Bitcoin Forum

Alternate cryptocurrencies => Altcoin Discussion => Topic started by: lem0nhead on October 23, 2017, 02:01:55 AM



Title: Trustless generation of keys?
Post by: lem0nhead on October 23, 2017, 02:01:55 AM
Hi there! First-timer on a forum, but I've been studying cryptocurrencies for a while.

When creating a wallet for a cryptocurrency, I see 3 main attack vectors.
If you use software (even an air-gapped one), it can be compromised to generate a biased pseudo-random number. For instance, it might be using an int32 seed; you never know (unless you really go deep into the source - not only of the code, but of the libs also!).
Then, after you get a pseudo-random number, you need to convert it to words (after all, we don't want to write a password like "w-ROYRl1?|I0,*'''m*{" on a piece of paper, right?). The code that translates this number to words can be compromised (maybe it's only using the 4th bit of every byte as seed?).
And finally, if you get a secure random number and manage to securely convert it to random words, then you still need to generate a private key for multiple cryptocurrencies (using another software that might be compromised)!

That seems hard.
The first 2 main attack vectors (generating random numbers securely and converting them to words) seem feasible with something like http://diceware.com.

But what about the last one? How to convert a random password to a "wallet" (addresses derivation + privkey + pubkey)? I think BIP32 (and not BIP39, for the reasons above!) is the answer. But even though I found ways to generate wallets for multiple cryptocurrencies using BIP39, I didn't find the same for BIP32 (I found some that could generate based on the derivation path, but that doesn't suffice... for instance, the addresses for Ethereum are encoded differently).

Then again, we'd need to trust that this BIP32 implementation is not compromised. But maybe at least that could be done by comparing the results of 3+ independent implementations.

I'm leaning towards falling back to BIP39 to generate the wallets (since we have multiple tools that could be used - and that can also have their results compared). It would still be possible to do that using only 6*6*6*6=1296 words from the 2048 in BIP39 and using a die to choose among them (that would provide 10.27 bits of entropy per word instead of 11) - and then calculating the last word for the checksum.

Thoughts?
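The dice-to-BIP39 idea from the post above, worked through as an added example (not code from the original post or from any BIP39 implementation): four d6 rolls select one of the first 1296 word indices, eleven such words plus 7 extra bits (e.g. coin flips) give the 128 bits of entropy, and the 12th word index is those 7 bits followed by the 4-bit SHA-256 checksum BIP39 specifies. It works with word indices only; mapping an index to an actual word needs the 2048-entry BIP39 English list, which is assumed and not embedded here.

```python
import hashlib

WORDLIST_SIZE = 2048      # size of the BIP39 English word list
DICE_WORDS = 6 ** 4       # 1296: words reachable by four d6 rolls, as proposed above
ENT_BITS = 128            # entropy bits in a 12-word mnemonic
CS_BITS = ENT_BITS // 32  # 4 checksum bits (BIP39 uses ENT/32)


def dice_to_index(rolls):
    """Map four d6 rolls (1..6 each) to a word index in [0, 1296), base-6 style."""
    if len(rolls) != 4 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly four rolls in 1..6")
    idx = 0
    for r in rolls:
        idx = idx * 6 + (r - 1)
    return idx


def bip39_indices_from_dice(word_rolls, tail_bits):
    """
    word_rolls: 11 lists of four d6 rolls -> the first 11 word indices (11 bits each).
    tail_bits : int in [0, 128), the remaining 7 entropy bits (e.g. 7 coin flips);
                the 12th word is those 7 bits followed by the 4-bit checksum.
    Returns the 12 word indices (0..2047) of a checksum-valid mnemonic.
    """
    if len(word_rolls) != 11 or not 0 <= tail_bits < 128:
        raise ValueError("need 11 dice words and 7 tail bits")
    first11 = [dice_to_index(r) for r in word_rolls]
    ent = 0
    for idx in first11:           # 11 words * 11 bits = 121 bits
        ent = (ent << 11) | idx
    ent = (ent << 7) | tail_bits  # + 7 bits = 128 bits of entropy
    digest = hashlib.sha256(ent.to_bytes(ENT_BITS // 8, "big")).digest()
    checksum = digest[0] >> (8 - CS_BITS)  # first 4 bits of SHA-256(entropy)
    return first11 + [(tail_bits << CS_BITS) | checksum]


def checksum_ok(indices):
    """Re-derive the checksum from 12 word indices, as an importing wallet would."""
    if len(indices) != 12 or any(not 0 <= i < WORDLIST_SIZE for i in indices):
        return False
    bits = 0
    for i in indices:
        bits = (bits << 11) | i   # 132 bits = 128 entropy + 4 checksum
    ent, stored = bits >> CS_BITS, bits & ((1 << CS_BITS) - 1)
    digest = hashlib.sha256(ent.to_bytes(ENT_BITS // 8, "big")).digest()
    return stored == digest[0] >> (8 - CS_BITS)
```

Because every 12th-word index computed this way satisfies the checksum, independent BIP39 tools fed the same 12 indices should all accept the mnemonic, which is the cross-checking the post proposes.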