Topic: Does more seed words equal better security? - page 2. (Read 1166 times)

We are having a discussion about the security of different seed phrases. No one is beating their chest about anything.

Here you go with the "personal selection" again. Humans are not random. Despite how random you think you are being, you aren't. I'll take 128 bits of properly generated entropy over any of your "human chosen words from a list of 32,000 words" any of the day week. Not to mention that choosing words is the completely wrong way to think about the whole thing. You generate entropy, not words. The words are simply an encoding of the entropy.

Are 256 bits of entropy encoded by 24 words more secure than 128 bits of entropy encoded by 12 words? Sure.
Does that result in private keys which are more secure? No.
Is any harebrained scheme where someone picks their own words going to be more secure than either of those? No.

Don't miss the forest for a tree; the title may say that, but in the original post, 20kevin20 asks if Bitcoin would be more secure if we extended the phrase with additional words. Therefore, we answer that an attacker will prefer computing 2¹⁶⁰ hashes rather than a range of mnemonics which exceeds it. Besides that, calculating a RIPEMD-160 hash takes less time than generating a BIP39 seed.

Again, if it exceeds the time 2¹⁶⁰ hashes would take, then the point is lost.

Seems that I got confused. Yes, it would be easier.

On the other hand, while attacking specific seed, it's way more probable to stumble upon another seed before finding it.


If my numbers are correct generating one public key from private is ~68 times slower than a single HMAC-SHA512. That's why I assume elliptic curve operations are the slow thing here.

its been many posts and many hours. and i still see people beating their chest showing off how much they know about the math of the hashing cycle of sha, ecdsa and ripemd160..

but the question of SEEDS.. is the part pre hashing cycle
and thats about the human security of what randomiser/human personal selection entropy
which can make the difference between 500¹² or 2048¹²

yet again. if they want to talk about the 2¹⁶⁰ post hash cycle(a)
they are ignoring the less secure(b,c)

a. 2¹⁶⁰ =      1461501600000000000000000000000000000000000000000
b. 2048¹² =                   5444517900000000000000000000000000000000
c. 500¹² =                                       488281250000000000000000000000

by the way.
having 10 seed words of 32000 library(d) is more secure than 12seed with with randomiser(b) or personally chosen(c)
d. 3200¹⁰ =        1125899900000000000000000000000000000000000000

and thats without having to do any gorilla chest beating of whos the smartest and explaining the hashing functions

yep you will have much better luck brute forcing seeds in (b,c,d) than you would by trying all (a) combinations
so. try to keep to the topic of the SEEDs and not the post ripemd160 entropy

remember the question is
"does more seed words"
not
"whats the most combinations post keyhash cycle"

Allow me to rephrase. Yes, finding a valid Electrum seed requires 3 times the hashes of a valid BIP39 seed (assuming it takes a full 4096 attempts to find a valid prefix), but if searching the entire space for a specific seed, then it would be easier with Electrum seeds than with BIP39 seeds, no? There are fewer valid Electrum seeds as you point out here:

Sure, but an additional three HMAC-SHA512s and additions per derivation path is not trivial when considering 2¹²⁸ seeds.

The opposite. Attacking specific Electrum seed is 3 times harder compared to BIP39, if we look at single derivation path. Attacking sufficient number of derivation paths (100?) makes the difficulty same.


The difficulty in derivation is mainly the number of elliptic curve multiplications (by scalar), m/0/0 uses 3 multiplications and 2 additions. m/0'/0/0 does exactly the same, so does m/84'/0'/0'/0/0. m/0'/0' is single multiplication. Non-hardened child means we need the parent public key, and have to add it to another public key.

Good point. So attacking a specific seed is easier for Electrum seeds, but if attacking any used seed then that may not be the case. Interestingly, if you assume 100 times more BIP39 than Electrum seeds as you have, then you end up with very similar numbers between the two.

Remember as well that Electrum uses simpler derivation paths which would be easier to derive than the BIP39 ones. It uses m/0/0 for the first legacy address, and m/0'/0/0 for the first segwit address.

Only when doing exhaustive search. But then "ease" of attack depends on other things as well. What is the proportion of BIP39 seeds versus Electrum ones? If there are 100 times more BIP39 seeds than Electrum, then the chance of stumbling upon BIP39 is higher.

I looked up PBKDF2 vs Address Derivation timings, and for the usual non-hardened addresses (m/84'/0'/0'/0/0) AD is about 10 times faster than PBKDF2. Hardened only derivation is 30 times faster. Specialized hardware might change the ratio.



Entropy is a word with many meanings. The Shannon Entropy, measured in bits, does decrease. It has nothing to do with how many calculations are done.

Someone hand picking words is almost certainly going to be less secure than a randomly generated 12 word seed phrase, regardless if they are picking from a list of 500 words or 32k words or 100k words.

There should not be a human element at all. You should allow your software to randomly generate entropy for you. As soon as you introduce a human element, then you are far less secure than if you just let the software generate a 12 word seed phrase for you.

No, it doesn't. The number of words or the size of the library have no direct correlation with "randomness". I could pick the same word 12, or 20, or 100 times and be far less secure than a standard 12 word BIP39 seed phrase.

Why would someone handpicked twelve words since he can generate them and ensure that he's made a completely unpredictable choice? As you said, there may be people who won't use specific words, but that doesn't matter that much; it matters the fact that they won't make an unpredictable guess while the whole point of cryptography is to always generate the private key with no human intervention. (Knowing what he's doing)

The point of this thread is to give an answer if the more words means the better security and we've explained that an attacker won't have to brute force an extremely long seed phrase; he'll find it easier to successfully find a RIPEMD-160 collision instead.

yet again..
my whole point was..
the HUMAN ELEMENT

someone handpicking 12 words. means their entropy of library might just be 500 words they commonly use and are personal to them..
EG many IT/Network nerds might choose words affiliated with IT/networking. and not even think to uuse words like 'voyage' / vicious

so 12 words of a library of 500 handpicked words is very bad.
(its why a few passphrase wallets got emptied)

next up is the HUMAN element of when using a randomiser
is it better to have 12 words or 24 words of a 2048 library
or a 20 word of a 32k library

and the answer is. most people write down their seeds so human memory is of no issue and so a 20 word of 32k library allows for the most randomness

..
i honestly thought this topic was about seed word security of DO MORE SEED WORDS EQUAL BETTER SECURITY
seems many want to think its about the edcsa sha ripemd160 process, and the pre to post bit differences either side of that process..

but anyways moving on, ive said my peace

answering to below..
(sticking with speaking laymans<-emphasis)
(using basic math of entropy and not the technical anals of acertain wallets prefered method of conversion)
i know you want to obsess about the 2¹⁶⁰ to go through all keys..

but for a HUMAN wanting to know his security risk of HIS seed key..
ill lay out the math
how many combinations:
a. 2¹⁶⁰ =      1461501600000000000000000000000000000000000000000
b. 2048¹² =                   5444517900000000000000000000000000000000
c. 500¹² =                                       488281250000000000000000000000

a=ripemd160 combinations
b=12 seed with 2048 library+good randomiser
c=manually choosing personalised words from common vocab

his 12 word seed with 2048 library. can be found easier then ripemd160
his personally chosen words from his common vocab can be found even easier

so if a brute forcer was looking for a particular persons seed and knew his vocab preference by scanning all his posts and finding the words he uses.
a bruteforcer could find his seed in 19 less significant figures then bruteforcing all ripemd combinations

it doesnt matter about how many combinations there are in the hash process
because his seed keys have less combinations at the beginning

its never a debate about total combinations a process allowes
its that his key is somewhere in the middle of
5444517900000000000000000000000000000000
or
488281250000000000000000000000
before it even goes though any particular wallets prefered conversion method

Fixed, thanks.

Ahh right, I'm with you now. So yes, it is harder to attack a single valid Electrum seed compared to a single valid BIP39 seed, but for a 3 character prefix there are only 2¹²⁰ valid Electrum seeds compared to 2¹²⁸ valid seeds for BIP39. Does this not making attacking an Electrum seed theoretically easier? (2^132.58 versus 2¹³⁹ as I stated above?)

This is exactly what I said above:

The reason why this does not result in a loss of entropy is that you cannot know in advance if a seed is valid or not prior to checking the seed. You will need to perform a calculation on every seed candidate before ruling it out as not being your seed. According to the electrum devs, the cost to rule out a seed candidate as being outright invalid is less than calculating the actual seed. While technically not reducing the number of bits of entropy, it would somewhat reduce the cost of a bruteforce attack with a given n bits of entropy, when compared with a setup in which every seed candidate is valid.

I would compare the above to j2002ba2's above comparison to only accept dice rolls that are a 1 or a 6 on a 6-side dice. In his example, no calculation is needed in advance, the dice is reduced to a coin, with one side being valued as True and the other being valued as False, and the seed is calculated accordingly. An individual attacker may not specifically know you are using the "1" and "6" constraints but may bruteforce with two random numbers in order to have a lower space of possible values, and with many attackers, one will eventually try 1 and 6. 

You mean 3 hex digits (or 3 nibbles).

I don't follow you here. Why is it 3x PBKDF2 for Electrum?