Hi all,
At WizardSardine (where we’re building Liana wallet) we have been
discussing an encryption scheme for descriptors for at least two years.
A few months ago Salvatore Ingala published on delvingbitcoin a clear
scheme that matches our requirements.
I have been working on implementing this scheme over the past few weeks
and would like to share a draft implementation & BIP in order to
collect feedback, remarks, and reviews.
Draft BIP:
https://github.com/bitcoin/bips/pull/1951
Rust implementation + CLI:
https://github.com/pythcoiner/encrypted_backup
A simple GUI using the Rust implementation:
https://github.com/pythcoiner/bed
Salvatore's delving post:
https://delvingbitcoin.org/t/a-simple-backup-scheme-for-wallet-accounts
**Open questions**
- **Deterministic nonce:** Currently the nonce is generated randomly.
Is it safe to produce a deterministic nonce, e.g. `hash("NONCE" ||
plaintext || key_1 || … || key_n)`, or are there known security
concerns with this approach?
- **Cipher choice:** I arbitrarily chose AES‑GCM‑256. Is this the best
choice for this use case, or would another construction be preferable?
- **Byte order:** All fields are defined to be encoded in big‑endian.
Is there any reason to consider a different endianness?
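To make the three questions concrete, here is an added illustration (my own example, not code from the draft BIP, the encrypted_backup crate or Salvatore's post). It derives the nonce exactly as the first question phrases it, SHA-256("NONCE" || plaintext || key_1 || ... || key_n), truncated to the 12 bytes AES-GCM expects, encrypts with AES-256-GCM, and serialises the fields big-endian. The tag string, the 96-bit truncation and the `len || nonce || len || ciphertext` layout are assumptions chosen for the example and are not the BIP's format; the keys and descriptor string are constructed sample values. The property worth checking for a deterministic nonce is the one the code exercises: the nonce repeats only when every input (plaintext and all keys) repeats, and any change to either yields a different nonce.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// deriveNonce is the deterministic construction from the open question:
// SHA-256("NONCE" || plaintext || key_1 || ... || key_n), truncated to the
// 12-byte nonce AES-GCM uses. Tag string and truncation are assumptions.
func deriveNonce(plaintext []byte, keys [][]byte) []byte {
	h := sha256.New()
	h.Write([]byte("NONCE"))
	h.Write(plaintext)
	for _, k := range keys {
		h.Write(k)
	}
	return h.Sum(nil)[:12]
}

// randomNonce is the alternative the draft currently uses: 12 fresh random bytes.
func randomNonce() ([]byte, error) {
	n := make([]byte, 12)
	_, err := rand.Read(n)
	return n, err
}

// encryptBackup encrypts plaintext under a 32-byte key with AES-256-GCM and
// serialises, big-endian: nonce_len (u16) || nonce || ct_len (u32) || ct,
// where ct already carries the 16-byte GCM tag. Layout is an assumption.
func encryptBackup(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(nonce) != aead.NonceSize() {
		return nil, errors.New("nonce must be 12 bytes")
	}
	ct := aead.Seal(nil, nonce, plaintext, nil)
	out := make([]byte, 0, 2+len(nonce)+4+len(ct))
	var u16 [2]byte
	binary.BigEndian.PutUint16(u16[:], uint16(len(nonce)))
	out = append(out, u16[:]...)
	out = append(out, nonce...)
	var u32 [4]byte
	binary.BigEndian.PutUint32(u32[:], uint32(len(ct)))
	out = append(out, u32[:]...)
	out = append(out, ct...)
	return out, nil
}

// decryptBackup parses the big-endian layout above, rejects truncated or
// inconsistent lengths, and lets GCM's tag check reject any tampering.
func decryptBackup(key, blob []byte) ([]byte, error) {
	if len(blob) < 2 {
		return nil, errors.New("truncated: no nonce length")
	}
	nlen := int(binary.BigEndian.Uint16(blob[:2]))
	if len(blob) < 2+nlen+4 {
		return nil, errors.New("truncated: nonce or ciphertext length missing")
	}
	nonce := blob[2 : 2+nlen]
	clen := int(binary.BigEndian.Uint32(blob[2+nlen : 6+nlen]))
	ct := blob[6+nlen:]
	if len(ct) != clen {
		return nil, errors.New("ciphertext length field does not match payload")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if nlen != aead.NonceSize() {
		return nil, errors.New("unexpected nonce size")
	}
	return aead.Open(nil, nonce, ct, nil) // error on bad tag
}

func main() {
	// Constructed sample values, not real wallet material.
	key1 := bytes.Repeat([]byte{0x11}, 32)
	key2 := bytes.Repeat([]byte{0x22}, 32)
	descriptor := []byte("wsh(multi(2,[aaaa]xpub.../0/*,[bbbb]xpub.../0/*))")

	n1 := deriveNonce(descriptor, [][]byte{key1, key2})
	n2 := deriveNonce(append([]byte{}, append(descriptor, '!')...), [][]byte{key1, key2})
	fmt.Printf("same inputs -> same nonce: %v\n", bytes.Equal(n1, deriveNonce(descriptor, [][]byte{key1, key2})))
	fmt.Printf("changed plaintext -> different nonce: %v\n", !bytes.Equal(n1, n2))

	blob, _ := encryptBackup(key1, n1, descriptor)
	pt, err := decryptBackup(key1, blob)
	fmt.Printf("round trip ok: %v (%d-byte blob)\n", err == nil && bytes.Equal(pt, descriptor), len(blob))

	rn, _ := randomNonce()
	blob2, _ := encryptBackup(key1, rn, descriptor)
	fmt.Printf("random-nonce blobs differ from deterministic one: %v\n", !bytes.Equal(blob, blob2))
}
```

The deterministic variant behaves like a synthetic IV: two backups of the same descriptor under the same keys produce byte-identical output, which is exactly the trade-off the question asks about, while any difference in plaintext or in any key changes the nonce. Either way the parser should validate both length fields before handing bytes to GCM, as `decryptBackup` does, so a truncated or malformed file is rejected with a clear error rather than a tag failure.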
Any thoughts, suggestions, or references are welcome.
Thanks,
pyth