decred / dcrwallet

A secure Decred wallet daemon written in Go (golang).
https://decred.org
ISC License

Implement BIP39 as an alternative method of seed encoding #956

Open jpz opened 6 years ago

jpz commented 6 years ago

I am submitting this issue to open up discussion, as it seemed a better place for it than discussing in the Slack channel.

Presently the Decred wallet seed is initialised with a 33 word selection from a 512 word dictionary, the PGP Word List.

BIP39 in comparison for 256 bits of entropy with 8 bits of checksum uses 24 words from a standardised 2048 word dictionary.

In the course of reviewing the history of the Decred implementation, I can see this originates here:

And going back further, seemingly to BTCSuite Paymetheus - https://github.com/btcsuite/Paymetheus/commit/20160432ace3a0806006d3740f8ac659d7351762

My thought is that it would be useful to implement BIP39 as an alternative method of initialising the DCR Wallet seed, even if only at the protocol level, as this would give us compatibility with the methods used by other wallets.

(Analogy - in the Electrum front-end for instance, there is an option to initialise the seed with BIP39, even though they do not regard this as their preferred method.)

My main immediate motivation for this is so that I may initialise the wallet identically to Trezor. While this may be unwise for the safety of my Trezor protected private key, nevertheless it can be invaluable for wallet recovery purposes, for both developers and Decred users at large.

In the recovery instructions for Ledger, they point the user to a list of wallets which are BIP39 compatible - presumably because Ledger also is a BIP39 wallet:

Lastly for integrators, it may be convenient if Decred wallet technology was capable of being wholly compatible with Bitcoin wallet library setups and validated against them, as trivial reuse of many parts of altcoin python libraries etc would be much simpler.

While this issue is not intended to advocate specifically a move away from 33 words of PGP to 24 words of BIP39, if this is implemented it gives the flexibility to do this in the future, if we feel it reduces the burden upon new users.

Lastly, just to note that the discussion is not black and white for seed generation; for instance, there is some debate over the best way to initialise seeds amongst developers. In researching this I came across a good discussion on BIP39 by Electrum developers here - http://docs.electrum.org/en/latest/seedphrase.html

annawaw commented 6 years ago

Both 33-word seeds from the PGP word list and 24-word BIP39 seeds represent 256 bits of entropy. PGP word encoding uses a parity bit, so in practice each word stands for 8 bits only. Decred also uses the 33rd word as an 8-bit checksum.

This means that it is possible to round-trip between a 33-word Decred seed and an equivalent 24-word BIP39 seed.

It should be theoretically possible to support BIP39 in dcrwallet and still be fully backwards compatible: i.e. supporting exporting/importing both 33 word and 24 word seeds.

matheusd commented 5 years ago

While we don't have native support for BIP39 wallets in dcrwallet, this tool can convert a BIP39 mnemonic seed into a hex seed importable into dcrwallet:

https://github.com/matheusd/bip39-to-dcr-seed

mikeyb commented 5 years ago

For those who got my previous comment notification, apologies. Reading github issues before coffee is bad

jrick commented 5 years ago

Yeah, this is tough to do. Existing seeds can not be converted to a BIP39 mnemonic (mnemonic -> seed is a one-way cryptographic operation), so even if this were to be done, we would need to keep both BIP39 and our PGP word list encoding.