Many participants in the cryptocurrency community are convinced that a 24-word seed phrase is safer than a 12-word one. Even the well-known Bitcoin evangelist Andreas Antonopoulos admitted that he believed a longer seed was more reliable.
Together with the Bitcoin mixer Mixer.money, we explain why 12 words are sufficient to safeguard funds.
How a seed phrase protects the private key
Software and hardware Bitcoin wallets generate private keys of 256 bits — long alphanumeric sequences such as KxBacM22hLi3o8W8nQFk6gpWZ6c3C2N9VAr1e3buYGpBVNZaft2p.
In 2013, developers introduced the BIP39 proposal to the Bitcoin ecosystem; it describes a mechanism for generating mnemonic codes (seed phrases) of 12 to 24 words.
“Users want to maximise the safety of their savings, so they intuitively choose ‘reliable’ 24-word backups. They hope for higher seed entropy, which in reality increases the security of the private key only theoretically,” — say the representatives of Mixer.money.
An attacker can target the private key in two ways — attempt to recover it from the Bitcoin address or brute-force the mnemonic phrase.
The first attack is also known as ECDLP (Elliptic Curve Discrete Logarithm Problem) — the problem of discrete logarithms in the group of points on an elliptic curve. In theory, an attacker could solve it for an address holding a large number of coins.
The Bitcoin protocol uses elliptic-curve cryptography, and specifically the curve secp256k1. It allows the rapid generation of public keys and Bitcoin addresses based on private keys. The reverse process — recovering private keys from public keys — is practically impossible.
Solving ECDLP for secp256k1 with Pollard's rho algorithm halves the effective strength of the key (from 256 to 128 bits) and requires on the order of 2^128 operations. Even that would take billions of years on modern computers.
The second attack is a brute-force of the seed phrase. The number of combinations for a 12-word seed is 2048^12. Discard seeds with an incorrect checksum and 2^128 valid phrases remain. The brute-force would also take billions of years.
“The probability of finding the mnemonic code by modern technical means is negligibly small. Using 24 words will, without a doubt, increase the already enormous brute-force time by many orders of magnitude, but there is no practical value to it,” — comment the Mixer.money team.
Why long seed phrases are unnecessary
12 words are enough to generate private keys with 128-bit security strength. Reducing the seed by even two words would make brute-force attacks feasible.
A longer mnemonic phrase has a greater level of entropy. Yet the Bitcoin protocol remains based on secp256k1 with 128-bit security.
A private key derived from 24 words therefore offers the same 128-bit security. It can be cracked, just like a key from a 12-word seed, in about 2^128 operations.
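The two counts above (2048^12 raw combinations versus 2^128 checksum-valid phrases) and the 128-bit cap from ECDLP can be checked directly. The following is an added example, not code from the article or from Mixer.money; it implements the BIP39 entropy-to-word-index step with the checksum rule (ENT/32 bits of SHA-256 appended, then 11-bit groups) and works on word indices rather than the 2048-word list, so it runs without the wordlist file.

```python
import hashlib

BIP39_ENT_BITS = (128, 160, 192, 224, 256)  # allowed entropy sizes


def entropy_to_indices(entropy: bytes) -> list:
    """BIP39: append the first ENT/32 bits of SHA-256(entropy) as a checksum,
    then split the result into 11-bit groups; each group is a word index."""
    ent_bits = len(entropy) * 8
    if ent_bits not in BIP39_ENT_BITS:
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    cs_bits = ent_bits // 32                      # 4 bits for 12 words, 8 for 24
    digest = hashlib.sha256(entropy).digest()
    bits = int.from_bytes(entropy, "big") << cs_bits
    bits |= digest[0] >> (8 - cs_bits)            # cs_bits <= 8: fits in byte 0
    total = ent_bits + cs_bits                    # 132 or 264 bits
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def indices_valid(indices: list) -> bool:
    """Recompute the checksum from word indices. A False result means BIP39
    could never have produced this phrase, so a brute-forcer can skip it."""
    n = len(indices)
    if n not in (12, 15, 18, 21, 24) or any(not 0 <= i < 2048 for i in indices):
        return False
    total = n * 11
    cs_bits = total // 33                         # ENT/32 where ENT+CS = 11*n
    ent_bits = total - cs_bits
    bits = 0
    for i in indices:
        bits = (bits << 11) | i
    entropy = (bits >> cs_bits).to_bytes(ent_bits // 8, "big")
    return entropy_to_indices(entropy) == indices


def valid_phrase_count(words: int) -> int:
    """Phrases that pass the checksum: one per entropy value, i.e. 2**ENT,
    against 2048**words raw word combinations."""
    ent_bits = words * 11 - words * 11 // 33
    return 2 ** ent_bits


def effective_security_bits(words: int) -> int:
    """Strength of the derived key: seed entropy, capped at the ~2**128
    Pollard-rho cost of ECDLP on secp256k1 (the article's argument)."""
    ent_bits = words * 11 - words * 11 // 33
    return min(ent_bits, 128)


if __name__ == "__main__":
    # Constructed input: the all-zero BIP39 test vector, 12 and 24 words.
    print(entropy_to_indices(bytes(16)))          # [0]*11 + [3]  ("... about")
    print(entropy_to_indices(bytes(32)))          # [0]*23 + [102] ("... art")
    print(valid_phrase_count(12) == 2 ** 128, 2048 ** 12 == 2 ** 132)
    print(effective_security_bits(12), effective_security_bits(24))
```

The indices match the published BIP39 English test vectors (word 3 is "about", word 102 is "art"), and the 24-word case shows 256 bits of entropy collapsing to the same 128-bit effective strength.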
“A 12-word seed is more vulnerable only if the attacker already knows the set of words and can quickly determine their order.
But even in such a scenario a long phrase is unlikely to save the wallet owner: during backup users pay equal attention to the words and their order. If a hacker has accessed the mnemonic code, he probably knows both.
You can strengthen the protection of seed phrases against such brute-forcing, but the security foundation of Bitcoin will still reside in the private key,” — conclude the analysts at Mixer.money.
Conclusions
Twelve words are sufficient to generate a robust secret and protect against brute-forcing. A seed phrase of that length offers the same security as the private key itself.
Mixer.money notes that losses in Bitcoin can result not only from theft but also from a mistake when creating a backup. From this perspective, a 12-word mnemonic phrase is safer: users are more likely to write it down correctly.
