Hypothetical Thought Exercise

[caveminer]

Let's say, hypothetically, you can remember your master private key (256-bit) or a 24 word seed phrase with equal precision. 

Would it therefore be equally/more secure to remember your 256-bit master private key and never use a seed phrase?  And actually more secure (not by a statistically relevant amount but still technically more secure for this hypothetical) because of the fact that a seed phrase can be used to get the master private key, but a master private key cannot be used to get a seed phrase if a seed phrase does not exist? 

Please try and keep answers to the hypothetical, I'm trying to understand how things work and not necessarily how to store my own bitcoin. 

[BlackHatCoiner]

And actually more secure (not by a statistically relevant amount but still technically more secure for this hypothetical) because of the fact that a seed phrase can be used to get the master private key, but a master private key cannot be used to get a seed phrase if a seed phrase does not exist?

A master private key can also be used to derive a private key, but a private key cannot be used to get the master private key. This doesn't make the master private key less secure nor the private key more secure.

Better example: A seed phrase is used to generate addresses, but addresses can also be generated without a seed phrase; just by hashing a public key. The former address isn't (and shouldn't be) considered more vulnerable than the former address, as long as the seed phrase remains secret.


Note that there's a high chance for your master private key to have a seed phrase, that isn't known by anyone.

[caveminer]

Doesn't the seed phrase give you the master private key though?  So someone could guess either the seed phrase or master private key and get the bitcoin.  Whereas with a master private key that has no seed, there's only 1 thing to guess.  Although guessing takes time so I suppose you could say the 2 are equally secure then?

[BlackHatCoiner]

Whereas with a master private key that has no seed, there's only 1 thing to guess.

You can't know if there's a seed that generates it, for the same reason you don't know if a burning address has a private key that isn't yet known. (Although it's extremely likely for every address to have at least one private key)

A master private key is consisted of a private key and a chain code, both of which are 128 bits long. This makes the master private key 256 bits long. If the seed is 256 bits, then there a high chance for your master private key to have at least one seed phrase nobody knows.

And there's also a nearly infinite amount of seed phrases, of any size, with a passphrase that can generate it.

Post edited.

[caveminer]

Can you explain this "there's a 1 in 2^256 chance for your master private key to have a seed phrase that isn't known."

So you're saying that if I generated a private master key using bitcoin core, it could possibly have a seed phrase attached to it already and I don't know about it?  That doesn't seem correct to me.  I think I'm not fully grasping what you're saying. 

[BlackHatCoiner]

I think I'm not fully grasping what you're saying.

It's simple.

Take this number:

Code:

0xc555eab45d08845ae9f10d452a99bfcb06f74a50b988fe7e48dd323789b88ee3

Can you prove there's no number such that once you use it as an input to SHA-256, it'll output the above? No, unless you try all the numbers, which are nearly infinite.

That number is 0x10, but if you don't know it, you can't prove there isn't such number. You can neither prove 0x10 is the only number that'll output it.

[caveminer]

Thank you for your patience I'm somewhat confident that makes sense to me.  Would you say then that the 2 options are equally secure in terms of being randomly guessed/hacked?

[aoluain]

Hold on!

I'm focussing on the word being used "Guess", it is impossible* to guess a seed phrase,
so memorising it is perfectly safe provided you can recall the 24 words anytime and are in full
control of your faculties in 10, 20, 30+ years from now.

Also if we disregard another word "hypothetically" and look at what o_e_l_e_o posted
in a related thread from earlier this week > Crypto vs "the lucky dude" --- Is Bitcoin really SAFE?

From what I understand the only defense against this event is to divide your assets into many accounts to reduce the risk.

No, the defense against this is math:

Let's say we have a trillion planet Earths. On each Earth, there are a trillion people. Each person has a trillion computers. Each computer generates a trillion keys a second. All these computers have been creating a trillion keys per second since the birth of the universe 13.7 billion years ago. 10^12 * 10^12 * 10^12 * 10^12 * 60 * 60 * 24 * 365 * 13.7 * 10^9 = 4.3*10^65. This means thay they would have so far generated approximately 0.0000000004% of all private keys.

If you are worried about someone using such a site to stumble across your private key, then you should be absolutely terrified of dying from a meteor strike, shark attack, or lightning strike, all of which are exponentially more likely to happen. You should also be terrified about someone guessing your credit card number and stealing all your fiat, since for every possible credit card number there is somewhere in the region of 10 trillion trillion trillion trillion trillion possible private keys.

I think he got some spent addresses but all of them were empty already.

If he did, then it was because those addresses were generated insecurely (e.g. brain wallets), or he had some additional information or knowledge about those addresses. No one has ever or will ever randomly stumble across the same private key as anyone else, period.

Sorry, but your chances of winning a lottery are higher.

Given that most lotteries have a chance to win the jackpot in the region of 1 in 10⁸, and there are around 10⁷⁷ possible private keys, then you are a few trillion trillion trillion times more likely to win the jackpot 5 times in a row than to find a single previously used private key.

Imagine stumbling across an address with a only few thousand sats in it, knowing you could have exponentially more easily just won several billion dollars by winning the lottery over and over and over!

[BlackHatCoiner]

Thank you for your patience I'm somewhat confident that makes sense to me.  Would you say then that the 2 options are equally secure in terms of being randomly guessed/hacked?

Brute forcing all the master private keys is less difficult than brute forcing all the seed phrases, because there's a HMAC that has to be called, but it's meaningless, because brute forcing an address directly is far easier.

[hatshepsut93]

When people talk about security, they need to think about concrete attacks. Security is not an abstract value that can be "more" or "less". If you keep your seed or key in your memory only, you have a huge risk of forgetting it. The second risk is a $5-wrench attack. If you want to ask, which method is more safe when you type your seed or key into your wallet, then there's no difference between them. If you have malware, your coins will be stolen in both cases.

[o_e_l_e_o]

Brute forcing all the master private keys is more difficult than brute forcing all the seed phrases, because there's a HMAC that has to be called, but it's meaningless, because brute forcing an address directly is far easier.

I don't think this is correct. If I want to brute force master private keys, then I must first generate the master private keys, and then work down the derivation tree and then convert to public keys and addresses. If I want to brute force seed phrases, I must first turn each seed phrase in to a master private key, and then do all the same operations that I did for the master private key. A seed phrase will be computational more expensive.

Having said that, none of this matters at all. In terms of protection from brute force attacks, it makes absolutely no difference if you back up a seed phrase or back up a master private key (provided both were generated equally securely). Every address in your resulting wallet, created by either method, will show up in some other hierarchical deterministic wallet at some derivation path. Anyone who wants to conduct a brute force attack with no prior knowledge of your seed phrase or master key will instead just brute force individual private keys, which is a much faster process than either seed phrases or master private keys, and at that point it makes absolutely no difference which method you used to generate those private keys.

[BlackHatCoiner]

I don't think this is correct.

Oops, should have put a "less" there.