Date: Thu, 12 Mar 2015 05:58:12 +0000 (UTC)
From: Thy Shizzle <thashiznets@yahoo.com.au>
To: "voisine@gmail.com" <voisine@gmail.com>
Message-ID: <1511245342.4538047.1426139892373.JavaMail.yahoo@mail.yahoo.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; 
	boundary="----=_Part_4538046_1837632964.1426139892370"
Cc: "bitcoin-development@lists.sourceforge.net"
	<bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Electrum 2.0 has been tagged
Precedence: list
Reply-To: Thy Shizzle <thashiznets@yahoo.com.au>

------=_Part_4538046_1837632964.1426139892370
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

=C2=A0 Why on earth would you want to derive the mnemonic from the wallet s=
eed? Ever?
Remembering that as an attacker doesn't actually have to do any key stretch=
ing, they can just keep trying (what is it 64 bytes from memory?) at a time=
 without any PBKDF2 to attack a seed, it seems that the PBKDF2 is just to s=
low down anyone attempting to attack through an interface such as a web ser=
vice or to a TREZOR or whatever, in a real world attack you would not even =
be performing PBKDF2 you would just brute force the raw bytes and=C2=A0forc=
e them into the BIP32 wallet=C2=A0as there is no Authentication scheme that=
 hashes and compares against the result. It purely limits abuse through an =
online wallet provider or something like that by slowing down seed generati=
on attempts THROUGH that API, it doesn't really add any security to the see=
d in a real world brute force attack! So yea I think the 2048 iteration cou=
nt is sufficient for it's purpose because even if it only forces an extra 1=
ms per seed generation through the API, it is still slower than just brute =
forcing the 64 bytes straight up, and so they would have no reason to abuse=
 your API that is all :)
"meh... the fact that you can't derive the seed phrase from the wallet seed=
, and that the password key stretching is so weak as to be ineffectual secu=
rity theater bugs me. Feels like a pretty big compromise to work on current=
 generation low power embedded devices when the next generation will be mor=
e than capable. But I understand the motivation for the compromise.

Aaron Voisine
co-founder and CEO
breadwallet.com"
------=_Part_4538046_1837632964.1426139892370
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<html><body><div style=3D"color:#000; background-color:#fff; font-family:He=
lvetica Neue-Light, Helvetica Neue Light, Helvetica Neue, Helvetica, Arial,=
 Lucida Grande, Sans-Serif;font-size:16px"><div id=3D"yiv7197762186"><div i=
d=3D"yui_3_16_0_1_1426122660566_43474" style=3D"color: rgb(0, 0, 0); font-f=
amily: Helvetica Neue-Light, Helvetica Neue Light, Helvetica Neue, Helvetic=
a, Arial, Lucida Grande, Sans-Serif; font-size: 16px; background-color: rgb=
(255, 255, 255);">&nbsp; <div id=3D"yiv7197762186yui_3_16_0_1_1426122660566=
_40948" style=3D"color: rgb(0, 0, 0); font-family: Helvetica Neue-Light, He=
lvetica Neue Light, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-S=
erif; font-size: 16px; background-color: rgb(255, 255, 255);"><div id=3D"yi=
v7197762186yui_3_16_0_1_1426122660566_38088" dir=3D"ltr">Why on earth would=
 you want to derive the mnemonic from the wallet seed? Ever?</div><div id=
=3D"yiv7197762186yui_3_16_0_1_1426122660566_38110" dir=3D"ltr"><br></div><d=
iv id=3D"yiv7197762186yui_3_16_0_1_1426122660566_38109" dir=3D"ltr">Remembe=
ring that as an attacker doesn't actually have to do any key stretching, th=
ey can just keep trying (what is it 64 bytes from memory?) at a time withou=
t any PBKDF2 to attack a seed, it seems that the PBKDF2 is just to slow dow=
n anyone attempting to attack through an interface such as a web service or=
 to a TREZOR or whatever, in a real world attack you would not even be perf=
orming PBKDF2 you would just brute force the raw bytes and&nbsp;force them =
into the BIP32 wallet&nbsp;as there is no Authentication scheme that hashes=
 and compares against the result. It purely limits abuse through an online =
wallet provider or something like that by slowing down seed generation atte=
mpts THROUGH that API, it doesn't really add any security to the seed in a =
real world brute force attack! So yea I think the 2048 iteration count is s=
ufficient for it's purpose because even if it only forces an extra 1ms per =
seed generation through the API, it is still slower than just brute forcing=
 the 64 bytes straight up, and so they would have no reason to abuse your A=
PI that is all :)</div><div id=3D"yiv7197762186yui_3_16_0_1_1426122660566_3=
8087" dir=3D"ltr"><br>"meh... the fact that you can't derive the seed phras=
e from the wallet seed, and that the password key stretching is so weak as =
to be ineffectual security theater bugs me. Feels like a pretty big comprom=
ise to work on current generation low power embedded devices when the next =
generation will be more than capable. But I understand the motivation for t=
he compromise.<br><br>Aaron Voisine<br>co-founder and CEO<br><a tabindex=3D=
"-1" id=3D"yiv7197762186yui_3_16_0_1_1426122660566_38019" href=3D"http://br=
eadwallet.com/" target=3D"_blank" rel=3D"nofollow"><font id=3D"yiv719776218=
6yui_3_16_0_1_1426122660566_38018" color=3D"#0066cc">breadwallet.com</font>=
</a>"</div></div></div></div></div></body></html>
------=_Part_4538046_1837632964.1426139892370--