Author Topic: PBKDF2 iterations questions (seed to private key)  (Read 134 times)
Sanglotslongs2 (OP)
December 22, 2020, 05:45:31 PM
Merited by NotATether (2)
#1

Hello,

When we have a valid entropy from mnemonic seed, we need to transform it to a valid seed.
To do it we use PBKDF2 - Password Based Key Derivation Function 2.

https://learnmeabitcoin.com/technical/mnemonic
 
Quote
PBKDF2 Settings:

Password: Mnemonic Sentence
Salt: "mnemonic"+(optional passphrase)
Iterations: 2048
Algorithm: HMAC-SHA512
Size: 64 bytes

1) If I do more iterations, will I have another valid seed?

2) For example, if I decide to do 2048+1 PBKDF2 iterations, will an attack against a "standard wallet with 2048 iterations" not be effective even if the attacker has my mnemonic seed?

3) If I want an off-standard seed, I can do something like 2048x16 = 32k iterations; my wallet will take longer to set up, but it's just a few minutes more. Will I gain more resilience against a brute-force attack even if my mnemonic seed is leaked?

4) I have read several iteration recommendations, 1024, 2048 or 4096; those recommendations change with time as computers become more and more powerful. So can I have several different private key/address results if I use different software versions etc.?

5) There are 2048^12 mnemonic possibilities; is that enough to not care about PBKDF2 validity and just SHA-256 my mnemonic phrase to have a valid seed? (discussion here: https://security.stackexchange.com/questions/16354/...)
BrewMaster
December 22, 2020, 05:54:58 PM
Merited by ABCbits (1), Pmalek (1), NotATether (1)
#2

1) you will get another derived key from that mnemonic and it can be used as a BIP32 seed, but it won't be standard and you'll have to remember the same iteration count for the future recovery.

2) no, because they will also have to guess your custom iteration count, which increases the number of keys to brute force drastically and may even make it impossible.

3) true, but it would be reasonable to assume that if your mnemonic is leaked your iteration count can leak too.

4) I believe the current secure number for PBKDF2 is more than 10 million if you are going to do it once (which is the case when creating a wallet).
if you are changing things in the BIP then why not also change the key derivation function to something that is already secure? for example scrypt is a very safe and memory intensive one.

5) if you are following BIP39 (that is, to have the option to extend the mnemonic with a passphrase) you can't use simple SHA256 and have to use a KDF or even an HMAC function.
but I think the important thing is still to have a strong random initial entropy that creates the mnemonic.


Sanglotslongs2 (OP)
December 22, 2020, 06:21:56 PM
#3

Quote
5) if you are following the BIP39 (that is to have the option to extend the mnemonic with a passphrase) you can't use simple SHA256 and have to use a KDF or even an HMAC function.
but i think the important thing is still to have a strong random initial entropy that creates the mnemonic.



This "passphrase" is (I guess) the "custom word" in Electrum and "BIP39 Passphrase (optional)" in https://iancoleman.io/bip39/?


Just before generating addresses with a derivation path on https://iancoleman.io/bip39/:
Quote
Encrypt private keys using BIP38 and this password: [___________] Enabling BIP38 means each key will take several minutes to generate.


Is this an equivalent of PBKDF2 iterations?
o_e_l_e_o
December 22, 2020, 06:48:06 PM
#4

Quote
This "passphrase" is (I guess) the "custom word" in Electrum and "BIP39 Passphrase (optional)" in https://iancoleman.io/bip39/?
Yes, they are all the same.

Quote
Is this an equivalent of PBKDF2 iterations?
No. Encryption is not the same as just increasing the number of iterations.

The real question is "What are you trying to achieve?" If you want a set up which means your coins will not be immediately stolen if your seed phrase is compromised, then you should use a passphrase, since this is a BIP standard and reproducible across multiple wallets. Changing the iteration number is both less secure than a complex passphrase and non-standard and could cause you problems in the future when trying to recover your wallets. And since you asked about using multiple different iteration counts, you can also use multiple different passphrases to lead to multiple different wallets, all from the same seed phrase.
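The derivation from the PBKDF2 settings quoted in post #1, with the two variants debated in posts #2 and #4 (a custom iteration count versus a BIP39 passphrase) computed side by side. This is an added example, not code from any poster; it assumes only the Python standard library, and the sample mnemonic and the "TREZOR" passphrase are constructed inputs.

```python
import hashlib
import unicodedata

# Added example (not from any poster in this thread): BIP39 seed derivation
# exactly as the quoted settings describe it, plus the two alternatives the
# thread discusses: a non-standard iteration count and a BIP39 passphrase.

BIP39_ITERATIONS = 2048  # the standard count from the quoted settings


def bip39_seed(mnemonic: str, passphrase: str = "",
               iterations: int = BIP39_ITERATIONS) -> bytes:
    """Derive the 64-byte BIP32 seed from a mnemonic sentence.

    BIP39: password = NFKD(mnemonic), salt = "mnemonic" + NFKD(passphrase),
    PRF = HMAC-SHA512, 2048 iterations, 64-byte output. Any other iteration
    count is still valid PBKDF2 output, but no BIP39 wallet will reproduce it.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=64)


# Constructed sample input: the all-"abandon" mnemonic used in BIP39 test vectors.
SAMPLE_MNEMONIC = "abandon " * 11 + "about"


def compare_variants(mnemonic: str = SAMPLE_MNEMONIC) -> dict:
    """Return the standard seed next to the two alternatives from the thread."""
    standard = bip39_seed(mnemonic)
    custom_iter = bip39_seed(mnemonic, iterations=BIP39_ITERATIONS + 1)  # question 2)
    with_pass = bip39_seed(mnemonic, passphrase="TREZOR")                # post #4
    return {
        "standard": standard.hex(),
        "custom_iterations": custom_iter.hex(),
        "with_passphrase": with_pass.hex(),
        # All three are distinct, valid 64-byte seeds; only "standard" and
        # "with_passphrase" can be recovered in any BIP39-compatible wallet.
        "all_distinct": len({standard, custom_iter, with_pass}) == 3,
    }


if __name__ == "__main__":
    for name, value in compare_variants().items():
        print(f"{name}: {value}")
```

The passphrase variant matches the published BIP39 test vector for this mnemonic with passphrase "TREZOR", which is the reproducibility argument made in post #4; the 2049-iteration seed is deterministic too, but only for software that knows the custom count.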
BrewMaster
December 22, 2020, 07:16:26 PM
#5

yeah, if you want to add some sort of additional security level then you can just use these extension words or passphrase in BIP39 while remaining compatible with any wallet that accepts BIP39 mnemonics. any more security will only be possible through actual encryption using any encryption techniques.
