Glossary

Key Stretching

Key stretching is a cryptographic technique that strengthens a weak password or passphrase by applying a computationally expensive hash function repeatedly.

Key Takeaways

  • Key stretching derives cryptographic keys from low-entropy inputs like passwords by making the derivation intentionally slow and expensive, so every brute-force guess costs the attacker as much work as one legitimate derivation. It does not add entropy to the input; it only raises the price of each guess.
  • Bitcoin uses key stretching in BIP-39: when generating a wallet, your seed phrase is run through 2,048 rounds of PBKDF2-HMAC-SHA512 to produce the master seed that derives all your keys.
  • The four major key stretching algorithms are PBKDF2, bcrypt, scrypt, and Argon2, each offering different tradeoffs between CPU cost, memory hardness, and resistance to hardware-accelerated attacks.

What Is Key Stretching?

Key stretching is a cryptographic technique that takes a weak or low-entropy input, such as a password or passphrase, and transforms it into a longer, stronger cryptographic key by applying a computationally expensive function. The core idea is simple: if deriving a key from a password takes 100 milliseconds instead of 1 microsecond, an attacker trying billions of password guesses becomes 100,000 times slower.

Humans tend to choose passwords with far less randomness (entropy) than cryptographic systems require. A typical 8-character password might have around 40 bits of entropy, while a secure private key needs 128 or 256 bits. Key stretching bridges this gap not by adding entropy, but by making each guess so expensive that brute-forcing the limited keyspace becomes impractical.

In the Bitcoin ecosystem, key stretching plays a critical role in wallet generation. The BIP-39 standard uses PBKDF2 to convert a mnemonic phrase into the master seed that underpins an entire HD wallet hierarchy.

How It Works

Key stretching functions work by repeatedly applying a hash function or cipher to the input, chaining the output of each round into the next. This creates a sequential computation that cannot be shortcut: to verify a single password guess, an attacker must perform every round.

The general process follows these steps:

  1. Take the user's password and combine it with a unique salt: a random value (16 bytes or more) generated per password and stored alongside the output. The salt need not be secret, only unique.
  2. Apply a pseudorandom function (typically HMAC with a secure hash) to the salted input
  3. Feed each output back as the input of the next round and repeat for a configured number of iterations (thousands to millions of rounds). PBKDF2 additionally XORs all the intermediate outputs together, so every round contributes to the result and none can be skipped.
  4. Produce the final derived key, which serves as the cryptographic key or stored password verifier

The salt prevents precomputed attacks (rainbow tables): even if two users choose the same password, their different salts produce entirely different derived keys. The iteration count is the primary tuning knob: higher counts mean more security but slower derivation.
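The four steps above, written out as runnable Python. This is an added example, not code from the glossary: it implements PBKDF2 exactly as RFC 8018 section 5.2 describes it, cross-checks itself against the standard library's hashlib.pbkdf2_hmac and against the published PBKDF2-HMAC-SHA256 vector from RFC 7914, and shows two random salts turning one password into two unrelated keys. The password and salt values are made up for the demonstration.

```python
import hashlib
import hmac
import os
import struct


def pbkdf2(password: bytes, salt: bytes, iterations: int, dklen: int,
           hash_name: str = "sha256") -> bytes:
    """PBKDF2 per RFC 8018 section 5.2.

    For each output block i (counting from 1):
        U_1 = PRF(password, salt || INT_32BE(i))
        U_j = PRF(password, U_{j-1})            for j = 2 .. iterations
        T_i = U_1 XOR U_2 XOR ... XOR U_c
    The derived key is T_1 || T_2 || ... truncated to dklen bytes.
    Each U_j depends on U_{j-1}, so the rounds cannot be parallelised
    or skipped; every guess costs the attacker the full chain.
    """
    if iterations < 1 or dklen < 1:
        raise ValueError("iterations and dklen must be positive")
    # The HMAC key schedule depends only on the password, so it is set up once
    # and copied for every round. Crackers do the same once per guess, which is
    # why PBKDF2's real per-round cost is two hash compressions, not four.
    prf = hmac.new(password, digestmod=hash_name)
    derived = bytearray()
    block_index = 1
    while len(derived) < dklen:
        mac = prf.copy()
        mac.update(salt + struct.pack(">I", block_index))
        u = mac.digest()                 # U_1
        t = bytearray(u)
        for _ in range(iterations - 1):  # U_2 .. U_c, folded into T_i
            mac = prf.copy()
            mac.update(u)
            u = mac.digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        derived += t
        block_index += 1
    return bytes(derived[:dklen])


# Published vector, RFC 7914 section 11:
# PBKDF2-HMAC-SHA256(P="passwd", S="salt", c=1, dkLen=64)
RFC7914_VECTOR = (
    "55ac046e56e3089fec1691c22544b605f94185216dde0465e68b9d57c20dacbc"
    "49ca9cccf179b645991664b39d77ef317c71b845b1e30bd509112041d3a19783"
)


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dklen: int) -> bool:
    """Cross-check the hand-written derivation against OpenSSL's via hashlib."""
    ours = pbkdf2(password, salt, iterations, dklen)
    ref = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)
    return hmac.compare_digest(ours, ref)


def salt_demo(password: bytes, iterations: int = 1000) -> tuple:
    """Same password, two random 16-byte salts (made up here): the keys share
    nothing, so a table precomputed for one salt is useless against the other."""
    s1, s2 = os.urandom(16), os.urandom(16)
    return pbkdf2(password, s1, iterations, 32), pbkdf2(password, s2, iterations, 32)


if __name__ == "__main__":
    print("RFC 7914 vector OK:", pbkdf2(b"passwd", b"salt", 1, 64).hex() == RFC7914_VECTOR)
    print("stdlib cross-check OK:", matches_stdlib(b"correct horse", b"\x00" * 16, 2048, 64))
    k1, k2 = salt_demo(b"hunter2")
    print("distinct-salt keys differ:", k1 != k2)
```

The `prf.copy()` trick mirrors what a cracker does per guess: the only work PBKDF2 lets anyone amortise is the HMAC key schedule, which is why the per-round cost quoted in cracking benchmarks is two compressions rather than four.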

BIP-39 Seed Derivation

The most prominent use of key stretching in Bitcoin is BIP-39 mnemonic seed generation. When a wallet converts your 12- or 24-word seed phrase into a master seed, it uses the following PBKDF2 configuration:

PBKDF2(
  password:   mnemonic_sentence (UTF-8 NFKD),
  salt:       "mnemonic" + passphrase (UTF-8 NFKD),
  iterations: 2048,
  PRF:        HMAC-SHA512,
  keyLength:  512 bits (64 bytes)
)

The mnemonic sentence serves as the password input, and the string "mnemonic" concatenated with the optional passphrase serves as the salt. Both are normalized to UTF-8 NFKD before derivation. The resulting 512-bit output becomes the master seed used by BIP-32 to derive the entire wallet key hierarchy.

The 2,048 iteration count was chosen as a balance: it adds measurable resistance to brute-force attacks on the mnemonic while keeping wallet loading times acceptable on mobile devices. Each guess an attacker makes requires 2,048 HMAC-SHA512 operations, multiplying the cost of exhaustive search.
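The configuration above as code. This is an added example rather than a reference implementation from any wallet: it applies the standard library's hashlib.pbkdf2_hmac with the BIP-39 parameters, reproduces the first published BIP-39 test vector (all-zero entropy, passphrase "TREZOR"), shows why the NFKD step matters, and runs the dictionary attack against a weak passphrase that the passphrase discussion under "Why It Matters for Bitcoin" warns about. The candidate passphrase list is constructed for the demonstration.

```python
import hashlib
import unicodedata

BIP39_ITERATIONS = 2048
BIP39_SEED_BYTES = 64


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 mnemonic + optional passphrase -> 512-bit seed, as the BIP specifies.

    Both strings are NFKD-normalised first: that is what makes an accented letter
    typed as one code point and as base letter + combining accent derive the same
    seed on every wallet. Note what is NOT here: the passphrase is never validated.
    Any passphrase yields a valid seed, so a typo silently opens a different,
    empty wallet instead of raising an error.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, BIP39_ITERATIONS, BIP39_SEED_BYTES)


# First entry of the reference test vectors published with BIP-39
# (entropy 0x00..00, passphrase "TREZOR").
VECTOR_MNEMONIC = "abandon " * 11 + "about"
VECTOR_PASSPHRASE = "TREZOR"
VECTOR_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def nfkd_equivalent(mnemonic: str, a: str, b: str) -> bool:
    """True when two passphrases differing only in Unicode composition give one seed."""
    return bip39_seed(mnemonic, a) == bip39_seed(mnemonic, b)


def dictionary_attack(mnemonic: str, target_seed: bytes, candidates):
    """Recover a weak passphrase given a known mnemonic and something derived from
    the seed to compare against. Returns (passphrase, derivations_tried).

    Each attempt costs exactly 2,048 HMAC-SHA512 rounds: that multiplier is the
    entire margin key stretching buys against a dictionary-word passphrase.
    """
    for tried, guess in enumerate(candidates, start=1):
        if bip39_seed(mnemonic, guess) == target_seed:
            return guess, tried
    return None, len(candidates)


if __name__ == "__main__":
    seed = bip39_seed(VECTOR_MNEMONIC, VECTOR_PASSPHRASE)
    print("matches published vector:", seed.hex() == VECTOR_SEED_HEX)
    print("composed/decomposed passphrase equal:",
          nfkd_equivalent(VECTOR_MNEMONIC, "caf\u00e9", "cafe\u0301"))
    # Constructed candidate list; a real attacker would use a multi-million-entry wordlist.
    print(dictionary_attack(VECTOR_MNEMONIC, seed, ["", "password", "bitcoin", "TREZOR"]))
```

The seed check is worth keeping in any wallet code base: a wrong normalisation step or a stray trailing space in the mnemonic produces a perfectly valid-looking seed that controls nothing.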

Key Stretching Algorithms

Four algorithms dominate the key stretching landscape, each designed to address different threat models as hardware has evolved.

PBKDF2

PBKDF2 (Password-Based Key Derivation Function 2), defined in RFC 8018, is the oldest widely used key stretching algorithm. It applies a pseudorandom function (commonly HMAC-SHA1, HMAC-SHA256 or HMAC-SHA512) for a configurable number of iterations. PBKDF2 is CPU-bound only: it requires negligible memory, which makes it vulnerable to GPU and ASIC-based attacks that run many instances in parallel. Two implementation details matter in practice. An attacker only has to set up the HMAC key schedule once per guess, so the effective per-round cost is two hash compressions rather than four. And requesting more output than one hash length doubles the defender's work for every extra block while the attacker, who only needs the first block to confirm a guess, pays nothing extra; a stored verifier should never be longer than the hash output.

Despite this limitation, PBKDF2 remains widely deployed. BIP-39 uses PBKDF2-HMAC-SHA512 with 2,048 iterations, and WPA2-PSK derives the pairwise master key with PBKDF2-HMAC-SHA1 over the passphrase using the network SSID as the salt and 4,096 iterations.

bcrypt

bcrypt, designed in 1999 by Niels Provos and David Mazières, is based on the Blowfish cipher. It incorporates a logarithmic cost factor (typically 10 to 14, representing 2^n rounds of the expensive key setup) and works on Blowfish's 4 KB of S-box state during computation. The built-in salt handling and fixed, self-describing output format made bcrypt the default choice for web application password storage for over a decade. Two caveats: its modest memory requirement offers limited protection against modern GPU attacks, and bcrypt only consumes the first 72 bytes of the password, silently truncating anything longer. Pre-hashing to work around the limit has its own pitfalls, since a raw binary digest can contain NUL bytes that some implementations treat as a string terminator.

scrypt

scrypt, created in 2009 by Colin Percival, introduced the concept of memory-hard key derivation. It requires large amounts of RAM during computation, making parallel attacks on GPUs and ASICs significantly more expensive: these devices have abundant compute cores but limited per-core memory. scrypt is configurable via three parameters: N (CPU/memory cost), r (block size), and p (parallelization factor); the working memory is roughly 128 × r × N bytes. The Litecoin cryptocurrency uses scrypt as its proof-of-work function, but with N = 1024, r = 1, p = 1, which needs only 128 KiB, small enough to put on an ASIC. Memory hardness is only as good as the parameters actually chosen.
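The three parameters in practice, as an added example (not code from scrypt, Litecoin or Tarsnap): it computes the memory each parameter set pins down, derives a key with the standard library's hashlib.scrypt, and demonstrates the 32 MiB default memory cap OpenSSL applies, which trips people up when they move from toy parameters to recommended ones. The parameter sets are Litecoin's published N=1024, r=1, p=1 and Colin Percival's published guidance for interactive and at-rest use; the password and salt are made up.

```python
import hashlib
import os


def scrypt_memory_bytes(n: int, r: int, p: int) -> int:
    """Working memory scrypt needs: the V table is 128*r*N bytes, plus 128*r*p
    for the p parallel lanes. This, not CPU time, is what an attacker must
    replicate for every guess running in parallel."""
    return 128 * r * n + 128 * r * p


def scrypt_kdf(password: bytes, salt: bytes, n: int, r: int, p: int, dklen: int = 32) -> bytes:
    """scrypt through OpenSSL (hashlib.scrypt). N must be a power of two greater than 1."""
    if n < 2 or n & (n - 1):
        raise ValueError("N must be a power of two greater than 1")
    # OpenSSL rejects any derivation needing more than 32 MiB unless maxmem is
    # raised, so derive the limit from the parameters instead of leaving the
    # default in place (the extra MiB covers OpenSSL's small bookkeeping buffers).
    maxmem = scrypt_memory_bytes(n, r, p) + 1024 * 1024
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, maxmem=maxmem, dklen=dklen)


def default_limit_rejects(n: int, r: int, p: int) -> bool:
    """True when hashlib.scrypt with its default memory cap refuses these parameters."""
    try:
        hashlib.scrypt(b"x", salt=b"y", n=n, r=r, p=p, dklen=16)
    except ValueError:
        return True
    return False


# Parameter sets discussed in the text.
LITECOIN_POW = dict(n=1024, r=1, p=1)        # 128 KiB per hash: small enough for an ASIC
INTERACTIVE = dict(n=2 ** 14, r=8, p=1)      # 16 MiB: Percival's guidance for logins
FILE_ENCRYPTION = dict(n=2 ** 20, r=8, p=1)  # 1 GiB: his guidance for at-rest secrets

if __name__ == "__main__":
    for name, params in [("Litecoin PoW", LITECOIN_POW), ("interactive", INTERACTIVE),
                         ("file encryption", FILE_ENCRYPTION)]:
        print(f"{name:16s} N={params['n']:<8} r={params['r']} p={params['p']}  "
              f"memory = {scrypt_memory_bytes(**params) / 2 ** 20:.2f} MiB")
    salt = os.urandom(16)  # made-up salt for the demo; store it with the output
    key = scrypt_kdf(b"correct horse battery staple", salt, **INTERACTIVE)
    print("interactive key:", key.hex())
    print("default cap rejects N=2^17, r=8:", default_limit_rejects(2 ** 17, 8, 1))
```

The memory figure is the number to compare between candidate parameter sets: Litecoin's choice sits three orders of magnitude below the interactive-login guidance, which is the whole reason scrypt-based proof-of-work did not stay ASIC-resistant.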

Argon2

Argon2, designed by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich, won the Password Hashing Competition in 2015, is specified in RFC 9106, and represents the current state of the art. It comes in three variants:

  • Argon2d: data-dependent memory access, maximizing resistance to GPU cracking but vulnerable to side-channel attacks
  • Argon2i: data-independent memory access, resistant to side-channel attacks but slightly weaker against GPU cracking
  • Argon2id: a hybrid that runs the first half of the first pass in Argon2i mode and everything after that in Argon2d mode, giving side-channel resistance while the password has only just entered memory and GPU resistance for the bulk of the work

Argon2 is configurable via three parameters: memory cost (in kibibytes), time cost (number of passes over the memory), and parallelism degree (number of lanes). OWASP recommends Argon2id with a minimum of 19 MiB of memory, 2 iterations, and 1 degree of parallelism as a baseline configuration; in libargon2 terms that is memory_cost = 19456, time_cost = 2, parallelism = 1. The memory figure is the one to hold firm on: lowering it to fit a constrained host is what turns Argon2 back into a CPU-only function.

Algorithm Comparison

Algorithm   Year   Memory hardness        GPU/ASIC resistance   Notable usage
PBKDF2      2000   None                   Low                   BIP-39, WPA2
bcrypt      1999   Minimal (4 KB)         Moderate              Web applications
scrypt      2009   High (configurable)    High                  Litecoin, Tarsnap
Argon2      2015   High (configurable)    Very high             OWASP recommended

Why It Matters for Bitcoin

Key stretching is a quiet but essential layer of Bitcoin wallet security. Every time a user creates or restores a wallet from a seed phrase, key stretching protects them.

A 12-word BIP-39 mnemonic encodes 128 bits of entropy: enough randomness that brute-forcing the mnemonic directly is infeasible (2^128 possibilities). But the 2,048 rounds of PBKDF2 provide an additional safety margin. If an attacker discovers a partial mnemonic or targets mnemonics with lower effective entropy (due to implementation bugs or constrained word lists), the key stretching multiplies the cost of each guess by 2,048x.

The optional passphrase in BIP-39 (sometimes called the "25th word") benefits even more from key stretching. Passphrases are user-chosen strings with potentially low entropy: a passphrase like "bitcoin" falls within the first few tries of any dictionary attack, and the 2,048 PBKDF2 rounds multiply the cost of each try, not the number of tries. Two properties follow. First, the passphrase is a second secret, not a password check: BIP-39 never validates it, so any passphrase derives a valid seed and a mistyped one silently opens a different, empty wallet. Second, an attacker who holds the mnemonic plus any address or extended public key derived from the real seed can test passphrase guesses offline at GPU speed, so a passphrase that actually protects a mnemonic must be as unguessable as a password you would trust against an offline attack, not a memorable word.

For wallet developers building on Bitcoin infrastructure, understanding key stretching is important for making informed decisions about key derivation parameters and security tradeoffs. Solutions like Spark abstract much of this complexity, but the underlying cryptographic primitives remain foundational to self-custody security.

Use Cases

Wallet Seed Generation

The primary use case in cryptocurrency is converting BIP-39 mnemonics into master seeds. Every HD wallet that supports BIP-39 recovery phrases uses PBKDF2 key stretching during both wallet creation and restoration. This includes hardware wallets, mobile wallets, and desktop software.

Encrypted Wallet Files

Wallet software that stores keys in encrypted files uses key stretching to derive the encryption key from the user's password. Bitcoin Core, for example, derives its wallet encryption key from the passphrase with an iterated SHA-512 construction whose round count is calibrated at encryption time to take about 100 milliseconds on that machine, with a floor of 25,000 rounds, and stores the count alongside the salt. Without key stretching, a weak password would leave the encrypted file vulnerable to rapid offline cracking.

Password-Protected Backups

Any system that encrypts sensitive data with a user-chosen password benefits from key stretching. This includes encrypted channel backups, password-protected key exports, and encrypted seed phrase storage solutions.

Server-Side Authentication

Cryptocurrency exchanges and custodial services use key stretching algorithms (typically bcrypt or Argon2id) to hash user passwords for account authentication. If a database is breached, the key-stretched hashes resist offline cracking far better than plain SHA-256 hashes would.

Risks and Considerations

Security vs. User Experience

More iterations mean stronger security but slower key derivation. BIP-39's 2,048 PBKDF2-HMAC-SHA512 rounds take on the order of a few milliseconds on a current desktop CPU, imperceptible for a one-time seed derivation; the count is small by password-hashing standards (OWASP's current floor for PBKDF2-HMAC-SHA512 is 210,000 iterations) and was chosen for the hardware of 2013. Password-checking systems that run key stretching on every login must balance security against user-perceived latency.

On resource-constrained devices like older smartphones or hardware wallets, even 2,048 rounds of PBKDF2 can take several seconds. Memory-hard algorithms like scrypt and Argon2 compound this challenge because they require significant RAM allocations that may exceed available memory on embedded devices.

PBKDF2 Limitations

PBKDF2 is CPU-bound and uses negligible memory, making it vulnerable to massively parallel attacks. A modern GPU can compute billions of HMAC-SHA512 iterations per second, which for BIP-39's 2,048 rounds works out to on the order of a million complete seed derivations per second per card. For new applications, Argon2id is generally preferred because its memory hardness makes GPU and ASIC attacks orders of magnitude more expensive. BIP-39's use of PBKDF2 reflects the standard's age (2013): its security relies primarily on the high entropy of the mnemonic itself rather than on the key stretching alone.

Parameter Selection

Choosing key stretching parameters requires anticipating future hardware capabilities. Parameters that are secure today may become insufficient as GPUs and ASICs improve. Applications should regularly reassess their iteration counts and consider migrating to memory-hard algorithms. A common guideline is to target roughly 100 milliseconds of computation on current hardware for interactive logins, and up to 1 second for high-value key derivation operations. Store the parameters with each hash rather than in a global constant, so that a stored hash can be verified under the parameters it was created with and re-hashed under today's parameters the next time the plaintext is available, which for a login system is the next successful login.
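A calibration and upgrade-on-login routine as an added example, not code from any product: the same calibrate-then-store-the-count pattern described for Bitcoin Core above, applied to a server-side password verifier (the use case under Server-Side Authentication). The function names, the $pbkdf2-sha256$ verifier layout and the 600,000 floor (OWASP's current figure for PBKDF2-HMAC-SHA256) are this example's choices. PBKDF2 is used because it is in the standard library; with a third-party library Argon2id would be the preferred primitive and the pattern is identical.

```python
import hashlib
import hmac
import os
import time

MIN_ITERATIONS = 600_000   # OWASP floor for PBKDF2-HMAC-SHA256; never go below it
SALT_BYTES = 16
KEY_BYTES = 32             # one SHA-256 output; longer only helps the attacker


def calibrate_iterations(target_seconds: float, floor: int = MIN_ITERATIONS,
                         probe: int = 20_000) -> int:
    """Pick an iteration count that takes about target_seconds on this machine.

    Measures a short probe derivation and scales linearly (PBKDF2 cost is linear
    in the count), but never returns less than floor: a slow host must not be
    allowed to weaken the stored hashes."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", b"\x00" * SALT_BYTES, probe, KEY_BYTES)
    elapsed = max(time.perf_counter() - start, 1e-6)
    return max(floor, int(probe * target_seconds / elapsed))


def hash_password(password: str, iterations: int) -> str:
    """Stored verifier in a self-describing $pbkdf2-sha256$<iters>$<salt>$<hash>
    layout, so the parameters travel with the hash and can be upgraded later."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, KEY_BYTES)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, alg, iters, salt_hex, dk_hex = stored.split("$")
    if alg != "pbkdf2-sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters), KEY_BYTES)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))   # constant-time compare


def needs_rehash(stored: str, current_iterations: int) -> bool:
    """True when the stored verifier uses fewer rounds than policy now requires."""
    return int(stored.split("$")[2]) < current_iterations


def login(password: str, stored: str, current_iterations: int):
    """Verify, and if the stored hash is below today's parameters, re-hash with the
    plaintext that is in hand right now. Returns (ok, verifier_to_store)."""
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored, current_iterations):
        return True, hash_password(password, current_iterations)
    return True, stored


if __name__ == "__main__":
    today = calibrate_iterations(0.1)
    print("iterations for ~100 ms on this host:", today)
    legacy = hash_password("hunter2", 100_000)        # an old record, below the floor
    ok, upgraded = login("hunter2", legacy, today)
    print("login ok:", ok, "| upgraded:", upgraded != legacy)
```

The caller persists whatever `login` returns as the second element; the upgrade is free because the password was just validated, and a later audit can grep the stored records for any count still below policy.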

Not a Substitute for Entropy

Key stretching slows down attackers but cannot compensate for truly weak inputs. A 4-digit PIN has only ~13 bits of entropy: even with millions of PBKDF2 rounds, the entire keyspace can be exhausted in seconds on modern hardware. Key stretching is most effective when the input already has moderate entropy (40+ bits) and the stretching makes exhaustive search impractical within a useful timeframe. For cryptographic applications, pair key stretching with adequately random inputs like full-length BIP-39 mnemonics.

For a deeper look at how mnemonic phrases and key derivation fit into Bitcoin wallet architecture, see the research article on Bitcoin wallet recovery methods.

This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.