Bitcoin Q&A: How do mnemonic seeds work?

Fabiano asks, “How do mnemonic seed
words work? It looks like magic to me.”
I believe it was Arthur C. Clarke who said,
“Any sufficiently advanced technology
is indistinguishable from magic,”
to a civilisation that’s not as advanced.
I think one of the funny things about a lot of the
mathematics involved in cryptography is that…
it seems like magic; it takes a while to get
used to it and understand how it works.
First of all, let’s describe
what mnemonic seed words are.
Mnemonic seed words encode
a specific amount of randomness.
They are basically a number, but that number is
represented by words, almost like a lookup table.
What does that mean, exactly?
If you use a standard mnemonic, which is a BIP-39
mnemonic, there is a dictionary of 2048 words.
This dictionary of 2048 words has been carefully
[curated] so that the words do not appear similar,
and you can always figure out which word you’re
looking at just from the first four letters of that word.
The first four letters give you a unique word in
this dictionary, but the letters don’t really matter.
What matters is that you have 2048 words.
Think of each [word] as a symbol.
For example, if you have a twelve-word mnemonic,
then those words encode 2048 ^ 12 possible numbers.
Essentially, each word represents about 11 bits of
binary information and can be used to construct a seed.
The seed is 128 bits if you have twelve words,
or 256 bits if you have twenty-four words.
From that 128 or 256 bit number, your wallet
then produces a master private key…
through a process of stretching.
‘Stretching’ is basically applying a
hash algorithm again and again.
In the case of BIP-39, the hash algorithm is applied two
thousand times, together with [an optional] passphrase,
to produce a master [private] key.
That master [private] key is then used with repeated hashing functions to produce a series of private keys.
These private keys can be used to do transactions.
You start with a long number, such as 128 bits.
That long number gets expressed as twelve
English words from a dictionary of 2048 words.
Those words are then stretched through a hashing
algorithm to produce an even longer number,
which is used as your master private key,
usually a 512-bit number.
That 512-bit number is used again with repeated
hashing to produce a tree of private keys.
That is a hierarchical deterministic wallet, or HD wallet.
Each one of those private keys can then produce
a public key and address [for doing] transactions.
If you take that mnemonic seed and put it into a
new wallet [that is compatible with the standards],
the new wallet can recreate that entire
process and produce all of the private keys.
There’s an infinite number of private keys that can
be produced from a seed in a specific sequence.
Your wallet will start from the beginning and look on
the blockchain to see if those keys have been used,
by looking at the addresses and whether they ever
had a balance or transaction related to them.
It will stop looking once it has found twenty empty
addresses, assuming you haven’t used any of those…
and didn’t get that far in the sequence.
That is how a mnemonic seed
is imported [to a new wallet].
All of this is part of two standards: BIP-39 for mnemonic
words, and BIP-32 for hierarchical deterministic wallets.
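As an added illustration (not part of the talk), here is the pipeline just described in plain Python standard library: entropy plus its SHA-256 checksum cut into 11-bit indices, each index being a lookup into the 2048-word BIP-39 list (the list itself is not embedded; only the English words at index 0, "abandon", and index 3, "about", are assumed), the reverse checksum verification a wallet runs on import, the PBKDF2 stretching (2048 rounds in the specification) that yields the 512-bit seed, and the HMAC-SHA512 step that turns the seed into the BIP-32 master private key and chain code. The all-zero entropy and the passphrase "TREZOR" are the published BIP-39 test vector.

```python
import hashlib
import hmac
import unicodedata

# Constructed input: the all-zero 128-bit entropy from the BIP-39 test vectors.
# The 2048-word list is not embedded; a word is just wordlist[index]. In the
# English list index 0 is "abandon" and index 3 is "about".
ZERO_ENTROPY = bytes(16)
ZERO_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])

def entropy_to_indices(entropy: bytes) -> list:
    """Append a SHA-256 checksum (ENT/32 bits), then cut into 11-bit word indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16..32 bytes in 4-byte steps")
    cs_bits = ent_bits // 32                      # 4 bits for 12 words, 8 for 24
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits                    # 132 or 264, a multiple of 11
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]

def indices_to_entropy(indices: list) -> bytes:
    """Import direction: rebuild the bit string, verify the checksum, return entropy."""
    total = 11 * len(indices)
    ent_bits = total * 32 // 33
    cs_bits = total - ent_bits
    bits = 0
    for idx in indices:
        bits = (bits << 11) | idx
    entropy = (bits >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    if bits & ((1 << cs_bits) - 1) != expected:
        raise ValueError("checksum mismatch: a word was mistyped or out of order")
    return entropy

def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Stretching: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase."""
    pw = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", pw, salt, 2048)   # 512-bit seed

def seed_to_master_key(seed: bytes) -> tuple:
    """BIP-32 root: HMAC-SHA512 keyed with 'Bitcoin seed' -> (master privkey, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]

if __name__ == "__main__":
    idx = entropy_to_indices(ZERO_ENTROPY)
    seed = mnemonic_to_seed(ZERO_MNEMONIC, "TREZOR")
    print(idx, seed.hex(), seed_to_master_key(seed)[0].hex())
```

The checksum is why a mistyped or swapped word is usually caught at import time, and the passphrase shows why the same twelve words with a different passphrase lead to an entirely different key tree.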
[Responding to] a quick question
from Barnabas that is a follow-up.
The words [in the mnemonic
phrase] are not selected by you;
the words are produced from a
128 or 256 bit random number.
When we say “random,” what does that mean?
Does that mean true random?
Does that mean [a] cryptographically secure
pseudo-random number generator?
It really depends. You can generate
the seed entropy in any way you like.
You could use some kind of process with quantum
fluctuations in order to produce a true random number.
But for most purposes, a cryptographically
secure pseudo-random number generator,
such as the one provided by your computer
hardware and with sufficient [entropic inputs]
(wheeling your mouse, typing on the keyboard etc.),
will produce enough entropy for seed [creation].
If you wanted to, you could [use] casino dice, which
are properly balanced, well-designed, and audited.
You could put them in a shoebox, throw [or] shake them
together, and use that to produce a 128 or 256 [bit] number.
Then encode that as a mnemonic phrase
of twelve or twenty-four English words.
There is no requirement in the specification
as to how you produce the randomness.
Susana asks, “Can the mnemonic seed
be imported to another wallet?” Yes.
One of the great features of mnemonic seeds, as long
as they follow a well-supported standard like BIP-39,
is they can be moved from any BIP-39 compatible
wallet to any other BIP-39 compatible wallet.
You can import a seed, and it should be able to find
all of your transaction [history], addresses, and keys.
You can also run the same mnemonic seed on multiple
wallets simultaneously, and spend from all of them.
Of course, keep in mind that possession of
the seed means possession of your funds.
Be very, very careful when managing seeds;
the more places you type it in or store it as a backup,
the more likely you are to expose it to
a system that has been compromised.