Board: Development & Technical Discussion
Re: Concerns regarding deterministic wallet
by pmlyon on 12/05/2013, 18:12:22 UTC
Thanks for your detailed response.

Electrum seeds are 128 bit (http://electrum.org/seed.html), which makes them easier to brute force. If one is successfully brute forced, this surely yields a larger 'reward' for the attacker than just brute forcing private keys directly, as it allows the attacker to reconstruct all private keys in the seeded deterministic wallet.

Assuming I'm correct here, why was the decision made to make the seed for an algorithm that generates multiple private keys only 128 bit, while the private keys themselves are 256 bit?

128 bits is more than sufficient.  There's a reason it was chosen.

Consider that the entire bitcoin network, over the course of the last 4.5 years, has "only" produced about 2^69 hashes.  You'd have to do about 500 quintillion times that amount of work to have a 50% chance to brute-force a single 128-bit seed.  It's just not feasible.

If that is indeed the case, then perhaps I am just being overly paranoid. Maybe it is the simplification of Electrum's seed (specifically its representations as only a few words) that makes it seem that it could be much more easily brute forced than these calculations suggest.

If someone were to get access to your encrypted wallet file, they would only have to attack your passphrase, correct? Some people could easily have weak passphrases, and then you could get access to the private keys. If deterministic wallets were periodically moved to a new deterministic wallet with a new random seed, this would help to mitigate the threat of offline attacks.
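As an added illustration (not code from the thread or from Electrum), a small Python calculator for the two points raised above: that a seed written as a dozen words still carries the full 128 bits, and that an encrypted wallet file is only as strong as the weaker of its seed and its passphrase. The 1626-word list size and the charset-based passphrase estimate are my assumptions, not figures from the post.

```python
import math
import string

# Assumption: Electrum's original mnemonic scheme encoded a 128-bit seed as
# 12 words drawn from a 1626-word list (3 words per 32-bit chunk).
ELECTRUM_WORDLIST_SIZE = 1626
ELECTRUM_WORD_COUNT = 12

# Character classes used for a rough, generous passphrase-entropy estimate.
CHAR_CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation, " "]


def mnemonic_entropy_bits(wordlist_size, word_count):
    """Bits of entropy carried by word_count words chosen from wordlist_size words.

    A few words look weak, but 12 words from 1626 encode ~128 bits: the word
    form is just a different radix for the same random seed.
    """
    return word_count * math.log2(wordlist_size)


def passphrase_entropy_bits(passphrase):
    """Upper-bound estimate: length * log2(size of the character classes used).

    Real passphrases built from dictionary words are weaker than this bound,
    so this is an optimistic figure for the defender.
    """
    charset = sum(len(cls) for cls in CHAR_CLASSES
                  if any(ch in cls for ch in passphrase))
    if charset == 0:
        return 0.0
    return len(passphrase) * math.log2(charset)


def effective_security_bits(seed_bits, passphrase):
    """An encrypted wallet file falls to whichever is cheaper to guess:
    the seed itself or the passphrase protecting the file."""
    return min(seed_bits, passphrase_entropy_bits(passphrase))


def bruteforce_work_factor(bits):
    """Expected guesses for a 50% chance of hitting a uniformly random secret."""
    return 2 ** (bits - 1)
```

With a 128-bit seed, effective_security_bits(128, "password") comes out near 38 bits, which is the offline attacker's actual target; the seed's own 128 bits never enter into it.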