Private key to mnemonic words, is it safe?

0

1

Is it safe to do the following?

Suppose I do not want the HD wallet, but I do want the convenience of using mnemonic words to remember the private key. I know I can convert the private key's hex representation to byte format from which I can get binary format, from there I can follow BIP-39 to generate 24 words that are represented by that private key (because general addresses are used by randomly producing a 256-bit word which is equivalent to 24 words). Can I now use these "mnemonic" words to remember my private key, and completely disregard it (since I can always use these words to get back to the private key)? I guess what I am wondering is whether there are cases where different private keys can produce the same collection of 24 words.

i squared - Keep it Real

Posted 2018-05-01T09:54:04.983

Reputation: 143

Actually the above wouldn't work, because you won't get an equal number of bit chunks if you use 11 bits like in BIP39.

i squared - Keep it Real 2018-05-01T12:43:53.043

Extended keys used by BIP 39 are 512 bits in length. Generally speaking, the path from BIP 39 words to private keys, especially when using detached keys, is not invertible. This is unlike Electrum mnemonic seed words that are invertible. The Electrum mnemonic can represent 256 bits.

skaht 2018-05-01T19:18:31.433

Answers

0

Here are two mechanisms for converting a 256-bit (64 hexadecimal characters) seed into an Electrum seed word mnemonic, and back again.

#1 JavaScript-based

#2 C++-based

However, the command line interface example below, using mechanism #2, uses one of the most unsafe private seeds, for demonstrative reference purposes only.

1% echo -n "0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff" | ./bytes_to_words

rover akin begun nifty laboratory point injury upper eldest enjoy gotten suffice batch snake hospital veteran eagle weird sieve podcast mighty oozed bimonthly biggest upper

2% echo "rover akin begun nifty laboratory point injury upper eldest enjoy gotten suffice batch snake hospital veteran eagle weird sieve podcast mighty oozed bimonthly biggest upper" | ./inverse_mnemonics

0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff

The results are repeatable using mechanism #1.

BIP 39 doesn't require invertibility support (analogous to ./inverse_mnemonics for Electrum words) albeit it can be accomplished. See How to generate a valid hash for a bip39 seed phrase? for an approach for accomplishing this task.

The mapping back to the BIP 39 root seed in hex is guaranteed to be unique. However, due to normalization associated with ed25519 cryptography, not currently used by Bitcoin, it is possible to have multiple two sets of 25 Electrum words that map to the same functional private key.

skaht

Posted 2018-05-01T09:54:04.983

Reputation: 2 588

What do you mean by unsafe private seeds? I have implemented my own method today. Similar to bip39. Split the byte buffer into equal size bit chunks and then use them as indices for words.

i squared - Keep it Real 2018-05-01T19:48:37.090

I have about the same number of combinations of words as in bip39 between level with 24 words and whatever is before 24 (21 words?)

i squared - Keep it Real 2018-05-01T19:51:09.717

The key 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff has very little entropy and can be easily guessed and used by a bot. The Electrum example provided uses 25 words. The 25th Electrum word is always a repeat of the other 24 words and is used for error checking purposes.

skaht 2018-05-01T20:22:06.067

Oh I got it. Thanks. How exactly is it used for error checking? Is it like a checksum?

i squared - Keep it Real 2018-05-01T20:23:58.753

% echo -n 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff | bx mnemonic-new

abandon above dust dust case often baby melt fever creek oven upper mass error grit fetch roof taxi creek roof ten jazz zoo unique

skaht 2018-05-01T20:27:42.200

The BIP 39 example just provided is essentially not invertible. Each 32 bits of hexadecimal numbers maps to three BIP 39 words. I believe but am not sure how the 25th Electrum word provides checksum services.

skaht 2018-05-01T20:32:47.087

See How to generate a valid hash for a bip39 seed phrase? and https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#generating-the-mnemonic for how the last BIP 39 word impacts error checking.

skaht 2018-06-07T03:27:18.593

That's not a valid Electrum seed.

Abdussamad 2018-08-17T07:01:07.950
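Added example, not code from the question, the answer or any tool named in this thread: the BIP-39 "generating the mnemonic" step and its inverse in Python, using 11-bit word indices instead of words because the 2048-word list is not embedded here (function names are this example's own). It shows that a 256-bit key plus 8 checksum bits splits into exactly 24 indices and that the mapping back is exact, so two different keys cannot share a mnemonic; for the demo key the first two indices are 0 and 4, the positions of "abandon" and "above" in the English wordlist.

```python
import hashlib

# Constructed sample input: the low-entropy demo key quoted in the answer above.
DEMO_KEY_HEX = "0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff"


def _checksum(entropy: bytes, cs_bits: int) -> int:
    """First cs_bits bits of SHA-256(entropy), as BIP-39 specifies."""
    return hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)


def entropy_to_indices(entropy: bytes) -> list:
    """Entropy -> 11-bit indices into the 2048-word list (wordlist not embedded)."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    cs_bits = len(entropy) * 8 // 32          # 8 checksum bits for a 256-bit key
    combined = (int.from_bytes(entropy, "big") << cs_bits) | _checksum(entropy, cs_bits)
    n = (len(entropy) * 8 + cs_bits) // 11    # 264 / 11 = 24 words
    return [(combined >> (11 * (n - 1 - i))) & 0x7FF for i in range(n)]


def indices_to_entropy(indices: list) -> bytes:
    """Inverse mapping; raises ValueError if the checksum bits do not match."""
    if len(indices) not in (12, 15, 18, 21, 24):
        raise ValueError("expected 12, 15, 18, 21 or 24 indices")
    combined = 0
    for i in indices:
        if not 0 <= i < 2048:
            raise ValueError("index out of range")
        combined = (combined << 11) | i
    cs_bits = len(indices) * 11 // 33
    ent_bytes = (len(indices) * 11 - cs_bits) // 8
    entropy = (combined >> cs_bits).to_bytes(ent_bytes, "big")
    if combined & ((1 << cs_bits) - 1) != _checksum(entropy, cs_bits):
        raise ValueError("checksum mismatch: not a valid BIP-39 index sequence")
    return entropy


if __name__ == "__main__":
    key = bytes.fromhex(DEMO_KEY_HEX)
    idx = entropy_to_indices(key)
    print(idx[:4])                            # indices of the first four words
    print(indices_to_entropy(idx).hex() == DEMO_KEY_HEX)
    try:
        indices_to_entropy(idx[:-1] + [idx[-1] ^ 1])   # one checksum bit flipped
    except ValueError as err:
        print("rejected:", err)
```

This covers only the entropy-to-words encoding; the separate BIP-39 step from mnemonic to 512-bit seed uses PBKDF2 and is one-way.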