Bitcoin Brainwallet software creates ECDSA keys that you can use for multiple purposes, not only for Bitcoin.
A link to Phidelius, which was previously mentioned:
http://dankaminsky.com/2012/01/03/phidelius/

---

I would like to see some standardized hierarchical deterministic scheme to generate various types of keys from a "master password". Here's my idea for how you could do it in a reasonably secure way (assuming the master password is chosen in a secure manner and used in a secure manner):

First of all you have a "master password", of course. Ideally it should be generated randomly (represented to you as words, diceware style), but arbitrary user input is accepted.

First you run scrypt (or bcrypt?) on the master password, salted with a standard string, generating a "master seed". From this you can generate several different outputs. One of them is used to generate a number of "master keys" (RSA, ECDSA, or whatever else you want) through scrypt with another specific salt from that master seed.

To make sure it's deterministic you use specific algorithms with predefined parameters. For example ECDSA with the parameters that Bitcoin uses (we can take this code straight from a Bitcoin brainwallet generator), or some specific parameters for RSA 4096 bits, or even a specific Lamport scheme implementation. Each algorithm + parameter combination would be referred to with its own specific name.

The master seed is also used to generate a number of "temporary seeds" (with scrypt on the master seed plus a special string plus a counter, and you need to remember this counter once you've started to revoke and replace old temporary seeds). The temporary seeds are presented to you encoded as a series of words so you do not need to use your master password everywhere. They are then used to create a set of temporary keys in the same way. You can use your master key(s) to revoke temporary keys. How long you should use each temporary seed and its keys is up to you - for example you could use each for one year, or maybe even just for one day.

When you enter your master password the client generates a bunch of these keys and signs the subkeys with the master key(s), allowing you to publish all those signatures at once, and then memorize the first temporary seed. It also generates a revocation signature for the master key(s) themselves that you can publish if/when needed. Then you can go on using those temporary keys, and be fairly calm about using the temporary keys as every key is revocable (although revocation notifications don't always travel fast, which can be a problem...).

Of course this fails catastrophically if you use bad passwords or if they leak, so I probably would not recommend this for anybody other than a person who does not have long-term access to any reliable form of storage, for example a person who is forced to continuously ditch their old electronics and trash it and switch to new temporary devices.

If you can generate AND remember strong passwords, then it would work fine. But the problem is that most people fail at one or both of those two, even though you CAN learn to do it.

2013/8/25 Alexander Klimov <alser...@inbox.ru>:
> On Sat, 24 Aug 2013, Krisztián Pintér wrote:
>> has anybody done something like that already? does it have a name?
>
> There was an ECC program from the previous century that worked as you
> described: the private key was derived solely from the user password.
> Unfortunately, I cannot recall its name (and I suspect it already
> vanished from the net since it was not secure due to its use of EC
> over binary composite field, Weil descent attack), but I guess someone
> here remembers its name, since at that time it was a rare example of
> ECC software.
>
> Btw, this memorable private key technique has nothing to do with IBE,
> since no trusted third party is required.
>
> --
> Regards,
> ASK
> _______________________________________________
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
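
A sketch of the derivation tree described in the message above (master password, master seed, counter-indexed temporary seeds, per-scheme keys), added here as an example and not code from the post or from any brainwallet project. The salt strings, the scheme name, the scrypt cost parameters and all function names are assumptions; it covers seed and secp256k1 scalar derivation only, not signing, revocation or the word encoding.

```python
import hashlib

# Assumed labels and cost parameters; the post fixes none of these values.
STD_SALT = b"hd-brainkey/v1/master-seed"
N, R, P = 2**14, 8, 1
# Order of the secp256k1 group (the curve parameters Bitcoin uses).
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def _scrypt(secret: bytes, salt: bytes, dklen: int = 32) -> bytes:
    return hashlib.scrypt(secret, salt=salt, n=N, r=R, p=P,
                          maxmem=64 * 1024 * 1024, dklen=dklen)

def master_seed(password: str) -> bytes:
    """Master password -> master seed, salted with the standard string."""
    return _scrypt(password.encode("utf-8"), STD_SALT)

def temporary_seed(mseed: bytes, counter: int) -> bytes:
    """Master seed + special string + counter -> temporary seed."""
    if counter < 0:
        raise ValueError("counter must be non-negative")
    return _scrypt(mseed, b"temp-seed/" + str(counter).encode())

def key_material(seed: bytes, scheme: str, dklen: int = 40) -> bytes:
    """Per-scheme bytes; the scheme name is the salt, so schemes do not share output."""
    return _scrypt(seed, b"key/" + scheme.encode(), dklen)

def secp256k1_scalar(seed: bytes) -> int:
    """Map 40 derived bytes into [1, n-1]; 64 extra bits keep modulo bias negligible."""
    raw = int.from_bytes(key_material(seed, "ecdsa-secp256k1"), "big")
    return raw % (SECP256K1_N - 1) + 1

def derive_tree(password: str, counters=(0, 1)) -> dict:
    """Master key plus one temporary key per counter, all from the password alone."""
    mseed = master_seed(password)
    return {
        "master_key": secp256k1_scalar(mseed),
        "temp_keys": {c: secp256k1_scalar(temporary_seed(mseed, c)) for c in counters},
    }

if __name__ == "__main__":
    # Constructed sample password, for illustration only.
    tree = derive_tree("constructed sample passphrase of several random words")
    print("master key :", hex(tree["master_key"]))
    for c, k in tree["temp_keys"].items():
        print(f"temp key {c} :", hex(k))
```

Bumping the counter yields an unrelated temporary seed, which is why the post says the current counter has to be remembered once old temporary seeds have been revoked.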