What does it mean that the security of Bitcoin public keys and 256-bit ECDSA is 128 bits?



I'm reading the Mastering Bitcoin book and came across the following:

From a security perspective, the amount of entropy actually used for
the production of HD wallets is roughly 128 bits, which equals 12
words. Providing more than 12 words produces additional entropy which
is unnecessary, and this unused entropy is not used for the derivation
of the seed in the way that one might initially suspect.

It says that using more than 12 words (128-bit entropy) is unnecessary. It sounded extremely strange to me, because the seed from which wallets are made can go up to 512 bits. Thus, 256-bit entropy would provide a higher degree of security. So I did some research and in the third edition of the given book (which is still being written) I came across the following:

The security strength of a Bitcoin public key is 128 bits. An attacker
with a classical computer (the only kind which can be used for a
practical attack as of this writing) would need to perform about 2^128
operations on Bitcoin's elliptic curve in order to find a private key
for another user's public key. The implication of a security strength
of 128 bits is that there's no apparent benefit to using more than 128
bits of entropy (although you need to ensure your generated private
keys are chosen uniformly from within the entire 2^256 range of
private keys).

So I understand where the claims are coming from that it isn't worth having more than 12 mnemonic codewords (128 bits), although the given claim is not clear to me at all. Upon further research, I found out that 256-bit ECDSA has 128 bits of security. And this is where my confusion started, so I have two questions:

  1. What does it mean that the security of 256-bit ECDSA, and therefore Bitcoin keys, is 128 bits? I mean, if I have roughly 2^256 possible points on the elliptic curve (thus possible public keys), and therefore private keys, wouldn't that require roughly 2^256 computations to find the public key (or slightly less if the key is reached early)? From this it seems to me like the security is around 256 bits?

  2. If security is 128 bits, then why do we even have a 512-bit seed? I mean, why isn't it 128 bits, since the extra bits don't increase security?

Something is seriously not clear to me here. Any help would be appreciated.
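Added example, not part of the original question or of the book: the "about 2^128 operations" figure quoted above reflects generic discrete-log algorithms that need roughly sqrt(n) group operations in a group of order n, rather than n key guesses. The sketch below shows that scaling with baby-step giant-step on a constructed toy curve of the same form as Bitcoin's (y^2 = x^3 + 7); the field prime 10007 and all function names are assumptions chosen for illustration.

```python
from math import isqrt

P, B = 10007, 7  # toy field prime (constructed); curve y^2 = x^3 + 7, the secp256k1 form

def add(p1, p2):
    """Add two curve points; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # a point plus its negative
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def base_point():
    """Return the first point found by scanning, and its order n."""
    g = next((x, y) for x in range(P) for y in range(1, P) if (y * y - x**3 - B) % P == 0)
    n, q = 1, g
    while q is not None:  # count additions until n*g is the point at infinity
        q, n = add(q, g), n + 1
    return g, n

def bsgs(g, n, q):
    """Baby-step giant-step: return (k, point_additions) with k*g == q."""
    m = isqrt(n - 1) + 1  # ceil(sqrt(n))
    table, pt = {}, None
    for j in range(m):  # baby steps: store j*g for j < m
        table[pt] = j
        pt = add(pt, g)
    step, cur, ops = mul(n - m, g), q, m  # step = -m*g
    for i in range(m):  # giant steps: test q - i*m*g against the table
        if cur in table:
            return i * m + table[cur], ops
        cur, ops = add(cur, step), ops + 1
    raise ValueError("q is not a multiple of g")

if __name__ == "__main__":
    g, n = base_point()
    print("order:", n, "(k, additions):", bsgs(g, n, mul(n - 2, g)))
```

The addition count stays below 2*ceil(sqrt(n)) even for a key near the top of the range, which is the same square-root relationship that turns a roughly 2^256-element group into roughly 2^128 work.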
