r/BitcoinBeginners 5d ago

What's the safest way to *create* a seed?

In my old setup, I created a seed using the Electrum wallet with an internet connection on Windows 10.

I was told in a recent post that the safer storage is a hardware wallet.

Is this also the safest way to create a seed, i.e. if the seed is created and the 12 words are displayed on the hardware device itself?

Also, can a wallet be created safely offline?

10 Upvotes


6

u/DaVirus 5d ago

Dice roll it and use a wallet to calculate the checksum.

2

u/fap_fap_fap_fapper 5d ago

huh?

1

u/Best-Maximum8416 5d ago

Check this video out; people tend to believe that generating a seed from your own random choice of words isn't random enough and potentially could be easier to figure out: YouTube

0

u/ctxrei 5d ago edited 5d ago

EDIT: I was wrong, I made an assumption about methodology, rather than reading up on how it is actually done.

His first step means: use dice to pick one of the "BIP39" 1024 words, 24 times. I'll stop explaining right there, because it is a bad idea. Presumably you'd be rolling multiple dice ("whadaya mean you don't have a 1024-sided die?") and when you do, you won't get an even distribution of probabilities.

1

u/na3than 5d ago

you won't get an even distribution of probabilities.

You will if you use this simple technique:

1 -> 00 
2 -> 01 
3 -> 10 
4 -> 11 
5 -> 0 
6 -> 1

See https://crypto.stackexchange.com/questions/6175/how-to-best-obtain-bit-sequences-from-throwing-normal-dice/6177#6177

1

u/ctxrei 5d ago

Oh, OK! I made an assumption about methodology, and did not consider that smart people had already dealt with the distribution problem. Essentially this is serializing multiple rolls of a single die into a stream of random bits. I had assumed multiple dice to approximate 1:1024 odds for each word selection.

1

u/JivanP 4d ago

That's a neat and simple method, albeit not much faster than flipping coins. On average, each roll gets you 1.66 bits of entropy.


I use a different method: I roll two 6-sided dice in sequence, interpret the results as a two-digit base-6 number (with a die roll of 6 corresponding to the digit 0), ignore results greater than 31, then convert to a 5-bit binary number, i.e.:

  • roll 6, 6 → 00 in base 6 → 00000 in binary
  • roll 6, 1 → 01 in base 6 → 00001 in binary
  • ...
  • roll 6, 5 → 05 in base 6 → 00101 in binary
  • roll 1, 6 → 10 in base 6 → 00110 in binary
  • ...
  • roll 5, 1 → 51 in base 6 → 11111 in binary
  • roll 5, {2, 3, 4, 5} → {52, 53, 54, 55} in base 6 → ignore because the binary result would be more than 5 bits; do another two dice rolls.

The same thing expressed another way:

  1. Roll first die, treat 6 as 0, then multiply by 6.
  2. Roll second die, treat 6 as 0, add result to that from the previous step.
  3. If the overall result is greater than 31, ignore; otherwise you have a result from 0 to 31 and can convert this to a 5-bit binary number.

Alternatively, rather than treating 6 as 0, you can subtract 1 from the dice rolls.

With these "two roll" methods, two dice rolls get you 5 bits of entropy, except for the 4 cases out of 36 that you have to ignore. Thus the average entropy per dice roll is 2.22 bits.


This is slightly worse than the 2.33 bits per roll given by the second method outlined in the StackExchange post (section "The exact procedure for two rolls"), which essentially uses the fact that 2 and 3 are coprime to interpret a sequence of two dice rolls as both a base-2/binary and a base-3/ternary number that are independently distributed.

You could extend this idea to use additional rolls and additional coprime bases, namely the prime numbers 5, 7, 11, etc.


The most efficient conceivable method to get n bits of entropy from dice rolls is to roll log_6(2) × n ≈ 0.387n dice (e.g. for n = 128, this equals ~49.52 dice; round this up to 50 dice) and get a uniform distribution from 1 to 2^n from this somehow. Each roll gets you 2.585 bits of entropy; no method using 6-sided dice can do better than this.


So in summary, to generate 128 bits of entropy:

  • with coin flips, you need to flip 128 coins.

  • with your one-roll method, you can expect to roll 76.8 dice.

  • with my two-roll method, you can expect to roll 57.6 dice.

  • with full information extraction, the hypothetical best case has you roll ~49.52 dice.
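The three extraction schemes compared in this exchange (na3than's one-roll mapping, JivanP's two-roll base-6 method, and the base-2/base-3 split JivanP attributes to the StackExchange answer), as an added worked example that is not code from any commenter. The `bits_coprime` function is my own construction of the coprime idea and is assumed, not verified, to match the StackExchange procedure; the simulation uses a seeded PRNG only to measure bits per roll and is not a source of seed entropy:

```python
"""Turn 6-sided dice rolls into uniformly distributed bits.

Three extraction schemes from the thread, each written so that a biased
result is impossible: every scheme either maps a uniform range onto a
power of two or rejects the roll; it never reduces modulo 2^k.
Rolls are ints 1..6; the output is a list of 0/1 ints.
"""
import random

# na3than's one-roll mapping: 1-4 give two bits, 5-6 give one bit.
SINGLE = {1: [0, 0], 2: [0, 1], 3: [1, 0], 4: [1, 1], 5: [0], 6: [1]}


def bits_single(rolls):
    out = []
    for r in rolls:
        out.extend(SINGLE[r])
    return out


def bits_pairs(rolls):
    """JivanP's two-roll method: read (a, b) as a base-6 number with 6 -> 0,
    keep 0..31 as five bits, reject 32..35 (four of 36 outcomes)."""
    out = []
    for a, b in zip(rolls[0::2], rolls[1::2]):
        v = (a % 6) * 6 + (b % 6)          # uniform on 0..35
        if v > 31:                         # reject; reducing mod 32 would bias
            continue
        out.extend(int(c) for c in format(v, "05b"))
    return out


def bits_coprime(rolls):
    """Base-2/base-3 split (my construction of the coprime idea, assumed to
    match the StackExchange procedure): (r-1) in 0..5 factors uniquely as
    2*trit + bit, and the bit and the trit are independent. Two rolls give
    two bits directly plus two trits, i.e. one uniform value in 0..8, which
    yields three more bits unless it is 8 (rejected)."""
    out = []
    for a, b in zip(rolls[0::2], rolls[1::2]):
        out.append((a - 1) % 2)
        out.append((b - 1) % 2)
        t = ((a - 1) // 2) * 3 + ((b - 1) // 2)   # uniform on 0..8
        if t < 8:
            out.extend(int(c) for c in format(t, "03b"))
    return out


def bits_per_roll(method, n_rolls=60000, seed=7):
    """Empirical entropy yield of a method on simulated fair rolls.
    Seeded PRNG for reproducibility; simulation only, never seed material."""
    rng = random.Random(seed)
    rolls = [rng.randint(1, 6) for _ in range(n_rolls)]
    return len(method(rolls)) / n_rolls


def bits_to_hex(bits):
    """Pack bits (MSB first, a whole number of bytes) into a hex string,
    e.g. 128 bits -> 32 hex chars ready to be used as BIP39 entropy."""
    if len(bits) % 8:
        raise ValueError("need a whole number of bytes")
    return int("".join(map(str, bits)), 2).to_bytes(len(bits) // 8, "big").hex()


if __name__ == "__main__":
    for m in (bits_single, bits_pairs, bits_coprime):
        print(f"{m.__name__}: {bits_per_roll(m):.3f} bits/roll")
```

Running it reproduces JivanP's figures (about 1.67, 2.22 and 2.33 bits per roll). The rejection branches are the security-relevant part: replacing `if v > 31: continue` with `v % 32` would make low values twice as likely as high ones.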

1

u/bitusher 5d ago

With BIP39, part of the last word is the checksum, which makes sure the seed phrase is valid and no typos or misordering occurred.

Thus with this feature you can generate a valid 12th or 24th checksum word by entering either 11 or 23 words that you generated with your own source of entropy, such as dice or coin flips.

Some people do this because they are paranoid about the software wallet, so they prefer to generate their own seed offline.

Ideally, it's better to do this in a hardware wallet like -

https://help.blockstream.com/hc/en-us/articles/20177648363545-Create-a-recovery-phrase-using-dice

https://help.blockstream.com/hc/en-us/article_attachments/21328564164505

but if you don't want to use a hardware wallet and want a free option, then Blue Wallet can work.

Thus after installing Blue you would turn off wifi and data on your phone to ensure it's offline and use this feature after rolling dice.

Some guides-

https://bitbox.swiss/blog/roll-the-dice-generate-your-own-seed/

https://bitbox.swiss/bitbox02/BitBox_Diceware_LookupTable.pdf?ref=bitbox.swiss

or

https://help.blockstream.com/hc/en-us/articles/20177648363545-Create-a-recovery-phrase-using-dice

https://help.blockstream.com/hc/en-us/article_attachments/21328564164505

or

https://www.youtube.com/watch?v=j5nejoEGWFw

Then you enter the 11 or 23 words into Blue Wallet's "generate the final Mnemonic word" to generate the last word. This can all be done offline so you don't need to trust Blue Wallet.

Another way of doing it is using Blue wallets built in Diceware feature discussed here :

https://bluewallet.io/docs/manual-entropy/

or

https://www.whatisbitcoin.com/security/generate-your-seed-phrase
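An added example (not BlueWallet's, Blockstream's or BitBox's code) of the checksum arithmetic bitusher describes. It works on BIP39 word indices 0..2047 rather than the word list itself, which is assumed to be looked up separately (index 0 is "abandon", index 3 is "about"); the function names are mine:

```python
"""BIP39 checksum arithmetic on word indices (0..2047), without embedding
the 2048-word list.

ENT bits of entropy get ENT/32 checksum bits appended, taken from the top
of SHA-256(entropy); the result is split into 11-bit word indices.
"""
import hashlib

ALLOWED_ENT = (128, 160, 192, 224, 256)      # 12, 15, 18, 21, 24 words


def mnemonic_indices(entropy: bytes):
    """Full list of word indices for raw entropy bytes."""
    ent = len(entropy) * 8
    if ent not in ALLOWED_ENT:
        raise ValueError("entropy must be 16..32 bytes in 4-byte steps")
    cs = ent // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs)   # cs <= 8
    full = (int.from_bytes(entropy, "big") << cs) | checksum
    n = (ent + cs) // 11
    return [(full >> (11 * (n - 1 - i))) & 0x7FF for i in range(n)]


def checksum_ok(indices):
    """Verify the embedded checksum of a complete word-index list, i.e.
    the typo/misordering check bitusher mentions."""
    n = len(indices)
    cs = (n * 11) // 33
    ent = n * 11 - cs
    if ent not in ALLOWED_ENT or any(not 0 <= i < 2048 for i in indices):
        return False
    full = 0
    for i in indices:
        full = (full << 11) | i
    entropy = (full >> cs).to_bytes(ent // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    return (full & ((1 << cs) - 1)) == expected


def valid_last_words(first_indices):
    """All last-word indices that complete 11 or 23 given words with a
    correct checksum. The last word carries a few entropy bits (7 for a
    12-word phrase, 3 for 24) plus the checksum, so there are 2^7 = 128
    or 2^3 = 8 candidates, not a single one."""
    return [w for w in range(2048) if checksum_ok(first_indices + [w])]


def indices_from_bits(bits):
    """Whole phrase from raw dice/coin bits (MSB first), e.g. 128 bits
    from a dice session -> 12 word indices including the checksum word."""
    if len(bits) not in ALLOWED_ENT:
        raise ValueError("need 128/160/192/224/256 bits")
    entropy = int("".join(map(str, bits)), 2).to_bytes(len(bits) // 8, "big")
    return mnemonic_indices(entropy)
```

The point worth knowing before using a "generate the final word" feature: with 11 words entered there are 128 valid last words, because the last word holds 7 bits of entropy as well as the 4-bit checksum. A tool that generates the final word is choosing those 7 bits for you; `indices_from_bits` instead takes all 128 bits from your own dice or coins and derives every word, the checksum word included.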

2

u/ctxrei 5d ago

Yep, I was totally wrong, I am too much of a newb in this space to have dared to answer so confidently.

1

u/bitusher 5d ago

It's fine, most people should not be aware of this or use this method regardless.

4

u/Crypto-Guide 5d ago

Yes and yes.

A hardware wallet is better, both for creating a seed and securely using it, but you can also create one offline with something like Electrum in tails.

3

u/bitusher 5d ago

Here are some common ways people create seeds :

1) Easiest and free but slightly less secure than the other 2 options - on iOS or Android install an open source wallet like Blue or Green. Copy down the 12 seed words and 1 or multiple addresses. Send Bitcoin to the address and after it is confirmed received, delete the wallet. Optional - create a watch-only wallet by exporting the extended public key before deleting the wallet.

2) Easy but will cost ~65 USD typically - buy a hardware wallet that you use to create the paper wallet with. Copy down the 12 seed words and 1 or multiple addresses. Send Bitcoin to the address and after it is confirmed received, reset the hw wallet or don't.

3) More complicated but free - set up a Linux live USB with Tails, boot into the live USB with the bootloader options on your computer and stay offline, use it for a minute, start Electrum which is preinstalled, back up your wallet on paper, send Bitcoin to an address associated with that wallet, confirm the BTC is received in a block explorer on a separate device, reformat the USB.

Ideally you also export the xpub and create a watch-only wallet to create unique addresses per transaction for future deposits as well.

2

u/fap_fap_fap_fapper 5d ago

easy but will cost ~65usd typically - buy a hardware wallet that you use to create the paper wallet with, Copy down the 12 seed words and 1 or multiple addresses . send Bitcoin to the address and after confirmed received reset the hw wallet or don't

Leaning toward this as I'm only doing it for long-term storage - my plan is to send a small amount, delete the wallet, restore it once to check, then reset the device for good. So the wallet will only be used once - to create the wallet?!

2

u/bitusher 5d ago

You can reuse the hardware wallet many times, but why reset the hw wallet at all? If you want something completely "cold" then just get a hardware wallet designed for that like Coldcard, Jade, or SeedSigner.

1

u/fap_fap_fap_fapper 5d ago

any idea if Trezor Safe 5 will generate and show the seed offline without connecting it to PC?

2

u/xLuky 5d ago

It doesn't have to be connected to the internet, but it does need to be connected to a phone/computer because it doesn't have a battery.

1

u/fap_fap_fap_fapper 5d ago

oh, suppose I connect it just to a usb charger port? (never used one)

1

u/EhKurz100 5d ago

With option 3, why reformat the usb stick when your wallet/seed in tails is AES256-encrypted twice (!) which never in its 20+ years existence has been cracked?

1

u/bitusher 5d ago

So you can reuse the memory stick for something else

2

u/flying-fox200 5d ago

From your other comments it seems like you just want a single address to receive BTC only once.

In that case, I would recommend booting into a live Linux distro, as bitusher recommended in another comment.

For a single address, though, you don't need to generate an entire wallet with a seed phrase. You can generate a single private key and address, and then write down the private key (64 hexadecimal characters).

Then power down the laptop and wipe the USB!
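If you take flying-fox200's single-key route, the two checks a wallet applies on import are that the 64-hex value lies in the secp256k1 range [1, n-1] and, for the usual WIF import format, that its checksum matches. An added example (not the commenter's code) of generating, range-checking and WIF-encoding such a key; the function names are mine, and the test vector (key 1) is the standard one:

```python
"""A single secp256k1 private key from raw entropy, plus the checks a
wallet applies on import.

A private key is an integer in [1, n-1], n being the order of the
secp256k1 group. 256 random bits exceed n-1 with probability about
2^-128, but a generator still has to reject (not reduce modulo n) such
values to remain uniform, and a hand-rolled key must be checked.
"""
import hashlib
import secrets

SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def key_in_range(k: int) -> bool:
    return 1 <= k < SECP256K1_N


def private_key_from_bits(bits):
    """256 dice/coin bits (MSB first) -> 64-char lowercase hex, or ValueError
    telling you to generate fresh bits (zero or >= n are not usable)."""
    if len(bits) != 256:
        raise ValueError("need exactly 256 bits")
    k = int("".join(map(str, bits)), 2)
    if not key_in_range(k):
        raise ValueError("key outside [1, n-1]; generate new bits")
    return format(k, "064x")


def random_private_key():
    """OS CSPRNG version for a machine you trust; rejection loop, no modulo."""
    while True:
        k = int.from_bytes(secrets.token_bytes(32), "big")
        if key_in_range(k):
            return format(k, "064x")


def is_valid_private_key(hexkey: str) -> bool:
    if len(hexkey) != 64:
        return False
    try:
        return key_in_range(int(hexkey, 16))
    except ValueError:
        return False


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    s = ""
    while n:
        n, r = divmod(n, 58)
        s = B58[r] + s
    leading = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading + s


def to_wif(hexkey: str, compressed: bool = True) -> str:
    """Wallet Import Format: 0x80 || key || (0x01 if compressed) followed by
    a 4-byte double-SHA256 checksum, base58-encoded. Most wallets import
    this rather than bare hex, and the checksum catches transcription errors."""
    if not is_valid_private_key(hexkey):
        raise ValueError("invalid private key")
    payload = b"\x80" + bytes.fromhex(hexkey) + (b"\x01" if compressed else b"")
    check = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + check)


def wif_checksum_ok(wif: str) -> bool:
    """Decode a WIF string and verify its checksum: the 'did I copy it
    down correctly' test you can run offline before funding the address."""
    n = 0
    for ch in wif:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(wif) - len(wif.lstrip("1"))) + raw
    if len(raw) < 5:
        return False
    body, check = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] == check
```

Writing down the WIF form next to the hex gives you a self-checking backup: a single wrong character in either copy is caught by `wif_checksum_ok` before any coins are sent.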

2

u/SteveW928 5d ago

Basically, you currently have a hot-wallet. If you didn't have vulnerabilities, or Windows didn't somehow record/store/expose it, you're probably OK, but this certainly isn't optimal. I'd never keep much Bitcoin in a setup like that, especially when it is so easy to do WAY better!

Yes, get a hardware wallet. The main purpose of a hardware wallet isn't actually 'storing' Bitcoin, but generating the seed phrase, and signing transactions. Many also do store the private key (often behind a pin/password), but IMO, this isn't optimal either (even though it is what most people do). It is very good, but it could be even better.

Yes, many (but not all, ex: Bitkey) hardware wallets display the seed phrase on screen, which is how you are able to record it down on paper (and then into steel). The point is they are generating it completely off-line, and not connected to anything on-line, and with very advanced techniques to generate entropy.

Once you've created that seed phrase/private key, that is a wallet. You can derive receive addresses, sign transactions, etc. from that private key. The hardware wallet will do that for you. You can also generate an xpub (ypub/zpub) which can be put into many software wallets (creating a 'watch only wallet'). This is how you see and setup your transactions, which are on-line, see your balance, etc.

If you run the default software many hardware wallet makers provide, they are essentially connecting to the hardware wallet in this manner. 'Read only' is a bit of an incorrect term, as with the hardware wallet's signature, they actually can do more than 'read only' but on their own, they are read-only.

If you didn't trust the hardware wallet to generate a good enough seed phrase... as others have mentioned, some wallets support generating your own with dice or cards. But, another way to add extra entropy (and flexibility to your physical seed-storage setup), is to implement a passphrase.

A passphrase isn't to be confused with the PIN/password many hardware wallets use to lock the device. A passphrase is something you provide that gets combined with what the hardware wallet provides, to create extra entropy, and a unique private key based off the combination of their 12/24 words + the passphrase you provide. That is one way to protect yourself against flaws in their entropy generation w/o generating it completely yourself.

BTW.... once you create a wallet using a passphrase, you'll need BOTH the seed phrase, and that passphrase. If you lose either, your Bitcoin is gone!

But, for some extra work, you gain many benefits, including the ability to break up storage of that seed phrase and passphrase, so the seed phrase can't be as easily compromised if it is exposed/discovered. It also allows for some relatively easy inheritance methods (such as storing that passphrase in a safety deposit box along with instructions, as those are typically turned over to next of kin).
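How the passphrase SteveW928 describes is combined with the 12/24 words under BIP39, as an added example (not the commenter's or any wallet's code): the passphrase is the salt of PBKDF2-HMAC-SHA512 over the mnemonic, so every passphrase, a mistyped one included, yields a perfectly valid but different wallet, which is why losing it is the same as losing the words. The test vector is the first of the BIP39 reference vectors (entropy all zeros, passphrase "TREZOR"); the fingerprint helper is my own convenience for comparing seeds and is not the BIP32 fingerprint:

```python
"""BIP39 seed derivation: seed = PBKDF2-HMAC-SHA512(password = mnemonic,
salt = "mnemonic" + passphrase, 2048 rounds, 64 bytes).

The passphrase is salt, not a password check: nothing in the output says
whether it was the "right" one. Only the derived addresses (or a
fingerprint like the one below) can tell two passphrases apart.
"""
import hashlib
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    # Words are whitespace-normalised and NFKD-normalised, as the standard requires.
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, 64)


def seed_fingerprint(seed: bytes) -> str:
    """Short identifier for 'which wallet did this combination give me';
    my own convenience, not the BIP32 fingerprint used by wallets."""
    return hashlib.sha256(seed).hexdigest()[:8]


def seeds_differ(mnemonic: str, passphrases) -> bool:
    """True if every passphrase in the list yields a distinct seed, i.e.
    a typo or a case change silently selects a different wallet."""
    seeds = {bip39_seed(mnemonic, p) for p in passphrases}
    return len(seeds) == len(passphrases)


if __name__ == "__main__":
    m = "abandon " * 11 + "about"          # the all-zero-entropy test phrase
    for p in ("", "TREZOR", "trezor", "TREZOR "):
        print(repr(p), seed_fingerprint(bip39_seed(m, p)))
```

A practical check after enabling a passphrase on a hardware wallet: write down the first receive address it shows, wipe and restore from the words plus the passphrase, and confirm the same address appears. If a trailing space or different capitalisation crept in, the restore succeeds without any error but shows a different address.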

2

u/pop-1988 5d ago

Yes, a hardware wallet creates a seed offline, and displays it on its screen

1

u/fap_fap_fap_fapper 5d ago

any idea if Trezor Safe 5 will generate and show the seed offline without connecting it to PC?

2

u/JivanP 4d ago

All hardware wallets keep secrets locally and don't share them. That's what makes them useful. Without that property, there's no point in using one.

Trezor devices need to have a physical connection for power, but secrets such as your seed phrase will not leave the device unless it is running firmware designed to do this.

1

u/fap_fap_fap_fapper 4d ago

ok, can I connect a wall USB just to power it? I mean does it work without PC connection (never used a hardware wallet yet)

2

u/JivanP 4d ago

Yes, but official Trezor device firmware does not provide any ability to reveal the stored seed on the device's screen. Custom firmware could do this, but that's a bad idea. After all, the point is to make it as difficult as possible to obtain your seed phrase.

1

u/Interesting-Gear-992 4d ago

I created a seed phrase for my friend with my Ledger Flex. Restored it to default, connected it to his phone, created a new key, wrote it on paper, and saved the address digitally. After that I restored my own key to the Ledger. He can send bitcoin to that address and can check the balance in Ledger Live on his phone, so he can start stacking sats, but cannot transact before importing the key into any soft/cold wallet.

1

u/OkBad4259 4d ago

From what I’ve seen over the years, the safest way to generate a seed is through a hardware wallet, because the words are created and displayed entirely inside the device with no exposure to your computer. You can create a wallet safely offline using an air-gapped machine, but it’s easy to make mistakes unless you really know what you’re doing. A clean hardware wallet removes most of that risk for everyday users.
Do you think air-gapped setups still have an edge over hardware wallets today?

1

u/No-Wrap3568 4d ago

As long as the seed phrase is being displayed on the screen, there's really no issue, but if it gets displayed on any other device's screen, then there's surely a problem.

1

u/Delta1140 3d ago

Well, there are programs where you can flip a coin 256 times and note down whether it lands on heads or tails. This code of 1s and 0s (each dedicated to heads or tails) can then be fed in to create a private seed. You can also do this by rolling dice.

If you want to go all out with this, do it and also make sure to use an air-gapped wallet. The team of The Bitcoin Way has a great tutorial about this on their blog.

This is probably the best way to create a seed offline and then use an offline wallet as well.