Bitcoin Forum
Author Topic: Seed entropy  (Read 1064 times)
pythonista (OP)
November 10, 2013, 12:32:35 AM
 #1

As I understand it, Electrum uses 128 bits of entropy for its random seed generation, whilst the total space of bitcoin addresses is 256 bits. So by generating addresses using Electrum, you have already vastly reduced (by 2^128) the search space of addresses to perform a brute force attack. Am I understanding this correctly? Electrum is great but this has always worried me.

Not so long ago there was an attack on Android wallets because the random number generator was broken. Could something similar happen here?
DeathAndTaxes
Gerald Davis
November 10, 2013, 12:35:15 AM
 #2

ECDSA 256 bit key only has 128 bits of security.  Public key systems generally need larger keys to deliver the same key strength as symmetric encryption.  

The same thing applies to hashing algorithms.  For collisions and second pre-image resistance the bit strength of a hashing algorithm is half that of the digest length, so 128 bits for SHA-256 and 80 bits for RIPEMD-160.

So there is no reduction in bit strength.  Even if there was (assume Bitcoin used 512 bit ECDSA keys), 128 bits simply can't be brute forced, not at any cost, and not in any useful timeframe, so any reduction would be academic at best.

Public key systems are more likely to be degraded in the future (due to the mathematical relationship between the public and private key) and thus they are "hedged" by using larger key strengths to provide a "cushion" against improved cryptanalysis.
ThomasV
November 12, 2013, 07:13:50 AM
 #3

ECDSA 256 bit key only has 128 bits of security.  Public key systems generally need larger keys to deliver the same key strength as symmetric encryption.  

Exactly. For technical details, see the PDF at http://ecc-challenge.info/

Electrum: the convenience of a web wallet, without the risks