Topic: Create a seed from a selection of words - page 2. (Read 1188 times)

To be clear hash collision (even with weak algorithms) has nothing to do with finding a mnemonic collision.
The hash algorithms that are used under the hood of BIP39/BIP32 are there to give us a deterministic way of deriving child keys from an entropy and the security of this whole setup is determined by the size of that entropy not by the collision strength of the underlying hash algorithm. In other words in a 12-word seed you still have to face 2¹²⁸ possibilities even if the scheme was using a hash algorithm that is weak against collision attack like SHA1/MD5 (ignoring their small digest size).

I'd say as long as the hash algorithm doesn't produce biased digests, any algorithm can be used but there is no reason to since SHA256/512 are both fast and efficient for the job.

Give me break! By the time Satoshi wrote and sent his email the concept of hierarchicaly deterministic wallets (BIP-32) was not yet invented, nor was BIP-39 a thing. It's ridiculous to try to dig something from Satoshi's public messages and think he used it to derive his keys.

And it's proven that e.g. brainwallets based on publicly available data have been a recipe for desaster already.

There's first random entropy which is encoded into mnemonic words. The opposite direction is only used for a recovery. Just don't pick the mnemonic words by any human influenced ways, period! As @o_e_l_e_o said, you never pick mnemonic words by any humanish schemes, as that's usually a recipe for desaster.

Yeah, this is an awful way to generate a seed phrase. You definitely shouldn't be manually picking words, you definitely shouldn't be manually picking words from publicly available texts, and you definitely shouldn't be manually picking words from publicly available texts which are intrinsically linked to bitcoin.

It wouldn't surprise me at all if the addresses you generate through this method are already on one or more lists of addresses being monitored 24/7 by bots waiting to steal any coins which are sent to them.

Just generate your seed phrase properly and stop risking everything with such harebrained schemes.

I had originally found words in the first email from Satoshi Nakamoto that occurred in the 2048 words and 23 of them occurred in the email only 1x see image:
https://i.postimg.cc/L6sMjPdy/satoshi-email-Kopie.jpg
So I thought it could be a code. In the end I used lastWord (https://github.com/PawelGorny/lostword) to create all possible (valid) 24 seeds.

I used this config for that:


(of course 23 other words come in here) as you can see there was set 24 words, but there are only 23 words, so the tool goes through everything and spits out all valid combinations.

But as the others said it is not safe to mix it by yourself, I don't know if it is unsafe from the entropy, I personally think that someone could guess it.

e.g. you could take these 11 words and calculate the missing one to make it valid: satoshi payment perfect story unique unit use system cover bonus era galaxy

The phrase might be easy to remember but a person's mindset is vulnerable, the randomness that some wallets throw together is not and therefore a pattern is hard to discern. I think it is rather all that makes it insecure.

On the other hand, I often think, wallets can do anything if we can not see the source code, when generating the seed could go to the manufacturer, who collects them for 10 years and then clears all wallets that were created with the program. Therefore, open source is very important.

When a wallet is created that is represented by 12 mnemonic recovery words according to BIP39, the basic first steps are the following:

• a 128-bit random number is generated (some call it the entropy)
• these 128 random bits are devided in 11-bit chunks where each chunk is represented by one mnemonic word (11 bits can represent 2048 states, guess what, the BIP39 word list is 2048 words long, every word represents an unique 11-bit combination)
• 12 times 11 gives 132 bits, so there's room for a 4-bit partial hash checksum (the checksum is 4-bits from SHA256(the 128-bit random number))
• change a single bit in the 128-bit random number and due to properties of SHA256 the checksum will change completely, there's a good chance that this also changes the partial 4-bit part of it, though 4 bits is really short and there's a non-zero probability that the 4-bit checksum partial chunk isn't changed

It makes no sense that a human tries to fiddle with the BIP39 words and choose words by some crazy intuition of "feelings" or whatnot. It's likely going to be a recipe for bad entropy.

Seed phrases contain a checksum. If you start manually swapping words, chances are you will invalidate the checksum and so your wallet software will reject your new seed phrase.

But at a more basic level, you should never manually pick/swap/arrange words in your seed phrase. Humans are an incredibly poor source of entropy, and whatever you end up with will be less secure than you think or than you want.

Adding to the above discussion is it really possible to scramble the words that we actually receive from the automated generator? I don’t know depth of it, but when we generate any address the phrases are already associated with it and there is no way we can change it. I am saying the first time change when we generate it. Let us say I have newly generated address and creating a wallet with Back up keys. Wallet has given 12 words but I want to change them right away manually, why isn’t that possible?

Is it possibly because someone might overlap with my words and sequence? (Though this may not happen considering the 12 words and their numerous combinations. But just curious about the technical explanation behind this.

As I said above, there won't be an address (or seed phrase) collision before the sun dies in ~5 billion years.

Let's say all 8 billion people on the planet all generate 1,000 new addresses every second for the next 5 billion years non stop. After 5 billion years we will only have generated 0.00000000000000009% of all possible addresses.

If you don't trust any software to generate a seed phrase for you, then generate your own entropy by flipping a coin and converting each 11 bits to the corresponding word. You'll still need to use a piece of software to calculate the checksum and import the seed phrase to generate a wallet, however.

I also think that it is unlikely that someone will find the same seed or a seed that matches the same address.
Especially if you consider the following factors:

The normal user generates in his life maybe 10 addresses and not always the sum times the number of people who live in 100 years make it very unlikely.

A hacker generates wallets to crack an existing wallet with money in it, he would have to check all wallets every hour to see if there are coins in them.

Even if a hacker would do that, then his storage space is not enough and it is again limited.

Despite everything, what method would you recommend or what software to create a wallet?
I could also create a 23 digit seed by hand and use lastWord to convert it to a wallet, but that is again insecure. And I am so paranoid to trust the fewest companies. OpenSource Sacen would be a solution, but I don't know the programming languages to verify that.
Apart from the fact that the effort is higher than the value I could ever protect.

You definitely will.

Taking SHA256 as an example - the output is always 256 bits, so there are 2²⁵⁶ possible outputs. However, the input can be anything up to 2⁶⁴ - 1 bits in length, which works out to any data up to 2 million terabytes in size. Therefore, there are exponentially more possible inputs than possible outputs, so collisions are guaranteed.

The same seed phrase will always generate the same address at the same derivation path, regardless of what wallet you use (provided all the wallets are following the BIP39 standard and not doing something unique or non-standard).

Technically speaking, given the number of possible derivation paths, every seed phrase in existence is almost certainly capable of generating every possible address. But in practice, there will never be an address collision before the death of the sun.

I am not sure I am understanding you correctly. Are you asking if it's possible to generate the same address with different seed phrases?
If so, no. That's not possible.

Take note that in theory it's possible that you generate the same address with different seed phrases, but that's not practically impossible. Maybe, that's what you've heard before.

I did some research on hash collisions today and there are collisions in MD5 that have 2 inputs but the same output. In sha256 or even sha128 you will never have the same output. I am also aware that a seed of 12 words will surely be unbreakable for the next 50 to 100 years. I think I heard that it is possible to access coins in the wallet with different seeds, but probably with subaccounts.
Surely this will not refer to the direct address of the wallet but a generated in it. And as I understand it, you always have access to all sub-accounts created in the main wallet, no matter what the first generated address is. I mean when I log into Metamask with the seeds I have the same address as Exodus or the recently tiled Atomic Wallet, that's what I mean by main wallet.

What do you think it is possible to get access to the same coins with different seeds? Or did I record there stupid stuff?

If you did brute force a seed phrase which gave you the desired vanity address at m/84'/0'/0'/0/0 (for example), then bear in mind that only that single address would have your desired prefix, and every other address in that wallet would be completely random. Seems like a lot to go through for a single address, when you can already just use VanitySearch.

Note that I would use VanitySearch (https://bitcointalksearch.org/topic/vanitysearch-yet-another-address-prefix-finder-5112311) over VanityGen. It is much faster.

Also note that Bitcoin Core does not use seed phrases at all, so the concept of extending your seed phrase with a passphrase does not exist. As hosseinimr93 says, a passphrase in Bitcoin Core is simply the password for your local wallet file.

The private key which your vanity address is derived from is like any other private key. It provides 128 bits of security.
A 24 word BIP39 seed phrase provides 256 bits of entropy.


They are different.
The term "passphrase" is usually used to refer to characters or words you use to extend your seed phrase. When you add a passphrase to your seed phrase, you generate a completely different wallet.
In bitcoin core, the passphrase is like a password which encrypts your wallet file.

Thanks for all the info. How much entropy does Vanitygen have? So programs that generate 24 words have 256bit? Is there also 512bit with Bitcoin?
I also think that Vanitygen is a game in itself, an address that you can own to receive money on the Internet and have a cool address when there is little money on it.

And something else, there is a passphrase in Bip39 and a passphrase in Bitcoin Core, in Bitcoin Core you can change the passphrase and the addresses remain, but how is it with Bip39 there is a separate address generated?

That with the Bip39 passphrase and less entropy sounds strange at first but I think it has to do with Bip39 itself and any human intervention disturbs the algorithm somewhere?

As said here before 24 mnemonic words from the BIP39 set of words encode a 256-bit random number and include also a partial hash checksum which allows very certain detection of an error in the sequence of words. To me your 128-char mnemonic passphrase is a bit of over the top. It's random which is good, likely very few humans can type it without any error which is a risk. That means you have to store your mnemonic passphrase in a digital file on a computer which shouldn't ever go online for safety reasons. Practically you can only copy/paste such a mnemonic passphrase. If you care for security this mandates that you don't use any online device with such a mnemonic passphrase and it makes an analog backup copy of the passphrase nearly impossible as the smallest error will give you a different and empty wallet.

You're making your life harder than necessary. You can't have a hierarchical deterministic wallet with fancy addresses, very unlikely to happen. Vanitygen addresses might be fancy but are a pain to generate securely and to keep secure, too.

Get a decent hardware wallet (and that's no Ledger crap device) and have piece of mind. Learn on HD wallets and derivation paths e.g. at https://learnmeabitcoin.com and make yourself familiar with a good hardware wallet. Practice recovery with some Testnet bitcoins and you will have a much more secure storage of your wallet than with any online software wallet solution.

The meaning of the word "entropy" differs a little depending on the context.

A 24-word mnemonic is an encoding of 256 bits of entropy (in this case, "entropy" means random data). Adding a password to the mnemonic increases the entropy (in this case, "entropy" means the amount of randomness). The seed is then derived from the mnemonic plus password (if there is one).


The strength is determined by the number of digits in the number or the strength of its source, whichever is less, and not the value of the number itself.


So, if you want to create an address that looks cool like it was generated by vanitygen, why not just use vanitygen? Some wallets have the ability to import private keys, allowing you to spend the funds received at the address.

Note that a wallet and an address are different things. A wallet contains one or more addresses.

So, you want to have a seed which produces “nice” address for a given derivation path.
Testing addresses on the path is quite “expensive” operation, so the whole process will be much slower (less efficient) than “normal” vanitygen.
But I understand your doubts, you consider testing different seeds or one seed and different passwords.

I have understood a little more out there but only bip39 uses a Mnemonic seed? Because many wallets from different manufacturers are often compatible.
Assuming I have a 24 digit Mnemonic, example of the website you linked:
the seed is out:
Is this the entropy at the same time?

if i now add a 128 digit password:

the seed becomes:

In the hey area the f at the beginning is higher than the 1 so seen like this almost 8 times as strong, or how does this entropy calculate?

Background of my question is simply that I want to create a wallet that is as secure as possible but where also the address looks cool as generated by vanitygen.
If I wanted to create a wallet here now, how could I influence the entropy?
https://github.com/adrijano/Bitcoin-wallet-cracker

I could also use the links you sent to create a wallet offline but I can't see the source code and there could be providers who create and store millions of wallets and only these are generated and connected to the provider, even if you generate it offline, if it's from pre-generated seeds, it's all useless.

I think you will find answer for that question if you look at the page: https://iancoleman.io/bip39/

After you generate/paste seed, you may check addresses generated by different derivation paths.
In general, we may say we have: "m/[BIP]/[COIN]/["Account"]/address"

Using your example, m/44'/60 will produce addresses for Ethereum (see the list: https://github.com/satoshilabs/slips/blob/master/slip-0044.md)