Author: Troy Benjegerdes 2014-03-27 15:17:58
Published on: 2014-03-27T15:17:58+00:00
In an email exchange between Thomas Voegtlin and Mike Hearn, they discussed the entropy size of BIP32 and its implications. Mike expressed his belief that there is a right answer for the entropy size, stating that 2^128 should not be brute forceable while longer sizes have a cost in terms of making the seeds harder to write down on paper. Thomas argued that 2^128 iterations are not brute forcable today and will not be for the foreseeable future but he foresees it being brute forceable in 20-25 years. He explained that Bitcoin pubkeys, which are 256 bits, would require 2^128 iterations, making unused addresses (160 bits hash) better protected than already used ones. Thomas also noted people's tendency to believe that a public key of size n requires 2^n iterations, which may have been spread by this popular image. He assumed that this image uses Landauer principle for minimum energy; however, it is unknown whether or not a reversible computing ecdsa forcing algorithm could be implemented. He then provided calculations to illustrate how much energy an attacker with a sub-Landauer limit/1e6 cracker would need to cycle through 128 bits of address space. He estimated that an attacker with a couple of hours of energy from a large wind farm and siphoning that energy out in a rural area without anyone noticing anything other than a few shipping containers and that the wind turbines are running more on windy days could brute force 2^128. He also provided calculations to estimate how long it would take a 10MW system that runs 24x7 or a 250MW system to brute force 2^128. Thomas expressed concern about the rate of technological advancement and expected silicon with 256 bit registers capable of doing thousands or millions of ECDSA calculations per second per computation unit within 5-10 years. He jokingly stated if people stop hearing from him there, it's because he found a better mailing list or got a contract to develop an ECDSA cracker, in which case they probably won't hear from him again until he has a talk at DEFCON showing it off.
Updated on: 2023-06-08T16:25:10.676842+00:00