Expand BIP85 to include ECC key types #1968

pull 3rdIteration wants to merge 12 commits into bitcoin:master from 3rdIteration:BIP85-ExpandCurveTypes changing 1 files +243 −13
  1. 3rdIteration commented at 7:28 PM on September 15, 2025: contributor

    So I'm doing some work on extending BIP85 functionality on SeedSigner to include GPG key generation, file verification, encrypted messaging, etc, but the resource limitation on low power devices like the Raspberry Pi really makes RSA keys quite painful to use at any useful bit length. (RSA3072 takes 15-20 minutes for a primary key + 3 subs)

    Basically I'm suggesting an expansion of the current functionality to add support for some common ECC curves and provide a bit of a process for future curves to be added in a way that doesn't break existing implementations. (The simplest solution is to just use ECC with key length on the existing RSA derivation, but that doesn't seem very consistent with how BIP85 works for other similar use cases where the derivation path should tell you everything you need to know about the output data/entropy/usage)

    While it would have been nice to have a separate derivation level for key_type, that ship has probably sailed, so rather than add that, I am just suggesting a different applicationID for each key type. (Similar to how variations are handled with the existing password application type)

    While I'm at it, I'm also suggesting some information about how additional and mixed key types should be handled.

    Anyway, just keen to get some input on a way forward, can add some additional test vectors and stuff once others have provided some input about a preferred way forward.

  2. Expand BIP85 to include ECC key types 3728f8e12f
  3. odudex commented at 8:00 PM on September 15, 2025: none

    The inclusion of GPG ECC key specifications also interests me. I'm developing tools to derive secp256k1 GPG key material on Krux My implementation differs slightly, as it relies on a PC-based coordinator app to handle metadata and prepare files for GPG signing.

    Although the approach is different from @3rdIteration’s, he confirmed that the results are compatible, currently using the RSA derivation path in preliminary tests.

    My long-term goal is to also support the creation of encryption subkeys.

    Having two independent projects producing different, yet compatible implementations creates an excellent opportunity to include ECC keys in the BIP85 specifications.

  4. 3rdIteration commented at 8:06 PM on September 15, 2025: contributor

    I didn't include it in the body of the wiki, but I would suggest that basically this approach would mean that the 8283 prefix for applications types is reserved for GPG related keys

  5. jonatack added the label Proposed BIP modification on Sep 17, 2025
  6. jonatack added the label Pending acceptance on Sep 17, 2025
  7. in bip-0085.mediawiki:388 in 3728f8e12f 
     387 | +| 828369'
 388 | +|-
 389 | +|}
 390 |  
 391 | -The RSA key generator should use BIP85-DRNG as the input RNG function.
 392 | +The RSA key generator should use BIP85-DRNG as the input RNG function. Likewise, any ECC key types over 256bit should use BIP85-DRNG.
    jonatack commented at 3:56 PM on September 17, 2025: 
    The RSA key generator should use BIP85-DRNG as the input RNG function. Likewise, any ECC key types over 256 bits should use BIP85-DRNG.
  8. in bip-0085.mediawiki:402 in 3728f8e12f outdated 
     406 |      - sub_key <code>0'</code> is used as the ENCRYPTION key
 407 |      - sub_key <code>1'</code> is used as the AUTHENTICATION key
 408 |      - sub_key <code>2'</code> is usually used as SIGNATURE key
 409 |  
 410 | -Note on timestamps:
 411 | +Additional subkeys can be added to a primary key, including keys of a different key type, following the role pattern defined above, but the key_index MUST be incremented with each subkey.
    jonatack commented at 4:01 PM on September 17, 2025:

    Could this change break anything?

    3rdIteration commented at 5:23 PM on September 17, 2025:

    Could this change break anything?

    It doesn't break the existing RSA implementations, but does add the possibility of having something like an RSA primary key and non-RSA subkeys. (Though the overall RSA fingerprint would remain the same) There is actually already ambiguity in BIP85 as to whether the subkeys should/must have the same key bits as the primary key. (Even if it is a general convention that they align)

    The use-case to consider here is basically that someone might want to revoke a subkey(s) (or have some expire) and create some additional subkeys that they can continue using while preserving the original primary key. (Which is normal in the context of GPG)

    The question of whether mixing key types should be allowed is a separate matter, but the use-case for this is basically scenarios where someone may want a strong and long-lived primary key that for their identity, but use different keys for the actual signing and stuff. (Whether due to limitations on smartcards, etc) For example, someone may have an ED25119 primary key and have subkeys use something like P256 or RSA subkeys for compatibility reasons.

    akarve commented at 1:51 AM on October 6, 2025:

    As for mixing types I would discourage that unless there's a really good reason. For one thing are we nesting derivation paths at that point? A worked example of mixed subkeys would help.

    akarve commented at 2:20 AM on October 6, 2025:

    the use-case for this is basically scenarios where someone may want a strong and long-lived primary key that for their identity, but use different keys for the actual signing and stuff. (Whether due to limitations on smartcards, etc) For example, someone may have an ED25119 primary key and have subkeys use something like P256 or RSA subkeys for compatibility reasons.

    reasonable enough. at that point why not turtles all the way down, e.g. the following or something like it?

    {same_app_number_for_all}/
{key_type}/{key_bits}/key_index}/
{key_type}/{key_bits}/sub_key_index}/
...
    3rdIteration commented at 6:32 PM on October 6, 2025:

    the use-case for this is basically scenarios where someone may want a strong and long-lived primary key that for their identity, but use different keys for the actual signing and stuff. (Whether due to limitations on smartcards, etc) For example, someone may have an ED25119 primary key and have subkeys use something like P256 or RSA subkeys for compatibility reasons.

    reasonable enough. at that point why not turtles all the way down, e.g. the following or something like it?

    {same_app_number_for_all}/
{key_type}/{key_bits}/key_index}/
{key_type}/{key_bits}/sub_key_index}/
...

    I think that would be a better approach overall, to have an app number to signify GPG keys generally and then an additional level of derivation for key type, but this would break compatibility with existing RSA implementations. (Even though it doesn't seem to me that there are any in the wild) The reality is that new key types will likely continue to be added to GPG, so the ability to add more in a neat way would be better long term. (With the rational for different applications for each key type being related to respecting the status of this BIP as 'Final')

    3rdIteration commented at 6:38 PM on October 6, 2025:

    As for mixing types I would discourage that unless there's a really good reason. For one thing are we nesting derivation paths at that point? A worked example of mixed subkeys would help.

    Even with that example, it's not really an issue to just assert that mixed key types are beyond the scope of the spec. (As most people will just use the same key type for everything)

  9. jonatack commented at 4:05 PM on September 17, 2025: member

    Pinging @akarve and @scgbckbone for feedback, BIP85 is in use and in Final status (https://github.com/bitcoin/bips/pull/1676), so no potentially breaking changes may be introduced.

  10. in bip-0085.mediawiki:365 in 3728f8e12f outdated 
     359 | @@ -360,36 +360,58 @@ OUTPUT
 360 |  * DERIVED ENTROPY=f7cfe56f63dca2490f65fcbf9ee63dcd85d18f751b6b5e1c1b8733af6459c904a75e82b4a22efff9b9e69de2144b293aa8714319a054b6cb55826a8e51425209
 361 |  * DERIVED PWD=_s`{TW89)i4`
 362 |  
 363 | -===RSA===
 364 | +===GPG Keys===
 365 |  
 366 | -Application number: 828365'
 367 | +Application number is dependant on the key type.
    akarve commented at 1:47 AM on October 6, 2025:

    I would recommend a single application number and then extend the path for different key types. That's more consistent with the rest of BIP85:

    {same_app_number_for_all}/{key_type}/{key_bits}/{key_index}
    3rdIteration commented at 6:36 PM on October 6, 2025:

    This would be the neatest solution

  11. in bip-0085.mediawiki:394 in 3728f8e12f outdated 
     397 | -Keys allocated for RSA-GPG purposes use the following scheme:
 398 | +Keys allocated for GPG purposes use the following scheme:
 399 |  
 400 | - - Main key <code>m/83696968'/828365'/{key_bits}'/{key_index}'</code>
 401 | - - Sub keys:  <code>m/83696968'/828365'/{key_bits}'/{key_index}'/{sub_key}'</code>
 402 | + - Primary key <code>m/83696968'/{key_type}'/{key_bits}'/{key_index}'</code>
    akarve commented at 1:48 AM on October 6, 2025:

    Here and elsewhere these list nested code blocks don't render as expected (... > View file)

    akarve commented at 1:50 AM on October 6, 2025:

    In the description please motivate the need and intent of sub keys. It's not immediately obvious why this is needed above and beyond the standard key index.

    3rdIteration commented at 6:36 PM on October 6, 2025:

    It's mostly about trying to follow the process elsewhere in BIP85 where a given derivation path will always map to a certain use case 1:1.

    One solution to all of this is to basically just have BIP85 use the same derivation path for both primary keys and subkeys, regardless of the key algo being used.

  12. akarve commented at 1:53 AM on October 6, 2025: contributor

    @3rdIteration howdy, feedback provided. please also do a patch entry to the changelog.

  13. in bip-0085.mediawiki:363 in 3728f8e12f outdated 
     359 | @@ -360,36 +360,58 @@ OUTPUT
 360 |  * DERIVED ENTROPY=f7cfe56f63dca2490f65fcbf9ee63dcd85d18f751b6b5e1c1b8733af6459c904a75e82b4a22efff9b9e69de2144b293aa8714319a054b6cb55826a8e51425209
 361 |  * DERIVED PWD=_s`{TW89)i4`
 362 |  
 363 | -===RSA===
 364 | +===GPG Keys===
    akarve commented at 1:57 AM on October 6, 2025:

    Definitely need test vectors and expected outputs for all applications and sub applications. I can also add it to the reference implementation but won't be able to get to that right away. PRs welcome. https://github.com/akarve/bipsea

    3rdIteration commented at 6:40 PM on October 6, 2025:

    I'm happy to work up some test vectors and a reference implementation once there is some agreement on a general direction :)

    akarve commented at 8:13 PM on April 4, 2026:

    there's a pretty simple app protocol in the ref. implementation now: https://github.com/akarve/bipsea/blob/main/src/bipsea/apps/README.md

    3rdIteration commented at 10:53 PM on April 4, 2026:

    I have actually got a working implementation of the draft spec (as per the last edit) here: https://github.com/3rdIteration/bipsea

  14. Update bip-0085.mediawiki
    Co-authored-by: Jon Atack <jon@atack.com>
    56a8de8209
  15. Update bip-0085.mediawiki
    Co-authored-by: Aneesh Karve <akarve@users.noreply.github.com>
    31eea92063
  16. in bip-0085.mediawiki:414 in 3728f8e12f outdated 
     419 |  
 420 |  GPG capable smart-cards SHOULD be loaded as follows: The encryption slot SHOULD be loaded with the ENCRYPTION capable key; the authentication slot SHOULD be loaded with the AUTHENTICATION capable key. The signature capable slot SHOULD be loaded with the SIGNATURE capable key.
 421 |  
 422 |  However, depending on available slots on the smart-card, and preferred policy, the CERTIFY capable key MAY be flagged with CERTIFY and SIGNATURE capabilities and loaded into the SIGNATURE capable slot (for example where the smart-card has only three slots and the CERTIFY capability is required on the same card). In this case, the SIGNATURE capable sub-key would be disregarded because the CERTIFY capable key serves a dual purpose.
 423 |  
 424 | +
    akarve commented at 1:57 AM on October 6, 2025:
  17. jonatack commented at 2:25 PM on October 14, 2025: member

    Hi @3rdIteration, mind addressing the remaining feedback here?

    Edit: per #1967 (review), when in doubt might be most prudent to go with option c?

  18. jonatack added the label PR Author action required on Oct 14, 2025
  19. 3rdIteration commented at 10:01 PM on October 14, 2025: contributor

    Are there any that aren't addressed? (In terms of the other PR, I agree that option C makes the most sense)

    It also gives more scope to make some changes that make this neater overall, even if it deviates from the original RSA-Only implementation.

  20. jonatack commented at 10:36 PM on October 14, 2025: member

    Are there any that aren't addressed? (In terms of the other PR, I agree that option C makes the most sense) @3rdIteration the changelog update, not sure for the rest of @akarve's feedback

  21. jonatack commented at 5:38 PM on October 15, 2025: member

    #1967 has been merged, so this can now be rebased to master and the changelog updated.

  22. 3rdIteration commented at 12:48 PM on November 2, 2025: contributor

    #1967 has been merged, so this can now be rebased to master and the changelog updated.

    Yep, will do in the next week or two.

    I'll throw in some test vectors while I'm at it as well :)

  23. murchandamus commented at 12:08 AM on February 28, 2026: member

    Hi @3rdIteration, are you still working on this PR?

  24. 3rdIteration commented at 12:10 AM on February 28, 2026: contributor

    Hi @3rdIteration, are you still working on this PR?

    It's still on my list and just got delayed, but still very keen.

    Will look at it next week :)

  25. Update bip-0085.mediawiki 94796129c7
  26. 3rdIteration requested review from Copilot on Feb 28, 2026
  27. ?
    copilot_work_started 3rdIteration
  28. in bip-0085.mediawiki:380 in 94796129c7 outdated 
     379 | +| RSA
 380 | +| 0'
 381 | +|-
 382 | +| ECC(Curve25519)
 383 | +| 1'
 384 | +|-
    Copilot commented at 3:28 AM on February 28, 2026:

    The derivation path format already hardens the key_type component ("{key_type}'"), but the table also defines key_type values with a trailing apostrophe (e.g., "0'", "1'"). This is ambiguous and can lead to double-hardening / inconsistent interpretation across implementations. Define key_type as a plain integer (0..4) and state that the path component is always hardened, or remove the apostrophe from the path placeholder.

    3rdIteration commented at 3:30 AM on February 28, 2026:

    @copilot code review[agent] Can you add a note for the ECC key_types that mentions which key_bits lengths are valid

  29. in bip-0085.mediawiki:388 in 94796129c7 outdated 
     387 | +|-
 388 | +| ECC(NIST)
 389 | +| 3'
 390 | +|-
 391 | +| ECC(Brainpool)
 392 | +| 4'
    Copilot commented at 3:28 AM on February 28, 2026:

    The spec introduces ECC key types but does not define how {key_bits} selects a specific curve/algorithm for each key_type (e.g., which NIST curve corresponds to which key_bits, and similarly for Brainpool). For fixed-size curves like Curve25519 and secp256k1, it’s also unclear what {key_bits} is expected to be (and whether other values are invalid). Please add explicit, deterministic mappings/constraints so independent implementations derive identical keys for the same path.

  30. in bip-0085.mediawiki:407 in 94796129c7 outdated 
     414 | +** key_index is the parent key for CERTIFY capability
 415 | +** sub_key <code>0'</code> is used as the ENCRYPTION key
 416 | +** sub_key <code>1'</code> is used as the AUTHENTICATION key
 417 | +** sub_key <code>2'</code> is usually used as SIGNATURE key
 418 | +
 419 | +All subkeys SHOULD use the same key_type as the primary key. Mixed key types across primary and subkeys are out of scope for this specification. Additional subkeys may be added following the same role pattern, incrementing the sub_key index.
    Copilot commented at 3:28 AM on February 28, 2026:

    For Curve25519, OpenPGP typically uses different algorithms for different capabilities (e.g., Ed25519 for certify/sign/auth vs X25519/Curve25519 ECDH for encryption). The current text says all subkeys SHOULD use the same key_type, but doesn’t specify the required per-capability algorithm mapping within that key_type. Please clarify the exact OpenPGP public-key algorithm/curve used for primary vs encryption/auth/sign subkeys under key_type=Curve25519 to avoid incompatible key material generation.

    All subkeys SHOULD use the same key_type (i.e. the same underlying curve family) as the primary key. Mixed key types across primary and subkeys are out of scope for this specification. For <code>key_type = Curve25519</code>, implementations MUST generate OpenPGP keys as follows: the primary CERTIFY key and any SIGNATURE or AUTHENTICATION subkeys MUST use Ed25519 (OpenPGP EdDSA with curve Ed25519), while ENCRYPTION subkeys MUST use X25519/Curve25519 ECDH (OpenPGP ECDH with curve Curve25519). Additional subkeys may be added following the same role pattern, incrementing the sub_key index.
  31. in bip-0085.mediawiki:392 in 94796129c7 outdated 
     391 | +| ECC(Brainpool)
 392 | +| 4'
 393 | +|-
 394 | +|}
 395 | +
 396 | +The RSA key generator should use BIP85-DRNG as the input RNG function. Likewise, any ECC key types over 256 bits should use BIP85-DRNG.
    Copilot commented at 3:28 AM on February 28, 2026:

    The guidance on when to use BIP85-DRNG for ECC ("over 256 bits") doesn’t align with the earlier definition of BIP85-DRNG being needed when more than 64 bytes of random input are required. Consider specifying DRNG usage based on the keygen’s required randomness/bytes (or explicitly justify why >256-bit ECC needs DRNG), otherwise implementers may diverge on whether to use DRNG for common curves like P-384.

    The RSA key generator should use BIP85-DRNG as the input RNG function. Likewise, any ECC key types whose key generation requires more than 64 bytes of random input should use BIP85-DRNG.
  32. in bip-0085.mediawiki:411 in 94796129c7 outdated 
     418 | +
 419 | +All subkeys SHOULD use the same key_type as the primary key. Mixed key types across primary and subkeys are out of scope for this specification. Additional subkeys may be added following the same role pattern, incrementing the sub_key index.
 420 | +
 421 | +<b>Note on timestamps:</b>
 422 |  
 423 |  The resulting RSA key can be used to create a GPG key where the creation date MUST be fixed to unix Epoch timestamp 1231006505 (the Bitcoin genesis block time <code>'2009-01-03 18:05:05'</code> UTC) because the key fingerprint is affected by the creation date (Epoch timestamp 0 was not chosen because of legacy behavior in GNUPG implementations for older keys). Additionally, when importing sub-keys under a key in GNUPG, the system time must be frozen to the same timestamp before importing (e.g. by use of <code>faketime</code>).
    Copilot commented at 3:28 AM on February 28, 2026:

    This section now covers multiple GPG key types, but the timestamp note still refers specifically to "The resulting RSA key". Either generalize the statement to apply to all OpenPGP keys derived here (including ECC), or explicitly scope the timestamp requirement to RSA-only if ECC behavior differs.

  33. in bip-0085.mediawiki:367 in 94796129c7 outdated 
     364 | +===GPG Keys===
 365 |  
 366 |  Application number: 828365'
 367 |  
 368 | -The derivation path format is: <code>m/83696968'/828365'/{key_bits}'/{key_index}'</code>
 369 | +The derivation path format is: <code>m/83696968'/828365'/{key_type}'/{key_bits}'/{key_index}'</code>
    Copilot commented at 3:28 AM on February 28, 2026:

    Changing the GPG derivation path from the previously-specified RSA format (which did not include {key_type}) will change the derived material for existing paths and break interoperability with any current implementations/vectors. If backward compatibility is a goal, consider keeping the legacy RSA path intact and allocating new application numbers for ECC (or otherwise defining a legacy/compat mode) rather than inserting a new path level under the same application number.

    akarve commented at 8:25 PM on April 4, 2026:

    this is a major issue. given that this BIP is widely implemented we have to preserve backward compatibility. we either need to extend and not break the existing paths (including what was sub_key) or we can do this in a clean GPG application.

    3rdIteration commented at 10:54 PM on April 4, 2026:

    This was my original suggestion, basically just add additional application numbers for ECC (Or perhaps a separate application for ECC and child derivation as per this current draft), but folk seemed to want to go with a 3.0 change that wasn't backwards compatible earlier in the discussion thread.

  34. Copilot commented at 3:28 AM on February 28, 2026: none

    Pull request overview

    Updates the BIP-0085 specification’s OpenPGP/GPG key derivation section to support additional (ECC) key types, aiming to make deterministic GPG key generation practical on low-power devices.

    Changes:

    • Replaces the prior RSA-focused GPG section with a generalized “GPG Keys” section and introduces a key_type path component.
    • Adds a key type table covering RSA plus several ECC curve families.
    • Adds a new 2.0.0 changelog entry describing the ECC additions and the GPG section restructure.

    💡 <a href="/bitcoin/bips/new/master?filename=.github/instructions/*.instructions.md" class="Link--inTextBlock" target="_blank" rel="noopener noreferrer">Add Copilot custom instructions</a> for smarter, more guided reviews. <a href="https://docs.github.com/en/copilot/customizing-copilot/adding-repository-custom-instructions-for-github-copilot" class="Link--inTextBlock" target="_blank" rel="noopener noreferrer">Learn how to get started</a>.

  35. Update bip-0085.mediawiki 729f412f1d
  36. incorporate improment suggestions 86a64f1fdd
  37. in bip-0085.mediawiki:480 in 94796129c7 outdated 
     475 | +
 476 | +* ECC GPG key types for OpenPGP: Curve25519 (key_type 1'), secp256k1 (key_type 2'), NIST (key_type 3'), Brainpool (key_type 4')
 477 | +
 478 | +====Changed====
 479 | +
 480 | +* GPG key section restructured to use a single application number (828365') with <code>key_type</code> as a path level component, replacing separate per-type application numbers
    Copilot commented at 3:28 AM on February 28, 2026:

    The 2.0.0 changelog entry says the GPG section now uses a single application number with key_type, "replacing separate per-type application numbers", which doesn’t match the earlier changelog/history in this document (it previously introduced an RSA application at 828365'). Also, this conflicts with the PR description’s stated approach of using different application IDs per key type. Please reconcile the changelog text (and/or the spec approach) so the intended compatibility strategy is clear.

  38. in bip-0085.mediawiki:472 in 94796129c7 outdated 
     468 | @@ -443,6 +469,16 @@ BIP32, BIP39
 469 |  
 470 |  ==Changelog==
 471 |  
 472 | +===2.0.0===
    Copilot commented at 3:28 AM on February 28, 2026:

    Changelog entries below include dates (e.g., "1.3.0 (2024-10-22)"), but the new "2.0.0" entry has no date. Add a date (or follow whatever versioning/date convention the document uses) to keep the changelog consistent.

    ===2.0.0 (2024-11-01)===
  39. 3rdIteration force-pushed on Feb 28, 2026
  40. Fix typos 04995e6150
  41. Enhance ECC and RSA key generation guidelines
    Expanded the section on ECC scalar derivation and RSA key generation, detailing the use of BIP85-DRNG and compliance requirements.
    00a7583b15
  42. Add test vectors for key types in bip-0085
    Added test vectors for various key types including RSA, Curve25519, secp256k1, NIST, and Brainpool.
    b7756c9975
  43. Fix heading format for Test vectors section c44de4611b
  44. Merge branch 'master' into BIP85-ExpandCurveTypes 8b1397a156
  45. in bip-0085.mediawiki:421 in 8b1397a156 
     420 | +|-
 421 | +|}
 422 | +
 423 | +For key_types with a fixed curve (1 and 2), key_bits MUST be 256. Any other value is invalid.
 424 | +
 425 | +BIP85-DRNG MUST be used as the input RNG function when key generation requires more than 64 bytes of random input. This applies to all RSA key sizes and to NIST P-521 (key_bits=521). All other supported ECC key types use the 64-byte HMAC output directly.
    akarve commented at 7:58 PM on April 4, 2026:

    minor: aim for ~80 wide for terminal readability:

    BIP85-DRNG MUST be used as the input RNG function when key generation requires more than 64 bytes of
random input. This applies to all RSA key sizes and to NIST P-521 (key_bits=521). All other supported ECC
key types use the 64-byte HMAC output directly.
  46. in bip-0085.mediawiki:369 in 8b1397a156 outdated 
     368 |  
 369 | -The RSA key generator should use BIP85-DRNG as the input RNG function.
 370 | +All path components are hardened (denoted by <code>'</code>). The key_type values are plain integers:
 371 |  
 372 | -===RSA GPG===
 373 | +{|
    akarve commented at 8:01 PM on April 4, 2026:

    i think this can be one big table and will read better; there's already a common join key and both are small

  47. in bip-0085.mediawiki:497 in 8b1397a156 outdated 
     505 |  
 506 | +<b>Note on timestamps:</b>
 507 |  The resulting RSA key can be used to create a GPG key where the creation date MUST be fixed to UNIX Epoch timestamp 1231006505 (the Bitcoin genesis block time <code>'2009-01-03 18:15:05'</code> UTC)<ref>The human-readable datetime string was incorrectly noted as '2009-01-03 18:05:05' prior to v2.0.0 of this BIP, so implementations that relied on it rather than UNIX Epoch timestamp 1231006505 will produce different key fingerprints.</ref> because the key fingerprint is affected by the creation date (Epoch timestamp 0 was not chosen because of legacy behavior in GNUPG implementations for older keys). Additionally, when importing sub-keys under a key in GNUPG, the system time must be frozen to the same timestamp before importing (e.g. by use of <code>faketime</code>).
 508 |  
 509 | -Note on GPG key capabilities on smartcard/hardware devices:
 510 | +All keys derived under this application MUST use a fixed creation date of unix Epoch timestamp 1231006505 (the Bitcoin genesis block time <code>'2009-01-03 18:05:05'</code> UTC) when constructing the OpenPGP key packet, because the key fingerprint is affected by the creation date (Epoch timestamp 0 was not chosen because of legacy behavior in GNUPG implementations for older keys). Additionally, when importing sub-keys under a key in GNUPG, the system time must be frozen to the same timestamp before importing (e.g. by use of <code>faketime</code>).
    akarve commented at 8:10 PM on April 4, 2026:

    we need to be very careful with that timestamp, it was just corrected: https://github.com/bitcoin/bips/blob/master/bip-0085.mediawiki#fixed

    nivekpraht commented at 8:14 PM on April 4, 2026:

    Yes

  48. nivekpraht commented at 8:13 PM on April 4, 2026: none

    Yes

    Yahoo Mail: Search, Organize, Conquer

    On Sat, Apr 4, 2026 at 17:41, Aneesh @.***> wrote: @akarve commented on this pull request.

    In bip-0085.mediawiki:

    The resulting RSA key can be used to create a GPG key where the creation date MUST be fixed to UNIX Epoch timestamp 1231006505 (the Bitcoin genesis block time <code>'2009-01-03 18:15:05'</code> UTC)<ref>The human-readable datetime string was incorrectly noted as '2009-01-03 18:05:05' prior to v2.0.0 of this BIP, so implementations that relied on it rather than UNIX Epoch timestamp 1231006505 will produce different key fingerprints.</ref> because the key fingerprint is affected by the creation date (Epoch timestamp 0 was not chosen because of legacy behavior in GNUPG implementations for older keys). Additionally, when importing sub-keys under a key in GNUPG, the system time must be frozen to the same timestamp before importing (e.g. by use of <code>faketime</code>).

    -Note on GPG key capabilities on smartcard/hardware devices: +All keys derived under this application MUST use a fixed creation date of unix Epoch timestamp 1231006505 (the Bitcoin genesis block time <code>'2009-01-03 18:05:05'</code> UTC) when constructing the OpenPGP key packet, because the key fingerprint is affected by the creation date (Epoch timestamp 0 was not chosen because of legacy behavior in GNUPG implementations for older keys). Additionally, when importing sub-keys under a key in GNUPG, the system time must be frozen to the same timestamp before importing (e.g. by use of <code>faketime</code>).

    we need to be very careful with that timestamp, it was just corrected: https://github.com/bitcoin/bips/blob/master/bip-0085.mediawiki#fixed

    — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you are subscribed to this thread.Message ID: @.***>

  49. in bip-0085.mediawiki:428 in 8b1397a156 outdated 
     427 | +<b>ECC Scalar Derivation for Curves Exceeding 64 Bytes</b>
 428 | +
 429 | +For elliptic curves whose base length (⌈log₂(order) / 8⌉) exceeds the
 430 | +64-byte HMAC-SHA512 entropy output — currently only NIST P-521 (base
 431 | +length 66 bytes) — the private scalar MUST be derived using the
 432 | +BIP85-DRNG (SHAKE256) as follows:
    akarve commented at 8:53 PM on April 4, 2026:

    Can we try a "same for all" algorithm that also has less chance for bias? For example:

    1. Initialize BIP85-DRNG with the 64-byte HMAC entropy
    2. L = ceil((ceil(log2(n)) + 128) / 8)
    3. Read L bytes from DRNG
    4. scalar = (int.from_bytes(buf, 'big') % (n - 1)) + 1

    As I understand it without a safety margin we risk bias e.g. when curve order is high and close to the entropy size. See e.g. https://www.rfc-editor.org/rfc/rfc9380.html#name-hashing-to-a-finite-field

    akarve commented at 8:54 PM on April 4, 2026:

    Even better if you can refer us to a standard procedure for this step let's just use that.

    3rdIteration commented at 11:11 PM on April 4, 2026:

    There isn't really a standard procedure other than "Generate at least X bits of entropy and use that", so the question is how to throw away the excess. (Mod or mask)

    The other thing to avoid was something that happened with Putty a few years back where they just used 512bits and padded with 9 bits, making the keys easier to recover.

  50. nivekpraht commented at 8:55 PM on April 4, 2026: none

    Subject: Algorithm Adjustment Request for Key GenerationDear Aneesh,I read your feedback on the pull request concerning key generation specifications in bip-0085.mediawiki. I recommend considering an algorithm that is uniform across all key types and reduces bias. Here are some suggestions:1. Generate the child key at the application path (e.g., m/83696968'/828365'/4'/256'/0') from the master key.2. Utilize the child key's private key bytes to generate entropy using HMAC-SHA512.3. Initialize BIP85-DRNG (SHAKE256) with the 64-byte entropy as a seed.4. Extract ceil(bit_length(n) / 8) + 16 bytes from DRNG.5. Interpret the bytes as a big-endian unsigned integer.6. Compute the scalar value as (integer % (n - 1)) + 1.It is essential to incorporate the standard 16-byte safety margin to prevent bias, particularly when working with high curve orders near the size of the entropy. For further information, please refer to https://www.rfc-editor.org/rfc/rfc9380.html#name-hashing-to-a-finite-field.I appreciate your prompt attention to this issue.Best regards,[Your Name]

    Yahoo Mail: Search, Organize, Conquer

  51. Apply suggestion from @akarve
    Co-authored-by: Aneesh Karve <akarve@users.noreply.github.com>
    34e8931978
  52. in bip-0085.mediawiki:398 in 8b1397a156 outdated 
     397 | +!key_type
 398 | +!key_bits
 399 | +!OpenPGP Algorithm / Curve
 400 | +|-
 401 | +| 0 (RSA)
 402 | +| 1024, 2048, 4096
    akarve commented at 9:16 PM on April 4, 2026:

    Should we even support RSA-1024, it's deprecated right?

    3rdIteration commented at 10:55 PM on April 4, 2026:

    It's deprecated so I wouldn't imagine any current implementations would use it

Contributors
3rdIterationodudexjonatackakarvemurchandamusCopilotnivekpraht
Labels
Proposed BIP modificationPending acceptancePR Author action required
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bips. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-05-19 06:50 UTC