What key derivation function uses Electrum / how generates private key?

0

I know some brain wallets are using scrypt as the key derivation function and AFAIK scrypt is a good derivation function as it is deliberately slow and makes use of big amount of both CPU and Memory, difficulting brute force attacks.

But I couldn't find which derivation function is actually using Electrum wallet or how does it generate the private key.

Finally, how secure is to generate a wallet in Electrum style from 2048-word list compared to a brain wallet? Apparently to me, it looks like generating the key from a limited set of words would be less secure than doing it from a free-passphrase... how it really is?

Gerard Bosch

Posted 2018-01-03T22:52:08.803

Reputation: 45

Answers

1

Key derivation from seeds is standardised across wallets - Electrum specifically follows the BIP32 spec for key derivation.

Looking at the security aspect, a set of 12 words and 2048 words to choose from results in log2(2048^12) = 132 bits of entropy. If I've done my maths right, this is equivalent to a 22 character long completely random alphanumeric password.

A 256 bit bitcoin private key has 128 bits of entropy, so an electrum 12 word seed is about as secure - it is essentially impossible to crack through brute force.

Apparently to me, it looks like generating the key from a limited set of words would be less secure than doing it from a free-passphrase

I'm not sure of any wallets that use a passphrase to derive keys - usually a passphrase is used to encrypt a set of private keys, as opposed to deriving them from scratch. For example, in Bitcoin Core, the private keys are randomly generated and then the passphrase is simply used to encrypt the file storing them on disk.

The benefit of using a seed-based derivation approach (such as in Electrum) is that the seed is enough to restore all the associated private keys. Otherwise, every private key for every address would need to be backed up and kept secure.

mxbi

Posted 2018-01-03T22:52:08.803

Reputation: 256

I think these two are using scrypt (with salt) for key derivation: https://brainwallet.io/ and https://keybase.io/warp/ Anyway as you say an equivalnt of 22 length random password looks reasonable. It was curious to know if the slowliness and high memory requirements of scrypt was better or how BIP32 is it doing.

Gerard Bosch 2018-01-04T00:15:58.883

The key derivation standardisation is good for two reasons - firstly, support: you don't have to reply on some wallet provider still existing to access your coins, since every wallet uses the same thing. Also, BIP32 has been very rigorously checked and tested, knowing that it's beenmxbi 2018-01-04T09:24:19.320

Asked: 2018-01-03T22:52:08.803

Viewed: 232 times

Active: 2018-01-03T23:04:06.813