What 15 extra bits? NVM
There is a discussion here on this subject. Some of it refers to the old 1.9 branch. One thing that stands out:
Private keys only have 128 bit key strength. Not 160 bit and not 256 bit.
and this too:
In either case brute forcing the seed would allow you to gain access to all the private keys, whereas brute forcing a single private key only gives you access to that key. It is generally speaking academic if the seed has sufficient entropy because keys with 128 bit key strength are considered beyond brute force anyways.
So let me get it straight.
Unspent bitcoin address = 160 bit entropy + lots of crypto operations for brute forcing
Spent bitcoin address = 128 bit entropy + lots of crypto operations for brute forcing
Maximum private key entropy = 128 bit + lots of crypto operations for brute forcing
Electrum seed (English-default 13 word) = 143 bit - entropy loss from searching + 16 bit (from key stretch) = 128 (it can be customized with the electrum help make_seed command)
1) OK, so I read the documentation; it shows that the Electrum seed has only 128 bit entropy. How?
http://docs.electrum.org/en/latest/faq.html#how-secure-is-the-seed
It also says:
The seed generation requires to find a seed that has a legal version prefix. That constraint results in a loss of entropy. This loss is compensated by adding extra bits of entropy during the seed generation.
So does this mean that the searching for seeds actually loses 16 bit entropy, which is then compensated by the 16 bit added in the key stretch? So actually the default seed has only 128 bit? How much entropy is lost exactly in the seed generation/searching process, 16 bit?
2) It seems to me that the bitcoin private key is the weakest link. Brute forcing a bitcoin address is one thing because it involves many operations, but what if somebody tries to calculate all private keys?
Or does the fact that he still needs to calculate the address from the private key, check the balance on the blockchain, and put all items in a spreadsheet to compare add too many operations, making a private key actually as secure as an address (if not more)?
So the 128 bit private key + many operations (calculate address, comparison, spreadsheet in memory, getting balance of address).
3) Isn't it logical to generate a 256 or 512 bit seed? For example:
- In a non-deterministic wallet you have 10 addresses with 1 bitcoin each on them, protected by 160 bit unspent addresses. If 1 gets compromised, that is 160 bit security + (additional operations) broken. Results in 10% risk.
So the total wallet security is 1600 bits + crypto operations, and the minimum risk is 10%.
- In a deterministic wallet (Electrum) you have 10 addresses with 1 bitcoin each on them, all protected by a 128 bit seed.
So total wallet security is still 128 bit, and the minimum risk is 100%: if the seed is broken all money is lost.
So it would make sense to make higher security seeds?
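Added example (not from the post or from Electrum's own code) modelling the version-prefix search the FAQ describes, so the entropy loss from question 1 can be counted: a candidate mnemonic passes only if HMAC-SHA512 (key "Seed version") of the phrase starts with the version prefix, and rejection sampling against an 8 bit prefix constraint costs 8 bits of entropy. Assumptions: the "Seed version" key and the "01" standard-seed prefix match Electrum; the 2048-entry word list is a constructed stand-in, and the search loop is a simplified model rather than Electrum's exact algorithm.

```python
import hashlib
import hmac
import secrets

# Electrum checks a candidate mnemonic by hashing it with HMAC-SHA512 (key "Seed
# version") and requiring the hex digest to start with a version prefix; "01" is
# the standard-seed prefix. Assumption: these constants match Electrum's mnemonic.py.
SEED_PREFIX = "01"
# Constructed stand-in for the real 2048-word English list (same size: 11 bits per word).
WORDLIST = [f"word{i:04d}" for i in range(2048)]

def has_legal_prefix(mnemonic: str, prefix: str = SEED_PREFIX) -> bool:
    digest = hmac.new(b"Seed version", mnemonic.encode("utf8"), hashlib.sha512).hexdigest()
    return digest.startswith(prefix)

def encode_mnemonic(n: int) -> str:
    # Base-2048 encoding of the entropy integer, least-significant word first.
    words = []
    while n:
        n, idx = divmod(n, len(WORDLIST))
        words.append(WORDLIST[idx])
    return " ".join(words)

def decode_mnemonic(mnemonic: str) -> int:
    n = 0
    for word in reversed(mnemonic.split()):
        n = n * len(WORDLIST) + WORDLIST.index(word)
    return n

def prefix_constraint_bits(prefix: str = SEED_PREFIX) -> int:
    # Each required hex character fixes 4 bits of the digest, so only a fraction
    # 2^-(4*len(prefix)) of uniformly drawn candidates pass the check.
    return 4 * len(prefix)

def effective_seed_bits(num_bits: int, prefix: str = SEED_PREFIX) -> int:
    # Rejection sampling keeps accepted seeds uniform, but the accepted set is
    # smaller by the acceptance probability: entropy = num_bits - constraint bits.
    return num_bits - prefix_constraint_bits(prefix)

def make_seed(num_bits: int, prefix: str = SEED_PREFIX):
    # Simplified model (not Electrum's code): draw uniform num_bits candidates
    # until one has a legal prefix. Returns (mnemonic, trials); expect ~2^8 trials for "01".
    trials = 0
    while True:
        trials += 1
        mnemonic = encode_mnemonic(secrets.randbits(num_bits))
        if has_legal_prefix(mnemonic, prefix):
            return mnemonic, trials
```

With the 13-word (143 bit) phrase from the post, effective_seed_bits(143) gives 135, so under these assumptions the prefix search costs 8 bits, not 16.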