
README: edit BIP32 section

MMGen 6 years ago
commit 29933ce0bf
1 changed file with 31 additions and 15 deletions

README.md

@@ -74,21 +74,36 @@ wallet file.
 
 #### Why MMGen is not a BIP32 wallet
 
-Most popular deterministic wallets use the elliptic-curve-based BIP32 or
-Electrum protocols to generate their key/address pairs.  MMGen, on the other
-hand, uses a much simpler system: a SHA-512 hash chain with double SHA-256
-branches.  One advantage of this system is that you can recover your keys from
-an MMGen seed without the MMGen program itself using standard command-line
-utilities.  But the most important advantage is security: elliptic-curve wallets
-are not only cryptographically weaker than hash-bashed ones but have a dangerous
-flaw -- their “master public key” feature allows an attacker to recover any key
-in the wallet from a single compromised key (for a detailed discussion of this
-problem, see Vitalik Buterin’s article [Deterministic Wallets, Their Advantages
-and Their Understated Flaws][7]).  Though the master public key feature of BIP32
-and Electrum wallets is undeniably convenient, MMGen makes up for its absence by
-allowing you to save a virtually unlimited number of Bitcoin addresses for
-future use in an address file, which addresses may safely be made public.
-
+Most popular wallets today are based on the [BIP32][w] protocol.  But while
+BIP32 is undeniably powerful and flexible, it has two significant weaknesses, in
+our view.  First of all, it relies on elliptic-curve cryptography, which means
+that with the advent of quantum computing, or perhaps the discovery of a
+weakness in the secp256k1 curve, not only will your individual keys be at risk
+but the entire system used to derive them.  Thus an attacker could conceivably
+gain access to all your crypto assets in one fell swoop.  With MMGen you're
+protected against this danger, as its key derivation scheme relies entirely on
+the SHA256 and SHA512 cryptographic hash algorithms, which use no complex math
+and are generally considered quantum-safe.  Incidentally, a nice side-effect of
+MMGen's hash-based KD scheme is that you can [recover your keys from an MMGen
+seed without the MMGen program itself][r] using standard command-line utilities.
+
+A second critical weakness of BIP32 is mentioned in the [text of the BIP][w]:
+
+> *One weakness that may not be immediately obvious, is that knowledge of a
+> parent extended public key plus any non-hardened private key descending from
+> it is equivalent to knowing the parent extended private key (and thus every
+> private and public key descending from it).*
+
+This means that the compromise of a single key could lead to the theft of
+other, **or even all,** of your keys, something that MMGen's hash-based
+derivation scheme once again protects you against.  True, BIP32 does implement
+“hardened” keys to counter this vulnerability, but with their use you lose the
+ability to generate addresses from a master public key, which is the only
+functionality an EC-based wallet provides over a hash-based one in the first
+place.  In which case you might as well be using a hash-based wallet like MMGen
+for the additional security it provides.  As to the master public key feature,
+MMGen makes up for its absence by allowing you to easily generate address lists
+for distribution to potential payers.
 
 ### Download/Install
 
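Review bot: the sentence "With MMGen you're protected against this danger" in the first added paragraph overstates what the hash-based derivation buys, and contradicts the sentence just before it. The keys MMGen derives are still secp256k1 keys that are used on-chain, so a quantum attacker or a break of the curve still exposes every individual key whose public key is known; what the SHA256/SHA512 chain removes is the derivation path from one key back to the seed or to sibling keys. Suggest wording it as a scope statement, along the lines of: "MMGen's derivation scheme confines the damage to the affected keys: it relies entirely on SHA256 and SHA512, so knowledge of one key gives no path back to the seed or to any other key." In the second added paragraph, "the compromise of a single key could lead to the theft of other, or even all, of your keys" drops the precondition stated in the BIP text quoted directly above it: the attacker also needs the parent extended public key. Keep that condition in the summary, otherwise the paragraph reads as if any single leaked private key is fatal. The following claim that with hardened keys "you lose the ability to generate addresses from a master public key" is also too absolute: hardened derivation is normally applied at the account level with non-hardened children below it, so an account-level extended public key still generates addresses and a leak is confined to that account. Finally, the removed text cited Buterin's article as [7] and the new text does not; if nothing else in the README references [7], its link definition should be dropped in the same commit so the reference list does not carry a dead entry.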
@@ -132,3 +147,4 @@ Donate (BTC,BCH): 15TLdmi5NYLdqmtCqczUs5pBPkJDXRs83w
 [r]: https://github.com/mmgen/mmgen/wiki/Recovering-Your-Keys-Without-the-MMGen-Software
 [x]: https://github.com/mmgen/mmgen/wiki/Getting-Started-with-MMGen#a_alt
 [z]: https://user-images.githubusercontent.com/6071028/31656274-a35a1252-b31a-11e7-93b7-3d666f50f70f.png
+[w]: https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki
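Review bot: the new definition [w] is appended after [z], while the existing entries in this hunk are kept in alphabetical order ([r], [x], [z]); insert it between [r] and [x] to preserve that ordering. Since the link points at the BIP's master branch, consider whether a pinned revision is preferable so the quoted passage in the section above keeps matching the linked text.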