This is a fun project that will help you understand Bitcoin keys better. You'll need a pencil, paper, something to generate random output in binary (like a coin) and a computer. The purpose here is to get you doing something which will help you learn a lot, instead of just reading about pure theory. And it’ll be easy enough that you can just jump right in and follow along.
Important Preamble
Don't use this key for your actual bitcoin. Practice with this guide first.
When you make your real key — the one that will hold real bitcoin — you must make it on an air-gapped computer if you use this method. An air-gapped computer must have no capability of connecting to the internet. It’s not enough to just temporarily switch off your wifi connection on a regular computer if you are serious about security; clever hackers exist and can extract your private keys even if you are temporarily disconnected from the internet. At the end I'll explain what to do next if you want to use this method to make your real keys.
Ok, let's begin the project…
Step #1 - Make A Big, Random Binary Number
You can flip a coin 256 times, but it’s better and faster to use dice. You can buy casino-grade dice to ensure fair, random rolls. But it’s also okay to just save money and just use any old dice. Even if your dice are not perfect and have some bias, as long as you use several at a time, you will achieve sufficient randomness.
This is the procedure (one of many ways)...
- Take four or so dice (e.g. from an old board game lying around).
- Consider the numbers 1, 2 or 3 to be an output of zero while 4, 5 or 6 will be an output of one. This way you'll get a binary output (only zeros and ones in the final result) with dice (e.g. roll a 3, record a zero; roll a 6, record a one).
- Roll them and read left to right (consistency, decided beforehand, is important to maintain randomness). If it's a close call about which is more to the left or right, just roll again.
- Make 23 lines of 11 digits. The 24th line will only need three digits only. For each line, clump digits into groups of 4-4-3 (see image below) for easy reading and calculating. Keep your vertical columns aligned as much as possible and leave space between each row for manual calculations. This will all make sense later.
Like this example:
There are 256 binary digits here — 23 complete sets of 11 digits with the 24th row only needing three digits.
You'll see later more clearly but, for now, understand that every 11 digits of binary will be translated to a mnemonic seed word. For the total 256 random binary digits, we can divide by 11 to get the number of words in the seed. But the answer to 256 divided by 11 is not a whole number; it's 23.27. We can't have 23.27 words in our seed.
We need eight more bits to have enough to make our 24th word. Once we have 264 bits in total, it all divides nicely into 24 sets of 11, yielding a 24-word mnemonic seed. As you’ll see later, these final eight extra bits will have their own important role to play.
A note on randomness:
You can make these 256 bits of random data any way you want, as long as it's actually random. If it's not random, someone might be able to reproduce the data. They would then be able to recreate your private key and could take all of your bitcoin. For example, if you make 256 bits of all zeroes (clearly not random), then someone will be able to guess your private key. Here's proof: I generated a private key from that terrible all-zeroes randomness and found someone’s existing wallet. If it hadn’t already been emptied, I could have stolen the funds.
They clearly knew what they were doing because it was a small amount and they didn't leave any coins there for long. It might have been a demonstration, who knows. But other people have made non-random private keys that were guessable and as a result lost their bitcoin. But don't worry, if you make a truly random private key, someone would have to exactly repeat your binary dice rolls or coin flips and, thanks to exponential math, that's not going to happen during the life of the universe.
Step 2 - Calculate The Checksum
These final missing eight digits need to be calculated to form what is called the “checksum.”
What is a checksum? A checksum is how computers know that you've made a typo when you enter things like your credit card number or bank account number. It's a useful thing to have the computer warn you that you've made a typo in your Bitcoin private key!
To calculate the checksum you'll need a Linux or Mac computer. If you have Windows 10, you can install the Ubuntu App (a version of Linux) from the Microsoft Store. Just search "Ubuntu" and install it. You'll use the Ubuntu terminal to run the commands that follow. The app is a temporary session; no files are stored on the Ubuntu app. This means you'll get a clean session each time you run it.
Windows users need to do this workaround and it's a nuisance. I tried other workarounds but met with various issues.
Now that you have a terminal on your Mac, Linux orWindows 10 machine, type the command below. Replace my binary digits with your own random binary digits (note that this should all be one very long line, even though the way it’s displayed here may look otherwise)
echo 1010111100111000000011110110001111010111101001010010001011001111011110100011000010100011111100100010100011110001110101000110011111110000101000110001010111010001010011111110101001010011110110110110000001101111010011000001110101101001000010001000010000100111 | shasum -a 256 -0
It can be hard to interpret that if you're not used to the command line. I'll spell it out: type "echo" then a space, then your series of zeros and ones without any spaces, then a space, then the “pipe” symbol (usually below the <delete> key on most keyboards), then a space, then the "shasum" command, a space, hyphen "a", a space, "256", a space, another hyphen and then the zero digit. Then hit <enter>.
Explanation of the code: The "echo" command just repeats back whatever you type next. The pipe symbol (“|”) takes that output and passes it to the command to the right of the pipe symbol (it “pipes” the data from left side to the right side!). The recipient of your bit stream is the ”shasum” hashing command. "-a" is an option to specify which algorithm to use. “256” represents SHA-256 — famous in the Bitcoin world — which is our choice for "-a". Finally, "-0" is an option to say that the input should be interpreted as binary data, not regular text (aka ASCII) data.
When I run this command my resulting hash is displayed under the command. It’s the line that starts with “b184”:
Now we can begin calculating the checksum. We take the first two digits of the hash output, in this case, "b" and "1". These are hexadecimal numbers. In hexadecimal, instead of displaying digits from 0 to 9, we count up to 15 by using letters of the alphabet to represent numbers greater than nine:
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f
Similar to how playing cards count from 1 to 13 using their own substitutions:
Ace, 2, 3, 4, 5, 6, 7, 8, 9, 10, Jack, Queen, King
So in my hash, my first digit, “b”, represents 11. And "1" in hexadecimal is the same as a "1" that we’re used to dealing with.
Now we convert these first two numbers to their four-digit binary representations. You can do this by referring to the chart below:
So we went from b and 1, to 11 and 1, and finally to 1011 and 0001.
These four-digit numbers are the checksum that we’ll add to our bits to complete our 24th word!
Add them to the 24th line to complete the final set of 11 binary digits. You now have 264 digits in total (see how the 24th line is completed in the diagram further down)
Step 3 - Converting Binary To Decimal
Each of the groups of 11 binary digits needs to be converted to a decimal number.
You can enter them into an online binary-to-decimal calculator, but only for this practice wallet. For your real wallet, I'll show you how to do it manually.
A bit about binary. In a binary number system, there is only 0 and 1. The other digits you know (2,3,4,5,6,7,8,9) don't exist. So counting upwards we start with 0, then 1, but the next number is unusual. There is no "2" available. So the next biggest number after 1 is "10". Don’t read it as “ten,” read it as “one, zero.” In binary, "10" represents the "2" you are used to. The next number up after 10 (binary) is “11” (“one, one,” not “eleven”!). That's equal to “3” in decimal. For the next number “12” is not possible because there is no “2” digit in binary; the next biggest number we can represent with just zeros and ones is “100” (“one, zero, zero”). That's actually “4” in decimal. Then 101=5, 110=6, 111=7, 1000=8, 1001=9 and so on.
With eleven binary digits, the smallest possible number is zero (00000000000), and the largest is 2047 (11111111111).
We take each of these eleven binary digits on our page (each line) and convert them to decimal. You can do it manually or convert them from the command line in Linux, Mac, or the Ubuntu App.
For the number 10101111001, you'd type:
echo "$((2#10101111001))"
You’ll get an output of “1401”. Just change the 10101010101 to match each group of eleven digits and calculate its equivalent decimal number.
Doing this conversion solely by hand is harder, but possible.
On the top of the page, write this exact sequence of numbers from right to left, vertically in line with the binary digits below:“1024” above the first column of binary digits. Then “512” over the next column. Then “256”. And on and on, halving the number each time until you end up with “1” above the last (eleventh) column of your binary digits.
Now look at the your first row of binary digits. Wherever there is a "1", you add the decimal number that's directly above it and record it below the binary digit. Where there is a "0" you ignore the number above. Like this:
In this example, there’s a “1” under the 1024 column, the 256 column, the 64, the 32, the 16, the 8 and the 1.
Add the decimal numbers to get the total:
Now repeat this process for all 24 rows:
You now will have 24 decimal numbers that range between 0 and 2047.
Step 3 - Look Up The BIP 39 Words
The BIP 39 protocol (Bitcoin Improvement Proposal number 39) specifies 2048 different words, listed in alphabetical order. When this list is read in by code, each word can be identified by its ordered position in the list. The numbers you just calculated are used to look up their corresponding word. For example, the first row resulted in the number 1401 which equals the word “quality” in the ordered BIP 39 wordlist.
Zero is the smallest possible value you could calculate for a row (from binary 00000000000). In that case you would select “abandon,” the first word on the list.
The largest possible number is 2047 (from 11111111111). The correct word for that would be “zoo,” the last word on the list. This is word number 2047.
There’s one confusing wrinkle to be aware of: computers count items starting at 0. So the fifth item in a list is the computer’s number 4.
This extra confusion is unfortunate. The official specification of the BIP 39 words is on GitHub but the word list is displayed with line numbers that start with one instead of zero. So while “abstract” is the eighth word and is listed on line number 8, its actual BIP 39 numeric equivalent is 7.
My first line of 11 binary digits adds up to 1401 in decimal. So on the list in Github, I have to find the word on line 1402 (1401 + 1). That word is "quality". Proceed to look up each decimal — taking care to add an extra 1 to your calculated result to match Github’s line numbering — and find the word for each of the 24 lines.
Well done if you've made it this far! You now have a valid 24-word Bitcoin mnemonic seed. You should now throw it away — unless you used the fully manual approach, you can't use these for your bitcoin as they were not created in a safe environment!
Actually, before you do toss them, you could enter the words into a hardware wallet or software wallet and see if they are rejected. If it is rejected, you've made an error somewhere, which is very easy to do with this manual approach. If there’s any error anywhere, the checksum will not match and all wallets will signal an error immediately.
For Your Real Keys
You really need to do key generation on an air-gapped computer.
You can learn to build a cheap $10 Raspberry Pi Zero air-gapped computer here, buy one ready-made or if you have extra money you can build a custom desktop computer without any wifi or Bluetooth components. The Raspberry Pi option is very cheap but the computer is very slow, so be warned. It is excellent if you want to have many distributed keys in a multisignature setup.
Heard some FUD about air-gapped computers? See some anti-FUD here in Q&A number 23.
In addition to the safe generation of keys, you have to consider storage and duplication or distribution.
To drastically reduce your risk of attack or loss, the next level up is learning about multisignature wallets — something I teach in my mentorship program.
If you are in the single-signature key phase of storage (most people are), then you really should keep your seed in a hardware device. Most people let the hardware wallet (HWW)make their key and never verify that key on an air-gapped computer. That's fine for most people. But if you are paranoid, you should verify that the key produces the public key and addresses you expect.
And now that you know how to securely make your own key (the totally manual, offline approach described above), you don’t have to trust the HWW to generate a good key. You first make a new key yourself and then instead of creating a new wallet on the hardware device, you "restore" a wallet instead and enter your newly calculated words into the device. The words are then "locked" in the HWW and protected by your PIN.
The hardware device is thus a digital safe for your private key.
You should never have just one copy of your private key. If you lose it, you will lose any bitcoin stored by the key in there. Technically there are no bitcoin in the device; they are on the blockchain. The hardware wallet, as I said, is a digital safe for your private key which is represented by the words you just made. To understand this a little better, see this article.
The code within the HWW uses mathematical functions to calculate your extended public key from the private key and then many individual public keys are mathematically derived from the extended public key. And then each of those can be used to calculate a collection of seemingly infinite addresses. Everything is downstream from the private key. You can enter your private key in a different device and reliably (mathematically) produce exactly the same collection of public keys and addresses. More details on this here.
The point of saying this is for you to appreciate that it's as if the bitcoin are stored on the 24 words you created — not the hardware wallet. And you should very, very carefully back up those words and keep them safe from thieves and natural disasters. If you make copies and store them in different locations, then a fire in one location won't cause you to lose all of your bitcoin because you'll have a copy somewhere else.
Inheritance
Once you have your keys that you generated on an air-gapped computer and you've backed them up very securely, it's time to think about how to pass them on to your heirs.
There are trusted third parties that can hold your keys or you can develop a plan in a trustless way — my preferred option. I am happy to assist people that need this.
Happy Bitcoining.
This is a guest post by Arman the Parman. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.