Title: PBKDF2 questions
Post by: Sanglotslongs on March 31, 2021, 10:04:18 AM

Hello,

I'm trying to understand the PBKDF2 function. From "learnmeabitcoin" (https://learnmeabitcoin.com/technical/mnemonic): https://imgur.com/LygBg72

So PBKDF2 is HMAC-SHA512 with two parameters:
1) password as "mnemonic sentence"
2) salt as "mnemonic sentence + passphrase"

For my example I will use an empty passphrase.
For HMAC I'm using: https://www.freeformatter.com/hmac-generator.html#ad-output
To check PBKDF2 I'm using https://iancoleman.io/bip39/

BIP39 mnemonic:
Code: conduct coral enrich local script mountain remain fringe latin throw w

Entropy HEX:
Code: 2ec6052c41ac1b212d62e87d7c2bf4fc

I did a modification in the IANCOLEMAN/BIP39 html file, changing:
Code: var Mnemonic = function(language) {
with:
Code: var Mnemonic = function(language) {

With my BIP39 file with PBKDF2_ROUNDS = 1 I have:

BIP39 Seed from IANCOLEMAN file:
Code: 001f53a43e04c1dd4980bc65ea6f68c33124a671ce9d407b1c5c52adcbfddef3f51784f824af6c6f8cd7beb2cdad02b39638e3c77dd0fd48865573fcb73cf0df

But with my online tool HMAC-SHA512:
Code: 6d03c97c00754be669e684b37cdad6a35ac989ce61411ac38823074fdae281b8ad2a707ea0d341e7a5b5b2e6ae465669a635d2402845a20ad80b320abaa45b60

What am I doing wrong? I just want to understand this function, but I can be wrong in many ways: wrong input type for HMAC, is the default passphrase really empty... Is "BIP39 seed" from the Ian Coleman file the HMAC-SHA512 result from the entropy seed?

Title: Re: PBKDF2 questions
Post by: NotATether on March 31, 2021, 11:15:18 AM

When you changed the number of rounds from 2048 to 1, you changed the number of times that HMAC-SHA512 is run to just once. That is why you're getting a different hash, because instead of hashing subsequent outputs of HMAC-SHA256 it's just hashing the seedphrase and extended words and using that as the result.
Title: Re: PBKDF2 questions
Post by: j2002ba2 on March 31, 2021, 11:22:41 AM

> So PBKDF2 is HMAC-SHA512 with two parameters:
> 1) password as "mnemonic sentence"
> 2) salt as "mnemonic sentence + passphrase"

PBKDF2 is not HMAC-SHA512 (in this case it uses it): https://en.wikipedia.org/wiki/PBKDF2#Key_derivation_process

HMAC-SHA512 with key="conduct coral enrich local script mountain remain fringe latin throw wood web", and salt="mnemonic"+00000001 gives the correct result.

Title: Re: PBKDF2 questions
Post by: ranochigo on March 31, 2021, 11:23:08 AM

The salt is not the seed itself. While the BIP seems to indicate that the whole mnemonic is used as a salt again, that is not the case. The salt is only "mnemonic".

Try using this: https://stuff.birkenstab.de/pbkdf2/.
Code: Message (password):

Title: Re: PBKDF2 questions
Post by: Sanglotslongs on March 31, 2021, 01:07:24 PM

> ~ Hands down good description on PBKDF2 (https://bitcointalk.org/index.php?topic=5316005#post_four) function delivered by webtricks:
> [if there is no passphrase] => salt ≡ 'mnemonic',
> [if there is passphrase ≡ 'yourpassphrase'] => salt ≡ 'mnemonicyourpassphrase'
> Hope it will help you.

Thank you!

> The salt is not the seed itself. While the BIP seems to indicate that the whole mnemonic is used as a salt again, that is not the case. The salt is only "mnemonic".
>
> Try using this: https://stuff.birkenstab.de/pbkdf2/.
> Code: Message (password):

Didn't know this website, thanks for sharing. Do you know what format MESSAGE and SALT are? I thought parameters must be in binary, but inside github:
Code: export function Pbkdf2HmacSha512(password: Uint8Array, salt: Uint8Array, count: number, length: number): Uint8Array {

Title: Re: PBKDF2 questions
Post by: j2002ba2 on March 31, 2021, 01:37:52 PM

> Didn't know this website, thanks for sharing. Do you know what format MESSAGE and SALT are? I thought parameters must be in binary, but inside github:

All is binary. If you are interested in PBKDF2 and HMAC, it's explained in detail in wikipedia.
Code: password:

Title: Re: PBKDF2 questions
Post by: webtricks on March 31, 2021, 02:35:42 PM

> ~~ Didn't know this website, thanks for sharing. Do you know what format MESSAGE and SALT are? I thought parameters must be in binary, but inside github:
> Code: export function Pbkdf2HmacSha512(password: Uint8Array, salt: Uint8Array, count: number, length: number): Uint8Array {

As you can see, the function has defined the type of the `password` and `salt` parameters as Uint8Array. Uint8Array is a handy way to store and work with bytes in JS (and TS). In Bitcoin, message and salt are provided as ASCII characters which are then converted into binary during the PBKDF2 function.

These values are then used as parameters in a pseudorandom function which is iterated c number of times. The above library is first converting ASCII characters into hexadecimal and then storing each byte as an 8-bit unsigned integer in a Uint8Array.

Title: Re: PBKDF2 questions
Post by: Sanglotslongs on March 31, 2021, 02:42:43 PM

How long can the salt be?
Title: Re: PBKDF2 questions
Post by: NotATether on March 31, 2021, 04:50:30 PM

> How long can the salt be?

The salt can be as long as you want, as long as the underlying digest function supports salts of that length. The salt is only passed to the HMAC-SHA512 function during the first iteration, and in that particular round the salt is concatenated with 0x01000000 in hex, and this number represents 1 in 32-bit big endian form.

Because of the way PBKDF2 works, it's possible to have an output length that is a multiple of the digest length, for example: PBKDF2 outputting 1024 or 4096 bits, using an HMAC-SHA512 digest function 512 bits wide. In those cases we break the input into blocks of 512 bits and run the digest on each of them, using whichever index number we gave the block of 512 bits instead of "1". For example, suppose the digest size is 2048 and we have 3 iterations, and are using the digest function HMAC-SHA512: https://i.ibb.co/DL4ZX0h/pbkdf2.png

The + is concatenation and not addition.

HMAC can handle arbitrary-sized salts just fine, because they are directly passed to the hash function (SHA512), which knows how to break it down into manageable block sizes as well.
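The derivation described in j2002ba2's and NotATether's replies, written out step by step as an added example (not code from the thread or from any of the tools it links). It assumes only Python's standard hashlib and hmac modules, and uses the 12-word mnemonic j2002ba2 quoted with an empty passphrase as its constructed input; each block's first PRF call takes salt || INT_32BE(i), so with rounds = 1 the seed is exactly one HMAC-SHA512 of ("mnemonic" + 00000001) under the mnemonic as key.

```python
import hashlib
import hmac
import struct

# Constructed input: the mnemonic j2002ba2 quoted in the thread, empty passphrase.
MNEMONIC = "conduct coral enrich local script mountain remain fringe latin throw wood web"


def pbkdf2_hmac_sha512(password: bytes, salt: bytes, rounds: int, dk_len: int) -> bytes:
    """PBKDF2 (RFC 8018) with HMAC-SHA512 as the PRF, block by block.

    Block i (1-based): U1 = PRF(password, salt || INT_32BE(i)), U_j = PRF(password, U_{j-1}),
    T_i = U1 xor U2 xor ... xor U_rounds. Blocks are concatenated and cut to dk_len.
    The salt is only ever fed to the first PRF call of each block.
    """
    h_len = hashlib.sha512().digest_size          # 64 bytes = 512 bits per block
    n_blocks = -(-dk_len // h_len)                 # ceiling division
    out = b""
    for i in range(1, n_blocks + 1):
        u = hmac.new(password, salt + struct.pack(">I", i), hashlib.sha512).digest()
        t = bytearray(u)
        for _ in range(rounds - 1):
            u = hmac.new(password, u, hashlib.sha512).digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        out += bytes(t)
    return out[:dk_len]


def bip39_seed(mnemonic: str, passphrase: str = "", rounds: int = 2048) -> bytes:
    """BIP39: password = mnemonic sentence, salt = "mnemonic" + passphrase, 64-byte output."""
    return pbkdf2_hmac_sha512(mnemonic.encode("utf-8"),
                              ("mnemonic" + passphrase).encode("utf-8"), rounds, 64)


def single_hmac(mnemonic: str, passphrase: str = "") -> bytes:
    """One HMAC-SHA512 over salt || 00000001: what an online HMAC tool must be fed to match rounds=1."""
    msg = ("mnemonic" + passphrase).encode("utf-8") + b"\x00\x00\x00\x01"
    return hmac.new(mnemonic.encode("utf-8"), msg, hashlib.sha512).digest()


def reference(mnemonic: str, passphrase: str = "", rounds: int = 2048, dk_len: int = 64) -> bytes:
    """Library implementation, used to cross-check the hand-written one."""
    return hashlib.pbkdf2_hmac("sha512", mnemonic.encode("utf-8"),
                               ("mnemonic" + passphrase).encode("utf-8"), rounds, dk_len)


if __name__ == "__main__":
    print("rounds=1  :", bip39_seed(MNEMONIC, rounds=1).hex())   # compare with the thread's rounds=1 value
    print("rounds=2048:", bip39_seed(MNEMONIC).hex())            # the real BIP39 seed
```

Changing `dk_len` to 128 or 256 exercises the multi-block path, where block 2 uses INT_32BE(2) in place of 00000001.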