Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sanity checks for entropy size #37

Merged
merged 3 commits into from
May 12, 2017
Merged

Sanity checks for entropy size #37

merged 3 commits into from
May 12, 2017

Conversation

rubensayshi
Copy link
Contributor

@rubensayshi rubensayshi commented Oct 5, 2016
edited
Loading

In #33 I tried coming up with a solution to deal witih odd sizes of entropy and the resulting checksum hell.

Instead the only sane solution seems to be to do better sanity checks in the entropy;

  1. It should always be a multitude of 4 bytes, that way it will always result in a multitude of 11 bits (including checksum) and no weird padding things will happen with the checksum.
  2. It should not allow entropy above 1024 bytes, because at that point we've reached the max length of the checksum (sha256) and if we continue (without padding the checksum) the above rule won't hold

The only alternative for the max 1024 bytes would be to pad the checksum to keep the first rule in tact, but since the BIP39 spec doesn't mention anything like that it doesn't seem like a good choice.

@rubensayshi rubensayshi force-pushed the checksum-padding-fix2 branch from 26ba2c2 to 1b8e64b Compare October 5, 2016 15:07
@rubensayshi
Copy link
Contributor Author

@dcousens I think the other PR should be reverted, are you gonna commit revert it or rollback history?

I can rebase after

@rubensayshi rubensayshi force-pushed the checksum-padding-fix2 branch 2 times, most recently from d1f0dc8 to 1f9b012 Compare October 5, 2016 15:48
@afk11
Copy link

afk11 commented Oct 5, 2016

entropy.length % 4 === 0 probably introduces the biggest side effects. I had a situation where the data would vary in length, so I used padding to keep BIP39 happy. This should stop it from producing mnemonics it can't decode.

@dcousens
Copy link
Contributor

dcousens commented Oct 5, 2016

I'm happy for you to revert it in this PR

@dcousens
Copy link
Contributor

dcousens commented Oct 6, 2016

Maybe we should ask @voisine or @prusnak

@dcousens dcousens added this to the 2.3.0 milestone Oct 6, 2016
@rubensayshi rubensayshi force-pushed the checksum-padding-fix2 branch 2 times, most recently from da4a20c to 0023ef8 Compare October 6, 2016 11:46
@rubensayshi
assert that length of entropy is a multitude of 4.
2a5f482 
limit max entropy to 1024 bytes, at which point we've reached the max size of the checksum.
@rubensayshi rubensayshi force-pushed the checksum-padding-fix2 branch from 0023ef8 to 2a5f482 Compare October 6, 2016 12:49
@dcousens
Copy link
Contributor

We shouldn't forget about this.
@afk11 lets try and close this soon too 👍

@afk11
Copy link

afk11 commented Oct 26, 2016
edited
Loading

@dcousens definitely.

We should ping @voisine and @prusnak about the following constraints which apply to BIP39.

  • entropyToMnemonic:
    • byteLength > 0 && byteLength <= 1024
    • byteLength % 4 == 0
  • mnemonicToEntropy
    • derived byteLength <= 1024

I'll open a PR on bitcoin/bips to prompt discussion, since other implementations seem to have made different approaches.

NBitcoin is restrictive, but avoids it by rejecting entropy where the length isn't one of these: 128, 160, 192, 224, 256.
https://github.com/MetacoSA/NBitcoin/blob/733092083ce5b256337be3b6ea8791ddf500b8da/NBitcoin/BIP39/Mnemonic.cs#L91
https://github.com/MetacoSA/NBitcoin/blob/733092083ce5b256337be3b6ea8791ddf500b8da/NBitcoin/BIP39/Mnemonic.cs#L59

Bitcore-Mnemonic produces mnemonics it can't decode:
https://github.com/bitpay/bitcore-mnemonic/blob/master/lib/mnemonic.js#L247

BitcoinPHP (mine) had the same issue, and for variable length entropy, I resorted to padding to avoid problems. Ruben patched it already :)

@afk11 afk11 mentioned this pull request Nov 2, 2016
Closed
@dcousens
Copy link
Contributor

dcousens commented Mar 15, 2017
edited
Loading

Was the conclusion:

please open issues/pull requests to implementations asking them to set limit between 128-256 bits

?
Do I close this and open a limiting PR?

Ref bitcoin/bips@5b1c59d

@dcousens dcousens closed this May 12, 2017
@dcousens dcousens reopened this May 12, 2017
@dcousens dcousens closed this May 12, 2017
@dcousens dcousens reopened this May 12, 2017
@dcousens dcousens merged commit f6bcccc into bitcoinjs:master May 12, 2017
@dcousens dcousens mentioned this pull request May 12, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@dcousens dcousens

@rubensayshi rubensayshi

@afk11 afk11

Labels
None yet
Projects
None yet
Milestone
2.3.0
Development

Successfully merging this pull request may close these issues.
3 participants
@rubensayshi @afk11 @dcousens