wallet: add memory-hard wallet password KDF ROMix-Keccak #674

Open
dimmarvel wants to merge 4 commits into hyle-team:develop from dimmarvel:keccak_wallet


@dimmarvel
Collaborator

## How the new wallet KDF works

1. Read user password and per-wallet 16-byte salt from the wallet header
2. Build seed = HDSS (32B) || salt (16B) || password
3. V[0] = Keccak256(seed). Allocate 32 MiB buffer V
4. Phase 1: for i in 1..N, V[i] = Keccak256(V[i-1] || i_le64) sequential, fills the whole buffer
5. Phase 2: X = V[N-1]. Loop j in 0..(N >> phase2_reduction):

   - idx = first 8 bytes of X, mod N (via mask = N-1)

   - X = Keccak256((X XOR V[idx]) || j_le64)

6. Stretched key = final X (32 bytes)
7. Feed stretched key into existing chacha_generate_key_and_iv() to get ChaCha20 key + IV

## Why

- salt kills rainbow tables
- 32 MiB buffer caps GPU parallelism at VRAM / 32 MiB (≈ 768 streams on a 24 GB GPU)
- Phase 2 random walk forces the attacker to keep V resident; TMTO penalty is O(N^2/k)
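
Steps 2 to 6 of the description above as a runnable sketch, added here as an example and not the PR's own code. Assumptions: `hashlib.sha3_256` stands in for the wallet's Keccak256 (so outputs will not match the wallet), N is 2^20 entries of 32 bytes (32 MiB), the index is read little-endian, HDSS is treated as an opaque 32-byte input, and the name `romix_keccak_stretch` and its default parameters are hypothetical.

```python
import hashlib
import struct

ELEM = 32  # bytes per V entry (one hash output)

def H(data: bytes) -> bytes:
    # Assumption: SHA3-256 stands in for the wallet's Keccak256, so outputs
    # from this sketch will not match the real wallet KDF.
    return hashlib.sha3_256(data).digest()

def romix_keccak_stretch(password, salt, hdss, n=1 << 20, phase2_reduction=0):
    """Steps 2-6; n and phase2_reduction defaults are assumed values."""
    if len(salt) != 16 or len(hdss) != 32:
        raise ValueError("expected 16-byte salt and 32-byte HDSS")
    if n < 2 or n & (n - 1):
        raise ValueError("N must be a power of two: idx is taken with mask N-1")
    v = bytearray(n * ELEM)               # 32 MiB when n == 2**20
    v[:ELEM] = H(hdss + salt + password)  # V[0] = H(seed)
    for i in range(1, n):                 # Phase 1: sequential fill
        prev = bytes(v[(i - 1) * ELEM:i * ELEM])
        v[i * ELEM:(i + 1) * ELEM] = H(prev + struct.pack("<Q", i))
    x = bytes(v[(n - 1) * ELEM:])         # X = V[N-1]
    mask = n - 1
    for j in range(n >> phase2_reduction):  # Phase 2: data-dependent walk
        idx = struct.unpack_from("<Q", x)[0] & mask  # little-endian: assumed
        off = idx * ELEM
        mixed = int.from_bytes(x, "little") ^ int.from_bytes(v[off:off + ELEM], "little")
        x = H(mixed.to_bytes(ELEM, "little") + struct.pack("<Q", j))
    return x  # 32-byte stretched key, input to chacha_generate_key_and_iv()

if __name__ == "__main__":
    # Constructed sample inputs; small n keeps the demo fast.
    key = romix_keccak_stretch(b"correct horse", bytes(range(16)), bytes(32), n=1 << 12)
    print(key.hex())
```

The power-of-two check matters because `idx = X & (N-1)` only equals `X mod N` when N is a power of two; any other N would leave some entries of V unreachable in Phase 2.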

2 participants