Clarify HMAC and other caveats
ethankosakovsky committed Apr 23, 2020
1 parent 2b9dc80 commit 42e9f2f
Showing 1 changed file with 13 additions and 2 deletions.
15 changes: 13 additions & 2 deletions bip-entropy.mediawiki
@@ -45,7 +45,9 @@ Ultimately, all of the mnemonic/seed schemes start with some "initial entropy" t

We assume a single BIP32 master root key. This specification is not concerned with how this was derived (e.g. directly or via a mnemonic scheme such as BIP39).

For each application the requires its own wallet, a unique private key is derived from the BIP32 master root key using fully hardened derivation path. The resulting private key (k) is then processed with HMAC-SHA512, where the key is "bip-entropy-from-k", and the message payload is `k`: <code>HMAC-SHA512(key="bip-entropy-from-k", msg=k)</code>. The result produces 512 bits of entropy. Each application SHOULD use up to the required number of bits necessary for their operation truncating the rest.
For each application that requires its own wallet, a unique private key is derived from the BIP32 master root key using fully hardened derivation path. The resulting private key (k) is then processed with HMAC-SHA512, where the key is "bip-entropy-from-k", and the message payload is "k": <code>HMAC-SHA512(key="bip-entropy-from-k", msg=k)</code>. The result produces 512 bits of entropy. Each application SHOULD use up to the required number of bits necessary for their operation truncating the rest.

The HMAC-SHA512 function is specified in [http://tools.ietf.org/html/rfc4231 RFC 4231].

===Test vectors===

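Review bot: the rewritten line beginning "For each application that requires its own wallet" changes the message argument from `k` to "k", which now reads as the literal one-character string rather than the derived private key, while the <code> form on the same line still passes `msg=k`; keep `k` unquoted (or in <code>) and state its byte encoding, since the text never says whether the HMAC input is the 32-byte big-endian scalar, a WIF string or something else, and implementations will diverge on that point. The same sentence should also say which end is kept when an application "truncat[es] the rest" (the leading bits of the 512-bit output is the usual reading, but it is not stated). The added reference line "The HMAC-SHA512 function is specified in RFC 4231" is slightly off: RFC 4231 supplies identifiers and test vectors for HMAC-SHA-512, while HMAC itself is defined in RFC 2104 (and FIPS 198-1); citing RFC 2104 for the construction and RFC 4231 for the test vectors would be more accurate.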
@@ -69,7 +71,11 @@ OUTPUT
==Reference Implementation==

Python implementation: [https://github.com/ethankosakovsky/bipentropy python-bipentropy]
Python library implementation: [https://github.com/ethankosakovsky/bipentropy python-bipentropy]

===Other Implementations===

Coldcard Firmware: [https://github.com/Coldcard/firmware/pull/39]

==Applications==

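Review bot: the new line "Coldcard Firmware: [https://github.com/Coldcard/firmware/pull/39]" has no link text, so mediawiki will render it as a bare numbered footnote rather than a readable link; write it as [https://github.com/Coldcard/firmware/pull/39 Coldcard firmware PR #39] to match the "[https://github.com/ethankosakovsky/bipentropy python-bipentropy]" style used just above. A pull-request URL is also a moving target (it may be unmerged or amended after this text is written), so once the change lands it would be better to point at the merged file or a release tag, and to note whether that implementation matches the test vectors in this document.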
@@ -184,6 +190,11 @@ Application number: 2'

Uses 256 bits of entropy as the secret exponent to derive a private key and encode as a compressed WIF which will be used as the hdseed for Bitcoin Core wallets.

There is a very small chance that you'll make an invalid key that is zero or bigger than the order of the curve. If this occurs, software should hard fail (forcing users should iterate to the next index).

From BIP32:
> In case parse<sub>256</sub>(I<sub>L</sub>) ≥ n or k<sub>i</sub> = 0, the resulting key is invalid, and one should proceed with the next value for i. (Note: this has probability lower than 1 in 2<sup>127</sup>.)

Path format is <code>m/83696968'/2'/{index}'</code>

INPUT:
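Review bot: the added sentence "There is a very small chance that you'll make an invalid key that is zero or bigger than the order of the curve" does not match the BIP32 text quoted directly below it, which rejects parse256(I_L) ≥ n, i.e. a value equal to the order as well; say "zero, or greater than or equal to the curve order n" so the two conditions agree. The parenthetical "(forcing users should iterate to the next index)" is garbled and, as written, prescribes behaviour different from the quoted rule: BIP32 has the software proceed to the next value of i on its own, whereas this text has the software hard fail and leaves the user to pick the next index. State which is intended (hard fail with the user incrementing {index} appears to be the intent) and fix the grammar, for example "software MUST fail hard, and the user should move on to the next index", so that independent implementations behave identically on the rare invalid key.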
