* embedded wallet birthday to optimize restoring from the seed (only blocks after the wallet birthday have to be scanned for transactions)
* embedded network type (mainnet/stagenet/testnet) to prevent accidental misuse of the seed on a different network
* advanced checksum based on Reed-Solomon linear code, which allows certain types of errors to be detected without false positives and provides limited error correction capability
* built-in way to make seeds incompatible between different coins, e.g. a seed for Aeon cannot be accidentally used to restore a Monero wallet
## Usage
### Create a new seed
The sole argument is the wallet creation date in `yyyy/MM/dd` format.
```
> ./monero-seed --create 2100/03/14
Mnemonic phrase: pumpkin alter spice lend position sentence surface snow atom lobster exotic robot profit chase
The mnemonic phrase contains 154 bits of data, which are used as follows:
* 3 bits for version (this allows the format to be updated up to 7 times)
* 2 bits reserved for future use
* 10 bits for approximate wallet creation date
* 2 bits for the network type
* 3 bits reserved for future use
* 10 bits for approximate wallet birthday
* 128 bits for the private key seed
* 11 bits for error detection/correction
* 11 bits for checksum
### Wordlist
Uses the wordlist from BIP-39. It has 2048 words, allowing 11 bits to be stored in each word. It has some additional useful properties,
for example each word can be uniquly identified by its first 4 characters.
The mnemonic phrase uses the BIP-39 wordlist, which has 2048 words, allowing 11 bits to be stored in each word. It has some additional useful properties,
for example each word can be uniquly identified by its first 4 characters. The wordlist is available for 9 languages (this repository only uses the English list).
### Wallet creation date
### Network type
The mnemonic phrase doesn't store block height, but the time when the wallet was created. This allows the seed to be generated
offline without access to the blockchain. Wallet software can easily convert a date to the corresponding block height when restoring a seed.
The wallet creation date has a resolution of 2629746 seconds (1/12 of the average Gregorian year). All dates between June 2020
and September 2105 can be represented.
The network type is stored in 2 bits as follows:
### Private key seed
* `00` = mainnet
* `01` = stagenet
* `10` = testnet
* `11` = invalid
PBKDF2 with 4096 iterations is used to generate the private key from the 128-bit seed included in the mnemonic phrase. The wallet creation date is used as a salt. 128-bit seed provides the same level of security as the elliptic curve used by Monero.
The "Iinvalid" value can be used to support future extensions of the mnemonic seed to more than 14 words. Setting these two bits to `11` will prevent the first 14-words of a longer seed from being a valid 14-word seed (the checksum alone cannot prevent this).
### Reserved bits
There are 2 reserved bits for future use. Possible use cases:
There are 3 reserved bits for future use. Since there is no dedicated "version" field, the current implementation requires all reserved bits to be set to `0` for backwards compatibility.
Possible use cases for the reserved bits include:
* a flag to differentiate between normal and "short" address format (with view key equal to the spend key)
* different KDF algorithms for generating the private key
* seed encrypted with a passphrase
### Wallet birthday
The mnemonic phrase doesn't store block height but the approximate date when the wallet was created. This allows the seed to be generated offline without access to the blockchain. Wallet software can easily convert a date to the corresponding block height when restoring a seed.
The wallet creation date has a resolution of 2629746 seconds (1/12 of the average Gregorian year). All dates between June 2020 and September 2105 can be represented.
### Private key seed
The private key is derived from the 128-bit seed using PBKDF2-HMAC-SHA256 with 4096 iterations.The wallet birthday and network type are used as a salt. 128-bit seed provides the same level of security as the elliptic curve used by Monero.
Future extensions may define other KDFs.
### Checksum
### Error detection/correction
The mnemonic phrase can be treated as a polynomial over GF(2048), which allows us to use an efficient Reed-Solomon error correction code with one check word. All single-word errors can be detected and all single-word erasures can be corrected without false positives.
The mnemonic phrase can be treated as a polynomial over GF(2048), which allows us to use an efficient Reed-Solomon ECC with one check word. All single-word errors can be detected and all single-word erasures can be corrected.
To prevent the seed from being accidentally used with a different cryptocurrency, a coin-specific value is subtracted from the first data-word after the checksum is calculated. Checksum validation will fail unless the wallet software adds the same value back to the first data-word when restoring.