Update: Adam Back says this is called key stretching. There's a [standard from 1993](https://en.wikipedia.org/wiki/PBKDF2) that seems to be the most common.
This does not create high entropy from low entropy, but uses POW to make it prohibitively expensive to search the low entropy space.
This is an idea for using POW, 2 secret words, and a salt to generate 12 to 24 seed words for creating and **recovering** your wallet keys. The idea is to spend value via hashing to create the 12 to 24 words so that an attacker has to spend the same amount of value **for each guess** of your 2 secret words. With 2 words selected from a 50k dictionary, there are 2.5B possibilities, so the attacker has to hash 1.25B times more than you to have a 50% chance of success.
**Example:** If you want to protect $10 M with 2 secret words for 3 years, you would use a newish ASIC that will not be more than 100x more costly to run than professional ASICs in 3 years in low-cost electricity regions. If you want a protection factor of 15 even if BTC jumps 20x in value, you would have to spend $10 M * 100 * 15 * 20 / 1.25B = $240 on electricity. You have additional security from the ASIC equipment value. If you use 3 secret words, you could use a GPU and spend $1 on electricity.
**Specifics:** You select how much you’re going to spend on hashing by selecting the difficulty. You hash the salt+2 secret words once and the output is the input for the next hash and so on until you reach your selected difficulty’s number of hashes. The result determines your 12 to 24 seed words.
You want to remember the 12 to 24 words so you don't have to hash to recover them. The salt doesn't have to be very random or long, as long as it's not used elsewhere (too often). You need to select a difficulty you will not forget or lose, or your software will have to try every hash count as you're hashing, which is a problem because checking a candidate probably takes longer than doing a hash. This problem is smaller if you remember one of your 24 words, so that your software only needs to check the partial matches. The security model assumes the salt and difficulty are known to all attackers, so you can easily make them somewhat unforgettable by putting them in the tx where you first use the keys. Making the salt and difficulty perfectly obvious to all attackers goes hand in hand with not being able to forget them.
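The derivation and the forgotten-difficulty recovery described above, as an added example that is not code from the original post. It assumes SHA-256 as the chained hash (the post does not name one), a constructed 32-entry word list in place of a real seed-word list, a constructed salt, and a `|` separator between salt and secret words; `difficulty` is the total number of hashes, exactly as the post defines it. The recovery routine walks the chain once and reports every hash count whose derived words agree with the words you still remember, so a single chain walk costs the same as the original derivation rather than one full derivation per candidate difficulty.

```python
import hashlib

# Constructed 32-entry word list standing in for a real seed-word list (the post
# does not say which list is used); 32 entries means 5 bits per seed word.
WORDLIST = [
    "apple", "brick", "cable", "delta", "eagle", "fable", "glass", "honey",
    "igloo", "jelly", "kayak", "lemon", "maple", "noble", "ocean", "pearl",
    "quilt", "river", "stone", "tiger", "umbra", "vivid", "wheat", "xenon",
    "yacht", "zebra", "amber", "bloom", "cedar", "drift", "ember", "frost",
]
BITS_PER_WORD = 5        # log2(len(WORDLIST))
SEED_WORD_COUNT = 24     # the post allows 12 to 24


def _first_state(salt: bytes, secret_words: tuple) -> bytes:
    """Hash #1: the salt concatenated with the secret words (assumed encoding)."""
    return hashlib.sha256(salt + b"|" + " ".join(secret_words).encode()).digest()


def _next_state(state: bytes) -> bytes:
    """Every further hash takes the previous output as its only input."""
    return hashlib.sha256(state).digest()


def stretch(salt: bytes, secret_words: tuple, difficulty: int) -> bytes:
    """Chain `difficulty` SHA-256 calls starting from salt + secret words."""
    if difficulty < 1:
        raise ValueError("difficulty is the number of hashes and must be >= 1")
    state = _first_state(salt, secret_words)
    for _ in range(difficulty - 1):
        state = _next_state(state)
    return state


def seed_words(digest: bytes, count: int = SEED_WORD_COUNT) -> list:
    """Slice `count` 5-bit indexes out of the final 256-bit digest."""
    value = int.from_bytes(digest, "big")
    mask = len(WORDLIST) - 1
    return [WORDLIST[(value >> (BITS_PER_WORD * i)) & mask] for i in range(count)]


def derive(salt: bytes, secret_words: tuple, difficulty: int,
           count: int = SEED_WORD_COUNT) -> list:
    """Normal path: known salt, secret words and difficulty -> seed words."""
    return seed_words(stretch(salt, secret_words, difficulty), count)


def candidate_difficulties(salt: bytes, secret_words: tuple, max_difficulty: int,
                           known: dict, count: int = SEED_WORD_COUNT) -> list:
    """Forgotten-difficulty recovery: walk the chain once up to max_difficulty
    and return every (difficulty, words) whose words match the remembered
    positions in `known` ({position: word}). With few remembered words there
    can be false positives, so the caller checks each candidate against the
    wallet; remembering more words shrinks the list."""
    state = _first_state(salt, secret_words)
    matches = []
    for difficulty in range(1, max_difficulty + 1):
        if difficulty > 1:
            state = _next_state(state)
        words = seed_words(state, count)
        if all(words[pos] == word for pos, word in known.items()):
            matches.append((difficulty, words))
    return matches


def attacker_work_ratio(dictionary_size: int, secret_word_count: int) -> int:
    """Hashes an attacker must do relative to the owner for a 50% chance:
    half of all ordered secret-word combinations."""
    return dictionary_size ** secret_word_count // 2


if __name__ == "__main__":
    salt = b"constructed-salt-2019"          # constructed; the post says it may be short
    words = derive(salt, ("river", "stone"), difficulty=2000)
    print(" ".join(words))
    remembered = {0: words[0], 11: words[11], 23: words[23]}
    found = candidate_difficulties(salt, ("river", "stone"), 5000, remembered)
    print("candidate difficulties:", [d for d, _ in found])
    print("attacker work ratio for 2 words from 50k:", attacker_work_ratio(50_000, 2))
```

The word list here is deliberately tiny, so the false-positive rate of the partial-match check (one remembered word matches a wrong difficulty with probability 1/32) is much higher than it would be with a 2048-word list; the three-position check in the usage block is what keeps the candidate list short.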
**User abuse:** If the wallet software does not select and broadcast to the chain the salt and difficulty, users may select a weak difficulty, a trivial salt, reuse the same salt, or not correctly broadcast the salt and difficulty, so that they are forgotten.
**Renting ASICs** over the internet to make up for not having at least a GPU would require a fair amount of random pre- and post-hashing so that the owner can't easily connect your hashing with your salt and difficulty, but it greatly reduces security.
**VDFs** could be used to require you and an attacker to spend time instead of hashing to recover your keys, but this requires 3 secret words because an attacker might be able to spin up 2.5B parallel VDFs in the cloud (1M GPUs?) rather than having more efficient mining. To lower it back to 2 words, you would have to be skilled at deploying parallel VDFs.
Posted on Reddit by zawy2