I'm no crypto expert by any means, but I get a little nervous since this sounds like you're using crypto primitives in some pretty untraditional ways. Is this a documented industry-standard way of using AES in a reasonable fashion? Is there another cipher out there that is more designed for the encrypting-few-bytes use case? It may very well be fine, but I don't have any way of knowing, so it'd be good to know that the crypto community thinks that this is a good use of algorithms before I go throwing all my savings into a BIP38-encrypted key.
I would totally welcome the comments from anyone with more expertise.
Keep in mind that the AES step isn't what the protection scheme relies upon. It is extra protection. The AES step could be removed and the password would have been just as hard to crack. The operative part of the password protection is scrypt, and the fact that bitcoin key information is
missing without being able to supply the correct parameters to scrypt.
I added AES in there just to add protection against the following: attacker has bitcoin private key for paper wallet A (and not the passphrase), and knows paper wallet B is encrypted with the same passphrase and wants to crack it. The AES step virtually ensures that no information from knowing private key for wallet A can be used to attack B, but even if the attacker had that information, it's not enough to crack it. Such a scenario is pretty rare on its face, but one I thought to protect against anyway. As another poster pointed out, it also makes the task of making an ASIC cracker that much more difficult, assuming someone had a reason to do so.
The elementary forms of the AES-128 and AES-256 ciphers were made for encrypting blocks of exactly 16 bytes, no more, no less, which is why they are called block ciphers. So it is already suited to the task of encrypting this amount of data. AES+CBC is what is commonly used when "encrypting a file with AES" - a derivative that we don't need here.
Remember the whole point of using IV's and chaining is to protect a
stream of non-random data that is many multiples of the cipher's block size from being compromised due to typical properties of streams. That's not the case here, because we're just protecting a single random integer. So I think it is very safe to say that this tool does not even apply to this job. Read more:
http://en.wikipedia.org/wiki/Block_cipher_modes_of_operationCrypto experts, please fire away!
EDIT: I just noticed the Wikipedia article I linked to says (in the section about IV's):
As a special case, if the plaintexts are always small enough to fit into a single block (with no padding), then with some modes (ECB, CBC, PCBC), re-using an IV will leak only whether two plaintexts are equal.
This usage falls into that special case. Since in this application, the "plaintexts" are themselves large random numbers, the odds of having two identical "plaintexts" are effectively zero.