CH05::key stretching: clarify that BIP39 key stretching adds little security

2025-01-10 15:51:04 +00:00 · 2023-02-16 18:12:13 -10:00 · 2023-02-16 18:12:13 -10:00 · 305a205437
commit 305a205437
parent 0605638d38
1 changed files with 15 additions and 5 deletions
--- a/ch05.asciidoc
+++ b/ch05.asciidoc
@ -716,11 +716,21 @@ image::images/mbc2_0507.png["From mnemonic to seed"]

 [TIP]
 ====
-The key-stretching function, with its 2048 rounds of hashing, is a very
-effective protection against brute-force attacks against the mnemonic or
-the passphrase. It makes it extremely costly (in computation) to try
-more than a few thousand passphrase and mnemonic combinations, while the
-number of possible derived seeds is vast (2^512^).
+The key-stretching function, with its 2048 rounds of hashing, makes it
+slightly harder to brute-force attack the recovery code using software.
+Special-purpose hardware is not significantly affected.  For an attacker
+who needs to guess a user's entire recovery code, the length of the code
+(128 bits at a minimum) provides more than sufficient security.  But for
+cases where an attacker might learn a small part of the user's code,
+key-stretching adds some security by slowing down how fast an attacker
+can check different recovery code combinations.  BIP39's parameters were
+considered weak by modern standards even when it was first published
+almost a decade ago, although that's likely a consequence of being
+design for compatibility with hardware signing devices with low-powered
+CPUs.  Some alternatives to BIP39 use stronger key-stretching
+parameters, such as Aezeed's 32,768 rounds of hashing using the more
+complex Scrypt algorithm, although they may not be as convenient to run
+on hardware signing devices.
 ====

 Tables pass:[<a data-type="xref" href="#mnemonic_128_no_pass"