Private key to mnemonic words, is it safe?

Here are two mechanisms for converting a 256-bit (64 hexadecimal characters) seed into a Electrum seed word mnemonics, and back again.

#1 JavaScript-based

#2 C++ - based

However, the command line interface example below, using mechanism #2, uses one of the most unsafe private seeds is used for demonstrative reference purposes only.

1% echo -n "0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff" | ./bytes_to_words

rover akin begun nifty laboratory point injury upper eldest enjoy gotten suffice batch snake hospital veteran eagle weird sieve podcast mighty oozed bimonthly biggest upper

2% echo "rover akin begun nifty laboratory point injury upper eldest enjoy gotten suffice batch snake hospital veteran eagle weird sieve podcast mighty oozed bimonthly biggest upper" | ./inverse_mnemonics

0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff

The results are repeatable using mechanism #1.

BIP 39 doesn't require invertability support (analogous to ./inverse_mnemonics for Electrum words) albeit it can be accomplished. See How to generate a valid hash for a bip39 seed phrase? for an approach for accomplishing this task.

The mapping back to the BIP 39 root seed in hex is guaranteed to be unique. However, due to normalization associated with ed25519 cryptography, not currently used by Bitcoin, it is possible to have multiple two sets of 25 Electrum words that map to the same functional private key.

skaht

Posted 2018-05-01T09:54:04.983

Reputation: 2 588

What do you mean by unsafe private seeds? I have implemented my own method today. Similar to bip39. Split the byte buffer into equal size bit chunks and then use them as indices for words. – i squared - Keep it Real – 2018-05-01T19:48:37.090

I have about the same number of combinations of words as in bip39 between level with 24 words and whatever is before 24 (21 words?) – i squared - Keep it Real – 2018-05-01T19:51:09.717

The key 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff has very little entropy and can be easily guessed and used by a bot. The Electrum example provided uses 25 words. The 25th Electrum word is always a repeat of the other 24 words and is used for error checking purposes. – skaht – 2018-05-01T20:22:06.067

Oh I got it. Thanks. How exactly is it used for error checking? Is it like a checksum? – i squared - Keep it Real – 2018-05-01T20:23:58.753

% echo -n 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff | bx mnemonic-new

abandon above dust dust case often baby melt fever creek oven upper mass error grit fetch roof taxi creek roof ten jazz zoo unique – skaht – 2018-05-01T20:27:42.200

The BIP 39 example just provided is essentially not invertible. Each 32-bits of hexadecimal numbers maps to three BIP 39 words. I believe but am not sure how the 25th Electrum word provides checksum services. – skaht – 2018-05-01T20:32:47.087

See How to generate a valid hash for a bip39 seed phrase? and https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#generating-the-mnemonic for how the last BIP 39 word impacts error checking.

– skaht – 2018-06-07T03:27:18.593

that's not a valid electrum seed – Abdussamad – 2018-08-17T07:01:07.950

actually the above wouldn't work. Because You won't get equal number of bit chunks if you use 11 bits like in BIP39. – i squared - Keep it Real – 2018-05-01T12:43:53.043

Extended keys used by BIP 39 are 512 bits in length. Generally speaking, the path from BIP 39 words to private keys, especially when using detached keys, are not invertable. This is unlike Electrum mnemonic seed words that are invertable. The Electrum mnemonic can represent 256 bits. – skaht – 2018-05-01T19:18:31.433

Private key to mnemonic words, is it safe?

Answers