Fixup aezeed

Jonathan Cross 2019-01-14 20:42:36 +01:00
parent 55b580f2b8
commit 072de26354
No known key found for this signature in database
GPG Key ID: D8578DF8EA7CCF1B

@ -1,11 +1,11 @@
# aezeed # aezeed
[In this PR](https://github.com/lightningnetwork/lnd/pull/773) we add a new package implementing the aezeed cipher [In this PR](https://github.com/lightningnetwork/lnd/pull/773) we added a new package implementing the aezeed cipher
seed scheme (based on [aez](http://web.cs.ucdavis.edu/~rogaway/aez/) ). seed scheme (based on [aez](http://web.cs.ucdavis.edu/~rogaway/aez/)).
This is a new scheme developed that aims to overcome the This new scheme aims to address
two major short comings of BIP39: a lack of a version, and a lack of a two major features lacking in BIP39: versioning, and a
wallet birthday. A lack a version means that wallets may not wallet birthday. The lack a version means that wallets may not
necessarily know how to re-derive addresses during the recovery necessarily know how to re-derive addresses during the recovery
process. A lack of a birthday means that wallets dont know how far process. A lack of a birthday means that wallets dont know how far
back to look in the chain to ensure that they derive all the proper back to look in the chain to ensure that they derive all the proper
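Review bot: the new side of this hunk still carries the grammatical slip the fixup was meant to remove: "The lack a version means that wallets may not" is missing "of". Suggest "The lack of a version means that wallets may not", which also matches the parallel sentence two lines down ("A lack of a birthday means ..."). While here, "BIP39" on this hunk's line about the two shortcomings and "BIP 39" in the later hunks should be spelled the same way throughout.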
@ -25,8 +25,8 @@ PASS
ok github.com/lightningnetwork/lnd/aezeed 4.168s ok github.com/lightningnetwork/lnd/aezeed 4.168s
``` ```
Aside from addressing the shortcomings of BIP 39 a cipher seed Aside from addressing the shortcomings of BIP 39, an aezeed cipher seed
can: be upgraded, and have it's password changed, can both be upgraded, and have its password changed.
Sample seed: Sample seed:
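Review bot: in "can both be upgraded, and have its password changed." the comma before "and" breaks the "both ... and" construction; suggest "can both be upgraded and have its password changed." The "BIP 39" spelling here differs from "BIP39" in the first hunk, so pick one form for the whole document.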
@ -49,23 +49,23 @@ the keys of the wallet.
The 2 byte timestamp is expressed in Bitcoin Days Genesis, meaning that The 2 byte timestamp is expressed in Bitcoin Days Genesis, meaning that
the number of days since the timestamp in Bitcoins genesis block. This the number of days since the timestamp in Bitcoins genesis block. This
allow us to save space, and also avoid using a wasteful level of allow us to save space, and also avoid using a wasteful level of
granularity. With the currently, this can express time up until 2188. granularity. This can currently express time up until 2188.
Finally, the entropy is raw entropy that should be used to derive Finally, the entropy is raw entropy that should be used to derive the
wallets HD root. wallets HD root.
## aezeed enciphering/deciperhing ## aezeed enciphering/deciperhing
Next, well take the plaintext seed described above and encipher it to Next, well take the plaintext seed described above and encipher it to
procure a final cipher text. Well then take this cipher text (the procure a final cipher text. Well then take this cipher text (the
CipherSeed) and encode that using a 24-word mnemonic. The enciphering _CipherSeed_) and encode that using a 24-word mnemonic. The enciphering
process takes a user defined passphrase. If no passphrase is provided, process takes a user-defined passphrase. If no passphrase is provided,
then the string “aezeed” will be used. then the string “aezeed” will be used.
To encipher a plaintext seed (19 bytes) to arrive at an enciphered To encipher a plaintext seed (19 bytes) to arrive at an enciphered
cipher seed (33 bytes), we apply the following operations: cipher seed (33 bytes), we apply the following operations:
* First we take the external version an append it to our buffer. The * First we take the external version and append it to our buffer. The
external version describes how we encipher. For the first version external version describes how we encipher. For the first version
(version 0), well use scrypt(n=32768, r=8, p=1) and aezeed. (version 0), well use scrypt(n=32768, r=8, p=1) and aezeed.
* Next, well use scrypt (with the version 9 params) to generate a * Next, well use scrypt (with the version 9 params) to generate a
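Review bot: the parameter reference on this hunk's last line looks wrong: "scrypt (with the version 9 params)" follows a bullet that defines the params for "version 0" (scrypt(n=32768, r=8, p=1)), so "version 9" is most likely a typo for "version 0" and should be checked, since a reader reimplementing the KDF step would otherwise look for parameters that are never defined. Several grammar errors also survive on the new side: the heading still reads "deciperhing" (should be "deciphering"); "meaning that the number of days since the timestamp" should drop "that" ("meaning the number of days since ..."); "This allow us to save space" should be "This allows us"; and "2 byte timestamp" should be hyphenated as "2-byte timestamp" to match "33-byte" used later.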
@ -79,15 +79,15 @@ has whats essentially a configurable MAC size. In our scheme well use
a value of 8, which acts as a 64-bit checksum. Well encrypt with our a value of 8, which acts as a 64-bit checksum. Well encrypt with our
generated seed, and use an AD of (version || salt). generated seed, and use an AD of (version || salt).
* Finally, well encode this 33-byte cipher text using the default * Finally, well encode this 33-byte cipher text using the default
world list of BIP 39 to produce 24 english words. word list of BIP 39 to produce 24 English words.
## Properties of the aezeed cipher seed ## Properties of the aezeed cipher seed
The aezeed cipher seed scheme has a few cool properties, notably: The aezeed cipher seed scheme has a few cool properties, notably:
* The mnemonic itself is a cipher text, meaning leaving it in * The mnemonic itself is a cipher text, meaning leaving it in
plaintext is advisable if the user also set a passphrase. This is in plaintext is advisable if the user also sets a passphrase. This is in
contrast to BIP 39 where the mnemonic alone (without a passrphase) may contrast to BIP 39 where the mnemonic alone (without a passphrase) may
be sufficient to steal funds. be sufficient to steal funds.
* A cipherseed can be modified to change the passphrase. This * A cipherseed can be modified to change the passphrase. This
means that if the users wants a stronger passphrase, they can decipher means that if the users wants a stronger passphrase, they can decipher
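Review bot: the last line of this hunk has a subject-verb mismatch that the fixup did not touch: "if the users wants a stronger passphrase" should read "if the user wants a stronger passphrase". Two smaller points on the same hunk: "cipherseed" here is cased differently from the italic "_CipherSeed_" introduced in the enciphering section, and the claim that leaving the mnemonic "in plaintext is advisable if the user also sets a passphrase" reads stronger than the scheme supports, since the protection then rests entirely on the passphrase's entropy under the stated scrypt(n=32768, r=8, p=1) work factor; "acceptable" or "safer than with BIP 39" would state the property without encouraging users to treat the ciphertext as freely disclosable.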