Trezor Seed and Masterkey

To my understanding, it works like the following:

12 word BIP39 Seed → 132bit Masterkey
24 word BIP39 Seed → 256bit Masterkey
20 word SLIP39 Seed → 132bit Masterkey

My question is:
Does a 33 word SLIP39 seed generate a 256bit Masterkey or a 132bit Masterkey?
I know that 132bit is secure today but I want to make it as future proof as possible, so that I don’t wake up one day and see that a quantum computer has broken the 132bit masterkey and stolen my funds.

33-words ↔ 256-bits

PS: 132bit is wrong. Seeds are 128-bits or 256-bits.

The master secrets can’t really be “broken” in the way you are thinking.

For making signatures in cryptocurrencies, you have two keys: a public key and a corresponding private key.
On a normal computer, you can trivially compute the public key from the private key, because there is a straightforward mathematical equation that tells you the answer.
Going in the opposite direction amounts to solving a Hard Math Problem, and we don’t know any ways to do it.

(Think back to high school calculus and solving roots of quadratic equations. It’s kind of like that, except we do have a trick for quadratic equations. No such trick exists for elliptic curves.)

We have dedicated quantum algorithms for a lot of Hard Math Problems. Quantum computers are good at this. They can find the corresponding private key for your public key.
(I mean, not today they can’t, but in like 10 years they very well could)


Your master secret is not a private key.

There is no “equation” where you plug in the master secret and out comes your address. It’s an “algorithm”, a long sequence of stirring the bits in a witches’ cauldron and decanting a ladle at the end.

There is no Hard Math Problem to break here. It’s not math at all, it’s un-baking a loaf of bread into a bag of flour and a carton of eggs.

In fact, there’s no guarantee that for a given address, there even is a “corresponding” master secret.

Even quantum computers have to do this the hard way – trying all possible master secrets and checking whether one of them matches your address.

Sure, quantum computers, being quantum, can do it in fewer tries – 2^64 for a 128-bit seed. The drawback is that a single try takes way longer on a quantum computer.


In conclusion, “breaking your master key” is not a thing and quantum computers don’t help here.

Thank you

What about the checksum?

Isn’t it:
seed → master secret → private keys → public keys → addresses

So quantum computers can go through this process and then check if the addresses they get hold funds; if not, they do it again with a slightly different secret.

So my logic is that the longer the master secret, the more possible combinations there are, and therefore it is harder to crack.

Sorry if I get this wrong.

It takes longer for them?

Generally, a checksum is used for error detection and sometimes even for error correction. In the case of a wallet backup, the purpose of the checksum is to detect user mistakes in:

  • the paper backup (poorly or incorrectly written words, damaged paper, fading ink etc., so the user reads an incorrect word)
  • swapped letters when entering words into Trezor during recovery

When no error is detected, the Trezor HW device no longer needs the checksum, so it can be discarded. In other words, the checksum is not part of the seed entropy.

You may already have noticed that they are not equal, i.e. they can’t be relevant for Trezor’s storage (but are relevant for the user’s paper storage):

  • 128-bit seed entropy can have 4 bits of checksum (BIP39) or 30 bits (SLIP39).
  • 256-bit seed entropy can have 8 bits of checksum (BIP39) or 30 bits (SLIP39).

And this is also a weak area of BIP39 - its checksums are too weak compared to SLIP39. The BIP39 checksum is so weak that it happens that a user enters a wallet backup with one or more mistakes and such an error is not detected. The scared user sees a zero balance and blames Trezor, because he was not warned about the wrong SEED. In the end, he should blame himself for his backup skills or blame BIP39’s checksum, but not the Trezor HW or firmware. This won’t happen with SLIP39. (hidden hint: everyone should make a move to SLIP39 :rofl: )

Last point - things are much more complicated and oversimplification is often used here (and sometimes it is great and fun, like the witches and reverse engineering of bread above :rofl: ). You simply need to sit down and read for weeks/years, as a forum is probably not the best place for such a level of detail, which is much better described elsewhere. And no, QCs are IMHO out of this game as they have not reached the needed level of maturity. And if QCs ever reach the needed point, Bitcoin will run away to some level unreachable by the capabilities of QCs.

Sometimes when you enter random words there is more than one option for the checksum.

Do I remember it right that the probability of entering a random BIP39 seed and getting a valid wallet is 1/16, and of entering a random SLIP39 seed and getting a valid wallet is 1/1,000,000,000?
This is indeed a very good argument for SLIP39.
I would always do a check this way: create wallet → note down the addresses of 2 accounts (2 to avoid overlooking something) → reset device → enter my seed again and see if I get the same addresses.

I probably will, just need to find a way to dive SLIP39 seed.

Can we just make everything longer to increase possible combinations, or are other steps needed?

Thank you both for your answers
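A worked example for the checksum figures in this thread (4 checksum bits on a 12-word BIP39 backup, 8 on a 24-word one, and the roughly 1-in-16 chance that a random 12-word set passes). This is added code, not Trezor's and not from any post above. It handles words as their 11-bit indices into the official English wordlist (0 = "abandon", 3 = "about", 102 = "art") so the 2048-word list need not be embedded; note that 12 words × 11 bits = 132 bits, of which 128 are entropy and 4 are checksum. The `fraction_of_random_mnemonics_accepted` and `count_valid_last_words` helpers are illustrations of my own, not BIP39 functions. The SLIP39 30-bit Reed-Solomon checksum is not implemented here; a random SLIP39 word set passes it with probability 2^-30, the "1 in a billion" estimate above.

```python
# Worked example (added for this thread; not Trezor's code and not from the
# original posts): how the BIP39 checksum is formed and verified. Words are
# handled as 11-bit indices into the official English wordlist so the
# 2048-word list does not have to be embedded (0 = "abandon", 3 = "about",
# 102 = "art"). Standard library only.
import hashlib
import random
from typing import List, Optional

ENTROPY_BITS = (128, 160, 192, 224, 256)   # allowed ENT values in BIP39


def entropy_to_indices(entropy: bytes) -> List[int]:
    """Encode: append the first ENT/32 bits of SHA256(entropy), then cut into 11-bit groups.

    128 bits of entropy + 4 checksum bits = 132 bits = 12 words;
    256 bits of entropy + 8 checksum bits = 264 bits = 24 words.
    """
    ent = len(entropy) * 8
    if ent not in ENTROPY_BITS:
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    cs = ent // 32
    checksum = int.from_bytes(hashlib.sha256(entropy).digest(), "big") >> (256 - cs)
    bits = (int.from_bytes(entropy, "big") << cs) | checksum
    count = (ent + cs) // 11
    return [(bits >> (11 * (count - 1 - i))) & 0x7FF for i in range(count)]


def indices_to_entropy(indices: List[int]) -> Optional[bytes]:
    """Decode: split off the checksum bits, recompute them from the entropy, and
    return the entropy only if they match (None means the checksum failed)."""
    count = len(indices)
    if count not in (12, 15, 18, 21, 24) or any(not 0 <= i < 2048 for i in indices):
        return None
    cs = count * 11 // 33           # 12 words -> 4 bits, 24 words -> 8 bits
    ent = count * 11 - cs
    bits = 0
    for i in indices:
        bits = (bits << 11) | i
    entropy = (bits >> cs).to_bytes(ent // 8, "big")
    return entropy if entropy_to_indices(entropy) == indices else None


def fraction_of_random_mnemonics_accepted(word_count: int, trials: int, seed: int = 1) -> float:
    """Draw random word-index tuples and measure how many pass the checksum.
    With 4 checksum bits (12 words) about 1/16 pass; with 8 bits (24 words) about 1/256."""
    rng = random.Random(seed)            # fixed seed so the estimate is reproducible
    hits = sum(
        indices_to_entropy([rng.randrange(2048) for _ in range(word_count)]) is not None
        for _ in range(trials)
    )
    return hits / trials


def count_valid_last_words(prefix: List[int]) -> int:
    """How many of the 2048 possible last words complete `prefix` to a valid mnemonic.
    The last word carries the remaining entropy bits as well as the checksum, so the
    count is 2**(11 - cs): 128 for an 11-word prefix, 8 for a 23-word prefix."""
    return sum(indices_to_entropy(prefix + [w]) is not None for w in range(2048))


if __name__ == "__main__":
    # BIP39 test vector: all-zero 128-bit entropy encodes as "abandon" x 11 + "about"
    print(entropy_to_indices(bytes(16)))
    print(fraction_of_random_mnemonics_accepted(12, 20000))
    print(fraction_of_random_mnemonics_accepted(24, 20000))
    print(count_valid_last_words([0] * 11))
```

For a fixed set of all 12 words there is exactly one checksum, as the reply below says; `count_valid_last_words` shows the other side of the same coin: with only the first 11 words fixed, 128 of the 2048 candidate last words pass, because the last word also carries 7 bits of entropy.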

No there isn’t. There is exactly one checksum for every set of words.

Okay listen.
A quantum computer is not just “computer but very fast”.
In a way, it’s the opposite, it’s a “computer but very slow”. Every instruction is much slower than its equivalent on silicon. Sure, quantum chips will get faster as time progresses, but due to their very nature, they can’t ever be faster than classical chips.

QCs have a range of tricks that classical computers can’t do. These tricks are useful for solving some mathematical problems. One of those problems is “how do I find a private key for some public key on secp256k1 curve”.

Trying all seeds at once is not that kind of problem.

Sure, you can run a quantum circuit for trying a seed 2^64 times, and that will “amplify” the answer enough so that you can read it.
Problem is, this is a big, time-consuming circuit, and 2^64 is still a lot.

What’s worse, you can’t really divide the work between 100 000 quantum computers to get the result 100 000 times faster. One chip must be doing all the work, otherwise you won’t get the right result.


In summary: your 128-bit seed is already quantum-resistant. You don’t have to “make it longer”. It’s long enough as it is.
Don’t worry about this.
If you want something to worry about, move your coins away from Ethereum, where your public key is already public and ready for some quantum breaking.
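The chain seed → master secret → private keys → public keys → addresses quoted earlier, together with the point made just above that only the public-key → private-key step on secp256k1 is the kind of problem a quantum computer is good at, as an added example. This is not Trezor's code and not from the original posts. Assumptions: the `derive` helper and its field names are mine; the secp256k1 point arithmetic is a textbook affine implementation (not constant-time, illustration only); and the last step uses SHA-256 alone as a stand-in for Bitcoin's HASH160 because RIPEMD-160 is not present in every Python build. The mnemonic in the demo is the published BIP39 test vector.

```python
# Worked example (added for this thread; not Trezor's code and not from the
# original posts): mnemonic -> BIP39 seed -> BIP32 master secret ->
# private key -> public key -> public-key hash, in plain Python, to show which
# steps are hashes and which one is the elliptic-curve relation discussed above.
# The secp256k1 arithmetic is a minimal textbook version (not constant-time).
# The final hash is plain SHA-256 standing in for Bitcoin's HASH160, because
# RIPEMD-160 is not available in every Python build.
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# secp256k1 domain parameters.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Point = Optional[Tuple[int, int]]     # None is the point at infinity


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase -> 64-byte seed."""
    return hashlib.pbkdf2_hmac("sha512", mnemonic.encode(), ("mnemonic" + passphrase).encode(), 2048)


def seed_to_master(seed: bytes) -> Tuple[int, bytes]:
    """BIP32: HMAC-SHA512 keyed with "Bitcoin seed"; left 32 bytes = master private key, right 32 = chain code."""
    d = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(d[:32], "big")
    if not 0 < k < N:                    # astronomically unlikely; BIP32 declares such a seed invalid
        raise ValueError("invalid master key")
    return k, d[32:]


def point_add(a: Point, b: Point) -> Point:
    """Affine point addition on y^2 = x^3 + 7 over GF(P)."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # a + (-a) = infinity
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k: int, point: Point = G) -> Point:
    """Double-and-add: the easy direction, private key -> public key."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def on_curve(point: Point) -> bool:
    """True if the point satisfies the curve equation."""
    x, y = point
    return (y * y - x * x * x - 7) % P == 0


def private_to_public(priv: int) -> bytes:
    """Compressed SEC1 encoding (02/03 prefix + x) of priv * G."""
    x, y = scalar_mult(priv)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def derive(mnemonic: str, passphrase: str = "") -> Dict[str, str]:
    """Run the whole pipeline and return every intermediate value as hex."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    priv, chain = seed_to_master(seed)
    pub = private_to_public(priv)
    return {
        "seed": seed.hex(),                 # hash-derived (PBKDF2)
        "chain_code": chain.hex(),          # hash-derived (HMAC)
        "private_key": f"{priv:064x}",      # hash-derived (HMAC)
        "public_key": pub.hex(),            # elliptic-curve step: the only algebraic relation
        "pubkey_hash": hashlib.sha256(pub).hexdigest(),  # hash again (stand-in for HASH160)
    }


if __name__ == "__main__":
    vec = " ".join(["abandon"] * 11 + ["about"])   # published BIP39 test-vector mnemonic
    for name, value in derive(vec, "TREZOR").items():
        print(f"{name:12} {value}")
```

Every step except `scalar_mult` is a hash (PBKDF2, HMAC, SHA-256), which is the distinction the answers above rely on: a quantum algorithm that recovers a private key from a public key attacks the `scalar_mult` relation, while the hash steps in front of and behind it offer no such structure, and a backup whose public keys were never published exposes only `pubkey_hash`.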

Hmm
I think I need to do much more research about this.

Can’t quantum computers be instructed to search in a particular range like ASICs in a mining pool?

Ok,
Is there something between SLIP39 20 words and SLIP39 33 words? So I am not at the bottom of the security.

If a quantum computer can reverse
public key → private key
then why couldn’t it also reverse
address → public key

I can’t see into the future and therefore want to invest in more than one cryptocurrency, so that I don’t have all my eggs in the same basket.

Not as simple as that – the quantum magic would break.
But now that you mention it, it’s likely that there is some kind of trick to do something similar. So I take that back.

Because a quantum computer is not a general reversing machine.

You need to realize that the public/private key relation is special. Quantum computers do great at breaking this particular relationship. There are a lot of other kinds of one-way relationships where QCs aren’t particularly helpful.

Ok, good to know

So quantum computers can reverse public keys to private keys but not addresses to public keys.
Therefore it is safer to have funds on accounts where the public key hasn’t been revealed.
Do I understand it right?

That is correct.

(now how many filler chars do I have to go over to satisfy the minimum post size for this forum…?)