Thanks, Zac!

I indeed did get the napkin math very wrong. I now get around 10^30 total possible phrases, which would take an impossibly long time to brute force. So, it is less entropy but probably still sufficient for low-stakes usage.

James


On Sat, Jul 9, 2022 at 10:31 PM Zac Greenwood <zachgrw@gmail.com> wrote:
Sorting a seed alphabetically reduces entropy by ~29 bits.

A 12-word seed has (12, 12) permutations or 479 million, which is ln(469m) / ln(2) ~= 29 bits of entropy. Sorting removes this entropy entirely, reducing the seed entropy from 128 to 99 bits.

Zac


On Fri, 8 Jul 2022 at 16:09, James MacWhyte via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:

What do you do if the "first" word (of 12), happens to be the last word in the list alphabetically?

That couldn't happen. If one word is the very last from the wordlist, it would end up at the end of your mnemonic once you rearrange your 12 words alphabetically.

However! 

(@vjudeu) Choosing 11 random words and then sorting them alphabetically before assigning a checksum would reduce entropy considerably. If you think about it, to bruteforce the entire keyspace one would only need to come up with every possible combination of 11 words + 1 checksum. I'm not the best at napkin math, but I think that leaves you with around 10 trillion combinations, which would only take a couple months to exhaust with hardware that can do 1 million guesses per second.


James
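Added example, not part of the thread: a Python sketch that counts alphabetically sorted phrases exactly and checks the counting formula by enumerating a toy wordlist. It assumes the 2048-word BIP39 list with repeated words allowed, ignores the checksum word, and all function names are hypothetical.

```python
import math
from itertools import product

WORDLIST_SIZE = 2048  # assumption: BIP39 wordlist length, not stated in the thread


def sorted_phrase_count(n_words: int, k: int) -> int:
    """Distinct sorted phrases of k words drawn from n_words, repeats allowed.

    Sorting maps every ordering of the same words to one phrase, so this is
    the number of multisets of size k: C(n_words + k - 1, k).
    """
    return math.comb(n_words + k - 1, k)


def bits_lost_by_sorting(n_words: int, k: int) -> float:
    """Entropy removed when an ordered k-word phrase is replaced by its sorted form."""
    ordered_bits = k * math.log2(n_words)
    return ordered_bits - math.log2(sorted_phrase_count(n_words, k))


def enumerate_sorted(n_words: int, k: int) -> int:
    """Brute-force check on a toy wordlist: sort every ordered phrase, count distinct results."""
    return len({tuple(sorted(p)) for p in product(range(n_words), repeat=k)})


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Time to try every phrase once at a fixed guess rate."""
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Toy wordlist of 6 words, 4-word phrases: 6**4 = 1296 ordered phrases.
    print("toy enumerated:", enumerate_sorted(6, 4),
          "formula:", sorted_phrase_count(6, 4))
    for k in (11, 12):
        space = sorted_phrase_count(WORDLIST_SIZE, k)
        print(f"{k} sorted words: {space:.3e} phrases, "
              f"{math.log2(space):.1f} bits, "
              f"{bits_lost_by_sorting(WORDLIST_SIZE, k):.2f} bits lost, "
              f"{years_to_exhaust(space, 1e6):.2e} years at 1M guesses/s")
```

Dividing by k! (the log2(12!) shortcut) is exact only when all words are distinct; the multiset count also covers phrases with repeated words, which is why the loss comes out slightly under log2(12!).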