Recently I’ve become obsessed with the security of the seed that protects my bitcoin. Listening to people like Arkad or Michael Flaxman I’ve realized that we trust the seeds that software and hardware wallets provide us, but what if they are ‘rigged’, following a specific series, and they will empty our funds in the future? Or what if their entropy or randomness generator simply doesn’t work as it should and generates a poor and insecure seed?

This last month, I’ve been constantly visiting the ‘seed generation’ rabbit hole and I have learned a lot: I have created my first program, I have opened my first issue on GitHub and **I have achieved a 100% sovereign, safe and offline method for seed generation**.

In this article I’m going to explain this little adventure to you and how you can do the same with a sheet of paper, a coin, a pen and – for the moment – a SpecterDIY.

If you want to skip the theory and go straight to starting your own seed by hand, I recommend you continue at the ‘Coin Seed’ chapter.

*NOTE: This is my first long bitcoin article translated to English (originally written in Spanish). If you see any typos or mistakes, please reach out to me.*

Table of Contents

- 1 Introduction to entropy
- 2 What do you need to generate your seed with good entropy?
- 3 Searching for the last word
  - 3.1 Hashing by hand is not that easy
  - 3.2 Behind the scenes from the SpecterDIY possibility
  - 3.3 The most recommended method: SpecterDIY
  - 3.4 Offline computer methods: Important information
  - 3.5 Offline computer methods: Seedpicker
  - 3.6 Offline computer methods: Ian Coleman
  - 3.7 Offline computer methods: Semilla-Moneda by me myself
- 4 Conclusion

## Introduction to entropy

«In information theory, the entropy of a random variable is the average level of “information”, “surprise”, or “uncertainty” inherent in the variable’s possible outcomes.» (Wikipedia)

A good entropy is a good disorder. A bad entropy is a bad disorder. Something that is truly random is likely to follow a good disorder and vice versa.

Although in many of the things we do we seek order as our ultimate goal, disorder is also very useful. In the case at hand – Bitcoin – disorder, entropy or random numbers are very important for the most initial (and critical) moment of our adventure with Satoshi’s invention.

A **Bitcoin address** is nothing more than the simplification of a **public key**. This, in turn, is the result of operating a **private key** on an elliptic curve. And above the private key there’s nothing left. How secure your private key is will determine how secure your bitcoin is.

The private key, that strange phrase or set of 24 words that we have to protect, is really nothing more than a number chosen at random from 1 to 2²⁵⁶ (value developed below in bold). This number is usually selected by your software or hardware wallet.

Random selection is synonymous with good entropy and it is very important that the private key that secures your bitcoins has been chosen with good entropy. A really random private key will be a good private key. A private key chosen following a certain pattern will be a poor private key and the security of your bitcoin will be compromised.

Most of the private keys we use are generated by software or hardware wallets.

Should we be reassured that these are the ones who calculate our private key with good entropy?

Should we trust these devices to calculate our private key with good entropy?

### Why not trust anything: PRNG & TRNG

In software and hardware, having a source of random numbers is a necessity and therefore work has been done to achieve reliable sources of entropy. I am not an expert on the subject but I would like to highlight two terms that I have found during my research: **PRNG** (Pseudo Random Number Generator) and **TRNG** or HRNG (True/Hardware Random Number Generator).

- A **PRNG** is «*an algorithm that produces a sequence of numbers that* **is a very good approximation to a random** *set of numbers*» (source Wikipedia).
- A **TRNG** is «*a device that generates random numbers from a physical process, rather than by means of an algorithm. Such devices are often based on microscopic phenomena that generate low-level, statistically random “noise” signals … and other quantum phenomena.*» (source Wikipedia)

About the first one, the **PRNG**, I emphasize the part of the definition that says ‘*it is a very good approximation*’, from which I intuit that it will not really enjoy good entropy.

An article on entropy recommended by Sergi Delgado (and which I also recommend 100%) talks about PRNG and says the following:

«… the “pseudo” in pseudorandom number generator (PRNG) is really a synonym for “not at all”. Granted, if you come in the middle of a good PRNG sequence, guessing the next number is nearly impossible. But if you know, or can guess, the seed that started the PRNG off, you know all past and future values nearly instantly; it’s a purely deterministic mathematical function.»

So, should we trust a PRNG as a source of randomness for our private key?

*Nah*

**TRNGs** are something else. Here we do find better entropy, but as in everything, there are degrees, and if you wanted to find another reason to use a hardware wallet instead of a software wallet, this can be a good one. HWWs are minimalist physical devices designed for the sole purpose of storing bitcoin and therefore with a good TRNG inside (in theory).

A good hardware wallet not only has to be safe from physical and online attacks but also has to provide a good source of entropy. But what if, as Michael Flaxman explains in his latest pod with Stephan Livera, the manufacturer of your hardware wallet is malicious and has installed a rigged TRNG in order to know what seeds its customers are generating and drain their funds in the future?

Should we trust them?

**No**

But then, without the entropy of software or hardware wallets, how do we do it?

- By hand!

# Coin Seed

## What do you need to generate your seed with good entropy?

In this article, we will follow the principle *Don’t trust, verify*, and I will teach you how to generate your own 12, 15, 18, 21 or 24-word seed without anyone’s help and without needing any prior technical knowledge. To achieve this, you will need:

- a coin (any coin that you can play heads or tails with)
- a printed page with the Coin Seed PDF, although a blank page would also work (it’s in Spanish but it explains itself)
- a pen
- the printed word list of BIP39 (or as prepared by seedpicker on 4 sheets)
- this article, printed or saved offline to your computer
- a SpecterDIY or an offline computer (I only recommend the Specter or a 100% offline computer)
- *Optional*: a calculator (no mobile, no PC, no online connected device; a Casio, Texas Instruments or similar)

### The Coin-Seed method

A seed is the representation in human readable language of that large number which is your private key. Normally your private key is encoded in 12 or 24 English words.

The entropy of a Bitcoin seed that follows BIP39 must be between 128 and 256 bits long and a multiple of 32. This leaves us with the possibility of working with entropies of 128, 160, 192, 224 and 256 bits, which will result in 12, 15, 18, 21 or 24 seed words.

But what does ‘xxx-bit entropy’ mean?

To represent entropy in bitcoin we use the native language of computers: bits or binary numbers. When we say that a seed has an entropy of 128 bits, we are saying that to start generating it we need a string of 128 ones and zeros (a binary number looks like this: 1010101111000110).

So, let’s get started!

### Generating your own entropy with a coin

To continue, you can print the Coin-Seed pattern I have prepared, or you can copy its structure by hand on your sheet of paper.

To start generating our seed of good entropy, we are going to **take a coin** and associate a value 0 to one side and a value 1 to the other. I, for example, have used a Spanish 50ct coin and associated the number 1 to the face with the 50ct numeral, and the value 0 to the face with the Cervantes on it.

Now, let’s flip the coin as many times as the bits of entropy we want for our seed. For this example, I wanted to achieve a seed with 256 bits of entropy, so I have flipped the coin 256 times.

Before you begin, please bear in mind the following considerations:

- This process has to be 100% manual so we don’t want any technology around us.
- In this pic above, you can see how my first attempt was, without pattern and 100% random. In the example filled in the printed PDF I didn’t really do the process and I made up the numbers as an example. You can see that entropy is not good. Do NOT do it like that.
- If you are going to have your cell phone close, **cover the cameras**. You never know what may be watching you, and if you don’t cover them, when you least expect it your subconscious will make you take your cellphone and pass it in front of your precious words, and by doing that, you are exposed.
- As you flip the coin and write down the results, it is normal to fall into a trance and say **the results out loud. Do not do this**. People (family, partner or neighbors) can hear you, and so can Alexa, Google and other devices.
- As you flip the coin, the trance you enter will make you flip perfectly. This can lead to similar results. **Make changes**. Move around, drop the coin on the table, floor, etc., throw it more or less hard, or change hands. **We want good entropy!**
- While you are flipping you can do 3 or 4 throws in a row and then stop to write them down. That way you are not stopping after each throw.

With this in mind, make yourself comfortable, put on some good music and flip a coin!

To find the values in this example I sat down on a carpet. This way, if the coin fell on the floor, it didn’t make much of a fuss. The whole 256-bit process took me 17 minutes.

I started by filling in the first results in row 1 (fila 1), box A, then B and so on up to K. Then I continued by filling row 2, and so on until reaching the third bit in row 24, which is where you get to 256 bits.

If you have filled in 256 bits as I have, you will see that in the last word, the 24th row, you have 8 bits left to fill in. It’s not a mistake. Later on I will tell you how we find those missing bits.

If you have filled in 128, 160, 192 or 224 bits, you will see that in the pdf guideline those values are marked in light grey.

When you have filled in the desired bits with good entropy, you can choose your path 🔀

- **A.** Continue reading ‘*Decimal conversion*’ to manually calculate the words and end up using the method I recommend most (**SpecterDIY**)
- **B.** Or jump directly into the *Ian Coleman* or the *Semilla-Moneda* system.

### Decimal conversion

**A.** Now let’s convert the 11 binary digits in each row to decimal. This process can be done 100% manually or using a traditional calculator (Casio, Texas Instruments, etc.).

Next, I will work through the manual calculation; if you already know how to convert from binary to decimal, you can jump to ‘Decimal conversion considerations’.

Converting a binary number to decimal is very simple. You only need to know that binary is positional and that each position is equivalent to one decimal value.

The value of the rightmost binary digit (of bit 1) will be equivalent to 2^0 (1) multiplied by the binary value it has (1 or 0). The next to 2^1 * 1 or 0. The next to 2^2 * 1 or 0 , etc.

In the case of the 11-digit binary 11111111111

- 1*2^0=1
- 1*2^1=2
- 1*2^2=4
- etc

When we have all the decimal results, we add them up and we get the decimal value of an 11-bit figure. In the case of this example, we see the maximum value of an 11-bit binary = **2047** in decimal. This means that an 11-bit binary can have **2048** values: **from 0 to 2047**.

If you notice, the word list I asked you to print – the one from BIP39 – is exactly 2048 words long. Each one of our 11-bit rows will be equivalent to one word in the BIP39 list. All except the last row of the entropy you have selected (in this example, row 24), but we will talk about it below.

Let’s take another example of an 11-bit value: 10000110111

The sum of the conversion, bit by bit, from binary to decimal, results in **1079**.

To find which word in the BIP39 list it is equivalent to, we have to check at which number the list starts:

- if the list starts with **‘abandon’ being 0**, the word we are looking for will be 1079
- if the list starts with **‘abandon’ being 1**, the word we are looking for will be 1079+1 = 1080
- The word in question is 👉 ‘manage’.

Now you know how to translate the results of flipping a coin into the BIP39 words. On the sheet I have designed, cross out the grey numbers under **each bit box containing a 0**. Don’t do anything where there is a 1.

In the corresponding calculation line, write down the values that have not been crossed out. While you write them down, you can add them up in pairs using the quick calculation ‘cheatsheet’.

Add the values and write down the result in the ‘**Suma**‘ box. If your list of words has the word ‘abandon’ in position 1 (and not 0) add one unit to the results and write it down in the ‘**+1?**‘ box.

Having this clear, you can take your BIP39 list of words (or the one from seedpicker) and start looking for the matching words to your hand-calculated entropy 🔝.

In my example, and without still being able to know the 24th word, the following seed has come out:

«title citizen snow place inner zoo exact element churn isolate tissue tonight prepare present admit sign since next siege certain reflect record XXXX»

Contrasting these hand-calculated decimal results against the entropy (also calculated by hand) I realized that I had made 2 mistakes:

- In the 14th row I had stopped adding the +1 of the bit 1
- In row 22 I had stopped crossing out the ’00 of bit 3

Although I could continue with the process of ‘Searching for the last seed’s word’ with these ‘wrong’ words, I have decided to correct the mistake and use *pretty* and *rebuild*.

With this, the seed ends up being:

«title citizen snow place inner zoo exact element churn isolate tissue tonight prepare pretty admit sign since next siege certain reflect rebuild XXXX»

### Decimal conversion considerations

- 🚫 It has to be a totally offline process so, in a 100% paranoid way, we are not going to use any computer (although with the Windows 10 calculator we could quickly convert these values in programmer mode)
- If you have a 100% offline computer that never connects to the internet, you could use it.
- If you know how TailsOS works and you trust your device, you could start in airplane mode and calculate it there too.
- 🚫 Don’t use the calculator on your cell phone, it’s connected to the internet!
- There are Casio calculators (or similar), with which you can calculate binary values more quickly

## Searching for the last word

If you have tossed the coin 256 times, you will see that for the 24th word you only have 3 binary digits. That’s right, that’s correct. If you filled in the whole row 24 you would actually have 264 bits (11 bits * 24 words) (incorrect value).

Okay, but with only 3 bits, the word 24 is incomplete! Where do we get the missing 8 bits?

To get the missing 8 bits we need to make a **hash** of the 256 bits of entropy that we have found with our coin.

A **hash** is a **deterministic**, **unidirectional** and **unpredictable function** (a function that always gives the same result, although you can’t foresee it or go backwards to know its origin).

The result of **hashing our entropy with the sha256 function** will be a different 256-bit string. **The first 8 bits of this new string are the 8 bits** that we are missing **to complete the word 24**.

If we had used 128 bits of entropy we would be missing 4 bits, and they would also be the first 4 bits of the hash: sha256(128-bit entropy).

What we have just done is a **checksum**. A checksum «*is a redundancy function whose main purpose is to detect accidental changes in a sequence of data to protect the integrity of these, verifying that there are no discrepancies between the values obtained when making an initial check and a final check after transmission.*» (source Wikipedia)

In other words, this checksum serves to ensure that we introduce our seed correctly. The wallet that receives our seed will verify that the last word is the result of hashing its entropy. If it does not match, it will throw an error and will tell us that the seed is not correct.

So let’s get down to business and do the entropy!

### Hashing by hand is not that easy

Converting from binary to decimal is easy as we have seen. According to Sergi Delgado, even doing elliptic curve operations by hand is possible because as he says ‘they are easy math’ (😅), but **hashing by hand is practically impossible**, so here, we do need our beloved hardware devices.

To continue we have 2 options:

- Do it safely on an offline hardware wallet
- Do it safely on a computer that is **always** offline

As of 20/10/20, the only safe way to complete your seed, without the need of a computer always offline, is to do it with SpecterDIY. And until yesterday this was not even possible!

### Behind the scenes from the SpecterDIY possibility

When I started to think about making my own seed by hand with good entropy I did not see a solution that I liked 100%. You always ended up using a computer and they have many attack vectors. Rarely would someone be able to use a computer that is always offline, and I could only think of doing the whole process in a Live session of Ubuntu or TailsOS from a USB. I even dared to program my first script in Python and with the help of Sergi Delgado I made my first project on GitHub. But I had the same problem of running it on a computer connected to the internet at some point.

But an idea came to my mind. What if one of the new hardware wallets that are 100% offline implemented the checksum calculation? And I said, why not? I got inspired and wrote an Issue in SpecterDIY’s github where I discussed the idea with Stepan.

Yesterday 19/10/20 Stepan released v1.4.0-pre1 including the Mnemonic fix feature!

Watching the twitter reception of the news of the implementation in SpecterDIY, I see that I was not the only one waiting for this functionality.

Other hardware wallet producers have already said that they will implement this functionality soon and I think it is something we all demand. A hardware wallet should be a tool of sovereignty.

If you ever imagine something you would like to see on a Hardware, Software or whatever, do not hesitate and encourage yourself to write to them by whatever means.

### The most recommended method: SpecterDIY

If you’ve done like me, you’ve just calculated the first 23 words of your 256-bit seed. This method that I am going to explain to you now also works for 128 and 192 bits of entropy.

To continue you will need a SpecterDIY with firmware version v1.4.0 or higher. If you want more info about how to assemble your Specter click here and look for the shopping list.

We initialize the SpecterDIY and enter our PIN. Once inside we click **Enter recovery phrase**.

Once in we will see the 24 empty spots and the keyboard ready for us to fill our words in. We do it and we type the 23 words that we have calculated by hand with good entropy.

When we get to the word 24 you will have to invent one and then, something magical will happen. Next to your invented word, a ‘fix’ button will appear. If we press it, **Specter DIY will fix this last invented word and give us a valid one for our checksum**. It will also offer you the possibility to ‘fix’ your checksum on word 12 and word 18.

This is what has happened when I have done it with the seed that I am calculating by hand.

Et voilà! Your 24th word is **‘awake’**!

At this point you can click ✔ *Done* and save the seed in SpecterDIY. Then, write down word 24 in the Coin-Seed pattern and store your seed of good entropy safely.

- With the latest version of SpecterDIY you can also save the seed in a microSD, encrypted with the device ID.
- It’s probably a good time to store it in metal with blockmit.

### Offline computer methods: Important information

IMPORTANT

- We need a secure or always offline computer. If your computer is compromised and has any malware, bear in mind that this whole process will be useless and your seed, that you have worked so hard to create, will be exposed.
- It is recommended to do this process in a live session of Ubuntu or TailsOs (from a USBStick).
- It is also recommended to cover all the cameras of your pc and cell phone while you do this process.
- If your computer is not always offline, I would recommend not using this system

### Offline computer methods: Seedpicker

This system only works if you have calculated an entropy of 256bits and you have calculated the first 23 words by hand. If you have chosen another entropy (128, 160, 192 or 224) use one of the following two methods.

On a computer with internet we will navigate to seedpicker.net

Once inside the web, we will do right click in some blank space and click ‘save as’ to download and have it offline. We will also do the same with https://iancoleman.io/bip39/ to verify that we have done things right.

We will copy the .html from these websites to a USB or SD card and pass it to the offline computer that will do the calculation.

Once in the offline PC, double click on the .html file from the seedpicker website that we have downloaded and enter our 23 hand-calculated words with spaces between them and hit *Calculate*!

Then, seedpicker will internally calculate the hash and checksum and give us the 24th word of our seed.

Et voilà! You already have the piece you were missing. The word 24 is ‘**awake**’.

To verify that it really is a correct seed, open Ian Coleman’s html now and enter your complete seed in the BIP39 seed box.

If all is well, it will do various calculations below. If something is wrong, it will show you the orange ‘Invalid Mnemonic’ sign.

If everything is correct, write down the 24th word on the ‘Coin Seed’ sheet and restart the computer to remove all traces. Now you can use your brand new seed and type it in your wallet. Even if you have calculated your seed with such an effort, don’t type it in a software wallet inside an online pc!

If you’re sure your computer isn’t compromised and you’ve done the whole process without exposing your seed to a camera or the Internet, you’ve just created your own seed by hand with very good entropy and you’ve probably learned Bitcoin along the way.

Congratulations!

### Offline computer methods: Ian Coleman

This system works for any valid entropy (128, 160, 192, 224 or 256) and without the need to do the calculation by hand to find the BIP39 words from the binary. For this method you only need to flip the coin and know your binary sequence of good entropy.

On a computer with internet access we are going to navigate to https://iancoleman.io/bip39/

Once inside the web, we will do right click in some blank space and click ‘save as’ to download and have it offline.

We will copy the .html from these websites to a USB or SD card and pass it to the offline computer that will do the calculation.

Once on the PC offline, double click on the .html file from Ian Coleman’s website that we have downloaded and click on ⬜ **Show entropy details**

An ‘Entropy’ drop-down menu will open and here we will enter one by one the binary values of our entropy. If you have used the ‘Coin Seed’ pattern, you have to fill it in row by row, from left to right.

Important: Check the box ⚪**Binary [0-1]** in the right column (unchecked in the image)

Once the entropy is introduced, Ian Coleman’s website will calculate all the words in our seed, checksum included. In my case entropy has been:

1110001011100101001010110011011001010010111001110100011111111111110100111001001000111101001010001100111011010011100010110111001001001010100111110101010001000000111011100100001011001001001100101010101100100000000100101101101101000011011001101001100111111001

And the result:

*NOTE:*

*If you have also read the previous method with seedpicker, you will realise something is different. Ian Coleman’s tool says the 24th word is ‘city’, while seedpicker calculated ‘awake’. And both are right. Both are valid seeds. But how? It is all because of the last 3 bits of the 256-bit entropy.*

*Remember you calculated a few bits of the 24th word with the coin?*

*Well, given the same first 23 words, there are 2³ (8) valid seeds. In seedpicker you only enter 23 words and therefore 256-3 bits (253 bits). Seedpicker calculates the checksum with the last 3 bits = ‘000’. Ian Coleman’s tool calculates the seed with all the entropy, and that’s why the difference exists. If you modify my entropy and change the last 1 to 0, Ian Coleman’s tool will give you the same result as seedpicker.*
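The checksum step from ‘Searching for the last word’ and the seedpicker / Ian Coleman difference described in this note, as an added Python example (it is not the author’s semilla-moneda script, and the function names are this example’s own). It assumes you look the results up in your printed BIP39 list, so it returns 0-based word numbers instead of embedding the word list, and it goes beyond the 256-bit case by accepting all five entropy sizes.

```python
import hashlib

VALID_ENT = (128, 160, 192, 224, 256)  # entropy sizes BIP39 allows

# The 256 coin flips published in this article, read row by row.
ARTICLE_ENTROPY = (
    "1110001011100101001010" "1100110110010100101110" "0111010001111111111111"
    "0100111001001000111101" "0010100011001110110100" "1110001011011100100100"
    "1010100111110101010001" "0000001110111001000010" "1100100100110010101010"
    "1100100000000100101101" "1011010000110110011010" "01100111111001"
)


def checksum_bits(entropy_bits):
    """First ENT/32 bits of SHA-256(entropy), as a string of 0s and 1s."""
    ent = len(entropy_bits)
    if ent not in VALID_ENT or set(entropy_bits) - {"0", "1"}:
        raise ValueError("need 128/160/192/224/256 characters, each 0 or 1")
    raw = int(entropy_bits, 2).to_bytes(ent // 8, "big")
    digest = int.from_bytes(hashlib.sha256(raw).digest(), "big")
    return format(digest, "0256b")[: ent // 32]


def word_indices(entropy_bits):
    """Entropy + checksum cut into 11-bit rows, each converted to decimal.

    Numbers are 0-based ('abandon' = 0); add 1 if your printed list starts at 1.
    """
    full = entropy_bits + checksum_bits(entropy_bits)
    return [int(full[i:i + 11], 2) for i in range(0, len(full), 11)]


def last_word_candidates(complete_rows_bits):
    """Every valid last-word number when only the complete rows are known.

    23 hand-calculated words are 253 bits; the 3 remaining entropy bits can
    take 2**3 values, and each value produces its own checksum.
    """
    for ent in VALID_ENT:
        missing = 11 - ent // 32  # entropy bits that fall in the last row
        if len(complete_rows_bits) == ent - missing:
            break
    else:
        raise ValueError("expected the bits of 11, 14, 17, 20 or 23 full rows")
    return [
        word_indices(complete_rows_bits + format(tail, f"0{missing}b"))[-1]
        for tail in range(2 ** missing)
    ]


if __name__ == "__main__":
    rows = word_indices(ARTICLE_ENTROPY)
    print("word numbers (0-based):", rows)
    options = last_word_candidates(ARTICLE_ENTROPY[:253])
    print("valid 24th-word numbers for these 23 words:", options)
    print("last bits 000 (only 23 words entered):", options[0])
    print("last bits 001 (all 256 flips entered):", options[1], "==", rows[-1])
```

Like the other computer methods, this belongs on the always-offline machine; the two numbers printed at the end are the two different, equally valid 24th words the note talks about.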

If everything is correct, write down the 24th word on the ‘Coin Seed’ sheet and restart the computer to remove all traces. Now you can use your brand new seed and type it in your wallet. Even if you have calculated your seed with such an effort, don’t type it in a software wallet inside an online pc!

If you’re sure your computer isn’t compromised and you’ve done the whole process without exposing your seed to a camera or the Internet, you’ve just created your own seed by hand with very good entropy and you’ve probably learned Bitcoin along the way.

Congratulations!

### Offline computer methods: Semilla-Moneda by me myself

I was left with the problem of not being able to provide an off-computer system (in the absence of SpecterDIY) so I tried to program the process of getting the checksum and the last word for all the entropies available. So I programmed it and with the help of Sergi (without him this doesn’t run or look so good) I created my first script: **semilla-moneda** (coin seed in Spanish) https://github.com/lunaticoin/semilla_moneda

I still have to put a lot of information on GitHub (this article could well be the README) but in general this program that I have written is where I want to continue my research.

Now, to further research and improve the system, the idea is not to have to run the script on an offline computer or depend solely on having a **SpecterDIY**. With Arkad we are thinking about how to run this script on a Raspberry Pi 1 or 2 (the ones that have no internet) and for just 15-20 euros to be able to have your offline checksum calculator.

If you have knowledge and can help us, I would really appreciate it if you would join us in making the calculation with good entropy of our own seed even easier.

## Conclusion

What more could you ask for? You have just calculated your own seed, with good entropy, without having to trust the TRNG of any hardware or software wallet and you have calculated the checksum – and your last word – with a 100% offline device.

This is **sovereignty** redefined:

- The coin-seed sheet of paper
- a coin
- a SpecterDIY
- an open system to store your seed in metal like the Blockmit one

All without giving up your name in any Bitcoin-related e-commerce. All without connecting your name to any Bitcoin product. No supply chain attack. 100% offline.

**ONWARD!**

Thank you Satoshi

PS: Don’t tell me Bitcoin isn’t elegant.

**About the author**

I am a Spanish Bitcoin podcaster. I connect with Spanish-speaking people with their own profile within the Bitcoin world and share their value in my weekly podcast, Twitter and EstudioBitcoin.

Has this article been useful for you? You can send me a tip on the Lightning Network or on chain 🙌 **Lunaticoin**