scrypt: Use same key for all encryption keys generated in one round

[paulmillr]

I suggest to use same scrypt key for all keys generated in one round. Meaning we should reuse scrypt salt.

Advantages:

• tons of keystores would be generated in 2 seconds, not in 2*(keystore) seconds
• same with verification
• Scrypt key could be the same, but it's important that we use separate AES initialization vector (IV), for security. Reusing IV can make keys feel decryptable.

I see no point in using separate key for everything.

If an attacker breaks into FS, he would probably see keystore passwords and break them anyway. Passwords are stored somewhere in beaconchain clients
If an attacker has x keystores to bruteforce instead of 1, it's not much more secure.

[yorickdowne]

Unless I am missing something, we used to, and that led to the security disclosure and fix documented here: GHSA-c6rv-g6pj-r6qx

#238

We used to always use the same kdf_salt and aes_iv. I am not qualified to say that we can safely reuse the salt, and I don't see that "it takes a minute to generate 10,000 keys" warrants touching the security assumptions.

If we change this, it requires a careful audit. We use Trail of Bits for audits and while they are very, very kind towards FOSS and give us a special rate, I wouldn't be surprised if we'd pay upwards of 20k to get this change audited. With no guarantee that it passes audit.

[paulmillr]

1. You’ve reused iv. Iv should never be reused. In the first post I mention “Reusing IV can make keys feel decryptable”. The iv stuff is repost of my 2021 issue in Use same key for all keys generated in one round ethereum/staking-deposit-cli#222 which was ignored and closed after 4 years.
2. The topic is about reusing kdf salt, which is not a huge deal.
3. It’s not 1 minute for 10k keys. It’s at least 1 hour on high end machine.
4. Instead of paying 20k, how about simply asking them if this is ok? This is a very quick job.
5. For the record, I do security and the software I make was also audited by trail of bits and no severe issues have been found (https://github.com/trailofbits/publications/blob/master/reviews/2023-01-ryanshea-noblecurveslibrary-securityreview.pdf)