Haarang

Why 12 Words Is All You Need

The Mathematics of Unbreakable Encryption

1. The Problem With Passwords

In 2024, the average person manages 168 passwords. 65% reuse passwords across services. Over 15 billion credentials have been exposed in data breaches, available on the dark web for less than $10 per account.[1]

A typical 8-character password chosen by a human contains approximately 30-40 bits of entropy. At current GPU cracking speeds of ~100 billion attempts per second (RTX 4090 × 8 rig), such a password falls in under 10 seconds.[2]

More critically: passwords require the server to know the secret. Every password you type is transmitted to a remote server, compared against a stored hash, and validated. If that server is compromised — and 1,802 US data compromises occurred in 2023 alone[3] — your content is exposed. The server model is fundamentally broken for anything you want to keep private.

NIST Special Publication 800-63B explicitly recommends against password-only authentication and advises moving toward phishing-resistant, cryptographic methods.[4]A seed phrase is exactly that.

2. What Is A Seed Phrase?

A seed phrase is 12 (or 24) common English words drawn from a standardized list of 2,048 words, defined by BIP39 — Bitcoin Improvement Proposal 39.[5] This standard has secured over $100 billion in Bitcoin since 2013. It has been subjected to 10+ years of continuous, high-stakes cryptographic review by the world's best security researchers. It has never been broken.

divert   float   elbow   scissors   auction   hurdle
either   problem   party   source   picture   forest

These 12 words are mathematically transformed into a 256-bit encryption key through PBKDF2-HMAC-SHA512 with 2,048 rounds.[6] The 2,048-word list was designed for maximum human error resistance: no visually similar words, no homophones, every word uniquely identifiable by its first 4 letters.

The 12th word contains a built-in checksum. Mistype any word and the browser immediately tells you — the error is caught before any decryption is attempted.

3. The Math: From Words To Key

Step 1: 12 words → 132 bits (11 bits per word) + 4-bit checksum
Step 2: PBKDF2-HMAC-SHA512(mnemonic, salt="mnemonic", 2048 rounds)
Step 3: First 32 bytes of resulting 64-byte seed → AES-256 key
Step 4: AES-256-GCM(nonce, plaintext) → ciphertext + 16-byte auth tag

AES-256-GCM provides authenticated encryption — the ciphertext is not only encrypted, but verifiably untampered. Any modification to the encrypted file is detected and rejected.[7]This is the same algorithm approved by the NSA for TOP SECRET classified information.[8]

Encryption overhead: just 28 bytes (12-byte nonce + 16-byte auth tag). A 10,000-word essay grows by approximately 0.05%.

4. Why It Cannot Be Broken

This is not a debatable claim. It is a mathematical certainty bounded by physics.

Key typeEntropyCombinationsCrack time (10¹² tries/s)
4-digit PIN13 bits10,000Instant
8-char password~35 bits~3.4×10¹⁰0.03 seconds
16-char random~95 bits~6.3×10²⁸~2 billion years
12-word BIP39128 bits3.4×10³⁸1.08×10¹⁹ years
24-word BIP39256 bits1.16×10⁷⁷3.67×10⁵⁷ years

For comparison: the age of the universe is 1.38×10¹⁰ years.

The crack time assumes 1 trillion attempts per second — roughly the entire Bitcoin network's hash rate (~700 EH/s). Even if you turned every atom on Earth into a perfect computer operating at the Landauer limit (the theoretical minimum energy per computation)[9], brute-forcing 128 bits would consume more energy than the Sun outputs in a year.

This is a physics problem. No advances in AI, quantum computing, or any future technology can reduce the search space of a properly random key. AES-256 is quantum-resistant — Grover's algorithm can at best halve the effective key length to 128 bits, which remains unbreakable.[10]

Bottom line: A 12-word BIP39 seed phrase is harder to crack than the universe is old, by a factor of ~780 million. A 24-word phrase is harder by a factor of ~2.6×10⁴⁷ — a number with 48 digits.

5. Zero-Knowledge Architecture

The critical property is not just the encryption — it's where the encryption happens.

Traditional Password System:
You → [type password] → Server receives password → Server compares → Access
Server knows the secret. Compromise = total exposure.
Dycerism Seed Phrase System:
You → [type 12 words in browser] → Key derived locally → Browser decrypts .enc
Server never sees the key. Server hosts only encrypted noise.

This is called zero-knowledge. The hosting provider sees only files that appear to be random data. Even if compelled by a court order, they cannot decrypt your content. The key exists only in the memory of the person who knows the 12 words.

No login form. No username. No email. No password reset. No API. No database of credentials. The 12 words are the access. No gate to breach.

6. Etched Into Time

A website expires. A domain lapses. A server shuts down. The vault survives:

IPFSContent-addressed permanent web. Encrypted files pinned to IPFS exist as long as one node remembers.[11]
BitcoinContent hashes embedded in Bitcoin transactions via OpenTimestamps. As long as Bitcoin exists, proof of your content exists.[12]
Metal12 words engraved on steel. Fireproof. Waterproof. EMP-proof. Three copies, three locations.

Citations

  1. Have I Been Pwned. Pwned Passwords. Troy Hunt, 2024.
  2. Hashcat. GPU Benchmark Results: NTLM on RTX 4090. hashcat.net, 2024.
  3. Identity Theft Resource Center. 2023 Data Breach Report. ITRC, January 2024.
  4. NIST. SP 800-63B: Digital Identity Guidelines. NIST, 2017.
  5. Palatinus, M., Rusnak, P. BIP-0039: Mnemonic code for generating deterministic keys. Bitcoin Improvement Proposals, 2013.
  6. NIST. SP 800-132: Recommendation for Password-Based Key Derivation. NIST, 2010.
  7. NIST. FIPS 197: Advanced Encryption Standard (AES). NIST, 2001; updated 2023.
  8. NSA. Suite B Cryptography. NSA, 2005. Superseded by CNSA Suite 2.0 (2022) which continues to mandate AES-256.
  9. Landauer, R. Irreversibility and Heat Generation in the Computing Process. IBM Journal, 1961.
  10. NIST. NIST IR 8413: Post-Quantum Cryptography Standardization. NIST, 2022. Grover's algorithm reduces AES-256 to 128 bits, still infeasible.
  11. Benet, J. IPFS — Content Addressed, Versioned, P2P File System. Protocol Labs, 2014.
  12. Todd, P. OpenTimestamps. 2016.

Dycerism v1.0 · Enter the Vault