Motivation:
BIP-39 proposes using a mnemonic code to make it easier for users to interact with their wallets. It replaces the handling of raw binary or hexadecimal representations of wallet seeds with a group of easy-to-remember words.
The mnemonic sentence can be written on paper or spoken over the telephone, making it more accessible and user-friendly.
Generating the Mnemonic:
The mnemonic is generated from an initial entropy of a certain length (ENT), which should be a multiple of 32 bits and can range from 128 to 256 bits.
A checksum is generated by taking the first ENT / 32 bits of the SHA256 hash of the initial entropy.
The checksum is appended to the initial entropy, and the concatenated bits are split into groups of 11 bits. Each 11-bit group encodes a number from 0 to 2047, which serves as an index into a predefined wordlist.
Finally, these numbers are converted into words using the wordlist, resulting in the mnemonic sentence.
Wordlist and Sentence Length:
The wordlist contains a carefully selected set of words to ensure easy identification with just the first four letters.
Words that are similar, like "build" and "built," are avoided to prevent confusion.
The wordlist is sorted, allowing for efficient lookup of code words.
The length of the mnemonic sentence depends on the initial entropy length (ENT) and the checksum length (CS).
The checksum length (CS) is ENT / 32, and the mnemonic sentence length (MS) is (ENT + CS) / 11.
Wordlists and Localization:
An ideal wordlist is sorted and has smart word selection to facilitate easy identification.
BIP-39 recommends using the English wordlist for compatibility reasons, as most BIP-39 wallets support only the English wordlist.
If your application requires a localized wordlist, it is better to use one of the recommended wordlists rather than creating your own.
From Mnemonic to Seed:
Users may decide to protect their mnemonic with a passphrase, but if none is provided, an empty string is used as the passphrase.
To create a binary seed from the mnemonic, the PBKDF2 function is used with the mnemonic sentence as the password and "mnemonic" + passphrase as the salt.
The PBKDF2 function iterates 2048 times and uses HMAC-SHA512 as the pseudo-random function.
The length of the derived key (seed) is 512 bits (64 bytes).
This seed can then be used to generate deterministic wallets using BIP-32 or similar methods.
Plausible Deniability:
BIP-39's method of generating the seed from the mnemonic provides plausible deniability. Every passphrase generates a valid seed and a deterministic wallet, but only the correct passphrase will make the desired wallet available. This feature allows users to have multiple passphrases for added security.