Why does Monero use a 256 bit seed?

2018-03-16 17:39:14

Apparently, ECC 256 bit keys have a bit strength of 128 bits. See https://crypto.stackexchange.com/questions/26791/how-many-bits-of-entropy-does-an-elliptic-curve-key-of-length-n-provide

And apparently, no one needs more than 128 bits of entropy https://security.stackexchange.com/questions/102157/do-you-need-more-then-128bit-entropy

So if I'm correct in saying that it's pointless for the private spend key to be derived from a seed with more than 128 bits of entropy, and given that it is currently the case that the private view key is derived from a hash of the private spend key, why does Monero use a 256 bit seed?

Perhaps the 'multi-target attack' mentioned here is relevant? https://crypto.stackexchange.com/questions/39991/can-i-use-128-bits-of-entropy-and-a-kdf-to-make-a-256-bit-ecc-key