8
1
Is 12-word seed phrase (as used by Electrum for example) safe enough for generating an offline wallet?
My understanding is this: 2048 words pool make 11 bits of entrophy per word. 12 words in seed make total 132 bits of entrophy.
Is this considered safe enough?
I'm not talking about being quantum-computing-resistent, just being infeasible to crack using brute force given the expected computing power in the foreseeable future.
1
128 bits is generally considered more than enough -- 132 bits is certainly sufficient.
4
Is this considered safe enough?
Nothing is "safe enough" if we do not know the cost.
OK, if you have $100k in bitcoins the 12-words phrase is safe enough.
If the 12-words phrase is the seed to the "Method of destroying the Universe" I would recommend to add at least 11 bits of entropy and use 13 words.
1
In short: 12-word seed has enough entropy to be safe against brute force attack.
First of all not all 132 bits are random. Seed uses some kind of control sum.
Lets talk about 128 bits of entropy.
Lets imaging the following attack:
We will take one billion (10^9) of the most powerful mining hardware in 2017 (13 TH/s each). We will make a 1000 years brute force attack to compromise any of existing billion (10^9) of wallets with coins inside.
This attack will check the following number of seed combinations:
10^9 * (13 * 10^12) * (1000 * 365 * 24 * 3600) = ~ 10^33 combinations checked
128 bits of entropy equals ~ 10^38 total combinations
It means the given attack has the following chance of breaking one of more of 10^9 wallets:
1/10^5 = 0.001%
P.S. Don't forget it is an extra complicated task to find out if this or that seed contains any money. Hash mining hardware has much more simple task. We don't have hardware to check seeds at the same rate as modern ASICs.
0
The security in bits of a 12-word mnemonic that has a valid checksum as per BIP39 is not 132 bits, but rather 128 bits, as the last 4 bits are determined based on the first 128 bits - the initial "entropy".
(2^128)*16 = 2^132), the checksum cannot
be predicted unless an attacker can break SHA256, as the checksum is
computed based on the hash digest of the leading 128 bits formatted
as a byte array.So the idea with the checksum was to slow an attacker from searching through all possible 12-word mnemonics of which there are 2^132 of them, even though the number of valid ones is 2^128 in terms of a valid checksum (as if reducing the strength from 12 words to 11.6363636364 words, since the checksum completes part of the last word), as an attacker would have to run the SHA256 algorithm each time which will slow their brute-force search.
In summary, I think a mnemonic with a valid checksum would be more safe than one without a checksum, on the basis that it's probably less likely for SHA256 to be cracked anytime soon which would otherwise speed a potential brute-force search of all mnemonics.
Note: If you wanted to square your security (i.e. raise it to the power of 2), a 24-word mnemonic which represents 264 bits (minus an 8-bit checksum) would be the square of two 12-word mnemonics in terms of bit security as 2^128*2^128 == 2^256.
Such a huge leap in security could help protect a user later from Grover's algorithm running on a fast-enough quantum computer which could perform such an n-time brute-force search in the "square of n-time", compared classical computers requiring n-time.
[Grover's algorithm][1] could brute-force a 128-bit symmetric cryptographic key in roughly 2^64 iterations or a 256-bit key in roughly 2^128 iterations. [excerpt from: https://en.wikipedia.org/wiki/Grover%27s_algorithm]
In other words, a 12-word mnemonic would have its security reduced to 64 bits (considered unsafe) in terms of classical computer security, while a 24-word mnemonic would only reduce to 128 bits in the same scenario.
So let's say I have $100k. Can you explain why this is considered safe? – shx2 – 2015-07-10T12:00:34.693
Because the attacker have to spend much more funds to bruteforce your key. Nobody will attack you. – amaclin – 2015-07-10T14:43:39.093
14To put exhaustive searches into perspective, the Bitcoin network to date has done approximately 83 bits of work. This is with hundreds millions of dollars worth of investment, likely millions of ASIC chips produced, and currently over 150 megawatt of power expenditure. – Anonymous – 2015-07-10T17:05:48.817
@Bitcoin your comment is the answer I was looking for. Thanks. – shx2 – 2016-08-09T02:40:04.617