[bitcoin-dev] BIP proposal: derived mnemonics

Gregory Maxwell greg at xiph.org
Wed Jul 27 20:59:54 UTC 2016

On Wed, Jul 27, 2016 at 10:39 AM, Jochen Hoenicke via bitcoin-dev
<bitcoin-dev at lists.linuxfoundation.org> wrote:
> Jonas Schnelli via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org>
> schrieb am Di., 26. Juli 2016 um 22:10 Uhr:
>> Side-note: Bip39 does still use PBKDF2 with 2048 iterations which I
>> personally consider "not enough" to protect a serious amount of funds.
> But what are the alternatives?  Put an expensive processor and a decent
> amount of memory in every hardware wallet to support scrypt?  Use a million
> iterations and just wait 10 minutes after entering you passphrase?  Or
> compute the secret key on your online computer instead?
> Also, how many iterations are secure?  A million?  Then just add two random
> lower-case letters to the end of your passphrase and you have a better
> protection with 2048 iterations. If you want to be able to use your
> passphrase with cheap hardware and be protected against a high-end computer
> with multiple GPUs that is almost a mllion times faster, then you have to
> choose a good passphrase.  Or just make sure nobody steals your seed;

Jochen, two alternatives were raised in public discussion:

Use a scheme which supports delegatable hardening-- (there are two
broad classes proposed, one where the delegated party learns
information that would let them bypass the part of the hardening they
perform but only that part, and another where the delegation is
information theoretically private.)


Eschew the pretextual 'hardening' that serves no purpose but to cause
users to think the scheme is more secure than it is, and which makes
the system more complex to implement.

Both were rejected by the authors of that spec.

> it is
> not a brainwallet that is only protected by the passphrase after all.

This ignores the history of that spec and the widespread use. Because
of the design, the check value can't be computed without a fixed
dictionary, and many people do use it as a brainwallet-- which is what
that BIP originally specified, in fact.

More information about the bitcoin-dev mailing list