Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update BIP32: 'hardened' terminology + explicit conversions #12

Merged
merged 1 commit into from
Mar 13, 2014
Merged

Update BIP32: 'hardened' terminology + explicit conversions #12

merged 1 commit into from
Mar 13, 2014

Conversation

sipa
Copy link
Member

@sipa sipa commented Jan 25, 2014

No description provided.

@sipa
Copy link
Member Author

sipa commented Jan 25, 2014

@mikehearn Please have a look!

This is a significant rewrite; it's probably better to look at the formatted result (https://github.com/sipa/bips/blob/bip32update/bip-0032.mediawiki) than at the diff.

@sipa
Copy link
Member Author

sipa commented Jan 26, 2014

Request for comments:

  • Are the explicit conversion functions (serpoint, ser32, ser256, parse256) useful, or do they clutter?
  • Same for the N() (neuter) function: useful to explicitly make derivation chains private or public?
  • Is using a function (point(k)) an improvement over writing k*G (making it clear that it's sort of a conversion, but I'm not entirely happy with the name "point").
  • Notation for hardened keys: is the suffix "h" better than just "'"? It's sort of ugly when preceded by a variable.
  • Shorter function names, or are these long ones more readable?

@mikehearn
Copy link
Contributor

I think this is a huge improvement, thanks! Just a couple of very minor things:

  • changelog at the top could be updated
  • There's a Java impl in bitcoinj as well (code.google.com/p/bitcoinj)

laanwj
laanwj reviewed Jan 27, 2014
View reviewed changes
bip-0032.mediawiki
@@ -170,63 +190,66 @@ In addition to the expectations from the EC public-key cryptography itself:
* Given a public key K, an attacker cannot find the corresponding private key more efficiently than by solving the EC discrete logarithm problem (assumed to require 2<sup>128</sup> group operations).
the intended security properties of this standard are:
* Given a child extended private key (k<sub>i</sub>,c<sub>i</sub>) and the integer i, an attacker cannot find the parent private key k<sub>par</sub> more efficiently than a 2<sup>256</sup> brute force of HMAC-SHA512.
* Given any number (2 <= N <= 2<sup>32</sup>-1) of (index, extended private key) tuples (i<sub>j</sub>,(p<sub>j</sub>,c<sub>j</sub>)), with distinct i<sub>j</sub>'s, determining whether they are derived from a common parent extended private key (i.e., whether there exists a (p<sub>par</sub>,c<sub>par</sub>) such that for each j in [0..N-1] CKD((p<sub>par</sub>,c<sub>par</sub>),i<sub>j</sub>)=(p<sub>j</sub>,c<sub>j</sub>)), cannot be done more efficiently than a 2<sup>256</sup> brute force of HMAC-SHA512.
* Given any number (2 N 2<sup>32</sup>-1) of (index, extended private key) tuples (i<sub>j</sub>,(k<sub>i<sub>j</sub></sub>,c<sub>i<sub>j</sub></sub>)), with distinct i<sub>j</sub>'s, determining whether they are derived from a common parent extended private key (i.e., whether there exists a (k<sub>par</sub>,c<sub>par</sub>) such that for each j in (0..N-1) CKDpriv((k<sub>par</sub>,c<sub>par</sub>),i<sub>j</sub>)=(k<sub>i<sub>j</sub></sub>,c<sub>i<sub>j</sub></sub>)), cannot be done more efficiently than a 2<sup>256</sup> brute force of HMAC-SHA512.
Note however that the following properties does not exist:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does not -> do not

@laanwj
Copy link
Member

laanwj commented Jan 27, 2014

I like the explicit conversion functions, especially as they are described in detail in an initial conventions section, this makes the document more accessible. The longer names are also easy to look up when needed. They don't appear to cause clutter anywhere.

laanwj
laanwj reviewed Jan 27, 2014
View reviewed changes
bip-0032.mediawiki

* m/i'/0/k corresponds to the k'th keypair of the external chain of account number i of the HDW derived from master m.
* m/i'/1/k corresponds to the k'th keypair of the internal chain of account number i of the HDW derived from master m.
Each account is composed of two keypair chains: an internal and an external one. The external keychain is used to generate new public addresses, while the internal keychain is used for all other operations (change addresses, generation addresses, ..., anything that doesn't need to be communicated). Clients that do not support separate keychains for these should use the external one for everything.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No motivation is given for having separate internal/external chains. I suppose this is because they have different look-ahead properties (as mentioned later under wallet sharing) but it may be useful to mention this here.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll address this in a separate change.

@sarchar
Copy link
Contributor

sarchar commented Jan 30, 2014

Notation for hardened keys: is the suffix "h" better than just "'"? It's sort of ugly when preceded by a variable.

My only concern is that for my site (http://bip32.org/), the subscripted "h" can't (easily?) be typed into the custom derivation path. I don't know how big of a concern that is because 99% of users will never see a derivation path, but at least for my site I won't be able to support the "h" in custom paths.

@sipa
Copy link
Member Author

sipa commented Jan 30, 2014

@sarchar How about a non-subscripted h?

Given that the other usage of ' has been removed, I can just revert to using it for hardened derivation steps. Maybe others already depend on that notation too.

@sarchar
Copy link
Contributor

sarchar commented Jan 30, 2014

Would a non-subscripted h make it look like a hex number?

How about a plus sign?

@laanwj
Copy link
Member

laanwj commented Feb 10, 2014

@sipa is this ready for merging or are you still planning to update it?

@sipa
Copy link
Member Author

sipa commented Mar 12, 2014

I've added a note that the old notation (i') is also allowed, in addition to i_H.

sipa added a commit that referenced this pull request Mar 13, 2014
@sipa
Merge pull request #12 from sipa/bip32update
6145e1e 
Update BIP32: 'hardened' terminology + explicit conversions
@sipa sipa merged commit 6145e1e into bitcoin:master Mar 13, 2014
luke-jr pushed a commit that referenced this pull request Mar 17, 2016
@techguy613
Merge pull request #12 from jmacwhyte/proofread
d8ec771 
Renamed to BIP75, added extensions to BIP70 payment details
luke-jr pushed a commit to luke-jr/bips that referenced this pull request Jun 6, 2017
@rustyrussell
Merge pull request bitcoin#12 from pm47/patch-1
5e40cf2 
minor: close_signature -> closing_signed
real-or-random pushed a commit to real-or-random/bips that referenced this pull request Nov 5, 2018
@sipa
Merge pull request bitcoin#12 from real-or-random/bip-schnorr
7511d17 
Improve readability of Python implementation
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
4 participants
@sipa @mikehearn @laanwj @sarchar