Bitcoin Forum

bip39 is a design implementation that lays out how cryptocurrency wallets create the set of words (mnemonic codes) that make up a mnemonic set, and how the wallet converts the seed into mnemonic codes that are used to derive extended keys that can be used to derive private bitcoin keys. with these 4 foils i would like to bring you closer to this important topic. there are also numerous threads about it but to continue working on my 'slide threads' i decided to create a new one ;D
i hope that this topic will be well received by you and will appeal to more users

https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki (https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki)

https://www.talkimg.com/images/2023/09/07/msM6D.jpeg https://www.talkimg.com/images/2023/09/07/msmjf.jpeg
https://www.talkimg.com/images/2023/09/07/ms6OZ.jpeg https://www.talkimg.com/images/2023/09/07/msRn8.jpeg
https://twitter.com/BTCillustrated (https://twitter.com/BTCillustrated)

It doesn't convert the mnemonics into a seed. It converts the seed into mnemonic. As you demonstrate in the slides, the computer firstly generates 128 + 4 bits, and converts these to mnemonic phrase.

The seed isn't used to create encryption keys, it is used to derive extended keys, which can be used to derive Bitcoin private keys.

@BlackHatCoiner you are absolutely right. i was writing too fast again and already had other thoughts in my head before i wanted to finish the actual sentence/topic
have of course now improved - shame on me :-X

In the slide before last it is misleading to call PBKDF2 a "key stretching" function because although it is how PBKDF2 is categorized but key stretching algorithms are used to make a weak key more secure against brute force attacks.
In case of BIP39, the key (ie. the initial entropy) is not weak at all and it doesn't need to be secured. In other words PBKDF2 in this context is only used as a key derivation function not a key stretching function.

Aren't the 2048 rounds of HMAC-SHA-512 as PBKDF2 there to also make the derivation from the initial seed computationally expensive so that brute-forcing is rendered considerably slower? I don't know much about SHA-512 compared to SHA-256 in terms of computational complexity and expense, though.

While it makes brute-force slower, BIP 39 only state "The iteration count is set to 2048 and HMAC-SHA512 is used as the pseudo-random function."[1].


Theoretically SHA-512 is computationally more complex. Although depending on the hardware and OS, SHA-512 might run faster[1-2].

[1] https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#from-mnemonic-to-seed (https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#from-mnemonic-to-seed)
[2] https://crypto.stackexchange.com/a/26340 (https://crypto.stackexchange.com/a/26340)
[3] https://crypto.stackexchange.com/a/52646 (https://crypto.stackexchange.com/a/52646)

It's certainly slower, but it definitely isn't slow and it definitely isn't considerably slower either. PBKDF2 is already pretty weak, and 2048 rounds is nothing. This is why tools like btcrecover can still check tens of thousand possible seed phrase combinations a second (even once you exclude those with an invalid checksum).

If you wanted actual protection against brute-force attacks, then you would need to up the iteration count to the millions or switch to an algorithm which is actually computational expensive. BIP39 survives without these things due to the initial entropy being at least 2¹²⁸, not because it is difficult to attack.