Mastering Bitcoin. A highly recommended read if you want to have a deep dive.
Generating mnemonic words
- Create a random sequence (entropy) of 128 to 256 bits.
- Create a checksum of the random sequence by taking the first (entropy-length/32) bits of its SHA256 hash.
- Add the checksum to the end of the random sequence.
- Divide the sequence into sections of 11 bits.
- Map each 11-bit value to a word from the predefined dictionary of 2048 words.
- The mnemonic code is the sequence of words.
The mnemonic words represent entropy with a length of 128 to 256 bits. The entropy is then used to derive a longer (512-bit) seed through the use of the key-stretching function PBKDF2. The seed produced is then used to build a deterministic wallet and derive its keys.
The key-stretching function takes two parameters: the mnemonic and a salt. The purpose of a salt in a key-stretching function is to make it difficult to build a lookup table enabling a brute-force attack. In the BIP-39 standard, the salt has another purpose: it allows the introduction of a passphrase that serves as an additional security factor protecting the seed, as we will describe in more detail in “Optional passphrase in BIP-39” on page 104.
- The first parameter to the PBKDF2 key-stretching function is the mnemonic produced from step 6.
- The second parameter to the PBKDF2 key-stretching function is a salt. The salt is composed of the string constant “mnemonic” concatenated with an optional user-supplied passphrase string.
- PBKDF2 stretches the mnemonic and salt parameters using 2048 rounds of hashing with the HMAC-SHA512 algorithm, producing a 512-bit value as its final output. That 512-bit value is the seed.
The key-stretching function, with its 2048 rounds of hashing, is a very effective protection against brute-force attacks against the mnemonic or the passphrase. It makes it extremely costly (in computation) to try more than a few thousand passphrase and mnemonic combinations, while the number of possible derived seeds is vast (2^512).
Optional passphrase in BIP-39
The BIP-39 standard allows the use of an optional passphrase in the derivation of the seed. If no passphrase is used, the mnemonic is stretched with a salt consisting of the constant string “mnemonic”, producing a specific 512-bit seed from any given mnemonic. If a passphrase is used, the stretching function produces a different seed from that same mnemonic. In fact, given a single mnemonic, every possible passphrase leads to a different seed. Essentially, there is no “wrong” passphrase. All passphrases are valid and they all lead to different seeds, forming a vast set of possible uninitialized wallets. The set of possible wallets is so large (2^512) that there is no practical possibility of brute-forcing or accidentally guessing one that is in use.
The optional passphrase creates two important features:
- A second factor (something memorized) that makes a mnemonic useless on its own, protecting mnemonic backups from compromise by a thief.
- A form of plausible deniability or “duress wallet,” where a chosen passphrase leads to a wallet with a small amount of funds used to distract an attacker from the “real” wallet that contains the majority of funds.
However, it is important to note that the use of a passphrase also introduces the risk of loss:
- If the wallet owner is incapacitated or dead and no one else knows the passphrase, the seed is useless and all the funds stored in the wallet are lost forever.
- Conversely, if the owner backs up the passphrase in the same place as the seed, it defeats the purpose of a second factor.
While passphrases are very useful, they should only be used in combination with a carefully planned process for backup and recovery, considering the possibility of surviving the owner and allowing his or her family to recover the cryptocurrency estate.
Summary: From what I understand it doesn’t make it any easier or harder to “brute-force” your wallet. The real purpose of the 25th phrase is to protect your 12/24 word seed phrase from those who get access to it.
Edit: To correct myself – whether or not the 25th word (salt) makes it more difficult to brute-force your wallet depends on the technique the hackers use to do it. Practically impossible anyway. But it’s a good idea to add this word if you are sure you can mitigate the risks associated with keeping it safe and accessible by you or your loved ones when needed.
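An added example (not from the book excerpt or the post) that implements the steps quoted above in Python: entropy to checksummed 11-bit word indices, and mnemonic plus optional passphrase to the 512-bit seed via PBKDF2-HMAC-SHA512 with the “mnemonic” salt. The 2048-word list is assumed to be supplied by the caller rather than embedded; the sample input is the all-zero entropy from the BIP-39 reference test vectors, and the NFKD normalization step comes from the BIP-39 spec rather than the excerpt.

```python
import hashlib
import unicodedata


def entropy_to_indices(entropy: bytes) -> list[int]:
    """Steps 1-4 of "Generating mnemonic words": append the first ent_bits/32 bits
    of SHA256(entropy) as a checksum, then split the result into 11-bit indices."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128, 160, 192, 224 or 256 bits")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    digest = hashlib.sha256(entropy).digest()
    bits = "".join(f"{b:08b}" for b in entropy)
    bits += "".join(f"{b:08b}" for b in digest)[:cs_bits]
    # ent_bits + cs_bits is always a multiple of 11 (132, 165, 198, 231, 264)
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]


def indices_to_words(indices: list[int], wordlist: list[str]) -> str:
    """Step 5: map each index to a word. `wordlist` is the 2048-entry BIP-39
    English list, which the caller must load (assumed, not embedded here)."""
    if len(wordlist) != 2048:
        raise ValueError("BIP-39 wordlist must have exactly 2048 entries")
    return " ".join(wordlist[i] for i in indices)


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase, 64-byte output.
    BIP-39 NFKD-normalizes both strings first (a spec detail the excerpt omits)."""
    pw = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", pw, salt, 2048, dklen=64)


# Constructed demo input: the all-zero 128-bit entropy from the BIP-39 reference
# test vectors, whose English mnemonic is "abandon" x 11 followed by "about".
ZERO_ENTROPY = bytes(16)
VECTOR_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])

if __name__ == "__main__":
    print(entropy_to_indices(ZERO_ENTROPY))  # eleven 0s, then 3 (index of "about")
    seed_plain = mnemonic_to_seed(VECTOR_MNEMONIC)
    seed_pass = mnemonic_to_seed(VECTOR_MNEMONIC, "TREZOR")
    print(seed_plain.hex())
    print(seed_pass.hex())
    # Same mnemonic, different passphrase -> unrelated seed ("no wrong passphrase")
    print(seed_plain != seed_pass)
```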