Bitcoin Forum
Topic: Electrum is less secure than Bitcoin-Qt?
Bizmark13 (OP)
January 01, 2015, 04:12:56 PM
 #1

I have heard this statement twice before and was wondering if there is any truth behind it. Is it true that an Electrum address has 4 billion times less entropy and is therefore 4 billion times less secure and more likely to be brute forced than an address generated using Bitcoin-Qt?

I don't know if the following numbers are correct or not so please correct me if I'm wrong but if a standard Bitcoin address has 160 bits of entropy and an Electrum seed has 128 bits of entropy then 2^160 divided by 2^128 equals 4,294,967,296 or slightly over 4 billion.

What difference does this make in practical terms? I know Moore's law states that processing power doubles every 18 months so if addresses generated with Electrum were 4 billion times less secure then doesn't this mean that they would be cracked 48 years (32 doublings) before Bitcoin addresses are cracked?
jonald_fyookball
January 01, 2015, 06:31:47 PM
 #2

Partially true.

Electrum seeds do have 128 bits of entropy and Bitcoin
allows for a maximum of 160 bits of security.

However:

1. Addresses that are re-used only have 128 bits of security.
There are several such addresses with tens of thousands of
Bitcoins, and no one seems to be cracking them.

2. 128 bits of security is still beyond brute force cracking,
regardless of Moore's law.  (Moore's law has been a trend,
but is by no means a "law", and will reach its limits soon).

Even if the hashing power of the
ENTIRE Bitcoin network of 340 million GH/s
were pointed at a single address, it would take over
31 TRILLION years to brute force 128 bits.

3. Electrum adds key stretching to the seed in the form
of a 100,000 round hash... So it would take 100,000 times
as long to brute force, effectively raising the security
from 128 bits to 144 bits.
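
The figures quoted so far in this thread can be checked directly. The following is an added example, not part of the original posts and not Electrum's code; it reproduces the 2^32 gap, the 48-year Moore's-law estimate, the 31-trillion-year figure and the effect of 100,000 rounds. The `stretch_seed` construction (SHA-256 iterated with the seed re-appended each round) is an assumption, since the post only says "a 100,000 round hash".

```python
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
NETWORK_HASHES_PER_SEC = 340e6 * 1e9  # "340 million GH/s", figure from the post

def stretch_seed(seed: bytes, rounds: int = 100_000) -> bytes:
    """Iterated SHA-256 over the seed. Assumed construction for illustration;
    the thread only states that the seed goes through a 100,000 round hash."""
    x = seed
    for _ in range(rounds):
        x = hashlib.sha256(x + seed).digest()
    return x

def entropy_gap(bits_a: int, bits_b: int) -> int:
    """How many times larger a 2^bits_a search space is than a 2^bits_b one."""
    return 2 ** (bits_a - bits_b)

def moore_head_start_years(bit_gap: int, months_per_doubling: int = 18) -> float:
    """Years of doublings needed to close a gap of bit_gap bits (OP's reasoning)."""
    return bit_gap * months_per_doubling / 12

def years_to_exhaust(bits: float, guesses_per_sec: float, work_per_guess: int = 1) -> float:
    """Years to try every value in a 2^bits space. Like the post, this treats
    one network hash as one guess unless work_per_guess says otherwise."""
    return (2.0 ** bits) * work_per_guess / guesses_per_sec / SECONDS_PER_YEAR

def effective_bits(entropy_bits: float, rounds: int) -> float:
    """Stretching multiplies the cost of each guess by `rounds`,
    which adds log2(rounds) bits of work on top of the seed entropy."""
    return entropy_bits + math.log2(rounds)

if __name__ == "__main__":
    print("160 vs 128 bits:", entropy_gap(160, 128))
    print("Moore head start:", moore_head_start_years(32), "years")
    print("2^128 at network rate: %.3g years" % years_to_exhaust(128, NETWORK_HASHES_PER_SEC))
    print("stretched seed work: %.1f bits" % effective_bits(128, 100_000))
    print("stretched key:", stretch_seed(bytes(16), rounds=1000).hex())
```

Since log2(100,000) is about 16.6, the stretched figure comes out at roughly 144.6 bits of work, which the post rounds to 144.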


dabura667
January 01, 2015, 06:33:30 PM
 #3

First of all:

http://en.wikipedia.org/wiki/Key_size#Asymmetric_algorithm_key_lengths

Quote
NIST guidelines state that ECC keys should be twice the length of equivalent strength symmetric key algorithms. So, for example, a 224-bit ECC key would have roughly the same strength as a 112-bit symmetric key. These estimates assume no major breakthroughs in solving the underlying mathematical problems that ECC is based on.

So the "keys" used in Electrum are all 256 bit, because they are generated using SHA256... BUT because ECC only offers 128 bits of security for a 256 bit key, anything over 128 bits of entropy is overkill.

Edit: Basically what jonald_fyookball just said.

Electrum has 144 bits of security due to the key stretching algorithm.

My Tip Address:
1DXcHTJS2DJ3xDoxw22wCt11FeAsgfzdBU
btchris
a.k.a. gurnec on GitHub


January 01, 2015, 08:11:31 PM
 #4

Although this really isn't related to OP's question, it may be worth mentioning anyways. One Electrum weakness (compared to Bitcoin Core) is its poor key stretching when password-protecting the wallet file (against brute-force attacks). Bitcoin Core aims to require about 0.1 seconds of CPU time per password attempt which results in around 100,000 SHA-512 iterations, whereas Electrum uses just 2 SHA-256's.

This makes brute-forcing the password of an Electrum wallet much easier, and therefore requires the use of a stronger password (vs. Bitcoin Core) to achieve the same level of brute-force resistance.
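
The trade-off described in the post above, as an added example that is not part of the original post and is neither wallet's actual code: it compares a two-hash password derivation with a calibrated, salted, iterated one and computes how much extra password entropy the weak scheme needs. The salted SHA-512 construction, the 10,000-round floor and the 10^9 hashes/s attacker speed are assumptions for illustration.

```python
import hashlib
import math
import os
import time

def weak_kdf(password: bytes) -> bytes:
    """Two unsalted SHA-256 passes: the per-guess cost the post attributes to Electrum."""
    return hashlib.sha256(hashlib.sha256(password).digest()).digest()

def stretched_kdf(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Salted SHA-512 iterated `rounds` times (illustrative construction)."""
    digest = hashlib.sha512(password + salt).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha512(digest).digest()
    return digest

def calibrate_rounds(target_seconds: float = 0.1, probe: int = 20_000,
                     minimum: int = 10_000) -> int:
    """Time a probe derivation on this machine and scale the round count so
    one password attempt costs about target_seconds of CPU."""
    start = time.perf_counter()
    stretched_kdf(b"probe", os.urandom(8), probe)
    elapsed = time.perf_counter() - start
    return max(minimum, int(probe * target_seconds / elapsed))

def exhaust_seconds(password_bits: float, hashes_per_guess: int,
                    attacker_hashes_per_sec: float) -> float:
    """Time to try every password in a 2^password_bits space."""
    return (2.0 ** password_bits) * hashes_per_guess / attacker_hashes_per_sec

def extra_password_bits(strong_rounds: int, weak_hashes: int = 2) -> float:
    """Password entropy the weak scheme must add to match the strong scheme's
    cost per guess (counts SHA-256 and SHA-512 as one unit each)."""
    return math.log2(strong_rounds / weak_hashes)

if __name__ == "__main__":
    rounds = calibrate_rounds()
    rate = 1e9  # constructed attacker speed, hashes per second
    print("rounds for ~0.1 s on this machine:", rounds)
    print("40-bit password, 2 hashes/guess:   %.0f s" % exhaust_seconds(40, 2, rate))
    print("40-bit password, 100,000 rounds:   %.0f s" % exhaust_seconds(40, 100_000, rate))
    print("extra bits needed with weak KDF:   %.1f" % extra_password_bits(100_000))
```

With these assumptions a 40-bit password falls in about 37 minutes under the two-hash scheme and about 3.5 years under 100,000 rounds; closing that gap by password strength alone takes roughly 15.6 more bits of entropy.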
crazyearner
January 05, 2015, 11:29:42 PM
 #5

Just started to use Electrum at long last but still getting used to it so only playing around with smaller amounts of BTC till I fully get used to it then look to maybe migrating over to it fully if I manage to understand everything correctly on it.

Q7
January 06, 2015, 01:08:49 PM
 #6

Technically yes, it's less secure with Electrum if we work on the calculations but the approach nowadays to hack and steal bitcoin would be more feasible by hackers to introduce malware or some other way to get the seeds by keylogging or other ways to extract the private key.

btchris
a.k.a. gurnec on GitHub


January 06, 2015, 04:09:34 PM
 #7

Quote from: Q7
Technically yes, it's less secure with Electrum if we work on the calculations but the approach nowadays to hack and steal bitcoin would be more feasible by hackers to introduce malware or some other way to get the seeds by keylogging or other ways to extract the private key.

If I understand you correctly, you're saying that more sophisticated malware with keylogging isn't slowed down at all by good key stretching, and such sophisticated malware has become fairly commonplace. I couldn't agree more...

Good key stretching is still important if you ever intend to keep wallet backups stored anywhere online (e.g. a backup service), and it can help protect against stupid malware (which still exists), but I agree it does nothing against sophisticated malware. In short: good password key stretching can sometimes help, and there's no reason for any wallet software to use weak key stretching (except of course that it requires development effort, and developers have limited time and long lists of new features to be added).