[![Tests](https://github.com/akarve/bipsea/actions/workflows/ci.yaml/badge.svg)](https://github.com/akarve/bipsea/actions)
# `bipsea`: secure entropy for mnemonics, passwords, PINs, and other secrets
> _One Seed to rule them all,
> One Key to find them,
> One Path to bring them all,
> And in cryptography bind them._
> -[BIP-85](https://github.com/bitcoin/bips/blob/master/bip-0085.mediawiki)
bipsea is a composable command-line utility that generates and validates Bitcoin
mnemonics and hierarchical secrets according to BIP-85.
bipsea is designed to be usable, readable, and correct, and is backed by extensive unit tests.
bipsea includes pure Python APIs for BIPs 32, 39, and 85.
**bipsea is currently for experimental purposes only.**
bipsea relies on cryptographic primitives from Python
and the [python-ecdsa](https://github.com/tlsfuzzer/python-ecdsa) module, which
is [vulnerable to side-channel attacks](https://github.com/tlsfuzzer/python-ecdsa?tab=readme-ov-file#security).
bipsea does not rely on third-party libraries from any wallet vendor.
You can run bipsea offline to generate passwords, seed mnemonics, and more.
Consider dedicated cold hardware that runs [Tails](https://tails.net),
has networking disabled, and disables
[Intel Management Engine](https://support.system76.com/articles/intel-me/)
and other possible hardware backdoors.
# Usage
## Installation
```sh
pip install bipsea
```
## Help
```sh
bipsea --help
```
## Commands
bipsea offers four commands that work together:
1. `mnemonic` creates BIP-39 seed mnemonics in 9 languages
1. `validate` validates BIP-39 mnemonics in 9 languages
1. `xprv` derives a BIP-32 extended private key
1. `derive` applies BIP-85 to an xprv to derive child secrets
# Tutorial
You can compose bipsea commands with a pipe:
```sh
bipsea mnemonic | bipsea validate | bipsea xprv | bipsea derive -a mnemonic -n 12
```
rotate link six joy boss sock unveil achieve charge sweet hidden regular
> Because `bipsea mnemonic` uses random bits from Python's secrets library,
> your output will, with extremely high probability, differ from the above output.
The above generates a fresh mnemonic, validates it against the English word list, converts
it to an xprv, and then derives a new secret according to BIP-85.
## But why would anyone turn one seed mnemonic into another?
We started with a mnemonic and got another one, so what?
As you'll see below you can derive not one but millions of secrets, including
PINs, mnemonics, and passwords, from a single root secret. Thanks to BIP-85, bipsea
enables you to create millions of secure and independent derived secrets.
Even if a child secret were compromised, the parent and root secrets would remain
secure due to the irreversibility of hardened hierarchical derivation.
You can read more on these topics
[below](#how-are-bipsea-and-hierarchical-wallet-derivation-bip-85-useful).
## `bipsea mnemonic`
Suppose you want a 15-word seed phrase in Japanese.
```sh
bipsea mnemonic -t jpn -n 15
```
おかわり おっと ゆにゅう いこつ ろうそく げつれい おかわり きらい ちたん にくまん でんわ ずぶぬれ くださる いらすと のみもの
Or 12 words in English.
```sh
bipsea mnemonic -n 12 --pretty
```
1) beach
2) tail
3) trial
4) design
5) lyrics
6) episode
7) miracle
8) strong
9) slogan
10) pole
11) blood
12) scene
## `bipsea validate`
BIP-39 mnemonics come from localized wordlists, have 12-24 words, and include a checksum.
`validate` checks the integrity of a mnemonic phrase, normalizes the input (NFKD),
then echoes the result so that you can pipe it to `bipsea xprv`.
```sh
bipsea mnemonic -t spa -n 12 | bipsea validate -f spa
```
relleno peón exilio vara grave hora boda terapia dinero vulgar vulgar goloso
## `bipsea xprv`
```sh
bipsea mnemonic | bipsea validate | bipsea xprv
```
xprv9s21ZrQH143K41bKPQ9XHbPoqfdCDmZLBorYHay5E273HTu5yAFm27sSWRoCpisgQNH9vfrL9yVvVg5rBEbMCk2UwQ8K7qCFnZAY7aXhuqV
`bipsea xprv` converts a mnemonic into a master node (the root of your wallet
chain) that serializes as an xprv or _extended private key_.
### xprv from dice rolls (or any string)
```
bipsea validate -f free -m "123456123456123456" | bipsea xprv
```
Warning: Relative entropy of input seems low (0.42). Consider a more complex --mnemonic.
xprv9s21ZrQH143K2Sxhvzbx2vvjLxPB2tJyfh5hm7ags5UWbKRHbm7x1wyCnqN4sdGTqxbq5tJJc3vV4vd51er6WgUiUC7ma1nKtfYRNTYaCeE
You can even load the input from a file.
```sh
bipsea validate -f free -m "$(cat input.txt)"
```
If you are now thinking, _I could use any string to derive a master key_,
then you're ready to learn about BIP-85 with `bipsea derive`.
> **Do not derive valuable keys or secrets from short, simple, or
> predictable strings**. You can only stretch entropy so far.
> **Weak entropy in, weak entropy out**.
> Common phrases are further susceptible to
> [rainbow table attacks](https://en.wikipedia.org/wiki/Rainbow_table).
## `bipsea derive`
It's important to use a fixed, trusted, and cold-stored mnemonic so that `derive`
(or any BIP-85 implementation) produces repeatable results.
_If the root xprv changes, so do all of the child secrets._
In the following examples we derive all secrets from a single mnemonic.
```sh
MNEMONIC="elder major green sting survey canoe inmate funny bright jewel anchor volcano"
```
Below are several applications.
`bipsea derive --help` shows all available applications.
### base85 passwords
```sh
bipsea validate -m "$MNEMONIC" | bipsea xprv | bipsea derive -a base85
```
iu?42{I|2Ct{39IpEP5zBn=0
`-a` or `--application` tells `derive` what to derive. Without `-n`, `derive` uses
its default length for the application; pass `-n` to choose one explicitly
(BIP-85 allows 10 to 80 characters for base85).
Always quote `"$MNEMONIC"`: unquoted, the shell splits the twelve words into
twelve separate arguments and `validate` sees only the first.
### mnemonic phrases
```sh
bipsea validate -m "$MNEMONIC" | bipsea xprv | bipsea derive -a mnemonic -t jpn -n 12
```
ちこく へいおん ふくざつ ゆらい あたりまえ けんか らくがき ずほう みじかい たんご いそうろう えいきょう
As with all applications, you can change the child index from its default of zero
to get a fresh, repeatable secret.
### DRNG, enter the matrix
BIP-85 includes a deterministic random number generator (DRNG) that stretches the
64 bytes of derived entropy with SHAKE256 to any length you ask for.
```sh
bipsea validate -m "$MNEMONIC" | bipsea xprv | bipsea derive -a drng -n 1000
```
<1,000 bytes (2,000 hex characters) from the DRNG>
### PIN numbers from the DRNG with `-a dice`
bipsea implements cryptographic dice based on the BIP-85 DRNG.
To simulate ten 6-sided die rolls:
```sh
bipsea validate -m "$MNEMONIC" | bipsea xprv | bipsea derive -a dice -n 10 -s 6
```
4,2,5,3,4,4,4,5,0,3
> Die faces are numbered from 0 to `-s` minus 1, so a 10-sided die yields the
> digits 0 through 9 and, for instance, a proper 10-digit PIN.
For a 6-digit PIN roll a 10-sided virtual die six times (`-n 6 -s 10`).
4,9,9,3,7,6
# Technical discussion
## How are bipsea and hierarchical wallet derivation (BIP-85) useful?
BIP-85 enables you to protect and store a _single_ master secret
that can derive _millions of independent, multi-purpose secrets_.
The following benefits emerge:
1. Offers the security of numerous independent passwords with the operational efficiency
of a single master password. (The master secret can be multi-factor.)
1. Uses Bitcoin's well-tested hierarchical deterministic wallet
tree (including primitives like ECDSA and hardened children).
1. Generates millions of new mnemonics and master keys.
1. Generates millions of new passwords and random streams from a single master key.
Unlike a password manager, which protects many secrets with one hot secret,
BIP-85 _derives_ many secrets from one protected secret. Therefore you only need
to back up the derivation paths and the services they are for. You do not need to
back up the derived secrets.
You could safely store all derivation paths in a hot password manager like Apple Keychain.
You could even store the derived secrets in a hot password manager at no risk to
the master private key.
> bipsea alone is not a password manager, but you could use it to implement one.
> See [BIP-?: General secrets keychain with semantic derivation paths](https://github.com/akarve/bip-keychain)
> for more.
## How does it work?
The root of your BIP-85 password tree is an extended master private key (xprv).
> In general, you _should not use a wallet seed with funds in it_.
> In any case, fresh seeds are free and easy to generate with bipsea.
Child keys are then derived according to BIP-32 hierarchical deterministic
wallets with a clever twist:
the derivation path includes a purpose code (`83696968'`) followed by an _application_
code. In this way, each unique derivation path produces a unique, independent,
and secure _derived entropy namespace_ as a pure function of the master private key and
derivation path.
BIP-85 specifies a variety of application codes including the following:
| application code | description |
|------------------|-------------|
| `39'` | as in BIP-39, to generate seed words |
| `2'` | for HD-Seed wallet import format ([WIF](https://en.bitcoin.it/wiki/Wallet_import_format)) |
| `32'` | as in BIP-32, to generate extended private keys (xprv) |
| `128169'` | for 16 to 64 bytes of random hex |
| `707764'` | for 20 to 86 characters of a base64 password |
| `707785'` | for 10 to 80 characters of a base85 password |
bipsea implements all of the above applications plus the BIP-85 deterministic random
number generator (DRNG).
### Derivation
Consider `m/83696968'/707764'/10'/0'`. It produces a password such as
`dKLoepugzd` according to the following logic:
| path segment | description |
|--------------|-------------------------------------------|
| `m` | master private key |
| `83696968'` | purpose code for BIP-85 |
| `707764'` | application code for base64 password |
| `10'` | number of password characters |
| `0'` | index, 0 to 2³¹ - 1 for millions of unique passwords |
> `'` denotes hardened child derivation, recommended for all BIP-85 applications.
_Hardened_ derivation means that, even if both the parent public key and the child
private key are exposed, the parent private key remains secure.
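The following is an added example, not bipsea's own code, that walks the derivation table above and the hardened-derivation point just made in plain Python. It implements only the hardened BIP-32 step (`0x00 || k_par || ser32(i + 2³¹)`), so no public key and no ECDSA library are needed, then applies the BIP-85 HMAC keyed with `bip-entropy-from-k` and the base64 (`707764'`), hex (`128169'`), and DRNG applications. Assumptions: the DRNG path defaults to `0'/0'` as in the BIP-85 DRNG test vector, the dice function's rejection sampling is illustrative rather than bipsea's exact method, and the demo seed is the BIP-32 test-vector 1 seed, not a real secret.

```python
"""BIP-85 derivation over hardened-only BIP-32, in pure Python.

Added example (not bipsea's code). It follows the path layout described above:
m / 83696968' / <application>' / <parameters...>' / <index>'. Because every
step is hardened, no public key is ever computed, so hashlib and hmac suffice.
"""
from __future__ import annotations

import base64
import hashlib
import hmac

# Group order n of secp256k1; BIP-32 adds child keys modulo n.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000
BIP85_PURPOSE = 83696968                 # purpose code from BIP-85
BIP85_HMAC_KEY = b"bip-entropy-from-k"   # fixed HMAC key from BIP-85
APP_BASE64, APP_HEX = 707764, 128169     # application codes from the table above


def master_from_seed(seed: bytes) -> tuple[bytes, bytes]:
    """BIP-32 master node: HMAC-SHA512(key="Bitcoin seed", data=seed)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]  # (private key, chain code)


def derive_hardened(key: bytes, chain: bytes, index: int) -> tuple[bytes, bytes]:
    """One hardened BIP-32 step: data = 0x00 || k_par || ser32(index + 2^31).

    The parent *public* key never enters the HMAC, which is why a leaked xpub
    cannot be combined with a leaked child key to recover the parent key.
    """
    if not 0 <= index < HARDENED:
        raise ValueError("hardened index must be in [0, 2^31)")
    data = b"\x00" + key + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    child = (il + int.from_bytes(key, "big")) % SECP256K1_N
    if il >= SECP256K1_N or child == 0:  # probability about 2^-127; BIP-32 says skip i
        raise ValueError("invalid child key at this index")
    return child.to_bytes(32, "big"), digest[32:]


def bip85_entropy(seed: bytes, path: list[int]) -> bytes:
    """64 bytes of BIP-85 entropy: HMAC-SHA512(bip-entropy-from-k, k), where k is
    the private key at m/83696968'/path[0]'/.../path[-1]'."""
    key, chain = master_from_seed(seed)
    for index in (BIP85_PURPOSE, *path):
        key, chain = derive_hardened(key, chain, index)
    return hmac.new(BIP85_HMAC_KEY, key, hashlib.sha512).digest()


def base64_password(seed: bytes, length: int, index: int = 0) -> str:
    """Application 707764': first `length` characters of base64(entropy)."""
    if not 20 <= length <= 86:
        raise ValueError("BIP-85 base64 passwords are 20 to 86 characters")
    entropy = bip85_entropy(seed, [APP_BASE64, length, index])
    return base64.b64encode(entropy).decode("ascii")[:length]


def hex_bytes(seed: bytes, num_bytes: int, index: int = 0) -> bytes:
    """Application 128169': the first `num_bytes` bytes of the entropy."""
    if not 16 <= num_bytes <= 64:
        raise ValueError("BIP-85 hex application yields 16 to 64 bytes")
    return bip85_entropy(seed, [APP_HEX, num_bytes, index])[:num_bytes]


def drng(seed: bytes, num_bytes: int, path: list[int] | None = None) -> bytes:
    """BIP-85 DRNG: SHAKE256 stretched from the 64-byte entropy of a BIP-85 path.
    Assumption: the path defaults to 0'/0', as in the BIP-85 DRNG test vector."""
    return hashlib.shake_256(bip85_entropy(seed, path or [0, 0])).digest(num_bytes)


def dice(seed: bytes, rolls: int, sides: int, index: int = 0) -> list[int]:
    """Die faces 0..sides-1 drawn from the DRNG with rejection sampling, so no
    face is favoured by a plain `byte % sides`. (Illustrative; bipsea's exact
    sampling is not described on this page.)"""
    if not 2 <= sides <= 256:
        raise ValueError("sides must be in [2, 256]")
    limit = 256 - (256 % sides)   # accept only bytes below the largest multiple of sides
    size = max(64, 2 * rolls)
    while True:                   # SHAKE output is prefix-stable, so growing is safe
        stream = drng(seed, size, [0, index])
        faces = [b % sides for b in stream if b < limit][:rolls]
        if len(faces) == rolls:
            return faces
        size *= 2


if __name__ == "__main__":
    # Constructed demo seed (BIP-32 test vector 1 seed), not a real secret.
    demo_seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    print(base64_password(demo_seed, 21))
    print(hex_bytes(demo_seed, 16).hex())
    print(dice(demo_seed, 6, 10))
```

Run it with `python bip85_demo.py`; `derive_hardened` on the demo seed reproduces the BIP-32 test-vector 1 keys for `m` and `m/0'`, and every BIP-85 output is a pure function of the seed and the path, so changing the index (or any other path segment) yields an unrelated secret while the seed never leaves the machine.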
## BIP-32 hierarchical deterministic wallet tree
![](imgs/derivation.png)
## ECDSA for the curious and paranoid
BIP-85 derives the entropy for each application by computing an HMAC-SHA512, keyed with
the fixed string `bip-entropy-from-k`, of the private ECDSA key of the last hardened child.
Each private child key is a pure function of the parent private key, the parent chain
code, and the child index. In this way BIP-85 entropy is hierarchical, deterministic,
and irreversible: hardened derivation and the final HMAC rest on the one-wayness of
HMAC-SHA512, while the secrecy of any key whose public half is ever exposed rests on
ECDSA remaining secure.
ECDSA is believed to be secure but it may not even be possible to _prove_ the security
of _any_ cryptographic algorithm as such a proof would need to demonstrate strong
conjectures similar to "P is not equal to NP."
All of that to say **even the "most secure" algorithms are vulnerable to the**
**problem of induction**.
> Just because no one _has_ broken ECDSA
> doesn't mean no one _will_ break ECDSA.
"break" means the ability to derive a private key from the corresponding
public key, a feat believed but not proven to be infeasible in polynomial time
because it requires the attacker to solve the discrete logarithm problem for the
public key `P = k*G`, where `G` is the generator of the `secp256k1` elliptic curve and
`k` is the private key. The points of `secp256k1` form a cyclic group under point
addition whose order is `n`, and a private key is an integer modulo `n`. Computing `k`
from `k*G` is called the "discrete logarithm" because, just as `log_a(a^x) = x`
recovers an exponent, the attacker must recover the scalar `k` from the point `k*G`.
ECDSA is not [post-quantum secure](https://blog.cloudflare.com/pq-2024).
If someone were to build a so-far elusive quantum computer with enough
logical qubits to run Shor's algorithm, which computes discrete logarithms in
polynomial time, ECDSA would be broken.
As unlikely as such a machine may seem, the Chromium team is
[taking no chances](https://blog.chromium.org/2024/05/advancing-our-amazing-bet-on-asymmetric.html)
and has begun to roll out quantum-resistant key exchange in TLS.
# Developer
```sh
make
make test
```
See [Makefile](./Makefile) for more commands.
## Is the bipsea implementation correct?
bipsea passes all BIP-32, BIP-39, and BIP-85 test vectors in all BIP-39 languages
plus its own unit tests.
There is a single BIP-85 vector, which we believe to be incorrect in the spec,
marked as an xfail and [filed to BIP-85](https://github.com/bitcoin/bips/pull/1600).
# References
1. [BIP-32](https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki)
hierarchical deterministic wallets
1. [BIP-39](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki)
mnemonic seed words
1. [BIP-44](https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki)
generalized BIP-32 paths
1. [BIP-85](https://github.com/bitcoin/bips/blob/master/bip-0085.mediawiki)
generalized cryptographic entropy
# TODO
* [ ] Investigate switch to secure ECDSA libs with constant-time programming and
side-channel resistance.
  * [x] https://cryptography.io/en/latest/
    * Incomplete support for public key points
# Package metadata (from PyPI)
* Name: `bipsea`, version 3.0.0, license Apache-2.0
* Summary: Composable Python CLI for Bitcoin mnemonics and BIP-85 secrets.
* Author: Aneesh Karve
* Requires Python: >=3.8.1, <4.0
* Homepage and repository: https://github.com/akarve/bipsea
* Uploaded: 2024-10-15
* Wheel `bipsea-3.0.0-py3-none-any.whl` (92,912 bytes), sha256 `cd3cc5740b048a82b49cc826be6ce26310afdef5a652033bfd4bc928e19d573b`
* Source `bipsea-3.0.0.tar.gz` (97,699 bytes), sha256 `5c1c44ba65235fc2e9060dc8153b8a5ab62942980eb757b3575f29b6ce817302`