BIP-39

BIP-39 specifies how a wallet turns raw entropy into a human-friendly mnemonic phrase and then back into a binary seed. Authored by Marek Palatinus and others in 2013, it's the reason 12 words can stand in for a 256-bit secret.

The encoding step takes 128–256 bits of entropy, appends a SHA-256 checksum (4 bits per 128 bits of entropy), and slices the result into 11-bit groups. Each group indexes into a fixed 2048-word list — 12 or 24 words come out. The checksum is what catches a typo: only ~1 in 16 random 12-word sequences will validate.

The derivation step is where the confusion lives. The words themselves are *not* the seed. They run through PBKDF2-HMAC-SHA512 with 2048 iterations, using the string "mnemonic" + passphrase as salt, producing a 64-byte output. That output is the seed that feeds into BIP-32. The optional passphrase ("25th word") yields a different wallet for each passphrase value — a feature wallets use for plausible-deniability vaults.

The wordlist is intentionally constrained: every word is unique in its first four letters, no two words sound alike, and there are no offensive terms. Reference: [github.com/bitcoin/bips/blob/master/bip-0039.mediawiki](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki).