
Topic: Quick question regarding valid private keys per address (Read 976 times)

hero member
Activity: 836
Merit: 1030
bits of proof
Actually the generation of the word lists from a given entropy does not increase it, if the dictionary is known and fixed, just like hashing does not.
Therefore the key set size is determined by the entropy generator. I was overestimating the entropy using the stats of the language.
hero member
Activity: 836
Merit: 1030
bits of proof
If those words were used as an alphabet then they would define a 2048^12 or 132 bit key space.

The word lists are instead hashed (see BIP39) which gives an approximate entropy of 2.62*4.5*12 = 141 bits.

FYI BIP-39 (and Electrum 2.x) starts with a specific amount of entropy, and then derives the words from that entropy, not the other way around as you implied. Typically, this is 128, 192, or 256 bits for 12, 18, or 24-word long mnemonics.

(and of course the hashing which follows does nothing to increase that initial entropy)

Yes, the user would be a worse source of entropy if he were to choose the words directly.
My point is that if you are able to encode entropy into 12 words then it cannot be more than the entropy represented by 12 words, no matter its source.

You are right, that there are options generating a longer list, but I think default is 12 in popular wallets.
hero member
Activity: 672
Merit: 504
a.k.a. gurnec on GitHub
If those words were used as an alphabet then they would define a 2048^12 or 132 bit key space.

The word lists are instead hashed (see BIP39) which gives an approximate entropy of 2.62*4.5*12 = 141 bits.

FYI BIP-39 (and Electrum 2.x) starts with a specific amount of entropy, and then derives the words from that entropy, not the other way around as you implied. Typically, this is 128, 192, or 256 bits for 12, 18, or 24-word long mnemonics.

(and of course the hashing which follows does nothing to increase that initial entropy)
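
The entropy-to-words direction described in the post above, as an added example that is not part of the original thread: it follows the BIP-39 encoding step (entropy plus SHA-256 checksum bits, split into 11-bit groups) and shows that of the 2048^12 = 2^132 possible 12-word sequences only 2^128 pass the checksum. It works with word-list indices rather than the words themselves, and the function names are hypothetical.

```python
import hashlib

WORD_BITS = 11  # 2048-entry word list: each word encodes 11 bits


def mnemonic_indices(entropy: bytes) -> list:
    """BIP-39 encoding: entropy plus SHA-256 checksum bits, cut into 11-bit indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("BIP-39 entropy is 128 to 256 bits in 32-bit steps")
    cs_bits = ent_bits // 32  # 4 checksum bits for 128 bits of entropy
    digest = int.from_bytes(hashlib.sha256(entropy).digest(), "big")
    checksum = digest >> (256 - cs_bits)  # leading cs_bits of the hash
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // WORD_BITS
    return [(combined >> (WORD_BITS * (n_words - 1 - i))) & 0x7FF
            for i in range(n_words)]


def indices_valid(indices) -> bool:
    """True if some entropy value actually encodes to this index sequence."""
    if len(indices) not in (12, 15, 18, 21, 24):
        return False
    total_bits = len(indices) * WORD_BITS
    cs_bits = total_bits // 33  # one checksum bit per 32 entropy bits
    combined = 0
    for idx in indices:
        combined = (combined << WORD_BITS) | idx
    entropy = (combined >> cs_bits).to_bytes((total_bits - cs_bits) // 8, "big")
    return mnemonic_indices(entropy) == list(indices)


def valid_last_words(first_eleven) -> int:
    """Count the final words (out of 2048) that complete a valid 12-word mnemonic."""
    return sum(indices_valid(list(first_eleven) + [w]) for w in range(2 ** WORD_BITS))


if __name__ == "__main__":
    # Constructed sample input: 128 bits of all-zero entropy.
    print("indices for zero entropy:", mnemonic_indices(bytes(16)))
    # 11 words fix 121 bits; the last word carries 7 entropy bits + 4 checksum bits.
    print("valid last words for 11 fixed words:", valid_last_words([0] * 11))
    print("word-sequence space: 2^%d, valid mnemonics: 2^%d" % (12 * WORD_BITS, 128))
```
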
hero member
Activity: 836
Merit: 1030
bits of proof
If you like playing with those numbers also consider that private keys in modern wallets are generated from word lists of length 12.
If those words were used as an alphabet then they would define a 2048^12 or 132 bit key space.

The word lists are instead hashed (see BIP39) which gives an approximate entropy of 2.62*4.5*12 = 141 bits.

Therefore the attainable private key set in modern wallets is smaller than the 160 bit range of addresses.

Using entropy estimates from here: http://people.seas.harvard.edu/~jones/cscie129/papers/stanford_info_paper/entropy_of_english_9.htm
legendary
Activity: 1260
Merit: 1019
yes.
may be slightly less, may be slightly more
full member
Activity: 131
Merit: 101
Since the private key space is 2^256 and the address space is 2^160 each address can be created from 2^96 private keys on average.

Now you can either use the uncompressed or the compressed public key to compute an address.

Does this imply that each address corresponds to 2 * 2^96 private keys? (2^96 private keys with a valid uncompressed public key and 2^96 private keys with a valid compressed public key)