Bitcoin Forum
Author Topic: Seed phrases, Private/Public keys, xpriv and xpub  (Read 283 times)
Upgrade00 (OP)
December 30, 2019, 11:00:34 PM
Last edit: December 31, 2019, 10:45:28 AM by Upgrade00
Merited by CryptopreneurBrainboss (3), Quickseller (2), pooya87 (1), DdmrDdmr (1), tranthidung (1), o_e_l_e_o (1), RapTarX (1)
 #1

I made a thread recently, How best to secure your Private Keys and/or Seed phrase, and in it I briefly discussed private keys, public keys and master public keys. It turned out I had so many misconceptions about these concepts that I did a little research to try and correct some of them.

The concepts include:
1) Seed Phrase
2) Private Keys
3) Master Private Keys
4) Public keys
5) Master Public Keys

Introduction:
All of the above concepts are related to wallets and asset security. They are also interdependent in specific wallet types like HD wallets.

- Seed Phrases: This is also commonly called a recovery phrase, recovery seed, mnemonic phrase, etcetera. A seed phrase is a collection of 12, 18 or 24 words that are used to back up a wallet address. The words are generated using the BIP 39 standard from a collection of 2048 words.
A degree of randomness (entropy) is used to secure the phrase and it has approximately the same strength as a private key. * This applies to a 12-word seed phrase: 2048^12 = 2^132, so the phrase would have 132 bits of security, but as the words are not entirely randomly chosen its actual security level is 128 bits, corresponding to the private key level. Any higher number of words has a higher level of security.

Code:
red yellow green purple orange indigo violet brown pink grey white blue
A seed phrase can be used to generate all the key pairs of a deterministic wallet and can be used to recover a wallet software in case of loss.

- The words used in a seed phrase can be accurately identified from the first four letters of the word.

"The wordlist can contain native characters, but they must be encoded in UTF-8 using Normalization Form Compatibility Decomposition (NFKD)"

Master extended private key/public key: These can be represented by the acronyms xpriv and xpub respectively. They can be derived from the seed phrase; however, they do not serve the same purpose. A master extended private key is used to generate multiple private keys; however, it cannot be used to sign an address. Xpriv is also used to generate the xpub (master extended public key), which in turn generates all the public addresses in the bitcoin wallet. It is used (on its own) to create a "watch only" wallet; however, it cannot be used to send bitcoin from a wallet. Combined with anyone's private key of an address, it can be used to generate all the other private keys of all related public addresses.

Private keys: This is a 256-bit number; it is a collection of alphanumeric characters (*depending on the encoding). They are used to spend bitcoins in a wallet and also to sign a transaction. They are generated from the xpriv and in turn used to derive the public keys. This process cannot, however, be reversed, i.e., public keys cannot generate the private keys.
- Private keys should never be shared with anyone.
- They should be kept in a secured place and safely backed up.

Public keys: This is derived from the private key multiplied by the curve generator. The sequence cannot be reverse engineered, i.e., public keys cannot be used to generate private keys. It is used only for receiving funds and is displayed publicly whenever a transaction is made.

As mentioned earlier, all these features of an HD wallet are connected; this is the hierarchical system:
*Seed phrase can generate the xpriv and all other key pairs of the wallet
*The Master extended private key can generate all private keys
*The Master extended public key can generate all public keys. Xpub + any private key (nP) can be used to generate all private keys of the other addresses.
*The private key generates the public key associated with it: 1 private key = 1 public key
*The public key cannot be reversed to derive the private key. It is kept public, and hence the algorithm does not support it generating any key/phrase, to ensure security.

pooya87
December 31, 2019, 08:34:21 AM
Merited by DdmrDdmr (1), tranthidung (1), o_e_l_e_o (1), Upgrade00 (1), RapTarX (1)
 #2

Quote
A degree of randomness (entropy) is used to secure the phrase and it approximately has the same strength as a private key.
it has "at least" the same security as a private key.
12 words (which is the minimum number of words) corresponds to 128 bits of entropy, which is the same strength as what a 256-bit key has.
any higher number of words corresponds to a bigger entropy size and a bigger strength.

Quote
Private keys: This is a 256-bit number, it is a collection of alphanumeric characters.
you should've ended the sentence after the comma; the rest depends on your encoding.

Quote
They are generated from the xpriv and in turn used to derive the public keys.
depending on derivation path (non-hardened), public keys could be derived from the master public key without knowing the private key. that is by design.

Quote
Public keys: This is a hashed version of the private keys and is used only for receiving funds. It is compressed to form the unique (wallet) address which is displayed publicly whenever a transaction is made
this doesn't make any sense.
a public key is a point (x and y coordinates) that is calculated by multiplying the private key (the number) by the curve generator. there is no hashing involved.
there is also no "compression"; we use a hash algorithm inside the scripts so that the public key is not revealed until the output is to be spent. the address is encoded from that script using the hash result.


a couple of important things are missing here in my opinion:
[technical] seed:
seed is the entropy used to generate some other desired result. it could be used for generating a private key, a master private key, or mnemonic.
[common mistake] seed:
the set of words returned from BIP39
mnemonic
the correct term for the words returned from BIP39 or as mentioned in OP at least use "seed phrase".

another important matter:
difference between mnemonic and master keys
there is a problem that you will face if you ever want to switch wallets and all you have is your backup, and that is the incompatibility of different implementations that use a mnemonic. for example, if a wallet supports BIP39 you can't import a key generated by Electrum into it because, although it uses the same words and may look the same, it is not the same. things get worse in some LN wallets as they use entirely different cryptography schemes.
it doesn't stop there either. these mnemonics have no information about which derivation path to use. so even if both wallets were supporting BIP39 you still have to specify the derivation path.
but all this difference is only in getting from mnemonic to extended keys. as soon as you get the extended keys (eg. xprv) BIP32 implementation is the same (in almost all cases, exceptions apply).
in that example you may not be able to import your Electrum mnemonic into a BIP39 wallet, but you can import the xprv generated by Electrum into that wallet and get the same result.

knowing that, when backing up your mnemonic you may want to also write down the wallet name that created it and its version. if you have more info writing down the derivation method and the path would also greatly help you in the future.

tranthidung
December 31, 2019, 08:55:33 AM
 #3


  • Public key generated from private key with a one-way process by the elliptic curve multiplication. [1]
  • Address generated from public key with another one-way process, by the cryptographic hash function (Double hash ~ SHA - Secure Hash Algorithm, and RIPEMD - RACE Integrity Primitive Evaluation Message Digest). [2]

[2] From that one you have a public key hash, which is then presented via Base58Check encoding.

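The derivation chain that Upgrade00's xpub/xpriv paragraph, pooya87's reply (#2) and tranthidung's reply (#3) describe, as an added example; this is not code from any poster or from any wallet project. It uses only the Python standard library, implements secp256k1 point arithmetic directly (a demo, not constant-time), derives a BIP32 master key from the seed of BIP32 test vector 1 (assumed only as a convenient fixed input), derives child m/0 both from the private side and from the public side (the xpub case pooya87 mentions), and then recovers the parent private key from xpub plus one non-hardened child private key, which is the caveat in the OP's "combined with anyone's private key" sentence. The P2PKH address step is tranthidung's hash160 + Base58Check and needs an OpenSSL build with ripemd160 enabled.

```python
"""Added example, not code from the thread: secp256k1 key maths and BIP32
derivation with the Python standard library only (hashlib, hmac). It shows that
a public key is d*G with no hashing, that a non-hardened child public key follows
from the parent public key + chain code alone (what an xpub holds), that xpub plus
ONE non-hardened child private key gives back the parent private key, and how a
P2PKH address is hashed and Base58Check-encoded from a public key."""
import hashlib
import hmac

# secp256k1 domain parameters (SEC 2)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def scalar_mult(k, point=G):
    """Double-and-add k*point. Not constant-time: a demo, not a signing library."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def ser_p(point):
    """SEC1 compressed encoding: 02/03 by y parity, then the 32-byte x coordinate."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

def master_from_seed(seed):
    """BIP32 master: HMAC-SHA512(key=b"Bitcoin seed", seed) -> (k_master, chain code)."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]

def _il_ir(chain_code, parent_pub, index):
    """BIP32 non-hardened I = HMAC-SHA512(c_par, ser_P(K_par) || ser32(i)) -> (IL, IR)."""
    i = hmac.new(chain_code, ser_p(parent_pub) + index.to_bytes(4, "big"), hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]

def ckd_priv(k_par, c_par, index):
    """Private child from xprv: k_i = (IL + k_par) mod N, c_i = IR.
    (BIP32 says skip the index if IL >= N or k_i == 0; probability about 2^-128.)"""
    assert index < 0x80000000, "hardened indices (>= 2^31) are not covered here"
    il, c_i = _il_ir(c_par, scalar_mult(k_par), index)
    return (il + k_par) % N, c_i

def ckd_pub(K_par, c_par, index):
    """The same child from the PUBLIC parent only: K_i = IL*G + K_par (what an xpub does)."""
    assert index < 0x80000000
    il, c_i = _il_ir(c_par, K_par, index)
    return point_add(scalar_mult(il), K_par), c_i

def recover_parent_priv(K_par, c_par, index, k_child):
    """xpub + any non-hardened child private key => k_par = (k_child - IL) mod N."""
    il, _ = _il_ir(c_par, K_par, index)
    return (k_child - il) % N

def base58check(payload):
    """Base58Check: payload || SHA256(SHA256(payload))[:4]; each leading 0x00 -> '1'."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def p2pkh_address(pubkey_bytes):
    """Address = Base58Check(0x00 || RIPEMD160(SHA256(pubkey))). Hashing happens only
    here, for the address, not to make the key. Needs OpenSSL with ripemd160 enabled."""
    h160 = hashlib.new("ripemd160", hashlib.sha256(pubkey_bytes).digest()).digest()
    return base58check(b"\x00" + h160)

def demo(seed=bytes.fromhex("000102030405060708090a0b0c0d0e0f")):
    """Seed = BIP32 test vector 1. Derive m/0 from xprv and from xpub, then recover m."""
    m, c = master_from_seed(seed)
    M = scalar_mult(m)
    k0, c0 = ckd_priv(m, c, 0)        # needs the private side (xprv)
    K0, c0_pub = ckd_pub(M, c, 0)     # needs only the public side (xpub = M, c)
    return {
        "child_pub_matches": scalar_mult(k0) == K0 and c0 == c0_pub,
        "parent_recovered": recover_parent_priv(M, c, 0, k0) == m,
        "master_pub": ser_p(M).hex(),
    }
```

Run demo() to see both flags come back True: the public-only derivation agrees with the private one, and the parent private key is recovered from the xpub plus a single child key. Hardened children (index >= 2^31) hash the parent private key instead of the public key, which is exactly why they cannot be derived from an xpub and why that recovery does not work across a hardened step.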
RapTarX
December 31, 2019, 10:01:10 AM
 #4

A Seed phrase is a collection of 12, 18, 24 words that are used to back up a wallet address. The words are generated using BIP 39 standard from a collection of 2048 words.
In Electrum, you can get a custom number of words as the seed key. I don't know about other wallets, and I am not certain if it has any limit; I have generated a seed key with 15 words (extending it with 3 custom words of mine). When you generate a seed in Electrum, click on "Options" and put a tick in the popup box. In the next step, you will be asked for your custom words. Likewise, you will be asked to enter your seed and the custom words when you verify the seed key at the second step.


I guess you must do some work on the thread. Bold the sub-headings; I was having a hard time finding some terms in the thread.

dzungmobile
December 31, 2019, 10:21:59 AM
 #5

Extend seeds or not, the most important things to do are: saving seeds in different backups, and saving them offline.
It is useless if you extend your seeds and lose the backup of the seed extensions, and if you lose your backup (default or extended seeds), you will lose your money.

Upgrade00 (OP)
December 31, 2019, 10:44:03 AM
 #6

...

Thanks for the corrections, I was trying to keep it as simple as possible but used the wrong words in some instances. OP edited.

I guess you must do some works in the thread. BOLD the sub-heading
Done

o_e_l_e_o
December 31, 2019, 01:54:22 PM
 #7

A degree of randomness (entropy) is used to secure the phrase and it approximately has the same strength as a private key. * this applies to a 12 word seed phrase: 2048^12 = 2^132 and the phrase would have 132 bits of security, but as the words are not entirely randomly chosen it's actual security level is 128 bits, corresponding to private key level. Any higher number of word combination has a higher level of security.
In addition to pooya87's corrections above, there are a couple of other things wrong with this paragraph.

The phrase isn't secured by a "degree of randomness". The phrase is generated extremely precisely from the seed number, which should be entirely random. The reason it is 128 bits rather than 132 is not to do with how the words are chosen, but the fact that the last 4 bits are a checksum.

In electrum, you can get custom number of words as seed key.
These custom words are also known as a passphrase. They are not part of your seed phrase. Your seed phrase remains as the 12 or 24 words it was previously. Passphrases are combined with the seed phrase to generate different sets of addresses. Some wallets (such as hardware wallets) place a limit of 100 characters as a passphrase, but theoretically they could be as long as you like. There is also no limit to how many different passphrases you can combine with a seed phrase to lead to different sets of addresses.

mnemonic
the correct term for the words returned from BIP39 or as mentioned in OP at least use "seed phrase".
I actually prefer the term seed phrase rather than mnemonic phrase, since the last thing you should be doing with these phrases is relying on your memory to back them up.
BrewMaster
December 31, 2019, 03:40:04 PM
Merited by RapTarX (1)
 #8

A Seed phrase is a collection of 12, 18, 24 words that are used to back up a wallet address. The words are generated using BIP 39 standard from a collection of 2048 words.
In electrum, you can get custom number of words as seed key. Don't know about other wallets & I am not certain if it has any limit; I have generated seed key with 15 words seed(extending 3 of custom words of mine). When we generate seed in Electrum, click on "Option" & put a tick on the popup box. In the next step, you will be asked for your custom words. As same, you will be asked for putting your seed & the custom words when you do verify the seed key at the second step.

this has nothing to do with the number of words in an Electrum seed. your actual seed still has the same 12 words as always. the only thing you did was use a slightly longer "salt" than normal to generate the master private key from your seed, and for that there is virtually no limit, as a salt can be extremely long.

as for the limit on the number of words itself, since we are basically converting random entropy of certain sizes with padding (the checksum) into words, there can only be a fixed set of word counts: 12, 15, 18, 21, 24, corresponding to 128, 160, 192, 224 and 256 bit entropies.

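The bit arithmetic behind this post, o_e_l_e_o's checksum and passphrase corrections (#7) and the OP's 2048^12 paragraph, as an added example; it is not code from any poster or from Electrum. Standard library only. Words are handled as 11-bit wordlist indices because the 2048-word BIP39 English list is not embedded here; the one fact about it used below is that index 3 is "about", which is why all-zero entropy gives the well-known "abandon x11 about" phrase. The PBKDF2 step is where the "custom words" go: they are a salt on top of the mnemonic, not extra seed words, as BrewMaster says.

```python
"""Added example, not code from the thread: BIP39 entropy -> checksum -> 11-bit word
indices, the reverse mapping with checksum verification, and the PBKDF2 step that turns
mnemonic + optional passphrase into the 64-byte seed that BIP32 consumes."""
import hashlib
import unicodedata

def word_count(entropy_bits):
    """BIP39: checksum is ENT/32 bits; (ENT + ENT/32) is split into 11-bit words."""
    if entropy_bits % 32 or not 128 <= entropy_bits <= 256:
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    return (entropy_bits + entropy_bits // 32) // 11       # 12, 15, 18, 21 or 24

def entropy_to_indices(entropy):
    """Append the first ENT/32 bits of SHA256(entropy), then cut into 11-bit indices."""
    ent = len(entropy) * 8
    cs = ent // 32
    n_words = word_count(ent)
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    bits = (int.from_bytes(entropy, "big") << cs) | checksum
    return [(bits >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]

def indices_to_entropy(indices):
    """Reverse mapping; raises on a bad checksum. This is why a 12-word phrase has
    2^128 valid values, not 2^132: the last 4 bits of the last word are not free."""
    total = len(indices) * 11
    if total % 33 or len(indices) not in (12, 15, 18, 21, 24):
        raise ValueError("invalid word count")
    cs = total // 33                       # ENT + ENT/32 == 33 * cs
    ent = total - cs
    bits = 0
    for idx in indices:
        if not 0 <= idx < 2048:
            raise ValueError("index out of range")
        bits = (bits << 11) | idx
    entropy = (bits >> cs).to_bytes(ent // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    if bits & ((1 << cs) - 1) != expected:
        raise ValueError("checksum mismatch")
    return entropy

def mnemonic_to_seed(mnemonic, passphrase=""):
    """PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase, both NFKD.
    The passphrase is a salt, so any length works and every distinct passphrase
    yields a different, unrelated wallet; losing it loses the coins."""
    m = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", m, salt, 2048, dklen=64)

def checksum_rejects_last_word_changes(indices):
    """How many of the 2048 alternatives for the last word pass the checksum (should be
    2^(11-cs): 128 of 2048 for 12 words). The rest are rejected at import time."""
    ok = 0
    for alt in range(2048):
        try:
            indices_to_entropy(indices[:-1] + [alt])
            ok += 1
        except ValueError:
            pass
    return ok
```

With 12 words only 128 of the 2048 candidates for the final word survive the checksum, so a wallet can catch most single-word transcription errors, but it cannot tell two different valid phrases apart; and since the passphrase is outside the checksum entirely, a mistyped passphrase silently opens an empty wallet rather than producing an error.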