MNEMONIC SEED
A BIP 39 mnemonic seed encodes wallet entropy as a sequence of 12 to 24 ordinary
English words, designed to be human-writable, error-checkable, and backup-friendly.
The mnemonic is stretched via PBKDF2 into a 64-byte seed that becomes the
root of an HD wallet. An optional passphrase (BIP 39 "25th word") creates an entirely
different wallet from the same words.
MNEMONIC_GENERATION
FROM ENTROPY TO WORDS
Step 1: Generate entropy
ENT bits from CSPRNG
ENT ∈ {128, 160, 192, 224, 256}
→ 12, 15, 18, 21, or 24 words
Step 2: Compute checksum
CS = ENT / 32 bits
checksum = first CS bits of SHA256(entropy)
CS ∈ {4, 5, 6, 7, 8}
Step 3: Concatenate
full_bits = entropy || checksum
total = ENT + CS bits (always divisible by 11)
Step 4: Split into 11-bit groups
Each 11-bit value = index 0…2047
Step 5: Map to wordlist
Use BIP 39 English wordlist (2048 words)
Output: space-separated words
Standard sizes:
128 + 4 = 132 bits = 12 words
160 + 5 = 165 bits = 15 words
192 + 6 = 198 bits = 18 words
224 + 7 = 231 bits = 21 words
256 + 8 = 264 bits = 24 words
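Steps 1 to 4 as runnable Python, added here as an illustration and not taken from the original page. It stops at wordlist indices because the 2048-word list is not embedded; the function names are this example's own, and VECTOR_ENTROPY is the entropy of the published BIP 39 test vector that encodes to the example mnemonic shown further down this page.

```python
import hashlib
import secrets

VALID_ENT = (128, 160, 192, 224, 256)
# Entropy of the published BIP 39 test vector that encodes to the page's
# example mnemonic ("legal winner thank year ... yellow").
VECTOR_ENTROPY = bytes.fromhex("7f" * 16)


def entropy_to_indices(entropy: bytes) -> list[int]:
    """Steps 2-4: append the checksum, then split into 11-bit indices."""
    ent = len(entropy) * 8
    if ent not in VALID_ENT:
        raise ValueError(f"ENT must be one of {VALID_ENT}, got {ent}")
    cs = ent // 32
    # First CS bits of SHA256(entropy); CS <= 8, so one digest byte suffices.
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    full = (int.from_bytes(entropy, "big") << cs) | checksum
    words = (ent + cs) // 11
    return [(full >> (11 * (words - 1 - i))) & 0x7FF for i in range(words)]


def indices_are_valid(indices: list[int]) -> bool:
    """Reverse the encoding and recompute the checksum."""
    total = len(indices) * 11
    cs = total // 33              # 12 words -> 4 bits ... 24 words -> 8 bits
    ent = total - cs
    if ent not in VALID_ENT or any(not 0 <= i < 2048 for i in indices):
        return False
    full = 0
    for i in indices:
        full = (full << 11) | i
    entropy = (full >> cs).to_bytes(ent // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    return (full & ((1 << cs) - 1)) == expected


def generate_indices(ent_bits: int = 256) -> list[int]:
    """Step 1: draw ENT bits from the OS CSPRNG, then encode."""
    return entropy_to_indices(secrets.token_bytes(ent_bits // 8))


if __name__ == "__main__":
    idx = entropy_to_indices(VECTOR_ENTROPY)
    print(idx)                                           # 12 indices
    print(indices_are_valid(idx))                        # checksum matches
    print(indices_are_valid(idx[:-1] + [idx[-1] ^ 1]))   # last word altered
```

Flipping a checksum bit in the last index is always rejected; a random substitution elsewhere in a 12-word phrase still passes the 4-bit checksum about 1 time in 16.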
Mnemonic to Seed (PBKDF2)
KEY STRETCHING
The mnemonic is run through PBKDF2 with 2048 iterations of HMAC-SHA512 to produce a 64-byte seed. The optional passphrase is appended to the salt.
seed = PBKDF2-HMAC-SHA512(
password = mnemonic_string, (UTF-8 NFKD)
salt = "mnemonic" + passphrase, (UTF-8 NFKD)
iterations = 2048,
length = 64 bytes
)
If no passphrase: salt = "mnemonic"
With passphrase: salt = "mnemonic" + user_passphrase
The 64-byte seed feeds BIP 32 master key generation:
I = HMAC-SHA512(key="Bitcoin seed", data=seed)
master_priv = I[0:32]
master_chain = I[32:64]
Properties:
Same mnemonic + same passphrase → same seed (deterministic)
Same mnemonic + different passphrase → completely different wallet
Empty passphrase = no passphrase (both give salt = "mnemonic")
BIP 39 Wordlist Properties
DESIGN
The 2048-word English list is carefully designed to maximize backup integrity and minimize ambiguity.
Wordlist size: 2048 (= 2¹¹)
Each word encodes exactly 11 bits
Word selection rules:
- 4–8 letters per word
- Unique by first 4 letters (only first 4 needed to identify)
- No similar words (e.g. "build" + "built" excluded)
- No simple/short alternatives confusable with non-English
Why first-4-letter uniqueness matters:
Hardware wallets can use 4-char input mode
Typo-resistance: "abandon" vs "abate" — both fine
Misspellings often still recoverable
Other languages: French, Spanish, Italian, Portuguese,
Czech, Japanese, Korean, simplified/traditional Chinese.
Example mnemonic (12 words):
legal winner thank year wave sausage worth useful
legal winner thank yellow
Passphrase — BIP 39 25th Word
PLAUSIBLE DENIABILITY
The optional passphrase creates a fully separate wallet from the same words. There is no way to verify whether a passphrase is "correct" — every passphrase produces a valid wallet.
12 words alone: wallet A
12 words + "Cat": wallet B
12 words + "cat": wallet C (different! case-sensitive)
12 words + " ": wallet D (whitespace matters)
Plausible deniability:
Coercion victim reveals 12 words → "decoy" wallet
Real funds at 12 words + secret passphrase
No way to prove a passphrase exists at all
Risks:
Forgotten passphrase = permanent loss
No checksum on passphrase → typos silently change wallets
Always test passphrase recovery before depositing funds
Implementation note:
Some wallets use proprietary encoding (e.g. Trezor, Ledger)
but BIP 39 standard appends to PBKDF2 salt.
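The seed derivation from the key-stretching section and the passphrase behaviour described above, as an added Python example that is not part of the original page. Function names are this example's own; the mnemonic is the page's example phrase, and the "café" passphrase is a constructed input showing why NFKD normalization is applied.

```python
import hashlib
import hmac
import unicodedata

# Example mnemonic from this page.
EXAMPLE_MNEMONIC = ("legal winner thank year wave sausage worth useful "
                    "legal winner thank yellow")
# Order of the secp256k1 group; BIP 32 rejects a master key of 0 or >= N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def nfkd(text: str) -> bytes:
    """UTF-8 encode after NFKD normalization, as BIP 39 requires."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """PBKDF2-HMAC-SHA512, 2048 iterations, 64-byte output."""
    return hashlib.pbkdf2_hmac("sha512", nfkd(mnemonic),
                               nfkd("mnemonic" + passphrase), 2048, dklen=64)


def master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP 32 root: (master private key, master chain code)."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    priv, chain = i[:32], i[32:]
    if not 0 < int.from_bytes(priv, "big") < SECP256K1_N:
        raise ValueError("invalid master key; generate a new seed")
    return priv, chain


def distinct_wallets(mnemonic: str, passphrases: list[str]) -> int:
    """Count how many different master keys the passphrases lead to."""
    return len({master_key(mnemonic_to_seed(mnemonic, p)) for p in passphrases})


if __name__ == "__main__":
    # No checksum covers the passphrase: every variant is a valid wallet.
    for p in ["", "Cat", "cat", " "]:
        print(repr(p), mnemonic_to_seed(EXAMPLE_MNEMONIC, p).hex()[:16])
    # Precomposed and decomposed "é" normalize to the same bytes.
    print(mnemonic_to_seed(EXAMPLE_MNEMONIC, "caf\u00e9")
          == mnemonic_to_seed(EXAMPLE_MNEMONIC, "cafe\u0301"))
```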
TERMINOLOGY_INDEX
BIP 39
Specification for mnemonic codes for generating deterministic keys. Defines wordlist and PBKDF2 derivation.
Checksum
First 4–8 bits of SHA256(entropy) appended to entropy. Detects most single-word transcription errors.
PBKDF2
Password-Based Key Derivation Function 2. 2048 iterations of HMAC-SHA512. Outputs 64-byte seed.
Passphrase
Optional user-chosen string appended to PBKDF2 salt. Creates a different wallet for the same 12 words.
INTERACTIVE — TRY IT YOURSELF
Mnemonic Seed
BIP39 turns raw entropy bytes into a sequence of 12–24 English words that a human can write down. The words aren't magic — they're a human-friendly encoding of entropy bits. From those words, PBKDF2-HMAC-SHA512 (2048 rounds) stretches them into a 512-bit seed, from which an entire HD wallet hierarchy is deterministically derived.
STEP 1 — ENTROPY GENERATION
Everything begins with cryptographically secure random bytes. BIP39 supports 128, 160, 192, 224, or 256 bits of entropy, producing 12 to 24 words respectively. The entropy must come from a CSPRNG — never Math.random().
128 bits → 12 words
160 bits → 15 words
192 bits → 18 words
224 bits → 21 words
256 bits → 24 words
STEP 2 — CHECKSUM
A checksum of ENT/32 bits is appended to the entropy. For 128-bit entropy that's 4 bits; for 256-bit entropy it's 8 bits. The checksum is the first ENT/32 bits of SHA-256(entropy). This is why you can't freely change one word in a mnemonic — the last word encodes both data bits and the checksum.
STEP 3 — BIT GROUPS → WORD INDICES
The combined bit string is split into 11-bit groups. Each 11-bit value (0–2047) is used as an index into the BIP39 wordlist of 2048 words. For 128-bit entropy: 128 + 4 = 132 bits ÷ 11 = 12 words exactly.
STEP 4 — MNEMONIC → SEED (PBKDF2)
The mnemonic phrase is fed into PBKDF2-HMAC-SHA512 as the password, with the salt "mnemonic" + passphrase and 2048 rounds. The output is 512 bits: the BIP39 seed. The key-stretching makes brute-forcing expensive even with weak passphrases.
STEP 5 — SEED → MASTER KEY (BIP32)
The 512-bit seed is fed into HMAC-SHA512 with the key "Bitcoin seed". The 64-byte output splits in half: the left 32 bytes become the master private key, the right 32 bytes become the master chain code. These two values are the root of the entire HD wallet tree.
FULL PIPELINE SUMMARY
ENTROPY → WORDS → SEED → MASTER KEY
Never enter real mnemonic words into any website. This demo runs entirely in your browser with no network requests, but any website asking for your seed phrase is attempting to steal your funds. The mnemonic words generated here are for educational purposes — they use real cryptography but are displayed publicly.
Passphrase ≠ password. The BIP39 passphrase is part of the seed derivation — a different passphrase produces a completely different wallet with completely different addresses. There is no "wrong" passphrase; an attacker who finds your mnemonic still can't access funds without the passphrase. But if you forget it, your funds are permanently gone.