Even if only the first three characters are significant/considered, the English wordlists differ quite a bit, in terms of population (2048 words vs 1626) as well as content (other language versions probably do too?). Any reason why?
I am comparing Electrum's english.txt to Monero's english.h.
Does this mean that mymonero-simplewallet wouldn't accept a Bitcoin-style seed phrase I generated inside Electrum (and not inside Monero)?
Neither seed type would be accepted in the current implementation of monero-wallet-cli (--restore-deterministic-wallet) anyway because (the latter) only accepts 25-word seeds. But I tried converting 13-word (official) Electrum seeds using Luigi's address tool but those are failing too :(
1 Answer
Any reason why?
TL;DR: It's a different convention. Monero is not a fork of Bitcoin, so most things were worked out from scratch.
Does this mean that mymonero-simplewallet wouldn't accept a Bitcoin-style seed phrase I generated inside Electrum (and not inside Monero)?
Yes
Neither seed type would be accepted in the current implementation of monero-wallet-cli (--restore-deterministic-wallet) anyway because (the latter) only accepts 25-word seeds. But I tried converting 13-word (official) Electrum seeds using Luigi's address tool but those are failing too :(
That's to be expected because it's a different convention. It's not only the matter of wordlist and length, but the whole checksum and key derivation process.
If you really want to have one mnemonic for both Bitcoin and Monero, you'd have to hash the Electrum mnemonic with something to get a 256-bit integer, and continue from there, or invent some other method.
The simplest way is to input your Electrum seed into the "custom entropy" box on the Monero offline wallet generator. If you go this way, save a copy of that page somewhere for future reference. Given the same input, it will always create the same Monero wallet with the corresponding Monero mnemonic. This will run the string through 10000 rounds of Keccak-256 and use the result as your seed and private key. Looking at the source of the site, your seed will be derived using:

```js
// From the offline generator's source: the seed is the reduced hash of the user-supplied string.
seed = cnUtil.sc_reduce32(poor_mans_kdf(user_entropy));

// Hash the entropy string with 10000 rounds of Keccak-256.
// cnUtil, cnBase58 and keccak_256 are helpers loaded by the generator page.
function poor_mans_kdf(str) {
    var hex = cnBase58.bintohex(cnBase58.strtobin(str));
    for (var n = 0; n < 10000; ++n) {
        hex = keccak_256(cnBase58.hextobin(hex));
    }
    return hex;
}
```
Note that sc_reduce32 actually performs a = a mod l operation, where l is defined in CryptoNote whitepaper. This is to make the seed a point on the elliptic curve and a valid private key.
Any reason why?
Long answer
Looking at Electrum documentation, we find the following:
Electrum was the first Bitcoin wallet to derive private keys from a seed phrase made of English words. Early versions of Electrum (before 2.0) used a bidirectional encoding between seed phrase and entropy. This type of encoding requires a fixed wordlist. This means that future versions of Electrum must ship with the exact same wordlist, in order to be able to read old seed phrases.
BIP39 was introduced two years after Electrum. BIP39 seeds include a checksum, in order to help users figure out typing errors. However, BIP39 suffers the same shortcomings as early Electrum seed phrases:
...
Electrum currently uses the same wordlist as BIP39 (2048 words). A typical seed has 12 words, which results in 132 bits of entropy in the choice of the seed.
In Electrum, the seed is used as the root for deriving individual Bitcoin keys (addresses). Since Monero only needs one address, the seed is used to derive the private key of the address, and that's all it's used for. Actually, seed == private spend key, and the private view key is derived from it. Public counterparts of those are what makes a Monero address.
Electrum is trying to achieve the following: have the mnemonic seed generate the same HD wallet, without having to know the dictionary used to create it. The size of dictionary was chosen to give exactly 11-bits of entropy to each word in the mnemonic, resulting in total of 132-bits for 12 words.
Monero is not a fork of Bitcoin and neither is Monero wallet software a fork of Electrum, so it did not inherit this.
Monero uses another philosophy. A seed mnemonic is just an encoding of a 256-bit integer seed. It's 2-way. You can always calculate back and forth BUT you need to have the dictionary to recover the wallet. This has a benefit that you can convert an English seed into Japanese, or any other language and get the same result. This allows far more flexibility but the "drawback" is that you have to keep the dictionary around. I'd argue you always need to keep something around (with Electrum, it would be the technical specification of the method used) anyway, so what's the point of wanting to get rid of the dictionary?
The number of words is such that there's approximately the same number of combinations of 24 words as there are 256-bit numbers. The words were chosen to prevent mix-ups, and also so that all have a unique 3-letter prefix. We see that 1626^24 is approximately equal to 2^256, so it's possible to encode 256 bits into 24 words (the 25th is the checksum).
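As an added illustration of the encoding described above (this is example code, not code from the page or from the Monero project): Monero's reference wallet splits the 32-byte seed into 4-byte little-endian chunks, maps each chunk to three indices into the 1626-word list, and appends a 25th word chosen by a CRC32 over the 3-letter prefixes of the first 24 words. The wordlist below is a constructed stand-in with unique prefixes, since the real english.h is not reproduced here; `translate` shows why the same seed can be re-expressed in another dictionary.

```python
import zlib

N = 1626         # size of Monero's wordlist (from the page)
PREFIX_LEN = 3   # English words are unique in their first three letters

def stand_in_wordlist(suffix="x", n=N):
    """Constructed placeholder with unique 3-letter prefixes; NOT Monero's real english.h."""
    return [chr(97 + i // 676) + chr(97 + i // 26 % 26) + chr(97 + i % 26) + suffix
            for i in range(n)]

def checksum_index(body):
    """CRC32 over the 3-letter prefixes picks which of the 24 words is repeated as the 25th."""
    return zlib.crc32("".join(w[:PREFIX_LEN] for w in body).encode()) % len(body)

def seed_to_words(seed, words):
    """Encode a 32-byte seed: each 4-byte little-endian chunk becomes three word indices."""
    n, body = len(words), []
    for i in range(0, 32, 4):
        x = int.from_bytes(seed[i:i + 4], "little")
        w1 = x % n
        w2 = (x // n + w1) % n
        w3 = (x // n // n + w2) % n
        body += [words[w1], words[w2], words[w3]]
    return body + [body[checksum_index(body)]]

def words_to_seed(mnemonic, words):
    """Invert the encoding; rejects a wrong length, unknown word or bad checksum word."""
    if len(mnemonic) != 25:
        raise ValueError("expected 25 words")
    body, index = mnemonic[:24], {w[:PREFIX_LEN]: i for i, w in enumerate(words)}
    if mnemonic[24][:PREFIX_LEN] != body[checksum_index(body)][:PREFIX_LEN]:
        raise ValueError("checksum word does not match")
    n, seed = len(words), bytearray()
    for j in range(0, 24, 3):
        try:
            w1, w2, w3 = (index[w[:PREFIX_LEN]] for w in body[j:j + 3])
        except KeyError as bad:
            raise ValueError(f"word not in dictionary: {bad}") from None
        # n**3 > 2**32, so the three modular differences recover x exactly
        x = w1 + n * ((w2 - w1) % n) + n * n * ((w3 - w2) % n)
        if x >= 1 << 32:
            raise ValueError("word triple does not decode to a 32-bit chunk")
        seed += x.to_bytes(4, "little")
    return bytes(seed)

def translate(mnemonic, src_words, dst_words):
    """Same 256-bit integer, different dictionary: this is how a seed changes language."""
    return seed_to_words(words_to_seed(mnemonic, src_words), dst_words)
```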
For more details: