The full list of accepted mnemonic codes to secure a wallet is defined by the BIP-39 specifications. Note that picking up 12 random words from the list is not enough and leads to poor security. Make sure to carefully follow the steps described in the protocol when you generate words for a new wallet.
“full list of accepted mnemonic codes” – does this mean that all (12-word) combinations which are generated according to BIP39 can also be safely used with Daedalus?
If the relation to BIP39 is maintained, why not allow 15-, 18-, 21- and 24-word mnemonics? Mnemonics which encode only 128 bits of entropy (12-word ones) will become vulnerable once quantum computing becomes a viable threat. I’d hate to see a scenario where the first quantum attacks take place and people would have to be warned manually to generate new mnemonics and transfer funds as quickly as possible.
Cardano uses the BIP39 word list, but the mnemonic implementation differs from the BIP39 standard for some unexplained reason: wallet/src/Pos/Util/Mnemonic.hs. It’s unclear to me too if all BIP39 mnemonics are also valid and strong Cardano mnemonics.
I also think that longer keys should be supported, as they are harder to brute-force using a quantum computer.
They use the BIP39 for the 12-word mnemonic (have not checked the others), but CBOR-ing (Concise Binary Object Representation) the outputs (the entropy, hashes etc.).
AFAIK, they are getting rid of the CBOR slowly, but I am not sure, as I do not follow the development as deeply as I did in the past.
The hash algorithms are not really affected by that threat, but the PKCs and some other algs are. So, the threat does not depend on the entropy generated from the mnemonic, but on the lower layers.
As far as I know, it’s true that 256-bit output hash functions (in our case, Blake2b-256) are probably okay post-quantum (read: they have a security strength of at least 128 bits for all attack types), although I couldn’t find reassuring info for this on Blake2b-256, and e.g. Brassard et al. think that a cbrt(2^d) reduction of security strength is possible, but let’s put that aside for now.
My main point is that if you feed 128 bits of entropy into a 256-bit output function, then you only attained the security level you would have with a 128-bit function (64 bits, excluding a birthday attack scenario). The length of the mnemonic does affect the safety of the funds, because you can get only 128 bits of entropy from 12 BIP39 words.
That means Daedalus also uses a 27-word mnemonic for the paper wallet (and I heard about some other types of x-word mnemonics too, I do not really remember what the x-es can be).
Anyway, you are right that
the entropy should be bigger than 128 (best would be 256, but think about it a bit: how much time do you need to crack 128 bits of entropy at the moment (pre-quantum era)? So I am not afraid at all) and
that a 128-bit func is only 64 bits secure (against quantum computers).
But, I do not think that it really matters at the moment, as every crypto, including Cardano, would evolve over time.
Meaning they will replace/refine the algs with ones that are more resilient to quantum computers. Bitcoin and other CC would face the same issue, and Cardano also uses mixed hash algs to reduce the attack surface.
That means Daedalus also uses a 27-word mnemonic for the paper wallet (and I heard about some other types of x-word mnemonics too, I do not really remember what the x-es can be).
I have yet to understand what the 27-word mnemonic is for. But if funds can be retrieved via the 12-word one, then it’s only 128 bits of entropy.
How much time do you need to crack 128 bits of entropy at the moment (pre-quantum era)? So I am not afraid at all
they will replace/refine the algs with ones that are more resilient to quantum computers.
I share your view about the present, but not your optimism. Once we’re post-quantum, those possessing the capability may not announce it publicly – the financial incentive is simply too high. Preparing for post-quantum means transitioning to resistant solutions before damage is done.
Bitcoin and other CC would face the same issue, and Cardano also uses mixed hash algs to reduce the attack surface.
Monero transitioned to 25-word mnemonics. They are not fully quantum-proof yet, but it’s a step forward.
I’m not sure if mixed hash algos help here. Grover’s algo affects hash algos mostly based on their digest size, but I may be wrong about this.
Words are only indexes, meaning you need 11 bits for one word (2^11), as Cardano uses BIP39’s English wordlist; therefore a 27-word mnemonic (which is not BIP39 compatible) is 297 bits, which means 41 bits for CRC and 256 for entropy. That’s why the 12 “abandon” words are not good for mnemonics, as the 4-bit CRC (the hashed 128-bit entropy’s last 4 bits) is invalid.
Yes, you’re right, but it’s similar to the early days back in the 90’s, when we used weaker algos, and they evolved over time; the same applies to the present, we will use stronger and stronger algos over time. Also, the quantum-resistant funcs have not really proven their strength yet, they’re still in the infant stage.
I would say we have ~10 yrs or more (based on what the experts say), but when the time arrives, we will be prepared for that threat, but as I said crypto’s algs need time to prove themselves and evolve.
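The "11 bits per word, last bits are a checksum" explanation above, and the earlier point that 12 words carry only 128 bits of entropy, can be checked with the standard BIP39 encoding. This is an added example, not code from the thread or from Daedalus/Cardano; it covers only the standard BIP39 lengths (12 to 24 words), not the 27-word paper-wallet format, and works on word indices so it does not need the 2048-word list embedded (index 0 is "abandon" and index 3 is "about" in the English list).

```python
import hashlib
from typing import List, Tuple

WORD_BITS = 11                 # 2048-word list -> each word is an 11-bit index
VALID_WORD_COUNTS = (12, 15, 18, 21, 24)


def entropy_to_indices(entropy: bytes) -> List[int]:
    """BIP39 encoding: ENT bits of entropy, then ENT/32 checksum bits taken from
    the start of SHA-256(entropy), split into 11-bit word indices."""
    ent = len(entropy) * 8
    if ent not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    cs = ent // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    bits = (int.from_bytes(entropy, "big") << cs) | checksum
    total = ent + cs
    return [(bits >> (total - WORD_BITS * (i + 1))) & 0x7FF
            for i in range(total // WORD_BITS)]


def indices_to_entropy(indices: List[int]) -> Tuple[bytes, bool]:
    """Decode word indices back to entropy and recompute the checksum.
    Returns (entropy, checksum_ok). A passing checksum only proves the words
    were derived from *some* entropy, not that the entropy was random."""
    n = len(indices)
    if n not in VALID_WORD_COUNTS:
        raise ValueError("BIP39 mnemonics have 12, 15, 18, 21 or 24 words")
    total = n * WORD_BITS
    cs = total // 33                 # ENT + ENT/32 == total  =>  CS = total/33
    ent = total - cs
    bits = 0
    for idx in indices:
        if not 0 <= idx < 2 ** WORD_BITS:
            raise ValueError("word index out of range")
        bits = (bits << WORD_BITS) | idx
    entropy = (bits >> cs).to_bytes(ent // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    return entropy, (bits & ((1 << cs) - 1)) == expected


def entropy_bits(word_count: int) -> int:
    """Entropy carried by a mnemonic of this length (12 -> 128, 24 -> 256)."""
    return word_count * WORD_BITS * 32 // 33


if __name__ == "__main__":
    # Constructed check with all-zero entropy (the well-known BIP39 test vector).
    print(entropy_to_indices(bytes(16)))      # 11 x index 0 then 3: "abandon"*11 + "about"
    print(indices_to_entropy([0] * 12)[1])    # False: 12 x "abandon" fails the checksum
```

Picking 12 words by hand, as the Daedalus note warns against, fails `indices_to_entropy` roughly 15 out of 16 times, and the 1 in 16 that pass are no stronger for it.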
Are you suggesting that funds can be restored only through the 27-word mnemonic? If so (or not), could you link to the relevant documentation? I tried to find it myself but failed.
And if only the 27-word one is sufficient for a full recovery, then what is the 12-word one for?