed 6 years ago

lacksfish commented 6 years ago

It seems that mnemonicToSeed() returns a Buffer that contains "too much" entropy? https://github.com/bitcoinjs/bip39/blob/v2.5.0/index.js#L99 will then throw an Exception when I try to feed that entropy seed back into entropyToMnemonic()

Below I share the code with which I tried to create a password derived mnemonic with a passphrase based on the optional BIP39 spec with the bip39.js library. I also add a code snippet of how to achieve the encryption using bitcore-mnemonic

// bip39.js
var mnemonic = bip39.generateMnemonic(256);
var seedFromFirstMnemonic = bip39.mnemonicToSeed(mnemonic, "password");
// next line throws
var encryptedSecondMnemonic = bip39.entropyToMnemonic(seedFromFirstMnemonic);
// bitcore-mnemonic
var mnemonic = new Mnemonic(256, Mnemonic.Words.ENGLISH);
var seed = mnemonic.toSeed("password");
var encryptedMnemonic = Mnemonic.fromSeed(seed, Mnemonic.Words.ENGLISH);

The Exception thrown is

lacksfish@computer:~/tmp/path$ node mnemonic-crypt.js
/tmp/path/bip39/index.js:99
  if (entropy.length > 32) throw new TypeError(INVALID_ENTROPY)
                           ^

TypeError: Invalid entropy
    at Object.entropyToMnemonic (/tmp/path/bip39/index.js:99:34)
    at Object.<anonymous> (/tmp/path/mnemonic-crypt.js:7:37)
    at Module._compile (module.js:653:30)
    at Object.Module._extensions..js (module.js:664:10)
    at Module.load (module.js:566:32)
    at tryModuleLoad (module.js:506:12)
    at Function.Module._load (module.js:498:3)
    at Function.Module.runMain (module.js:694:10)
    at startup (bootstrap_node.js:204:16)
    at bootstrap_node.js:625:3

Most likely I'm doing something wrong. Although what is confusing is that bitcore-mnemonic seems to be using the seed/entropy Buffer the way I'd have expected... ( see https://github.com/bitpay/bitcore-mnemonic/blob/master/lib/mnemonic.js#L71)

Environment: Ubuntu 18.04 , Node v8.12.0

dcousens commented 6 years ago

@lacksfish, please see BIP39

The length of the derived key is 512 bits (= 64 bytes).

The derived key is seedFromFirstMnemonic. You are providing greater than 32 bytes of entropy to entropyToMnemonic, which the strict rules are that 128 <= ENT <= 256.

If you see this being done elsewhere, they are probably not adhering to the standard as strictly.

lacksfish commented 6 years ago

Can you then by any chance share the code snippet using bip39.js to derive a mnemonic from another mnemonic given a password as described by the initial BIP39 spec?

I'd really would like to learn more about the plausible-deniability this BIP39 feature offers and I am confused given this functionality seems to be differentiating amongst BIP39 implementations.