There are essentially four types of mnemonic seed phrases used in Bitcoin:
- BIP39
- Electrum (old and new seed formats)
- Shamir Shares (SLIP39)
- LND (AEZEED)
Why do they exist? What makes them different from each other? Can we identify them easily? In this short guide we’ll try to address these questions.
What’s the purpose of mnemonic seed phrases?
The main purpose of mnemonic seeds is to convert a very large number (a private key) into a human-readable form which can be copied and backed up by humans without using electronic devices. Why is this important? Electronic devices, and especially Internet-connected devices, can be hacked into far more easily than physical seed backups (for example paper or metal). Internet-connected devices and storage are exposed to remote attacks, whereas an attack on a physical backup requires physical access and is much harder to carry out.
BIP39
This format was created in 2013 and has since gained the most traction and use. It supports encoding between 128 and 256 bits of entropy, a checksum and an optional passphrase for additional protection of the seed. The wordlist is fixed and consists of 2048 words. In addition to the English list there are seven other languages, but they are not commonly used. This format deliberately doesn’t support versioning (for simplicity).
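The three BIP39 mechanics just described (entropy plus checksum, fixed-size 11-bit word indices, and the one-way passphrase step) can be seen in a few lines. The following is an added example written for this guide, not code from BIP39 itself or from any wallet. It does not embed the 2048-word list; it works on word indices, and the only words spelled out ("abandon" = index 0, "about" = index 3) are taken from the published English list so the well-known all-zero-entropy vector can be reproduced.

```python
import hashlib
import unicodedata

# Added example (not wallet code): BIP39 entropy -> checksum -> 11-bit indices,
# the reverse mapping with checksum verification, and mnemonic -> 512-bit seed.
# Word indices stand in for words; the 2048-word list is not embedded here.

def entropy_to_indices(entropy: bytes) -> list:
    """Append the SHA-256 checksum (ENT/32 bits) and split into 11-bit word indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16..32 bytes in 4-byte steps")
    cs_bits = ent_bits // 32
    digest = hashlib.sha256(entropy).digest()
    bits = bin(int.from_bytes(entropy, "big"))[2:].zfill(ent_bits)
    bits += bin(int.from_bytes(digest, "big"))[2:].zfill(256)[:cs_bits]
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]

def indices_to_entropy(indices: list) -> bytes:
    """Reverse mapping; raises if the embedded checksum does not match."""
    total_bits = len(indices) * 11
    ent_bits = total_bits * 32 // 33          # 12 words -> 128, 24 words -> 256
    cs_bits = total_bits - ent_bits
    bits = "".join(bin(i)[2:].zfill(11) for i in indices)
    entropy = int(bits[:ent_bits], 2).to_bytes(ent_bits // 8, "big")
    digest = hashlib.sha256(entropy).digest()
    expected = bin(int.from_bytes(digest, "big"))[2:].zfill(256)[:cs_bits]
    if bits[ent_bits:] != expected:
        raise ValueError("BIP39 checksum mismatch")
    return entropy

def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = 'mnemonic' + passphrase.

    This step is one-way: a different passphrase yields an unrelated seed, which is
    why a BIP39 passphrase cannot be 'changed' for an existing key chain.
    """
    m = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", m, salt, 2048)

if __name__ == "__main__":
    # Published BIP39 test vector: 16 zero bytes -> eleven 'abandon' + 'about'.
    print(entropy_to_indices(bytes(16)))           # [0, 0, ..., 0, 3]
    vector = " ".join(["abandon"] * 11 + ["about"])
    print(mnemonic_to_seed(vector, "TREZOR").hex()[:32])
    print(mnemonic_to_seed(vector, "").hex()[:32])  # unrelated seed without passphrase
```

Running the block reproduces the first entry of the BIP39 reference vectors (all-zero entropy, passphrase "TREZOR", seed starting `c55257c360c07c72…`), and shows that the same twelve words with an empty passphrase give an unrelated seed.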
Electrum
Electrum uses two seed formats: the “old” format, used from circa 2011 to circa 2014, and, starting with version 2.0, a “new” seed format.
- Electrum old seed format (Electrum versions prior to 2.0): The wordlist contains 1626 English words. There is some overlap between this list and the BIP39 wordlist, but they are not the same. This format uses bidirectional encoding between seed phrase and entropy; “bidirectional” here means that you can turn binary entropy into a mnemonic and vice versa. This format doesn’t use a checksum. Current versions of Electrum can still recognise this format and import such wallets (the process is automatic upon entry of the seed).
- Electrum new seed format: Electrum version 2.0 introduced a new seed format, the “Seed Version System”, to fix some of the perceived shortcomings of BIP39. This format derives keys and addresses from a hash of the UTF-8 normalised seed phrase with no dependency on a fixed wordlist. Even though it doesn’t depend on a fixed wordlist, it uses the same 2048-word English wordlist as BIP39. Another distinctive feature of this format is the version number encoded in the seed. The purpose of the version number is to enable forward compatibility with future releases of the wallet. The version number also encodes the type of output addresses (Legacy, P2SH-Segwit, Native Segwit), the network used (mainnet or testnet) and whether it’s a single-signature or a multisig wallet, which makes future recovery easier. The full description of this format is here.
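The “version number encoded in the seed” is not an extra word: Electrum hashes the normalised seed text with HMAC-SHA512 keyed by the string “Seed version” and treats a hex prefix of that hash as the version (for example `01` for a standard legacy seed and `100` for a native segwit seed), and seed generation simply searches for a candidate whose hash has the wanted prefix. The following is an added example written for this guide, not Electrum’s own code. It uses a small constructed wordlist in place of the 2048-word list, omits the accent and CJK-spacing rules of Electrum’s normalisation, and omits the check that a generated seed is not also a valid BIP39 or old-Electrum seed.

```python
import hashlib
import hmac
import os
import unicodedata

# Added example (not Electrum's code): the Seed Version System.
# Version prefixes as used by Electrum's hash-prefix check.
SEED_PREFIXES = {
    "01": "standard",     # legacy P2PKH addresses
    "100": "segwit",      # native segwit addresses
    "101": "2fa",         # two-factor (TrustedCoin) wallet
    "102": "2fa_segwit",
}

# Constructed 16-word list standing in for the 2048-word list (assumption).
WORDS = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot", "golf", "hotel",
         "india", "juliet", "kilo", "lima", "mike", "november", "oscar", "papa"]

def normalize_text(seed: str) -> str:
    """NFKD, lower-case, strip combining marks, collapse whitespace."""
    seed = unicodedata.normalize("NFKD", seed).lower()
    seed = "".join(c for c in seed if not unicodedata.combining(c))
    return " ".join(seed.split())

def seed_type(seed: str):
    """Return the version name encoded in the seed's hash prefix, or None."""
    digest = hmac.new(b"Seed version", normalize_text(seed).encode("utf-8"),
                      hashlib.sha512).hexdigest()
    for prefix, kind in SEED_PREFIXES.items():
        if digest.startswith(prefix):
            return kind
    return None

def int_to_words(n: int, count: int) -> str:
    """Encode an integer as `count` words, least-significant digit first."""
    out = []
    for _ in range(count):
        out.append(WORDS[n % len(WORDS)])
        n //= len(WORDS)
    return " ".join(out)

def make_seed(start: int, kind: str = "standard", count: int = 12) -> str:
    """Search upward from `start` until the candidate's hash carries `kind`'s prefix."""
    n = start
    while True:
        candidate = int_to_words(n, count)
        if seed_type(candidate) == kind:
            return candidate
        n += 1

if __name__ == "__main__":
    seed = make_seed(int.from_bytes(os.urandom(6), "big"), "segwit")
    print(seed, "->", seed_type(seed))
```

Because the version lives in the hash rather than in the words, a wallet can tell a segwit seed from a legacy one on entry without any list lookup; it also means a phrase that was never produced by this search almost certainly has no recognised prefix and is rejected.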
Shamir Secret Sharing aka SLIP39
In 2019 SatoshiLabs released a seed splitting format codenamed SLIP39, based on the idea of secret sharing published by Adi Shamir in 1979. The main purpose of this format is the ability to encode the seed in N lists of words in such a way that only M shares are required to recover the seed (where M <= N). It’s a threshold seed splitting scheme: one can, for example, encode the seed in 3 different shares (seed phrases) of which only 2 are required to recover the seed. Up to 16 shares are supported.
This encoding scheme uses a robust checksum based on a Reed-Solomon code that guarantees detection of any error affecting at most 3 words and has less than a 1 in 10^9 chance of failing to detect more errors. Like BIP39 it also supports an optional passphrase for extra protection and for multi-account setups.
This format doesn’t support versioning. The wordlist contains 1024 English words. The typical mnemonic seed length is 20 words; 33-word shares are also possible, but no hardware wallet currently supports them. Trezor Model T uses 20 words.
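The threshold property itself (any M of N shares reconstruct the secret, fewer reveal nothing) comes from Shamir’s scheme: each byte of the secret becomes the constant term of a random polynomial of degree M-1, each share is that polynomial evaluated at a distinct point, and M points determine the polynomial by Lagrange interpolation. The following is an added example written for this guide, not SatoshiLabs’ reference code. It works in GF(256) with the same reduction polynomial SLIP39 specifies (x^8 + x^4 + x^3 + x + 1), but leaves out SLIP39’s digest share, share groups, passphrase encryption, checksum and the 1024-word encoding.

```python
import os

# Added example (not SLIP39 reference code): M-of-N Shamir sharing over GF(256).

def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements modulo x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11b
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (a^255 = 1 for every non-zero a)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(256)")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def eval_poly(coeffs: list, x: int) -> int:
    """Horner evaluation; coeffs[0] is the constant term (the secret byte)."""
    result = 0
    for c in reversed(coeffs):
        result = gf_mul(result, x) ^ c
    return result

def split_secret(secret: bytes, threshold: int, count: int) -> list:
    """Return `count` shares as (x, y_bytes); any `threshold` of them recover `secret`."""
    if not 1 <= threshold <= count <= 16:
        raise ValueError("SLIP39 allows at most 16 shares and threshold <= count")
    # One random polynomial per secret byte, degree threshold-1, constant term = secret byte.
    polys = [[s] + list(os.urandom(threshold - 1)) for s in secret]
    return [(x, bytes(eval_poly(p, x) for p in polys)) for x in range(1, count + 1)]

def recover_secret(shares: list, threshold: int) -> bytes:
    """Lagrange-interpolate each byte's polynomial at x = 0 from `threshold` shares."""
    if len(shares) < threshold:
        raise ValueError("not enough shares")
    shares = shares[:threshold]
    length = len(shares[0][1])
    out = bytearray(length)
    for i in range(length):
        acc = 0
        for xi, yi in shares:
            num, den = 1, 1
            for xj, _ in shares:
                if xj != xi:
                    num = gf_mul(num, xj)        # (0 - xj) == xj in characteristic 2
                    den = gf_mul(den, xi ^ xj)   # (xi - xj) == xi XOR xj
            acc ^= gf_mul(yi[i], gf_mul(num, gf_inv(den)))
        out[i] = acc
    return bytes(out)

if __name__ == "__main__":
    master = os.urandom(16)                      # a 128-bit master secret (constructed)
    shares = split_secret(master, 2, 3)          # 2-of-3, as in the text's example
    print(recover_secret([shares[0], shares[2]], 2) == master)
```

With a 2-of-3 split, any pair of shares yields the original bytes while a single share is a point on a random line and carries no information about the intercept; the same code handles any threshold up to the 16-share limit the text mentions.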
LND (AEZEED)
Neither BIP39 nor the Electrum format was robust enough to cover the needs of the Lightning Network Daemon (LND) developers, who created a new format in 2018. The main reasons against using BIP39 were:
- lack of versioning (so future versions of the wallet may not necessarily know how to derive all the required addresses)
- lack of wallet birthday (so wallets may not know how far back to look in the chain)
And so LND AEZEED was created. It is a versioned scheme which encodes a birthday. It supports an optional passphrase and uses the same BIP39 wordlist. The mnemonic seed phrase is 24 words long.
Interestingly, no other Lightning Network wallet uses the AEZEED format. For example, Eclair uses BIP39 and C-Lightning uses the Bitcoin Core built-in wallet.
There are a few interesting properties of AEZEED which are worth mentioning:
- The mnemonic itself is a cipher text, meaning leaving it in plaintext is advisable if the user also sets a passphrase. This is in contrast to BIP 39 where the mnemonic alone (without a passphrase) may be sufficient to steal funds.
- A cipherseed can be modified to change the passphrase. This means that if the user wants a stronger passphrase, they can decipher (with the old passphrase), then encipher (with a new passphrase). The end result is that the user has upgraded the passphrase but uses the same HD key path as before (same wallet addresses). Compare this with BIP 39: if the user used a passphrase, they can’t change the passphrase of their existing HD key chain, since the mapping is one-way (changing the passphrase in BIP39 generates a completely new HD key chain and thus new addresses).
- The downside of the above is you can’t use multiple passphrases with a single mnemonic (like you can with BIP39). Using a new passphrase in AEZEED creates a new mnemonic because the passphrase is used to encode the final mnemonic. In BIP39 the passphrase is used only in the final step of turning the mnemonic into binary seed.
| Format | Encoding | Default length | Wordlist | Passphrase | Used since |
|---|---|---|---|---|---|
| BIP39 | Unidirectional | 12 or 24 words | 2048 words | Optional | 2013 |
| Electrum (old seed) | Bidirectional | 12 words | 1626 words | None | 2011-2014 |
| Electrum (new seed) | Unidirectional | 12 words | BIP39 wordlist | Optional | 2014 |
| Shamir Secret Sharing (SLIP39) | Bidirectional | 20 words | 1024 words | Optional | 2019 |
| LND (AEZEED) | Bidirectional | 24 words | BIP39 wordlist | Optional | 2018 |
Does it mean having a mnemonic seed might not be enough to recover a Bitcoin wallet?
Correct. In some cases having just a 12- or 24-word seed might not be enough to recover a wallet. You may not remember which wallet you used to create the seed, so recovering may mean trying out a few different combinations and formats. Hopefully the list above will guide you.
Coldbit Steel has it covered
Regardless of which type of mnemonic seed you use, our metal wallet Coldbit Steel can back them all up. It provides space to stamp up to 24 words on a 4mm thick stainless steel plate and a line to stamp the wallet ID. The wallet ID can be the name of the wallet used to generate the seed (e.g. Mycelium).
Additionally, on the back of the 2mm cover plate there’s space to stamp some of the metadata above to enable easier recovery in the future. The data includes:
- Type of mnemonic seed (BIP39, Electrum or LND)
- Whether the seed is passphrase protected
- Types of output addresses used (Legacy, P2SH-Segwit or Native Segwit)
- Whether the seed is part of a multisig setup or a Shamir share.
Coldbit Steel is the only metal wallet currently available on the market that lets you record this metadata along with the main seed, securely stamped in waterproof, fireproof and acid-proof stainless steel; it can even withstand 20 tonnes of pressure and store the seed safely for decades.
In addition to the main seed backup, each wallet comes with a passphrase backup on a stainless steel hex rod which can store up to 6 passphrases (each up to 4-6 words long).
If you want to learn more about Bitcoin wallet/key security and best practices for safe storage sign up to our newsletter below: