From 29933ce0bfd28dc946f1b2e8e7cd89db5a9b3ec1 Mon Sep 17 00:00:00 2001 From: MMGen Date: Sat, 29 Sep 2018 10:46:23 +0000 Subject: [PATCH] README: edit BIP32 section --- README.md | 44 ++++++++++++++++++++++++++++++-------------- 1 file changed, 30 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 2a5639a5..06416826 100644 --- a/README.md +++ b/README.md 
@@ -74,21 +74,36 @@ wallet file. #### Why MMGen is not a BIP32 wallet -Most popular deterministic wallets use the elliptic-curve-based BIP32 or -Electrum protocols to generate their key/address pairs. MMGen, on the other -hand, uses a much simpler system: a SHA-512 hash chain with double SHA-256 -branches. One advantage of this system is that you can recover your keys from -an MMGen seed without the MMGen program itself using standard command-line -utilities. But the most important advantage is security: elliptic-curve wallets -are not only cryptographically weaker than hash-bashed ones but have a dangerous -flaw -- their “master public key” feature allows an attacker to recover any key -in the wallet from a single compromised key (for a detailed discussion of this -problem, see Vitalik Buterin’s article [Deterministic Wallets, Their Advantages -and Their Understated Flaws][7]). Though the master public key feature of BIP32 -and Electrum wallets is undeniably convenient, MMGen makes up for its absence by -allowing you to save a virtually unlimited number of Bitcoin addresses for -future use in an address file, which addresses may safely be made public. +Most popular wallets today are based on the [BIP32][w] protocol. But while +BIP32 is undeniably powerful and flexible, it has two significant weaknesses, in +our view. First of all, it relies on elliptic-curve cryptography, which means +that with the advent of quantum computing, or perhaps the discovery of a +weakness in the secp256k1 curve, not only will your individual keys be at risk +but the entire system used to derive them. Thus an attacker could conceivably +gain access to all your crypto assets in one fell swoop. With MMGen you're +protected against this danger, as its key derivation scheme relies entirely on +the SHA256 and SHA512 cryptographic hash algorithms, which use no complex math +and are generally considered quantum-safe. 
Incidentally, a nice side-effect of +MMGen's hash-based KD scheme is that you can [recover your keys from an MMGen +seed without the MMGen program itself][r] using standard command-line utilities. +A second critical weakness of BIP32 is mentioned in the [text of the BIP][w]: + +> *One weakness that may not be immediately obvious, is that knowledge of a +> parent extended public key plus any non-hardened private key descending from +> it is equivalent to knowing the parent extended private key (and thus every +> private and public key descending from it).* + +This means that the compromise of a single key could lead to the theft of +other, **or even all,** of your keys, something that MMGen's hash-based +derivation scheme once again protects you against. True, BIP32 does implement +“hardened” keys to counter this vulnerability, but with their use you lose the +ability to generate addresses from a master public key, which is the only +functionality an EC-based wallet provides over a hash-based one in the first +place. In which case you might as well be using a hash-based wallet like MMGen +for the additional security it provides. As to the master public key feature, +MMGen makes up for its absence by allowing you to easily generate address lists +for distribution to potential payers. ### Download/Install @@ -132,3 +147,4 @@ Donate (BTC,BCH): 15TLdmi5NYLdqmtCqczUs5pBPkJDXRs83w [r]: https://github.com/mmgen/mmgen/wiki/Recovering-Your-Keys-Without-the-MMGen-Software [x]: https://github.com/mmgen/mmgen/wiki/Getting-Started-with-MMGen#a_alt [z]: https://user-images.githubusercontent.com/6071028/31656274-a35a1252-b31a-11e7-93b7-3d666f50f70f.png +[w]: https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki
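Review bot: in the first hunk, the claim that the hash-based derivation protects you against a break of secp256k1 or against quantum computing ("With MMGen you're protected against this danger, as its key derivation scheme relies entirely on the SHA256 and SHA512 cryptographic hash algorithms") is overstated and should be qualified: the keys MMGen derives are still secp256k1 keys, so any address whose public key has already appeared on-chain (every address that has been spent from) is exactly as exposed as a BIP32-derived one. What the hash chain actually protects is the seed-to-key relationship, so an attacker who breaks one revealed key cannot walk back to the seed or sideways to the other keys; suggest saying that (e.g. "your seed and your unspent keys remain protected") rather than "all your crypto assets". Two smaller points in the same paragraph: "KD scheme" uses an abbreviation the README never introduces, so spell out "key derivation scheme" there, and the paragraph mixes straight and curly apostrophes ("you're", "MMGen's" next to “hardened”), so pick one style.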
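Review bot: in the second hunk, the new link definition is appended after [z], which breaks the alphabetical ordering the reference list otherwise keeps ([r], [x], [z]); suggest placing the line "+[w]: https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki" between the [r] and [x] entries so future additions keep the list sorted.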