soqt
commented
6 years ago Thanks for your suggestion. Will change the default to 24 words & use the same derivation as Ledger.
Open murbard opened 6 years ago
soqt
commented
6 years ago Thanks for your suggestion. Will change the default to 24 words & use the same derivation as Ledger.
murbard
commented
6 years ago Note that the ledger derivation will soon change for tz1 addresses. Currently it is using a version of bip32 for ed25519 which only allows to derive hardened keys. Ledger has indicated they will use bip32-ed25519 in the next firmware release.
An implementation of bip32-ed25519 is available in OCaml (and Python in the test directory) here https://github.com/vbmithr/ocaml-bip32-ed25519
soqt
commented
6 years ago I noticed there are a couple version of bip32 ed25519 specifications. The python version of the repo above uses pure SHA512 without message parameter to derive the root key. However, both hdkey and ed25519-hd-key use HMAC-SHA512 with message to derive root key from seed. They are resulting different private key and corresponding public key. The ed25519-hd-key node module follows SLIP-0010 - Specification, and the repo above follows bip-ed25519 paper. Is that safe to use ed25519-hd-key node module to derive keys?
murbard
commented
6 years ago Good question. I would recommend following bip32-ed25519.
Currently the Ledger app uses SLIP-0010, but the next firmware update is supposed to migrate to bip32-ed25519. Initially the app will likely have a setting that lets users select which key derivation method to use, but it'll default to bip32-ed25519.
soqt
commented
6 years ago Thanks for your answer! bip32-ed25519 should be ready in very soon as I'm working on it.
24 words provide more entropy, more checksum bits and are the default on Ledger devices. Support for 15 word mnemonics from other wallets makes sense, but it would be better to default to 24 words and use the same derivation used for the Ledger application.