
My understanding is that the 12-word seed is used to recover wallets' private keys. However, if each private key is 256-bits long, and the dictionary for the seed only contains 2048 words, then that's not nearly enough to cover them all: 2048^12 = 2^132 << 2^256.

Where is my misunderstanding?

Xophmeister

2 Answers


2048^12 = 2^132 << 2^256

It doesn't need to be able to describe every private key. You always start with the mnemonic, never calculating a mnemonic from a private key.

weston
  • But at some point (agreeably, a long time in the future; possibly after the heat death of the universe), the mnemonics will be exhausted but the private keys won't. Also, what stops clashes with private keys generated without the mnemonic? – Xophmeister Sep 08 '17 at 16:42
  • Firstly 2^132 is a huge number. Roughly equal to the number of atoms in the universe. And that also answers your second question, where pure chance basically is the answer. – weston Sep 08 '17 at 16:45
  • Actually, maybe not atoms in the universe, google failure there, but extremely huge. – weston Sep 08 '17 at 16:46
  • I invite you to experiment with https://iancoleman.github.io/bip39/ a great resource for seeing how it works. – weston Sep 08 '17 at 16:48
  • Also take a look at this https://bitcoin.stackexchange.com/questions/8804/is-each-bitcoin-address-unique which should answer your question on why there won't be clashes better than I can. – weston Sep 08 '17 at 16:50
  • So it's a "drop in the ocean" argument...actually, I just calculated that (average drop is ~50ml, volume of water on Earth is ~1.4Tm^3) and even that's a vast under-representation (by 15 orders of magnitude), so maybe that's a good way of visualising it. I don't know why I didn't see this before; it's pretty obvious when put like that! Thanks :) – Xophmeister Sep 08 '17 at 16:56
  • np, and what makes it even more amazing is that each mnemonic doesn't generate a single private key, but can generate infinite private keys on infinite derivation paths, and none of that matters; you still won't increase the chances of getting a clash – weston Sep 08 '17 at 16:57
  • 50ml is a big drop, that's 1/6-1/7th of a drink can! – weston Sep 08 '17 at 17:00
  • Typo; I meant μl! – Xophmeister Sep 08 '17 at 17:01

The seed is actually a 512-bit number, but you can generate one from a 128- to 256-bit number. This 128- to 256-bit number can be represented by a BIP39 mnemonic of 12-24 words. Just as you can hash any integer (even just the number 1) and get a 256-bit number, so too can you generate a 512-bit number from a 128-bit number.

The 512-bit seed provides a starting point for your HD addresses, and you can generate all the addresses you will need from this one seed.

John C.
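As an added example (not code from the question or either answer), here is the BIP39 pipeline John C. describes in Python: entropy, SHA-256 checksum bits, 11-bit word indices, and the PBKDF2 step that stretches the mnemonic into the 512-bit seed. The official 2048-word list is not embedded, so the demo works on indices and uses the all-zero test entropy, whose words are eleven times index 0 ('abandon') followed by index 3 ('about'); it also shows that 4 of the 132 bits in 12 words are checksum, so only 2^128 of the 2048^12 word sequences are valid mnemonics.

```python
import hashlib
import unicodedata

# BIP39 layout: ENT bits of entropy, CS = ENT/32 checksum bits, then 11 bits per word.
# Note: the real 2048-word list is not embedded here; word indices are used instead.

def entropy_to_indices(entropy: bytes) -> list[int]:
    """Append the SHA-256 checksum bits to the entropy and cut into 11-bit indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    digest = hashlib.sha256(entropy).digest()
    bits = "".join(f"{b:08b}" for b in entropy)
    bits += "".join(f"{b:08b}" for b in digest)[: ent_bits // 32]
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]

def indices_valid(indices: list[int]) -> bool:
    """True only when the trailing CS bits match SHA-256 of the leading ENT bits."""
    bits = "".join(f"{i:011b}" for i in indices)
    ent_bits = len(bits) * 32 // 33
    if ent_bits % 8 or not all(0 <= i < 2048 for i in indices):
        return False
    entropy = int(bits[:ent_bits], 2).to_bytes(ent_bits // 8, "big")
    return entropy_to_indices(entropy) == indices

def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic'+passphrase -> 64-byte (512-bit) seed."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, 64)

def valid_mnemonic_count(n_words: int) -> int:
    """Only 2**ENT of the 2048**n_words word sequences pass the checksum."""
    return 2 ** (n_words * 11 * 32 // 33)

if __name__ == "__main__":
    # Constructed demo input: the all-zero 128-bit entropy from the BIP39 test vectors.
    indices = entropy_to_indices(bytes(16))
    print(indices)                      # eleven 0s then 3: 'abandon' x 11, 'about'
    print(indices_valid([0] * 12))      # False: checksum mismatch, not a valid mnemonic
    # English list words for indices 0 and 3 are 'abandon' and 'about'.
    mnemonic = " ".join(["abandon"] * 11 + ["about"])
    print(mnemonic_to_seed(mnemonic, "TREZOR").hex())
    print(2048 ** 12 // valid_mnemonic_count(12))   # 16: the 4 checksum bits
```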