Bitcoin Forum

I suggest an option to hash the passphrase multiple times.
This will be barely noticeable for the user but will make bruteforcing much more expensive.

This tiny code, added at brainwallet.org's HTML at line 9086, does the trick:

Warpwallet (https://keybase.io/warp/warp_1.0.6_SHA256_e68d4587b0e2ec34a7b554fbd1ed2d0fedfaeacf3e47fbb6c5403e252348cbfc.html) uses 2^18 rounds of scrypt and 2^16 rounds of pbkdf2 (takes a few seconds in the browser). It makes brute forcing very difficult: an 8-character alphanumeric (47.6 bit) password has a 20 BTC bounty on it, expires over two years after it was created, and is still not expected to be cracked (via brute force).

Electrum does the same thing but uses the concatenation of the original seed with
each iteration to inject entropy all the way through the process in case the hashing
algorithm starts to converge with large repetitions.

Does this have any side effects we may not be aware of?

Rehashing over and over could somehow lead to loss of entropy although
i think that is just a postulation and there's no known attack right now,
but see my post above on how that is easily mitigated.

There is the potential for entropy loss.  I would recommend people not rolling their own cryptography.  There are standardized Key Derivative functions which have been extensively peer reviewed.  PBKDF2, BCrypt, and SCrypt are examples of KDFs.

 warpwallet did and no one stole their coins....YET.

The problem of "brainwallet" is the use of weak passpharse. No matter what algorithm you use, people could generate a rainbow table and wait for a hit. A very complex algorithm may slow this process down, but it could be cracked eventually for weak passpharses

another problem of "brainwallet" is the rubber hose attack.

Warp wallet uses scrypt.

does simply using 2^18 rounds of scrypt qualify as a proper (peer reviewed) KDF?

I don't know. I am not a cryptologist. However, it is not an original algorithm that they are using. They are not rolling their own crypto. It is one of the widely accepted algos listed above. They follow up the scrypt with pbkdf2 as well.

for even better security, the user can specify a hashing exponent.  This makes brute forcing incredibly difficult because it's adds an entirely new dimension to the search space.


where exponent is an input variable.

thus they can specify a very high number for better security.  Of course they must be able to remember this number as well.

-bm

Did you even read the thread?  This whole approach is flawed due to potential loss of entropy, regardless of
whether you use a variable or fixed exponent.

JF,

 Could you point us to the explanation of entropy loss in this situation?

 we do double hashing elsewhere in Bitcoin btw- http://bitcoin.stackexchange.com/questions/8443/where-is-double-hashing-performed-in-bitcoin/8461#8461

 certainly entropy loss could be a potential problem.

thanks, -bm

there was this thread:  Double hashing: less entropy? (https://bitcointalk.org/index.php?topic=86947.0)

-bm

Please read what DeathandTaxes said about KDFs.

If you take the first one he mentions,  PBKDF2,
you can see that the salt is used at each stage
of iteration.

http://en.wikipedia.org/wiki/PBKDF2

I'm far from an expert, but the principle here
is that constant re-hashing introduces
the possibility of convergence.

Now whether that is just a theoretical possibility,
or has been shown to actually occur, I have no
idea.  But, by re-introducing entropy at each
round, that problem is mitigated.

2 hashes are fine, but 100,000 hashes might not be.

Electrum uses the same principle -- although
it is not using a peer-reviewed KDF, it does
a concatenation of the original seed with
each hashing round.

You could use your idea of a variable exponent
but it should be using this principle, not merely
using the simple loop the OP suggested.

yes, this looks like the right standard for this.  Of course this invites in the 'NSA conspiracy' discussion but certainly standards are favorable to 'roll ur own'.

in the case of PBKDF2 you have a 'c' parameter similar to the exponent I just described.  I'll try and read D&T closer next time.

-bm

Nobody has mentioned the human element, the software or website you use with a custom algorithm may change their algorithm, or disappear, leaving you wondering how to rehash your pass phrase to make it work...

I've already solved that problem for Electrum users:

https://bitcointalk.org/index.php?topic=612143.0

I've always wanted to use a brain wallet, but I've heard that they are easy to crack so I've stayed away.. Looks like things are changing..

ok, so how badly do people want this?

I can implement a command line PBKDF2 wallet.dat generator(in Java) if enough people would use it.

-bm