On Tue, Jan 21, 2014 at 01:00:43AM +0100, Thomas Voegtlin wrote:
> Hi slush,
>
> Thank you for your new proposal; it seems to be a compromise.
>
> @Christophe Biocca:
> If the wordlist becomes part of the standard, then we will run into
> problems of collisions once users ask for wordlists in every language.
>
> IMO the right approach is to implement checksums that do not depend
> on the wordlist (eg the 'brute force' method, Hash(mnemonic||1) mod
> 2^k == 0 )
> this would also allow us to implement sipa's variable stretching proposal.
>
> I understand this is not possible because of the computational
> requirements of devices such as trezor.

Is it? Surely the trezor can bruteforce, say, 8 bits == 0. How many
SHA256/sec can the trezor hardware do? Generating your seed is a
one-time thing after all - that taking 10-30s doesn't seem like a big
deal to me.

Even a 1/256th "checksum" will really cut down on the number of mistakes
made and money lost.

--
'peter'[:-1]@petertodd.org
0000000000000001d8b9d438c18e856735ddae5b1d918416010350d19794aab6
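The wordlist-independent "brute force" checksum discussed in this message, Hash(mnemonic||1) mod 2^k == 0, sketched as an added example (not code from the thread or from any wallet): it generates a mnemonic that passes for k = 8 and counts how many one-word mistakes still validate. Assumptions: SHA256 as the hash, the mnemonic encoded as UTF-8 followed by the ASCII byte "1", the digest read as a big-endian integer, and a constructed 16-word toy list.

```python
import hashlib
import secrets

# Constructed toy wordlist (an assumption for illustration; the check below
# never looks at it, which is the point of a wordlist-independent checksum).
WORDS = ["acid", "bolt", "cave", "dune", "echo", "fern", "gust", "hive",
         "iris", "jade", "kelp", "lava", "mint", "nova", "opal", "pine"]

def check(mnemonic: str, k: int) -> bool:
    """True when SHA256(mnemonic || "1") mod 2^k == 0."""
    digest = hashlib.sha256(mnemonic.encode("utf-8") + b"1").digest()
    return int.from_bytes(digest, "big") % (1 << k) == 0

def generate(n_words: int, k: int):
    """Draw random mnemonics until one passes; return (mnemonic, attempts)."""
    attempts = 0
    while True:
        attempts += 1
        candidate = " ".join(secrets.choice(WORDS) for _ in range(n_words))
        if check(candidate, k):
            return candidate, attempts

def undetected_typos(mnemonic: str, k: int):
    """Try every single-word substitution; return (still_valid, total)."""
    words = mnemonic.split()
    still_valid = total = 0
    for i, original in enumerate(words):
        for w in WORDS:
            if w == original:
                continue
            total += 1
            variant = " ".join(words[:i] + [w] + words[i + 1:])
            still_valid += check(variant, k)
    return still_valid, total

if __name__ == "__main__":
    m, tries = generate(12, 8)
    missed, total = undetected_typos(m, 8)
    print(f"{m!r} found after {tries} hashes; "
          f"{missed}/{total} one-word errors slip through")
```

Generation costs about 2^k hashes on average (roughly 256 for k = 8), while verification is a single hash, and each wrong word passes with probability about 1/2^k.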