Bitgen - tool for addresses, signatures, encryption and transactions

[Financisto]

Very good update this one!

Keep up the good development...

[1714845814]

1714845814

[1714845814]

1714845814

[1714845814]

1714845814

[bit22gen]

Bitgen 0.16 has been released:

http://bitgen.org/

This release includes support for mnemonics to extended addresses for HD wallets (BIP 32).
Random mnemonics are created by bitgen, and the corresponding xprv/xpub addresses are calculated and displayed.

Here is an example of a mnemonic generated by bitgen:

Private part:
http://bitgen.org/mnemonic_sample_private.pdf

Public part:
http://bitgen.org/mnemonic_sample_share.pdf

The supported randomness functions are "random", "dice", "hash" and "hex".
Also an existing mnemonic can be specified.

To generate a 24 word random mnemonic the following command is used:

$ bitgen genMnemonic random

It is possible to create mnemonics with fewer than 24 words. The values 12, 15, 18, 21 and 24 are supported.
If so, the number of words should be specified directly after the "genMnemonic" command, for example:

$ bitgen genMnemonic 15 random

However, 24 word mnemonics are recommended since fewer words reduces the strength of the random data.

If "dice", "hash" or "hex" generation is used the corresponding random data should be given.
For example, the following command will generate a mnemonic from hash data:

$ bitgen genMnemonic hash hJhKHUiisdfiosduoiuueuUUIDUoiudfiosnNMMMDDFSSDFiuUDFIDSFUoiFUiodfOIUoiuqoiuqoiu auiodsodifusdofiuIUIOUOIUDSFoiusdfiouIUFDSfs7dfsd8f7sdfkjsdfsdjfhj3242h34kjsadf kjhsdkjHJKJKJFskjdhfskjdhhsdfhghqhqhqiaibbxvvzzaajassiusadasiduasidfusujhYYUYhJ jsi

If an existing mnemonic is used, the "mnemonic" generation type can be used to calculate the corresponding xprv/xpub addresses.
For example:

$ bitgen genMnemonic mnemonic "tortoise wool skate ribbon tragic noise disorder napkin gossip slice improve vapor"

In the ps/pdf files the lower right QR code is the mnemonic.
The lower left QR code is the corresponding xprv address.
The top left QR code is the xpub corresponding to the xprv.
The top right QR code is the derived address for the derivation path "m/44H/0H/0H".

The derivation path "m/44H/0H/0H" can for example be used with electrum to create a watching only wallet for the addresses corresponding to the mnemonic.

The txt files that are created includes the same information in text form.

[bit22gen]

Bitgen 0.17 has been released:

http://bitgen.org/

This release includes support for split wallets using one-time-pads.

When using split keys, the private key is split in two (or more) parts that all needs to be used in order
to recreate the secret key. The parts by themself do not give information about the private key.

When a split key is created, several 256-bit random numbers are generated instead of just one.
Then the final private key is created by doing bitwise XOR on the parts.

For example, if the following parts are randomly generated:
DBD2CECBBBA5D7D3FAFFB573B59E43A92C50D3135DE89A91614322A36D14ECC0
42EDDF6112DC308EFEAFEB4A8907AF4164FBF1C4DF5A32DEF55AD90DEB96D006

The bitwise XOR of these parts gives the following private key:
993F11AAA979E75D04505E393C99ECE848AB22D782B2A84F9419FBAE86823CC6

More than two parts can be used, in that case N random numbers are generated,
and the private key is the XOR of all N random numbers.

The parts can for example be stored in separate places. If one part should be stolen,
the private key is still safe since all parts are needed to recreate the private key.
With N parts (N-1) parts are not enough to recreate the private key.

To use split wallet with one-time-pad in bitgen, the otpgen command is used, for example:

$ bitgen otpgen 2 random

This will generate two random parts ("pads"), here is an example:
http://bitgen.org/split_wallet_example_private_pad1.pdf
http://bitgen.org/split_wallet_example_private_pad2.pdf

To create the private key the otp command is used with the pads as arguments,

$ bitgen otp DBD2CECBBBA5D7D3FAFFB573B59E43A92C50D3135DE89A91614322A36D14ECC0 42EDDF6112DC308EFEAFEB4A8907AF4164FBF1C4DF5A32DEF55AD90DEB96D006

This will give the private key, for example:
http://bitgen.org/split_wallet_example_private.pdf

To create random numbers, the methods "random", "dice", "hash" and "hex" can be used.

For example when using "hash", the following command can be used:
$ bitgen otpgen 2 hash sdfsdfsdfsdflkjsdlkfjsdlkfjsiusdyfisudyfsiduyfiusdyfiusdyfiudsyfiusdyfiusydfiuy sdifuydsiufysdiufysdiufysdiufysdiuyfisudyfisudyfiusdyfiudsyfiudsyfiudsyfiusdfyu syasuauuuauuasdiasudyasiudyaiusydasoidasdasidiasdiasodiasodiasodiasodi

More about one-time-pads:
https://en.wikipedia.org/wiki/One-time_pad

[bit22gen]

Bitgen 0.18 has been released:

http://bitgen.org/

This release includes support for electrum seed generation.

Here is an example:
http://bitgen.org/electrum_btc_example_private.pdf

To generate an electrum seed, use the command "electrum" followed by the generation method, for example:

$ bitgen electrum random

This will generate a 24 word seed using random data from "/dev/random"

Other possible generation methods are "hash", "mnemonic", "hex", "dice" and "brain".

For example, the following command will generate a 24 word seed from 100 dice values:

$ bitgen electrum dice 6123623123652635162356516316213666166253162356253654545162456125213612536523615 236512631532131236616

The default seed size is 24 words, but this can be changed by adding "words" followed by the desired number.
The following command will generate a 18 word seed:

$ bitgen electrum random words 18

Possible values are 12, 15, 18, 21 and 24.

An optional "account name" can be specified by using "name", for example:

$ bitgen electrum random name "My test"

[Financisto]

I have noticed the compile error for the "SSE2 instruction set" for some computers.
This seems to be related to the physical machine that is used.
Argon2 is optimized for the x86 architecture, and this is the cause of the compile error.

I have three Ubuntu 14.04 machines, and the two 64-bit machines compile the source without errors, one Intel and one AMD machine.

But the older 32 bit machine with an Intel Atom processor get the compile error.
I will fix this.


Yes, Bitgen is currently using Argon2d (and not Argon2i), but the choice was not an easy one.

The choice of the "d" version instead of "i" was motivated  since a dedicated machine without any internet connection should not have any side-channels for timing attacks(?)
For example, on a shared Linux-machine were several persons are logged in at the same time there will be possible to use side-channels when someone is changing a password.

I also interpret "being faster" as positive regarding ASIC-resistance.
If it is faster on a normal PC, it will perform better compared to a dedicated ASIC hardware.

The parameters for the "hardness" of the Argon2 function have been choose so it will take about 10 seconds to  perform the key derivation.

Here are the choosen parameters:

   const unsigned t_cost = 5;
   const unsigned m_cost = 100000;
   const unsigned thr = 8;


However, it is not too late to change if there is enough reason to do so.


I have to update the documentation, will be done in the next release.

Hello there @bit22gen

How are you doing? Long time no talk...

You still around? Are you still coding for this project of yours sometimes?

Revisiting your project here made me think about what we discussed years ago about using different versions of Argon2 KDF algo.

I ended stepping on this project that also uses Argon2. It's a similar project that already did something like Warp Wallet (although they used the Argon2i version):

https://github.com/patcito/mindwallet

Just to clarify (from the famous Wikipedia):

Argon2 is a key derivation function that was selected as the winner of the Password Hashing Competition in July 2015. It was designed by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich from the University of Luxembourg. The reference implementation of Argon2 is released under a Creative Commons CC0 license (i.e. public domain) or the Apache License 2.0, and provides three related versions:

a) Argon2d maximizes resistance to GPU cracking attacks. It accesses the memory array in a password dependent order, which reduces the possibility of time–memory trade-off (TMTO) attacks, but introduces possible side-channel attacks.

b) Argon2i is optimized to resist side-channel attacks. It accesses the memory array in a password independent order.

c) Argon2id is a hybrid version. It follows the Argon2i approach for the first pass over memory and the Argon2d approach for subsequent passes. The Internet draft recommends using Argon2id except when there are reasons to prefer one of the other two modes.

So maybe replacing the implemented Argon2d (used by bitgen) by Argon2id should be a reasonable decision in order to improve (even more) the security for brainwallets created by this tool.

What do you think about it?