aezeed: add new package implementing the aezeed cipher seed scheme

[Roasbeef]

In this PR, we add a new package implementing the aezeed cipher
seed scheme (based on aez).

This is a new scheme developed that aims to overcome the
two major short comings of BIP39: a lack of a version, and a lack of a
wallet birthday. A lack a version means that wallets may not
necessarily know how to re-derive addresses during the recovery
process. A lack of a birthday means that wallets don’t know how far
back to look in the chain to ensure that they derive all the proper
user addresses. Additionally, BIP39 use a very weak KDF. We use
scrypt with modern parameters (n=32768, r=8, p=1). A set of benchmarks has
been added, on my laptop I get about 100ms per attempt):

⛰ go test -run=XXX -bench=.

goos: darwin
goarch: amd64
pkg: github.com/lightningnetwork/lnd/aezeed
BenchmarkToMnenonic-4     	      10	 102287840 ns/op
BenchmarkFromMnenonic-4   	      10	 105874973 ns/op
PASS
ok  	github.com/lightningnetwork/lnd/aezeed	3.036s

Aside from addressing the shortcomings of BIP 39 a cipher seed
can: be upgraded, and have it's password changed,

Sample seed:

ability dance scatter raw fly dentist bar nominee exhaust wine snap super cost case coconut ticket spread funny grain chimney aspect business quiz ginger

Plaintext aezeed encoding

The aezeed scheme addresses these two drawbacks and adds a number of
desirable features. First, we start with the following plaintext seed:

1 byte internal version || 2 byte timestamp || 16 bytes of entropy

The version field is for wallets to be able to know how to re-derive
the keys of the wallet.

The 2 byte timestamp is expressed in Bitcoin Days Genesis, meaning that
the number of days since the timestamp in Bitcoin’s genesis block. This
allow us to save space, and also avoid using a wasteful level of
granularity. With the currently, this can express time up until 2188.

Finally, the entropy is raw entropy that should be used to derive
wallet’s HD root.

aezeed enciphering/deciperhing

Next, we’ll take the plaintext seed described above and encipher it to
procure a final cipher text. We’ll then take this cipher text (the
CipherSeed) and encode that using a 24-word mnemonic. The enciphering
process takes a user defined passphrase. If no passphrase is provided,
then the string “aezeed” will be used.

To encipher a plaintext seed (19 bytes) to arrive at an enciphered
cipher seed (33 bytes), we apply the following operations:

• First we take the external version an append it to our buffer. The
  external version describes how we encipher. For the first version
  (version 0), we’ll use scrypt(n=32768, r=8, p=1) and aezeed.
• Next, we’ll use scrypt (with the version 9 params) to generate a
  strong key for encryption. We’ll generate a 32-byte key using 5 bytes
  as a salt. The usage of the salt is meant to make the creation of
  rainbow tables infeasible.
• Next, the enciphering process. We use aez, modern AEAD with
  nonce-misuse resistance properties. The important trait we exploit is
  that it’s an arbitrary input length block cipher. Additionally, it
  has what’s essentially a configurable MAC size. In our scheme we’ll use
  a value of 8, which acts as a 64-bit checksum. We’ll encrypt with our
  generated seed, and use an AD of (version || salt).
• Finally, we’ll encode this 33-byte cipher text using the default
  world list of BIP 39 to produce 24 english words.

Properties of the aezeed cipher seed

The aezeed cipher seed scheme has a few cool properties, notably:

• The mnemonic itself is a cipher text, meaning leaving it in
  plaintext is advisable if the user also set a passphrase. This is in
  contrast to BIP 39 where the mnemonic alone (without a passrphase) may
  be sufficient to steal funds.
• A cipherseed can be modified to change the passphrase. This
  means that if the users wants a stronger passphrase, they can decipher
  (with the old passphrase), then encipher (with a new passphrase).
  Compared to BIP 39, where if the users used a passphrase, since the
  mapping is one way, they can’t change the passphrase of their existing
  HD key chain.
• A cipher seed can be upgraded. Since we have an external version,
  offline tools can be provided to decipher using the old params, and
  encipher using the new params. In the future if we change ciphers,
  change scrypt, or just the parameters of scrypt, then users can easily
  upgrade their seed with an offline tool.

[alexbosworth]

should this be CipherTextExpansion?

[Roasbeef]

Fixed.

[jonathancross]

This is fantastic! Exactly what we'd need to bring Electrum and BIP39 wallets into a common standard without compromising the benefits of each approach. Will you be submitting a BIP for this?

[wpaulino]

Solid set of changes! Excited to see this merged 💯

I really dig the simplicity of the cipher seed scheme and the properties it enables. I've left a couple comments, but they're mostly pretty minor.

[wpaulino]

typo: generate*

[Roasbeef]

Fixed.

[wpaulino]

nit: s/wallet/wallets

[Roasbeef]

Fixed.

[wpaulino]

nit: s/maintain/maintaining

[Roasbeef]

Fixed.

[wpaulino]

nit: extra "to"

[Roasbeef]

Fixed.

[wpaulino]

nit: s/encode/encoded

[Roasbeef]

Fixed.

[wpaulino]

Shouldn't this be 5 bytes?

[Roasbeef]

Yep, we modified the params a bit recently.

[wpaulino]

nit: missing comment

[Roasbeef]

Added comment.

[wpaulino]

nit: "of" isn't needed

[Roasbeef]

Fixed.

[wpaulino]

This doesn't seem to be used other than setting it when computing the ciphertext. If it's meant to be a cache, then we'd want to check if it was set before trying to compute it.

[Roasbeef]

Yeah I had an initial use for it, but changed my mind towards the end. Updated to remove the field all together.

[wpaulino]

Shouldn't we cache the ciphertext here as well?

[wpaulino]

Also, we'll want to check if a password was provided like in ToMnemonic. It might be better to move the check into encipher to avoid having to do it in both Encipher and ToMnemonic.

[Roasbeef]

Fixed.

[Roasbeef]

@jonathancross once we get a bit of real world usage, we may submit a BIP. For now, it fits our use case precisely, so we'd rather include it immediately in the next release, rather than trying to make it a standard from the get go. Since we have an external version, if anything changes in the process, then we can provide an upgrade tool for anyone with an existing tool.

[cfromknecht]

Super excited about this new seed format, it offers so many benefits/improvements over current BIP39, e.g. birthdays! Also cool to see some more example of the quick testing package in action :)

Biggest change is just a simple %s/mnenonic/mnemonic/g, plus some others that exist due to casing. I tried to comment on the important functions/variables/types that had the mispelling, but there be others.

[cfromknecht]

The bytes.Buffer struct has a 64-byte bootstrap array. We can get rid of two allocations by just using

var seedBytes bytes.Buffer

[cfromknecht]

Comment formatting needs fixing

[cfromknecht]

ignore this, was carried over from review i had started a few days ago

[cfromknecht]

Add note that these constants are tied to external version 0?

[cfromknecht]

dates -> days

[cfromknecht]

unnecessary dereference? or is this our preferred syntax within lnd style guidelines?

[cfromknecht]

mnenonic -> mnemonic

[cfromknecht]

Use saltOffset constant described above here and next line

[cfromknecht]

This operation assumes that every word of mnemonic is actually in the reversed word list. This seems like the logical place to verify that the provided words are valid, maybe returning ErrUnknownMnenomicWord if we don't know a particular one.

[cfromknecht]

NumMnenonicWords -> NumMnemonicWords

[cfromknecht]

almost! BenchmarkToMnenonic -> BenchmarkToMnemonic

[cfromknecht]

Add b.ReportAllocs() here as well

[Roasbeef]

Added.

[cfromknecht]

Add b.ReportAllocs() here so that we can measure bytes/allocs per invocation?

[Roasbeef]

Fixed.

[Roasbeef]

Added.

[ecdsa]

interesting.
do you really need day granularity for the timestamp? you could use block_height//2016

[cfromknecht]

@ecdsa tying the birthday to a particular block height would require the seed format to know about the parameters of the underlying chain. the rationale behind not doing so is that an aezeed can be used to secure keys on any/multiple chains without modification, while also being flexible enough to allow the same seed to add derivation paths for other currencies at a later time.

most importantly, using the block height in the birthday would require you to sync the [header] chain before creating the seed.

that aside, I believe your point is about potentially increasing the granularity? we definitely could increase it, though with day granularity we should be good until almost 2188. with 2-week intervals, it would approach the year 4251. note that this is only a bound on the birthday of the seed, not a bound on the seed's lifetime. IMO I think this is a happy medium in terms of granularity, has a super simple implementation, and works on any chain!

[Roasbeef]

Alrighty, pushed out a fixup commit that adds the ability to detect if a word isn't in the original list, and also if the mnemonic was entered incorrectly.

@cfromknecht PTAL.

[cfromknecht]

Alrighty, I really like this last set of changes. The addition of an external checksum gives us some integrity, as well as a way to distinguish invalid passwords from invalid mnemonics. LGTM conditioned on one last spelling correction! Long live aezeed ⚡️

[cfromknecht]

Nice additions!

[cfromknecht]

😂

[cfromknecht]

remove* and verify

[Roasbeef]

Fixed.

[dabura667]

Super cool.

[halseth]

Is the non-exported version of this method really needed?

[halseth]

extract the default passphrase into constant?

[Roasbeef]

Fixed.

[halseth]

this should be "aezeed"?

[Roasbeef]

Fixed.

[halseth]

s/saw/raw?

[Roasbeef]

Fixed.

[halseth]

I don't get this... That the users can encrypt the plaintext unders distinct passwords, is that a desirable feature or not?

[Roasbeef]

Yes, this means they can replicate the same seed widely under distinct passwords. Each one when decrypted will allow then to restore their wallet.

One can even take an existing seed, and then produce a new one with a diff passphrase.

[cfromknecht]

I thought about the case in which we may want to allow the user to just copy and paste the raw seed output (including the header and footer) and the need to make the seed easily parseable. I made another version that both writes and reads the seed entirely, the primary distinction is that each field is now just <num>:<word> instead of <num>. <word> which makes parsing simpler.

Some demo code in a playground is here: https://play.golang.org/p/nD4YLW_HW5o

This isn't necessary for this PR, but figured I'd make note of it here in case we want to add or come back to this later.

The new logic also is more general to allow us to try varying the number of columns. I still think 4 looks the best, but this should allow us to try out whatever combinations we want :)

[ecdsa]

@Roasbeef can you clarify the purpose of the version number? is it there only in order to be able to upgrade the cipher (and the key derivation remains unspecified, as in BIP43) , or will it also be used to specify the key derivation?

[Roasbeef]

@ecdsa there're two versions: external and internal.

The external version governs how to decipher the cipher seed. So: key derivation parameters, checksum verification, salt. In the future if we upgrade any of these parameters, users can use an offline tool to "upgrade" their seed.

The internal version is for the wallet. It tells that wallet how to go about re-deriving all the addresses for the user. Unlike the external version (in my mental model at least), wallets don't need to agree on what this value is, or how it should be interpreted. So for example a version of 0 could mean to a wallet: "use bip44". While a version of 1 could mean: "use bip49 and bip84". If a wallet gets the deciphered cipher seed, and doesn't recognize the version, then it should reject it.

[jimpo]

Looks really good. The design is sweet.

[jimpo]

tau of 4 bytes

[jimpo]

typo: defaultPassphrase

[jimpo]

Agree with @cfromknecht's comment to move this check into mnemonicToCipherText.

[jimpo]

Would it make sense to roll the salt here as well?

[JeremyRubin]

I know this is already merged, but I wanted to propose an alternative for the birthday mechanism which strengthens the 'exclusion proof' property.

If one uses a block hash instead of a clock-time, it makes it cryptographically impossible to pick a future birthdate. Picking a future time undermines the utility of the birthdate for proving that no transactions would be present before a certain time. However, even an honest seed-creator can't preclude themselves from creating a future-timed seed. This is because a big reorg could place transactions created after the creation of the seed to before the creation of the seed.

Using a blockhash instead of clock-time doesn't solve this problem, but it allows us to detect that this has occurred and then revert to a chain scan up to the most-recent-ancestor of the header hash used.

To keep this from adding overhead to the seed, what can be done is to only allow using every 144th (e.g. bitcoin-day) header hash. This can be specified using the same 2 byte index, then the client simply has to fetch the header-hash from the network and include it. One must be careful to ensure that it is indeed the same blockhash, otherwise no addresses will be found. This risk can be mitigated by not using the indexing trick above to save 30 bytes (storing the header with the seed directly) or by making use of the aez checksum.

[Jason-123-cyber]

OK

[Jason-123-cyber]

TK

[Jason-123-cyber]

K

[Jason-123-cyber]

OK