Use 13 Word Seeds by default

[KeeJef]

Right now we are using a 25 word seed phrase which encodes a private spend key from the private spend key you can generate all other required keys, this provides 256 bits of security.

There is another method available which was used by the MyMonero wallet which generates only a 13 word seed which encodes a 128 bit integer, which is the root for both the private spend key and the private view key. Although this scheme only provides 128 bits of security this is considered more than enough for almost all applications including most bitcoin wallets which implement BIP-39 using 12/13 word seeds.

The obvious benefits is that it makes private key management easier since a user has to write down only half of the words they would have to write down to manage a 25 word seed. Since its likely we will deploy the same format across all applications including messenger and Lokinet this is important for UX, additionally the scheme can be easily supported by allowing a user to restore a wallet from either type of seed phrase.

[jagerman]

Another advantage of the 24-word (plus checksum word) seed phrase is that it is interchangeable with the private spend key (more precisely, it is the private spend key), so if you restore a wallet with the private spend key directly you can still get your mnemonic seed from it, while the 13-word seed phrase is not recoverable from such a wallet.

Although this scheme only provides 128 bits of security this is considered more than enough for almost all applications including most bitcoin wallets which implement BIP-39 using 12/13 word seeds.

BTC wallet private keys are only 128-bit values; they are only 12-word seeds because that is enough to cover the entire range of private key values. In our case it's different: we'd be reducing our default security level (even though we freely support 256-bit innately) by throwing away half of the bits of usable randomness just to save a bit of typing.

[KeeJef]

Another advantage of the 24-word (plus checksum word) seed phrase is that it is interchangeable with the private spend key (more precisely, it is the private spend key), so if you restore a wallet with the private spend key directly you can still get your mnemonic seed from it, while the 13-word seed phrase is not recoverable from such a wallet.

this is done so rarely that i think its a non issue

BTC wallet private keys are only 128-bit values; they are only 12-word seeds because that is enough to cover the entire range of private key values. In our case it's different: we'd be reducing our default security level (even though we freely support 256-bit innately) by throwing away half of the bits of usable randomness just to save a bit of typing.

The process that MyMonero used was as follows

The 13 words convert to a 128-bit integer that is used for both spend and view key derivation, in the following form: the 128-bit integer is hashed with Keccak-256 to produce a 256-bit integer, a. a is sent to sc_reduce32, which returns the Private Spend Key. a is hashed once more with Keccak-256 to produce a second 256-bit integer, b. b is then sent to sc_reduce32, which returns the Private View Key.

There is obviously a reduction in security from 256 bits to 128 bits, but i dont see this as being any less secure than bitcoin 12/13 words seeds are? am i missing something

[jagerman]

There is obviously a reduction in security from 256 bits to 128 bits, but i dont see this as being any less secure than bitcoin 12/13 words seeds are? am i missing something

The difference is that BTC can't be more secure than 12 words allows, while Monero (and thus Loki) can and are. Were BTC being designed today it seems unlikely that they would choose the same 128-bit key size. For Loki, I'm not a big fan of reducing our default level of wallet security.

[jagerman]

"We are as secure as BTC." "Are you as secure as Monero?" "... no."

Is not a good conversation.

[Haafingar]

I would suggest that the alternative is that we introduce support for 13 word seeds in all of the Loki wallets, as most users will be generating wallet from their Loki Messenger keys to Loki core keys, not the other way round.

25 word support will obviously have to be maintained in the Loki core software, but we could also allow Loki Messenger keys to be generated from 'legacy' 25 word seeds as well.

The reason this has arisen is because there are currently inconsistencies in the way seeds are generated across the different messenger platforms. As we are looking to standardize this, there is an opportunity to alter the seed format across the board to something that most cryptocurrency users are more familiar with.

[KeeJef]

"We are as secure as BTC." "Are you as secure as Monero?" "... no."

Is not a good conversation.

I am actually fine with this, and think its a perfectly reasonable thing to say, if someone wants the extra security provided by 256 bits of entropy they can still generate a 25 word seed, its just not used by default.

[KeeJef]

We discussed this out of band and have settled on providing a choice in the Loki wallet when generating a new wallet. this would default to a 13 word seed, but a user would be able to generate a 25 word seed aswell.

@jagerman also mentioned

On a side note, MyMonero's approach may not be the best idea actually for the wallet -- mainly because it doesn't generate the view key from the spend key in the same way as Monero, the consequence being that you can't back out a 25-word seed key from (most) MyMonero 13-word seeds. I think it could easily just generate the spend key using a hash, then fall back to standard Monero generating from the view key rather than MyMonero's approach. That way you can still import from a privkey and at least still get a 25-word seed key out of it.

[KeeJef]

Through offline discussion we think that Loki core should offer a decision for a 12/13 word seed and a 25 word seed, but it should default to a 12/13 word seed if the choice is skipped or the user simply presses enter they will get a 12/13 word seed.

For messenger only a 12/13 word seed should be generated, but users should be able to create an account with both a 12/13 word seed and a 25 word seed.

[jagerman]

Also worth noting: if we are generating keys from a 128-bit seed then we probably want to store the key itself in the wallet or messenger file in addition to the private keys so that we can provide it when someone asks for it. (You can get the 256-bit key from the seed, but can't get the 128-bit seed from the generated key).

[SomethingGettingWrong]

I know this is old but how does sub address's get affected by going to a 128 bit key...

[jagerman]

I know this is old but how does sub address's get affected by going to a 128 bit key...

It doesn't. The 128-bit seed effectively gets "stretched" into a 256 bit value for the private key; there are different ways to do this, but for example you can just repeat the 128-bit value to get the 256-bit value. The end result is that there is only 128 bits of entropy in that key, but in terms of usability it's indistinguishable from a random 256-bit value that just happened to repeat itself (this is extremely unlikely, but still technically possible).