Weak Physical Bitcoin (BIP38 EC multiply) through low entropie?

[zappylappy]

Since the BIP38 EC multiply procedure cannot guarantee a sufficient entropie for the private keys, I still have to trust the manufacturer of the physical bitcoin to be honest.

Is that correct?

If so, what is then the purpose of BIP38 EC multiply?

[NotATether]

Since the BIP38 EC multiply procedure cannot guarantee a sufficient entropie for the private keys, I still have to trust the manufacturer of the physical bitcoin to be honest.

Is that correct?

The parameters passed to the EC multiply are different depend on whether you include lot and sequence numbers according to the BIP.

In case they are being included, the factor passed to EC multiply is SHA256d(scrypt(...)) so all of that has to be reversed in order to get the passphrase, even if the factor used for EC multiply is discovered.

If there is no lot and sequence numbers then the factor is just scrypt(...) where most of the parameters are known except for the passphrase and salt. The salt in particular is a 32-bit random number however this is disclosed to the user at the end.

This means that the difficulty of reversing scrypt is the only defense stopping manufacturers from knowing the password. In addition if lot and sequence numbers are used there is also the difficulty of reversing SHA256(SHA256()).

Keep in mind all this applies to the intermediate code only (that's given to coin makers) and not the final BIP38 encrypted key.

If so, what is then the purpose of BIP38 EC multiply?

It's to let manufacturers create an encrypted keypair without knowing the password. It also has the side effect that the private key has to be created along with the address, which some people might like since the manufacturer cannot know the private key in the first place.

[zappylappy]

Does this mean, that a manufacturer could produce physical bitcoin that are as secure as bitcoin keys that are generated according to the glacier protocol?

I assume that challenges like the following are solved:
- privacy regarding shipping
- transfer security regarding intermediate code

If the answer is yes, my next question would be "Why is there not more supply and demand for empty Physical Bitcoin?" regarding market mechanics and I will post it in Marketplace:
https://bitcointalk.org/index.php?topic=5324759

[NotATether]

Does this mean, that a manufacturer could produce physical bitcoin that are as secure as bitcoin keys that are generated according to the glacier protocol?

I assume that challenges like the following are solved:
- privacy regarding shipping
- transfer security regarding intermediate code

Glacier protocol basically vets the hardware that you use for it in order to ensure it's 100% clean. A dishonest manufacturer will obviously not use clean hardware to generate the BIP38 keys but it doesn't matter if you only give them the intermediate code because they don't know the BIP38 password for it.

Then again, a dishonest manufacturer wouldn't impose such a restriction on itself in the first place and would just ask you for the password to generate a key from.

An honest manufacturer will usually take bigger steps than using laptops with removed parts in them as Glacier says to do, and build custom boxes that don't even have these parts in the first place, wipe the disks after each batch of keys is made, and so on.