Bitcoin Forum
Author Topic: Question about wallet seed in numbers  (Read 405 times)
hosseinimr93
October 02, 2022, 08:49:22 PM
 #21

Quote
in other words, there are different numbers of seeds that determine how strong the wallet is, which is 12, 14, 18, 21 or 24 and anything less than 12 words is not secure,
A small correction:
Number of words in a seed phrase following BIP39 standards must be divisible by 3.
So, a BIP39 seed phrase can't include 14 words. It must include 3, 6, 9, 12, 15, 18, 21 or 24 words.

PowerGlove
October 03, 2022, 06:57:40 PM
Merited by The Sceptical Chymist (4)
 #22

Maybe I've misunderstood, but it reads to me like you're saying that a 12-word seed offers equivalent security (~128 bits) to that of the individual addresses generated from it, and that therefore, longer seeds are overkill.
In Elliptic Curves the key's security is half the key size and since bitcoin key sizes are 256 bit that makes the security 128 bits. [...]
Maybe I'm being less clear than I think I am, or the point I'm making is more confusing than I think it is, because I'm not sure why you're explaining that. I mean, my critique of Charles-Tim's quote depends on me already knowing that, doesn't it? My point was that seeds that offer higher security levels than the individual keys they generate are useful because they're protecting multiple keys.

Isn't that reasoning a little shaky? I mean, the seed is used to generate a unique sequence of addresses [1], no? Putting aside the increased hassle of longer seeds, isn't it desirable for it to be harder to recover the sequence than it is to brute-force a single address?
No because security is defined by the weakest link not the strongest. [...]
Yep, when you're combining cryptographic primitives, that's exactly right. But, in this case there's a causal relationship that makes things a little more subtle.

If you had, let's say, a 64-bit seed that you deterministically generated 256-bit private keys from, then the security of the latter is confined by the entropy of the former. But that confinement doesn't work the same way in the opposite direction. I'm flipping two things at once here, so keep your wits about you, but in the reverse situation, with a 256-bit seed being used to generate 64-bit private keys (with the top 192 bits set to 0, for example) the smaller 64-bit private keys don't reduce the security of the seed all the way down to their level.

In some sense, the seed "contains" the private keys that it generates, and viewed through that lens, the following example amounts to a very similar thing, even if it looks unrelated at first glance:

Imagine you have a file, listing the locations of secret military bases encoded as 64-bit coordinates (32-bit longitude, 32-bit latitude). Even though this file contains only a sequence of (sensitive) 64-bit values, that shouldn't decide what security level is chosen to protect its contents. It wouldn't make sense to argue that encrypting it with anything more than a 64-bit key is technically unnecessary.
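
An added example, not part of the original post, illustrating the first case described above: keys derived from a low-entropy seed are only as hard to recover as the seed, and recovering the seed yields every key derived from it. The 16-bit seed is a constructed toy value and `derive_key` is a hypothetical HMAC-SHA256 stand-in for wallet derivation (not BIP32).

```python
import hashlib
import hmac

SEED_BITS = 16  # constructed toy size so the search finishes instantly


def derive_key(seed: bytes, index: int) -> bytes:
    """Hypothetical derivation (not BIP32): 256-bit key number `index`."""
    return hmac.new(seed, index.to_bytes(4, "big"), hashlib.sha256).digest()


def recover_seed(first_key: bytes, seed_bits: int = SEED_BITS):
    """Search the whole seed space for the seed whose key 0 matches.

    Returns (seed, guesses_made); the work is bounded by 2**seed_bits,
    no matter how long the derived keys are.
    """
    width = (seed_bits + 7) // 8
    for guess in range(1 << seed_bits):
        candidate = guess.to_bytes(width, "big")
        if hmac.compare_digest(derive_key(candidate, 0), first_key):
            return candidate, guess + 1
    return None, 1 << seed_bits


def demo():
    seed = (0xBEEF).to_bytes(2, "big")  # constructed sample seed
    wallet = [derive_key(seed, i) for i in range(5)]
    found, guesses = recover_seed(wallet[0])
    # One recovered seed regenerates every key in the wallet, not just key 0.
    regenerated = [derive_key(found, i) for i in range(5)]
    return {
        "key_bits": len(wallet[0]) * 8,
        "guesses": guesses,
        "seed_found": found == seed,
        "all_keys_exposed": regenerated == wallet,
    }


if __name__ == "__main__":
    print(demo())
```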
pooya87
October 04, 2022, 04:23:24 AM
 #23

Quote
My point was that seeds that offer higher security levels than the individual keys they generate are useful because they're protecting multiple keys.
But it doesn't matter how many keys you generate from a seed, they all have the same security. Meaning if you generate 1 key using a 12 word seed it has the same security as the 100th key you generate from the same seed.

Quote
with a 256-bit seed being used to generate 64-bit private keys (with the top 192 bits set to 0, for example) the smaller 64-bit private keys don't reduce the security of the seed all the way down to their level.
The seed will have its 256-bit security (assuming 256 bits were generated and used) but the key will still have only 64 bits of security, not more.

Quote
In some sense, the seed "contains" the private keys that it generates, and viewed through that lens, the following example amounts to a very similar thing, even if it looks unrelated at first glance:

Imagine you have a file, listing the locations of secret military bases encoded as 64-bit coordinates (32-bit longitude, 32-bit latitude). Even though this file contains only a sequence of (sensitive) 64-bit values, that shouldn't decide what security level is chosen to protect its contents. It wouldn't make sense to argue that encrypting it with anything more than a 64-bit key is technically unnecessary.
That's a bad example because encryption is different and irrelevant in this context. When encrypting something, the message is not the deciding factor in choosing the algorithm, security level and key size.
But when deriving a key, the key size (or, better said, the security level) itself is a deciding factor in choosing the entropy size.

PowerGlove
October 04, 2022, 08:00:44 AM
Merited by The Sceptical Chymist (4)
 #24

[...]
We're clearly talking past each other. You seem to think that I'm saying that the stronger the seed is, the stronger the generated keys will be. That's obviously wrong and it's not what I'm saying.

What I'm saying is that it doesn't make sense to choose a seed strength based on the security level of private keys. It makes sense to say "128 bits is enough security for my needs, that's why I use 12-word seeds". It doesn't make sense to say "I use 12-word seeds because private keys have 128 bits of security". You see what I'm saying?

The two things have different jobs. The security level of a private key protects a single satoshi balance. The security level of a seed protects every private key in your wallet. The idea that the seed can't make use of more than 128 bits of security is wrong.

That's a bad example [...]
No it's not. It's an excellent example that exposes the flawed reasoning I'm talking about perfectly. :P