
Topic: What to know about Mnemonic phrase/BIP39 (Read 645 times)

legendary
Activity: 2268
Merit: 18748
June 10, 2020, 03:19:56 AM
It is just words; what if someone just luckily guesses the combination and order of words? Can someone really brute-force hack a seed phrase, but maybe it takes so much time that no one tries it?
There have been no known cases of anyone truly randomly creating a previously used seed phrase. Every case of people having their seed phrase stolen, or generating one that someone else has already generated in the past, has been down to keyloggers, non-random entropy, malicious software, etc.

The reason this hasn't happened is down to simple math. There are 2048 possible words in the BIP39 word list. For a 12 word seed, this means there are 2048^12 combinations, which is the same as 132 bits or 2^132. Since the last 4 bits are a checksum, this encodes 128 bits of entropy, or 2^128, or 5.44*10^39.

This is a staggeringly large number. Larger than humans can comprehend. There have "only" been 4.32*10^17 seconds since the birth of the universe. If you were to try 1 billion different word combinations every second since the birth of the universe 13.7 billion years ago, you would have tried approximately 0.0000000001% of all possible 12 word seeds. If you are using a 24 word seed, the numbers become even more comical.
legendary
Activity: 1512
Merit: 4795
I am just curious, is there a mnemonic/seed phrase that has been compromised before, excluding phishing and keyloggers? Or is it possible to be compromised/hacked? It is just words; what if someone just luckily guesses the combination and order of words? Can someone really brute-force hack a seed phrase, but maybe it takes so much time that no one tries it?

It depends. It is very possible for a seed phrase to be compromised, but normally, given the way seed phrases are generated, it will be difficult or next to impossible for it to be compromised; people could, however, make mistakes while backing up.

For instance,
You back up your seed phrase, and it gets leaked and hackers see it. That means the wallet will be completely hijacked.
Some people make the mistake of backing up the seed phrase together with its passphrase, which means any access to the backup by hackers can lead to wallet hijack.

Another example,
Some divide the seed phrase, or the backup words, and store some in one location and the rest in another. If one of the backups is revealed or known to someone, it can be used to generate the other words; if the scammer does not generate the words himself, he can still sell the ones he knows to professional hackers who could later generate the whole 12 to 24 words.
Some recommend Shamir's secret sharing to divide the words in a way that cannot be compromised, but many developers are still against this.

Another example,
Some store it online, and this method is so wrong: anything stored online is not safe anymore, can become known to hackers very quickly, and can lead to wallet hijack.


So, normally, if the seed phrase is well backed up, it is 100% impossible for it to be known, and that means the wallet is safe with respect to the seed phrase backup. But, like you said, through phishing attacks and keyloggers, a seed phrase is not safe if the wallet owner does not practice safe browsing. These attacks succeed by malware installation on wallet devices. If the wallet owner can avoid malware, it is still 100% safe, provided he is also careful about the backup by not letting anyone get to know about it.

full member
Activity: 1176
Merit: 162
I am just curious, is there a mnemonic/seed phrase that has been compromised before, excluding phishing and keyloggers? Or is it possible to be compromised/hacked? It is just words; what if someone just luckily guesses the combination and order of words? Can someone really brute-force hack a seed phrase, but maybe it takes so much time that no one tries it?
legendary
Activity: 1512
Merit: 4795
I am suggesting you put https://iancoleman.io/bip39/ as a BIP39 tool in your original thread, for your audience to learn how to:
1. generate a mnemonic in other languages
2. use a passphrase
3. learn the derivation path
4. generate the split seed (Shamir's secret sharing)
5. BIP32 Root Key (master private key)
6. Entropy, Binary and Hexadecimal
7. Derived Addresses
8. Mnemonic
... etc
The audience can use this tool without having to be online.
Right-click the page, "save page as" file, or download the source file from the repository - https://github.com/iancoleman/bip39

You are right, https://iancoleman.io/bip39/ is a site where you can generate everything about a wallet: it generates entropy, seed phrase, seed, private keys, public keys and addresses. I did not include it yet because I still have a topic to write to talk more about BIP39; this is just the introduction. And you know, the site is even a topic on its own because of what I said above.
legendary
Activity: 2366
Merit: 2054
I am suggesting you put https://iancoleman.io/bip39/ as a BIP39 tool in your original thread, for your audience to learn how to:
1. generate a mnemonic in other languages
2. use a passphrase
3. learn the derivation path
4. generate the split seed (Shamir's secret sharing)
5. BIP32 Root Key (master private key)
6. Entropy, Binary and Hexadecimal
7. Derived Addresses
8. Mnemonic
... etc
The audience can use this tool without having to be online.
Right-click the page, "save page as" file, or download the source file from the repository - https://github.com/iancoleman/bip39
legendary
Activity: 2268
Merit: 18748
Looks like you are getting there. One more point of clarification:

The master private key can be used to generate child private keys.
You actually use both the parent private key and the parent public key (as well as the parent chain code) to generate a child private key. The parent public key and parent chain code are fed into an HMAC-SHA512 function along with the address index, and the left 256 bits of the output are added modulo n (which we discussed above) to the parent private key to give the child private key.

The only time you use only the parent private key (as well as the parent chain code) and not both the parent private and public keys is when you are generating hardened child private keys.
legendary
Activity: 1512
Merit: 4795
They don't. You can generate a private key using SHA256, by inputting any string of characters or numbers, and it will output a 256 bit number which can be used as a private key. This is essentially creating a brain wallet, and is a very poor way to generate private keys. But what we are talking about here, deriving private keys from a seed phrase, does not use SHA256.

Also, Mastering Bitcoin is available for free on GitHub. It's much easier to read there than on a Google preview. Link: https://github.com/bitcoinbook/bitcoinbook

I have learned a little more about private key generation, especially in HD wallets, in which what is first generated are the mnemonic code words (seed phrase). These code words represent the 128-256 bits of entropy that was first generated; this is used to generate a seed. After the seed (a 512-bit seed) is generated through the key stretching function PBKDF2 using HMAC-SHA512, the master private key, master public key and master chain code are generated through a one-way hash function using HMAC-SHA512. The master private key can be used to generate child private keys. Although I only talked about the generation of a private key, in an HD wallet master private keys can be used to generate child private keys, and the child private keys can generate grandchild keys, which gives the wallet the form of a hierarchy, and it is worth knowing.
legendary
Activity: 1512
Merit: 4795
but I think both uses SHA256
They don't. You can generate a private key using SHA256, by inputting any string of characters or numbers, and it will output a 256 bit number which can be used as a private key. This is essentially creating a brain wallet, and is a very poor way to generate private keys. But what we are talking about here, deriving private keys from a seed phrase, does not use SHA256.

Also, Mastering Bitcoin is available for free on GitHub. It's much easier to read there than on a Google preview. Link: https://github.com/bitcoinbook/bitcoinbook

Thank you for the link, and I also understand more clearly now that HMAC-SHA512 is required to turn the seed number into a private key, while SHA256 can be used to generate a private key in such a way that a brain wallet is created. With time, I will get this better.
legendary
Activity: 2268
Merit: 18748
but I think both uses SHA256
They don't. You can generate a private key using SHA256, by inputting any string of characters or numbers, and it will output a 256 bit number which can be used as a private key. This is essentially creating a brain wallet, and is a very poor way to generate private keys. But what we are talking about here, deriving private keys from a seed phrase, does not use SHA256.

Also, Mastering Bitcoin is available for free on GitHub. It's much easier to read there than on a Google preview. Link: https://github.com/bitcoinbook/bitcoinbook
legendary
Activity: 1512
Merit: 4795
It is the same: when generating a private key, the SHA256 hash algorithm will be used, which is the same SHA256 hash algorithm used in generating a seed phrase, and in a way that this produces 256-bit numbers.
That's not accurate either. SHA256 is only used to calculate the checksum of the entropy which is then turned into your seed phrase. Turning the seed phrase into a seed number, and turning that seed number into private keys, uses HMAC-SHA512, not SHA256. In the case of generating private keys, the left 256 bits are used to generate the private key and the right 256 bits become the chain code.

In the case of private key generation the number should not be less than 1 and should not be more than n-1, else it will fail to generate.
Actually, since private keys are modulo n, you can generate private keys above n-1, and they will just loop round again.

So, seed phrases are generated in such a manner too, but in a way that the private keys are converted into words. So, we can say private keys are seed phrases.
No and no. Private keys are not converted into words, and we cannot say private keys are seed phrases - they are two very different things.

The private key is first generated in hexadecimal format, which is later converted to words called a seed phrase.
Private keys are never converted to words called seed phrases.

I would suggest you learn more about this topic before trying to educate others on it.

I agree, they are not generated the same way, but I think both use SHA256. I am still a beginner; I make use of this page to learn a little about SHA256. It was the book that did not say it completely.

https://books.google.it/books?id=IXmrBQAAQBAJ&pg=PA64&lpg=PA64&dq=n+%3D+1.158+*+1077&source=bl&ots=9BgSltKnRY&sig=ACfU3U3FnBeD39fzvwumLIXSAujMLCCJLg&hl=en&sa=X&ved=2ahUKEwjQmNuhncrpAhXpiIsKHQDbD-kQ6AEwAXoECAYQAQ#v=onepage&q=n%20%3D%201.158%20*%201077&f=false

But about how both are generated, you are right, not in the same way.
legendary
Activity: 2268
Merit: 18748
It is the same: when generating a private key, the SHA256 hash algorithm will be used, which is the same SHA256 hash algorithm used in generating a seed phrase, and in a way that this produces 256-bit numbers.
That's not accurate either. SHA256 is only used to calculate the checksum of the entropy which is then turned into your seed phrase. Turning the seed phrase into a seed number, and turning that seed number into private keys, uses HMAC-SHA512, not SHA256. In the case of generating private keys, the left 256 bits are used to generate the private key and the right 256 bits become the chain code.

In the case of private key generation the number should not be less than 1 and should not be more than n-1, else it will fail to generate.
Actually, since private keys are modulo n, you can generate private keys above n-1, and they will just loop round again.

So, seed phrases are generated in such a manner too, but in a way that the private keys are converted into words. So, we can say private keys are seed phrases.
No and no. Private keys are not converted into words, and we cannot say private keys are seed phrases - they are two very different things.

The private key is first generated in hexadecimal format, which is later converted to words called a seed phrase.
Private keys are never converted to words called seed phrases.

I would suggest you learn more about this topic before trying to educate others on it.
legendary
Activity: 1512
Merit: 4795

The passphrase
This is the encryption of the seed phrase with a password; this password makes it impossible to access the seed phrase, and the password is required to unlock the seed phrase. Some wallets call the passphrase a seed extension and it is referred to as the 13th/25th word.
This is incorrect. The passphrase does not encrypt your seed phrase, and the seed phrase can be easily accessed without knowing the passphrase. The passphrase is used as part of the second parameter in PBKDF2 to turn your seed phrase into your 512 bit seed number. You can use as many different passphrases as you like with the same seed phrase, and the result will be a different set of addresses each time.

I am still learning; you are a pro compared to me, thanks for the correction. But what I was just trying to say is that the passphrase can be passworded in a way that the password will be used to access the seed phrase, and that this is called a passphrase. But I will still talk about this in a topic, to explain how a seed phrase can have a passphrase, though it is not necessary for the seed phrase to be accessed with a passphrase, like you said. You are correct.
legendary
Activity: 1512
Merit: 4795
Quote from: Andreas Antonopolous | Mastering Bitcoin
More precisely, the private key can be any number between 1 and n - 1, where n is a
constant (n = 1.158 * 10^77, slightly less than 2^256)
I think this question is somehow related to mnemonic phrase. I just have a hard time understanding this number. If I am not mistaken, this is a very huge number. Is this the range of number we can choose from to generate a private key?

(n = 1.158*10^77, slightly less than 2^256), where the private key can be a number from n and n-1 and n is a constant like you said, but this is the order of the elliptic curve used in bitcoin; this is another field of cryptography. This is used in generating private keys,

But, when generating a private key, the SHA256 hash algorithm will be used, which is the same SHA256 hash algorithm used in generating a seed phrase, and in a way that this produces 256-bit numbers. In the case of private key generation the number should not be less than 1 and should not be more than n-1, else it will fail to generate, but in the case of a seed phrase the numbers used fall within the 2048 words.

So, seed phrases are generated in such a manner too, but in a way that the private keys are converted into words. So, we can say private keys are the hexadecimal format of seed phrases, which are in words.
legendary
Activity: 2268
Merit: 18748
I think this question is somehow related to mnemonic phrase. I just have a hard time understanding this number. If I am not mistaken, this is a very huge number. Is this the range of number we can choose from to generate a private key?
So the number you have quoted there is to do with the number of possible private keys which exist. It isn't directly related to the seed phrase (other than the fact that your private keys are eventually derived from your seed phrase).

Specifically, the number we are talking about here is (in hex):

Code:
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141

This number is called n, and is the order of the base point G of the secp256k1 curve that bitcoin uses. In simple terms, it is the number of points on the curve. The upper limit for a private key is therefore n-1, or:

Code:
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364140

In base 10, that number is:

Code:
115,792,089,237,316,195,423,570,985,008,687,907,852,837,564,279,074,904,382,605,163,141,518,161,494,336

Which approximates to 1.158*10^77, and is very marginally smaller than the number 2^256.

In terms of having a hard time understanding this number, I'll quote a post of mine from a year ago:

This is one of my old favorite examples which pops up from time to time in a variety of slightly different forms: https://czep.net/weblog/52cards.html. It is used to explain just how large 52! is - the number of possible permutations of shuffling a deck of cards. 52! works out to around 10^67, so several orders of magnitude less than 2^256 (~10^77). It essentially boils down to this:

Start at the equator. Take a single step every billion years. Once you complete the entire circumference, remove a single drop of water from the Pacific Ocean. Continue until the ocean is empty, then place a single piece of paper on the ground, refill the ocean, and start again. Once your stack of paper reaches the sun, throw it away, and start again. Repeat around 3000 times, and 52! seconds will have passed. You'd have to repeat that around 30 trillion times for 2^256 seconds.


legendary
Activity: 1904
Merit: 1563
Quote from: Andreas Antonopolous | Mastering Bitcoin
More precisely, the private key can be any number between 1 and n - 1, where n is a
constant (n = 1.158 * 10^77, slightly less than 2^256)
I think this question is somehow related to mnemonic phrase. I just have a hard time understanding this number. If I am not mistaken, this is a very huge number. Is this the range of number we can choose from to generate a private key?
legendary
Activity: 2268
Merit: 18748
For 12 random words, the number of possible combinations is 2048^12, which equals 2^132 and would make the phrase 132-bit security, but a 12 word seed is 128 bits, which means not all 12 words are randomly selected, but they have approximately the same strength as private keys.
For a 12 word seed phrase, the first 11 words can be any word from the BIP39 wordlist. It is only the last word (of any seed phrase length) which needs to be chosen specifically. This is because the last word contains the checksum for the rest of the words - 4 bits in the case of a 12 word seed, 8 bits in the case of a 24 word seed. This is also why a 12 word seed phrase isn't 132 bits of security, but 128 bits - the last 4 bits are the checksum.

The passphrase
This is the encryption of the seed phrase with a password; this password makes it impossible to access the seed phrase, and the password is required to unlock the seed phrase. Some wallets call the passphrase a seed extension and it is referred to as the 13th/25th word.
This is incorrect. The passphrase does not encrypt your seed phrase, and the seed phrase can be easily accessed without knowing the passphrase. The passphrase is used as part of the second parameter in PBKDF2 to turn your seed phrase into your 512 bit seed number. You can use as many different passphrases as you like with the same seed phrase, and the result will be a different set of addresses each time.
legendary
Activity: 1512
Merit: 4795
Introduction
Hierarchical deterministic wallets make use of a seed phrase to recover a wallet. The mnemonic phrase is also referred to as the master seed, wallet backup or recovery seed/phrase. So, it serves as a backup in case of wallet theft or damage. Bitcoin Improvement Proposal 0039 (BIP39), which was approved by the bitcoin community and which most wallets are using today, is referred to as the mnemonic phrase.

The English version of the phrase is taken from a group of 2048 words contained in a supporting wallet; they are known as the BIP39 word list. For 12 random words, the number of possible combinations is 2048^12, which equals 2^132 and would make the phrase 132-bit security, but a 12 word seed is 128 bits, which means not all 12 words are randomly selected, but they have approximately the same strength as private keys. BIP39 supports 128 to 256 bits of entropy, which generate 12 to 24 words.

Bits of entropy    Number of words
      128                 12
      160                 15
      192                 18
      224                 21
      256                 24

Common wallets that support BIP39

Hardware Wallets
    Trezor
    Ledger
    Keepkey
    Cool Wallet
    Coldcard

Software Wallets      Support
    Bread             Android, iOS
    Exodus            Windows, macOS, Linux, Android, iOS
    Mycelium          Android, iOS
    Samourai          Android
    Coinomi           Windows, macOS, Linux, Android, iOS
    Blockchain        Android, iOS
    Copay             iOS, Android, Chrome, Linux, Windows, macOS
    Jaxx              Android, iOS, macOS, Windows, Linux, Chrome
    Blockstream Green Android, iOS
    Ownbit            Android, iOS
    BlueWallet        Android, iOS
    Enjin             Android, iOS
    Wasabi            Linux, Windows, macOS


The passphrase
This is the protection of the seed phrase with a password; this password makes it impossible to access the seed phrase without knowing the password. It is called a passphrase, and the passphrase is required to access the seed phrase. Some wallets call the passphrase a seed extension and it is referred to as the 13th/25th word.


BIP39 FAQ
Can I use the seed phrase to recover my wallet?
Yes, if the wallet supports the seed phrase standard called BIP39, it is a backup and can be used to restore your bitcoin or any cryptocurrency stored on your wallet.
 
Can I use my wallet seed phrase to recover my bitcoin and altcoins on another wallet?
Yes, it is very possible, but the wallet must support the cryptocurrencies you have on your previous wallet and must also support BIP39, which means the wallet should support BIP39 for the seed phrase, BIP32 which defines accounts, and BIP44 for multiple coin types.

How can I back up my wallet seed phrase?
The recommended way is to get a paper and write it down. Having duplicates is good, and they should be kept in different safe places. Also, it can be stored written on metal or on printed paper.

Should I split my seed phrase into two?
No, if one part is known to hackers, it can possibly be used to generate the other words, and the cryptographic security of the backup can be compromised. But if you want to split it into two in a way that will make the words useless for hackers, you can use Shamir's secret sharing, and make sure you use a 24 word phrase.

Can I recover my bitcoin or altcoins without the passphrase when it is enabled?
No, it is not possible; be careful when choosing a passphrase to protect your seed phrase.

What should I do if I have forgotten my passphrase?
If you remember your access PIN or password to your wallet and you can send out your coins to another wallet, it is advisable to send your coins to another wallet entirely; otherwise, your coins may be lost.

How do I recover bitcoin using the seed phrase?
Be careful of malware; it can result in bitcoin or altcoin loss to hackers. That is why hardware wallets are better to use for this, without connecting them to any device.

Should I check my backup regularly?
Yes, check it often, read it often, daily, because it is memorizable, but do not think you know it off hand after memorizing it; still check it often and keep it safe.

Can I back up my seed phrase on a computer or in cloud storage?
Phones and computers, including cloud storage like Google Drive and OneDrive, are not advisable; a paper backup is the best, be it written or printed.


Conclusion
BIP39 is a means of recovering lost bitcoin or altcoins; it should be backed up and stored safely. Also, if it is passphrased, the passphrase should not be forgotten in order to be able to access the seed phrase.




https://github.com/6102bitcoin/FAQ/blob/master/seed.md

https://www.blockplate.com/blogs/blockplate/list-of-bip39-wallets-mnemonic-seed

https://en.bitcoin.it/wiki/Seed_phrase

https://bitcoin.stackexchange.com/questions/80531/seed-restore-from-one-wallet-to-another
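Added example, not from the original post or any reply: the BIP39 steps the thread discusses, in Python. It derives the checksummed word indices from entropy (only the last word is constrained by the SHA256 checksum, so exactly 128 of the 2048 words can complete an 11 word prefix), verifies the checksum the way a wallet does on restore, and turns a mnemonic plus optional passphrase into the 512 bit seed with PBKDF2-HMAC-SHA512. The four word list fragment and the all-zero entropy are constructed for the demonstration; the full word list comes from the bip39 repository linked above.

```python
import hashlib
import unicodedata

# Constructed fragment of the BIP39 English word list (indices 0..3 only); the
# full 2048-word english.txt ships with the bip39 repository linked in the thread.
WORDLIST_HEAD = ["abandon", "ability", "able", "about"]

ENTROPY_BITS = (128, 160, 192, 224, 256)   # 12, 15, 18, 21, 24 words


def entropy_to_indices(entropy):
    """Append the SHA256 checksum (ENT/32 bits) to ENT bits of entropy and cut the
    result into 11-bit word indices. Only the last word carries checksum bits."""
    ent_bits = len(entropy) * 8
    if ent_bits not in ENTROPY_BITS:
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def indices_to_words(indices, wordlist):
    """Map word indices onto a word list (the real list has 2048 entries)."""
    return [wordlist[i] for i in indices]


def indices_valid(indices):
    """Recompute the checksum from the entropy bits and compare it with the
    trailing checksum bits. This is the check a wallet runs on restore."""
    total = len(indices) * 11
    if total % 33 or total // 33 * 32 not in ENTROPY_BITS:
        return False
    cs_bits = total // 33
    bits = 0
    for index in indices:
        if not 0 <= index < 2048:
            return False
        bits = (bits << 11) | index
    entropy = (bits >> cs_bits).to_bytes((total - cs_bits) // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    return (bits & ((1 << cs_bits) - 1)) == expected


def valid_last_words(leading_indices):
    """All last-word indices that complete the given leading words with a correct
    checksum: 2^(11-4) = 128 of the 2048 candidates for a 12 word phrase."""
    return [i for i in range(2048) if indices_valid(leading_indices + [i])]


def mnemonic_to_seed(mnemonic, passphrase=""):
    """PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase, 64-byte seed.
    The passphrase changes the seed (and so every address); it never encrypts
    the words, which stay readable to anyone holding the backup."""
    password = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, 64)
```

With 16 zero bytes of entropy the indices are eleven times 0 plus 3, i.e. "abandon" x11 "about", and that mnemonic with the passphrase "TREZOR" reproduces the first published BIP39 test vector seed.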
