Opinion: there is no practical sense in long seed phrases

Let's make_12_words_standard_(Mixer.money)

Many members of the cryptocurrency community believe that a 24-word seed is safer than a 12-word seed. Even well-known bitcoin evangelist Andreas Antonopoulos admitted that he considered a long seed to be more reliable.

Together with the bitcoin mixer Mixer.money, we explain why 12 words are enough to ensure the safety of funds.

How the seed phrase secures the private key

Software and hardware bitcoin wallets generate 256-bit private keys – long alphanumeric sequences like KxBacM22hLi3o8W8nQFk6gpWZ6c3C2N9VAr1e3buYGpBVNZaft2p. In this format, they are quite difficult to write down and remember.

In 2013, developers included a proposal to improve BIP39 in the Bitcoin code, which described a mechanism for generating a mnemonic code (seed phrase) from private keys from 12 to 24 words long.

“Users want to protect their savings as much as possible, so they intuitively choose “reliable” backups of 24 words. They hope for a higher seed entropy, which in reality increases the security of the private key only theoretically,” Mixer.money representatives say.

An attacker can attack the private key in two ways – try to recover it from a bitcoin address or pick up a mnemonic phrase.

The first attack is also known as ECDLP (Elliptic Curve Discrete Logarithm Problem) – a discrete logarithm problem in a group of points on an elliptic curve. In theory, an attacker can solve it for an address with a large number of coins.

The bitcoin protocol uses elliptic cryptography, namely, the secp256k1 curve. It allows you to quickly generate public keys and bitcoin addresses based on them from private ones. At the same time, the reverse process – the recovery of private keys from public ones – is practically impossible.

The ECDLP solution for secp256k1 uses Pollard’s ro-algorithm to halve the key entropy and requires 2128 operations. However, this process will take billions of years of work on modern computers.

The second attack is brute force seed phrases. The number of combinations of 12 words is 204812. We discard the seeds with the wrong checksum – there will be 2128 valid phrases. A full search will also take billions of years.

“The probability of finding a mnemonic code by modern technical means is negligible. Using 24 words will certainly increase the already huge brute-force time by many orders of magnitude, but this makes no practical sense, ”comments the Mixer.money team.

Why Long Seed Phrases Are Not Necessary

12 words is enough to generate private keys with 128 bits of security (security strength). At the same time, reducing the seed even by two words will make it possible to attack by enumeration.

A long mnemonic phrase has a higher level of entropy. However, the backbone of the bitcoin protocol remains secp256k1 with 128-bit security.

The private key, created from 24 words, contains all the same 128 bits of security. It can be hacked, like a seed of 12 words, for 2128 operations.

“A seed of 12 words is only more vulnerable if the attacker already knows the set of words and can quickly pick up their order.

But even in such a scenario, a long phrase is unlikely to save the owner of the wallet: when backing up, users pay equal attention to the words and their sequence. If a hacker has access to a mnemonic code, it is likely that he knows both.

You can strengthen the protection of the seed phrase from such a brute force, but the private key will still remain the basis of Bitcoin security,” Mixer.money analysts conclude.


12 words are enough to generate a strong secret and protect against brute force. Seed phrases of this length have the same security as the private key itself.

Mixer.money notes that the reason for the loss of bitcoins can be not only theft, but also an error when creating a backup. From this point of view, a 12-word mnemonic phrase is safer: the user is more likely to spell it correctly.

Leave a Reply