Bitcoin Forum>Bitcoin>Development & Technical Discussion
Pages:
Author

Topic: Why 24 words? - page 2. (Read 537 times)

NotATether
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Re: Why 24 words?
December 28, 2020, 10:32:23 PM
#6
Quote from: pooya87 on December 28, 2020, 09:59:42 PM
Quote from: NotATether on December 28, 2020, 07:26:28 PM
Hardware wallets use them mainly. Since they intend these to be written down, 24 words provides greater protection in the case some of the words are accidentally exposed without the users' knowledge. The entropy space would still be far to large to attempt any kind of brute-forcing.
If equal number of words were missing from a mnemonic (eg. missing 3 words) then brute forcing a 24-word mnemonic is a lot easier than brute forcing a 12-word mnemonic because of a much bigger checksum used by 256-bit entropy that provides less collision ergo it requires a lot less full checks.

I don't quite understand the underlined part. Are you saying that brute forcing is easier when multiples of 3 words are revealed than other numbers of words?

I'm confused by how this would work in practice since each additional three words adds another checksum bit, but revelation of three words from my intuition still requires you to get all the checksum bits because you're running SHA256 once in both cases anyway.
pooya87
legendary
Activity: 3472
Merit: 10611
Re: Why 24 words?
December 28, 2020, 09:59:42 PM
#5
Quote from: NotATether on December 28, 2020, 07:26:28 PM
Hardware wallets use them mainly. Since they intend these to be written down, 24 words provides greater protection in the case some of the words are accidentally exposed without the users' knowledge. The entropy space would still be far to large to attempt any kind of brute-forcing.
If equal number of words were missing from a mnemonic (eg. missing 3 words) then brute forcing a 24-word mnemonic is a lot easier than brute forcing a 12-word mnemonic because of a much bigger checksum used by 256-bit entropy that provides less collision ergo it requires a lot less full checks.
NotATether
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Re: Why 24 words?
December 28, 2020, 07:26:28 PM
#4
Quote from: Evilish on December 28, 2020, 06:00:43 PM
12 words are secure enough on their own. But keep in mind, 24 words provide 256 bit entropy (vs 128 bit entropy that 12 words provide). I imagine that plays a role in 24 words being more preferred, because greater entropy is always better right? But like you mentioned that comes with greater inconvenience.

I wonder if there's a reason behind that other than just 256 > 128 because 128 bit entropy is very secure on its own. IIRC Bitcoin's 256 bit ECDSA signatures also have 128 bit entropy.

Hardware wallets use them mainly. Since they intend these to be written down, 24 words provides greater protection in the case some of the words are accidentally exposed without the users' knowledge. The entropy space would still be far to large to attempt any kind of brute-forcing.

Quote from: Evilish on December 28, 2020, 06:00:43 PM
I myself use 24 words because I am simply not knowledgeable enough in cryptography and don't wanna leave anything up for any potential future risks. I am all for greater security even if it comes with a slight inconvenience.

You'd be equally safe using 12 words because the entropy space that has to be searched is 2^128. Anything under that is prone to brute-forcing.

And using a random password for the seed multiplies the search space with the password's entropy. Dictionary-based passwords don't really provide any additional protection because everyone has tools for this.
Evilish
hero member
Activity: 882
Merit: 563
Bitcoin to the moon!
Re: Why 24 words?
December 28, 2020, 06:00:43 PM
#3
12 words are secure enough on their own. But keep in mind, 24 words provide 256 bit entropy (vs 128 bit entropy that 12 words provide). I imagine that plays a role in 24 words being more preferred, because greater entropy is always better right? But like you mentioned that comes with greater inconvenience.

I wonder if there's a reason behind that other than just 256 > 128 because 128 bit entropy is very secure on its own. IIRC Bitcoin's 256 bit ECDSA signatures also have 128 bit entropy.

One scenario I imagine is if you split your seed into three to store as 2 of 3 factors of authentication, in case of 24 words, attacker would have to crack more words if they get their hands on one copy versus if you were using 12 words.

But then again. If you use a passphrase to secure your seed, then 12 words should be more than enough even taking my above point into consideration.

I myself use 24 words because I am simply not knowledgeable enough in cryptography and don't wanna leave anything up for any potential future risks. I am all for greater security even if it comes with a slight inconvenience.
HCP
legendary
Activity: 2086
Merit: 4363
Re: Why 24 words?
December 28, 2020, 05:40:47 PM
#2
Quote from: BlackHatCoiner on December 28, 2020, 05:12:02 PM
I've noticed that on BIP39 total words on mnemonics can be either 3, 6, 9, 12, 15, 18, 21 or 24.
To be technically compliant with BIP39... they should be 12, 15, 18, 21 or 24 words. The BIP39 specification says the initial entropy needs to be between 128 and 256 bits.

Quote from: BlackHatCoiner on December 28, 2020, 05:12:02 PM
Using mnemonic lower than 12 words, has low entropy and can be guessed by an attacker. While most of the wallets use the 12 words option, some others have different philosophy. For example, trezor chooses to use 24 words. Since 12 words are strong enough, why should someone use more than that? Does it offer extra security? I doubt.
(Isn't it 128 and 256 bits?)
Technically, yes... it does offer "more" security... but it's like saying that it's more difficult to get to Pluto than to Jupiter because it's further away... they're both a looooooooong way away and very difficult to get to... but one is technically further away than the other. Same with 128bit vs. 256bit entropy... the latter is theoretically "harder" to bruteforce than the other by sheer fact that it's so much bigger, but the former is already "impossible" to bruteforce anyway.


Quote from: BlackHatCoiner on December 28, 2020, 05:12:02 PM
Mnemonics tend to be easy to memorize, besides on their writing convenience. If you really want to keep your funds safe, but are afraid of losing them, you can try to memorize the words. I personally haven't, because I don't think I need to, but it's possible with only 12 words. With 24, it isn't.
Because attempting to memorise 12 words and keep them memorised over a long period of time is a recipe for disaster. There are countless threads on these forums where people struggle to remember all sorts of things (wallet passwords, words from mnemonics, what software they had installed, when they did things etc) Roll Eyes

Human memory is a delicate thing... a simple knock to the head from any manner of things can cause "permanent" memory loss.

IMO, there is no way that memorising a 12 word seed is a way to "really keep your funds safe"... quite the opposite in fact.
BlackHatCoiner
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Re: Why 24 words?
December 28, 2020, 05:12:02 PM
#1
I've noticed that on BIP39 total words on mnemonics can be either 3, 6, 9, 12, 15, 18, 21 or 24. Using mnemonic lower than 12 words, has low entropy and can be guessed by an attacker. While most of the wallets use the 12 words option, some others have different philosophy. For example, trezor chooses to use 24 words. Since 12 words are strong enough, why should someone use more than that? Does it offer extra security? I doubt.
(Isn't it 128 and 256 bits?)

Mnemonics tend to be easy to memorize, besides on their writing convenience. If you really want to keep your funds safe, but are afraid of losing them, you can try to memorize the words. I personally haven't, because I don't think I need to, but it's possible with only 12 words. With 24, it isn't.
Pages:
Bitcoin Forum>Bitcoin>Development & Technical Discussion
Jump to: