> This sounds very dangerous. As Gregory Maxwell pointed out, the key derivation
> function is weak enough that passphrases could be easily brute forced

So you are essentially imagining that a perpetrator will combine the crypto-nerd fantasy (brute forcing the passphrase) *with* the 5-dollar wrench attack, merging both panes of Randall Munroe's comic? Seems vanishingly unlikely to me - attackers are generally either the wrench type, or the crypto-nerd type. 

This thread started by you asking Pavol to give an example of a real-life scenario in which this functionality would be used, and your rebuttal is a scenario that is even less likely to occur. "Very dangerous" is a huge stretch.

When living in Brazil I often carried two (IRL) wallets - one a decoy to give to muggers, the other with more value stored in it. I heard of plenty of people getting mugged, but I never heard of anyone who gave a decoy wallet getting more thoroughly searched and the second wallet found, despite the relative ease with which a mugger could do this. I'm sure it has happened, probably many times, but the point is there is rarely time for contemplation in a shakedown, and most perpetrators will take things at face value and be satisfied with getting something. And searching a physical person's body is a hell of a lot simpler than cracking a passphrase.

Moreover, there's no limit to the number of passphrases you can use. If you were an attacker, at what point would you stop, satisfied? After the first, second, third, fourth wallet that you find/they admit to owning? Going beyond two is already Bond-supervillain level implausible.

Ben Kloester


On 9 January 2018 at 06:37, Peter Todd via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
On Mon, Jan 08, 2018 at 02:00:17PM +0100, Pavol Rusnak wrote:
> On 08/01/18 13:45, Peter Todd wrote:
> > Can you explain _exactly_ what scenario the "plausible deniability" feature
> > refers to?
>
>
> https://doc.satoshilabs.com/trezor-user/advanced_settings.html#multi-passphrase-encryption-hidden-wallets

This sounds very dangerous. As Gregory Maxwell pointed out, the key derivation
function is weak enough that passphrases could be easily brute forced, at which
point the bad guys have cryptographic proof that you tried to lie to them and
cover up funds.


What model of human memory are you assuming here? What specifically are you
assuming is easy to remember, and hard to remember? What psychology research
backs up your assumptions?

_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev