Board: Electrum
Re: Seeing output of 40 BTC when i'm trying to send 1 coin
by DeathAndTaxes on 21/04/2014, 01:26:27 UTC
Quote
I get it... However, bitcoin already has key stretching.

Bitcoin the protocol does not use key stretching.

Bitcoin-core "the client" uses key stretching to harden the WALLET DECRYPTION PASSPHRASE against brute force attack.  Nothing more.  Electrum doesn't copy that code from bitcoin-core wallet so it isn't key stretching "again".


Quote
edit: actually I don't think it would increase the entropy, just add more stretching, since the seed has less entropy than a 160 bit "normal" priv key

Private keys only have 128 bit key strength.  Not 160 bit and not 256 bit.

Quote
I see.  So then, it would be even harder to brute force a private key from the electrum seed dictionary because of the key stretching versus trying to do it "directly".

Correct?

If the seed is random then it would be more difficult to brute force the seed.  If the seed is not random then it would depend on what entropy the seed has.   100K iterations is ~2^16 so the stretching adds 16 bits of key strength.  Then again if the seed is "password123" then stretching or not the resulting entropy is too low to be considered secure.

In either case brute forcing the seed would allow you to gain access to all the private keys, whereas brute forcing a single private key only gives you access to that key.  It is generally speaking academic if the seed has sufficient entropy because keys with 128 bit key strength are considered beyond brute force anyways.

Key stretching is used to provide brute force resistance to keys that otherwise would have less than 128 bit key strength.  As an example consider a passphrase which has 74 bits of entropy.  It may be possible to brute force that.  Through key hardening you can add 16 bits of key strength making it the equivalent of a 90 bit random symmetric key which today is beyond brute force for all but maybe the largest nation states.  It turns a moderately weak key into one that is nearly unbreakable.  On the other hand "password123" has 0 bits of entropy (it is on lists of known passwords) and thus even with key hardening would be quickly compromised.
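As an added illustration of the work-factor arithmetic in the post above (example code written here, not code from the post or from Electrum): a simple iterated-SHA-256 stretch with a configurable iteration count, and a helper that turns seed entropy plus iteration count into the log2 of the hash operations an attacker must perform. The stretching loop, the toy known-password list and the 128-bit cap are assumptions made for the illustration.

```python
import hashlib
import math

ITERATIONS = 100_000  # iteration count discussed in the thread (~2^16.6)

def stretch_seed(seed: str, iterations: int = ITERATIONS) -> bytes:
    """Illustrative iterated-hash key stretching (assumed construction,
    not Electrum's own): each round hashes the previous digest with the seed,
    so checking one candidate seed costs `iterations` SHA-256 calls."""
    seed_bytes = seed.encode("utf-8")
    x = seed_bytes
    for _ in range(iterations):
        x = hashlib.sha256(x + seed_bytes).digest()
    return x

def added_strength_bits(iterations: int) -> float:
    """Bits of work added per guess: log2(iterations).
    100_000 iterations -> ~16.6 bits, which the post rounds to 16."""
    return math.log2(iterations)

# Constructed toy stand-in for public leaked-password lists. A seed found on
# such a list has effectively 0 bits of entropy before stretching.
KNOWN_PASSWORDS = {"password", "password123", "123456", "letmein"}

def brute_force_work_bits(seed_entropy_bits: float, iterations: int,
                          seed: str = "") -> float:
    """log2 of the hash operations needed to recover the seed by brute force.

    work = 2^entropy guesses * 2^log2(iterations) hashes per guess.
    Capped at 128 because the derived keys themselves only have 128-bit
    strength, so extra seed entropy beyond that is academic."""
    if seed and seed in KNOWN_PASSWORDS:
        seed_entropy_bits = 0.0  # dictionary entry: attacker tries it first
    return min(128.0, seed_entropy_bits + added_strength_bits(iterations))

if __name__ == "__main__":
    # The post's example: 74-bit passphrase + 100K iterations ~ 90-bit key.
    print(round(brute_force_work_bits(74, ITERATIONS), 1))
    # A known password gains nothing useful: ~2^16.6 hashes is one guess.
    print(round(brute_force_work_bits(40, ITERATIONS, "password123"), 1))
    print(stretch_seed("constructed example seed", 1000).hex())
```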