Topic: BIP 39 vs Electrum mnemonic seed (Read 6796 times)

Electrum 2.x by default starts with 136 bits of entropy, and then adds and increments a nonce until the resulting HMAC starts with 00000001₂, so the result has (slightly less than) 128 bits of entropy (since 2⁸-1 out of every 2⁸ potential mnemonics are discarded).

Slightly less, because Electrum also discards mnemonics which are valid for Electrum 1.x wallets to avoid any confusion from restoring such a mnemonic, which removes an additional small amount of entropy.

How do you mean?

Yes, but they compensate those lost entropy bits with other further bits of entropy

Doesn't this reduce the entropy of the seed? If you are going to discard the majority of them and only use the one's that have a mnemonic with a hash beginning with 01 then that reduces the pool of all possible seeds.

To determine if a mnemonic is valid without using a word list, Electrum 2.x takes an HMAC of it (using a hardcoded key) and looks at the first byte. In pseudocode:

The only way Electrum can create a mnemonic whose first byte of HMAC is the byte 0x01 is by generating different mnemonics and trying each's HMAC until it finds a valid one, similar to the way vanity address generators work. This takes on average 256 tries, whereas with BIP-39 only a single mnemonic is created, and then its checksum is simply appended.

In order to go from mnemonic to binary seed, 2048 HMAC-SHA512's are needed for both Electrum and BIP-39, so the effort difference is roughly 2304 for Electrum vs. 2048 for BIP-39, about 12.5% greater, not a big deal....

Thanks for the answer!

I don't undertand this part

Not quite.... They both use PBKDF2-HMAC-SHA512 to convert a mnemonic sentence to a binary seed (which becomes the extended master private key). BIP-39 uses the positions to calculate/verify the checksum, whereas Electrum uses an HMAC.


I think you just answered your own question

Electrum 2.x is not tied to any particular wordlist (good), however its mnemonics are not compatible with any other wallet (bad(?)). It's a judgement call....


True, on both points. Seedrecover.py for example assumes that for Electrum seeds, the word lists which currently ship with Electrum were used. If this assumption is wrong, or if Electrum is updated and I don't notice it and don't update seedrecover, it will silently fail.


One other potential minor negative to Electrum 2.x's method: although both can be used to create weak/ill-advised brain-wallet style mnemonics, Electrum's method makes it a bit easier. For example, these are all perfectly valid (if criminally stupid) Electrum 2.x seeds; feel free to try restoring them into Electrum if you doubt it:


edited to add: One other very small disadvantage with Electrum 2.x's method: it takes more effort (CPU time) to create a mnemonic, although this extra effort is small compared to the effort required to run PBKDF2 to generate the binary seed which both methods still require.

Hello folks,

BIP 39 and Electrum works differently to generate seeds, both use lists of words to encode the seed, but the first one use the positions of every word into the list to compute the seed, instead Electrum use the hash of the words as seed.

Which is the best approach? Why Electrum doesn't simply follow the standard? (At least from version 2).

With BIP 39 you have to known the wordlist, with Electrum you can (could) modify it, add words and so on; or use other language lists without wait that the list will be included into the standard.

With BIP 39 could be easyer rescue a damaged seed, since the wordlist is know (Ok, 99% of electrum seeds uses the same list).

Am I missing some point?