[cryptography] no-keyring public
natanael.l at gmail.com
Sun Aug 25 11:44:39 EDT 2013
Bitcoin Brainwallet software creates ECDSA keys that you can use for
multiple purposes, not only for Bitcoin.
A link to Phidelius, which was previously mentioned:
I would like to see some standardized hierarchial deterministic scheme
to generate various types of keys from a "master password". Here's my
idea for how you could do it in a reasonably secure way (assuming the
master password is chosen in a secure manner and used in a secure
First of all you have a "master password", of course. Ideally it
should be generated randomly (represented to you as words, diceware
style), but arbitary user input is accepted. First you run scrypt (or
bcrypt?) on the master password, salted with a standard string,
generating a "master seed".
>From this you can generate several different outputs. One of them is
used to generate a number of "master keys" (RSA, ECDSA, or whatever
else you want) through scrypt with another specific salt from that
master seed. To make sure it's deterministic you use specific
algorithms with predefined parameters. For example ECDSA with the
parameters that Bitcoin uses (we can take this code straight from a
Bitcoin brainwallet generator), or some specific parameters for RSA
4096 bits, or even a specific Lamport scheme implementation. Each
algorithm + parameter combination would be referred to with it's own
The master seed is also used to generate a number of "temporary seeds"
(with scrypt on the master seed plus a special string plus a counter,
and you need to remember this counter once you've started to revoke
and replace old temporary seeds). The temporary seeds are presented to
you encoded as a series of words so you do not need to use your master
password everywhere. They are then used to create a set of temporary
keys in the same way.
You can use your master key(s) to revoke temporary keys. How long you
should use each temporary seed and it's keys is up to you - for
example you could use each for one year, or maybe even just for one
When you enter your master password the client generates a bunch of
these keys and signs the subkeys with the master key(s), allowing you
to publish all those signatures at once, and them memorize the first
temporary seed. It also generates a revocation signature for the
master key(s) themselves that you can publish if/when needed. Then you
can go on using those temporary keys, and be fairly calm about using
the temporary keys as every key is revokable (although revocation
notifications don't always travel fast, which can be a problem...).
Of course this fails catastrophically if you use bad passwords or if
they leak, so I probably would not recommend this for anybody other
than a person who do not have long-term access to any reliable form of
storage, for example a person who are forced to continously ditch
their old electronics and trash it and switch to new temporary
If you can generate AND remember strong passwords, then it would work
fine. But the problem is that most people fails at one or both of
those two, even though you CAN learn to do it.
2013/8/25 Alexander Klimov <alserkli at inbox.ru>:
> On Sat, 24 Aug 2013, Krisztián Pintér wrote:
>> has anybody done something like that already? does it have a name?
> There was a ECC program from the previous century that worked as you
> described: the private key was derived solely from the user password.
> Unfortunately, I cannot recall its name (and I suspect it already
> vanished from the net since it was not secure due to its use of EC
> over binary composite field, Weil descent attack), but I guess someone
> here remembers its name, since at that time it was a rare example of
> ECC software.
> Btw, this memorable private key technique has nothing to do with IBE,
> since no trusted third party is required.
> cryptography mailing list
> cryptography at randombit.net
More information about the cryptography