feather-wallet / feather

A free and open-source Monero desktop wallet.
https://featherwallet.org
BSD 3-Clause "New" or "Revised" License

rolling-dice entropy for new seeds #82

Open Monero-HackerIndustrial opened 1 year ago

Monero-HackerIndustrial commented 1 year ago

Hello, I am the developer for monerosigner, a monero fork of seedsigner (A DIY hardware wallet built around pi zero).

The generation of new seeds in my project will use dice rolls as an option for entropy generation of new seeds. In the bitcoin space there is a standard under bip39 for raw entropy to seed. There is no equivalent standard for monero.

Here is a work in progress repo for dice roll entropy to monero seed: https://github.com/Monero-HackerIndustrial/MoneroDice-WalletGen

I avoided the simple "rolls to bytes, then hash" and instead opted for key derivation similar to bip39. Below is the first version to my entropy to monero seed:

```python
# Added for runnability: the original snippet assumed these were already imported/defined.
import hashlib
from monero.seed import Seed  # monero-python: turns a 32-byte hex seed into the 25-word phrase

# In MoneroSigner this is the string of dice rolls typed in by the user (digits 1-6).
dice_rolls = "3615224166" * 5  # constructed sample input, 50 rolls

# The new way uses the key derivation of
# https://github.com/diybitcoinhardware/embit/blob/2bf81739eb5f01f8ad59d23c492fd9d9564eed48/src/embit/bip39.py#L86
PBKDF2_ROUNDS = 2048
# Salt (called "password" in the original snippet): the SHA-256 digest of the same roll string
salt = hashlib.sha256(dice_rolls.encode()).digest()
entropy_bytes = hashlib.pbkdf2_hmac(
    "sha512",                     # PRF: HMAC-SHA512, as in BIP39
    dice_rolls.encode("utf-8"),   # password: the raw roll string
    salt,
    PBKDF2_ROUNDS,
    32,                           # derive 32 bytes = the 256-bit private spend key
)

# The Monero 25-word mnemonic encodes a 32-byte seed given as hex.
seed_hex = entropy_bytes.hex()
s = Seed(seed_hex)
phrase = s.phrase
public_address = s.public_address()
print(phrase)
print(public_address)
```

I am relying on the monero python library which handles converting the hex seed into a seed phrase. That part is documented and standardized in multiple libraries and clients.

Do you see any merit in implementing this in feather wallet? If so I am also early enough in this process I would love your input.

Monero-HackerIndustrial commented 1 year ago

I see that the feather seed key derivation is described as such: https://github.com/feather-wallet/feather/tree/master/src/monero_seed

> The private key is derived from the 128-bit seed using PBKDF2-HMAC-SHA256 with 4096 iterations. The wallet birthday and the 5 reserved/feature bits are used as a salt. 128-bit seed provides the same level of security as the elliptic curve used by Monero.
>
> Future extensions may define other KDFs.

So feather is using similar key derivations except for 2 differences.

- sha256 vs sha512
- # of iterations: 4096 vs 2048
- The salt being the reserved/feature bits.

Is there an advantage to using PBKDF2-HMAC-SHA256 vs PBKDF2-HMAC-SHA512? Bip39 uses sha512 as the kdf. I was basing my choice off of it.

chaserene commented 1 year ago

@Monero-HackerIndustrial Feather uses the Polyseed seed format (https://github.com/tevador/polyseed), which was developed separately from BIP-0039, for better or worse. I'd presume the primitives you see are downstream from Polyseed. Not all parameters check out, but that's probably because, as the warning at the top says, that library is no longer maintained.

Monero-HackerIndustrial commented 1 year ago

I see the note that the library is vendored inside the feather repo. I see that the original polyseed repo is still getting some updates. I went ahead and asked tevador for some of the reasons he chose that specific KDF. The polyseed repo has updated the KDF from 2048 to 10000 rounds of sha256. This might be something worth updating for the vendored library?

Another question: would you be interested in adding dice entropy for key gen in feather? It looks like Polyseed already has a function for taking a raw 128-bit seed and generating a key. You could take raw rolls for a seed or use it as an extra form of entropy for those who are paranoid about not having enough entropy in urandom.
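The two comments above compare the KDF parameters (PBKDF2-HMAC-SHA512 with 2048 rounds versus PBKDF2-HMAC-SHA256 with 4096 rounds and a birthday/feature-bit salt) and raise the idea of using raw rolls as a 128-bit seed. The following is an added example, not code from either project, that does the entropy accounting for d6 rolls and runs both parameter sets side by side. The monero_seed salt layout is not spelled out in this thread, so the `birthday`/`features` packing below is a constructed placeholder, as is the sample roll string.

```python
# Added example: dice-roll entropy accounting and the two PBKDF2 parameter sets from the thread.
import hashlib
import math

ROLL_BITS = math.log2(6)  # entropy of one fair d6 roll, about 2.585 bits


def validate_rolls(rolls: str) -> str:
    """Accept only the digits 1-6; anything else is a transcription error."""
    rolls = rolls.strip()
    if not rolls or any(c not in "123456" for c in rolls):
        raise ValueError("dice rolls must be a non-empty string of digits 1-6")
    return rolls


def is_valid_rolls(rolls: str) -> bool:
    try:
        validate_rolls(rolls)
        return True
    except ValueError:
        return False


def rolls_entropy_bits(n_rolls: int) -> float:
    return n_rolls * ROLL_BITS


def rolls_needed(target_bits: int) -> int:
    """Smallest number of fair d6 rolls carrying at least target_bits of entropy."""
    return math.ceil(target_bits / ROLL_BITS)


def rolls_to_int(rolls: str) -> int:
    """Interpret the rolls as a base-6 number (roll 1 -> digit 0, ..., roll 6 -> digit 5).

    Reducing this to a fixed width (e.g. mod 2**128) is slightly biased because 6**n is
    never a multiple of 2**128; feeding the rolls through a KDF sidesteps that.
    """
    value = 0
    for c in validate_rolls(rolls):
        value = value * 6 + (int(c) - 1)
    return value


def derive_key(rolls: str, hash_name: str, iterations: int, salt: bytes, dklen: int = 32) -> bytes:
    """PBKDF2-HMAC over the roll string; hash_name, iterations and salt are the knobs compared."""
    return hashlib.pbkdf2_hmac(hash_name, validate_rolls(rolls).encode("utf-8"), salt, iterations, dklen)


# Parameter sets as stated in the thread.
MONEROSIGNER_PARAMS = dict(hash_name="sha512", iterations=2048)
MONERO_SEED_PARAMS = dict(hash_name="sha256", iterations=4096)


def monerosigner_style_key(rolls: str) -> bytes:
    # The issue's scheme: salt = SHA-256 of the same roll string. Since the salt is a
    # function of the password, it adds no per-user separation; it only fixes the domain.
    salt = hashlib.sha256(validate_rolls(rolls).encode("utf-8")).digest()
    return derive_key(rolls, salt=salt, **MONEROSIGNER_PARAMS)


def monero_seed_style_key(rolls: str, birthday: int, features: int) -> bytes:
    # Constructed placeholder salt: 16-bit birthday counter plus 5 feature bits in 3 bytes.
    # This is NOT the real monero_seed encoding, which the thread does not spell out.
    salt = birthday.to_bytes(2, "big") + bytes([features & 0x1F])
    return derive_key(rolls, salt=salt, **MONERO_SEED_PARAMS)


SAMPLE_ROLLS = "3615224166" * 5  # constructed sample: 50 rolls, about 129 bits of entropy


def compare(rolls: str = SAMPLE_ROLLS) -> dict:
    """Summarise the roll count, its entropy, and both derived keys for one roll string."""
    return {
        "rolls": len(rolls),
        "entropy_bits": round(rolls_entropy_bits(len(rolls)), 2),
        "sha512_2048": monerosigner_style_key(rolls).hex(),
        "sha256_4096": monero_seed_style_key(rolls, birthday=0, features=0).hex(),
    }


if __name__ == "__main__":
    print("rolls needed for 128 bits:", rolls_needed(128))
    for k, v in compare().items():
        print(k, v)
```

The accounting is the part worth keeping regardless of which KDF wins: 50 fair d6 rolls are the minimum for a 128-bit seed (49 give under 127 bits), and the KDF stretches but never adds entropy, so a short roll string stays weak no matter how many rounds are run.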

tobtoht commented 1 year ago

The monero_seed library and Polyseed are not the same. Feather switched from monero_seed to Polyseed last year. monero_seed is vendored to allow those seeds to be restored, but all newly created seeds use Polyseed.

> Another question, would you be interested in adding dice entropy for key gen in feather?

Yes. I haven't gotten around to implementing this.

Monero-HackerIndustrial commented 1 year ago

> The monero_seed library and Polyseed are not the same. Feather switched from monero_seed to Polyseed last year.

My mistake, that makes sense. Polyseed looks good and sounds like it will be merging into monero core at some point in the future.

> Yes. I haven't gotten around to implementing this.

No worries, I am still learning the reasoning behind certain design choices in Polyseed. Once I have a good enough understanding I will add support in MoneroSigner for it. Let me know if you need any help.

tobtoht commented 7 months ago

Added in 6225e0e389b8ce639f25e0801b96facb06cdecfa.

Monero-HackerIndustrial commented 6 months ago

Awesome job!