Bitcoin Forum

...and is it possible to achieve this highest entropy with a 12-word seed phrase? (Not enough space for complete question in subject field)

I'm trying to figure out what is the most secure seed phrase possible for a BIP-39 bitcoin seed, and whether it's possible to achieve this with a 12-word phrase, with or without a passphrase. I'm no expert in cryptography, but I've been reading up on it and it looks like modern bitcoin seeds are capable of 256 bits of entropy in theory, but only 128 in practice, at least if one is using BIP-39 HD wallets, which is currently the standard. As long as one uses a sufficiently random method for generating the seed, such as dice-rolls, 12 words is sufficient to produce 128 bits of entropy. Does that mean that, in practice, no additional entropy can be achieved for the seed, whether using a passphrase or a longer seed phrase such as 24 words?

I hope I was able to phrase the question clearly. I'm just wondering whether there's really any reason to opt for a 24-word seed phrase when it doesn't offer any real-world gain in seed security. Passphrases have other uses of course, but it seems they're not necessary for maximizing seed entropy.

A 12 word BIP39 seed phrase provides 128 bits of entropy and that's enough.
You can have more words and more entropy. For example, a 24 word BIP39 seed phrase provides 256 bits of entropy, but since any bitcoin private key provides 128 bits of security, you don't really increase your security by generating a seed phrase with more than 12 words.

Thanks, this answers my question. The distinction between entropy and security clarifies the issue for me. So any amount of entropy beyond 128 bits will be reduced to the 128 bits of security of the key.

This still dazzles me after all those years in Bitcoin. I know there are only 2¹⁶⁰ different legacy addresses, which means there must be 2⁹⁶ valid private keys for each address. I also know from reading it many times that 128 bit is enough, but cyptography just isn't very intuitive.

Further reading: StackExchange (https://bitcoin.stackexchange.com/questions/118558/is-24-words-seed-safer-than-12-words-in-terms-of-bruteforcing-the-private-key):

In BIP39, the number of words is tied with the entropy's size since it's the entropy itself (plus checksum) presented in words.
So if your target is 12-word seed phrase, you wont be able to utilize a higher entropy size in full.

For the limit, the standard allows only 128~256 bits,
In theory, it's possible to generate a very long seed phrase as long as its entropy is divisible by 32bits.
In practice, most wallets will only prompt for 12~24 words, some allows to restore higher number of words like Electrum but that would be non-standard.

And as you were informed, higher than 128-bit is not necessarily safer.
The most famous argument is: it's for use-cases where they want to make it harder to brutefoce in case a few of the words got compromised, etc.

I have a thirteen word phase for my electrum

I could have done a 25 word phase.

This statement holds only if the entropy source ^{used by wallets to generate SEED} is uniform and random ^{which is ideal case}. If it is not, the seed phrase may contain far less entropy. For example, wallets whose PRNGs are seeded with the current Unix timestamp “restrict the internal entropy to 32 bits regardless of settings,” (https://nvd.nist.gov/vuln/detail/CVE-2023-39910) so they generate predictable seed phrases that are susceptible to brute‑force attacks.

Effected wallets:

If it's about the 12 to 24 word prompts that I've mentioned, that 13th word of your 13-word phrase is just a passphrase (as you know it)
It's not part of the entropy but used as part of the salt when generating the binary seed from the 12~24 words mnemonic.

It's also worth noting two things:

1. BIP-39 and Electrum seed phrases are entropy representations. Each seed phrase is used to produce key-pairs that can be deterministically derived from the entropy that's given. But, each key-pair has 128 bits security by default, because on a lower level, bitcoin uses Secp256k1 (https://en.bitcoin.it/wiki/Secp256k1). So, in a perfect scenario where a seed phrase is truly random and you also add a strong passphrase, again, each private key will offer on average 128 bits of security.

2. In general, I'll be surprised if entropy can be measured. It's supposed to be random, so I don't see how you could measure randomness in a legitimate way.


(edit: number 1 was mentioned by LoyceV above, I just saw that, sorry)

If you haven't exposed your public keys ^{meaning you've never sent transactions from addresses holding your stash}, then there is no threat from quantum computers, as there is nothing for them to search for. That said, if you're particularly paranoid about the potential threat of quantum computers, especially in the case of an extremely large stash, you may want to consider moving it to a quantum-resilient wallet, like Quastle (https://bitcointalk.org/index.php?topic=5563065.0), which ^{by this} offers quantum-grade encrypted keys.

As for potential bugs in RNG, use of physical source of entropy such as dice rolls to generate the seed is one way to avoid this risk.


I wasn't going to bring up the quantum issue, but since it's come up in this thread, I'll mention one question I have about quantum brute-forcing...not of exposed public keys, but of 12-word seed phrases specifically:

According to my research, brute-forcing a 24-word seed phrase (i.e., guessing random phrases until finding one with a balance) would be impossible even for the most powerful quantum computer theoretically conceivable. It would take way longer to do that than it will take the Sun to run out of hydrogen, switch to burning helium, and expand until it engulfs the Earth. It's not as clear to me that this is also the case for 12-word seed phrases. Could a future quantum computer brute-force a 12-word seed phrase? I doubt this is likely to happen in practice, not within the next 50 years anyway, but is it possible in theory?

I've quoted two of your posts since it's relevant to this reply:

If it's just theoretical bruteforce, brutefocing 12-words mnemonic will be quite harder than bruteforcing a 128-bit entropy.
That's simply 2048^12 combinations which is higher that 2^128.
But since the last word is part of the checksum (4 bits), the two would be equal if the it'll only include valid 12th words; that's: (2028^11)128 = 2^128
But it also means that it'll be slower with those extra operations than just straight bruteforcing 128-bits.

So even with bruteforce, 12-words is as good as a 128-bit entropy.
Thus, we go back to the initial answer that anything higher isn't necessarily better.

I'm wondering whether higher is better when it comes to brute-forcing seed phrases, even though it's not better in the case of cracking 128-bit public keys. It seems to me that, in the former case, you're not limited by the 128-bit security of the key, so that with a 24-word seed phrase you're getting the entire 256-bit space of possible word combinations. This difference wouldn't matter with traditional computers, since they're not able to brute-force a 12-word phrase. I'm wondering if this is also the case with any possible quantum computer. No quantum computer could brute-force a 24-word seed, but is that also the case with 12-word seeds? My understanding is that 128-bit keys are potentially vulnerable to quantum computers, otherwise the experts wouldn't be advising people to avoid keeping balances in addresses with exposed public keys. So if quantum computers might turn out to be capable of cracking 128-bit keys, could they also be capable of brute-forcing 12-word (but not 24-word) seed phrases? I realize that the two cases are not equivalent, since quantum computers may not have as much of an advantage in brute-forcing phrases as they do at cracking ECDSA encryption. But even if that's the case, it seems that 24-word seed phrases do have this specific advantage (resistance to brute-forcing) over 12-word phrases.

Ah, that's because of "ECDLP" which is deemed to be solvable by a quantum computer with high-enough cubits.
And if so, it theoretically can; if it can calculate 128-bit of work, bruteforcing would be simpler.

Since you're considering future quantum computers, your concern to use 24 words is valid but be aware that the derived public key isn't limited to your reused addresses,
As you know it, your used-but-not-reused addresses have their public key exposed so a theoretical future QC can get its private key.
And your "extended public key" is most of the time saved on an online computer.
So when any of your address' private key that is a child of that xpub is exposed, even a traditional computer can use those together to calculate the rest of your private keys.
So be absolutely sure that no one gets your xpub.

I don't like theorizing future QC developments though.
(I'm personally not convinced with the current hardware's architecture TBH)

Thanks, I wasn't aware of this potential threat from exposed Xpubs. So if an attacker was able to decrypt just one of my public keys with a quantum computer, and hack my online watching wallet to steel my Xpub, they could get all of my private keys. Mind-boggling. So I guess paranoiacs like me should avoid BIP-39 altogether and stick to using discreet keys for each transaction. Just use Core to generate all their addresses. Then there are no Xpubs to worry about.

Core also utilizes xpubs by the way,
It just doesn't use mnemonic to derive the binary seed but the derivation from seed to master private key to addresses also use BIP44 and other standards.
Just make sure that no one get his hands on your machine or export those on a non-secure environment.

This is why you'll often see expert answers in 'bitcoin.stackexchange' that not reusing addresses doesn't totally secure your bitcoins from QC.
It's still better not to reuse addresses though, both for your privacy and security since without the xpub, each of your private keys must be "hacked" separately.

The process to calculate the private key from the public key is not decryption, more like "calculations".

Understood, thanks again