On Wed, Mar 12, 2014 at 3:42 PM, Pavol Rusnak <stick@gk2.sk> wrote:

> On 03/12/2014 09:37 PM, William Yager wrote:
> > (that group of people includes me), PBKDF2-HMAC-SHA512 is very easy to
> > implement even on devices that only have a few kB of RAM, and even though
> > our number of rounds is very aggressive (2^16 and 2^21), it will still
> run
> > in reasonable time even on very slow embedded ARM processors.
>
> To give you some numbers: TREZOR (120MHz ARM) does 1024 rounds of
> PBKDF2-HMAC-SHA512 in around 1 second.
>
> So 2^16 is around one minute, 2^21 is around half an hour.
>
>
Precisely. And since the target of this BIP is generally storage wallets
(just like BIP 0038), we figured these were reasonable time scales for
encryption/decryption on slow devices.

Let's say you're implementing a Raspberry Pi based cold wallet printer.
Having the user wait 10 seconds to several minutes is not unreasonable for
a one-time activity, especially when at least this much time is used to
generate entropy, print the wallet, etc.

The same goes for phones. If you're importing a heavily encrypted wallet
into your device, the user won't mind waiting a few seconds or even a few
minutes.

Plus, as an added bonus, the amount of time it will take to encrypt/decrypt
is highly deterministic, so it's easy to add a nice progress bar to a UI.

Will