Table of Contents
- Electrum criticism of BIP39
- Entropy requirements not well defined
- Alternative binary-to-word encodings
- Inflexibility: entropy of 128, 160, 192, 224, 256 bit length limit is imposed instead of accepting any length (between 128-256).
- Complexity: SHA-256 calculation may be avoided and/or separated (option)
- Separation of concerns: key generation technique
- Robustness: POSIX shell reserved words are used in the BIP39 wordlist
Electrum criticism of BIP39
Source: http://docs.electrum.org/en/latest/seedphrase.html (as of 2017-1-27)
BIP39 was introduced two years after Electrum. BIP39 seeds include a checksum, in order to help users figure out typing errors. However, BIP39 suffers the same shortcomings as early Electrum seed phrases:
-
A fixed wordlist is still required. Following our recommendation, BIP39 authors decided to derive keys and addresses in a way that does not depend on the wordlist. However, BIP39 still requires the wordlist in order to compute its checksum, which is plainly inconsistent, and defeats the purpose of our recommendation. This problem is exacerbated by the fact that BIP39 proposes to create one wordlist per language. This threatens the portability of BIP39 seed phrases.
-
BIP39 seed phrases do not include a version number. This means that software should always know how to generate keys and addresses. BIP43 suggests that wallet software will try various existing derivation schemes within the BIP32 framework. This is extremely inefficient and rests on the assumption that future wallets will support all previously accepted derivation methods. If, in the future, a wallet developer decides not to implement a particular derivation method because it is deprecated, then the software will not be able to detect that the corresponding seed phrases are not supported, and it will return an empty wallet instead. This threatens users funds.
For these reasons, Electrum does not generate BIP39 seeds.
Entropy requirements not well defined
Author: Liraz Siri 2017-1-27
BIP39 requires a minimum 128-bits of entropy. Some people are suggesting this means deterministic Wallet creation procedures cannot output BIP39 because the user may provide less than 128 bits of entropy (e.g., in a passphrase). Another problem is that what constitutes true entropy in this context is not well defined. You can verify conformity to mnemonics and checksums, but it's hard to verify how much source entropy is in the process that generates the 128/256 bits you feed into a BIP39 compliant generation procedure. A CSPRNG is not necessarily better than a user supplied passphrase fed into a KDF, and may be worse. It depends on the amount of source entropy that goes into the CSPRNG and whether the CSPRNG is operating correctly. Whether something is or isn't conforming to BIP39 shouldn't depend on unverifiable premises.
--
The lack of versioning is a serious design flaw in this proposal. On this basis alone I would recommend against use of this proposal. The general design is a thinly disguised brainwallet. Experience with user behavior shows that the user of user passphrases is more or less unconditionally unsafe and yet very attractive to users. If this proposal is implemented it should not be implemented without the checksum enforced. Without it this proposal is an attractive nuisance which has directly caused funds loss.-- Greg Maxwell 2017-03-14
Alternative binary-to-word encodings
There are alternative binary-to-word encodings, e.g. PGP word list (a.k.a biometric Word List), EEF Word Lists (https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases), RFC-1760 2048 words (a.k.a. S/KEY 6-Words ). There aren't adventages and disadvantages of BIP-39 in comparison to the alternatives described. --Greg Tonoski, 2023-09-13
Inflexibility: entropy of 128, 160, 192, 224, 256 bit length limit is imposed instead of accepting any length (between 128-256).
--Greg Tonoski, 2023-09-13
Complexity: SHA-256 calculation may be avoided and/or separated (option)
Are there any benefits of SHA-256-derived checksum requirement? User ends up in the same situation if they input incorrect words - irrespectively of the checksum appended. Typing errors are not prevented. --Greg Tonoski, 2023-09-13
Separation of concerns: key generation technique
Key generation techniques may vary and co-exist. They are not dependent on Bitcoin protocol and vice-versa. While there are benefits of interoperability (e.g. standardized format of keys), the key generation techniques (e.g. PBKDF2, "The iteration count is set to 2048", source of randomness) may be treated separately and individually. --Greg Tonoski, 2023-09-13
Robustness: POSIX shell reserved words are used in the BIP39 wordlist
Shells may interpret some words as reserved ones if not quoted, e.g. time, then, select, until. --Greg Tonoski, 2023-09-14