According to BIP32's "Master key generation" section, "256 bits is advised".
See https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#Master_key_generation
Why did BIP32 consider 256 bits to be the recommended seed size, and why did the authors of so many Bitcoin wallet implementations consider 256 bits unnecessary?
Thanks for your answer, Pieter. I'm not quite clear though: As you say, both public keys (compressed representation EC points) and private keys (scalars) are each represented with 256 bits, but they both have an effective bit strength of just 128 bits. Therefore why is there any advantage at all in generating scalar keys from a seed that has any more than 128 bits of entropy? The only reason I can think of is that bit strength is reduced a little when the seed is hashed to derive subkeys, but that would explain a recommendation for a seed of e.g. 140 bits rather than of a full 256 bits. – knaccc – 2018-05-27T23:11:44.510
Well, being able to break an EC key with just 2^128 steps is somewhat theoretical. In practice, these algorithms have significant memory/cpu tradeoffs, and in practice would still be much slower than a straight 2^128 exhaustive search on keys with just 128 bits of entropy. I guess the answer is defense in depth: less than 128 bits of entropy definitely hurts security. Less than 256 bits may hurt. More than 512 bits can't help. – Pieter Wuille – 2018-05-28T01:01:36.727
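For reference, the master key generation step that the question cites from BIP32, as an added example that is not part of the original thread or of any wallet's code. The function names `new_seed` and `master_key_from_seed` are hypothetical; the HMAC key, the 128 to 512 bit seed range and the validity check follow the BIP32 text. It shows that the master key is always 256 bits wide whatever the seed length, so the seed's entropy is the only part the wallet controls.

```python
import hashlib
import hmac
import secrets

# Order of the secp256k1 group; a valid private key k satisfies 0 < k < N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Seed length bounds from BIP32 "Master key generation".
MIN_SEED_BITS, ADVISED_SEED_BITS, MAX_SEED_BITS = 128, 256, 512


def new_seed(bits=ADVISED_SEED_BITS):
    """Draw a seed from the OS CSPRNG (hypothetical helper)."""
    if bits % 8 or not MIN_SEED_BITS <= bits <= MAX_SEED_BITS:
        raise ValueError("seed must be a whole number of bytes, 128 to 512 bits")
    return secrets.token_bytes(bits // 8)


def master_key_from_seed(seed):
    """Return (master_private_key, chain_code), 32 bytes each."""
    bits = len(seed) * 8
    if not MIN_SEED_BITS <= bits <= MAX_SEED_BITS:
        raise ValueError("seed is %d bits; BIP32 allows 128 to 512" % bits)
    # I = HMAC-SHA512(Key = "Bitcoin seed", Data = S)
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    il, ir = i[:32], i[32:]  # IL is the master secret key, IR the chain code
    k = int.from_bytes(il, "big")
    if k == 0 or k >= SECP256K1_N:
        # BIP32 declares this master key invalid; the caller draws a new seed.
        raise ValueError("invalid master key for this seed")
    return il, ir


if __name__ == "__main__":
    for bits in (MIN_SEED_BITS, ADVISED_SEED_BITS, MAX_SEED_BITS):
        key, chain = master_key_from_seed(new_seed(bits))
        # The output width never changes; only the entropy behind it does.
        print(bits, "bit seed ->", len(key) * 8, "bit key,",
              len(chain) * 8, "bit chain code")
```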