On Wed, Mar 12, 2014 at 3:42 PM, Pavol Rusnak <stick@gk2.sk> wrote:
> On 03/12/2014 09:37 PM, William Yager wrote:
>> (that group of people includes me), PBKDF2-HMAC-SHA512 is very easy to
>> implement even on devices that only have a few kB of RAM, and even though
>> our number of rounds is very aggressive (2^16 and 2^21), it will still run
>> in reasonable time even on very slow embedded ARM processors.
>
> To give you some numbers: TREZOR (120MHz ARM) does 1024 rounds of
> PBKDF2-HMAC-SHA512 in around 1 second.
>
> So 2^16 is around one minute, 2^21 is around half an hour.


Precisely. And since the target of this BIP is generally storage wallets (just like BIP 0038), we figured these were reasonable time scales for encryption/decryption on slow devices.

Let's say you're implementing a Raspberry Pi based cold wallet printer. Having the user wait 10 seconds to several minutes is not unreasonable for a one-time activity, especially when at least this much time is used to generate entropy, print the wallet, etc.

The same goes for phones. If you're importing a heavily encrypted wallet into your device, the user won't mind waiting a few seconds or even a few minutes.

Plus, as an added bonus, the amount of time it will take to encrypt/decrypt is highly deterministic, so it's easy to add a nice progress bar to a UI.

Will
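
The point above about deterministic run time and progress bars, as an added example that is not part of the original message or of the BIP's reference code: PBKDF2-HMAC-SHA512 written out round by round so that a UI callback can report the fraction completed. The function name, the `on_progress` callback, the `step` parameter and the sample password and salt are assumptions made for this illustration.

```python
import hashlib
import hmac


def pbkdf2_sha512_progress(password, salt, rounds, dklen=64,
                           on_progress=None, step=1024):
    """PBKDF2-HMAC-SHA512 (RFC 8018) reporting progress every `step` rounds.

    Work is exactly rounds * blocks HMAC calls, so done/total is an
    accurate progress fraction and remaining time extrapolates linearly.
    """
    hlen = 64                                  # SHA-512 output size in bytes
    nblocks = -(-dklen // hlen)                # ceil(dklen / hlen)
    total = rounds * nblocks
    done = 0
    # Key the HMAC once; each round only copies the keyed state.
    base = hmac.new(password, digestmod=hashlib.sha512)
    out = b""
    for block in range(1, nblocks + 1):
        mac = base.copy()
        mac.update(salt + block.to_bytes(4, "big"))   # U_1 = PRF(P, S || INT(i))
        u = mac.digest()
        t = int.from_bytes(u, "big")
        done += 1
        for _ in range(rounds - 1):
            mac = base.copy()
            mac.update(u)                              # U_j = PRF(P, U_{j-1})
            u = mac.digest()
            t ^= int.from_bytes(u, "big")              # T_i = U_1 ^ ... ^ U_c
            done += 1
            if on_progress and done % step == 0 and done < total:
                on_progress(done / total)
        out += t.to_bytes(hlen, "big")
    if on_progress:
        on_progress(1.0)
    return out[:dklen]


def estimate_seconds(rounds, rounds_per_second):
    """Linear extrapolation from a measured rate (e.g. 1024 rounds/s)."""
    return rounds / rounds_per_second


if __name__ == "__main__":
    # Constructed sample inputs; 2^12 rounds keeps the demo quick.
    key = pbkdf2_sha512_progress(b"constructed passphrase", b"constructed salt",
                                 2 ** 12, on_progress=lambda f: print(f"{f:.0%}"))
    print(key.hex())
    # With the rate quoted in the thread: 2^16 -> 64 s, 2^21 -> 2048 s.
    print(estimate_seconds(2 ** 16, 1024), estimate_seconds(2 ** 21, 1024))
```
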