pooya87 (Legendary)
June 22, 2022, 03:25:01 AM
Keep in mind that the security of 24 revealed words out of order is still not as high as the security of a private key, because you are revealing your entropy: 620,448,401,733,239,439,360,000 is 6e+23, whereas the security of a bitcoin private key is 2^128 = 3e+38.
unamic (OP, Jr. Member)
June 15, 2023, 06:51:04 PM
Sorry, it's been almost 1 year since my last message; I sat down again today on the subject of Bitcoin.
In the meantime I have also looked at the tool lostWord more closely; it can validate good seeds and look at which combinations are valid.
Success has not come in full, of course, but I have learned a lot. What I didn't understand yet is the path of the seed, e.g. m/0/0 is used by lostWord by default (P2PKH).
What exactly do these paths mean: m/84'/0 m/44'/60 m/44'/0' m/84'/0
So the question is which BIP fits which path, and which path did you use in the beginning?
What I understood is that the addresses are as follows: P2PKH = 1xxxx addresses, P2WPKH = bc1xxxxx addresses, P2SH = 3xxxxx addresses.
Maybe you can help me a little bit in dealing with m/0/0 etc.
What I have not yet understood is how entropy works and how I can use the highest possible one to generate a lot of security. I think I read that Trust Wallet, for example, only has an entropy of 8, or was it 32 bit?
What about Coinomi, Bitcoin Core, Electrum or BlueWallet? And should I use any of these programs to generate a secure wallet? The higher the entropy, the more secure it will be, even in the quantum computer age.
PawGo (Legendary)
> What exactly do these paths mean: m/84'/0 m/44'/60 m/44'/0' m/84'/0
> So the question is which BIP fits to which path and which path did you use in the beginning?

I think you will find the answer to that question if you look at the page: https://iancoleman.io/bip39/ After you generate/paste a seed, you may check the addresses generated by different derivation paths. In general, we may say we have: "m/[BIP]/[COIN]/["Account"]/address". Using your example, m/44'/60 will produce addresses for Ethereum (see the list: https://github.com/satoshilabs/slips/blob/master/slip-0044.md).
unamic (OP, Jr. Member)
June 15, 2023, 07:26:55 PM
I have understood a little more out there, but only BIP39 uses a mnemonic seed? Because many wallets from different manufacturers are often compatible. Assuming I have a 24-digit mnemonic, example from the website you linked: assault crane thumb neither seminar impulse solve record result cradle room deposit father video enforce mammal give chase despair analyst sorry tooth eyebrow sniff, the seed comes out as: 159c926acdc50682281d44a26be623813de155e4f567afc359d2ba7674e4cd9c311fc31e7af5d2c0b673c3a35eba3dd08a3d0097c524e3edee6b2d0acf49e096
Is this the entropy at the same time? If I now add a 128-digit password: ^wUa0tw%&ZE$nv45cVd#iFUuamuUqmdYSa*i5<z*gv&W7kK9c8zZ$1H@ZzG#Ur0by4ZUE@^nw1gLUXTPKZCe0DtGknW62VrJwSocG3Y!SjOEwXT8ureahEZn8$8^Gr the seed becomes: fc7c9360aec42693cefdd0ad6275f4d9e7644c1f54a48c09f0c5b265cba154e9b249737c683d4c6c3cb79d9e6ee7bf50fd716dec5ed66bbb296fb9648ac46cef In the hex area the f at the beginning is higher than the 1, so seen like this it is almost 8 times as strong, or how does this entropy calculate? The background of my question is simply that I want to create a wallet that is as secure as possible, but where the address also looks cool, as generated by vanitygen. If I wanted to create a wallet here now, how could I influence the entropy? https://github.com/adrijano/Bitcoin-wallet-cracker I could also use the links you sent to create a wallet offline, but I can't see the source code, and there could be providers who create and store millions of wallets, and only these are generated and connected to the provider; even if you generate it offline, if it's from pre-generated seeds, it's all useless.
PawGo (Legendary)
June 15, 2023, 07:53:04 PM
> Background of my question is simply that I want to create a wallet that is as secure as possible but where also the address looks cool as generated by vanitygen. If I wanted to create a wallet here now, how could I influence the entropy? https://github.com/adrijano/Bitcoin-wallet-cracker

So, you want to have a seed which produces a "nice" address for a given derivation path. Testing addresses on the path is quite an "expensive" operation, so the whole process will be much slower (less efficient) than "normal" vanitygen. But I understand your doubts; you are considering testing different seeds, or one seed and different passwords.
odolvlobo (Legendary)
June 15, 2023, 11:16:57 PM (last edit: June 15, 2023, 11:36:07 PM by odolvlobo)
> I have understood a little more out there but only bip39 uses a Mnemonic seed? Because many wallets from different manufacturers are often compatible. Assuming I have a 24 digit Mnemonic, example of the website you linked: assault crane thumb neither seminar impulse solve record result cradle room deposit father video enforce mammal give chase despair analyst sorry tooth eyebrow sniff the seed is out: 159c926acdc50682281d44a26be623813de155e4f567afc359d2ba7674e4cd9c311fc31e7af5d2c0b673c3a35eba3dd08a3d0097c524e3edee6b2d0acf49e096
> Is this the entropy at the same time? if i now add a 128 digit password: ^wUa0tw%&ZE$nv45cVd#iFUuamuUqmdYSa*i5<z*gv&W7kK9c8zZ$1H@ZzG#Ur0by4ZUE@^nw1gLUXTPKZCe0DtGknW62VrJwSocG3Y!SjOEwXT8ureahEZn8$8^Gr the seed becomes: fc7c9360aec42693cefdd0ad6275f4d9e7644c1f54a48c09f0c5b265cba154e9b249737c683d4c6c3cb79d9e6ee7bf50fd716dec5ed66bbb296fb9648ac46cef

The meaning of the word "entropy" differs a little depending on the context. A 24-word mnemonic is an encoding of 256 bits of entropy (in this case, "entropy" means random data). Adding a password to the mnemonic increases the entropy (in this case, "entropy" means the amount of randomness). The seed is then derived from the mnemonic plus password (if there is one).

> In the hey area the f at the beginning is higher than the 1 so seen like this almost 8 times as strong, or how does this entropy calculate?

The strength is determined by the number of digits in the number or the strength of its source, whichever is less, and not by the value of the number itself.

> Background of my question is simply that I want to create a wallet that is as secure as possible but where also the address looks cool as generated by vanitygen. If I wanted to create a wallet here now, how could I influence the entropy?

So, if you want to create an address that looks cool like it was generated by vanitygen, why not just use vanitygen? Some wallets have the ability to import private keys, allowing you to spend the funds received at the address. Note that a wallet and an address are different things. A wallet contains one or more addresses.
Cricktor (Legendary)
> <snip>

As said here before, 24 mnemonic words from the BIP39 set of words encode a 256-bit random number and also include a partial hash checksum, which allows very certain detection of an error in the sequence of words. To me your 128-char mnemonic passphrase is a bit over the top. It's random, which is good; likely very few humans can type it without any error, which is a risk. That means you have to store your mnemonic passphrase in a digital file on a computer which shouldn't ever go online, for safety reasons. Practically you can only copy/paste such a mnemonic passphrase. If you care for security, this mandates that you don't use any online device with such a mnemonic passphrase, and it makes an analog backup copy of the passphrase nearly impossible, as the smallest error will give you a different and empty wallet. You're making your life harder than necessary. You can't have a hierarchical deterministic wallet with fancy addresses; very unlikely to happen. Vanitygen addresses might be fancy but are a pain to generate securely and to keep secure, too. Get a decent hardware wallet (and that's no Ledger crap device) and have peace of mind. Learn about HD wallets and derivation paths, e.g. at https://learnmeabitcoin.com, and make yourself familiar with a good hardware wallet. Practice recovery with some Testnet bitcoins and you will have a much more secure storage of your wallet than with any online software wallet solution.
unamic (OP, Jr. Member)
June 16, 2023, 07:08:16 PM
Thanks for all the info. How much entropy does Vanitygen have? So programs that generate 24 words have 256 bit? Is there also 512 bit with Bitcoin? I also think that Vanitygen is a game in itself: an address that you can own to receive money on the Internet and have a cool address when there is little money on it.
And something else: there is a passphrase in BIP39 and a passphrase in Bitcoin Core. In Bitcoin Core you can change the passphrase and the addresses remain, but how is it with BIP39, is there a separate address generated?
That with the BIP39 passphrase and less entropy sounds strange at first, but I think it has to do with BIP39 itself, and any human intervention disturbs the algorithm somewhere?
hosemary (Legendary)
> Thanks for all the info. How much entropy does Vanitygen have? So programs that generate 24 words have 256bit? Is there also 512bit with Bitcoin?

The private key which your vanity address is derived from is like any other private key. It provides 128 bits of security. A 24-word BIP39 seed phrase provides 256 bits of entropy.

> And something else, there is a passphrase in Bip39 and a passphrase in Bitcoin Core, in Bitcoin Core you can change the passphrase and the addresses remain, but how is it with Bip39 there is a separate address generated?

They are different. The term "passphrase" is usually used to refer to characters or words you use to extend your seed phrase. When you add a passphrase to your seed phrase, you generate a completely different wallet. In Bitcoin Core, the passphrase is like a password which encrypts your wallet file.
o_e_l_e_o (In memoriam, Legendary)
If you did brute force a seed phrase which gave you the desired vanity address at m/84'/0'/0'/0/0 (for example), then bear in mind that only that single address would have your desired prefix, and every other address in that wallet would be completely random. Seems like a lot to go through for a single address, when you can already just use VanitySearch. Note that I would use VanitySearch (https://bitcointalk.org/index.php?topic=5112311.0) over VanityGen. It is much faster. Also note that Bitcoin Core does not use seed phrases at all, so the concept of extending your seed phrase with a passphrase does not exist. As hosseinimr93 says, a passphrase in Bitcoin Core is simply the password for your local wallet file.
unamic (OP, Jr. Member)
June 17, 2023, 06:26:36 PM
I did some research on hash collisions today, and there are collisions in MD5 that have 2 inputs but the same output. In SHA256 or even SHA128 you will never have the same output. I am also aware that a seed of 12 words will surely be unbreakable for the next 50 to 100 years. I think I heard that it is possible to access coins in the wallet with different seeds, but probably with subaccounts. Surely this will not refer to the direct address of the wallet but one generated in it. And as I understand it, you always have access to all sub-accounts created in the main wallet, no matter what the first generated address is. I mean, when I log into Metamask with the seeds I have the same address as in Exodus or the recently tiled Atomic Wallet; that's what I mean by main wallet.
What do you think, is it possible to get access to the same coins with different seeds? Or did I record stupid stuff there?
hosemary (Legendary)
June 17, 2023, 06:43:00 PM
> What do you think it is possible to get access to the same coins with different seeds? Or did I record there stupid stuff?

I am not sure I am understanding you correctly. Are you asking if it's possible to generate the same address with different seed phrases? If so, no. That's not possible. Take note that in theory it's possible that you generate the same address with different seed phrases, but that's not practically impossible. Maybe that's what you've heard before.
o_e_l_e_o (In memoriam, Legendary)
June 17, 2023, 06:55:55 PM
> In sha256 or even sha128 you will never have the same output.

You definitely will. Taking SHA256 as an example: the output is always 256 bits, so there are 2^256 possible outputs. However, the input can be anything up to 2^64 - 1 bits in length, which works out to any data up to 2 million terabytes in size. Therefore, there are exponentially more possible inputs than possible outputs, so collisions are guaranteed.

> And as I understand it, you always have access to all sub-accounts created in the main wallet, no matter what the first generated address is. I mean when I log into Metamask with the seeds I have the same address as Exodus or the recently tiled Atomic Wallet, that's what I mean by main wallet.

The same seed phrase will always generate the same address at the same derivation path, regardless of what wallet you use (provided all the wallets are following the BIP39 standard and not doing something unique or non-standard).

> What do you think it is possible to get access to the same coins with different seeds? Or did I record there stupid stuff?

Technically speaking, given the number of possible derivation paths, every seed phrase in existence is almost certainly capable of generating every possible address. But in practice, there will never be an address collision before the death of the sun.
unamic (OP, Jr. Member)
June 17, 2023, 07:10:55 PM
I also think that it is unlikely that someone will find the same seed or a seed that matches the same address. Especially if you consider the following factors:
The normal user generates in his life maybe 10 addresses, and not always; the sum times the number of people who live in 100 years makes it very unlikely.
A hacker generates wallets to crack an existing wallet with money in it; he would have to check all wallets every hour to see if there are coins in them.
Even if a hacker would do that, then his storage space is not enough and it is again limited.
Despite everything, what method would you recommend, or what software, to create a wallet? I could also create a 23-digit seed by hand and use lostWord to convert it to a wallet, but that is again insecure. And I am so paranoid that I trust the fewest companies. OpenSource Sacen would be a solution, but I don't know the programming languages to verify that. Apart from the fact that the effort is higher than the value I could ever protect.
o_e_l_e_o (In memoriam, Legendary)
June 17, 2023, 08:25:30 PM (last edit: June 18, 2023, 07:32:24 AM by o_e_l_e_o; merited by ABCbits (1), hosemary (1))
> Especially if you consider the following factors:

As I said above, there won't be an address (or seed phrase) collision before the sun dies in ~5 billion years.

> The normal user generates in his life maybe 10 addresses and not always the sum times the number of people who live in 100 years make it very unlikely.

Let's say all 8 billion people on the planet generate 1,000 new addresses every second for the next 5 billion years non-stop. After 5 billion years we will only have generated 0.00000000000000009% of all possible addresses.

> And I am so paranoid to trust the fewest companies.

If you don't trust any software to generate a seed phrase for you, then generate your own entropy by flipping a coin and converting each 11 bits to the corresponding word. You'll still need to use a piece of software to calculate the checksum and import the seed phrase to generate a wallet, however.
Flexystar
June 19, 2023, 03:26:49 PM
Adding to the above discussion, is it really possible to scramble the words that we actually receive from the automated generator? I don't know the depth of it, but when we generate any address the phrases are already associated with it and there is no way we can change it. I am talking about the first-time change, when we generate it. Let us say I have a newly generated address and am creating a wallet with backup keys. The wallet has given 12 words but I want to change them right away manually; why isn't that possible?
Is it possibly because someone might overlap with my words and sequence? (Though this may not happen considering the 12 words and their numerous combinations.) But I'm just curious about the technical explanation behind this.
o_e_l_e_o (In memoriam, Legendary)
June 19, 2023, 03:54:29 PM
Seed phrases contain a checksum. If you start manually swapping words, chances are you will invalidate the checksum and so your wallet software will reject your new seed phrase.
But at a more basic level, you should never manually pick/swap/arrange words in your seed phrase. Humans are an incredibly poor source of entropy, and whatever you end up with will be less secure than you think or than you want.
Cricktor (Legendary)
June 19, 2023, 09:11:22 PM
> <snip>

When a wallet is created that is represented by 12 mnemonic recovery words according to BIP39, the basic first steps are the following:
- a 128-bit random number is generated (some call it the entropy)
- these 128 random bits are divided into 11-bit chunks, where each chunk is represented by one mnemonic word (11 bits can represent 2048 states; guess what, the BIP39 word list is 2048 words long, every word represents a unique 11-bit combination)
- 12 times 11 gives 132 bits, so there's room for a 4-bit partial hash checksum (the checksum is 4 bits from SHA256(the 128-bit random number))
- change a single bit in the 128-bit random number and, due to the properties of SHA256, the checksum will change completely; there's a good chance that this also changes the partial 4-bit part of it, though 4 bits is really short and there's a non-zero probability that the 4-bit checksum chunk isn't changed
It makes no sense that a human tries to fiddle with the BIP39 words and choose words by some crazy intuition of "feelings" or whatnot. It's likely going to be a recipe for bad entropy.
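To make Cricktor's four steps concrete (and the coin-flip method o_e_l_e_o described a few posts up), here is an added Python example that is not from any poster in this thread, from lostWord, or from any wallet. It takes entropy bytes, appends the SHA256 checksum bits, cuts the result into 11-bit word indices, verifies a phrase's checksum the way a wallet does, and derives the BIP39 seed with PBKDF2 so the effect of a passphrase is visible. The index-to-word step is left out: an index is simply a position in the 2048-word English BIP39 list, which the code assumes the reader has. It generalizes the 12-word case to every BIP39 length (15, 18, 21 and 24 words), where the checksum is ENT/32 bits. The sample values are constructed from the public BIP39 test vectors: the all-zero entropy, which encodes as "abandon" eleven times plus "about", and the passphrase "TREZOR".

```python
import hashlib
import unicodedata

# Constructed sample: the all-zero 128-bit entropy from the BIP39 English test
# vectors. It encodes as "abandon" x 11 + "about" (indices 0 x 11, then 3).
SAMPLE_ENTROPY = bytes(16)
SAMPLE_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def coin_flips_to_entropy(flips: str) -> bytes:
    """Turn a string of coin flips (H = 1, T = 0) into entropy bytes.

    128 flips give a 12-word phrase, 256 flips a 24-word phrase. The checksum
    is not something the human adds; it is computed by entropy_to_indices().
    """
    if len(flips) not in (128, 256) or set(flips) - {"H", "T"}:
        raise ValueError("need exactly 128 or 256 flips, each 'H' or 'T'")
    value = int("".join("1" if f == "H" else "0" for f in flips), 2)
    return value.to_bytes(len(flips) // 8, "big")


def entropy_to_indices(entropy: bytes) -> list:
    """BIP39 encoding: entropy || checksum, cut into 11-bit word indices.

    ENT bits of entropy get ENT/32 checksum bits taken from the top of
    SHA256(entropy): 128 -> 4 bits -> 12 words, 256 -> 8 bits -> 24 words.
    Each index is the position of a word in the 2048-entry BIP39 word list.
    """
    ent = len(entropy) * 8
    if ent not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    cs = ent // 32
    first_byte = hashlib.sha256(entropy).digest()[0]
    # Append the top cs bits of the hash to the entropy bits.
    bits = (int.from_bytes(entropy, "big") << cs) | (first_byte >> (8 - cs))
    nwords = (ent + cs) // 11
    return [(bits >> (11 * (nwords - 1 - i))) & 0x7FF for i in range(nwords)]


def indices_to_entropy(indices: list) -> tuple:
    """Decode word indices back to (entropy, checksum_ok).

    This is the check a wallet runs on a typed-in phrase: a changed word
    alters the recomputed checksum with probability 1 - 2^-CS.
    """
    nwords = len(indices)
    if nwords not in (12, 15, 18, 21, 24):
        raise ValueError("need 12, 15, 18, 21 or 24 words")
    if any(not 0 <= i < 2048 for i in indices):
        raise ValueError("word index out of range 0..2047")
    total = nwords * 11          # total = ENT + ENT/32, so CS = total / 33
    cs = total // 33
    ent = total - cs
    bits = 0
    for i in indices:
        bits = (bits << 11) | i
    checksum = bits & ((1 << cs) - 1)
    entropy = (bits >> cs).to_bytes(ent // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    return entropy, checksum == expected


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase.

    A different passphrase yields an unrelated 512-bit seed and therefore a
    different wallet; the passphrase extends the phrase, it does not encrypt it.
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


if __name__ == "__main__":
    print("indices:", entropy_to_indices(SAMPLE_ENTROPY))
    print("valid:", indices_to_entropy([0] * 11 + [3])[1])
    print("last word changed, valid:", indices_to_entropy([0] * 11 + [2])[1])
    print("seed:", mnemonic_to_seed(SAMPLE_MNEMONIC, "TREZOR").hex())
```

Running it shows the all-zero entropy encoding as index 0 eleven times followed by index 3 ("about"); changing that last index to 2 leaves the entropy bits identical but fails the checksum, which is the rejection Cricktor and o_e_l_e_o describe. As Cricktor notes, a random single-word change still passes 1 time in 16 for 12 words; for 24 words the checksum is 8 bits, so 1 in 256.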
unamic (OP, Jr. Member)
June 25, 2023, 01:26:30 AM
> Adding to the above discussion is it really possible to scramble the words that we actually receive from the automated generator? I don't know depth of it, but when we generate any address the phrases are already associated with it and there is no way we can change it. I am saying the first time change when we generate it. Let us say I have newly generated address and creating a wallet with Back up keys. Wallet has given 12 words but I want to change them right away manually, why isn't that possible?
> Is it possibly because someone might overlap with my words and sequence? (Though this may not happen considering the 12 words and their numerous combinations. But just curious about the technical explanation behind this.

I had originally found words in the first email from Satoshi Nakamoto that occurred in the 2048 words, and 23 of them occurred in the email only once; see image: https://i.postimg.cc/L6sMjPdy/satoshi-email-Kopie.jpg So I thought it could be a code. In the end I used lostWord (https://github.com/PawelGorny/lostword) to create all possible (valid) 24 seeds. I used this config for that:

ONE_UNKNOWN_CHECK_ALL
anyAddress
24
word1 word2 word3 word4 word5 word6 word7 word8 word9 word10 word11 word12 word13 word14 word15 word16 word17 word18 word19 word20 word21 word22 word23

(of course 23 other words come in here) As you can see, 24 words was set there, but there are only 23 words, so the tool goes through everything and spits out all valid combinations. But as the others said, it is not safe to mix it by yourself. I don't know if it is unsafe from the entropy; I personally think that someone could guess it. E.g. you could take these 11 words and calculate the missing one to make it valid: satoshi payment perfect story unique unit use system cover bonus era galaxy. The phrase might be easy to remember, but a person's mindset is vulnerable; the randomness that some wallets throw together is not, and therefore a pattern is hard to discern. I think it is rather all that makes it insecure. On the other hand, I often think wallets can do anything if we cannot see the source code: when generating the seed, it could go to the manufacturer, who collects them for 10 years and then clears all wallets that were created with the program. Therefore, open source is very important.
o_e_l_e_o (In memoriam, Legendary)
June 25, 2023, 06:34:59 AM
> But as the others said it is not safe to mix it by yourself

Yeah, this is an awful way to generate a seed phrase. You definitely shouldn't be manually picking words, you definitely shouldn't be manually picking words from publicly available texts, and you definitely shouldn't be manually picking words from publicly available texts which are intrinsically linked to bitcoin. It wouldn't surprise me at all if the addresses you generate through this method are already on one or more lists of addresses being monitored 24/7 by bots waiting to steal any coins which are sent to them. Just generate your seed phrase properly and stop risking everything with such harebrained schemes.