
The creation of a wallet and its private/public key pairs begins with the generation of a SEED. Here is the process.
Bitcoin Improvement Proposal 39
Certain standards have established themselves as wallets have evolved. Notably:
- The mnemonic phrase (also called "seed" by abuse of language): BIP-39
- The HD (Hierarchical Deterministic) wallet: BIP-32
Today, almost all wallets use the BIP-39 protocol proposed in 2013 by Marek Palatinus and Pavol Rusnak (co-founders of Satoshilabs).
BIP-39 gets its name because it is the 39th bitcoin improvement proposal (BIP). It is a protocol for randomly generating a mnemonic phrase that is then used to create an HD wallet.
Since BIP-32, key pairs are always derived in the same (deterministic) way. Because this protocol is widely adopted, you can now recover all of a wallet's private keys (and therefore access to its BTC) by entering its mnemonic phrase into most wallets.
Another advantage is that it is no longer necessary to directly use private keys that are very difficult to memorize. Memorizing a mnemonic phrase of 12 words is enough to regain access to millions of keys.
The seed creation process is divided into two phases:
- Generation of the mnemonic phrase (a group of easy-to-remember words)
- Conversion to the seed (from which all the private/public keys of the wallet will be derived)
[As a reminder, a different address (a different private/public key pair) should be used for each transaction in order to improve anonymity.]
Seed generation
1) Generate entropy
Generating entropy means picking a large random number of between 128 and 256 bits, in steps of 32 bits. 128 bits of entropy correspond to a mnemonic phrase of 12 words.
160 bits of entropy = 15 words
192 bits of entropy = 18 words
224 bits of entropy = 21 words
256 bits of entropy = 24 words
We take for our example an entropy of 128 bits:
0 0 0 0 0 1 1 0 1 1 0 0 1 0 0 1 1 0 0 0 1 0 0 1 0 0 1 1 0 1 0 1 1 1 1 0 1 0 1 1 1 1 0 1 0 1 1 1 0 1 0 0 1 0 1 0 0 0 1 1 0 0 0 0 1 1 0 1 0 1 0 1 0 1 1 0 0 0 1 1 1 1 1 0 0 1 1 1 1 0 0 1 0 1 0 0 1 1 0 0 1 0 0 1 1 0 0 0 1 0 0 1 1 1 0 1 1 0 0 0 1 1 1 0 0 0 0 1
(i.e. 9,021,802,605,472,555,840,788,517,848,795,437,281 in decimal format)
This number is generated at random by your wallet (random number generation is a substantial topic in its own right, which we will not discuss here).
2) Generate a checksum
First, hash the entropy with SHA-256, which gives us the hash:
40f006b68841cd790b25b66008366cc130b6b1e274399be44c4d0e7df283376a
Then take the first four bits of this hash (which is written in hexadecimal) and append them to the end of the entropy. The checksum is one bit per 32 bits of entropy, hence four bits for 128 bits. The first hexadecimal digit, 4, is 0100 in binary, so the entropy followed by its checksum reads:
00000110110010011000100100110101111010111101011101001010001100001101010101100011111001111001010011001001100010011101100011100001[0100]
3) Make 11-bit splits
00000110110 / 01001100010 / 01001101011 / 11010111101 / 01110100101 / 00011000011 / 01010101100 / 01111100111 / 10010100110 / 01001100010 / 01110110001 / 11000010100
4) Convert to decimal
0 0 0 0 0 1 1 0 1 1 0 = 54
0 1 0 0 1 1 0 0 0 1 0 = 610
0 1 0 0 1 1 0 1 0 1 1 = 619
1 1 0 1 0 1 1 1 1 0 1 = 1725
0 1 1 1 0 1 0 0 1 0 1 = 933
0 0 0 1 1 0 0 0 0 1 1 = 195
0 1 0 1 0 1 0 1 1 0 0 = 684
0 1 1 1 1 1 0 0 1 1 1 = 999
1 0 0 1 0 1 0 0 1 1 0 = 1190
0 1 0 0 1 1 0 0 0 1 0 = 610
0 1 1 1 0 1 1 0 0 0 1 = 945
1 1 0 0 0 0 1 0 1 0 0 = 1556
These decimal values range from 0 to 2047 (2^11 possibilities). Each number corresponds to one word from the list of 2048 words defined in BIP-39.
The list is built so that no two words share the same first four letters. Writing down only the first four letters of each word is therefore enough to recover them.
5) Find the words corresponding to these numbers:
54 = allow
610 = equip
619 = essence
1725 = stuff
933 = innocent
195 = blue
684 = fever
999 = lamp
1190 = net
610 = equip
945 = invite
1556 = second
The twelve-word mnemonic phrase will therefore be:
allow equip essence stuff innocent blue fever lamp net equip invite second
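Steps 1 to 5 above, written out as an added example (this is not code from the original article): the entropy from step 1 is embedded as hex, the SHA-256 checksum is appended, the 132 bits are cut into eleven-bit groups and converted to word indices. The inverse direction is included too, since it is what a wallet does when a recovery phrase is typed in: it rebuilds the entropy and rejects the phrase if the checksum does not match. The word list itself is not embedded; `indices_to_words` expects the caller to load the 2048-word BIP-39 English list (one word per line, index 0 being the first line). The helper names are my own.

```python
import hashlib

# Constructed from the article's step-1 example: the same 128 bits written as hex.
ARTICLE_ENTROPY_HEX = "06c98935ebd74a30d563e794c989d8e1"

VALID_ENTROPY_BITS = (128, 160, 192, 224, 256)


def entropy_to_indices(entropy: bytes) -> tuple[list[int], str]:
    """Steps 2 to 4: append the SHA-256 checksum, cut into 11-bit groups and
    return the word indices (each 0..2047) together with the checksum bits."""
    ent_bits = len(entropy) * 8
    if ent_bits not in VALID_ENTROPY_BITS:
        raise ValueError(f"entropy must be one of {VALID_ENTROPY_BITS} bits, got {ent_bits}")
    cs_len = ent_bits // 32                          # 4 checksum bits for 128-bit entropy
    hash_bits = "".join(f"{b:08b}" for b in hashlib.sha256(entropy).digest())
    checksum = hash_bits[:cs_len]
    bits = "".join(f"{b:08b}" for b in entropy) + checksum   # 132 bits -> 12 groups of 11
    indices = [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]
    return indices, checksum


def indices_to_entropy(indices: list[int]) -> bytes:
    """Inverse direction, i.e. what a wallet does when a phrase is typed in:
    recover the entropy and reject the phrase if its checksum does not match."""
    if len(indices) * 11 % 33 or not 12 <= len(indices) <= 24:
        raise ValueError("word count must be 12, 15, 18, 21 or 24")
    if any(not 0 <= i < 2048 for i in indices):
        raise ValueError("word index out of range")
    bits = "".join(f"{i:011b}" for i in indices)
    cs_len = len(bits) // 33                         # 132 bits -> 4, 264 bits -> 8
    ent_bits = len(bits) - cs_len
    entropy = int(bits[:ent_bits], 2).to_bytes(ent_bits // 8, "big")
    _, expected = entropy_to_indices(entropy)
    if bits[ent_bits:] != expected:
        raise ValueError("checksum mismatch: a word is wrong or out of order")
    return entropy


def indices_to_words(indices: list[int], wordlist: list[str]) -> str:
    """Step 5: map each index onto the 2048-word list. The list is not embedded here;
    load the BIP-39 english.txt (one word per line, index 0 = first line) into `wordlist`."""
    if len(wordlist) != 2048:
        raise ValueError("a BIP-39 word list has exactly 2048 entries")
    return " ".join(wordlist[i] for i in indices)


if __name__ == "__main__":
    entropy = bytes.fromhex(ARTICLE_ENTROPY_HEX)
    indices, checksum = entropy_to_indices(entropy)
    print("checksum bits:", checksum)
    print("word indices :", indices)
    # The phrase round-trips back to the entropy it was built from.
    assert indices_to_entropy(indices) == entropy
```

The all-zero 16-byte entropy is a handy sanity check for this code: its eleven-bit groups are eleven zeros followed by the group `0000000` + checksum, so only the last word carries the checksum.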
Summary diagram: (image not reproduced in this text)
Seed conversion
Wallets most often use PBKDF2 (Password-Based Key Derivation Function 2), a key derivation function, to convert the mnemonic phrase into a seed.
In our case, the derived key is the seed from which the private/public key pairs will be produced using elliptic curve cryptography.
PBKDF2 applies a hash function, HMAC-SHA-512, to the mnemonic phrase; the operation is repeated 2048 times in a row, and the result is the seed.
Note that additional information (the "salt") is also mixed into the data being hashed to reinforce its security. This helps prevent certain types of attacks.
The salt is the word "mnemonic" by default, optionally followed by a "passphrase" of your choice. Wallets such as Trezor recommend using one, so that extracting the mnemonic from the hardware alone is useless to an attacker.
The trade-off is that you must then remember two pieces of information (your mnemonic and your passphrase); lose either and you lose access to your BTC.
The 512-bit seed will be used to create the HD wallet. In our case, we end up with this 512-bit seed:
b8485829b0151585b9c24ba336811b7274c08d0d44380028f01f7d7e5e5c2e26811cef5b44c9785ffae7341ed8ec6f079a77829136b148b72b73f70ea7d31c02
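The conversion just described, as an added example (not code from the original article): `mnemonic_to_seed` runs PBKDF2 with HMAC-SHA-512, 2048 rounds and the salt "mnemonic" + passphrase, with both strings NFKD-normalised before UTF-8 encoding as BIP-39 requires. Next to it, `pbkdf2_sha512_by_hand` spells out the same computation with the `hmac` module so the "2048 rounds" are visible: since the 512-bit seed is exactly one HMAC-SHA-512 output long, PBKDF2 needs a single block. The sample mnemonic is the article's twelve words, lower-cased; the passphrase values are constructed, and the function names are my own.

```python
import hashlib
import hmac
import unicodedata

# Sample input constructed from the article's twelve-word phrase (lower-cased).
ARTICLE_MNEMONIC = "allow equip essence stuff innocent blue fever lamp net equip invite second"

ITERATIONS = 2048     # BIP-39 fixes the PBKDF2 round count
SEED_LEN = 64         # 512-bit seed


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed derivation: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase.
    Both strings are NFKD-normalised before UTF-8 encoding, so visually identical input
    typed on different keyboards (composed vs. decomposed accents) yields the same seed."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, ITERATIONS, dklen=SEED_LEN)


def pbkdf2_sha512_by_hand(password: bytes, salt: bytes, iterations: int) -> bytes:
    """The same computation written out, to show what '2048 rounds of HMAC-SHA-512' means.
    The seed is exactly one SHA-512 output long, so PBKDF2 needs a single block (#1):
    U1 = HMAC(P, S || 0x00000001), Ui = HMAC(P, U(i-1)), T1 = U1 xor U2 xor ... xor Uc."""
    u = hmac.new(password, salt + (1).to_bytes(4, "big"), hashlib.sha512).digest()
    t = bytearray(u)
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hashlib.sha512).digest()
        for j in range(SEED_LEN):
            t[j] ^= u[j]
    return bytes(t)


if __name__ == "__main__":
    seed = mnemonic_to_seed(ARTICLE_MNEMONIC)
    print("seed, no passphrase:  ", seed.hex())
    # A passphrase changes every bit of the seed, hence a different wallet.
    print("seed, with passphrase:", mnemonic_to_seed(ARTICLE_MNEMONIC, "example passphrase").hex())
    assert seed == pbkdf2_sha512_by_hand(ARTICLE_MNEMONIC.encode(), b"mnemonic", ITERATIONS)
```

Two points worth noticing when running it: the same phrase with a different passphrase gives an unrelated seed (and PBKDF2 gives no error for a mistyped passphrase, it simply opens a different, empty wallet), and the normalisation step means "café" typed with a precomposed é and with e + combining accent derive the same seed.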
Summary diagram: (image not reproduced in this text)
The wallet takes care of converting the mnemonic words into a seed through a complex process of hashing, salting and checksum. This seed is then used to generate the private/public keys. All in a deterministic way.
In short, HD wallets make it easy to restore thousands, even millions of keys from a single mnemonic phrase which is also directly called the seed.
We will see in a future article how to derive the private and public keys from the seed (BIP-32). If you liked this article, you will appreciate: How are Bitcoin addresses created?
Related links:
- What is the difference between PBKDF and SHA512?
- What is the advantage of using PBKDF2 over SHA256?