I'm no expert either but frankly I don't see how the base security of a random chunk of 128 or 256 bits is hampered by BIP39 representation of it with human readable and easily writable words.
Disclaimer: I still use BIP39 wallets, but the majority of my wallets are Electrum ones.
I will derail a little, but the reason I do so is to express an opinion that BIP39 is not bad by default.
Yes, there are issues with BIP39, but after all, it still represents a universal way to secure bitcoin, which is addressed to the great majority of people.
Bitcoin's cryptographical security is 128 bits.
Bitcoin uses the secp256k1 elliptic curve to derive a public key from the equivalent private key.
That said, if someone wanted to solve the ECDSA algorithm in reverse order (to derive the private key from the public key), they would need to put in an effort that is, on average, equivalent to n/2 = 256/2 = 128 bits.
So, there is absolutely no way to get a higher average security than 128 bits.
Entropy's security is 128 - 256 bits (but there is catch, because it can actually range from 0 to 256).
12 words in BIP39 is a representation of 128 bits of initial entropy (like you said).
24 words in BIP39 is a representation of 256 bits of initial entropy.
A sequence of bits (entropy) when it's gathered from a good entropy source can be as high as 128 or 256 bits.
A sequence of bits (entropy) when it's gathered from a human brain can be as low as 0 bits.
Final notes:
- 12 words in BIP39 is more than enough, security-wise, provided the entropy is produced from a good source. The problem (if any) lies in the PBKDF, which produces the seed from the mnemonic phrase. People say that this can reduce the initial entropy. I silently agree with them, but I need to educate myself more before writing something here.
- We are doing multisig, passphrases etc. in order to avoid human error as much as we can, or in order to avoid the chance that a thief can compromise one of our backups and retrieve all of our funds. I could theoretically have a 5-of-5 multisig vault where all the cosigners are produced from different, good sources of entropy. I could also make sure that nobody had access to any of these cosigners. Then, I could send some funds to one of the addresses of this vault. Then an attacker would still need on average 128 bits of effort to create a script that unlocks my funds on that address.
- It is exponentially easier for a wallet to be compromised by human error, rather than by compromising bitcoin's cryptographical security.
- The private key cd6357efdd966de8c0cb2f876cc89ec74ce35f0968e11743987084bd42fb8944 looks like a random hexadecimal number. If you try to solve the ECDLP backwards, you will indeed need 128 bits of effort to retrieve this private key from the corresponding public key. But if you try something more sophisticated, you will very easily realise that this private key is the sha256("dog"). So bitcoin can give you 128 bits of security but you are responsible not to make stupid moves to diminish this security.
- The most important thing in bitcoin is the backup system. This is where security lies. This is where people lose funds from. If you create a wallet using a reputable entropy source on an airgapped device, write down your seed phrase (12 words) twice, and then store the 2 pieces of paper in separate locations, the only way that you can lose funds is if someone finds these backups. So again, it won't be BIP39, nor Bitcoin, to blame. It will be your (or better say, our) inability to find a secure place to store our seed phrase.
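The post above makes three mechanical claims: 12/24 BIP39 words encode 128/256 bits of entropy (plus a checksum), the seed is produced from the mnemonic by a PBKDF, and a key chosen as sha256("dog") has far less than 128 bits of security no matter how random it looks. The following is an added example, not code from the post or from any wallet project, that walks through each of those using only the Python standard library. The BIP39 wordlist itself is not embedded, so the mnemonic step returns the 11-bit word indices rather than the words; the all-zero entropy input and the candidate word list for the dictionary attack are constructed sample inputs, and `CANDIDATE_WORDS` is a hypothetical stand-in for an attacker's real dictionary.

```python
import hashlib
import unicodedata
from typing import Iterable, List, Optional

# Constructed sample input: the all-zero 128-bit entropy from the published
# BIP39 test vectors (its mnemonic is "abandon" x11 followed by "about").
SAMPLE_ENTROPY_128 = bytes(16)


def bip39_word_indices(entropy: bytes) -> List[int]:
    """Map raw entropy to the 11-bit wordlist indices a BIP39 mnemonic encodes.

    ENT bits of entropy get a checksum of ENT/32 bits (the leading bits of
    SHA-256 over the entropy) appended, and the ENT+ENT/32 bits are split into
    11-bit groups: 128 bits -> 12 words, 256 bits -> 24 words. The word itself
    is wordlist[index]; the 2048-word list is not embedded here.
    """
    ent = len(entropy) * 8
    if ent not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16..32 bytes in 4-byte steps")
    cs = ent // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    bits = (int.from_bytes(entropy, "big") << cs) | checksum
    total = ent + cs
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from the mnemonic sentence.

    This is the PBKDF step the post refers to: PBKDF2-HMAC-SHA512 with 2048
    rounds, the NFKD-normalised sentence as the password and the string
    "mnemonic" + passphrase as the salt. The passphrase is an additional secret,
    not a checksum: a different passphrase silently yields a different wallet.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


# Constructed, hypothetical candidate list standing in for an attacker's
# dictionary. Real brainwallet crackers use lists with billions of entries.
CANDIDATE_WORDS = ["password", "bitcoin", "cat", "dog", "satoshi"]


def brainwallet_privkey(secret: str) -> str:
    """The "brainwallet" construction from the post: privkey = sha256(secret)."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def recover_brainwallet(privkey_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack on a brainwallet key.

    Solving the ECDLP would cost ~2^128 work, but a key derived from a human-
    chosen word is recovered with one hash per candidate: the effective
    entropy is log2(dictionary size), not 128 bits.
    """
    for word in candidates:
        if brainwallet_privkey(word) == privkey_hex:
            return word
    return None


if __name__ == "__main__":
    print("12-word indices:", bip39_word_indices(SAMPLE_ENTROPY_128))
    mnemonic = " ".join(["abandon"] * 11 + ["about"])
    print("seed (no passphrase):", bip39_seed(mnemonic).hex())
    key = "cd6357efdd966de8c0cb2f876cc89ec74ce35f0968e11743987084bd42fb8944"
    print("brainwallet secret for", key[:8] + "...:", recover_brainwallet(key, CANDIDATE_WORDS))
```

The seed derivation is checked against the first published BIP39 English test vector (all-zero entropy, passphrase "TREZOR"), which is the easiest way to confirm a hand-rolled implementation before trusting it with real entropy. Note that the index function only accepts the five entropy sizes BIP39 defines; anything else is rejected rather than silently padded.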