https://www.youtube.com/watch?v=ZloHVKk7DHk
2^128 or 2^160 are both staggeringly large numbers. Incomprehensibly large.
Topic: Why do most HD seeds choose to give only 128-bits of entropy instead of 256? (Read 874 times)
December 16, 2014, 10:25:46 PM
December 16, 2014, 08:05:48 PM
If a bitcoin private key can be 256 bits of entropy, why is it then that most HD seeds choose to use only 128?
There are only a total of 2^160 valid bitcoin addresses in the end even though there are 2^256 private keys.
I am not sure about the details, so please correct me if I am wrong, but it seems to me that you don't really need 256bit entropy.
That's true, but it's not the most limiting factor.
The effective strength of ECDSA is roughly half the private key length, so 128 bits for secp256k1 used by Bitcoin. 2^128 is still a staggeringly big number, so it's probably nothing to worry about anytime soon.
128 bit seeds are easier to write down (BIP39 style), and 256 bit seeds probably aren't much stronger. This all assumes those 128 bits are actually generated from good entropy -- 256 bits of mediocre entropy are definitely better than 128 bits of mediocre entropy (and probably would make a practical difference).
Incidentally, I keep inserting "probably" everywhere because I'm not an expert, so take all this with a grain of salt....
December 16, 2014, 02:48:07 PM
If a bitcoin private key can be 256 bits of entropy, why is it then that most HD seeds choose to use only 128?
There are only a total of 2^160 valid bitcoin addresses in the end even though there are 2^256 private keys.
I am not sure about the details, so please correct me if I am wrong, but it seems to me that you don't really need 256bit entropy.
December 16, 2014, 02:37:45 PM
If a bitcoin private key can be 256 bits of entropy, why is it then that most HD seeds choose to use only 128?
Jump to: