Topic: 12 Words + Passphrase == 12 other words? (Read 221 times)

Save it also the private key if you want to be more secure and paranoid if the resulting address is different after adding Passphrase.

Because there are have possibility of negligence if someone uses an additional Passphrase, like forget an uppercase letter, symbols, numbers, etc.

Passphrase is sensitive, just a little bit wrong put . (dot) You will got the different address generated.

wallets cannot identify like we use passwords. the wallet will remain open like there's no mistake when put wrong passphrase

Naa, it's more like two aliens pick the same atom in a super-cluster of galaxies by chance (and they don't start from the same location, let's assume they have Warp drive capabilities). 

Humans can't really comprehend such large numbers.

2²⁵⁶ is roughly ~1.16x10⁷⁷

Our solar system has approx. 10⁵⁷ atoms. Multiply by roughly 10¹¹ for the atoms in our Milky Way galaxy (we're at about 10⁶⁸ atoms now for our galaxy). Take a billion galaxies like ours and we're about in the same magnitude as possible private keys. Dang!
(I googled the numbers and if you need me to provide at least some source, then take this here...)


I was pretty sure it's the video from 3Blue1Brown and yes, it was it as expected and always nice to watch again and begin to wonder.

I always like to send people this video, when they are afraid that their funds can get lost due to a collision or a brute-force attack.
I believe the best way to explain the vastness of the bitcoin's computation space, is to watch a video, because human brain is not able to fully understand numbers that are this big.

The most five year old explanation I can offer to understand this is that collision of two Bitcoin Private Keys is like us randomly finding and picking up the same pebble on Earth.  While it is possible, because it IS possible, the reality is that I will never find that exact one pebble you did.

Now if everybody started to look for it, the chances are higher of course.  Maybe if everybody is looking after the same set of a few hundred thousand pebbles, one day MAYBE somebody finds one of them.  But it is still almost impossible.

So while it is pretty scary to think that all of us Bitcoin users CAN generate another used Private Key at any given time using the one same Seed we have, this is so impossible that it is useless to fear such a collision.

The question is from which side you approach the potential hash collision.

Sure, if you look at only a 12-recovery words "seed" and no optional mnemonic passphrase you stretch an 128bit input space to a 512bit output space, but you only can have 2¹²⁸ at best unique hashes, not any more.

It is possible that you simply can't find any exact match for a final 512bit PBKDF2 hash of a given 12-word "seed" with a particular mnemonic passphrase. That is, because you have potentially 2³⁸⁴ times more different "source" hashes than our "puny" 2¹²⁸ that you can match at maximum.

Above illustrates one given sample of 12 recovery words with a specific non-empty mnemonic passphrase for which you try to find a 512bit hash match with any of the possible 2¹²⁸ 12 recovery word combinations without a mnemonic passphrase.

This may fail and there's no guarantee for a match, besides we don't have time and energy to exhaust the search space of 128bit magnitude.


If you approach the collision from the other side, i.e. a given 12 recovery words "seed" without mnemonic passphrase should be matched by any combination of 12 recovery words with a non-empty mnemonic passphrase, then a collision is mathematically guaranteed. Because the vastness of input space can easily exceed^§ the hash output space of 2⁵¹² magnitude.

^§ Reason: it's no problem to create more than 2³⁸⁴ different mnemonic passphrases times 2¹²⁸ 12-word combinations.

While the existance of a hash collision in this case is guaranteed, it's still practically impossible to find it, not enough time and energy in this part (or whole) of the universe to exhaust the search.

It is similar to importing a wallet using seed phrase and instead of using all the 12 words correctly is that you intentionally change one word which the wallet that will be imported is different. In this case, instead of changing one word is that there will be an extended word (passphrase) that will generate different wallet. If you want to explore it then you can try create a dummy wallet and use passphrase. You can use electrum for that where you can add custom words when adding a wallet.

To be honest, I don't understand how a collision can happen if PBKDF2 literally stretches to 512bits, a initial entropy between 128 and 256 bits according to BIP39. That is to say the entropy of the seed without any passphrase. Maybe 2 seeds with a passphrase can create the same key at the end, but I highly doubt it could happen between 2 seeds witout passphrase or between a seed without passphrase and a seed with one.

https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki

It's a simple fact that hash collisions must occur when the input space is larger than the hash output space. Of course, it's usually not probable to execute an exhaustive search to find such a collision. We don't have the time and energy to even search something like a 128bit space exhaustively. And hash output space for RIPEMD160, SHA256 and of course SHA512 are completely out of reach, unless some major flaw is discovered and by the time those hash functions are known, it's not very likely to discover serious flaws.

While the fate of the universe is a topic still to debate because we have no real clue what dark energy and/or dark matter could be, I'm not so much concerned about this boundary.

The life cycle of our sun will limit life on this planet way before anything else concerning the fate of the universe. Not so many cozy places in this solar system either.

I'm more worried that humanity will destroy itself or the habitability of this planet in much shorter time spans. Humanity is stupid enough to have create more than enough nukes and weapons to destroy habitability of the only place we currently can live on. And too many stupids still entertain war after war. What a great progress... (Sorry for this slight drift to off-topic)

This reminded me of a thread of mine where i made an assumption about private key collisions, basically the same question as the OP.

However, due to the time and energy spent, it's impossible today and may continue to be impractical in millions or billions of years and so on.

In other words, it is practically easier for the universe to "end" than to collide with a set of private keys/seeds that you had created with or without a passphrase.

In the case of bitcoin and a couple of other cryptocurrencies using BIP39 (Mnemonic Seed) wallets the answer is simply NO.
A 12-word seed phrase combined with an optional passphrase (BIP39 extension) actually generates a unique private key. Changing the passphrase or using a completely different 12-word seed phrase will produce a distinct private key. It's a kinda straight forward process.

Private keys are hashed and gotten from the seed phrase and that means if you add a new word or even a new character the result of the hashing will also be altered. If I have a 12 word seed , it's a wallet seed yes but if I add say a word or two I'll get a new wallet since the private keys would be different. Meaning who has only the 12 words will not be able to spend funds in the wallet with custom seed.

What you are looking for is a hash collision after 2048 rounds of PBKDF2 (which uses HMAC-SHA512 as pseudo-random hash function).
The mnemonic recovery words (as UTF-8 NFKD) are used as password input and the optional mnemonic passphrase  (as UTF-8 NFKD) is used as salt, specifically "mnemonic" + optional passphrase with an empty string "" for optional passphrase when there is no optional passphrase provided. (Put in slightly other words from the BIP39 definition.)
So the salt is always something:

• "mnemonic" as UTF-8 NFKD when there is no optional mnemonic passphrase
• "mnemonic" as UTF-8 NFKD; replace with the used mnemonic passphrase

It's worth mentioning that the optional mnemonic passphrase could be everything within bounds of UTF-8, not limited to a single "word" or so.

Now for OP's initial question: a hash collision after 2048 rounds of PBKDF2 is mathematically possible because the input space with an optional mnemonic passphrase exceeds the vastness of the output space of SHA512 (used in PBKDF2). There's no limitation to the size of the optional mnemonic passphrase, at least not by definition. You can therefore mathematically get any 512bits output after the 2048 rounds of PBKDF2. Because of this you could match the resulting binary seed (512bits) yielded after the PBKDF2 rounds for any 12 recovery words plus no mnemonic passphrase (for the latter the input space is vastly smaller than with an mnenmonic passphrase).

Is it probable to find such a collision? No, not at all. It's theoretically possible, practically it's impossible due to lack of time and energy.

Thank you guys for clear explanation. Love this forum, I'm in crypto for years, still I learn something new every day.

To answer your question, every private that ever existed can be generated by the exact same seed phrase (12 words), combined with random passphrases.

I will do the ELI5 version of my answer.
In Bitcoin, a BIP39 seed phrase of 12 words is parsed through a hashing function, called PBKDF2, to generate all these key-pairs that you see in your wallet.
If you add any passphrase, then the PBKDF2 function will return something completely unique.
Since you have an unlimited number of passphrases that you can use (all characters are valid, all lengths are valid), then you can generate all the private keys in the world.

Wow, thanks! It answers my question

OP, adding a custom word (a.k.a passphrase) to the 12/18/24 words seed will result in generating a completely different wallet (different addresses).

But since you said "different words", I assume you are asking about the possibilty of having a collusion! In that case, you can read this topic:
Wallet "overlap"

Although both of them are used to enhance the security of the wallet, they are completely different. A password is used to encrypt the wallet while a passphrase creates a different wallet.

I believe he is referring to the BIP39 passphrases. These are optional, extra words you can add to your seed phrase for even more security. Its different from your regular wallet password. You cant recover your wallet without this passphrase. People sometimes call it the "25th word," but it can actually be any phrase or set of characters.

As for the wallets, almost all the most popular wallets support it. For example, Trezor hardware wallet allows you to create one standard wallet (without a passphrase) and a number of secret (hidden) wallets depending on the additional passphrase. (Each new passphrase will generate a new unique wallet.)

Electrum, Sparrow, Bluewallet, Unstoppable wallets and many other wallets support passphrase. The passphrase is used to access the right keys and not the wallet precisely. If you lose the passphrase, it is like you lose the seed phrase as the coins will be lost.

The Password you use when login to the wallet is not what is called the passphrase, the passphrase or custom word as some wallet called it is used to extend your seed phrase, for a 12 word seed phrase the passphrase is the 13th word as such with a passphrase extended to your seed phrase that particular wallet has different private key and addresses when the same seed phrase doesn’t have any passphrase,

Electrum and almost all reputable bitcoin wallets like BlueWallet, Sparrow wallet allows the extension of seed phrase with pass phrase, but it is different from the password or pin required to login into the wallet

I didn't know that there is option like that, to generate different wallets depending on password. All wallet apps that I used had password protection to guard the access to app.

Could you share what wallet do you use?

The purpose of passphrase is to generate different keys and addresses that are entirely different from the keys and addresses that is generated if the passphrase is not included. It is not possible. The extended word is enough to make all the keys and addresses different.