Bitcoin Forum
Author Topic: Does more seed words equal better security?  (Read 1069 times)

o_e_l_e_o
June 29, 2021, 03:25:17 PM
#61

> Attacking specific Electrum seed is 3 times harder compared to BIP39, if we look at single derivation path.

Allow me to rephrase. Yes, finding a valid Electrum seed requires 3 times the hashes of a valid BIP39 seed (assuming it takes a full 4096 attempts to find a valid prefix), but if searching the entire space for a specific seed, then it would be easier with Electrum seeds than with BIP39 seeds, no? There are fewer valid Electrum seeds as you point out here:

> With BIP39 the attack is 2^128 PBKDF2, while Electrum is 2^121.6 equivalent PBKDF2. After that we have 2^128 address derivations for BIP39, and 2^119.9 for Electrum.

> The difficulty in derivation is mainly the number of elliptic curve multiplications

Sure, but an additional three HMAC-SHA512s and additions per derivation path is not trivial when considering 2^128 seeds.

franky1
June 29, 2021, 05:12:11 PM
#62

it's been many posts and many hours. and i still see people beating their chest showing off how much they know about the math of the hashing cycle of sha, ecdsa and ripemd160..

but the question of SEEDS.. is the part pre hashing cycle
and that's about the human security of what randomiser/human personal selection entropy
which can make the difference between 500^12 or 2048^12

yet again. if they want to talk about the 2^160 post hash cycle(a)
they are ignoring the less secure(b,c)

a. 2^160   = 1461501600000000000000000000000000000000000000000
b. 2048^12 =          5444517900000000000000000000000000000000
c. 500^12  =                    488281250000000000000000000000

by the way.
having 10 seed words of 32000 library(d) is more secure than 12 seed words with randomiser(b) or personally chosen(c)
d. 32000^10 =   1125899900000000000000000000000000000000000000

and that's without having to do any gorilla chest beating of who's the smartest and explaining the hashing functions

yep you will have much better luck brute forcing seeds in (b,c,d) than you would by trying all (a) combinations
so. try to keep to the topic of the SEEDs and not the post ripemd160 entropy

remember the question is
"does more seed words"
not
"what's the most combinations post keyhash cycle"

I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER.
Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at

j2002ba2
June 29, 2021, 05:17:57 PM
#63

> Allow me to rephrase. Yes, finding a valid Electrum seed requires 3 times the hashes of a valid BIP39 seed (assuming it takes a full 4096 attempts to find a valid prefix), but if searching the entire space for a specific seed, then it would be easier with Electrum seeds than with BIP39 seeds, no?

Seems that I got confused. Yes, it would be easier.

On the other hand, while attacking a specific seed, it's way more probable to stumble upon another seed before finding it.

>> The difficulty in derivation is mainly the number of elliptic curve multiplications
> Sure, but an additional three HMAC-SHA512s and additions per derivation path is not trivial when considering 2^128 seeds.

If my numbers are correct, generating one public key from a private key is ~68 times slower than a single HMAC-SHA512. That's why I assume elliptic curve operations are the slow thing here.
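The Electrum version-prefix check whose cost the two posts above are counting, as an added example that is not part of the thread and not Electrum's own code: a phrase is accepted as an Electrum seed only when the hex HMAC-SHA512 tag keyed with "Seed version" starts with one of the known prefixes, so a uniformly random 12-word phrase passes the segwit ("100") check about once in 4096 tries, and the space of valid phrases shrinks from 2^132 to 2^120. The 2048-entry wordlist is a constructed stand-in (the real list is 2048 English words) and normalize_phrase is a simplified form of Electrum's text normalisation; both, and all function names, are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import unicodedata
from typing import Optional

# Electrum seed-version prefixes: required hex prefix of HMAC-SHA512("Seed version", phrase)
ELECTRUM_PREFIXES = {
    "01": "standard",
    "100": "segwit",
    "101": "2fa",
    "102": "2fa-segwit",
}

# Constructed stand-in for a 2048-entry wordlist; any 2048 distinct tokens give the
# same statistics because the version check is a hash of the whole phrase.
STAND_IN_WORDLIST = ["w%04d" % i for i in range(2048)]


def normalize_phrase(text: str) -> str:
    """Simplified version of Electrum's normalisation (assumption of this example):
    NFKD, lowercase, whitespace collapsed to single spaces."""
    return " ".join(unicodedata.normalize("NFKD", text).lower().split())


def electrum_seed_type(mnemonic: str) -> Optional[str]:
    """Return the seed type whose version prefix matches the HMAC tag, else None."""
    tag = hmac.new(b"Seed version", normalize_phrase(mnemonic).encode("utf-8"),
                   hashlib.sha512).hexdigest()
    for prefix, kind in ELECTRUM_PREFIXES.items():
        if tag.startswith(prefix):
            return kind
    return None


def expected_attempts(prefix: str) -> int:
    """Mean number of random phrases a generator tries before one matches `prefix`;
    each hex digit costs 4 bits, so "01" -> 256 and "100" -> 4096."""
    return 16 ** len(prefix)


def valid_phrase_bits(words: int, prefix: str, bits_per_word: int = 11) -> int:
    """log2 of the number of word sequences that are valid seeds of this type:
    words * 11 raw bits minus the bits fixed by the prefix (132 - 12 = 120 for segwit)."""
    return words * bits_per_word - 4 * len(prefix)


def count_segwit_hits(trials: int = 100000, words: int = 12) -> int:
    """Sample uniformly random phrases from the stand-in list and count how many
    pass the segwit check; the expected count is trials / 4096 (about 24 here)."""
    hits = 0
    for _ in range(trials):
        phrase = " ".join(STAND_IN_WORDLIST[secrets.randbelow(2048)] for _ in range(words))
        if electrum_seed_type(phrase) == "segwit":
            hits += 1
    return hits


if __name__ == "__main__":
    print("expected attempts for segwit prefix:", expected_attempts("100"))
    print("valid 12-word segwit phrases: 2^%d" % valid_phrase_bits(12, "100"))
    print("segwit hits in 100000 random phrases:", count_segwit_hits())
```

The hit count varies from run to run; what matters is that it sits near 100000/4096, which is the same one-in-4096 rejection rate the posts use to compare the cost of finding a valid Electrum seed with a valid BIP39 one.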


BlackHatCoiner
June 29, 2021, 06:20:31 PM
#64

> remember the question is
> "does more seed words"

Don't miss the forest for a tree; the title may say that, but in the original post, 20kevin20 asks if Bitcoin would be more secure if we extended the phrase with additional words. Therefore, we answer that an attacker will prefer computing 2^160 hashes rather than a range of mnemonics which exceeds it. Besides that, calculating a RIPEMD-160 hash takes less time than generating a BIP39 seed.

> having 10 seed words of 32000 library(d) is more secure than 12 seed words with randomiser(b) or personally chosen(c)

Again, if it exceeds the time 2^160 hashes would take, then the point is lost.


o_e_l_e_o
June 29, 2021, 07:09:00 PM
#65

> and i still see people beating their chest showing off how much they know about the math of the hashing cycle of sha, ecdsa and ripemd160..

We are having a discussion about the security of different seed phrases. No one is beating their chest about anything.

> and that's about the human security of what randomiser/human personal selection entropy

Here you go with the "personal selection" again. Humans are not random. Despite how random you think you are being, you aren't. I'll take 128 bits of properly generated entropy over any of your "human chosen words from a list of 32,000 words" any day of the week. Not to mention that choosing words is the completely wrong way to think about the whole thing. You generate entropy, not words. The words are simply an encoding of the entropy.

> remember the question is
> "does more seed words"

Are 256 bits of entropy encoded by 24 words more secure than 128 bits of entropy encoded by 12 words? Sure.
Does that result in private keys which are more secure? No.
Is any harebrained scheme where someone picks their own words going to be more secure than either of those? No.

franky1
July 03, 2021, 10:54:46 AM
#66

> remember the question is
> "does more seed words"
> Are 256 bits of entropy encoded by 24 words more secure than 128 bits of entropy encoded by 12 words? Sure.
> Does that result in private keys which are more secure? No.
> Is any harebrained scheme where someone picks their own words going to be more secure than either of those? No.

if you stop beating your chest for a slight moment.
have a cup of coffee, take a breath and read the details.

none of my posts say human hand picked keys are more secure
NOTE: yes i mentioned human chosen words are LOW entropy as people usually only hand pick from a vocab of about 500 common words
that was an example of low entropy. no conclusion or suggestion was made that hand picked brain chosen words were better (though your chest beating assumed so due to weirdly looking for something to oppose)

i'll explain the separate part now
your 1 round 128bit random...
then add on 4 bit checksum
then divide by 12 (call it the backward flow method of seed)

is not as much entropy as
12 rounds of 11bit random. then joined together
(call this the forward flow method)

both equal 132bit. but forward flow random 12 words, gives more combinations than your backward flow single random 128bit
(the extra 4bit checksum adds no extra combinations because the checksum is linked to the 128bit)

so we both agree (if you stop thumping your chest) that hand picked low vocab human chosen is bad
that has never been a debate.

let me take it one step further as it seems you missed the entire point
i understand your backward flow method

BEFORE going into an ECDSA cycle. that 128bit+checksum of yours needs to be padded out into 256bits
meaning you're limiting how many possible private keys you can have by only seeking within the first 128bit
meaning your scheme has less entropy than what's possible
yes your 128bit may calculate to having more than one private key for a public key. meaning you are not going to be calculating all possible 160bit public keys.

for emphasis:
i know you will be beating chest ready to growl how there are only 160bit of public key so no need to worry about 256bit. but only having 128bit means you're not finding all 160bit publics

but hey let's limit it to your chest beat of 160bit public key as the max entropy for the private (still not enough, but let's play it your way)

so
12 rounds of random 11bit is more possible combinations (132bit)
13 rounds of random 11bit is more possible combinations (143bit)
14 rounds of random 11bit is more possible combinations (154bit)
15 rounds of random 11bit is more possible combinations (165bit)
    ^15 rounds is a bit of an overflow but would at least cover all 160bit public keys

and one step further
10 rounds of random 15bit (32k library) is more possible combinations (150bit)
11 rounds of random 15bit is more possible combinations (165bit)
    ^11 rounds is a bit of an overflow but would at least cover all 160bit public keys

so the point of my answer is
to the topic creator
using the standard 2048 word library (11bit)
doing 13-14-15 random rounds is more secure than o_e_l_e_o's single round of 128bit
so more seed-words of 2048 library-words (rounds of 11bit random) is more secure
but, so is
10 random seed-words of 32k library-words (rounds of 15bit random) is more secure
11 random seed-words of 32k library-words (rounds of 15bit random) is more secure

i won't do the math of all the privates needed to get EVERY public including all double privates..
because o-e-l-e-o wants to keep his debate to 160bit. so just on the limited scope

forward flow method of 13-14-15 is more secure

have a nice day,
hopefully a more calm and relaxed day


o_e_l_e_o
July 03, 2021, 11:44:31 AM
#67

You might find people are more willing to discuss things with you if you stopped using personal insults in every other sentence.

> BEFORE going into an ECDSA cycle. that 128bit+checksum of yours needs to be padded out into 256bits
> meaning you're limiting how many possible private keys you can have by only seeking within the first 128bit

The seed phrase does not enter an elliptic curve multiplication function (which is not the same as ECDSA). It enters 2048 rounds of HMAC-SHA512 to produce a 512 bit seed number, the first 256 bits of which become the master private key of your wallet, and the second 256 bits become the master chain code.

> yes your 128bit may calculate to having more than one private key for a public key. meaning you are not going to be calculating all possible 160bit public keys.

There are (slightly fewer than) 2^256 public keys, not 2^160. And thanks to how hierarchical deterministic wallets work with unlimited levels, you can theoretically generate every public/private key pair from a single seed phrase.

I'm not saying that 15 words from a wordlist of 32,768 does not have more entropy than 12 from a wordlist of 2,048, provided both are encodings of a randomly generated number. But given how bitcoin generates private keys and addresses, you are not decreasing the security of your private keys nor limiting yourself to a subset of private keys by using the latter.
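The seed-stretching step the post above describes, as an added example that is not code from the thread or from any wallet project: BIP39 runs 2048 rounds of PBKDF2-HMAC-SHA512 over the phrase to produce a 512-bit seed, and BIP32 then applies one HMAC-SHA512 keyed with "Bitcoin seed" to that seed, taking the left 256 bits as the master private key and the right 256 bits as the master chain code. The phrase is only stretched, never truncated or padded, so a 12-word phrase yields a full-size key. The test vector is the all-zero-entropy phrase from the BIP39 specification with passphrase "TREZOR"; the function and constant names are this example's own.

```python
import hashlib
import hmac
import unicodedata
from typing import Tuple

# Order of the secp256k1 group; a BIP32 master private key must lie in [1, N-1]
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: 2048 rounds of PBKDF2-HMAC-SHA512 over the NFKD-normalised phrase,
    salted with "mnemonic" + passphrase, giving a 512-bit (64-byte) seed."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def seed_to_master(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32: HMAC-SHA512 keyed with "Bitcoin seed" over the seed; the left 32 bytes
    are the master private key, the right 32 bytes the master chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    master_key, chain_code = digest[:32], digest[32:]
    k = int.from_bytes(master_key, "big")
    if k == 0 or k >= SECP256K1_N:
        # BIP32 declares such a seed invalid; the probability is about 2**-128
        raise ValueError("master key out of range, seed is invalid")
    return master_key, chain_code


# Reference vector from the BIP39 specification: all-zero 128-bit entropy encodes as
# eleven "abandon" words plus the checksum word "about"; passphrase "TREZOR".
TEST_MNEMONIC = "abandon " * 11 + "about"
TEST_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


if __name__ == "__main__":
    seed = mnemonic_to_seed(TEST_MNEMONIC, "TREZOR")
    key, chain = seed_to_master(seed)
    print("seed matches BIP39 vector:", seed.hex() == TEST_SEED_HEX)
    print("master private key:", key.hex())
    print("master chain code :", chain.hex())
```

Changing the passphrase changes every bit of the seed, which is why a forgotten BIP39 passphrase is as fatal as a forgotten phrase; the optional passphrase is the only knob that adds secret material after the entropy has been generated.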

BlackHatCoiner
July 03, 2021, 12:07:54 PM
Last edit: July 03, 2021, 02:12:38 PM by BlackHatCoiner
#68

If only I had a 'toshi for each chest beat of this page.

> if you stop beating your chest for a slight moment.
> have a cup of coffee, take a breath and read the details.

Do you read what you write? Do you actually read your sentences before you submit? It's not bad if English isn't your mother language, but I'd recommend you to translate one of your posts and try making any sense. I'll need more than just a breath and a cup of coffee for this. Also, stop insulting, we're having a discussion.

> so more seed-words of 2048 library-words (rounds of 11bit random) is more secure

Yes, they are. As you said, having a fifteen-word seed is the maximum security you can get acknowledging that it exceeds the 160 bits. Although, that's correct if the public key of the related address has never been exposed. The security of secp256k1 is 128 bits.


o_e_l_e_o
July 03, 2021, 12:15:11 PM
#69

> Yes, they are. As you said, having a fifteen-word seed is the maximum security you can get acknowledging that it exceeds the 160 bits.

They aren't. franky1's number of 160 bits is incorrect.

Either we are considering the security of your private keys, of your coins, of bitcoin itself, in which case 128 bits is the maximum security unless we change the protocol. Or we consider the security of only your seed phrase as an isolated concept, in which case we might as well generate a seed phrase a million words long. Obviously the latter makes no sense since it does not make your private keys or your coins any more secure if your seed phrase is 12 words or a million words (all else being equal).

BlackHatCoiner
July 03, 2021, 01:25:28 PM
#70

> They aren't. franky1's number of 160 bits is incorrect.

I guess he talks about the private keys and specifically, the RIPEMD-160 function that returns 160 bits. Why is he incorrect?


ranochigo
July 03, 2021, 02:05:40 PM
#71

> They aren't. franky1's number of 160 bits is incorrect.
>
> Either we are considering the security of your private keys, of your coins, of bitcoin itself, in which case 128 bits is the maximum security unless we change the protocol. Or we consider the security of only your seed phrase as an isolated concept, in which case we might as well generate a seed phrase a million words long. Obviously the latter makes no sense since it does not make your private keys or your coins any more secure if your seed phrase is 12 words or a million words (all else being equal).

I'm not sure if I'm following the discussion correctly since it's getting a bit lengthy, but I share the same sentiments as BlackHatCoiner.

The 128 bits value is for breaking ECDSA to obtain the private key for the secp256k1 curve, as defined here[1] to be 128 bits. Unless we're able to get the public keys in the first place, we won't be able to have the 2^128 operations to get to the private keys. If we have no knowledge of the public keys, then we're going to the old school bruteforce for the preimage attack, to which 160 bits of security applies, 160 due to the size of RIPEMD-160.


[1] https://www.secg.org/sec2-v2.pdf


o_e_l_e_o
July 03, 2021, 04:13:39 PM
#72

Sure, if we are talking about brute forcing a public key from an address, then you are looking at 160 bits. Maybe I've misunderstood franky1, in which case I apologise, but I've re-read what he wrote and I don't see him mention that anywhere. However, when he says this:

> yes your 128bit may calculate to having more than one private key for a public key. meaning you are not going to be calculating all possible 160bit public keys.

To me, that reads that he is suggesting you can generate multiple private keys per public key, and your seed phrase will not be able to generate all possible public keys, of which there are 2^160, none of which is correct.

PrimeNumber7
July 03, 2021, 05:47:24 PM
#73

> yet again..
> my whole point was..
> the HUMAN ELEMENT
>
> someone handpicking 12 words. means their entropy of library might just be 500 words they commonly use and are personal to them..
> EG many IT/Network nerds might choose words affiliated with IT/networking. and not even think to use words like 'voyage' / 'vicious'
>
> so 12 words of a library of 500 handpicked words is very bad.
> (it's why a few passphrase wallets got emptied)

You are describing a problem with a typical brain wallet that is created using a means that is not random. In order for a seed to have its advertised bits of entropy, the seed words need to be chosen at random from the word list.

A person creating a typical brain wallet will have a very large word list (their vocabulary), however they will often pick a phrase in a predictable way. An attacker trying to crack a typical brain wallet will not use random, but will rather use a library of common phrases or words that have the highest chances of being used.

A person trying to crack a seed on the other hand will need to use randomness in order to attempt to guess the correct seed.

o_e_l_e_o
July 03, 2021, 06:16:02 PM
#74

> In order for a seed to have its advertised bits of entropy, the seed words need to be chosen at random from the word list.

I get what you mean, but for the sake of accuracy/clarity, the words shouldn't be "chosen at random" at all. Rather, a (usually) 128 bit or 256 bit number should be randomly generated, and then 11 bit sections of this number should be encoded by the very specific word on the wordlist which represents those 11 bits.

I think part of the reason we still see brainwallets being used and people trying to come up with their own seed phrases is because they think a seed phrase is also just a computer "choosing words", think "I can do that just as well as it can", and don't appreciate that they have the entire process back to front.

PrimeNumber7
July 03, 2021, 06:37:48 PM
#75

>> In order for a seed to have its advertised bits of entropy, the seed words need to be chosen at random from the word list.
> I get what you mean, but for the sake of accuracy/clarity, the words shouldn't be "chosen at random" at all. Rather, a (usually) 128 bit or 256 bit number should be randomly generated, and then 11 bit sections of this number should be encoded by the very specific word on the wordlist which represents those 11 bits.
>
> I think part of the reason we still see brainwallets being used and people trying to come up with their own seed phrases is because they think a seed phrase is also just a computer "choosing words", think "I can do that just as well as it can", and don't appreciate that they have the entire process back to front.

By my calculations, picking a number between 1 and 2048, 12 times (2048^12) equals ~5.4445e+39, and log2 of this number is 132. The reason for the difference in the number of bits is due to seeds having a checksum that removes some of the actual entropy.

My understanding is that brain wallets are not typically standardized, and as such, it is possible to create a brainwallet that does not have a checksum that would remove bits of entropy. So if you were to one hot encode each word in a passphrase that is L words long, out of a vocabulary of V words, it would result in an array that has a dimension of [V, L], and is one of V^L possibilities.

Unless I am missing something?

o_e_l_e_o
July 03, 2021, 08:24:16 PM
#76

This is looping back round to the points I've made above. Sure, if you pick 12 words from a BIP39 wordlist, then (ignoring the checksum) you will end up encoding a 128 bit number. However, you will not end up with 128 bits of entropy. If you pick 10 words from the entire English dictionary of ~150,000 words, then you can encode a ~172 bit number, but you do not have 172 bits of entropy.

Humans are not random and are not a source of entropy. As soon as you introduce a human element, i.e. manually picking or choosing anything, then you have lost a significant amount of entropy. An 8 character password, for example, could encode ~53 bits of entropy, but it almost never does, because literally millions of people use passwords such as "password", "iloveyou", and "princess".
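The encoding direction that o_e_l_e_o describes in #74 and #76, together with the 132-versus-128 bit figures argued over in #66 and #75, as an added example that is not taken from the thread: entropy is generated first, SHA256 supplies a checksum of ENT/32 bits, and the concatenation is cut into 11-bit indices into the 2048-word list (index to word is a fixed table lookup, so the words themselves carry no entropy). Drawing the twelve indices directly, franky1's "forward flow", does give 2^132 sequences, but only one in sixteen passes the checksum, so the set of valid phrases is still 2^128. The code works on indices rather than words so that it runs without the wordlist file; function names are this example's own.

```python
import hashlib
import math
import secrets
from typing import List

WORDLIST_SIZE = 2048                               # BIP39 English list
BITS_PER_WORD = WORDLIST_SIZE.bit_length() - 1     # 11 bits per word


def entropy_to_indices(entropy: bytes) -> List[int]:
    """BIP39 encoding: ENT bits of entropy, followed by CS = ENT/32 checksum bits
    taken from the top of SHA256(entropy), split into 11-bit word indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128..256 bits in steps of 32")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(bits >> (total - BITS_PER_WORD * (i + 1))) & (WORDLIST_SIZE - 1)
            for i in range(total // BITS_PER_WORD)]


def indices_to_entropy(indices: List[int]) -> bytes:
    """Decode word indices back to entropy; ValueError on a bad length, an index
    outside the list, or a checksum mismatch (the wallet's validity check)."""
    total = len(indices) * BITS_PER_WORD
    if total % 33:
        raise ValueError("word count must be 12, 15, 18, 21 or 24")
    ent_bits = total * 32 // 33
    cs_bits = total - ent_bits
    bits = 0
    for idx in indices:
        if not 0 <= idx < WORDLIST_SIZE:
            raise ValueError("index outside the wordlist")
        bits = (bits << BITS_PER_WORD) | idx
    entropy = (bits >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    if bits & ((1 << cs_bits) - 1) != expected:
        raise ValueError("checksum mismatch")
    return entropy


def forward_flow_valid_fraction(words: int = 12, trials: int = 20000) -> float:
    """Draw every index uniformly ('forward flow': 132 random bits for 12 words) and
    measure how many sequences decode; only about 1 in 2^CS (1/16 for 12 words) do."""
    ok = 0
    for _ in range(trials):
        try:
            indices_to_entropy([secrets.randbelow(WORDLIST_SIZE) for _ in range(words)])
            ok += 1
        except ValueError:
            pass
    return ok / trials


def phrase_bits(words: int, vocabulary: int = WORDLIST_SIZE) -> float:
    """Bits needed to encode `words` picks from `vocabulary`, i.e. log2(vocabulary**words):
    12 x 2048 -> 132, 12 x 500 -> about 107.6. This is the size of the encoding, not
    the entropy of whatever process chose the words."""
    return words * math.log2(vocabulary)


if __name__ == "__main__":
    entropy = secrets.token_bytes(16)                 # 128 bits from the OS CSPRNG
    indices = entropy_to_indices(entropy)
    print("12 word indices:", indices)
    print("round trip ok  :", indices_to_entropy(indices) == entropy)
    print("forward-flow phrases that decode:", forward_flow_valid_fraction())
    print("bits encoded by 12 x 2048:", phrase_bits(12), "valid phrases: 2^128")
```

A 13- or 14-word sequence is rejected outright because 143 and 154 bits do not split into ENT + ENT/32, which is why BIP39 word counts go 12, 15, 18, 21, 24; and the checksum removes no security, it only fixes which 2^128 of the 2^132 sequences a wallet will accept.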

dortheamangum
July 21, 2021, 09:16:40 AM
#77

It does not make it more secure but of course it would make it difficult for the hacker.

BlackHatCoiner
July 21, 2021, 09:55:09 AM
#78

> Humans are not random and are not a source of entropy. As soon as you introduce a human element, i.e. manually picking or choosing anything, then you have lost a significant amount of entropy. An 8 character password, for example, could encode ~53 bits of entropy, but it almost never does, because literally millions of people use passwords such as "password", "iloveyou", and "princess".

Instead of saying that you lose a significant amount of entropy, shouldn't it be a significant amount of randomness? The entropy length remains the same whether you generate it randomly or pick fifty three zeros. "Losing entropy" sounds like the size of it rather than its unpredictability.

> My understanding is that brain wallets are not typically standardized, and as such, it is possible to create a brainwallet that does not have a checksum that would remove bits of entropy.

But, the checksum doesn't remove bits of entropy. If you extend a 128-bit seed with 4 extra bits, you aren't reducing your security.


BASE16
July 21, 2021, 11:07:29 AM
Merited by Welsh (4), ABCbits (1), BlackHatCoiner (1)
#79

> Would Bitcoin be more secure against extremely powerful computing tech with more words in the dictionary list, a larger number of seed words and perhaps a longer BTC address/privkey? Say a seed had 50 words instead of 12 or 24 and Bitcoin addresses or seeds had at least one more character. Would it be more secure against bruteforcing or high computing power?

You have to specify more secure in terms of YOUR specific mnemonic/address or more secure in terms of ANY address because those are two different things.

Mnemonics exist to make your life easier by using words instead of digits, and not to make it more secure.