Topic: Create a seed from a selection of words - page 4. (Read 1191 times)

Which means that one must "preselect" another 3 bits. It would look like selecting the last word, taking it's 3 bits and then replace the last word by the final one.
Unfortunately you cannot finish the manual process after 23 words.
Other option is to see which of 8 "correct" last words you like the best.

No one has mentioned yet that because the checksum at the end is just 5 bytes long, one could take a subset of words [security warnings aside], but keep their positions in the wordlist so as not to confuse wallet implementations, and present a GUI to allow the user to select from these combinations for 11 spots, and then put three checkboxes at the end to flip on or off the leading 3 bytes of the last "mnemonic word" that come before the checksum.

That would give you 121 (instead of 128) bits and 253 (instead of 256) bits of entropy respectively. It may not be important for the second one but your first entropy is going to be a slightly weaker one than the security that bitcoin keys need (at least 128-bits).
This is because the last word is not the checksum, it contains checksum.

You can do that but human brain is known to be bad for creating random results, so I would not do this if you want to hold larger amount of coins.
You could use any eleven words you want and calculate last word to create entropy.
There is a website called seedpicker that can calculate everything for you, you can select any 23 words you want from all 2048 words and last word will be calculated.
This is open source tool, but use it carefully, read their guide and only do it if you know what you are doing:
https://seedpicker.net/calculator/last-word.html

You could use iancoleman website totally offline, and it is even advised to be always used like that.
In your browser, select file save-as, and save this page as a file, than double click that file to open it in a browser on your offline computer:
https://iancoleman.io/bip39/

Exactly.
In other words:
11 bits * 23 words = 253 bits. But you want to have 256. Each word encodes 11 bits, so any word you take will give you 3 bits of "data" + 8 bits of "checksum". Which means you may have 8 possibilities for a "beginning" of word and 256 possibilities for "end" of word. Any 3 bits you select, produces (with the rest) one of 256 possible checksum.

There are always exactly 8 possibilities for the last word for BIP39 (in the 24-word case).

Last word represents 11 bits, 8 of which are checksum. For every of the 3 bits we choose, there is always exactly one word with the needed checksum bits.

For a 24 word seed, there is a 12.65% of the same word appearing twice or more, and a 0.0479% of the same word appearing three times or more. So one in every 2,000 seed phrases roughly would have the same word three times. So not that unlikely by any means.

The last word only contains 7 bits of that number in a 12 word seed phrase, or 3 bits of that number in a 24 word seed phrase. The rest is checksum.

Assuming the first 23 words are known, there are 8 possibilities for the last word on average.
It's not that there are always exactly 8 possibilities for the last word.

Edit:
I stand corrected.
Thank you j2002ba2 and PawGo for your explanation.

We weren't talking about creating the seed phrase either!

Let's agree to some common semantics: seed = big random number; mnemonic seed (words) = the set of commonly 12 or 24 words which represent 128 or 256 bits of randomness/entropy. For HD wallets this entropy is processed by iteration of a key derivation function into a BIP39 seed of 512 bits length from which by rules of derivation path the private and public keys are derived.

Your smaller selection of words will likely leed to a less random seed. It may still be safe but you can't be sure of that. I won't be happy not to know that my seed isn't safely random enough. And as indicated below, usually the mnemonic words are derived from the random seed, not the other way around.

A repeated mnemonic word doesn't matter and can happen. This only means that a sequence of 11 bits is repeated in the seed at certain bit boundaries. While I don't think this happens often, I wouldn't worry too much about it. I'd be suspicious if a word is repeated three or more times because that means the seed is somewhat patterned (which technically can still happen with "true" randomness where every bit sequence in the seed is equally possible).

This is not the way a mnemonic seed is made, except you're foolish enough to pick the words yourself from a foolishly chosen set of 24 words out of 2048 and you pick those 24 randomly one after the other from a diminishing set of words. This might not necessarily leed to a weak seed but there's a high chance that something in the process goes (horribly) wrong.

The mnemonic seed words are a human readable representation of a random binary number. The random binary number comes first and is then translated into mnemonic words where every word out of 2048 represents 11 bits of that random binary number. A human is terrible to produce randomness by some arbitrary choice actions. Flipping a coin is OK, rolling dice is OK, if you want to produce 128 bits (12 words out of 2048) or 256 bits (24 words out of 2048) of random entropy.

You can use a smaller word dictionary but then you'd have to use more words for the encoding into mnemonic seed words.

To be more precise, we may say that if unknown word is on the last position, could be treated as a checksum word (word which contains binary checksum), then the rest (23 words) produce 8 possibilities at the last position. So, it is possible to optimize algorithm that after checking 8th correct checksum, it is smart to update 23 first words and do not waste time on the last one.
If you have unknown word in the middle, you may use similar evaluation, BUT it is not precise - because you modify checksum generator, you may say that statistically after 8 hits (for the given "checksum word" on the last position) you may skip work for that combination. Unfortunately, it could happen that more words modified in the middle produce the same checksum, so that approach is wrong (too optimistic). Maybe, maybe if you would set limit of hits to 9-10, it wild make more sense, but still - it is based on guessing.

If you know all 12 words, then btcrecover could descramble this in a matter of hours even with modest hardware, or much faster with good hardware. See: https://btcrecover.readthedocs.io/en/latest/Usage_Examples/2020-05-02_Descrambling_a_12_word_seed/Example_Descrambling_a_12_word_seed/

However, since OP is talking about 24 words, descrambling this is already impossible. Add in an unknown word and it becomes 2048 times more impossible.

Unusual use case, but you may try to play with my program lostwords : https://github.com/PawelGorny/lostword

You are probably interested in the feature PRINT_SEEDS, where you may provide the list of words you want to use (or '?' for all the words) and then select the seed you like.
 


now we talk about something different, worker PERMUTATION. But with 24 words it a very difficult task.

Thanks, then it would only be an average of 19,674 years for 1trillion combinations per second bruteforce speed for a disarranged 24-words seed then.
And only 479,001,600 combinations for a disarranged 12-word seed.

Considering that OP said they have the words, you should use factorial to compute all the combinations not a power. We have 24 words and for first position we can select one out of 24, the second position one out of remaining 23 and so on. That is 24*23*22*...*1=24! = 620,448,401,733,239,439,360,000

Yes, the last word is part of the "checksum". It has to be the right one to make the seed phrase valid.

The simplest bruteforce formula is 24^24 for disordered 24-word seed, which is 1,333,735,776,850,284,124,449,081,472,843,776 combinations.
Even if you can get up to 1trillions of combinations per second, it would still take 42,292,484,045,227 years to find the right order.
Even 10000-times that speed isn't any better.

Compare it to 12 which is only 8,916,100,448,256 combinations.

even if it takes a long time let's assume i have 24 words then can this also occur in another existing sequence of the rhine?

simply combining the words somehow doesn't work, it has to have a certain validity

I know it's well meant to tell me how long it's going to take or why I shouldn't do it, but it also has a learning background for me even if I don't know much about programming I'd like to know to what extent that's possible and Is there a program for that already?

You can create a seed phrase from as few words as you like using your own method. But anyone who knows the words you are selecting from will have an easier time guessing the phrase. One problem with selecting from a subset of words is that the standard construction of the phrase involves a checksum. A wallet validating your phrase might say the phrase is invalid.

The probability of a word being repeated in a 12-word (from 2048 words) phrase is 1 - 2048!/(2036!2048¹²) = 3%



Edit: I wrote that before reading your followup post.

The is no possibility of success with a 24-word phrase because there are just too many possibilities. A 12-word phrase will take a very long time. There are tools that might help: btcrecover and FinderOuter

There's brute forcing software for this, but if you have 24 words in random order, you won't find it. With 12 words it might be possible.

because i want to try to recover a wallet for which i know the words but not the order of the words. I'm actually also missing a word, that is, the tool should be such that I can say these 23 words must definitely occur. The last word can be used from the 2048.