Make sure to uniquely map the passphrase and username into the input of $H$, so that if Bob Willy's passphrase is ‘Wonka’ and Bob's passphrase is ‘Willy Wonka’ then they don't end up with the same key. Let $P$ be the standard base point of order $\ell$ on some elliptic curve, and $H\colon \$ user's secret scalar.

The necessity of 256 bits of entropy has been questioned. That key is then hashed with keccak-256 to generate the wallet's private view key. This question is applicable to Monero, where it is the case that 256 bits of entropy are used for a wallet's private spend key. Would this be liable to such a 'multi target attack'? If so, how would that attack work? Can this situation be resolved by increasing the initial entropy above 128 bits, and if so, how much higher would it need to be to allow for the two ECC private keys to be safely generated? A second ECC private key would then be generated by hashing the first 256-bit ECC private key. The first article linked above however stipulates that if more than one 256-bit ECC key was being generated from the 128 bits of entropy, there might be the possibility of a 'multi target attack'. 128 bits of entropy are passed through keccak-256 to generate a 256-bit ECC private key. I assume this is because 256 bit ECC keys have a bit strength of 128 bits according to How many bits of entropy does an elliptic curve key of length n provide? Can I use 128 bits of entropy and a KDF to make a 256-bit ECC key? Apparently it is perfectly safe to use 128 bits of entropy to generate a single 256 bit ECC key.
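The advice above about uniquely mapping the passphrase and username into the input of $H$, as an added example that is not code from the original page: a space-joined encoding collides for the Bob Willy / Bob case, while a length-prefixed encoding is injective and can be decoded back. The page does not define $H$, so SHA-256 with a constructed domain label is used as a stand-in, and all function names are hypothetical.

```python
import hashlib
import unicodedata

DOMAIN = b"example-passphrase-key-v1"  # constructed label, not from the page


def _field(value: str) -> bytes:
    """NFC-normalise, UTF-8 encode, and prefix with a 4-byte big-endian length."""
    data = unicodedata.normalize("NFC", value).encode("utf-8")
    return len(data).to_bytes(4, "big") + data


def encode_ambiguous(username: str, passphrase: str) -> bytes:
    """Weak form: joining with a space loses the boundary between the fields."""
    return f"{username} {passphrase}".encode("utf-8")


def encode_injective(username: str, passphrase: str) -> bytes:
    """Hardened form: each field carries its own length, so boundaries are explicit."""
    return _field(username) + _field(passphrase)


def decode_injective(blob: bytes) -> tuple:
    """Recover (username, passphrase); a unique decoding shows the map is injective."""
    fields, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + n].decode("utf-8"))
        pos += n
    if len(fields) != 2:
        raise ValueError("expected exactly two fields")
    return tuple(fields)


def derive_seed(username: str, passphrase: str, encode=encode_injective) -> bytes:
    """Stand-in for H (assumption): SHA-256 over a domain label plus the encoding.
    A real passphrase-derived key would use a slow password hash here."""
    return hashlib.sha256(DOMAIN + encode(username, passphrase)).digest()


if __name__ == "__main__":
    a, b = ("Bob Willy", "Wonka"), ("Bob", "Willy Wonka")
    print("ambiguous collide:", derive_seed(*a, encode=encode_ambiguous)
          == derive_seed(*b, encode=encode_ambiguous))
    print("injective collide:", derive_seed(*a) == derive_seed(*b))
```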