2

Watching this Q&A with Andreas, he states that a 12-word recovery phrase offers the same amount of security as a 24-word seed phrase, as the output is 128 bits either way.

If this is the case, why do wallets use 24 word recovery phrases which adds extra user complexity for no, or a marginal at best, security improvement?

bosch-0
  • 41
  • 3

2 Answers

1

According to my calculator ...

  • 2^128 is around 3.4e+38.
  • 2048^12 is around 5.4e+39

So I guess Andreas is right (unsurprisingly). A randomly chosen 12 word phrase from a 2048-word dictionary has enough entropy to generate any 128-bit seed.

However, I am not a mathematician nor a cryptographer, so there may well be some other important factors I am unaware of.

The fact that the phrase incorporates a checksum must slightly reduce the number of random bits in the generated seed.


BIP39 says this:

We refer to the initial entropy length as ENT. The allowed size of ENT is 128-256 bits.

So BIP39 allows for much greater entropy.

...

The following table describes the relation between the initial entropy length (ENT), the checksum length (CS), and the length of the generated mnemonic sentence (MS) in words.

CS = ENT / 32
MS = (ENT + CS) / 11

ENT   CS   ENT+CS   MS
128   4    132      12
160   5    165      15
192   6    198      18
224   7    231      21
256   8    264      24

So the checksum is accounted for.

I didn't see much other relevant discussion of this aspect in the BIP.

RedGrittyBrick
  • 24,039
  • 3
  • 23
  • 47
  • The checksum is 4 bits for 12 words, which makes it 2048^12 / 2^4 = 2^132 / 2^4 = 2^128. Typically when a seed phrase is generated, it is done by generating 128 entropy bits, and then transforming that to the phrase with a checksum. The words represent the original entropy. The checksum is for error checking. – miketery Jul 03 '22 at 17:33
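The ENT/CS/MS arithmetic from the BIP39 table and the 2048^12 / 2^4 = 2^128 point from the comment, worked as an added Python example (not code from the answer or from BIP39's reference implementation). It works on 11-bit word indices rather than words, so the 2048-word list is not embedded; the all-zero entropy inputs used in the usage section are the well-known BIP39 test vectors ("abandon ... about" and "abandon ... art").

```python
import hashlib

WORDLIST_SIZE = 2048  # one BIP39 word encodes 11 bits, since 2**11 == 2048


def bip39_lengths(ent_bits: int) -> tuple[int, int]:
    """Return (CS, MS) for a given ENT, per BIP39: CS = ENT/32, MS = (ENT+CS)/11."""
    if ent_bits % 32 or not 128 <= ent_bits <= 256:
        raise ValueError("ENT must be 128-256 bits and a multiple of 32")
    cs = ent_bits // 32
    return cs, (ent_bits + cs) // 11


def entropy_to_indices(entropy: bytes) -> list[int]:
    """Append the checksum (first ENT/32 bits of SHA-256(entropy)) and cut into 11-bit indices."""
    ent_bits = len(entropy) * 8
    cs, ms = bip39_lengths(ent_bits)
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs)  # CS is at most 8 bits
    bits = (int.from_bytes(entropy, "big") << cs) | checksum   # ENT + CS bits in total
    return [(bits >> (11 * (ms - 1 - i))) & 0x7FF for i in range(ms)]


def indices_to_entropy(indices: list[int]) -> bytes:
    """Recover the original ENT bits from word indices; raise if the checksum does not verify."""
    ms = len(indices)
    # From MS = (ENT + ENT/32) / 11 it follows that ENT = MS * 32 / 3 (12 -> 128, 24 -> 256).
    if ms * 32 % 3 or any(not 0 <= i < WORDLIST_SIZE for i in indices):
        raise ValueError("invalid mnemonic length or word index")
    ent_bits = ms * 32 // 3
    cs = ent_bits // 32
    bits = 0
    for i in indices:
        bits = (bits << 11) | i
    checksum = bits & ((1 << cs) - 1)          # the low CS bits are the checksum
    entropy = (bits >> cs).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    if checksum != expected:
        raise ValueError("checksum mismatch")  # the phrase was mistyped or tampered with
    return entropy


if __name__ == "__main__":
    # BIP39 test vectors: 16 zero bytes -> 11 x "abandon" + "about" (index 3),
    # 32 zero bytes -> 23 x "abandon" + "art" (index 102). Only 2^128 (or 2^256)
    # of the 2048^12 (or 2048^24) index sequences pass the checksum.
    print(entropy_to_indices(bytes(16)))
    print(entropy_to_indices(bytes(32)))
    print(indices_to_entropy([0] * 11 + [3]) == bytes(16))
```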
0

My guess at this point is that it is much more difficult to brute force 24 words than 12. The resulting seed is no stronger, so actually brute forcing the seed would be more effective than guessing the 24 words.

John C.
  • 69
  • 2