10

When looking through Monero's source code I was intrigued by the choice of the Mnemonic's 25th word, which is defined as follows:

words += (' ' + words_store[create_checksum_index(words_store, language->get_unique_prefix_length())]);

Which calls:

return result.checksum() % crypto::ElectrumWords::seed_length;

In short, a modulo of 24 is applied on the CRC32 result which then represents the index of a word in the current Mnemonic Seed.

Why was the choice made to reduce CRC32's effect by applying a modulo 24 (and pick a word from the Mnemonic Seed) rather than a modulo 1626 (and pick a word from the dictionary)?

Maxithi

1 Answer

1

Why was the choice made to reduce CRC32's effect...?

Well, it doesn't actually reduce the intended effect in this use-case. Its purpose is to quickly detect if a wrong set of words was entered, nothing more.

Also, as @user36303 commented above regarding cryptosteel, a nice side effect is you can reduce the seed words from 25 to 24 words by simply writing the word that happens to also be the checksum upside-down.

jtgrassie
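The scheme discussed in this thread, as an added Python sketch (not Monero's code and not part of either post): a CRC32 over the word prefixes, reduced modulo 24, selects one of the seed's own words as the 25th, which is why the 25th word can be recomputed from the other 24. The word list is constructed, the prefix length of 3 is an assumed value for `get_unique_prefix_length()`, and `zlib.crc32` is assumed to be the same CRC-32 variant as `result.checksum()`.

```python
import zlib

SEED_LENGTH = 24  # the modulus from the question (crypto::ElectrumWords::seed_length)
PREFIX_LEN = 3    # assumed unique-prefix length of the word list

# Constructed 24-word seed for illustration only (not a real wallet seed).
SEED = ("alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo "
        "lima mike november oscar papa quebec romeo sierra tango uniform "
        "victor whiskey xray").split()


def checksum_index(words, prefix_len=PREFIX_LEN):
    """CRC32 over the concatenated word prefixes, reduced modulo 24."""
    trimmed = "".join(w[:prefix_len] for w in words)
    return zlib.crc32(trimmed.encode("utf-8")) % SEED_LENGTH


def with_checksum(words24):
    """Return the 25-word phrase: the seed plus one of its own words."""
    if len(words24) != SEED_LENGTH:
        raise ValueError("expected 24 seed words")
    return list(words24) + [words24[checksum_index(words24)]]


def verify(words25, prefix_len=PREFIX_LEN):
    """True if the 25th word matches the word the CRC32 index selects."""
    if len(words25) != SEED_LENGTH + 1:
        return False
    seed, last = words25[:-1], words25[-1]
    expected = seed[checksum_index(seed, prefix_len)]
    # Only the prefixes are compared, mirroring how the index is computed.
    return expected[:prefix_len] == last[:prefix_len]


if __name__ == "__main__":
    phrase = with_checksum(SEED)
    print("25th word:", phrase[-1], "valid:", verify(phrase))

    # A wrong word at the position the checksum points to is always caught
    # here, because no remaining seed word shares the 25th word's prefix.
    bad = list(phrase)
    bad[checksum_index(SEED)] = "zulu"
    print("after substitution, valid:", verify(bad))

    # The 24-word form from the answer: the 25th word is recomputable.
    print("restored from 24 words:", with_checksum(phrase[:24]) == phrase)
```

A substitution at any other position changes the CRC32 input as well, but it is only flagged when the new index lands on a different word than before.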