The primary reason BM believes backups on the blockchain are problematic is it allows direct access to a wallet for the purpose of brute force password cracking. Unless the wallet backup is disassociated from the account it is for hackers will be able to locate wallet backups of interest on the blockchain (the wallets associated with large account balances), obtain a copy of it and hammer it with concentrated, distributed CPU power to brute force hack the key / password to unlock it. That's what I took away from BM's discussion about stealth in the mumble the other day. The lessor point he raised is using Storj or IPFS will cost something, it won't be free, which will have a negative impact on the adoption of stealth. External storage also opens up a dependency outside the control of the BitShares ecosystem, and may well incur significant development costs to integrate with our stealth code, at least it's a possibility.
The association between the account and the backup is what needs to be obfuscated, and it seems like there ought to be a way to do that. The wallet backup could be split into small pieces and distributed as chunks in encrypted memo fields as Ken originally suggested, but with additional security as I'll explain. Also, as the number of these wallet backup chunks increase the harder it is to assemble all the right pieces back together for a specific wallet.
The encryption for each chunk would be separate so cracking one doesn't allow you to crack them all, and even after all the backup segments are reassembled, the wallet backup itself requires another separate key to unlock it. If each of these levels is like sha256 or sha512 encryption, each of which must be cracked to get to the next, doesn't that multiply the effort required to gain access to the wallet? Each chunk could contain the location (but not the key's to decrypt) the next chunk on the blockchain, in a kind of inner nested blockchain comprised of these encrypted memo fields. The advantage to this approach is it avoids the cost and risk of using external storage. The downside is the additional space and storage overhead it imposes on the BitShares blockchain.
The devil is in the details of a scheme like this, particularly in how the association is managed in a way that only the wallet owner can know. Ultimately it comes down to a secret the wallet owner must create strong enough, or, if created by algorithm and provided to the wallet owner they must remember and keep secure. So does that not bring us back full circle to the initial problem? If so I don't think any implementation can get around that.
Thoughts anyone?