Bitcoin Forum
Author Topic: PBKDF2 questions  (Read 155 times)
Sanglotslongs (OP), Sr. Member
March 31, 2021, 10:04:18 AM
Merited by o_e_l_e_o (2), ABCbits (1)
#1

Hello,

I'm trying to understand the PBKDF2 function.

From "learnmeabitcoin":



So PBKDF2 is HMAC-SHA512 with two parameters:
1) password as "mnemonic sentence"
2) salt as "mnemonic sentence + passphrase".

For my example I will use an empty passphrase.

For HMAC I'm using: https://www.freeformatter.com/hmac-generator.html#ad-output
To check PBKDF2 I'm using https://iancoleman.io/bip39/


BIP39 mnemonic:
Code:
conduct coral enrich local script mountain remain fringe latin throw wood web

Entropy HEX:
Code:
2ec6052c41ac1b212d62e87d7c2bf4fc


I made a modification to the iancoleman/BIP39 HTML file, changing:

Code:
var Mnemonic = function(language) {

    var PBKDF2_ROUNDS = 2048;
    var RADIX = 2048;

    var self = this;
    var wordlist = [];

With:


Code:
var Mnemonic = function(language) {

    var PBKDF2_ROUNDS = 1;
    var RADIX = 2048;

    var self = this;
    var wordlist = [];


With my BIP39 file with PBKDF2_ROUNDS = 1 I get:

BIP39 Seed from the iancoleman file:
Code:
001f53a43e04c1dd4980bc65ea6f68c33124a671ce9d407b1c5c52adcbfddef3f51784f824af6c6f8cd7beb2cdad02b39638e3c77dd0fd48865573fcb73cf0df

But with my online HMAC-SHA512 tool:
Code:
6d03c97c00754be669e684b37cdad6a35ac989ce61411ac38823074fdae281b8ad2a707ea0d341e7a5b5b2e6ae465669a635d2402845a20ad80b320abaa45b60


What am I doing wrong? I just want to understand this function, but I could be wrong in many ways: wrong input type for HMAC, is the default passphrase really empty...
Is the "BIP39 seed" from the Ian Coleman file the HMAC-SHA512 result of the entropy seed?
NotATether, Legendary
March 31, 2021, 11:15:18 AM
Merited by o_e_l_e_o (2)
#2

When you changed the number of rounds from 2048 to 1, you changed the number of times that HMAC-SHA512 is run to just once. That is why you're getting a different hash: instead of hashing subsequent outputs of HMAC-SHA256, it's just hashing the seedphrase and extended words and using that as the result.

j2002ba2, Full Member
March 31, 2021, 11:22:41 AM
Merited by Halab (2), o_e_l_e_o (2), odolvlobo (1)
#3


So PBKDF2 is HMAC-SHA512 with two parameters:
1) password as "mnemonic sentence"
2) salt as "mnemonic sentence + passphrase".


PBKDF2 is not HMAC-SHA512 (in this case it uses it):
https://en.wikipedia.org/wiki/PBKDF2#Key_derivation_process

HMAC-SHA512 with key="conduct coral enrich local script mountain remain fringe latin throw wood web", and salt="mnemonic"+00000001 gives the correct result.

ranochigo, Legendary
March 31, 2021, 11:23:08 AM
#4

The salt is not the seed itself. While the BIP seems to indicate that the whole mnemonic is used as a salt again, that is not the case. The salt is only "mnemonic".

Try using this: https://stuff.birkenstab.de/pbkdf2/.

Code:
Message (password):
conduct coral enrich local script mountain remain fringe latin throw wood web

Salt:
mnemonic

Iterations:
1

Key length (dklen):
64

Generate Hash
Result (hex):
001f53a43e04c1dd4980bc65ea6f68c33124a671ce9d407b1c5c52adcbfddef3f51784f824af6c6f8cd7beb2cdad02b39638e3c77dd0fd48865573fcb73cf0df

Sanglotslongs (OP), Sr. Member
March 31, 2021, 01:07:24 PM
#5

~


Hands down good description on PBKDF2 function delivered by webtricks: [if there is no passphrase] => salt ≡ 'mnemonic', [if there is passphrase ≡ 'yourpassphrase'] => salt ≡ 'mnemonicyourpassphrase'

Hope it will help you.

Thank you!


The salt is not the seed itself. While the BIP seems to indicate that the whole mnemonic is used as a salt again, that is not the case. The salt is only "mnemonic".

Try using this: https://stuff.birkenstab.de/pbkdf2/.

Code:
Message (password):
conduct coral enrich local script mountain remain fringe latin throw wood web

Salt:
mnemonic

Iterations:
1

Key length (dklen):
64

Generate Hash
Result (hex):
001f53a43e04c1dd4980bc65ea6f68c33124a671ce9d407b1c5c52adcbfddef3f51784f824af6c6f8cd7beb2cdad02b39638e3c77dd0fd48865573fcb73cf0df

Didn't know this website, thanks for sharing. Do you know what format MESSAGE and SALT are? I thought parameters must be in binary, but inside the GitHub code:

Code:
export function Pbkdf2HmacSha512(password: Uint8Array, salt: Uint8Array, count: number, length: number): Uint8Array {
  const hmac = new HmacSha512(password);

  return pbkdf2core(hmac, salt, length, count);
}
j2002ba2, Full Member
March 31, 2021, 01:37:52 PM
#6


Didn't know this website, thanks for sharing. Do you know what format MESSAGE and SALT are? I thought parameters must be in binary, but inside the GitHub code:


All is binary. If you are interested in PBKDF2 and HMAC, it's explained in detail on Wikipedia.

Code:
password:
636f6e6475637420636f72616c20656e72696368206c6f63616c20736372697074206d6f756e7461696e2072656d61696e206672696e6765206c6174696e207468726f7720776f6f6420776562

salt for pbkdf2:
6d6e656d6f6e6963

salt for the first hmac:
6d6e656d6f6e696300000001

webtricks, Legendary
March 31, 2021, 02:35:42 PM
#7

~~

Didn't know this website, thanks for sharing. Do you know what format MESSAGE and SALT are? I thought parameters must be in binary, but inside the GitHub code:

Code:
export function Pbkdf2HmacSha512(password: Uint8Array, salt: Uint8Array, count: number, length: number): Uint8Array {
  const hmac = new HmacSha512(password);

  return pbkdf2core(hmac, salt, length, count);
}

As you can see, the function has defined the type of the `password` and `salt` parameters as Uint8Array. Uint8Array is a handy way to store and work with bytes in JS (and TS).

In Bitcoin, message and salt are provided as ASCII characters which are then converted into binary during the PBKDF2 function. These values are then used as parameters in a pseudorandom function which is iterated c number of times.

The above library is first converting ASCII characters into hexadecimal and then storing each byte as 8-bit unsigned integer in Uint8Array.
Sanglotslongs (OP), Sr. Member
March 31, 2021, 02:42:43 PM
#8

How long can the salt be?
NotATether, Legendary
March 31, 2021, 04:50:30 PM
#9

How long can the salt be?

The salt can be as long as you want as long as the underlying digest function supports salts of that length. The salt is only passed to the HMAC-SHA512 function during the first iteration, and in that particular round the salt is concatenated with 0x01000000 in hex, and this number represents 1 in 32-bit big endian form.

Because of the way PBKDF2 works, it's possible to have an output length that is a multiple of the digest length, for example: PBKDF2 outputting 1024 or 4096 bits, using an HMAC-SHA512 digest function 512 bits wide. In those cases we break the input into blocks of 512 bits and run the digest on each of them, using whichever index number we gave the block of 512 bits instead of "1".

For example, suppose the digest size is 2048 and we have 3 iterations, and are using the digest function HMAC-SHA512:



The + is concatenation and not addition.

HMAC can handle arbitrary-sized salts just fine, because they are passed directly to the hash function (SHA512), which knows how to break them down into manageable block sizes as well.
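As an added illustration of what the replies in this thread describe (this is not code from the thread, from Ian Coleman's tool or from the TypeScript library quoted above), here is PBKDF2-HMAC-SHA512 written out step by step per RFC 8018 with the BIP39 parameters: password = NFKD(mnemonic), salt = "mnemonic" + passphrase, 2048 rounds, 64-byte output. The mnemonic is the OP's; the functions show that one round collapses to a single HMAC over "mnemonic" || 00000001, and that a dklen longer than 64 bytes runs the same chain again with block index 2, 3, ... as post #9 explains. Only the Python standard library is used.

```python
import hashlib
import hmac
import unicodedata

# Mnemonic from the opening post of the thread.
MNEMONIC = ("conduct coral enrich local script mountain remain fringe "
            "latin throw wood web")

def pbkdf2_hmac_sha512(password: bytes, salt: bytes, rounds: int, dklen: int) -> bytes:
    """PBKDF2 (RFC 8018) spelled out, with HMAC-SHA512 as the PRF."""
    out = b""
    block = 1                                   # block indices start at 1
    while len(out) < dklen:
        # U1 = PRF(password, salt || INT_32_BE(block)); only this step sees the salt
        u = hmac.new(password, salt + block.to_bytes(4, "big"), hashlib.sha512).digest()
        t = u
        # U2..Uc each take the previous U as message; T = U1 xor U2 xor ... xor Uc
        for _ in range(rounds - 1):
            u = hmac.new(password, u, hashlib.sha512).digest()
            t = bytes(a ^ b for a, b in zip(t, u))
        out += t
        block += 1
    return out[:dklen]

def bip39_seed(mnemonic: str, passphrase: str = "", rounds: int = 2048) -> bytes:
    """BIP39 seed: password = NFKD(mnemonic), salt = 'mnemonic' + NFKD(passphrase)."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return pbkdf2_hmac_sha512(password, salt, rounds, 64)

def single_round_is_one_hmac(mnemonic: str) -> bool:
    """With rounds = 1, PBKDF2 is exactly HMAC-SHA512(key=mnemonic, msg='mnemonic'||00000001)."""
    password = mnemonic.encode("utf-8")
    one_hmac = hmac.new(password, b"mnemonic" + b"\x00\x00\x00\x01", hashlib.sha512).digest()
    return bip39_seed(mnemonic, rounds=1) == one_hmac

def matches_stdlib(mnemonic: str, passphrase: str, rounds: int, dklen: int) -> bool:
    """Cross-check the hand-written loop against hashlib, including multi-block dklen."""
    password = mnemonic.encode("utf-8")
    salt = ("mnemonic" + passphrase).encode("utf-8")
    return (pbkdf2_hmac_sha512(password, salt, rounds, dklen)
            == hashlib.pbkdf2_hmac("sha512", password, salt, rounds, dklen))

if __name__ == "__main__":
    # The thread reports 001f53a4... for the 1-round case with an empty passphrase.
    print("1 round    :", bip39_seed(MNEMONIC, rounds=1).hex())
    print("2048 rounds:", bip39_seed(MNEMONIC).hex())
```

Compare the first printed line with the value in posts #1 and #4 to confirm that the modified iancoleman page was indeed computing a single HMAC; the second line is the real BIP39 seed for an empty passphrase.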
