Author

Topic: Seed phrase security (post-quantum) (Read 123 times)

jr. member
Activity: 34
Merit: 35
January 18, 2023, 08:11:09 AM
#4
Honestly i fail to see risk of quantum-computer towards BIP 39 mnemonic seed. There's no data which can be used by quantum-computer to perform attack. For comparison, Bitcoin address become vulnerable when it's public key is revealed.

Thanks. I agree with you. The best possible attack is probably simply the brute-forcing process which could be potentially (if QC will ever be that powerful enough) dangerous for 12word mnemonic seeds (Grover's algorithm could brute-force a 128-bit symmetric cryptographic key in roughly 2^64 iterations). Using 24word seed is probably safe.
jr. member
Activity: 34
Merit: 35
January 18, 2023, 05:46:35 AM
#3
Take note that since any bitcoin private key provides 128 bits of security, with increasing number of words in your seed phrase to more than 12, you don't increase your security.
Instead of trying to brute-force your seed phrase, the attacker can try brute-forcing the private key which provides the same security as a 12 word BIP39 seed phrase.

Let's just focus on those seed words, not ECDSA security. If we assume there will be some post-quantum cryptography and we will make a new wallet, will it be safe to generate the new wallet from the old seed? That is my point.
legendary
Activity: 2380
Merit: 5213
January 18, 2023, 05:44:20 AM
#2
Take note that any bitcoin private key provides 128 bits of security and with increasing number of words in your seed phrase to more than 12, you don't increase your security.
Instead of trying to brute-force your seed phrase, the attacker can try brute-forcing the private key which provides the same security as a 12 word BIP39 seed phrase.
jr. member
Activity: 34
Merit: 35
January 18, 2023, 04:56:25 AM
#1
If a user wants to use the mnemonic seed words for his wallet even in a few years/decades/..., will the same 24word seed be safe even in the post-quantum era? According to the BIP39 standard, it is protected by the HMAC SHA-512 hash function, so we assume that it is quantum-resistant (at least 256 bits of security post-quantum?). Let's not talk if QC are a real "threat", what the PQC will look like but just discuss the safety of those 24 words.

1) Do you think that from a UX point of view it will be possible to keep the existing seed and just generate a new PQC keys with a new derivation path?

2) I assume users with 12 words (128 bits of entropy without passphrase) would have to migrate to 24 words (256 bits of entropy) as 128 bits entropy is probably reduced to only 64 bits with Grover's algorithm.
Jump to: