Bitcoin Development Mailinglist
 help / color / mirror / Atom feed
* [bitcoindev] BIP Idea: Scrambling BIP39 recovery seeds
@ 2026-03-28 13:41 dr.oso.phila.cgeyb via Bitcoin Development Mailing List
  2026-03-31  6:37 ` Jameson Lopp
  0 siblings, 1 reply; 2+ messages in thread
From: dr.oso.phila.cgeyb via Bitcoin Development Mailing List @ 2026-03-28 13:41 UTC (permalink / raw)
  To: bitcoindev

[-- Attachment #1: Type: text/plain, Size: 1558 bytes --]

Dear Developers

Thank you for dedicating your time on a thrilling project - Bitcoin.

Recently, this idea came into my mind. I tried to summarize and write it 
down as clear as possible, following BIP3, which states:
"As a first sketch of the proposal is taking shape, the authors should 
present it to the Bitcoin Development Mailing List. This gives the 
authors a chance to collect initial feedback and address fundamental 
concerns."
I refrained from forking the github bitcoin/bips tree just to upload one 
properly formatted document. I am no programmer and unfamiliar to the 
world of bitcoin developers, so forgive me if I do things which seem 
strange to you.

The main question about this idea is: does a suitable function exists? I 
thought of discrete exponentiation. But as a former math student, I 
remember that this does not always work as expected beforehand...
All I know that a similar concept is used in Diffie-Hellman Key Exchange 
and you're more into cryptography as I am. Therefore I thought that it's 
best to ask this question to you. Maybe you have a better idea.

If no idea comes up, well... then it's a dead end.

Best
Dr. Oso Phila, a small bug

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/177470526996.8.13158104493925689779.1256635257%40aleeas.com.

[-- Attachment #2: bi-prop --]
[-- Type: text/plain, Size: 4877 bytes --]

Preamble
BIP: ?
Title: Scrambling BIP39 recovery seeds
Authors: Dr. Oso Phila <dr.oso.phila.cgeyb@aleeas.com>
Status: Draft
Type: ?
Assigned: ?
License: <SPDX License Expression>


Abstract
This BIP describes a concept which helps to keep BIP39 recovery seeds safe if they get in the wrong hands.

Copyright

Motivation
Assume I have a BIP32,39,44 et al compatible wallet with the BIP39 recovery seed ABCD (the letters A, B, C, D, E, ... represent a BIP39 word). Like everybody else I don't like the idea that it could get into the wrong hands.

Let us define the scramble function S. S should work on ENT described in BIP39 (or on chunks of ENT which represent a mnemonic word - see text at the end) rather than on the mnemonic words, but to understand the concept better let us assume one can do math with the BIP39 mnemonic words. Scrambling the recovery seed ABCD with the scrambleword S1 gives S(ABCD,S1) = EFGH. EFGH is a valid BIP39 recovery seed and is safe to write down or to etch on a piece of steel and bury it in the backyard. If someone finds the recovery seed EFGH, he will restore the wrong binary master key. Only if he knows the scrambleword S1 he can descramble and compute S^-1(EFGH,S1) = ABCD and therefore the correct binary master key.

Descrambling with a wrong password S^-1(EFGH,SW) = WXYZ should result in a valid recovery seed. Then we can store a small amount in the first address from EFGH and a suitable amount for dealing with $5 wrench attacks in the first address from WXYZ.

Ideally, the scrambling function is
- asymmetric S(EFGH,S1) not= ABCD
- commutative S(S(ABCD,S1),S2) = S(S(ABCD,S2),S1)
(If I remember correctly from university, the following is a bit tricky to achieve with discrete exponentiation: S(S(S(ABCD,S1),S2),S3) = S(S(S(ABCD,S1),S3),S2) = S(S(S(ABCD,S2),S1),S3) = S(S(S(ABCD,S2),S3),S1) = S(S(S(ABCD,S3),S1),S2) = S(S(S(ABCD,S3),S2),S1) )
(If being commutative only works when S is symmetric, we could define S(ABCD,secret) = s(s(ABCD,sec),ret) = EFGH where s is a symmetric function.)
(If being commutative only works when S is applied 2, 4, 6, ... times, we could define S(ABCD,secret) = s(s(ABCD,sec),ret) = EFGH.)

Then we can extend this concept to heritage:

Assume I have two children. I scramble S(ABCD,S1) = EFGH and S(EFGH,S2) = MNOP. In parallel, I scramble S(ABCD,S2) = IJKL and S(IJKL,S1) = MNOP. I put a small amount into MNOP, a bigger amount into EFGH and IJKL and the major part into ABCD. I give S1 to child 1 and S2 to child 2 and MNOP to both of them. Each child has access to a part of my heritage without consent of the other child, but not to the whole sum. Of course both need to know that they sould never disclose the personal scrambleword to each other.
If I put a third scrambleword S3 before ABCD (in other words: S(TOPS,S3) = ABCD), put the major part into TOPS and give S3 to the executor of my last will, my children will have only access to the full heritage after my death. Non-disclosure of the scramblewords is crucial of course.

If S is only asymmetric (not commutative), we could get a similar result: S(S(ABCD,S1),S2) = MNOP. Assume that S(ABCD,S1) = EFGH. Then we get S^-1(MNOP,S2) = EFGH and S^-1(MNOP,S1) = QRST reveal each a valid recovery seed with a part of the sum.

The scrambling function S should disregard the passphrase described in BIP39. In other words (let P be the passphrase): S(ABCDP,S1) = EFGHP if S(ABCD,S1) = EFGH. Then, we can use the passphrase feature independently of this proposal.

The ideal hardware device or program would never print the recovery seed ABCD. It should, however, enter a "scramble mode" after generating ABCD, then let the user scramble ABCD with different scramblewords / scrambleword chains until everything is fine. In my example: I extract S(ABCD,S1) = EFGH , S(EFGH,S2) = MNOP , S(ABCD,S2) = IJKL , S(S(ABCD,S1),S2) = MNOP , maybe even S^-1(MNOP,SW) = WXYZ. For each of them, I get the chance to see an address to send some coins or even better: the device acts like the scrambled recovery seed is the correct one so I can use it in my favourite software. When I'm finished I confirm that I want to leave the "scramble mode". If I want to produce other scrambled recovery seeds, I have to enter a correct scrambled recovery seed and the corresponding scrambleword to enter the "scramble mode" again.

If the scrambling function S works on chunks of ENT, the implementation could ask for the n-th scrambled word and S1 to compute the n-th unscrambled word. Then S would be independent of the length of ENT. Additionally, access to the "scramble mode" could be made easier by asking only for a part of the scrambled words and compare them to the stored ENT (if it does not compromise safety) or it could be made safer by asking some scrambled words during "scramble mode" (if I leave my computer when my device is in "scramble mode").

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-03-31  9:33 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-03-28 13:41 [bitcoindev] BIP Idea: Scrambling BIP39 recovery seeds dr.oso.phila.cgeyb via Bitcoin Development Mailing List
2026-03-31  6:37 ` Jameson Lopp

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox