Can a brainwallet passphrase be derived if an attacker has obtained the private keys of an empty wallet.dat file?

1

Someone robbed me at gunpoint and took my laptop. The laptop contained an encrypted hardrive with a wallet.dat file. Both the hardrive and wallet.dat had at best weak passphrases for the encryption. I have assumed both to be compromised.

My question has to do with the one-way permutation hash function of ripemd-160 to generate both the private and public keys used in brain wallet generators.

[I am assuming that wallet generators are using one way permutations. I could be wrong. If I am then please inform me. Most wallet generators use the brainwallet.py available on github.]

If an attacker has obtained your private key can he "reverse engineer" the key to obtain the original brain wallet passphrase used when the wallet was generated?

If so I assume he can use that to bruteforce any other wallet that would use the same passphrase as a seed as mentioned in this post here:

https://crypto.stackexchange.com/questions/10246/question-regarding-multiple-sha-256-rounds-on-a-bitcoin-brain-wallet-passphrase

user12247

Posted 2014-01-15T15:08:56.630

Reputation: 11

Why does it matter if he can reverse-engineer the key to your passphrase? If he has the private key, he can spend your balance. You won't be able to make a new brain wallet with the same passphrase, as it will result in the same address. So unless your passphrase was the password you use for everything (stupid idea!), this doesn't really matter.Steven Roose 2014-01-15T16:42:15.380

Any reason for your cross-post at crypto.se? You obviously already received an answer here...

e-sushi 2014-01-15T18:09:32.660

I did not know where to best post the question. Sorryuser12247 2014-01-16T01:06:55.810

Steven re-read the post. The question was relevant to the seed passphrase being obtained. The wallet was already secured (empty wallet)user12247 2014-01-16T01:15:36.220

Answers

1

Sorry to hear you were robbed.

An attacker cannot reverse engineer a private key to obtain the original mnemonic phrase.

What essentially happens is just another multitude of hashes with an algorithm (SHA256). Different approaches to this are taken by different deterministic wallet generators.

As SHA256 is considered secure. So is your mnemonic phrase

MaxSan

Posted 2014-01-15T15:08:56.630

Reputation: 3 680

So you are guaranteeing me that a one way permutation is used to generate the private key for the wallet generators such as brainwallet.py?user12247 2014-01-16T01:10:44.473

Is this just an opinion or do you have any facts or evidence to back your claim? Dont take offense but im not going to risk losing all of my money on an opinionuser12247 2014-01-16T01:21:00.207

I did some research... what I am worried about is called a preimage attack.user12247 2014-01-16T01:45:39.050

Someone claims ripemd-160 is a one-way hash function: http://www.reddit.com/r/Bitcoin/comments/1lsweg/

user12247 2014-01-16T01:52:41.983

As long as your mnemonic phrase has enough entropy not to be brute forced then it is safe. I think Electrum uses 12 dictionary words to get 128bits of entropy. Don't quote me on that though.MaxSan 2014-01-16T09:15:42.093