Topic: Concerns regarding deterministic wallet - page 2. (Read 5717 times)

donator
Activity: 1218
Merit: 1079
Gerald Davis
Quote
Also, there are plans to implement deterministic wallets for the reference client too, as the advantages for backup safety far outweigh the security risks.

This is a very good point.  A non-trivial number of coins have been collectively lost over the years due to the "gotchas" inherent in a RBOK (random bunch of keys) wallet.

Just some examples:
a) failing to make a backup
b) failing to keep backup current and exhausting the keypool
c) forgetting or losing passphrase and not having a paper backup
d) encrypting a wallet and not making a new backup (encrypting results in keypool being flushed and old backups out of date)
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
Quote
If an attacker needs to guess a key, there is nothing to worry about. The keyspace is way too large for that.

If an attacker has access to your wallet/backup/passphrase/... in a way that grants him access to one of the keys, he very likely has access to all keys.

There is one small security difference between deterministic and randomly-generated wallet keys: if someone manages to copy the keys from the second, he cannot wait (long) before stealing, as the coins tend to move to newer addresses (i.e., it becomes "unstolen" over time).

Also, there are plans to implement deterministic wallets for the reference client too, as the advantages for backup safety far outweigh the security risks.

Also, I would argue that even the "unstealing" aspect of random wallets is irrelevant.  If someone has access to your unencrypted wallet, they can fill your keypool with more addresses than you'd ever use, then copy your private keys.

Therefore, there really isn't a downside to deterministic wallets.  The upside is phenomenal, though. Armory users rave about being able to do one-time backups and never have to worry about it again.  It also makes securing your backup easier, since it doesn't have to be easily replaceable.  Secure it hardc0re, once.  Then leave it alone for the next 3 years until you need it.
legendary
Activity: 1072
Merit: 1181
If an attacker needs to guess a key, there is nothing to worry about. The keyspace is way too large for that.

If an attacker has access to your wallet/backup/passphrase/... in a way that grants him access to one of the keys, he very likely has access to all keys.

There is one small security difference between deterministic and randomly-generated wallet keys: if someone manages to copy the keys from the second, he cannot wait (long) before stealing, as the coins tend to move to newer addresses (i.e., it becomes "unstolen" over time).

Also, there are plans to implement deterministic wallets for the reference client too, as the advantages for backup safety far outweigh the security risks.
donator
Activity: 1218
Merit: 1079
Gerald Davis
Nobody tries to "guess" a private key.  Brute forcing private keys is for all intents and purposes infeasible.  256-bit is a large number (likely a quadrillion, quadrillion times larger than you "think" it is).

Quote
These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.
http://www.schneier.com/blog/archives/2009/09/the_doghouse_cr.html

Unless you are worried about attackers building computers from something other than matter and existing in something other than space the attack vector isn't to "guess" your private key/seed it is to GAIN ACCESS to your private key/seed.


Your coins will be stolen if the attacker GAINS ACCESS TO the private keys.  For unencrypted wallets this means access to the wallet file.  For encrypted wallets this means the wallet file and the passphrase.  If the passphrase is weak the attacker may be able to brute force it.  There is no likely scenario where an attacker would gain access to only some but not all of the random private keys but would gain access to the seed and thus all private keys.

Deterministic or random once the attacker has the decrypted wallet file, you should assume your funds will be lost.  It is your job to ensure the attacker never gains access to the wallet (deterministic or random).

Now if you employ a second wallet (say offline "cold storage") it should use keys which are unrelated to the first wallet.  This applies regardless of if you use a random or deterministic wallet.
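An added example, not code from Electrum, Armory or any of the posters, that shows in toy form the two points argued above: one seed regenerates every key, so a single backup taken at creation covers all later keys (and whoever holds the seed holds every key), while a random-keys wallet's backup goes stale the moment the keypool is exhausted. The derivation used here (HMAC-SHA256 of the seed and a key index, reduced modulo the secp256k1 group order) is an assumption for illustration only, not Electrum's scheme; the seed and the keypool size of 3 are constructed values.

```python
import hashlib
import hmac
import secrets

# Group order of secp256k1; private keys are integers in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def derive_key(seed: bytes, index: int) -> int:
    """Toy deterministic derivation (an assumption for illustration, not
    Electrum's or BIP32's scheme): key_i = HMAC-SHA256(seed, i) mod N."""
    digest = hmac.new(seed, index.to_bytes(4, "big"), hashlib.sha256).digest()
    key = int.from_bytes(digest, "big") % SECP256K1_N
    if key == 0:  # vanishingly unlikely, but 0 is not a valid private key
        raise ValueError("derived key is zero; pick another seed")
    return key


class DeterministicWallet:
    """All keys come from one seed; the backup is just that seed."""

    def __init__(self, seed: bytes) -> None:
        self.seed = seed
        self.used: list[int] = []

    def new_key(self) -> int:
        key = derive_key(self.seed, len(self.used))
        self.used.append(key)
        return key

    def backup(self) -> dict:
        return {"seed": self.seed}

    @staticmethod
    def restore(backup: dict, count: int) -> list[int]:
        # Anyone holding the seed, owner or attacker, reproduces every key.
        return [derive_key(backup["seed"], i) for i in range(count)]


class RandomWallet:
    """Independent random keys with a pre-generated keypool, in the style of
    a Bitcoin-QT wallet; the backup is a snapshot of the key file."""

    def __init__(self, keypool_size: int) -> None:
        self.used: list[int] = []
        self.pool = [self._random_key() for _ in range(keypool_size)]

    @staticmethod
    def _random_key() -> int:
        return secrets.randbelow(SECP256K1_N - 1) + 1

    def new_key(self) -> int:
        if not self.pool:  # keypool exhausted: mint a key the old backup lacks
            self.pool.append(self._random_key())
        key = self.pool.pop(0)
        self.used.append(key)
        return key

    def backup(self) -> dict:
        return {"keys": self.used + self.pool}

    @staticmethod
    def restore(backup: dict) -> list[int]:
        return list(backup["keys"])


def deterministic_backup_covers_all(seed: bytes, n_keys: int) -> bool:
    """Back up once at creation, hand out n_keys keys, restore: nothing missing."""
    wallet = DeterministicWallet(seed)
    backup = wallet.backup()
    for _ in range(n_keys):
        wallet.new_key()
    return DeterministicWallet.restore(backup, n_keys) == wallet.used


def random_backup_covers_all(keypool_size: int, n_keys: int) -> bool:
    """Same procedure for a random wallet; False once the keypool runs out."""
    wallet = RandomWallet(keypool_size)
    backup = wallet.backup()
    for _ in range(n_keys):
        wallet.new_key()
    restored = set(RandomWallet.restore(backup))
    return all(key in restored for key in wallet.used)


if __name__ == "__main__":
    seed = b"constructed example seed, not a real wallet"
    print("deterministic, 50 keys:", deterministic_backup_covers_all(seed, 50))  # True
    print("random, keypool 3, 3 keys:", random_backup_covers_all(3, 3))          # True
    print("random, keypool 3, 5 keys:", random_backup_covers_all(3, 5))          # False
```

The restore path is the same function whether the owner or a thief runs it, which is the point Gerald Davis makes: the seed is the whole wallet, so protecting the seed is the whole job. The random wallet's failure case is the keypool-exhaustion "gotcha" from the first post, reproduced with a tiny pool so it appears after five keys rather than after the hundred a real client pre-generates.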

newbie
Activity: 19
Merit: 0
I asked the following in the #electrum IRC channel on Freenode recently, but sadly got no response.

Quote
Hi all. I'm considering using Electrum to store a large number of Bitcoins, but the deterministic wallet concerns me a bit.
I'm under the impression the completely random address generation of Bitcoin-QT is more secure, as a potential attacker would need to guess every private key to spend your entire wallet.
While with Electrum only one secret (the seed) is required to spend the entire wallet
Am I correct here or am I completely missing something?
I really want to use Electrum, as I have an old netbook with very little storage that is struggling to hold the entire blockchain (< 900 MB remaining) and struggling dealing with Bitcoin-QT's IO requirements.
I really want to know if my concerns regarding deterministic wallets are valid.
Also, I suppose I should ask if Electrum can be used without a deterministic wallet?

What are everyone's thoughts?