Any key/address you make will be uncrackable as long as they are not created by flawed software.
The question was whether the increase could be enough to eliminate the need for code trust.
Maybe someone who actually knows cryptography could answer?
Let's say I make a poisoned normal gen:
1. At least the first 10.000 installs would need different starting generation points (think 1.. 2.. 3...) or address collision would happen too often and oust my malevolent code.
2. Each generator would also need to generate at least 1000 addresses before cycling back to #1 to avoid address repetition ousting the malevolent code.
This gives a total brute forcing chance of 1/10.000.000, which is laughably bad. My laptop computer could generate ALL my users keys, check for BTC on the blockchain and empty the addresses in tops 1-5 hours.
How do you know YOUR favorite generator programmer is not about to do this right this second? Unless you personally checked every program line of your generator all your fancy-pants paper wallets could be empty in the next 10 secs.
Now lets try again but with vanity addresses:
1. We already have the maximum brute force chance of 1/10.000.000 from before.
2. Now you spend 1 hour to generate your key - possibly millions or billions of attempts on today's hardware.
Now the malevolent programmer would need 10.000.000 hours, not tries, to generate ALL his users keys. In case you are wondering that is ~1141 years.
So not too shaby huh?
However our malevolent programmer is smart so he will now change the program so that vanity addresses only have 10 different starting points and a cycle of 5 (so generating for the same vanity phrase will only ever yield maximum 50 unique addresses).
It would then take the malevolent programmer 50 hours to generate all his users keys.
So okay 50 hours is more than 5, but still not that good.
However if you increase your generation time to the full 8 hours of sleep he would now have to generate ~16 days.
Still not that good.
Still that is at least 80 times safer than a regular poisoned generator.
Does anyone have a program that checks if a generator is really generating different addresses each time? Then only ONE programmer has to trustworthy out of 2 or more.