Topic: Could the BIP39 word list be completely replaced? (Read 414 times)

The main feature of a wordlist is to prevent writing mistakes. Words are easier to reproduce than long numbers.
"Planet" is on the list, but "plane" isn't. Don't mistake it for "plain". "Brake" and "break" could lead to mistakes, and there are many more similar sounding or looking words. If the BIP39 list would have 30,000 words, spotting writing mistakes becomes much more difficult.

Yeah, I was confused about the original post as I was under the impression that it was talking about the entropy being used instead of the actual seed. You can also generate an insecure seed using any passphrase using an entropy and a hash to pad it to the appropriate size.

I wonder if and how many of the insecure brainwallet fails have been revived as initial entropy into BIP39 mnemonic words and wallet derivation. Not that this would make it any secure...

DO NOT use any publicly known words or sentences as input to SHA256 and the result as a private key or as initial entropy for BIP39. You will loose coins...

No, he is right. You can indeed use the word "hello" as an entire seed phrase if you want. Obviously it doesn't follow the BIP39 protocol in terms of length, entropy, checksum, etc., but you can indeed ignore all that, feed "hello" in to the PBKDF2 algorithm, and generate a wallet. In fact, someone has done that already. Using the string "hello" as a BIP39 seed phrase, you can generate the following address at m/44'/0'/0'/0/1:

19ag68hqdbjwC2cLDZs5HRrxRCm4ETr2Wb

This address was used back in 2017.

No, that is not what that post meant. Sufficient entropy is required to generate the mnemonic using BIP39. The acceptable size of the entropy is between 128bits to 256bits, and hence you can actually just use the SHA256 hash function of hello as the input for the entropy, generating a rather insecure mnemonic.

To calculate the addresses (as well as the corresponding private key), we use a KDF on the mnemonic to come up with the seed. For example, using SHA256 of "hello" as the entropy yields:

Yes you can actually use just any random words you like to create a seed phrase but most of those wallets that uses BIP39 standard will not be able to recover that wallet, as for the checksum it can easily be solved and then pick the word that matches it. But it is bad idea to actually manually generate your own seed phrase because it doesn’t create the randomness that your wallet or Machine will pick

One thing that I haven't seen mentioned that is worth pointing out is that the sequence of words is the actual seed input used in the HD wallet calculations - the 128 or 256 bits you start with is just a way to create the string of words, the bits are not the HD seed in itself.

This also means you can use any random garbage as a seed input for BIP39 wallets - you can, and someone already has, used stuff like "hello" as the seed phrase, and it works fine. Though most wallets will probably complain and/or disallow you to use something that doesn't follow the standard wordlist and checksum format.

Quantum computing doesn't affect private key generation as well as address generation because the speedup for asymmetric cryptography is far larger than the ones for symmetric cryptography. As such, it would be reasonable to assume that QC can potentially crack Bitcoin addresses only after the public key has been exposed, not just the hash and certainly not during the generation of addresses. It wouldn't matter how many words are in your wordlist or what kind of generation you're using.

This is when Bitcoin will need to have a serious fork in order to make it bullet-proof against quantum computing threats. But in this case, cryptography will face issues as a whole. It won't be bitcoin only that will need to change.

Apart from the fact that seed phrases are used for larger number of private keys !





When it is about quantum computing the cryptography used in Bitcoin it's obsolete, it need it need a (new) different way of ciphering called Quantum-Proof cryptography!

Even in case of an computer with more than 500 qubits?

It's certainly laziness, I can tell you from personal examples that people don't want to bother learning new stuff.

learnmebitcoin.com is indeed a great website. Personally I love reading "Mastering Bitcoin" by A. Antonopoulos which is one of the best books I have ever read, but it is a bit more difficult.

Then again, anyone can read both, but the question is, are they willing to do so?

Most people think what Synchronice says, that the more words, the more secure the phrase is. I would give a point though to those that don't know what a bit is in computer science. Unfortunately (and fortunately too) Bitcoin requires basic computer knowledge. But I find this as a strong positive of Bitcoin's.

Bitcoin is an incredible amalgam of Cryptography, Math and Computer Science. But luckily we are here to help and be helped.

Correct. You can see the subset of words from that list used here in Electrum version 1.1: https://github.com/spesmilo/electrum/blob/3760486a6a9279ffbd852f0be43c8f7a823a9427/lib/mnemonic.py#L23

No, it didn't. The seed phrases were still 128 bits of entropy, and there was no checksum. 12 words from a list of 1626 gives 128.005 bits. 1626 is precisely the minimum number of words the wordlist would need for 12 words to give a minimum of 128 bits; 1625 words gives 127.99 bits. Once you add the 4 bit checksum as BIP39 did and you want to encode 132 bits, then your wordlist needs to expand to 2048.

Here is the new_seed function from Electrum version 1.1 which as you can see generates a random 128 bit number: https://github.com/spesmilo/electrum/blob/3760486a6a9279ffbd852f0be43c8f7a823a9427/lib/wallet.py#L338

Exactly this. You could technically have a word list with only two words, it's just that your seed phrase would end up being 132 words long.

I don't think it matters as long as the as much as possible random entropy that is encoded or represented by the mnemonic words isn't bad, i.e. generated in a weak manner that would allow some sort of successful attack.

We don't have time, money or energy on this planet to break good random 128 bits of a wallet's initial entropy by brute-forcing it (there's no other way than that). And for a 256bit entropy it's not going to be easier, for sure.

In the end it doesn't really matter how you represent this random entropy by any wordlist as long as you can recreate the entropy from your mnemonic words in an unambigous way. What matters is standardisation if you want interoperability between different wallets.



Maybe people don't understand, maybe people are lazy to dig into the documentation of how BIP39 actually works. I don't know what exactly the problem is. You can read and try to understand BIP39 at various places where it's explained. For me a nice spot is here: https://learnmeabitcoin.com/technical/mnemonic, it's visual, some explanatory code for code nerds and lots of details and links.
Who doesn't understand that?

What people have to understand is the importance of good randomness of the initial entropy that's represented by some well defined procedure and standardized^{for interoperability!} wordlist. The size of the wordlist doesn't make the security. Fewer words in the wordlist means you need more of the words to represent your chunk of entropy and vice versa.

Some time ago i tried running Electrum 0.3 where it generate 128-bit seed, so assuming it's generated with secure RNG it should be plenty secure. Although i never checked how Electrum convert 128-bit seed to 12 words.


Small nitpick, you'll need different BIP number rather than adding version number. For example, Bech32 listed under BIP 173 while Bech32m listed under BIP 350.

[1] https://bitcointalksearch.org/topic/m.58942538

Why won't that be possible? Just have BIP V1 and BIP V2 and that's all. The question is, is there a necessity of different world list? Simply no, because this BIP wordlist is safe and there is nothing to worry about.

You explained it well with arguments but people still can't understand. They follow very primitive logic that more is better, they can't understand that the whole Thesaurus and a tiny BIP wordlist, both of them are equally safe for generating 12 or 24 words seed phrase. To be frank, no one ever had a problem with it, no one's wallet has ever been hacked by bruteforcing seed phrases and I don't really understand why are people looking for solutions for a problem that doesn't exist.

I have always been interested in the wordlist used by a early version of Electrum.

1626 words was the list size and it related to a US patent no 5892470 were each word does not represent a given digit.
Instead, the digit represented by a word is variable, it depends on the previous word.

I'm sure it used the list from http://en.wiktionary.org/wiki/Wiktionary:Frequency_lists/Contemporary_poetry

Since the wordlist was only 1626 would this not weaken anything generated by the early version of Elecrum 2011.

Something I have been looking at for some time now but never really seen it brought up in any of the topics around wordlists.

Technically, no. Practically, pretty much yes.

BIP39 can work with any wordlist. There are multiple wordlists in different languages, and you could even create and use your own wordlist if you wanted (although you definitely shouldn't do this). But because of the way BIP39 works, if you don't know the wordlist used then you cannot verify the checksum of your seed phrase. So if you used a customized wordlist then you would not be able to verify your checksum and might not be able to recover your wallet in any other piece of software. Because of this, every BIP39 wallet uses one of the standardized wordlists, and the vast majority of BIP39 wallets stick to using the English wordlist for maximum compatibility, since you cannot move the same seed phrase between wordlists.

BIP39 has wordlists that are of quite a few different languages. You can find this in the BIP39 repository on Github: https://github.com/bitcoin/bips/commits/master/bip-0039. Notice how for each language, there is only one corresponding wordlist. Having different wordlists of the same language introduces ambiguity, but it is fine to have multiple word lists of the same language as the languages can be treated as the method to differentiate which wordlists to refer to.

You are nearly there, but for 256 bits of initial entropy, after hashing it, you will keep the first 8 bits of the hashed value instead of 4 for the 128 bits.

So briefly:

128 bits of entropy + 4 bits checksum = 132 bits split into 12 segments of 11 bits = 12 words

256 bits of entropy + 8 bits checksum = 264 bits split into 24 segments of 11 bits = 24 words

Please refer to this link for more info https://github.com/bitcoinbook/bitcoinbook/blob/develop/ch05.asciidoc#mnemonic-code-words-bip-39

Thank you.

Just a clarification. Please let me know if I correctly argue.  

The device generates 128 bits and the output is 12 words (128 digits, 0 or 1), or 256 bits and the output is 24 words (256 digits, 0 or 1), and so on.
So the entropy's output is always a binary number, that can be 128 digit long or 256 digit long.
After this phase, the binary number has to be hashed, and the output will add 4 digits (128 becomes 132, 256 become 260), always taken between 0 and 1.


Am i right?

the following points


and


are a little bit confusing to me.

Please, can you let me know: BIP39 wordlist is an univocal list or not?

Thank you for your patience.

Correct.

However, my key point is that BIP39, will not change and its key feature on being reliant on that seed phrase will always be a feature of BIP39. Whilst we have different implementations of Mnemonic seeds, it is not formally standardised as a standard for all to follow. Armory, Electrum seeds, etc are not part of any finalised BIP proposals.

We already have electrum seed phrase which doesn't rely on any fixed wordlist.
Unlike BIP39 seed phrase, you can always derive the correct private keys from an electrum seed phrase even without knowing the wordlist used for generating the seed phrase.

A desired feature of a defined wordlist is interoperability. All wallets that understand BIP39 have to stick to its well defined fixed wordlist. I don't see a need to change the words as every word just represents an unique 11-bit-sequence (as already explained above you can only have 2048 unique and distinct 11-bit sequences).

All wallets that know the correct wordlist and what it represents can convert a mnemonic recovery backup to the same wallet seed.



Maybe OP can explain, why he asks his questions?

@ranochigo may have already point these out, but I think there are some important points to be emphasized.

1. The purpose of a word list in BIP 39 is to enable validation of a checksum.
2. If a seed phrase doesn't come from a standard word list or it is not compatible with BIP 39, most wallets will complain and some will reject it. But, some wallets will accept any phrase.
3. There are many BIP-39 word lists. Here is a list of the common ones: BIP-0039 Word Lists

Furthermore, any arbitrary word list will work with BIP-39 as long as there is a wallet that supports it. And it doesn't have to be associated with a language. It could be a list of anime characters, for example.

Which is a whole other can of worms. There is no versioning system within BIP39, if you have a different wordlist of the same language, there is no telling of which wordlist the wallet should use. If the wallet chooses the wrong wordlist, then the checksum can't be calculated accurately.

Subsequent implementations would deviate from BIP39. Hence, BIP39 seeds will always be BIP39 seeds and BIPXXX seed will be BIPXXX, if we were to come up with another. Calling it BIP39 would be misnomer; BIP39 has its own set of standard and will always come with that set of wordlist. Regardless, I do not expect an expansion of the number of words in the BIP39 wordlist under any foreseeable circumstances.

Thank you for your answers.


So, I understand what follows:
A) BIP39 could potentially be replaced, but....
B) ...in any case, the subsequent implementation will still consider BIP39 wordlist as correct, to avoid invalidating every seed generated according to BIP39 wordlist;
C) consequently, the new wordlist will be named "the BIPXXX wordlist", to prevent confusion with the previous list.

So, "the BIP39 wordlist" will be ever "the BIP39 wordlist".

Please, let me know if I am right.

Thank you again

As mentioned before, you can. For BIP39, likely not.

The key thing about BIP39 is that it relies on the wordlist to be able to calculate the checksum. If you modify the original word-list even a little, then you run the risk of invalidating everyone's seed phrase because the appropriate checksum word for everyone would be completely different. Hence, it is likely that the English wordlist is final.

That is also the key flaw of BIP39, having a fixed wordlist for everyone. I would think that the next implementation of a mnemonic seed phrase would ditch its dependency on a fixed list of words and allow as many as possible. However, also do consider that the phrases should ideally conform to the following, as specified in the current BIP:
1) Unambiguous in the selection of the words
2) Derivatives of a word should not be included

Yes. There is nothing stopping this from happening. There would be no way to convert "old" seed phrases to "new" ones, however.

When you use the BIP39 process, you use entropy to calculate your seed phrase, then you use the actual words in the seed phrase to generate your master keys and subsequent child keys. So even if you had two different seed phrases which were generated from identical entropy, they would both generate different wallets since it is the words themselves which generate the wallet, not the underlying entropy. If you encoded the same entropy as an English and a French seed phrase, for example, then you would have two different wallets. So if you turned an "old" seed phrase in to one using the new wordlist, you would generate a completely different wallet. And so, if you did update the BIP39 wordlist, most wallets would continue to support the old wordlist as well, as otherwise old seed phrase would become unrecoverable by that software (or at least, they could not verify the checksum on old seed phrase).

I don't think there is any point in replacing the wordlist, however. It does what it needs to do probably as well as can be done. A better solution rather than changing the wordlist would be to change the entire seed phrase generation process so it does not depend on a fixed wordlist at all and specifies what script type to use (as Electrum seed phrases do), and that it also encodes a wallet birthday.

Hi.

Let's examine how BIP39 works.

So, your device generates 128 bits of entropy (assuming you want 12 words seed phrase). Then the entropy looks like this:


Then the entropy is hashed with SHA256. From the output, you will hold only the first 4 bits.

So now you have 128 bits of entropy + 4 bits that are called "checksum".

We will split these 132 bits into 12 segments of 11-bits each.

Imagine something like:


Now we will convert those binaries to decimals:


Let's go to the BIP39 wordlist and check where these numbers correspond to:


Now, following this process you realise that the max decimal you can get with 11 bits is 2047 (index starts at 0). So the max number of words you can have is 2048.

What would be needed if we wanted more words? Larger initial entropy (more bits) or the same amount of bits but less segments to be split into.

Is it necessary, or is it better? No! the fact that your seed phrase is selected from a set of 2048 words makes it super secure, so anything higher is an overkill.

But, higher entropy doesn't mean more secure? Yes, it does, but when we talk about bitcoin private keys, you can only get a maximum of 128 bits of security. This means that even if you create an entropy of 2000 bits to produce a private key, there can be someone who will generate the same key by solving the ECDSA algorithm, without messing with the size of the seed phrase at all.

Therefore, I believe there is no need for larger seed phrases or more english words in them. We must focus on securing the backups properly and not on trying to increase security in this regard.

BIP39 word lists are also in other languages

https://github.com/bitcoin/bips/blob/master/bip-0039/bip-0039-wordlists.md

I do not think this will be possible in the future. I do not think it is worth speculating on. But no one knows what will happen in the future.

Hi everyone.

I have a question.

The BIP39 provides the word list in many languages, right? (see https://github.com/bitcoin/bips/blob/master/bip-0039/bip-0039-wordlists.md)
There are just 2048 records.
However, English has more than 20.000 words (ChatGPT says around 30.000.....).

My question is:

In the future, can the entire word list be completely replaced by a more comprehensive and agreed-upon BIP?
Or is it mathematically impossible to proceed with that substitution?


Thank you in advance