Bitcoin recovery phrase: 12 vs. 24 words

By default, some Bitcoin wallets generate a sentence of 24 words that lets you recover your wallet in case of problems, while others generate a sentence of only 12 words. At first glance, 24 words seem more secure, because a correct sequence of 24 words is harder to guess than a sequence of 12 words. But in reality, it makes much more sense to use a 12-word sentence to secure your bitcoins. I'll tell you why in this article.

What is a seed sentence?

In the Bitcoin system, BTCs are represented as UTXOs (Unspent Transaction Outputs), which are essentially larger or smaller pieces of bitcoin. These UTXOs are secured by a script that imposes certain conditions for spending them, generally requiring the user to prove ownership by providing a signature made with a private key. To secure bitcoins, it is therefore sufficient to use a private key and the public key that corresponds to it.

However, for privacy reasons, it is strongly recommended to use a new key pair for each Bitcoin transaction. As these key pairs are the only way to access bitcoins, it is essential to save them. But if you use independent keys, saving them individually would be extremely complicated.

This is why so-called “deterministic and hierarchical” (HD) wallets are used today. Their principle is simple: instead of using multiple pairs of independent keys, a user can generate an almost infinite number of keys from a single piece of information called the recovery phrase (or mnemonic phrase). Knowing this sentence alone thus makes it possible to regain access to the entire key wallet, and therefore to all the associated bitcoins.

For convenience, this phrase is sometimes said to be “a private key,” but that's a fallacious shortcut. Rather, the recovery phrase is backup information that, after a series of calculations, makes it possible to recover all the private keys in the wallet.

So what does a private key look like?

How secure is a Bitcoin private key?

A Bitcoin private key is simply a pseudo-random number, which can be between 0 and almost 2^256. The number of possibilities is so great that it is almost unimaginable for the human mind. It is precisely on this principle that bitcoin security is based: the probability of finding a specific private key is so low that it is currently considered zero.

In a raw hexadecimal format, a Bitcoin private key could look like this: f316bfa22387eb15369d69bbc023bd3edcd88c98dcf557ec853757daff2440de

This random number is then used to generate the corresponding public key, which will be used to secure bitcoins. To do this, an algorithm is used that makes it easy to calculate a public key from a private key, while making the opposite calculation extremely difficult. Since public keys are visible on the blockchain and accessible to everyone, they must not allow the associated private key to be recovered.

The security of a key pair thus lies in the difficulty of retrieving the private key from the corresponding public key. Bitcoin uses algorithms based on elliptic curves, where this difficulty rests on the mathematical problem of the discrete logarithm on elliptic curves (ECDLP). Right now, the best known algorithm for solving this problem is Pollard's rho algorithm, which reduces the number of operations needed to break a key to roughly the square root of the number of possible keys.

For 256-bit keys like those used on Bitcoin, Pollard's rho algorithm makes it possible to break a private key with 2^128 operations. It is therefore said that a Bitcoin private key offers 128 bits of security.

What length should you choose for your recovery sentence?

When a wallet generates a recovery phrase, it is represented in a way that is easily readable by a human, usually in the form of 12 or 24 words. However, this sentence is actually based on a binary number, which also includes a checksum. To learn more about building a recovery sentence, I refer you to a detailed article that we have already published: What is the Bitcoin wallet recovery phrase?

So 12-word sentences represent 128-bit random numbers, while 24-word sentences represent 256-bit numbers. In terms of security, a 12-word sentence offers 128 bits of security, and a sentence of 24 words offers 256 bits of security.

However, as mentioned earlier, the private keys derived from your recovery phrase only offer 128 bits of security, which is as much as a 12-word sentence. It is therefore excessive to opt for a sentence of 24 words.

Indeed, if the private keys have fewer security bits than your recovery phrase, then the overall security of your wallet is limited to the security level of these keys. To illustrate this, let's say your Bitcoin wallet is a house with two front doors. If one of these doors is reinforced and the other is a fragile wooden door, the overall security of your home is reduced to the level of the least solid door. Thus, the reinforced door becomes useless, because a burglar will prefer the most fragile door. In the same way, a 24-word sentence in a Bitcoin wallet is excessively secure.

In addition, it is important to understand that a security level of 128 bits is more than enough nowadays, even for an application as sensitive as Bitcoin. The probability of guessing a specific 12-word sentence is statistically negligible, as is the probability of finding a private key from a public key.

However, remember that the security of your bitcoins involves two distinct risks: the risk of theft and the risk of loss. By using a 24-word recovery phrase, you're not mitigating the risk of theft, but you're increasing the risk of losing your wallet. As long as the size of the private keys on Bitcoin remains the same, it is therefore more appropriate to opt for a 12-word sentence.

The only valid argument for using a 24-word sentence is not about its safety, but rather that its checksum is more robust than in a 12-word sentence. However, this checksum is almost useless for a Bitcoin recovery phrase. In my opinion, this is therefore not a sufficient reason to favour 24 words.
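The bit arithmetic behind the 12-word and 24-word formats, and the checksum strength of each, can be checked directly. The sketch below is an added example, not code from this article; it assumes the wallet follows the BIP39 standard (11 bits per word, checksum of ENT/32 bits taken from SHA-256 of the entropy) and works on word indices rather than words so that no word list is needed. The function names are illustrative.

```python
import hashlib

WORD_BITS = 11        # BIP39: each word is an index into a 2048-word list
CURVE_SECURITY = 128  # figure from the article: Pollard's rho on 256-bit keys

def entropy_to_indices(entropy: bytes) -> list[int]:
    """Append the checksum to the entropy and split into 11-bit word indices."""
    ent = len(entropy) * 8
    if ent not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128 to 256 bits in steps of 32")
    cs = ent // 32  # 4 checksum bits for 12 words, 8 for 24 words
    digest = int.from_bytes(hashlib.sha256(entropy).digest(), "big")
    bits = (int.from_bytes(entropy, "big") << cs) | (digest >> (256 - cs))
    n = (ent + cs) // WORD_BITS
    return [(bits >> (WORD_BITS * (n - 1 - i))) & 0x7FF for i in range(n)]

def checksum_ok(indices: list[int]) -> bool:
    """Recompute the checksum from the entropy part and compare."""
    if len(indices) not in (12, 15, 18, 21, 24):
        return False
    if any(not 0 <= i < 2048 for i in indices):
        return False
    total = len(indices) * WORD_BITS
    cs = total // 33
    bits = 0
    for i in indices:
        bits = (bits << WORD_BITS) | i
    entropy = (bits >> cs).to_bytes((total - cs) // 8, "big")
    return entropy_to_indices(entropy) == list(indices)

def valid_last_words(prefix: list[int]) -> int:
    """How many of the 2048 possible final words pass the checksum."""
    return sum(checksum_ok(prefix + [last]) for last in range(2048))

def effective_security_bits(n_words: int) -> int:
    """Wallet security is capped by the weaker of phrase entropy and key."""
    entropy_bits = n_words * WORD_BITS * 32 // 33
    return min(entropy_bits, CURVE_SECURITY)

if __name__ == "__main__":
    # Constructed sample input: all-zero entropy (never use for a real wallet).
    print(entropy_to_indices(bytes(16)))
    print(valid_last_words([0] * 11), valid_last_words([0] * 23))
    print(effective_security_bits(12), effective_security_bits(24))
```

With 12 words, 128 of the 2048 candidate final words pass the checksum (a random phrase is accepted 1 time in 16); with 24 words only 8 do (1 in 256), which is the extra checksum robustness described above.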

Conclusion

Since private keys on Bitcoin only offer 128-bit security, equivalent to that of a 12-word recovery phrase, opting for a 24-word sentence does not provide additional security benefits. On the other hand, a 12-word sentence, thanks to its small size, is easier to save and store, which decreases the risk of loss. Considering these aspects rationally, choosing a 12-word sentence is less risky than opting for a 24-word sentence.

However, if you already have a Bitcoin wallet secured by a 24-word sentence, I don't recommend changing wallets for that reason alone. While using 24 words is excessive, it is not a risk to the security of your wallet. The only constraint of a longer sentence is that it is slightly more complex to manage.
