[INFO - DISCUSSION] Mnemonic Code Words (BIP39)

[cygan]

bip39 is a design implementation that lays out how cryptocurrency wallets create the set of words (mnemonic codes) that make up a mnemonic set, and how the wallet converts the seed into mnemonic codes that are used to derive extended keys that can be used to derive private bitcoin keys. with these 4 foils i would like to bring you closer to this important topic. there are also numerous threads about it but to continue working on my 'slide threads' i decided to create a new one
i hope that this topic will be well received by you and will appeal to more users

BIP: 39
  Layer: Applications
  Title: Mnemonic code for generating deterministic keys
  Author: Marek Palatinus <slush@satoshilabs.com>
          Pavol Rusnak <stick@satoshilabs.com>
          Aaron Voisine <voisine@gmail.com>
          Sean Bowe <ewillbefull@gmail.com>
  Comments-Summary: Unanimously Discourage for implementation
  Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0039
  Status: Proposed
  Type: Standards Track
  Created: 2013-09-10

https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki



https://twitter.com/BTCillustrated

[1715470821]

1715470821

[1715470821]

1715470821

[BlackHatCoiner]

and how the wallet converts them into a binary 'seed'

It doesn't convert the mnemonics into a seed. It converts the seed into mnemonic. As you demonstrate in the slides, the computer firstly generates 128 + 4 bits, and converts these to mnemonic phrase.

that is used to create encryption keys that are then used to execute cryptocurrency transactions.

The seed isn't used to create encryption keys, it is used to derive extended keys, which can be used to derive Bitcoin private keys.

[cygan]

@BlackHatCoiner you are absolutely right. i was writing too fast again and already had other thoughts in my head before i wanted to finish the actual sentence/topic
have of course now improved - shame on me

[pooya87]

In the slide before last it is misleading to call PBKDF2 a "key stretching" function because although it is how PBKDF2 is categorized but key stretching algorithms are used to make a weak key more secure against brute force attacks.
In case of BIP39, the key (ie. the initial entropy) is not weak at all and it doesn't need to be secured. In other words PBKDF2 in this context is only used as a key derivation function not a key stretching function.

[Cricktor]

Aren't the 2048 rounds of HMAC-SHA-512 as PBKDF2 there to also make the derivation from the initial seed computationally expensive so that brute-forcing is rendered considerably slower? I don't know much about SHA-512 compared to SHA-256 in terms of computational complexity and expense, though.

[ABCbits]

Aren't the 2048 rounds of HMAC-SHA-512 as PBKDF2 there to also make the derivation from the initial seed computationally expensive so that brute-forcing is rendered considerably slower?

While it makes brute-force slower, BIP 39 only state "The iteration count is set to 2048 and HMAC-SHA512 is used as the pseudo-random function."[1].

I don't know much about SHA-512 compared to SHA-256 in terms of computational complexity and expense, though.

Theoretically SHA-512 is computationally more complex. Although depending on the hardware and OS, SHA-512 might run faster[1-2].

[1] https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#from-mnemonic-to-seed
[2] https://crypto.stackexchange.com/a/26340
[3] https://crypto.stackexchange.com/a/52646

[o_e_l_e_o]

Aren't the 2048 rounds of HMAC-SHA-512 as PBKDF2 there to also make the derivation from the initial seed computationally expensive so that brute-forcing is rendered considerably slower?

It's certainly slower, but it definitely isn't slow and it definitely isn't considerably slower either. PBKDF2 is already pretty weak, and 2048 rounds is nothing. This is why tools like btcrecover can still check tens of thousand possible seed phrase combinations a second (even once you exclude those with an invalid checksum).

If you wanted actual protection against brute-force attacks, then you would need to up the iteration count to the millions or switch to an algorithm which is actually computational expensive. BIP39 survives without these things due to the initial entropy being at least 2¹²⁸, not because it is difficult to attack.