Board: Electrum
Re: How much entropy is lost by searching for a '01' prefix SHA512 output
by bitsec731 on 21/02/2017, 00:35:18 UTC

The problem is that you do not understand what entropy is. I think there is no point continuing this discussion.

Btw, raising the num_bits parameter to 132 would have no effect at all; math.ceil() already ensures that n is a multiple of 11 bits.



Let me explain it another way if I may, because it seems that you are the one who is confused here.


SHA512 hash function =/= 512 bits of security by default

It only means a maximum of 512 bits of security, if the input entropy is 512 bits.



So if you feed 1 bit of entropy into a 512-bit hash function, it will only have 1 bit of security.


There are 3 ways the attacker can proceed with cracking it:
1) By brute-forcing the hash function's 2^512 permutations
2) By finding a shortcut/vulnerability in the hash function
3) By looking at the input function and brute-forcing that.


-Now for this example we will ignore point 2).
-The attacker will also not try to brute force 2^512 permutations.
-So what he will do is just run the input permutations.


WITH A DICE

So if you have the entropy of a dice, and the attacker knows it's a dice, then you have 6 values with 2.58 bits of entropy.
If you hash a random number from 1-6, the hash won't have 512 bits of security, only 2.58 bits of security.
The attacker will obviously not go through 2^512 bits, it will only go through 2^2.58 bits, which is 6 values.



WITH ELECTRUM

In Electrum you have an is_new_seed function that steals away 8 bits of entropy, so it doesn't matter if you wrap it around a SHA512 function: because the BTC protocol and the Electrum source code are public, just as with the dice above, that function will only have as much security as the entropy. Just as in the analogy above the attacker knows that it's a dice, so here the attacker knows that it's an is_new_seed function.

So according to my calculations, we have 124-bit entropy; therefore, at all layers, the maximum security is only 124 bits, even if it's packaged into a RIPEMD-160 and the public key is not known.

So the easiest path to crack an Electrum private key is to just run through the 2^124 permutations, that is the shortest route.

While people who use minimum 160 bit input entropy can enjoy 2^160 permutations of security with an unspent BTC address.



Do you understand my analogy now? I don't try to be cocky or insulting, I just believe that this is a security issue in Electrum that needs to be resolved.
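As an added example (not code from this post, from Electrum, or from anyone else in the thread), the Python below shows the two points argued above in runnable form: the output size of a hash adds no security beyond the entropy of its input (a hashed die roll is recovered after at most 6 SHA-512 calls, never 2^512), and a check that keeps only candidates whose hash starts with a fixed 2-hex-digit prefix discards about 255 of every 256 candidates, i.e. roughly 8 bits of the candidate space. The prefix filter here is a simplified stand-in that uses plain SHA-512 over a constructed candidate encoding; it is not Electrum's actual is_new_seed code, and it does not model where the candidates come from or how many bits are drawn before filtering.

```python
import hashlib
import math


def shannon_entropy_bits(num_equiprobable_outcomes: int) -> float:
    """Entropy in bits of a uniform choice among n outcomes: log2(6) ~= 2.58 for a die."""
    return math.log2(num_equiprobable_outcomes)


def sha512_hex(message: bytes) -> str:
    """Hex digest of SHA-512 over the given bytes."""
    return hashlib.sha512(message).hexdigest()


def recover_die_roll(target_digest: str) -> tuple:
    """Recover a die roll from its SHA-512 digest by enumerating the only six possible
    inputs. The roll is encoded as a single ASCII digit (a constructed convention).
    Returns (roll, hashes_tried). The 512-bit output length never enters the cost:
    the search space is the 6 = 2^2.58 inputs, exactly as the dice analogy says."""
    tries = 0
    for roll in range(1, 7):
        tries += 1
        if sha512_hex(str(roll).encode()) == target_digest:
            return roll, tries
    raise ValueError("digest is not the hash of a single die roll")


def prefix_filter_entropy_loss(num_candidates: int, prefix_hex: str) -> tuple:
    """Model a 'keep only candidates whose hash starts with PREFIX' check.
    This is a stand-in for a version-prefix filter, NOT Electrum's is_new_seed code.
    Candidates are the integers 0..num_candidates-1 as 16-byte big-endian strings
    (constructed inputs). Returns (survivors, bits_lost) where
    bits_lost = log2(num_candidates / survivors): a 2-hex-digit prefix is 8 bits,
    so about 1 in 256 candidates survive and roughly 8 bits of the set are lost."""
    survivors = 0
    for i in range(num_candidates):
        candidate = i.to_bytes(16, "big")
        if sha512_hex(candidate).startswith(prefix_hex):
            survivors += 1
    bits_lost = math.log2(num_candidates / survivors) if survivors else float("inf")
    return survivors, bits_lost


if __name__ == "__main__":
    print(f"die roll entropy: {shannon_entropy_bits(6):.2f} bits")

    digest = sha512_hex(b"4")  # constructed target: the hidden roll was 4
    roll, tries = recover_die_roll(digest)
    print(f"recovered roll {roll} after {tries} hashes, not 2^512")

    total = 2 ** 16
    survivors, lost = prefix_filter_entropy_loss(total, "01")
    print(f"{survivors} of {total} candidates pass the '01' prefix check; "
          f"about {lost:.2f} bits of the candidate space lost")
```

The die half of the example is the whole argument in miniature: the defender's budget is the entropy of the input distribution, so a wallet's security review should start at the random source and the candidate-filtering logic, not at the hash. The filter half only measures how much a fixed-prefix check thins out a given candidate set; whether that costs real security depends on how many bits are generated before the filter runs, which this model leaves out.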