Incorrect mnemonic calculated from entropy #52
Comments
Fix is quite simple, but I don't know the intention of all this hashing inside setMnemonicFromEntropy function. For my purpose I changed this part of code:
with this:
|
The reason for using a hash is given in this comment of issue 33 - using shuffled cards loses entropy and further context for entropy is in #21 and #33.

The hash of entropy is used because when sourcing entropy from a deck of cards, the total bits of entropy the user has entered is unknown. By hashing the entropy value, the user can generate their desired length of mnemonic at their desired strength, regardless of the calculated number of bits their entropy may or may not represent.

There is no 'correct' conversion of entropy to mnemonic. If a standard exists I would be glad to know of it. You can see from the linked issues that I greatly favor the first option of 'raw entropy', however it isn't always appropriate.

Since it's possible to create the 'correct' mnemonic from Andreas's entropy using the tool, I'm unclear what change is desired from this issue. Steps to produce the 'correct' behavior:
|
The problem is with the second step, because there is no "use raw entropy" option in the combo. There is an option ("From entropy length (3 words per 32 bits)"), which produces the expected result, but I think its name is not obvious for the user. Maybe I don't clearly understand the purpose of the tool's input controls labeled "Entropy" and "Mnemonic length", but I assumed that the meaning of the former is the same as the concept of 'entropy' from the BIP39 specification (https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki). According to this (and my understanding), entropy is always the last stage before converting its value to a mnemonic (and is always 'raw'). Yes, generating entropy has no single 'correct' way and should be as random as possible, but generating mnemonics from existing entropy seems to be strict and simple:
Your tool was mentioned in Andreas Antonopoulos' book (second edition of "Mastering Bitcoin"). When reading the "Mnemonic Code Words (BIP-39)" chapter I decided to verify the examples provided by the author and found that the results differ, so I was a bit confused. I had to debug the code to deduce what I should do to generate the expected results. I also verified the python-mnemonic library of Satoshi Labs (AFAIK they issued BIP39) and it gives a result corresponding with my understanding of BIP39 and identical with that from Andreas' book. Maybe such behavior was intended, but as a user I expected that selecting a specific number of words in the combo will end in the following behavior:
From my point of view entropy provided by the user should not be modified, regardless of what the user selects in the combobox, or its label should be different. BTW thanks for the great and quite helpful tool. |
Good points and I agree with what you say. Raw entropy should be the default. Just to clarify one aspect of entropy
'the entropy' is not as simple or strict in the context of this tool vs that of BIP39. 'the entropy' used by BIP39 should be a binary string (or equivalent encoding), but this tool accepts inputs that are not necessarily an encoding of binary. This happens for card entropy (specifically drawing cards without replacement). There's no clear way to convert that sequence of events to binary entropy. Consider the sequence of I think appropriate steps to resolve this issue would be
@dooglus your thoughts on the proposed changes would be welcome. A final aside: |
Yes, from my perspective both proposals are OK. Renaming the combobox item to "from raw entropy" would eliminate my assumption that all combobox items relate to an entropy in a raw form. |
See 5ed50bd - Raw Entropy is the default for mnemonic length |
Great. Thanx. |
It was confusing for me as well that, providing 128 bits of entropy, I get a different result with "Raw entropy" and "12 words". If my entropy source is reliably pseudo-random, which option is considered to be more secure? |
The 'X words' options in the select is a way to force 'Y bits of entropy' into 'X words'. I personally don't like it because it isn't following any sort of standard (I prefer only using raw entropy), but it does allow encoding of any amount of entropy into any amount of words, and I can understand why people might want that. The process of converting any entropy into 'X words' is to sha256 the entropy and take the appropriate number of bits to form the mnemonic. Neither is more secure than the other, although raw entropy is closer to the bip39 standard so for that reason I say it's the superior option. In practice they are equally secure. |
When choosing the "Supply my own source of entropy" option and selecting any mnemonic length from 12 to 24 words, the calculated mnemonic is incorrect.
Let's use the 128 bit entropy example from Andreas Antonopoulos' book: 0c1e24e5917779d297e14d45f14e1a1a. Enter this in the "Entropy" field and then, from the combo "Mnemonic length", choose the "12 words" option. After that, the calculated mnemonic is as follows: "enact swarm curious dash next scorpion couple fabric hour loop can diamond" instead of the correct one: "army van defense carry jealous true garbage claim echo media make crunch".
The problem is inside the function setMnemonicFromEntropy. If the user selects any option other than the first one in the "Mnemonic Length" combobox, all bits from the user's entropy are overwritten with the SHA256 hash of it. After that, calculation of the mnemonic is based on the hash instead of the entropy.
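The two derivation paths discussed in this issue, side by side, as an added example (not the tool's code and not part of the thread). The function names are hypothetical, the 2048-word list is not embedded so the output is the 11-bit word indices, and hashing the decoded entropy bytes is an assumption, so the hashed indices may not match the tool's own output.

```javascript
// Added example for Node.js, standard library only.
const crypto = require('crypto');

// Render a byte buffer as a string of '0'/'1' characters.
function toBits(buf) {
  return Array.from(buf, b => b.toString(2).padStart(8, '0')).join('');
}

// BIP39 encoding: append the first ENT/32 bits of SHA256(entropy) as a
// checksum, then cut the result into 11-bit groups. Each group is an index
// into the 2048-word list.
function wordIndices(entropy) {
  const entBits = entropy.length * 8;
  if (entBits < 128 || entBits > 256 || entBits % 32 !== 0) {
    throw new Error('entropy must be 128-256 bits in multiples of 32');
  }
  const checksum = toBits(crypto.createHash('sha256').update(entropy).digest())
    .slice(0, entBits / 32);
  return (toBits(entropy) + checksum).match(/.{11}/g).map(g => parseInt(g, 2));
}

// "Raw entropy" path: the user's bits are encoded unchanged.
function rawIndices(hex) {
  return wordIndices(Buffer.from(hex, 'hex'));
}

// "N words" path as described in the thread: the entropy is replaced by the
// leading bits of its SHA256 hash before encoding.
// Assumption: the hash is taken over the decoded bytes of the hex input.
function hashedIndices(hex, words) {
  const entBytes = (words / 3) * 32 / 8; // 3 words per 32 bits of entropy
  const digest = crypto.createHash('sha256')
    .update(Buffer.from(hex, 'hex')).digest();
  return wordIndices(digest.subarray(0, entBytes));
}

// Entropy value quoted in the issue.
const ENTROPY = '0c1e24e5917779d297e14d45f14e1a1a';
console.log('raw   :', rawIndices(ENTROPY).join(' '));
console.log('hashed:', hashedIndices(ENTROPY, 12).join(' '));
```

Only the raw path keeps the user's bits recoverable from the mnemonic; the hashed path fits any input into the chosen length, but other BIP39 implementations given the same entropy will not reproduce its words.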