Bitcoin Forum
Author Topic: HD wallet security  (Read 163 times)
takuma sato (OP)
January 22, 2024, 04:58:19 AM
Last edit: January 22, 2024, 05:12:42 AM by takuma sato
 #1

Two simple questions I would like to ask:

1) I know in practice this is probably pointless, but in theory, is a non-HD wallet safer than an HD wallet, given that if the enemy somehow brute-forced the seed of an HD wallet he could derive all possible addresses generated through this seed, vs. an old non-HD wallet where he would only be able to derive a limited amount? (AFAIK non-HD wallets pre-generated a limited amount of addresses, but beyond that you were required to back up your wallet, so he couldn't get any addresses that were generated after the first backup was required; isn't this again, in theory, extra security by not having a single point of failure?)

2) In HD wallets, is anything beyond 12 words pointless? In theory, more words means more security, but in practice, doesn't this lower security? You may accidentally type a word the wrong way if you type it manually, or it just creates more bits of word material to store.
Zaguru12
January 22, 2024, 05:23:43 AM
Merited by apogio (2)
 #2

1. Each has its advantages, but an HD wallet actually edges out a non-HD wallet from the fact that the master seed phrase it generates can be the only backup you need to secure, unlike non-HD wallets. Also, with many addresses being derived from it, it promotes the privacy of using a new address for every new transaction, and you can also derive their corresponding individual public keys to monitor a single address on an unsecured site without risking the private key or seed phrase. HD wallets, which mostly use the BIP39 protocol, can easily be recovered in any wallet using the same protocol.

2. Yes, a 12-word seed phrase has 128 bits of entropy while a 24-word seed phrase has 256 bits of entropy, which makes the 24-word seed phrase seem more secure, but that doesn't mean the 12-word seed phrase isn't equally secure, because the private key for both seed phrases doesn't exceed 128 bits of security. That means the private keys of both seed phrases are equal, having the same bits of security.

Also, it's not easy to brute force a 12-word seed phrase, as from the 2048 words you need 2^128 attempts to do so.

ranochigo
January 22, 2024, 05:24:44 AM
 #3

1) That point would be unfounded. Given that an attacker would require an unrealistic amount of resources to be able to brute-force your seed, it makes no sense to prefer one over the other. If both of them are, in theory, infeasible to brute-force, then it isn't a concern.

2) It doesn't lower your security. User error or negligence wouldn't concern the security of the seed. However, the security is again sufficient at 12 words, and anything beyond provides an insignificant amount of additional security.

_act_
January 22, 2024, 09:08:49 AM
 #4

12-word and 24-word seed phrases have the same bits of security. That means 24 words does not have more security than 12 words. A 12-word seed phrase is highly secure enough.

HD wallets were created not because of security; it is because they are able to generate more keys and addresses and give more convenience than non-HD wallets.

The security depends on the person that is using the wallet.

NotATether
January 22, 2024, 09:18:24 AM
 #5

1) I know in practice this is probably pointless, but in theory, is a non-HD wallet safer than an HD wallet, given that if the enemy somehow brute-forced the seed of an HD wallet he could derive all possible addresses generated through this seed, vs. an old non-HD wallet where he would only be able to derive a limited amount? (AFAIK non-HD wallets pre-generated a limited amount of addresses, but beyond that you were required to back up your wallet, so he couldn't get any addresses that were generated after the first backup was required; isn't this again, in theory, extra security by not having a single point of failure?)

Not really.

Keeping a bunch of miscellaneous private keys around is more cumbersome than storing a seed, and having just a small seed makes it harder to steal data since there's less of it.

In order to back up an HD wallet, you don't have to copy all the private keys. You just need to save the seed phrase (or wallet file + password), derivation path, and receive and change gap limits, which are the number of generated addresses.


2) In HD wallets, is anything beyond 12 words pointless? In theory, more words means more security, but in practice, doesn't this lower security? You may accidentally type a word the wrong way if you type it manually, or it just creates more bits of word material to store.

HD seeds are converted into bits and then passed through HMAC-SHA512 to create the master private key, so while 12 words give enough security now, the option to use 15, 18, 21 or 24 words allows us to future-proof seed phrases from things like quantum computers.

12-word and 24-word seed phrases have the same bits of security. That means 24 words does not have more security than 12 words. A 12-word seed phrase is highly secure enough.

This is not really true. The private keys may have the same bit-lengths, but the bit entropy from 24-word seed phrases is 2^12 larger than 12-word phrases (because 2^24 for 24 words / 2^12 for 12 words = 2^12 extra strength), which makes it harder to brute-force the master private key.

_act_
January 22, 2024, 09:37:55 AM
 #6

This is not really true. The private keys may have the same bit-lengths, but the bit entropy from 24-word seed phrases is 2^12 larger than 12-word phrases (because 2^24 for 24 words / 2^12 for 12 words = 2^12 extra strength), which makes it harder to brute-force the master private key.
I am right because this is about Bitcoin. It is not true if you are not talking about Bitcoin. If it is Bitcoin, it is entirely true. Anything that can compromise 128 bits of security makes a 24-word seed phrase useless, because if the seed phrase cannot be compromised, the private key can be compromised, and that makes the 24-word security useless.

satscraper
January 22, 2024, 10:01:34 AM
Last edit: January 22, 2024, 10:12:27 AM by satscraper
 #7

Two simple questions I would like to ask:

1) I know in practice this is probably pointless, but in theory, is a non-HD wallet safer than an HD wallet, given that if the enemy somehow brute-forced the seed of an HD wallet

Seed brute-forcing is a monumental task for any enemy due to the lack of the energy required to perform the relevant calculations. Even qubit-based devices may suffer total defeat at solving this task. More on this is here.

our wallet, so he couldn't get any addresses that were generated after the first backup was required; isn't this again, in theory, extra security by not having a single point of failure?)

2) In HD wallets, is anything beyond 12 words pointless? In theory, more words means more security, but in practice, doesn't this lower security? You may accidentally type a word the wrong way if you type it manually, or it just creates more bits of word material to store.

As follows from the referred estimations, 12 words are enough to ensure the security of your stash.

24 words might be useful for a sophisticated scheme of storing them.

For instance, one may split such a 24-word seed into 3 parts: (1-2-3-4-5-6-7-8-9-10-11-12-13-14-15-16), (1-2-3-4-5-6-7-8-17-18-19-20-21-22-23-24) and (9-10-11-12-13-14-15-16-17-18-19-20-21-22-23-24), and store those parts at different locations.


ABCbits
January 22, 2024, 11:33:10 AM
 #8

2) In HD wallets, is anything beyond 12 words pointless? In theory, more words means more security, but in practice, doesn't this lower security? You may accidentally type a word the wrong way if you type it manually, or it just creates more bits of word material to store.

Security and user mistakes are two different topics.

This is not really true. The private keys may have the same bit-lengths, but the bit entropy from 24-word seed phrases is 2^12 larger than 12-word phrases (because 2^24 for 24 words / 2^12 for 12 words = 2^12 extra strength), which makes it harder to brute-force the master private key.
I am right because this is about Bitcoin. It is not true if you are not talking about Bitcoin. If it is Bitcoin, it is entirely true. Anything that can compromise 128 bits of security makes a 24-word seed phrase useless, because if the seed phrase cannot be compromised, the private key can be compromised, and that makes the 24-word security useless.

It's true ECDSA/secp256k1 only provides 128 bits of security [1]. But on the other hand, is there any rough security-bits measurement for words generated using BIP 39?

[1] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
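As an added worked example, not code from any poster in this thread, here is the pipeline NotATether describes (entropy to BIP39 words, PBKDF2 seed, HMAC-SHA512 master key) together with the security-bits count ABCbits asks about, using only Python's standard library. It assumes the all-zero BIP39 test entropies, only the three English wordlist entries those map to (a real wallet loads all 2048 words), and the 128-bit secp256k1 figure cited from NIST above.

```python
import hashlib
import hmac
import unicodedata

# secp256k1 group order; a BIP32 master private key must lie in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Security of secp256k1 ECDSA against the best known generic ECDLP attack,
# as cited in the thread from NIST SP 800-57: about 128 bits (assumption taken from the thread).
SECP256K1_SECURITY_BITS = 128

# Constructed partial wordlist: only the three English BIP39 entries that the
# all-zero test entropies below map to. A real wallet loads all 2048 words.
PARTIAL_WORDLIST = {0: "abandon", 3: "about", 102: "art"}


def entropy_bits_for_words(word_count: int) -> int:
    """BIP39: each word carries 11 bits, of which ENT/32 are checksum bits.
    Solving words * 11 = ENT + ENT/32 gives ENT = words * 11 * 32 / 33."""
    if word_count not in (12, 15, 18, 21, 24):
        raise ValueError("BIP39 sentences have 12, 15, 18, 21 or 24 words")
    return word_count * 11 * 32 // 33


def entropy_to_word_indices(entropy: bytes) -> list[int]:
    """Append the first ENT/32 bits of SHA256(entropy) to the entropy and cut
    the result into 11-bit wordlist indices (BIP39 'Generating the mnemonic')."""
    ent = len(entropy) * 8
    if ent not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    cs = ent // 32
    checksum_byte = hashlib.sha256(entropy).digest()[0]
    bits = (int.from_bytes(entropy, "big") << cs) | (checksum_byte >> (8 - cs))
    total = ent + cs  # always a multiple of 11
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def indices_to_mnemonic(indices: list[int]) -> str:
    # Only works for the test entropies covered by PARTIAL_WORDLIST.
    return " ".join(PARTIAL_WORDLIST[i] for i in indices)


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: seed = PBKDF2-HMAC-SHA512(NFKD(mnemonic),
    "mnemonic" + NFKD(passphrase), 2048 rounds, 64 bytes)."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32: I = HMAC-SHA512(key=b"Bitcoin seed", data=seed). I_L is the master
    private key and I_R the chain code; I_L must be a valid secp256k1 scalar."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    i_l, i_r = i[:32], i[32:]
    k = int.from_bytes(i_l, "big")
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("invalid master key (probability ~2^-128); BIP32 says pick another seed")
    return i_l, i_r


def security_summary(entropy: bytes, passphrase: str = "") -> dict:
    """Run the whole pipeline and report where the security bound actually sits."""
    indices = entropy_to_word_indices(entropy)
    seed = mnemonic_to_seed(indices_to_mnemonic(indices), passphrase)
    master_key, chain_code = seed_to_master_key(seed)
    ent_bits = len(entropy) * 8
    return {
        "words": len(indices),
        "entropy_bits": ent_bits,                # 128 for 12 words, 256 for 24 words
        "master_key_bits": len(master_key) * 8,  # always 256: it is HMAC-SHA512 output, not word count
        "guess_mnemonic_bits": ent_bits,         # cost of guessing the phrase with no other information
        "ecdlp_bits": SECP256K1_SECURITY_BITS,   # cost of recovering the key from a public key
        "effective_bits": min(ent_bits, SECP256K1_SECURITY_BITS),
        "master_key_hex": master_key.hex(),
        "chain_code_hex": chain_code.hex(),
    }


if __name__ == "__main__":
    # 16 zero bytes -> 12 words ("abandon" x11 + "about"), 32 zero bytes -> 24 words ("abandon" x23 + "art")
    for n in (16, 32):
        s = security_summary(bytes(n))
        print(s["words"], "words:", {k: s[k] for k in ("entropy_bits", "master_key_bits", "effective_bits")})
```

The BIP39 specification's published test vectors (passphrase "TREZOR") can be fed through `mnemonic_to_seed` to check the implementation against the official seed values.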

apogio
January 22, 2024, 02:15:26 PM
 #9

I am just adding the "explain it like I am 5" version, as people have already mentioned the correct answer above.

Suppose you have:
1. a pk (private key) written on a piece of paper in WIF format
2. a classic seed phrase of 12 words
3. a classic seed phrase of 24 words

Also suppose you have the perfect backup setup for both cases. Suppose you have eliminated any risk that may occur due to human mistake.

The only way for an attacker to steal your funds would be to technically attack your keys. The way to do it isn't brute-forcing the pk. The best way for them to find the pk is to solve the ECDSA algorithm, which means to find a pk from the public key.

In all of the cases above (1,2,3) the pk has a max security of 128 bits. So you can never have any more than 128 bits of security.

We have options (2) and (3) because they are easier to back up than option (1). We have implemented all these options to avoid human mistakes.

n0nce
January 22, 2024, 03:49:00 PM
 #10

if the enemy somehow brute-forced the seed of an HD wallet he could derive all possible addresses generated through this seed, vs. an old non-HD wallet where he would only be able to derive a limited amount? (AFAIK non-HD wallets pre-generated a limited amount of addresses, but beyond that you were required to back up your wallet, so he couldn't get any addresses that were generated after the first backup was required; isn't this again, in theory, extra security by not having a single point of failure?)
I'd like to clarify this a little, since the main question has already been answered.
Either you have a HD (hierarchical deterministic) Wallet or you don't. If you do, there is one 'single point of failure' seed, from which you can create tons of child keys, and you'll only ever need to back it up once.

If you don't have a HD wallet, you have a single private key with a single corresponding address. 'Deriving a limited amount' is not a thing. Some wallets may create a certain number of individual / unrelated private keys, 'throwing dice' for every key individually, so if you back those up, you can't 'derive' more keys later, of course, because there was absolutely no 'derivation' going on in the first place.

In practice though, as has been explained sufficiently, there is no reason not to use a HD wallet. User error is just so much more likely than facing an attacker with the capabilities assumed in the original post.

takuma sato (OP)
January 22, 2024, 08:53:32 PM
 #11

if the enemy somehow brute-forced the seed of an HD wallet he could derive all possible addresses generated through this seed, vs. an old non-HD wallet where he would only be able to derive a limited amount? (AFAIK non-HD wallets pre-generated a limited amount of addresses, but beyond that you were required to back up your wallet, so he couldn't get any addresses that were generated after the first backup was required; isn't this again, in theory, extra security by not having a single point of failure?)
I'd like to clarify this a little, since the main question has already been answered.
Either you have a HD (hierarchical deterministic) Wallet or you don't. If you do, there is one 'single point of failure' seed, from which you can create tons of child keys, and you'll only ever need to back it up once.

If you don't have a HD wallet, you have a single private key with a single corresponding address. 'Deriving a limited amount' is not a thing. Some wallets may create a certain number of individual / unrelated private keys, 'throwing dice' for every key individually, so if you back those up, you can't 'derive' more keys later, of course, because there was absolutely no 'derivation' going on in the first place.

In practice though, as has been explained sufficiently, there is no reason not to use a HD wallet. User error is just so much more likely than facing an attacker with the capabilities assumed in the original post.

So in a non-HD wallet each private key is separated from any single point of failure. Well, this seems safer in theory then. If you use Bitcoin Core as a wallet, you are going to need the wallet.dat file anyway; you cannot just save some seed words like with Electrum, so if anything, not having an HD wallet forces you to do several backups often as well, which is not bad.

1) That point would be unfounded. Given that an attacker would require an unrealistic amount of resources to be able to brute-force your seed, it makes no sense to prefer one over the other. If both of them are, in theory, infeasible to brute-force, then it isn't a concern.

2) It doesn't lower your security. User error or negligence wouldn't concern the security of the seed. However, the security is again sufficient at 12 words, and anything beyond provides an insignificant amount of additional security.

Yeah, but I'm talking from a theoretical standpoint. While it may be impossible in practice, in theory it sounds better that one would have all keys separated from each other than tied to this seed thing from which all existing and future addresses will be derived.

1) I know in practice this is probably pointless, but in theory, is a non-HD wallet safer than an HD wallet, given that if the enemy somehow brute-forced the seed of an HD wallet he could derive all possible addresses generated through this seed, vs. an old non-HD wallet where he would only be able to derive a limited amount? (AFAIK non-HD wallets pre-generated a limited amount of addresses, but beyond that you were required to back up your wallet, so he couldn't get any addresses that were generated after the first backup was required; isn't this again, in theory, extra security by not having a single point of failure?)

Not really.

Keeping a bunch of miscellaneous private keys around is more cumbersome than storing a seed, and having just a small seed makes it harder to steal data since there's less of it.

In order to back up an HD wallet, you don't have to copy all the private keys. You just need to save the seed phrase (or wallet file + password), derivation path, and receive and change gap limits, which are the number of generated addresses.


2) In HD wallets, is anything beyond 12 words pointless? In theory, more words means more security, but in practice, doesn't this lower security? You may accidentally type a word the wrong way if you type it manually, or it just creates more bits of word material to store.

HD seeds are converted into bits and then passed through HMAC-SHA512 to create the master private key, so while 12 words give enough security now, the option to use 15, 18, 21 or 24 words allows us to future-proof seed phrases from things like quantum computers.

12-word and 24-word seed phrases have the same bits of security. That means 24 words does not have more security than 12 words. A 12-word seed phrase is highly secure enough.

This is not really true. The private keys may have the same bit-lengths, but the bit entropy from 24-word seed phrases is 2^12 larger than 12-word phrases (because 2^24 for 24 words / 2^12 for 12 words = 2^12 extra strength), which makes it harder to brute-force the master private key.

But like I said above, if you use Bitcoin Core, you need to carry your wallet.dat file anyway, so if anything, needing to do backups often is a healthy practice. I don't see the advantage of an HD wallet beyond the "spawn my wallet anywhere with 12 words" thing; the rest seems like a security compromise in theory.
n0nce
January 22, 2024, 10:55:47 PM
 #12

So in a non-HD wallet each private key is separated from any single point of failure. Well, this seems safer in theory then.
I deliberately wrote 'single point of failure' in quotes. In reality, you are the single point of failure, if you don't have backups. There is no world right now where someone is going to 'crack' one (or more) of your addresses. The only way to realistically lose BTC is through someone getting access to your seed phrase or losing it. That's why you should just not enter it anywhere online and have backups in place.

not having an HD wallet forces you to do several backups often as well, which is not bad.
I think it's pretty bad; as soon as you use your wallet once (generating a new address), you need to immediately back it up again; that's highly inconvenient.
Just create proper backups once (different mediums, like steel washers, put them in different safe locations) and call it a day.

Yeah, but I'm talking from a theoretical standpoint. While it may be impossible in practice, in theory it sounds better that one would have all keys separated from each other than tied to this seed thing from which all existing and future addresses will be derived.
What's the use of thinking about this theoretical scenario, though?

But like I said above, if you use Bitcoin Core, you need to carry your wallet.dat file anyway, so if anything, needing to do backups often is a healthy practice. I don't see the advantage of an HD wallet beyond the "spawn my wallet anywhere with 12 words" thing; the rest seems like a security compromise in theory.
Now you're talking about 'healthy practices' and the real world though, aren't you? It's hard to explain briefly, but let me tell you it is mathematically irrelevant whether you use a HD wallet or not; the likelihood of someone cracking your Bitcoin private key(s) and / or seed phrase from addresses can be considered 0 for all intents and purposes, in either case.

More about HD wallets here:
https://learnmeabitcoin.com/technical/hd-wallets
https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki
https://en.bitcoin.it/wiki/BIP_0032

ranochigo
January 23, 2024, 01:24:39 AM
 #13

So in a non-HD wallet each private key is separated from any single point of failure. Well, this seems safer in theory then. If you use Bitcoin Core as a wallet, you are going to need the wallet.dat file anyway; you cannot just save some seed words like with Electrum, so if anything, not having an HD wallet forces you to do several backups often as well, which is not bad.
That seems to be pushing the point a little bit too much. You shouldn't be forced to make multiple backups, and if they are made, then it should be for redundancy only. Disk drives are prone to corruption and degradation in general; it would be difficult to tell if there is a manufacturing defect or degradation that has occurred to your disk drive before it is too late. In comparison, backups on paper are far, far safer and verifiable.

Yeah, but I'm talking from a theoretical standpoint. While it may be impossible in practice, in theory it sounds better that one would have all keys separated from each other than tied to this seed thing from which all existing and future addresses will be derived.
Again, cost-benefit analysis. I'm not going to guard against infeasible and unrealistic attack vectors when there are more things to be worried about. If your seeds can be cracked, I don't see how there are more things to be worried about; your seed isn't any less secure than your private keys. If you are able to crack any of the seeds, then it would be reasonable to assume that all of your private keys, and by extension Bitcoin, are broken and insecure.

But like I said above, if you use Bitcoin Core, you need to carry your wallet.dat file anyway, so if anything, needing to do backups often is a healthy practice. I don't see the advantage of an HD wallet beyond the "spawn my wallet anywhere with 12 words" thing; the rest seems like a security compromise in theory.
It is not a security compromise if there are zero security benefits. It provides virtually zero extra security, especially if you realize that wallet.dat files are, by default, hierarchical deterministic as well; all of them can also be spawned from a single seed. If there were any security benefits, even marginal, you would think that the community would have ditched HD wallets in favour of individual generation. The truth is, we have evaluated the security tradeoffs, and there would be no reason why the industry standard would be HD wallets if we thought that the security tradeoffs mattered.

Your preference for using wallet.dat (HD or not) or mnemonic seed phrases should not be based on unfounded FUD.

BlackBoss_
January 23, 2024, 02:26:56 AM
 #14

2) In HD wallets, is anything beyond 12 words pointless? In theory, more words means more security, but in practice, doesn't this lower security? You may accidentally type a word the wrong way if you type it manually, or it just creates more bits of word material to store.
The more words in the seed, the more security you have, but whether 12, 18 or 24 words, you can only have security if you create your wallet and back it up safely.

If you make a backup that is unusable, it is useless for recovery later; it does not make any sense in security for your funds.

Make sure you always test that the backup works correctly and have some backups.

How to back up a seed phrase?

Never try to complicate your backup procedure, like splitting your seed phrase and some other weird backup methods. It will potentially cause failure in wallet recovery later.

Bitcoin Q&A: Why is Seed Splitting a Bad Idea?

Charles-Tim
January 23, 2024, 11:13:00 AM
 #15

The more words in the seed, the more security you have, but whether 12, 18 or 24 words, you can only have security if you create your wallet and back it up safely.
Zaguru12 is correct. 12-word seed phrases have 128 bits of security. 15-, 18-, 21- and 24-word seed phrases all have the 128 bits of security which Bitcoin private keys have.

It is correct that 15-, 18-, 21- and 24-word seed phrases have higher bits of security, but the bits of security that Bitcoin private keys have, which is 128 bits, make the longer seed phrases not have more than 128 bits of security. If you generate a 24-word seed phrase but 128 bits of security is compromised, that means your coins stored on the blockchain using the addresses you generate with the 24-word seed phrase will all be stolen, as their private keys can be brute-forced.
