Published on: 2022-07-11T13:18:14+00:00
In a discussion on the bitcoin-dev mailing list, there is a debate about the security of a 12-word seed used for Bitcoin wallets. Sorting the seed alphabetically reduces its entropy by approximately 29 bits, which raises concerns about its security. One suggestion is to use an unordered encoding instead, but others argue that 12 unordered words may be sufficient for memory purposes unless there are gaps or errors in the remembered story.

James MacWhyte proposes randomly choosing 11 words and sorting them alphabetically before assigning a checksum. This would significantly reduce entropy, leaving around 10 trillion combinations to brute force. With hardware capable of one million guesses per second, this could be exhausted within a couple of months.

It is noted that sorting a seed alphabetically removes approximately 29 bits of entropy, reducing the seed entropy from 128 to 99 bits. However, choosing 11 random words and then sorting them alphabetically would still reduce entropy considerably. Despite some initial miscalculations, it is determined that there are actually around 10^30 total possible phrases, making it impossible to brute force in an acceptable timeframe.

Zac Greenwood explains that sorting a seed alphabetically reduces its entropy by approximately 29 bits, reducing the seed entropy from 128 to 99 bits. However, James MacWhyte points out that if one word is the very last from the wordlist, it would end up at the end of the mnemonic once you rearrange your 12 words alphabetically. Despite this, choosing 11 random words and then sorting them alphabetically before assigning a checksum would still reduce entropy considerably. Napkin math estimates this would leave around 10 trillion combinations, which would only take a couple of months to exhaust with hardware capable of doing one million guesses per second.

The discussion also explores different mnemonic encodings.
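The entropy figures quoted in the thread follow from simple counting, and it is worth seeing where each one comes from. The block below is an added illustration, not code from the mailing list or from any of the participants. It assumes the 2048-word BIP-39 English wordlist (only its size is used; the list itself is not embedded) and the one-million-guesses-per-second rate the thread assumes. Discarding the order of n words loses at most log2(n!) bits, which for 12 words is about 28.8 bits, the "approximately 29" in the discussion; the number of distinct unordered phrases (a multiset of n words with repetition allowed) is C(2048 + n - 1, n), which the block uses to express the remaining search space both in bits and as an exhaustion time.

```python
import math

WORDLIST_SIZE = 2048            # size of the BIP-39 English wordlist (assumed; list not embedded)
GUESSES_PER_SECOND = 1_000_000  # brute-force rate assumed in the thread

def ordered_entropy_bits(n_words, wordlist_size=WORDLIST_SIZE):
    """Bits carried by n words drawn uniformly with replacement when order is kept.
    Note: a real BIP-39 12-word phrase carries 128 entropy bits plus 4 checksum bits,
    so its last word is not free; this function counts raw word choices only."""
    return n_words * math.log2(wordlist_size)

def bits_lost_by_sorting(n_words):
    """Upper bound on the entropy discarded by forgetting the order: log2(n!).
    (Slightly less is lost when words repeat, since fewer orderings are distinct.)"""
    return math.log2(math.factorial(n_words))

def unordered_phrase_count(n_words, wordlist_size=WORDLIST_SIZE):
    """Number of distinct multisets of n words: C(wordlist_size + n - 1, n)."""
    return math.comb(wordlist_size + n_words - 1, n_words)

def unordered_entropy_bits(n_words, wordlist_size=WORDLIST_SIZE):
    """Exact bits of an alphabetically sorted phrase of n random words."""
    return math.log2(unordered_phrase_count(n_words, wordlist_size))

def years_to_exhaust(candidate_count, rate=GUESSES_PER_SECOND):
    """Wall-clock years to try every candidate at the given guess rate."""
    return candidate_count / rate / (365 * 24 * 3600)

if __name__ == "__main__":
    for n in (11, 12):
        print(f"{n} words ordered:   {ordered_entropy_bits(n):6.1f} bits")
        print(f"{n} words, sorted:   {unordered_entropy_bits(n):6.1f} bits "
              f"(lost {bits_lost_by_sorting(n):.1f} bits to ordering)")
        print(f"   exhaust at 1e6/s: {years_to_exhaust(unordered_phrase_count(n)):.3e} years")
    # The thread's 10-trillion-candidate napkin estimate, for comparison:
    print(f"10^13 candidates at 1e6/s: {years_to_exhaust(10**13):.2f} years")
```

Running it shows that a sorted 12-word phrase still has roughly 103 bits of unordered-phrase entropy, so the "10 trillion combinations" (about 2^43, exhausted in roughly four months at the assumed rate) describes a much smaller space than the actual count of sorted phrases; that gap is the miscalculation the thread later corrects.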
Anton Shevchenko shares his Python implementation for a different mnemonic encoding that requires users to remember words but not their order. Bram Cohen raises the question of whether it is possible to create a code that always uses BIP-39 words for the same key as part of its encoding, adding error correction words in case the order is lost or confused. Pavol Rusnak suggests encoding the index of the permutation used to scramble the otherwise sorted list, but notes that repetitions make this more difficult. It is also emphasized that any ordering is acceptable as long as the new words are in the same pool as the old words.

In conclusion, the discussion revolves around the security of a 12-word seed for Bitcoin wallets. Sorting the seed alphabetically reduces entropy, but there are concerns about its security. Different proposals are made, such as using an unordered encoding or sorting random words alphabetically before assigning a checksum. The feasibility of brute forcing the combinations is discussed, and different mnemonic encodings are explored. Anton Shevchenko shares his Python implementation for a mnemonic encoding that requires users to remember words but not their order. Bram Cohen raises the question of creating a code that always uses BIP-39 words for the same key as part of its encoding, with added error correction words.
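To make the "remember the words but not their order" idea concrete, here is an added example of one way such an encoding can work. It is my own illustration and not Anton Shevchenko's implementation (which the summary does not reproduce). It uses the combinatorial number system: an integer payload below C(2048, 12) is mapped to a 12-element subset of word indices, and the subset is recovered by sorting, so any ordering of the words decodes to the same value. Repeated words are excluded by construction, which sidesteps the repetition problem Pavol Rusnak mentions. The wordlist is a constructed stand-in (indices rendered as "w0000".."w2047"); the real BIP-39 list is not embedded.

```python
import math
import random
import secrets

WORDLIST_SIZE = 2048
PHRASE_LEN = 12

# Constructed stand-in for the BIP-39 English wordlist (not embedded here).
WORDLIST = [f"w{i:04d}" for i in range(WORDLIST_SIZE)]
WORD_INDEX = {w: i for i, w in enumerate(WORDLIST)}

def capacity_bits(k=PHRASE_LEN, size=WORDLIST_SIZE):
    """Bits an unordered, repetition-free k-word phrase can carry: log2(C(size, k))."""
    return math.log2(math.comb(size, k))

def int_to_combination(n, k, size):
    """Combinatorial number system: map 0 <= n < C(size, k) to a sorted k-subset of range(size).
    For i = k..1 pick the largest c with C(c, i) <= remaining n, then subtract C(c, i)."""
    if not 0 <= n < math.comb(size, k):
        raise ValueError("payload out of range for this phrase length")
    combo = []
    for i in range(k, 0, -1):
        c = i - 1                          # C(i-1, i) == 0, so this always fits
        while math.comb(c + 1, i) <= n:
            c += 1                         # advance to the largest c with C(c, i) <= n
        combo.append(c)
        n -= math.comb(c, i)
    return sorted(combo)

def combination_to_int(combo):
    """Inverse mapping; the input may be given in any order."""
    ranked = sorted(set(combo))
    if len(ranked) != len(combo):
        raise ValueError("unordered encoding cannot contain repeated words")
    return sum(math.comb(c, i) for i, c in enumerate(ranked, start=1))

def encode(payload, k=PHRASE_LEN):
    """Integer payload -> list of k distinct words (shown in sorted order)."""
    return [WORDLIST[i] for i in int_to_combination(payload, k, WORDLIST_SIZE)]

def decode(words):
    """Words in any order -> integer payload."""
    return combination_to_int([WORD_INDEX[w] for w in words])

if __name__ == "__main__":
    print(f"capacity of a {PHRASE_LEN}-word unordered phrase: {capacity_bits():.1f} bits")
    secret = secrets.randbits(100)         # constructed sample payload, within capacity
    words = encode(secret)
    shuffled = words[:]
    random.shuffle(shuffled)               # simulate a user recalling the words out of order
    print("phrase:", " ".join(shuffled))
    print("round trip ok:", decode(shuffled) == secret)
```

The capacity printed is about 103 bits, which is the same ceiling the thread reaches for a sorted 12-word phrase: an order-free encoding cannot carry the full 128 bits of a standard BIP-39 seed in 12 words, and a design that wants both properties must either lengthen the phrase or accept the reduced entropy.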
Updated on: 2023-08-02T06:53:56.589196+00:00