Preamble BIP: ? Title: Scrambling BIP39 recovery seeds Authors: Dr. Oso Phila Status: Draft Type: ? Assigned: ? License: Abstract This BIP describes a concept which helps to keep BIP39 recovery seeds safe if they get in the wrong hands. Copyright Motivation Assume I have a BIP32,39,44 et al compatible wallet with the BIP39 recovery seed ABCD (the letters A, B, C, D, E, ... represent a BIP39 word). Like everybody else I don't like the idea that it could get into the wrong hands. Let us define the scramble function S. S should work on ENT described in BIP39 (or on chunks of ENT which represent a mnemonic word - see text at the end) rather than on the mnemonic words, but to understand the concept better let us assume one can do math with the BIP39 mnemonic words. Scrambling the recovery seed ABCD with the scrambleword S1 gives S(ABCD,S1) = EFGH. EFGH is a valid BIP39 recovery seed and is safe to write down or to etch on a piece of steel and bury it in the backyard. If someone finds the recovery seed EFGH, he will restore the wrong binary master key. Only if he knows the scrambleword S1 he can descramble and compute S^-1(EFGH,S1) = ABCD and therefore the correct binary master key. Descrambling with a wrong password S^-1(EFGH,SW) = WXYZ should result in a valid recovery seed. Then we can store a small amount in the first address from EFGH and a suitable amount for dealing with $5 wrench attacks in the first address from WXYZ. Ideally, the scrambling function is - asymmetric S(EFGH,S1) not= ABCD - commutative S(S(ABCD,S1),S2) = S(S(ABCD,S2),S1) (If I remember correctly from university, the following is a bit tricky to achieve with discrete exponentiation: S(S(S(ABCD,S1),S2),S3) = S(S(S(ABCD,S1),S3),S2) = S(S(S(ABCD,S2),S1),S3) = S(S(S(ABCD,S2),S3),S1) = S(S(S(ABCD,S3),S1),S2) = S(S(S(ABCD,S3),S2),S1) ) (If being commutative only works when S is symmetric, we could define S(ABCD,secret) = s(s(ABCD,sec),ret) = EFGH where s is a symmetric function.) (If being commutative only works when S is applied 2, 4, 6, ... times, we could define S(ABCD,secret) = s(s(ABCD,sec),ret) = EFGH.) Then we can extend this concept to heritage: Assume I have two children. I scramble S(ABCD,S1) = EFGH and S(EFGH,S2) = MNOP. In parallel, I scramble S(ABCD,S2) = IJKL and S(IJKL,S1) = MNOP. I put a small amount into MNOP, a bigger amount into EFGH and IJKL and the major part into ABCD. I give S1 to child 1 and S2 to child 2 and MNOP to both of them. Each child has access to a part of my heritage without consent of the other child, but not to the whole sum. Of course both need to know that they sould never disclose the personal scrambleword to each other. If I put a third scrambleword S3 before ABCD (in other words: S(TOPS,S3) = ABCD), put the major part into TOPS and give S3 to the executor of my last will, my children will have only access to the full heritage after my death. Non-disclosure of the scramblewords is crucial of course. If S is only asymmetric (not commutative), we could get a similar result: S(S(ABCD,S1),S2) = MNOP. Assume that S(ABCD,S1) = EFGH. Then we get S^-1(MNOP,S2) = EFGH and S^-1(MNOP,S1) = QRST reveal each a valid recovery seed with a part of the sum. The scrambling function S should disregard the passphrase described in BIP39. In other words (let P be the passphrase): S(ABCDP,S1) = EFGHP if S(ABCD,S1) = EFGH. Then, we can use the passphrase feature independently of this proposal. The ideal hardware device or program would never print the recovery seed ABCD. It should, however, enter a "scramble mode" after generating ABCD, then let the user scramble ABCD with different scramblewords / scrambleword chains until everything is fine. In my example: I extract S(ABCD,S1) = EFGH , S(EFGH,S2) = MNOP , S(ABCD,S2) = IJKL , S(S(ABCD,S1),S2) = MNOP , maybe even S^-1(MNOP,SW) = WXYZ. For each of them, I get the chance to see an address to send some coins or even better: the device acts like the scrambled recovery seed is the correct one so I can use it in my favourite software. When I'm finished I confirm that I want to leave the "scramble mode". If I want to produce other scrambled recovery seeds, I have to enter a correct scrambled recovery seed and the corresponding scrambleword to enter the "scramble mode" again. If the scrambling function S works on chunks of ENT, the implementation could ask for the n-th scrambled word and S1 to compute the n-th unscrambled word. Then S would be independent of the length of ENT. Additionally, access to the "scramble mode" could be made easier by asking only for a part of the scrambled words and compare them to the stored ENT (if it does not compromise safety) or it could be made safer by asking some scrambled words during "scramble mode" (if I leave my computer when my device is in "scramble mode").