Create a seed from a selection of words

[NotATether]

No one has mentioned yet that because the checksum at the end is just 5 bytes long, one could take a subset of words [security warnings aside], but keep their positions in the wordlist so as not to confuse wallet implementations, and present a GUI to allow the user to select from these combinations for 11 spots, and then put three checkboxes at the end to flip on or off the leading 3 bytes of the last "mnemonic word" that come before the checksum.

[1714537898]

1714537898

[PawGo]

You could use any eleven words you want and calculate last word to create entropy.
There is a website called seedpicker that can calculate everything for you, you can select any 23 words you want from all 2048 words and last word will be calculated.

That would give you 121 (instead of 128) bits and 253 (instead of 256) bits of entropy respectively. It may not be important for the second one but your first entropy is going to be a slightly weaker one than the security that bitcoin keys need (at least 128-bits).
This is because the last word is not the checksum, it contains checksum.

Which means that one must "preselect" another 3 bits. It would look like selecting the last word, taking it's 3 bits and then replace the last word by the final one.
Unfortunately you cannot finish the manual process after 23 words.
Other option is to see which of 8 "correct" last words you like the best.

[pooya87]

Which means that one must "preselect" another 3 bits. It would look like selecting the last word, taking it's 3 bits and then replace the last word by the final one.
Unfortunately you cannot finish the manual process after 23 words.
Other option is to see which of 8 "correct" last words you like the best.

Exactly, another solution would be doing something similar to what Electrum does. You select 12 words and then increment the last word until you get a valid checksum. As long as the selection process is really random the entropy you get is more than 128 bits.
Same for any other word count.

[o_e_l_e_o]

This is open source tool, but use it carefully, read their guide and only do it if you know what you are doing:
https://seedpicker.net/calculator/last-word.html

First time I've looked at that site, but I don't like it I'm afraid.

Their method for generating the first 23 words does not specify that each raffle ticket needs to be returned to the bag/box for future draws. This reduces the entropy of the seed.
They always start the 24th word with "000" before appending the 8 bit checksum, again reducing the entropy of the seed.
They then show a P2WSH Zpub from derivation path m/48'/0'/0'/2'. I understand it is designed to be used in their specific wallet, but anyone taking that Zpub to another wallet will run in to a huge amount of trouble trying to recover their coins if they don't fully understand what they are doing.

If you want a website to tell you your 24th word (as opposed to manually calculating the checksum), then I would suggest generating 24 words in a properly random fashion and then just typing them all in to an offline version of Ian Coleman. If you then click on "Show entropy details", it will automatically swap your last word for the appropriate checksum word, but keeping the first 3 bits of entropy the same.

[j2002ba2]

Which means that one must "preselect" another 3 bits. It would look like selecting the last word, taking it's 3 bits and then replace the last word by the final one.
Unfortunately you cannot finish the manual process after 23 words.
Other option is to see which of 8 "correct" last words you like the best.

Exactly, another solution would be doing something similar to what Electrum does. You select 12 words and then increment the last word until you get a valid checksum. As long as the selection process is really random the entropy you get is more than 128 bits.
Same for any other word count.

There cannot be more than 128 bits entropy in BIP39 12-words. There are not enough bits to represent it.

Electrum 12-word seeds have less than 128 bits entropy, IIRC it's slightly less than 132-8=124 for legacy addresses, and 132-12=120 for segwit addresses.

More entropy could be inserted, if you instead of using the 12 words directly mutate them with additional entropy. For example: make some letters lower case, while other upper case, change some words to "leet speak", etc. And then feed this into PBKDF2.

Of course, the easiest method of adding entropy is using password together with the seed.

[unamic]

I would like to know if there is a possibility to create a 12 or 24 digit seed from a selection of words and not the whole 2048 words.

You can do that but human brain is known to be bad for creating random results, so I would not do this if you want to hold larger amount of coins.
You could use any eleven words you want and calculate last word to create entropy.
There is a website called seedpicker that can calculate everything for you, you can select any 23 words you want from all 2048 words and last word will be calculated.
This is open source tool, but use it carefully, read their guide and only do it if you know what you are doing:
https://seedpicker.net/calculator/last-word.html

I would prefer if the whole thing is open source and I can possibly create it on my computer without internet (maybe a github project based on python).

You could use iancoleman website totally offline, and it is even advised to be always used like that.
In your browser, select file save-as, and save this page as a file, than double click that file to open it in a browser on your offline computer:
https://iancoleman.io/bip39/

thank you that will help me, the website not find every time the right word but i see it is a very long way to go i search the 24 word of:
abstract version allow online one another digital provide solution still problem into record only pool long control best effort leave will what satoshi

the website find bonus as 24 word but there must be more working words.

here is what i try to: i have read the first email of satoshi and find out that he have many bip39 word inside the email, it looks a little bit like a puzzle or something:



i use all the light green words because they came only 1 time the multicolor are words with more than 1 each and the grey are words that looks like bip39 words.

maybe have someone more luck then me or can help me to find out if we find a wallet.

i also looks at the number of  the words the first 2 words are number 8 and 1943 maybe a year or something.

i try also the word from the beginning and jump over the double words it was:

main double prevent network proof power abstract version allow online payment direct

sorry my bad english

[pooya87]

There cannot be more than 128 bits entropy in BIP39 12-words. There are not enough bits to represent it.

If you have selected each word manually and randomly and you have 12 words then each word represents 11 bits which makes the total 12*11=132 bits.

Electrum 12-word seeds have less than 128 bits entropy, IIRC it's slightly less than 132-8=124 for legacy addresses, and 132-12=120 for segwit addresses.

That is incorrect. Electrum actually starts with a 132-bit entropy (as an int) then increments it until it finds a correct checksum. Address type does not affect the entropy size, it only affects what checksum is expected.
https://github.com/spesmilo/electrum/blob/abe3955d916521f37e06b96d8996b270413e175f/electrum/mnemonic.py#L190

[o_e_l_e_o]

here is what i try to: i have read the first email of satoshi and find out that he have many bip39 word inside the email, it looks a little bit like a puzzle or something:

I mean, BIP39 wasn't created until 5 years after that email, until about 3 years after Satoshi disappeared, and was created by a bunch of people who aren't Satoshi. BIP39 contains a huge number of common English words. You will find many such words in any text of sufficient length. You are not going to find a BIP39 wallet encoded in Satoshi's emails.

Electrum 12-word seeds have less than 128 bits entropy, IIRC it's slightly less than 132-8=124 for legacy addresses, and 132-12=120 for segwit addresses.

We actually discussed this before about a year ago here: https://bitcointalk.org/index.php?topic=5344533.msg57328109#msg57328109

The 8 bit prefix for legacy addresses and 12 bit prefix for segwit addresses which Electrum uses does not reduce the entropy of the seed phrase itself, since an attacker still has to check every seed phrase to see if it hashes to the correct prefix. However, it does mean that for 4095 out of 4096 seed phrases (for segwit), an attacker does not have to go through the 2048 rounds of PBKDF2.

[j2002ba2]

There cannot be more than 128 bits entropy in BIP39 12-words. There are not enough bits to represent it.

If you have selected each word manually and randomly and you have 12 words then each word represents 11 bits which makes the total 12*11=132 bits.

Yes, it is 132 bits, but only if there's no checksum or required version.

Electrum 12-word seeds have less than 128 bits entropy, IIRC it's slightly less than 132-8=124 for legacy addresses, and 132-12=120 for segwit addresses.

That is incorrect. Electrum actually starts with a 132-bit entropy (as an int) then increments it until it finds a correct checksum. Address type does not affect the entropy size, it only affects what checksum is expected.
https://github.com/spesmilo/electrum/blob/abe3955d916521f37e06b96d8996b270413e175f/electrum/mnemonic.py#L190

It very much affects the entropy, since 255 (or 4095 in segwit case) possibilities are rejected (plus the valid BIP39 ones, about one in 16, another loss of additional 0.0931 bits of entropy). You end up with smaller pool of possible seeds, hence smaller entropy.

It seems that entropy is a very tricky subject for many people. I'll give an example. Let's have a hypothetical seed generator, which starts randomly, and increments until it reaches only one specific seed. This is exactly 0 bits of entropy. If the generator stops when it reaches one of 2 seeds, we get 1 bit entropy. If an attacker has no information about these seeds, then he has to scan the whole 256 bit range (or whatever size it is in this case).

So, valid electrum seeds do have less entropy - 123.9 bits for standard, and 119.9 bits for segwit. That doesn't mean it's much easier to crack versus BIP39. If my calculations are correct, it's about twice harder to find a valid Electrum segwit seed versus both Electrum standard and BIP39. (if we are given an address to compare to)

In information theory, the entropy of a random variable is the average level of "information", "surprise", or "uncertainty" inherent to the variable's possible outcomes.

Certainly only one in 2⁴ seeds are valid for BIP39, in 2^8.09 for Electrum standard, and in 2^12.09 for Electrum segwit. Hence the entropy is lower.

One might argue, that the attacker sees 132 bits of entropy, since nothing is certain for him. Then this is true for BIP39 as well, although it is generated using 128 bit entropy. Looking the other way if one insists BIP39 to have 128 bits entropy, then Electrum standard has 123.9, and segwit 119.9.

[unamic]

here is what i try to: i have read the first email of satoshi and find out that he have many bip39 word inside the email, it looks a little bit like a puzzle or something:

I mean, BIP39 wasn't created until 5 years after that email, until about 3 years after Satoshi disappeared, and was created by a bunch of people who aren't Satoshi. BIP39 contains a huge number of common English words. You will find many such words in any text of sufficient length. You are not going to find a BIP39 wallet encoded in Satoshi's emails.

Electrum 12-word seeds have less than 128 bits entropy, IIRC it's slightly less than 132-8=124 for legacy addresses, and 132-12=120 for segwit addresses.

We actually discussed this before about a year ago here: https://bitcointalk.org/index.php?topic=5344533.msg57328109#msg57328109

The 8 bit prefix for legacy addresses and 12 bit prefix for segwit addresses which Electrum uses does not reduce the entropy of the seed phrase itself, since an attacker still has to check every seed phrase to see if it hashes to the correct prefix. However, it does mean that for 4095 out of 4096 seed phrases (for segwit), an attacker does not have to go through the 2048 rounds of PBKDF2.

First of all, thanks for the many people working on this thread, it shows how big this community is.

What options were there in 2009 before bip39 was used?

[hosseinimr93]

What options were there in 2009 before bip39 was used?

Even now, BIP39 isn't a part of bitcoin rules and you always have to sign the transactions with your private key. A BIP39 wallet derives your private keys from your seed phrase and use them for making transactions.
In 2009, there was no seed phrase and people had to backup the wallet file or save their private keys.

[pooya87]

~

Your arguments don't sound correct to me although I don't claim to be good at this type of math. Here is a quote from Electrum docs though:

With the standard values currently used in Electrum, we obtain: 2^(132 + 11 - 8) = 2^135. This means that a standard Electrum seed is equivalent, in terms of hashes, to 135 bits of entropy.

[o_e_l_e_o]

Your arguments don't sound correct to me although I don't claim to be good at this type of math. Here is a quote from Electrum docs though:

With the standard values currently used in Electrum, we obtain: 2^(132 + 11 - = 2^135. This means that a standard Electrum seed is equivalent, in terms of hashes, to 135 bits of entropy.

The issue is j2002ba2 and that read the docs page are using different definitions of entropy.

Taking legacy Electrum phrases, then we all agree that the seed phrase encodes 132 bits of information. Two different scenarios then follow:

Electrum says "Well, only 1 in every 2⁸ seed phrases will have the correct prefix, but for each one that does have the correct prefix, it requires 2¹¹ hashes to generate a master private key." And so they work out 132 - 8 + 11 to give 135 bits of entropy.

j2002ba2 on the other hand says "We start with 132 bits, but since we are discarding all but one of every 2⁸ seed phrases, then that reduces the entropy to 124 bits, although it doesn't reduce the attack surface."


If you consider a BIP39 seed phrase, then you have 2¹²⁸ phrases, and for each one you have to go through 2048 rounds of PBKDF2, giving 2¹²⁸ * 2048 = 2¹³⁹ hashes.
If you consider a legacy Electrum seed phrase, then you have 2¹³² phrases, and for each one you must hash it once to check the prefix, and then for one in every 256 (on average) you have to go through 2048 rounds of PBKDF2. This means 256 + 2048 = 2304 hashes for every 256 seed phrases, which is an average of 9 hashes per seed phrase, giving a total of 2¹³² * 9 = 2^135.2 hashes.

[unamic]

What options were there in 2009 before bip39 was used?

Even now, BIP39 isn't a part of bitcoin rules and you always have to sign the transactions with your private key. A BIP39 wallet derives your private keys from your seed phrase and use them for making transactions.
In 2009, there was no seed phrase and people had to backup the wallet file or save their private keys.

How were wallets generated in the early days of Bitcoin? And were words used?

[Cricktor]

As far as I remember the early Bitcoin Core wallet generated a pool of private keys, a fixed number of them. But frankly I don't know how those were generated and if by any deterministic way. If the key pool ran out of keys, the pool was extended by another fixed batch of fresh random keys. There was no 'visible' seed and Bitcoin Core doesn't use mnemonic seed words. Backup of a Bitcoin Core wallet was always file based: you had to backup the wallet file and restore your wallet from a file backup. This could lead to loss of funds if you restored a wallet file which contained a smaller key pool than your most recent wallet that you may have lost or which got corrupted or deleted.

For deterministic wallets nowadays Bitcoin Core uses a private key as seed and derives the keys and addresses of a HD wallet by BIP-32 mechanics. And descriptors should make, I say, an 'expected' key derivation easier/safer. (I'm still working on this topic to understand it as much as possible.)

Maybe Armory was one of the first wallets to implement some HD scheme where you were able to recover the wallet from some sort of seed numbers. Never used Armory myself, but I read a lot about it out of interest. Bitcoin Core's file based backup always made me feel uncomfortable, too digital and fixed to digital files.

And then there was the desaster with 'brain wallets', keys derived from hashing stuff that humans believed to be unique, secret and whatnot. That didn't go well for some Bitcoiners.

[pooya87]

Early wallets were not deterministic. Whenever the wallet needed a new key it just called up its RNG and created a new random key. That means there were no seed or seed phrase in early days. After some time, due to possibility of flaws in RNGs and bugs in some implementations, deterministic key derivation (BIP32) was introduced and wallets slowly started switching to that. Shortly after, in order to make backups user friendly the concept of using mnemonics or seed phrase (BIP39) was introduced.

[unamic]

Thanks for the many texts. It sounds very interesting so as I understand it then these wallet.dat files were the keys and you don't have a password and all that needed?

I can hardly imagine that, but surely there was a program where you could load the key and then access your wallet?

Maybe you can compare that with a Google Authenticator or these YoubiKeys or whatever they are called, i.e. a key file?

I just started working in 2009 and was also very involved in development, including Web 2.0 and the development of Bootstrap from Twitter and the whole browser development by Google etc... I was very fascinated, I still wonder why I never what had heard of bitcoin. Kind of a shame, not necessarily because of performance but just because you missed something, sort of like everyone has a Nintendo and you never hear about it.

[vapourminer]

It sounds very interesting so as I understand it then these wallet.dat files were the keys and you don't have a password and all that needed?

yes. wallet.dat files contain a list of private keys. some pregenerated when 1st initialized, other keys added as needed when the pool of keys ran out.

early wallet.dat files did not have passord protection, it was added later.

Maybe you can compare that with a Google Authenticator or these YoubiKeys or whatever they are called, i.e. a key file?

google auth and yubikeys are whats called two factor authentication (2FA). totally different then a password, seed or keyfile.

[hZti]

-snip- That is 24*23*22*...*1=24! = 620,448,401,733,239,439,360,000

Thanks, then it would only be an average of 19,674 years for 1trillion combinations per second bruteforce speed for a disarranged 24-words seed then.
And only 479,001,600 combinations for a disarranged 12-word seed.

It’s really insane that even if you know all the seed words the security of your private key is still this high. Makes me laugh a bit about all this brute force attempts that don’t even know a single word 

[o_e_l_e_o]

It’s really insane that even if you know all the seed words the security of your private key is still this high.

Seed phrase, not private key.

It is only relatively secure if it is 24 words, which will essentially be impossible to bruteforce as outlined above. 12 scrambled words however are very easy to brute force, and can be done in minutes or hours depending on your hardware.

Either way, if you have accidentally revealed all or some of your seed phrase, even if scrambled, I'd still be moving everything to a brand new wallet as soon as I could, followed by re-examining my set up to figure out how I could have been so careless and insecure in the first place.