Yeah but 2^124 is pretty much impossible these days.
Only way to go thru all those hashes are with GPUs.
2.1267647932558653966460912964486e+37 hashes in total.
Most GPUs have a Teraflop of 5-10 these days, however with the extra steps it would be slower so say each GPU hashes at 1TH/s.
Even with 1,000,000 GPUs hashing at 1TH/s.
It would take
21,267,647,932,558,653,966.460912964486 seconds
Which is 674,392,691,925.37588681065807218688 years....
With that amount of hash power you are better off mining ZEC or ETH and you would at least get a guaranteed profit of $1,000,000 - $1,500,000 daily.
ok, I hope this is my last post here.
So the easiest path to crack an Electrum private key is to just run through the 2^124 permutations, that is the shortest route.
That is precisely the point you are not getting.
How do you think an attacker can "run through" these 2^124 permutations?
Please try to focus on this question, and forget the rest.
First, let us agree that these are not "permutations".
In mathematics, a permutation is a bijective function between two sets.
However, the attacker does not have a simple function that takes integers up to 2^124 and maps them to the set of seeds accepted by is_new_seed().
So let us not talk about "permutations", but about "valid seeds".
So, how would an attacker "run through" these 2^124 valid seeds?
The only way he can do that is to test all seeds, and to filter out the ones that are not valid.
That means the attacker has to enumerate a set of 2^132 seeds.
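An added example, not code from any poster in this thread, that makes the entropy accounting of the two posts above concrete: it models Electrum's is_new_seed() as an HMAC-SHA512 prefix test (assumed key b"Seed version" and version prefix "01", applied to a constructed stand-in word list), samples random 12-word strings to measure how many bits the version check discards (132 raw bits down to about 124), and reproduces the 1,000,000-GPU time estimate from the first post.

```python
import hashlib
import hmac
import math
import random

# Constructed stand-in for the 2048-word list: only the indices carry entropy,
# so the acceptance rate of the version check is the same as with real words.
WORDLIST = [f"w{i:04d}" for i in range(2048)]
WORDS_PER_SEED = 12
RAW_BITS = WORDS_PER_SEED * 11          # 2048 = 2^11, so 12 words encode 132 bits


def is_new_seed(mnemonic: str, prefix: str = "01") -> bool:
    """Electrum-style seed version check (assumed key and prefix): HMAC-SHA512
    keyed with b"Seed version" over the mnemonic; the hex digest must start
    with the version prefix. A two-hex-digit prefix keeps about 1 in 256."""
    digest = hmac.new(b"Seed version", mnemonic.encode("utf8"), hashlib.sha512).hexdigest()
    return digest.startswith(prefix)


def effective_seed_bits(samples: int, rng_seed: int = 1234) -> float:
    """Draw uniformly random 12-word strings, count how many pass the version
    check, and convert the surviving fraction p into entropy: 132 + log2(p)."""
    rng = random.Random(rng_seed)       # fixed seed so the measurement is repeatable
    accepted = 0
    for _ in range(samples):
        words = [WORDLIST[rng.randrange(2048)] for _ in range(WORDS_PER_SEED)]
        if is_new_seed(" ".join(words)):
            accepted += 1
    return RAW_BITS + math.log2(accepted / samples)


def years_to_enumerate(bits: float, gpus: int = 1_000_000, hashes_per_gpu: float = 1e12) -> float:
    """Worst-case time to try every one of 2^bits candidates at the given total
    rate, using a 365-day year (the convention behind the thread's figure)."""
    seconds = 2 ** bits / (gpus * hashes_per_gpu)
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    bits = effective_seed_bits(100_000)
    print(f"measured effective entropy: {bits:.2f} bits (expected about 124)")
    print(f"exhaustive search of 2^124 at 10^18 H/s: {years_to_enumerate(124):.3e} years")
```

The measured value lands near 124 because the version check throws away about 8 of the 132 raw bits, which is exactly the gap between the 2^132 candidates that must be enumerated and the 2^124 that are valid.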
I understand, but I am talking about the theoretical implications not the practical ones.
The fact of the matter is that the minimum entropy is 124 bits, and probably lower due to collisions.
According to the cryptographers that I have asked, 1 bit is lost at every layer, especially if the "glass is full" as that is when the collisions start to appear.
So the RIPEMD is the weak link here, and possibly the ECDSA if spent.
There is 1 bit lost assuming that the attacker has 50% probability of guessing a bit, and possibly more if he is more lucky.
So let's assume 120 bit of security, and that is only if no new attack vectors appear, that make the cracking of these algos faster.
Now 120 bits is not quantum secure. And maybe if the RNG of the users is weak, probably less. It may still be unfeasible to crack it, but the danger is there.
The private key becomes exposed to danger, and it will be a question of when, not if, the attacker finds it.
By the way, the attacker doesn't have to target you specifically, there are already people going over all private key combinations as we speak. And this will only get worse, in the future.
https://www.youtube.com/watch?v=foil0hzl4Pg