Why Is Your Wallet Safe?

Have you ever asked yourself why your wallet is safe?

At the heart of it [the wallet] lies an Elliptic Curve. Its a curve that is used to derive your public key. Your private key is just a very large number that is extremely unlikely to be guessed. Even if you have the most powerful computer in the world… No, even if you have billions of them and use them every second to find the number.

Here is a good article that explains how Elliptic Curve Signature Algorithms guarantee your wallet’s security and verify that you actually have the right to spend your crypto without actually knowing your private key. Pretty fascinating!

How private keys become trophies. Nothing is safe, ever.

https://lbc.cryptoguru.org/trophies

I’ve gotten the recovery phrase from the wallet. Is there a way to get the private key from the wallet? As I understand it, the recovery phrase can generate the private key.

This is a completely bogus idea.

Please stop spreading FUD. Do you really think we’d have a multi billion dollar market cap if the tech was somehow compromised?

Even if you don’t understand how the math works, do you really think all people involved: scientists, financial professionals, developers and other extremely smart people would just stay silent about these vulnerabilities?

Unbelievable!

Yes, your wallet can reconstruct your private key based on your recovery phrase. But when you generate your wallet the first time, it just picks a large number which is basically your private key, then it “translates” it into a series of phrases that are easy to understand for humans.

Your wallet normally stores your private key as it is needed for transaction signing. In Daedalus that private key is stored in a special folder (I think it’s called secret) and is encrypted with your spending password.

So let’s say someone gets access to your computer. He won’t be able to see your private key in that folder if you have set up a spending password.

Now, if someone has your recovery phrases then they don’t even need your private keys as they will be able to restore your wallet on a different computer.

This is why storing recovery phrases in a secure place is important.

Thanks for your reply. Just want to double check - My wallet is encrypted with a password but I did not setup a spending password. So without the spending password someone could see my private key in the “secret” folder? I was under the impression that encrypting the wallet was all that is needed to keep the private key safe.

How exactly is the key “encrypted with a password” without using a spending password? Some kind of disk or filesystem level encryption?

I’m not sure… I always assumed the private key was part of setting up a wallet and that the private key was stored in the wallet and that if you encrypt the wallet you protected the private key. Multiple wallets can be setup in the same instance of the the Daedalus software and each wallet has it’s own different private key (at least that’s how I thought it worked)… Any wallet experts out there that can put this to rest? Does encrypting your wallet protect the private key too? And is the spending password just an extra layer to protect a spend?

Oh, so you set a password in Daedalus itself. That is the spending one, because it’s the only password that you can set using Daedalus. It encrypts the private key, that’s why you need the password to send ADA (= sign a transaction using the key) or to generate new addresses.

I have to admit I won’t fully trust it until we have at least hardware wallet integration and better yet offline transactions so I can set up a wallet on an airgapped PC. I’m not saying the wallets are not secure but it’s to easy to compromise the PC that it’s on.

It’s not FUD. Go ask Charles himself. Just because you don’t want to believe that Cardano or any other crypto is perfect. You’re the one with the issue bud. Nothing, nothing is perfect.

Well, he would say something like https://www.youtube.com/watch?v=zgSLvhlZ1LI&t=2920s

You can set up an airgapped wallet using cardano-cli

I am not saying it is perfect. I am saying it is unlikely your wallet keys could be brute forced, which is what you are implying with your link.

I know the chance you get hacked is none zero. It’s the question of probabilities.

Could someone brute force or guess your pk? Yes. Is it likely? No. It’s very unlikely. In fact you are many times more likely to win a powerball than get your pk hacked.

Possibilities and probabilities are two different things and people tend to equate both.

There is a possibility that you could turn into a bathroom fixture tomorrow, based on how atoms in your body could rearrange themselves.

But the probability of that happening is very small. Now you could take this info and get paranoid about turning into a furniture (because well it is within the realm of possibility) or you can gauge the unlikely probability of this happening and live your life in peace.

I understand people’s desire for security could be a personal preference. To me 1/2^256 risk is worth bearing.

Banks have the same level of security as far as I know. They all use the same security technology.

But if you are not satisfied personally with that level, I completely understand. Then again you shouldn’t be using online banking if so.

One thing is to say I feel uncomfortable with the current level of security. The other thing is to claim the security is broken because some folks claimed to have found private keys to some wallets.

As others pointed out, they could have just created those wallets and published private keys. I highly doubt they found any of these keys as these wallets have peanut balances on them.

If the computational intensity to find a pk is the same for a wallet that holds millions of btc and .52btc, why choose the smaller balance one to prove your point?

Also why isn’t there any findings past 2017? A year has passed.

All these issues together make me highly skeptical about their claims. In my books they are a complete FUD.

I would like to see an analysis of the odds of bruteforcing this many wallets.

The LHC project isn’t necessarily legit, the creator might have strategically placed those wallets where he knew the algorithm would look for them. If the odds turned out to be reasonable, I wouldn’t be so sceptical.

Don’t get me wrong I’m not worried that someone can figure out the private key from the public key. I’m more worried someone sneaks a keylogger on my PC at this point. I realize the odds are small that happens as I take a lot of precautions though.

Thanks I’ll look into that.

I completely understand, but your fear of being hacked with a keylogger and brute forcing pk guesses have completely different probabilities.

You are absolutely right to worry about someone hacking your pc. One wrong click of a link could compromise your pc.

You are much more likely to get hacked that way than have someone guess your keys.

Yes I am not worried at all about any sort of brute force attack any more than I worry about getting hit by a meteor.

The reality is that it wouldn’t be done one at a time. Why anyone relies on this sort of example confounds me. Think about it in terms of computing power.

Then, realize that this is not the only supercomputer on the planet. Then think that there are older versions that can be run in parallel. Then think that these computers are upgraded and new limits attained almost every 5 years.

Summit now executes 200 quadrillion calculations per second; every three years, we see a dramatic improvement. China is aiming to top that in the next few years. For reference, look at the history of supercomputing.

Now assume that thee U.S. Government has something with a greater capability that’s this. Why, you ask. Well, the SR-71 was in use for 20 years before it became known to the public. In matters of national security, these things are kept secret. A “replacement currency” I think rises to this occasion.

So in short, even at the most simplest example, grains of sand on a Hawaiian beach as Charles examples, no lets use all grains of sand on Earth…

https://www.npr.org/sections/krulwich/2012/09/17/161096233/which-is-greater-the-number-of-sand-grains-on-earth-or-stars-in-the-sky

At 200 quadrillion checks per second (Summit’s Max capability), 7.5 x 1018 grains of sand, or seven quintillion, five hundred quadrillion grains (estimated number of grains of sand on earth), doesnt seem to be that far off now does it especially since it wouldnt be looking at a grain of sand every second. It would be looking at 200 quadrillion grains of sand per second. That’s fast and will only become faster.