Why 12 recovery words are enough for your wallet!
Anyone who stores their own Bitcoin knows it: in order not to lose everything if you lose access to your hardware or software wallet, you write down a few English words on a piece of paper, which you can use to restore your valuable keys at any time with the vast majority of wallets. We are of course referring to the so-called mnemonic phrase, which usually consists of 12 or 24 words. It is precisely this distinction, i.e. the length of the mnemonic, that this article is about. We take a closer look at why there is actually no relevant difference between 12 and 24 words in practice - at least as far as security is concerned.
While some wallets give users the choice between 12 or 24 words, many simply default to one of the two options. It is often the hardware wallets that rely on 24 words and the software wallets on smartphones or computers that are satisfied with 12 words. At first glance, this seems logical: after all, 24 words are twice as long as 12, and offer twice the protection against attackers, don't they?
12 words is enough
- Adam Back (@adam3us) March 13, 2023
Entropy
Every modern Bitcoin wallet is based on the same principle: any number of keys for storing your own coins are derived from a single, very large random number. Each of these keys "contains" the original random number, as they are ultimately uniquely dependent on each other. A wallet therefore does not completely re-roll the dice for each individual key, but uses an existing dice result: the 12 or 24 words. If an attacker succeeds in guessing these words, they have complete access to all the Bitcoin secured with them.
A mnemonic with 12 words is nothing more than a 128-bit number, i.e. 128 consecutive zeros and ones. If this number was actually generated completely at random, anyone trying to guess it would have to get every single bit right, each a fifty-fifty choice between zero and one. How many attempts would that take?
01111000010 11110011000 11111011000 01001100100 10000110011 11110110100 11010011010 10111011001 10000111101 01101100110 01100101010 0010011
The answer to this question is initially quite simple for 24 words. Here we use 256 bits of entropy, twice as much as for 12 words. Accordingly, an attacker must also guess many times more often, namely around 2^256 times, in order to be successful. Considering the unbelievable size of this number, which is actually comparable in magnitude to the estimated number of atoms in the visible universe (10^84), this is an impossibility.
But even searching 2^128 numbers is not feasible in practice. Although the search space is significantly smaller here, and 2^128 is more comparable to the weight of our planet in grams (2^92) or the number of atoms on Earth (2^166), for a computer these are still orders of magnitude that are far from feasible, even in the near future.
We note: As far as directly guessing the mnemonic, or the number behind it, is concerned, 24 words are obviously much more secure than 12, even if the difference is not necessarily relevant in practice. Both orders of magnitude are far too large for current and future computers, and the risk of such an attack ranges from unrealistic to completely negligible.
Important: We are talking about powers of two here, the size of which can easily be underestimated, especially in comparison. The number 2^256 is not twice as large as 2^128, but about 340282366920938463463374607431768211456 times larger. Twice the size of 2^128 is 2^129.
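To make the "12 words = 128 bits, 24 words = 256 bits" relationship concrete, here is an added example (not code from the article) of the BIP39 step that turns raw entropy into word indices: a SHA-256 checksum of ENT/32 bits is appended and the result is cut into 11-bit groups, one per word. The 128-bit input is the bit string printed above; the word-list lookup (index to English word) is left out, so the functions work on indices 0..2047 only.

```python
import hashlib

# The 128-bit entropy shown in the article, written as 11-bit groups plus a 7-bit tail.
ENTROPY_BITS_12 = (
    "01111000010" "11110011000" "11111011000" "01001100100"
    "10000110011" "11110110100" "11010011010" "10111011001"
    "10000111101" "01101100110" "01100101010" "0010011"
)
ENTROPY_12 = int(ENTROPY_BITS_12, 2).to_bytes(16, "big")


def entropy_to_indices(entropy: bytes) -> list[int]:
    """BIP39: append a SHA-256 checksum of ENT/32 bits, then split into 11-bit word indices."""
    ent = len(entropy) * 8
    if ent not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16..32 bytes in 4-byte steps")
    cs = ent // 32                                   # 4 checksum bits for 128, 8 for 256
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    bits = (int.from_bytes(entropy, "big") << cs) | checksum
    count = (ent + cs) // 11                         # 132 / 11 = 12 words, 264 / 11 = 24 words
    return [(bits >> (11 * (count - 1 - i))) & 0x7FF for i in range(count)]


def indices_to_entropy(indices: list[int]) -> bytes:
    """Inverse: rebuild the entropy from word indices and verify the checksum."""
    count = len(indices)
    ent = count * 11 * 32 // 33                      # 12 words -> 128 bits, 24 words -> 256 bits
    cs = ent // 32
    bits = 0
    for idx in indices:
        if not 0 <= idx < 2048:
            raise ValueError("word index out of range")
        bits = (bits << 11) | idx
    entropy = (bits >> cs).to_bytes(ent // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    if bits & ((1 << cs) - 1) != expected:
        raise ValueError("checksum mismatch: a word was copied wrongly")
    return entropy


if __name__ == "__main__":
    idx = entropy_to_indices(ENTROPY_12)
    print(len(idx), "word indices:", idx)
    print("round trip ok:", indices_to_entropy(idx) == ENTROPY_12)
```

The 4-bit checksum only ever changes the last word, which is why the first eleven indices are fixed entirely by the 121 leading entropy bits.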
The shortcut
Even though the discussion about guessing a mnemonic in the previous paragraph is certainly exciting, in actual practice it doesn't really matter. This is because another crucial aspect for the security of your Bitcoin is often ignored in these considerations: A shortcut, which in any case, whether you use 12 or 24 words, is always the simpler alternative.
To spend Bitcoin, our wallet generates a digital signature with a private key, which, without revealing the private key, together with a public key, proves that we actually possess the private key. This asymmetry is the basic building block of why Bitcoin can work at all. It is based on a problem in mathematics that is extremely easy to solve in one direction, but very difficult to solve in the other: the discrete logarithm problem (DLP). We are not interested in the mathematical details at this point, the only important thing is the fact that the security of our Bitcoin is based solely on this mathematical problem as soon as we publish a public key.
This finally brings us to the crucial point in the chain of reasoning. The private keys used in Bitcoin are always 256 bits long. Although the discrete logarithm problem, i.e. recovering the private key that was used, is not easy to solve, there are methods and algorithms that are more efficient and faster than simply guessing. In fact, the security level is reduced from 256 to 128 bits. An attacker therefore "only" has to perform around 2^128 operations to solve the problem and calculate back to the private key, regardless of whether there is a 256-bit random number (i.e. 24 words) behind the private keys or not. As this is a fundamental approach, this applies both to the previously common ECDSA signature procedure and to the new Schnorr signatures, which were introduced with the Taproot update at the end of 2021.
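The "square root" shortcut that halves the security level can be seen on a toy group. The following is an added example, not from the article: baby-step giant-step, a generic discrete-logarithm algorithm, solves g^x = h in the multiplicative group modulo a small prime with about 2*sqrt(n) group operations instead of n. The prime, generator and exponent below are constructed for illustration; the same sqrt(n) bound is what makes a 256-bit key cost roughly 2^128 work.

```python
import math


def bsgs_dlog(g: int, h: int, p: int) -> tuple[int, int]:
    """Baby-step giant-step: return (x, ops) with g^x = h (mod p) and x in [0, p-1).

    ops counts group multiplications; it stays near 2*sqrt(p-1) rather than p-1.
    """
    n = p - 1                        # upper bound on the unknown exponent
    m = math.isqrt(n) + 1            # ceil(sqrt(n))
    ops = 0
    table = {}                       # baby steps: g^j -> smallest j
    cur = 1
    for j in range(m):
        table.setdefault(cur, j)
        cur = cur * g % p
        ops += 1
    factor = pow(g, -m, p)           # g^(-m), modular inverse via pow (Python 3.8+)
    gamma = h
    for i in range(m):               # giant steps: h * g^(-m*i)
        if gamma in table:
            return i * m + table[gamma], ops
        gamma = gamma * factor % p
        ops += 1
    raise ValueError("no solution below the bound")


def security_bits(group_order: int) -> float:
    """Work in bits for a generic sqrt(n) attack on a group of the given order."""
    return math.log2(group_order) / 2


if __name__ == "__main__":
    p, g, secret = 1000003, 2, 98765          # constructed toy values
    h = pow(g, secret, p)
    found, ops = bsgs_dlog(g, h, p)
    print("recovered exponent:", found, "using", ops, "multiplications of", p - 1)
    print("generic attack on a 256-bit group costs about 2^%.0f" % security_bits(2**256))
```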
At this point, you could argue that you are on the "safe side" as long as you do not spend your Bitcoin, as no public key will be published until then. In practice, however, this argument is invalid, as a large proportion of the Bitcoin in circulation is already stored on addresses with a known public key. In the newer Taproot addresses, the public key is even directly readable "in the address" itself and is known from the outset.
Trust in Bitcoin would dwindle if such an efficient attack were to become a reality. Fortunately, this is of course not the case and will not change in the foreseeable future. It should be clear that we are talking about very theoretical and extremely unlikely scenarios here, with the aim of illustrating the negligible difference between 12 and 24 words. It can be argued that the entire Bitcoin network itself is based on a security level of 128 bits. Therefore, if the end user goes beyond this level, there is no relevant advantage.
12 words are convenient
The theoretical considerations so far are all well and good, but what are we supposed to do with the knowledge gained?
It's really just about dispelling the myth that "12 words aren't that secure". Since choosing to use 12 words for your own wallet does not put you at a relevant security disadvantage, you can conversely benefit from the better user experience of 12 words. Especially for backups on steel, 12 additional words would also mean additional acquisition costs, which you can therefore do without. When it comes to memorizing your own mnemonic, 12 words are of course also much more rewarding. Although you should never rely solely on memorizing your own mnemonic, there is certainly nothing to be said against it as an additional measure.
The BitBox02 recommended by Blocktrainer.de will enable the creation of a wallet with 12 words as an option in an upcoming update for the BitBoxApp in addition to the usual 24 words. Many other hardware wallets, including the Blockstream Jade, but also DIY solutions such as the SeedSigner, can also be used with 12 words. So anyone who is planning to create a new wallet anyway and would benefit from the practical advantages of a 12-word mnemonic can do so with a clear conscience.
24 words do no harm
Of course, this article is not intended to tempt anyone to switch to a new wallet with 12 words. On the contrary, there is no harm in using 24 words, especially as the advantages of 12 words are fairly limited anyway. If you use simple backups on paper and don't value memorization, writing down another 12 words once will hardly bother you. With backups on microSD cards, this consideration is no longer relevant anyway.
With 24 words, you also have a little more room for error. If, for whatever reason, individual words become known or the quality of the random number is not ideal, you won't be on the brink of disaster as quickly as you would be with 12 words.
As is so often the case, there is no "one truth", but rather several factors that should be weighed up individually when making your own decision. However, if you want to use 12 words, you should not shy away from the supposedly lower level of security that we have hopefully dispelled in this article.