merland / seedpicker

Create your own BIP39 seed phrase, securely and transparently.
http://seedpicker.net
MIT License

Display XPUB #9

Closed merland closed 4 years ago

merland commented 4 years ago

IN ORDER TO securely obtain the XPUB of the seed and then write it down on a piece of paper, AS A user who is in the process of generating a secure seed, I WANT the last word calculator to also calculate the seed's XPUB and display it.

Rationale: If you have a securely generated seed and its corresponding XPUB, you can use this as an additional factor in a multifactor scheme, without having to buy an additional hardware wallet.

Possible next steps:
Display the derivation path
Display the XPUB as QR

Thanks to @mflaxman for this feature request!

mflaxman commented 4 years ago

Awesome!

The ultimate UX would be to build something that is by default compatible with Electrum client's "native segwit multisig" which is p2wsh using derivation path m/48'/1'/0'/2' (Zpub on mainnet and Vpub on testnet). If you go this route, I would recommend this for one key for all users because they're unlikely to mess it up and you eliminate RNG risk.

Another option with a worse UI would be to just allow users to enter a BIP32 derivation path (complicated!) but not allow them to select address encoding (SLIP-132 version bytes). That way they could input their own path and then convert that xpub using these steps: https://github.com/iancoleman/bip39/issues/351

merland commented 4 years ago

Thanks, this looks super helpful! I have a strong preference for small issues, so will probably use this information to create several more issues further on.

merland commented 4 years ago

@mflaxman Would you please elaborate on the reason to use exactly m/48'/1'/0'/2' for the derivation path?

mflaxman commented 4 years ago

No good reason, just that this is what Electrum uses for multisig. This makes it currently by far the easiest way to do multi HW wallet multisig.

merland commented 4 years ago

A rough version of this is now deployed to http://seedpicker.net/calculator/last-word.html, please try it out. The XPUB shown is not (yet) converted to Zpub or Vpub, though. Expect more updates soon.

merland commented 4 years ago

Latest deployed version now uses the derivation path m/48'/0'/0'/2'. This is what Electrum multisig uses for bitcoin mainnet.

merland commented 4 years ago

New version that displays Zpub is now live.

mflaxman commented 4 years ago

I just tested and this is amazing, I love it!

I figured out the reason for the difference in paths: Electrum uses m/48'/0'/0'/2' for mainnet and m/48'/1'/0'/2' for testnet (I've been mostly playing on testnet). It's not obvious, but you can see it here: https://github.com/spesmilo/electrum/blob/58681e4d077fe9eb9670222252a19db49f671ddd/electrum/keystore.py#L819

Two resulting extended pubkeys muck up the UI a bit unfortunately. Would it be possible to show both of these paths and the resulting Zpub & Vpub, respectively? On that note, I see no reason to include the xpub and it will likely confuse people... Maybe you could have an advanced section where you show that if needed but hide it by default?

merland commented 4 years ago

> I figured out the reason for the difference in paths: Electrum uses m/48'/0'/0'/2' for mainnet and m/48'/1'/0'/2' for testnet (I've been mostly playing on testnet).

Yeah, I figured it out too. That's why I deleted my earlier question about it, haha :)

> Two resulting extended pubkeys muck up the UI a bit unfortunately. Would it be possible to show both of these paths and the resulting Zpub & Vpub, respectively? On that note, I see no reason to include the xpub and it will likely confuse people... Maybe you could have an advanced section where you show that if needed but hide it by default?

This is really good feedback, we'll see what we can do about it (I got my friend @jorgen99 onboard now too).

Not showing the xpub makes sense, I think. Regarding the Vpub, maybe there should be like a "master switch" on the page, to enable switching between mainnet and testnet... Or even two different pages. Testnet is nice but it shouldn't interfere with the UX of those who use only mainnet (which is true for 99.99% of all non-techies, I guess).

merland commented 4 years ago

New version deployed now. Less info for the normal user and more info for the advanced user who clicks the "Show more" button. Any feedback/comments appreciated!

merland commented 4 years ago

Found a flaw in the current version... The Vpub (testnet) is calculated using the mainnet derivation path. Will fix tomorrow.

merland commented 4 years ago

The flaw mentioned in the last comment is fixed now. A new section for testnet specifics has been created at the bottom of the page, below the "show more" button. We've also added some more validations and checks.
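The SLIP-132 version-byte re-encoding that mflaxman linked earlier in the thread, together with the path-to-network check behind the testnet fix described in this comment, as an added Python example (not seedpicker's own code). The version bytes are the ones listed in SLIP-132; the sample payload is constructed, and the function names are this example's own assumptions.

```python
import hashlib

# SLIP-132 version bytes for extended public keys: BIP32 xpub/tpub and the
# p2wsh-multisig Zpub (mainnet) / Vpub (testnet) that Electrum expects.
VERSION = {"xpub": 0x0488B21E, "tpub": 0x043587CF, "Zpub": 0x02AA7ED3, "Vpub": 0x02575483}
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    data = payload + _checksum(payload)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out  # leading 0x00 -> '1'

def b58check_decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on a non-base58 character
    data = b"\x00" * (len(s) - len(s.lstrip("1"))) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if _checksum(data[:-4]) != data[-4:]:
        raise ValueError("bad base58check checksum")
    return data[:-4]

def slip132_target_for_path(path: str) -> str:
    # Electrum p2wsh multisig: m/48'/0'/0'/2' is mainnet (Zpub), m/48'/1'/0'/2' is testnet (Vpub)
    parts = path.split("/")
    if len(parts) != 5 or parts[0] != "m" or parts[1] != "48'" or parts[4] != "2'":
        raise ValueError("not a BIP48 p2wsh path: " + path)
    try:
        return {"0'": "Zpub", "1'": "Vpub"}[parts[2]]
    except KeyError:
        raise ValueError("unknown coin type in " + path) from None

def convert_ext_pubkey(ext_key: str, path: str) -> str:
    # Swap the 4 version bytes for the ones the *path* implies. Deriving the target from
    # the path (not from a user choice) is what rules out a Vpub built at the mainnet path.
    payload = b58check_decode(ext_key)
    if len(payload) != 78 or payload[45] not in (2, 3):  # BIP32 layout; pubkey at offset 45
        raise ValueError("not an extended public key")
    return b58check_encode(VERSION[slip132_target_for_path(path)].to_bytes(4, "big") + payload[4:])

# Constructed sample (not a real wallet key): xpub version, depth 4, fake parent
# fingerprint, child index 2', 32-byte chain code, compressed secp256k1 G as the pubkey.
SAMPLE_PAYLOAD = (VERSION["xpub"].to_bytes(4, "big") + b"\x04" + b"\xde\xad\xbe\xef"
                  + (0x80000002).to_bytes(4, "big") + bytes(range(32))
                  + bytes.fromhex("0279BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798"))
```

Feeding `b58check_encode(SAMPLE_PAYLOAD)` into `convert_ext_pubkey` with the mainnet path yields a `Zpub...` string and with the testnet path a `Vpub...` string; any other path is rejected rather than silently encoded.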

mflaxman commented 4 years ago

I found the same flaw in the previous version, so didn't bother to comment. I just spent a while playing with this version and I think it is fantastic. I want to do more testing to be 100% sure, but my immediate reaction is very positive.

Excellent work, this is a huge improvement in multisig for the masses! Users can now do multi-hw wallet multisig with only 2 hardware wallets by default and eliminate the risk of a compromised CSPRNG. They can then put this seed on a cryptosteel and only ever use it for recovery in the future (when there will probably be more hardware wallet options).

Functionally, I think this is awesome, but I have some minor UI concerns that I'll submit as separate tickets. I'd recommend closing this issue now.

Great work!

merland commented 4 years ago

Really glad you like it! We consider the current version as just a first draft to provoke some good feedback, so that was successful :) We will consider your other tickets one by one. Thanks again for your great feedback and ideas. Closing this issue now.