Some thoughts about the Seedtool Specification
I think the default (encouraged) sizes for BIP-39 should be 12 words and SLIP-39 shares should be 20 words.
The only arguments I'm aware of for the larger sizes are:
-
They are much more secure. I think this is a really bad deal. 128 bits of entropy are completely adequte and the additional cost of recording, transcribing etc of the larger sizes have a terrible cost, especially with the low-tech methods we otherwise desire for cold storage security.
-
They help secure the recovery procedure of the Trezor One. The Trezor Wiki describes it well:
To mitigate any risks of the seed being compromised by malicious key-logging software, the Trezor One device instructs the user to enter the individual words in random order - instead of entering all words in sequence from the first word to the last one. Computing a valid seed out of 24 random seed words is almost impossibly difficult (i.e., this never happens).
To add more strength (randomness) when recovering a 12-word seed on Trezor One, there are 12 fake dummy words introduced by the device and mixed in the pool with the real words. The user inputs the real words mixed with the fake ones, all randomly shuffled, and the device itself sorts them out.
The recovery process using Trezor Model T is limited to the "on-device" input, meaning that the words never touch a potentially compromised environment and always stay safe as you type them in using the touchscreen. In this case, 12 words are sufficient. The 128-bit entropy (randomness) provided by 12 words is widely considered to be plenty secure.
The proposal is to use all 32 bytes of the SHA256 hash as a seed:
The SHA256 is then taken of the resulting array, yielding a deterministic seed.
If a smaller seed is desired, the --count option can specify that the SHA256 be truncated to a fewer number of bytes.
I am aware of 3 similar tools:
-
Ian Coleman's Mnemonic Code Converter
-
Miron Cuperman's PyMultiWallet
-
Blockchain Common's LetheKit Seedtool
All three use the first 16 bytes of the SHA256 hash as the seed. All three generate the same mnemonic passphrase for the dice roll of "123456".
PyMultiWallet:
[user@arduino pymultiwallet] git:(master)$ mw --entropy --generate
Enter entropy string followed by a \n. No entropy is added, make sure you provide enough.
: 123456
mirror reject rookie talk pudding throw happy era myth already payment owner
Mnemonic Code Converter:
settings: "Show entropy details", Entropy="123456", "Base 10", "12 words"