Why on earth would you want to derive the mnemonic from the wallet seed? Ever?
Remembering that an attacker doesn't actually have to do any key stretching, 
they can just keep trying (what is it, 64 bytes from memory?) at a time without 
any PBKDF2 to attack a seed. It seems that the PBKDF2 is just to slow down 
anyone attempting to attack through an interface such as a web service or a 
TREZOR or whatever; in a real-world attack you would not even be performing 
PBKDF2, you would just brute force the raw bytes and force them into the BIP32 
wallet, as there is no authentication scheme that hashes and compares against 
the result. It purely limits abuse through an online wallet provider or 
something like that by slowing down seed generation attempts THROUGH that API; 
it doesn't really add any security to the seed in a real-world brute force 
attack! So yea, I think the 2048 iteration count is sufficient for its purpose, 
because even if it only forces an extra 1ms per seed generation through the 
API, it is still slower than just brute forcing the 64 bytes straight up, and 
so they would have no reason to abuse your API. That is all :)
"meh... the fact that you can't derive the seed phrase from the wallet seed, 
and that the password key stretching is so weak as to be ineffectual security 
theater bugs me. Feels like a pretty big compromise to work on current 
generation low power embedded devices when the next generation will be more 
than capable. But I understand the motivation for the compromise."

Aaron Voisine
co-founder and CEO
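The key-stretching step both messages are arguing about, shown as an added example (not code from either poster): BIP39 derives the 64-byte wallet seed by running 2048 rounds of PBKDF2-HMAC-SHA512 over the NFKD-normalized mnemonic, with the salt "mnemonic" plus the optional passphrase. The check at the bottom uses the standard BIP39 test vector for the all-"abandon" mnemonic with passphrase "TREZOR".

```python
import hashlib
import unicodedata

PBKDF2_ROUNDS = 2048   # iteration count fixed by BIP39
SEED_LEN = 64          # bytes of seed material fed to BIP32


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the BIP39 wallet seed from a mnemonic sentence.

    Both the mnemonic and the passphrase are NFKD-normalized first, so that
    visually identical inputs typed on different platforms yield the same seed.
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, PBKDF2_ROUNDS, dklen=SEED_LEN)


def stretch_cost_bits(rounds: int = PBKDF2_ROUNDS) -> float:
    """Work added per mnemonic guess by PBKDF2, expressed in bits of security.

    2048 rounds is log2(2048) = 11 bits: each candidate mnemonic costs 2048
    HMAC-SHA512 evaluations instead of one. This is the figure the two posters
    disagree about when they call the stretching weak or sufficient.
    """
    import math
    return math.log2(rounds)


if __name__ == "__main__":
    # Standard BIP39 English test vector (all-zero entropy, passphrase "TREZOR").
    vector = "abandon " * 11 + "about"
    print(bip39_seed(vector, "TREZOR").hex())
    print(f"PBKDF2 adds {stretch_cost_bits():.0f} bits of work per guess")
```

Changing the passphrase (even to an empty string) yields an unrelated seed, which is why a wallet cannot tell a wrong passphrase from a right one without comparing derived addresses.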
Bitcoin-development mailing list