
Apparently, ECC 256 bit keys have a bit strength of 128 bits. See https://crypto.stackexchange.com/questions/26791/how-many-bits-of-entropy-does-an-elliptic-curve-key-of-length-n-provide

And apparently, no one needs more than 128 bits of entropy https://security.stackexchange.com/questions/102157/do-you-need-more-then-128bit-entropy

So if I'm correct in saying that it's pointless for the private spend key to be derived from a seed with more than 128 bits of entropy, and given that it is currently the case that the private view key is derived from a hash of the private spend key, why does Monero use a 256 bit seed?

Perhaps the 'multi-target attack' mentioned here is relevant? https://crypto.stackexchange.com/questions/39991/can-i-use-128-bits-of-entropy-and-a-kdf-to-make-a-256-bit-ecc-key

Update: Multi-target attacks do not appear to be an issue. See https://crypto.stackexchange.com/questions/56541/is-it-safe-to-generate-two-256-bit-ecc-keys-from-128-bits-of-entropy

Update 2: It looks like BIP32 actually recommends that 256 bits of entropy are used to generate a Bitcoin wallet. See https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#Master_key_generation

This means that the 13 word, 128 bit seeds used in many Bitcoin wallets actually go against the recommendation in BIP32.

Therefore Monero is actually following the recommendations of BIP32 by using 256 bits of entropy via a 25 word seed.

Perhaps the real question should therefore be: Why do Bitcoin HD wallets use only 128 bit seeds, and ignore the BIP32 recommendation? I've asked that question here: https://bitcoin.stackexchange.com/questions/72612/bip32-recommends-a-256-bit-seed-why-do-most-bitcoin-wallets-only-use-a-128-bit

knaccc

2 Answers


BIP32 recommends that 256 bits of entropy are used to generate a Bitcoin wallet. See https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#Master_key_generation

This means that the 13 word, 128 bit seeds used in many Bitcoin wallets actually go against the recommendation in BIP32.

Monero is following the recommendations of BIP32 by using 256 bits of entropy via a 25 word seed.

I asked the author of BIP32, Pieter Wuille, why 256 bits were recommended instead of 128. He responded in the comments here: https://bitcoin.stackexchange.com/questions/72612/bip32-recommends-a-256-bit-seed-why-do-most-bitcoin-wallets-only-use-a-128-bit

He said:

Well, being able to break an EC key with just 2^128 steps is somewhat theoretical. In practice, these algorithms have significant memory/cpu tradeoffs, and in practice would still be much slower than a straight 2^128 exhaustive search on keys with just 128 bits of entropy. I guess the answer is defense in depth: less than 128 bits of entropy definitely hurts security. Less than 256 bits may hurt.

We therefore have an answer. 256 bits gives us defense in depth, because fewer than 128 bits of entropy may hurt security.

knaccc

If you can create a bidirectional lossless transformation between a 128 bit number and a 256 bit secret key, then this could be used to create a mnemonic seed. I am aware of no such bidirectional lossless transformation. That lack of knowledge of a solution explains why Monero does not have one.

user36303
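The entropy-versus-key-strength comparison raised in the question, and the lossless-versus-one-way distinction in user36303's answer, as an added worked example (not code from the question, the answers, or the Monero project). It assumes a Monero-style encoding of 3 words per 32-bit chunk from a 1626-word list; the word list is a constructed stand-in and SHA3-256 stands in for Monero's Keccak-256.

```python
"""Seed entropy vs. EC key strength with a Monero-style word encoding.

Added illustration, not code from the question or the answers. Assumptions:
3 words per 32-bit chunk from a 1626-word list (12 words = 128 bits,
24 words = 256 bits, checksum word ignored); WORDS is a constructed
stand-in list; SHA3-256 stands in for Monero's Keccak-256 seed stretching.
"""
import hashlib

N = 1626
WORDS = [f"w{i}" for i in range(N)]  # constructed stand-in word list

def chunk_to_words(x: int) -> list[int]:
    # Encode one 32-bit value as three word indices (N**3 > 2**32).
    w1 = x % N
    w2 = (x // N + w1) % N
    w3 = (x // N // N + w2) % N
    return [w1, w2, w3]

def words_to_chunk(w1: int, w2: int, w3: int) -> int:
    # Exact inverse of chunk_to_words: the word encoding is lossless.
    return w1 + N * ((w2 - w1) % N) + N * N * ((w3 - w2) % N)

def seed_to_words(seed: bytes) -> list[str]:
    out = []
    for i in range(0, len(seed), 4):
        x = int.from_bytes(seed[i:i + 4], "little")
        out += [WORDS[j] for j in chunk_to_words(x)]
    return out

def words_to_seed(words: list[str]) -> bytes:
    idx = [WORDS.index(w) for w in words]
    return b"".join(words_to_chunk(*idx[i:i + 3]).to_bytes(4, "little")
                    for i in range(0, len(idx), 3))

def stretch_seed(seed: bytes) -> bytes:
    # One-way: a 128-bit seed yields a 256-bit key, but the key cannot be
    # mapped back to the seed, so a short mnemonic must encode the seed.
    return hashlib.sha3_256(seed).digest()

def effective_security_bits(seed_entropy_bits: int, curve_bits: int = 256) -> int:
    # Generic ECDLP attacks cost ~2**(curve_bits/2); guessing the seed costs
    # 2**entropy. The attacker takes the cheaper path, so beyond 128 bits of
    # entropy the curve, not the seed, bounds the work factor.
    return min(seed_entropy_bits, curve_bits // 2)

if __name__ == "__main__":
    short, long_ = bytes(range(16)), bytes(range(32))  # constructed seeds
    print(len(seed_to_words(short)), len(seed_to_words(long_)))  # 12 24
    print(effective_security_bits(128), effective_security_bits(256))  # 128 128
```

The round trip through words works for both seed lengths, while `stretch_seed` has no inverse, which is the property the 13-word and 25-word designs differ on.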