Bitcoin Forum
Author Topic: BIG QUESTION : BIP 0039  (Read 246 times)
fkzktl (OP)
September 13, 2020, 04:32:03 AM
Merited by fillippone (1)
#1

When I create a Bitcoin wallet, it provides 12 words.

such as: bounce error alert step hint way initial drastic impose nephew camera town

one phrase has a value between 1 and 2048 (2^11)

the total number of bitcoin addresses is 2^160.

12 phrases can make 2^11 * 12 phrases = 2^132

1.
Why is the total count different between total bitcoin addresses (2^160) and 12 phrases (2^132)?

2.
BIP 39 : abandon > 1
Bitcoin Address 'abandon(1) abandon(1) abandon(1) abandon(1) abandon(1) abandon(1) abandon(1) abandon(1) abandon(1) abandon(1)'
I thought I could restore the wallet with these 12 words, but it doesn't connect to a wallet.
pooya87
September 13, 2020, 04:41:35 AM
Merited by ABCbits (2), fillippone (2), o_e_l_e_o (2), nc50lc (1), Heisenberg_Hunter (1)
#2

The logic is that a Bitcoin private key, which is a 256-bit number, has half that much as its security, meaning 128 bits.
An entropy of 128 bits has 128 bits of security, so a seed used to derive child keys that has the same level of security must be as secure.

A 12-word mnemonic is the human-readable encoding of 128 bits of entropy + 4 bits of checksum.

Quote
Why is it different between total bitcoin addresses (2^160) and 12 phrases (2^132)
Address is irrelevant here; the private key is the only thing that matters.

Quote
2.
BIP 39 : abandon > 1
Bitcoin Address 'abandon(1) abandon(1) abandon(1) abandon(1) abandon(1) abandon(1) abandon(1) abandon(1) abandon(1) abandon(1)'
I thought I could restore the wallet with these 12 words, but it doesn't connect to a wallet.
As I said, BIP39 mnemonics are not random words; they are the encoding of the entropy + a checksum, to both pad it to a length divisible by 11 and ensure error detection.
When you choose random words (12x abandon) your checksum is incorrect; consequently the mnemonic is rejected by any decent wallet. When you choose any other number of words (10x abandon here) it is an invalid length for the entropy (and the corresponding number of words), which is not defined by BIP-39; consequently that is also rejected.

HCP
September 13, 2020, 05:43:16 AM
Merited by Welsh (4), ABCbits (2), fillippone (2), o_e_l_e_o (2), Heisenberg_Hunter (1)
#3

Quote
1.
Why is the total count different between total bitcoin addresses (2^160) and 12 phrases (2^132)?
The phrase-to-address relationship is not 1:1... as pooya87 explained, the phrases encode a specific entropy value + checksum... from this entropy, a seed is derived... from that seed, you can derive (unlimited) addresses via derivation paths etc.


Quote
2.
BIP 39 : abandon > 1
Bitcoin Address 'abandon(1) abandon(1) abandon(1) abandon(1) abandon(1) abandon(1) abandon(1) abandon(1) abandon(1) abandon(1)'
I thought I could restore the wallet with these 12 words. but it doesn't connect to a wallet.
The "first" valid 12 word phrase is: abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about

The 12th word needs to be "about", so that the checksum matches.


Essentially, what you're trying to encode in this situation is the entropy: 0x00000000000000000000000000000000 (a 16 byte, 128 bit number)

The SHA256 of the HEX entropy gives us:
Code: (https://emn178.github.io/online-tools/sha256.html)
374708fff7719dd5979ec875d56cd2286f6d3cf7ec317a3b25632aab28ec37bb
NOTE: enter 00000000000000000000000000000000 and select value as "HEX"

The number of checksum bits we use from the SHA256 is "Entropy Size (in bits) / 32"... our initial entropy is 128 bits... so 128 / 32 = 4...

The SHA256 in bits is:
Code:
0011011101000111000010001111111111110111011100011001110111010101100101111001111011001000011101011101010101101100110100100010100001101111011011010011110011110111111011000011000101111010001110110010010101100011001010101010101100101000111011000011011110111011

So, our checksum is the first four bits... or "0011"


Now, we have our original entropy (in binary bits), along with our 4 bit checksum (separated here by a space), which gives us:
Quote
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0011

When split into 11bit chunks and converted via the word list, we get:
00000000000 -> abandon
00000000000 -> abandon
00000000000 -> abandon
00000000000 -> abandon
00000000000 -> abandon
00000000000 -> abandon
00000000000 -> abandon
00000000000 -> abandon
00000000000 -> abandon
00000000000 -> abandon
00000000000 -> abandon
00000000011 -> about


So, you can't just pick 12 random words and hope that the checksum is correct... that is also NOT how wallets operate... they don't randomly pick words! Firstly, they randomly generate your initial entropy (128 bits for wallets that use 12 word seed mnemonics, 256 bits for 24 word seed mnemonics)... then they convert that entropy using the basic steps as outlined in BIP39:

1. Calculate SHA256(entropy) to derive checksum bits
2. Concatenate entropy bits + checksum bits
3. Break in 11bit chunks
4. Convert 11bit chunks to words using BIP39 wordlist
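A worked version of the four steps above, added here as an example for this thread rather than code from HCP or from any wallet. It assumes only Python's standard library; the wordlist is a constructed ten-entry head of the English BIP39 list (index 0 is "abandon", index 3 is "about"), which is enough to render the all-zero entropy case, so a real implementation would load all 2048 words. It also runs the reverse check a wallet performs on restore, which is what rejects pooya87's twelve-times-abandon (checksum mismatch) and ten-times-abandon (invalid length) inputs:

```python
import hashlib

# Constructed subset of the English BIP39 wordlist: only its first ten entries,
# which is enough for the all-zero-entropy walkthrough. A real implementation
# loads all 2048 words (index 0 is "abandon", index 3 is "about").
WORDLIST_HEAD = ["abandon", "ability", "able", "about", "above",
                 "absent", "absorb", "abstract", "absurd", "abuse"]

VALID_ENTROPY_BITS = (128, 160, 192, 224, 256)   # 12, 15, 18, 21, 24 words
VALID_WORD_COUNTS = (12, 15, 18, 21, 24)


def checksum_bits(entropy: bytes) -> str:
    """Step 1: the first (entropy bits / 32) bits of SHA256(entropy) as a '0'/'1' string."""
    ent_bits = len(entropy) * 8
    if ent_bits not in VALID_ENTROPY_BITS:
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    digest = hashlib.sha256(entropy).digest()
    all_bits = "".join(f"{b:08b}" for b in digest)
    return all_bits[: ent_bits // 32]


def entropy_to_indices(entropy: bytes) -> list:
    """Steps 2-3: concatenate entropy + checksum, then split into 11-bit chunks."""
    ent = "".join(f"{b:08b}" for b in entropy)
    full = ent + checksum_bits(entropy)          # length is now a multiple of 11
    return [int(full[i:i + 11], 2) for i in range(0, len(full), 11)]


def indices_to_words(indices, wordlist=WORDLIST_HEAD) -> list:
    """Step 4: look each 11-bit value up in the wordlist."""
    return [wordlist[i] for i in indices]


def validate_indices(indices) -> tuple:
    """Reverse direction, i.e. what a wallet does on restore: rebuild the bit
    string, split off the checksum, recompute it from the entropy and compare."""
    if len(indices) not in VALID_WORD_COUNTS:
        return False, "invalid word count"
    if any(not 0 <= i < 2048 for i in indices):
        return False, "word index out of range"
    bits = "".join(f"{i:011b}" for i in indices)
    cs_len = len(bits) // 33                     # 4 bits for 12 words, 8 for 24
    ent_bits, cs = bits[:-cs_len], bits[-cs_len:]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    if checksum_bits(entropy) != cs:
        return False, "checksum mismatch"
    return True, "ok"


if __name__ == "__main__":
    zero_entropy = bytes(16)                     # 0x00...00, 128 bits
    indices = entropy_to_indices(zero_entropy)
    print(" ".join(indices_to_words(indices)))   # eleven "abandon" then "about"
    print(validate_indices([0] * 12))            # twelve "abandon": checksum mismatch
    print(validate_indices([0] * 10))            # ten "abandon": invalid word count
```

The checksum length is always total bits divided by 33, because each word carries 11 bits and the checksum is one thirty-second of the entropy; that single rule covers 12 through 24 words without a lookup table.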

BASE16
September 13, 2020, 08:11:28 AM
Merited by Halab (2), fillippone (2), ABCbits (1)
#4


Quote
So, you can't just pick 12 random words and hope that the checksum is correct... that is also NOT how wallets operate... they don't randomly pick words!

But you can just pick 12 random words without the checksum being correct.
The checksum is only a small, additional and limited check for errors.

That is also in the docs:
Code:
Reminder for developers
Please remember to allow recovery from mnemonic phrases that have invalid checksums (or that you don't have the wordlist)

When a checksum is invalid, warn the user that the phrase is not something generated by your app, and ask if they would like to use it anyway. This way, your app only needs to hold the wordlists for your supported languages, but you can recover phrases made by other apps in other languages.

However, there should be other checks in place, such as checking to make sure the user is inputting 12 words or more separated by a space. i.e. phrase.trim().split(/\s+/g).length >= 12

So if you have a mnemonic that has a false checksum verification, it doesn't mean that it cannot be used.

pooya87
September 13, 2020, 08:59:47 AM
Merited by fillippone (2), ABCbits (1)
#5

Quote
That is also in the docs:
This text is not from the BIP but from some implementation (I believe it started in and was copied from bitcoinjs, since it is found in more than one place) and it is their choice to do it differently.

Quote
Reminder for developers
When a checksum is invalid, warn the user that the phrase is not something generated by your app, and ask if they would like to use it anyway.
That means such an implementation would accept invalid BIP39 mnemonics.

Quote
This way, your app only needs to hold the wordlists for your supported languages, but you can recover phrases made by other apps in other languages.
This part doesn't sound right, mainly because if the checksum isn't correct (e.g. Electrum seeds) that means the mnemonic is either invalid (e.g. has a typo) or was generated by another algorithm, hence cannot be used by the same code.
In the case of Electrum seeds, if you ignore the checksum (which is going to be invalid) and use the BIP-39 algorithm, you can easily end up with an invalid BIP-32 seed, specifically if wordlists other than English were used.

Quote
So if you have a mnemonic that has a false checksum verification, it doesn't mean that it cannot be used.
It should mean that the mnemonic must not be used by code that doesn't recognize its validity.

HCP
September 13, 2020, 11:01:18 AM
Merited by ABCbits (1)
#6

Quote
But you can just pick 12 random words without the checksum being correct.
The checksum is only a small, additional and limited check for errors.
Sure... except that the vast majority of wallets do NOT allow you to use "invalid" seed mnemonics... They just say "Invalid Mnemonic" and then you can't recover your wallet. Intentionally using an "invalid" seed mnemonic is asking for trouble.


Quote
When a checksum is invalid, warn the user that the phrase is not something generated by your app, and ask if they would like to use it anyway. This way, your app only needs to hold the wordlists for your supported languages, but you can recover phrases made by other apps in other languages.
I don't see how this could possibly work... if you don't have a wordlist in a given language, how are you meant to convert each "word" to the correct 11bit binary sequence? Say I gave you a mnemonic in a different language like this:
Code:
tahi rua toru wha rimu ono whitu waru iwa tekau kia kaha
Without the matching language wordlist, what chance do you have of converting that phrase to the correct 132 bits?


Quote
So if you have a mnemonic that has a false checksum verification, it doesn't mean that it cannot be used.
It also means that you most likely won't be able to use it easily on the vast majority of BIP39 compatible wallets... there are 1 or 2 that are exceptions and will allow you to use "invalid" seed mnemonics, but they are definitely the exception rather than the rule.

o_e_l_e_o
September 13, 2020, 01:34:27 PM
Merited by fillippone (2)
#7

Quote
I don't see how this could possibly work... if you don't have a wordlist in a given language, how are you meant to convert each "word" to the correct 11bit binary sequence? Say I gave you a mnemonic in a different language like this:
Code:
tahi rua toru wha rimu ono whitu waru iwa tekau kia kaha
Without the matching language wordlist, what chance do you have of converting that phrase to the correct 132 bits?
I think what it is saying is that if you don't have the wordlist then you cannot confirm whether the checksum is valid or not, so display it as incorrect.

To generate addresses from a seed phrase, if you ignore checking whether or not the checksum is valid, then at no point do you actually have to convert back to your binary sequence. You can just plug the words into your 2048 rounds of HMAC-SHA512, regardless of whether or not you know the wordlist which was used to generate them. I can create a seed from a custom wordlist on Electrum, send it to you, and you can restore from it without ever knowing the wordlist.
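The seed step o_e_l_e_o describes, added here as an example written for this thread (not code from the thread's participants, from Electrum, or from any wallet), using only Python's standard library. BIP39 specifies PBKDF2-HMAC-SHA512 with 2048 rounds over the NFKD-normalized sentence and the salt "mnemonic" + passphrase, and as the post says this step never consults a wordlist; the expected hex below is the first published BIP39 reference vector (all-zero entropy, passphrase "TREZOR"). The salt_prefix parameter is a hypothetical addition so that pooya87's later point can be shown too: feeding the same words to a KDF with a different salt (Electrum uses "electrum" + passphrase) yields an unrelated seed. Electrum's further text transformations (accent removal and so on) are not implemented here.

```python
import hashlib
import unicodedata


def kdf_seed(mnemonic: str, passphrase: str = "", salt_prefix: str = "mnemonic") -> bytes:
    """PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output, over the NFKD-normalized
    sentence. salt_prefix is a hypothetical parameter added for this example so
    the effect of the salt constant can be shown; BIP39 fixes it to "mnemonic"."""
    sentence = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = (salt_prefix + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", sentence, salt, 2048, dklen=64)


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """The BIP39 seed step as specified: salt = "mnemonic" + passphrase.
    Nothing here touches a wordlist or verifies a checksum."""
    return kdf_seed(mnemonic, passphrase, "mnemonic")


# Inputs used below: the first BIP39 reference vector, o_e_l_e_o's custom-wordlist
# sentence from later in this thread, and a constructed accented word in two
# Unicode forms (precomposed vs. base letter + combining accent).
REFERENCE_MNEMONIC = "abandon " * 11 + "about"
CUSTOM_WORDS = ("ETFbitcoin W Z pooya87 H M I o_e_l_e_o bitcointalk N J T P "
                "bip32 R I E HCP A U R I D bip39 M chipmixer")
PRECOMPOSED = "alm\u00edbar"      # "í" as a single code point
DECOMPOSED = "almi\u0301bar"      # "i" followed by U+0301 combining acute


if __name__ == "__main__":
    print(bip39_seed(REFERENCE_MNEMONIC, "TREZOR").hex())
    print(bip39_seed(CUSTOM_WORDS).hex())                       # no wordlist needed
    print(bip39_seed(PRECOMPOSED) == bip39_seed(DECOMPOSED))     # True: NFKD unifies them
    print(bip39_seed(PRECOMPOSED) == kdf_seed(PRECOMPOSED, "", "electrum"))  # False
```

Two things the run makes concrete: the KDF happily accepts words that are in no wordlist at all, which is exactly why a wallet that skips the checksum cannot tell a typo from an intentional custom phrase, and any change to the normalized bytes or the salt constant produces a completely different 64-byte seed, so the same words only restore under the same algorithm.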
HCP
September 13, 2020, 09:49:35 PM
#8

Quote
I think what it is saying is that if you don't have the wordlist then you cannot confirm whether the checksum is valid or not, so display it as incorrect.
Ok, that makes more sense to my coffee-less brain.

I noted this in the BIP39 docs:
Quote
Although using a mnemonic not generated by the algorithm described in "Generating the mnemonic" section is possible, this is not advised and software must compute a checksum for the mnemonic sentence using a wordlist and issue a warning if it is invalid.

Gotta love "it's possible, but not recommended" type statements like this.

pooya87
September 14, 2020, 03:52:45 AM
Merited by ABCbits (3), o_e_l_e_o (2), Heisenberg_Hunter (1)
#9

Quote
You can just plug the words into your 2048 rounds of HMAC-SHA512, regardless of whether or not you know the wordlist which was used to generate them. I can create a seed from a custom wordlist on Electrum, send it to you, and you can restore from it without ever knowing the wordlist.

There is a big problem here.
A BIP39 implementation expects a valid checksum, valid length and valid words (existing in its list). When something is not valid (like the checksum) the wallet has no way of knowing whether the user entered the wrong word, or it is intentionally this way, OR it is a different algorithm entirely.
Who's to say the words in your example with the invalid checksum were passed to PBKDF2 and not another KDF algorithm like scrypt? The wallet can't definitely know this.

The following 2 mnemonics are from Electrum and have an invalid BIP-39 checksum, AND you will get an invalid BIP-32 seed (hence child keys) if you just run them through PBKDF2:
Code:
almíbar tibio superar vencer hacha peatón príncipe matar consejo polen vehículo odise
眼 悲 叛 改 节 跃 衡 响 疆 股 遂 冬
The reason is pretty simple: the algorithm is very different from BIP-39. Whereas BIP-39 simply normalizes the mnemonic using form KD, Electrum does a lot more to these words (removes accents, removes spaces, even changes some of the words, ...).

In other words, when the mnemonics don't have the indicators (such as the length and checksum) they can only be recovered using the same code in the same application under the same circumstances. Otherwise they cannot be used anywhere else.

o_e_l_e_o
September 14, 2020, 09:18:52 AM
Merited by pooya87 (1), ABCbits (1)
#10

Quote
-snip-
You are right of course, and there are multiple potential problems you can run into using non-standard seed phrases (such as picking 12 random words and forcing the wallet to accept the incorrect checksum). I never said that it was a good idea, just that it is possible. For example, I can give you the following seed phrase:
Code:
ETFbitcoin W Z pooya87 H M I o_e_l_e_o bitcointalk N J T P bip32 R I E HCP A U R I D bip39 M chipmixer
And you can recover it in Electrum to give the following address at m/84'/0'/0'/0/0:
Code:
bc1q908y76nqz8kr44ynfek4ssc4qdnecmnfgq3mdc
And you can do all this without having any idea what my original wordlist was.

So yes, if you do something weird with your seed phrase, then chances are you will only be able to recover it using the exact same software and the exact same steps you used when you first set it up. Which is why, to go back to the point BASE16 first made, you shouldn't just pick 12 random words and ignore the invalid checksum.
CryptoSable
September 30, 2020, 05:27:57 AM
#11

What's the difference between BIP 0039 and BIP38?
HCP
September 30, 2020, 05:33:57 AM
Merited by fillippone (2), o_e_l_e_o (2), ABCbits (1)
#12

The short answer is that BIP39 is a method for generating deterministic keys from a "seed mnemonic" (usually 12 or 24 words long), whereas BIP38 is a method for encrypting a single private key (usually used for encrypting so-called "paper wallets").


The long answers are in the specs of each BIP...

BIP39: "Mnemonic code for generating deterministic keys" - https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki
BIP38: "Passphrase-protected private key" - https://github.com/bitcoin/bips/blob/master/bip-0038.mediawiki

Karartma1
September 30, 2020, 06:20:23 AM
Merited by fillippone (2), o_e_l_e_o (2)
#13

Quote
The short answer is that BIP39 is a method for generating deterministic keys from a "seed mnemonic" (usually 12 or 24 words long), whereas BIP38 is a method for encrypting a single private key (usually used for encrypting so-called "paper wallets").

The long answers are in the specs of each BIP...

BIP39: "Mnemonic code for generating deterministic keys" - https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki
BIP38: "Passphrase-protected private key" - https://github.com/bitcoin/bips/blob/master/bip-0038.mediawiki

Also, another way to put it is that BIP38 and BIP39 regard entirely different aspects of key and wallet use.
  • BIP38 is a standard for single private key encryption using AES and scrypt hardening. In the past some tools have had erroneous implementations so that's something to be careful about, and it's not a very popular method nowadays since it was never extended to encrypt seeds (that most wallets now use)
  • BIP39 is a standard way of encoding entropy into a word list usually used to encode a seed. The random value encoded is used as the base for generating any number of private keys in a repeatable sequence - covered by companion standard BIP32 - for hierarchical deterministic (HD) wallets.

There was a similar question on reddit a few months ago (best answer by jcoinner). Hope it helps. https://www.reddit.com/r/Bitcoin/comments/e9zt5i/can_someone_please_detail_for_me_the_difference/

