A simpler way to memorize seed phrases

Seed phrases are mnemonic phrases of 12 or 24 words where each word is drawn from the BIP-0039 list of 2,048 distinct English words. There is a well-defined process where a seed phrase can be used to generate arbitrarily many private keys for cryptocurrency wallets. For people who self-custody their assets, i.e., directly access and interact with their own wallets, it is imperative to have access to the seed phrase used to generate them, in case of device failure, theft, unrecoverability, etc. However, memorizing 12 or 24 arbitrary words can be challenging and error-prone, while storing a seed phrase elsewhere (in a password manager, on a piece of paper, via a hardware wallet, and so on) exposes you to a variety of other risks.

I propose a novel method for generating “easily memorizable” seed phrases, which can be easily personalized or adapted as the user desires. These seed phrases are easy to remember, but hard to derive unless you have access to the Internet or a computer. In general, because you don’t typically benefit from having perfect recall of your seed phrase at all times (while you’re in the shower, hiking the Swiss Alps, and so on), you can memorize a procedure that is only computable with Internet access that is much easier to remember than a list of 12 or 24 arbitrary words. That is to say, we can choose to trade off “ease of reproduction” in return for “ease of memorization.”

It is easiest to demonstrate with an explicit example. Let’s say a seed phrase is a choice of 24 words from the BIP-0039 list, which we can represent as the values of a function f(i) \in {0, 1, \ldots, 2047} for i \in {0, 1, \ldots, 23}. If f(i) = C, we choose the (C+1)th word from the BIP-0039 list for the (i+1)th word of the seed phrase.

The “randomly chosen seed phrase” method is to pick random values of f(i) for all i. However, what if f(i) has some structure? In theory, if the words are not chosen in a perfectly random manner, that exposes us to some risk. For example, if your seed phrase is literally the first 24 words of the BIP-0039 list, that is obviously quite insecure and any money you put in will be instantly drained. However, we can simply choose a more sophisticated function, and we can also apply some transformations to that function that only we remember.

For example, suppose that I take the digits of \pi = 3.141592653589793238462\ldots. How might we derive a seed phrase from these digits? We can break up the digits of \pi into groups of 4 digits and take each group modulo 2048 to obtain a number from 0 to 2047. For example, the first 4 digits of \pi after the decimal point are 1415. Since this is below 2048, we can simply choose the 1416th word in the BIP-0039 list. The next 4 digits of \pi are 9265, which is congruent to 1073 modulo 2048. We therefore choose the 1074th word in the BIP-0039 list. If we do this 24 times, we get 24 words from the BIP-0039 list, constituting a seed phrase. There we go! All we had to do was to remember the simple generation procedure: “Take the digits of \pi, split them into groups of 4 digits, take each group modulo 2048, and use that number as a positional index in the BIP-0039 list.”

We can easily make this method more secure by adding a series of arbitrary transformations! Suppose that your birthday is January 2nd, 1990. One possible security measure is as follows: Take the 1st prime number (2, derived from the month), the 2nd prime number (3, derived from the day), and the 1990th prime number (17,317, derived from the year). Multiply these prime numbers together to get 103,902. Now, instead of starting from the very first digit of \pi, simply omit the first 103,902 digits, and then repeat the same process as above. Want to add another layer of security? The first Bitcoin transaction was made on January 12th, 2009; take the 1st, 12th, and 2009th prime numbers, multiply them together, and add that number to each group of 4 digits in the digits of \pi before the modulo step. And so on and so forth… By chaining more and more of these operations, you can get an easy-to-memorize process for generating your seed phrase which an adversary is very unlikely to guess.

Let’s go through our process as described above:

  • Call g(y,m,d) a function that takes a year, month, and day and returns the product of the yth, mth, and dth prime (indexing from 1)
  • Apply g to your birthday and to the date of the first Bitcoin transaction; call the outputs A and B respectively
  • Take the digits of \pi, throw away the first A digits, split them into groups of 4 digits, add B to each group, and take each group modulo 2048
  • Use the first 24 numbers generated in this way as a positional index for the BIP-0039 list

And voilà! Your seed phrase is ready!
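The steps above, as an added Python example (not the author's code; `derive_indices`, `checksum_ok` and the embedded 100-digit sample of \pi are choices made here, and skipping A digits needs a longer digit source passed in by the caller). It also checks the BIP-0039 checksum: the last 8 bits of a 24-word phrase must equal the first byte of SHA-256 over the preceding 256 bits, so 24 words picked purely by index pass wallet validation only about 1 time in 256.

```python
import hashlib
from itertools import takewhile

# Constructed sample input: the first 100 decimals of pi (after "3.").
PI_DECIMALS = ("14159265358979323846264338327950288419716939937510"
               "58209749445923078164062862089986280348253421170679")

def nth_prime(n):
    """n-th prime, indexing from 1, by trial division against earlier primes."""
    primes, c = [], 2
    while len(primes) < n:
        if all(c % p for p in takewhile(lambda p: p * p <= c, primes)):
            primes.append(c)
        c += 1
    return primes[-1]

def g(y, m, d):
    """Product of the y-th, m-th and d-th primes, as defined in the post."""
    return nth_prime(y) * nth_prime(m) * nth_prime(d)

def derive_indices(digits, skip, offset, count=24, group=4):
    """Drop `skip` digits, cut `count` groups, add `offset`, reduce mod 2048."""
    need = skip + count * group
    if not digits.isdigit() or len(digits) < need:
        raise ValueError(f"need at least {need} decimal digits")
    body = digits[skip:need]
    return [(int(body[i:i + group]) + offset) % 2048
            for i in range(0, count * group, group)]

def checksum_ok(indices):
    """True if 24 word indices (0..2047) satisfy the BIP-0039 checksum."""
    if len(indices) != 24 or not all(0 <= w < 2048 for w in indices):
        raise ValueError("expected 24 indices in 0..2047")
    bits = 0
    for w in indices:              # 24 words x 11 bits = 264 bits
        bits = (bits << 11) | w
    entropy = (bits >> 8).to_bytes(32, "big")   # first 256 bits
    # Last 8 bits must equal the first byte of SHA-256(entropy).
    return hashlib.sha256(entropy).digest()[0] == (bits & 0xFF)

if __name__ == "__main__":
    A = g(1990, 1, 2)                       # skip count from the post's birthday
    print("A =", A)
    idx = derive_indices(PI_DECIMALS, skip=0, offset=0)   # unshifted variant
    print("indices:", idx)
    print("valid BIP-0039 checksum:", checksum_ok(idx))
```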

Notice that you almost certainly need a computer and Internet access to actually generate the seed phrase. (Presumably you don’t have the BIP-0039 list or millions of digits of \pi memorized!) However, this is probably an acceptable tradeoff: after all, if you don’t have both of those, you probably won’t really have much need to access your cryptocurrency wallets anyway. In return for this sacrifice, we get a process which is, in my opinion, way easier to keep in permanent memory compared to a list of randomly selected, completely unrelated words.

If everyone used this exact same method to generate seed phrases, it would be pretty easy to brute force them. However, you really do get security through obscurity here; almost nobody is going to actually use such an autistic method for generating their seed phrases! Even if this catches on, you can make other modifications to increase its security:

  • Instead of \pi, choose a different irrational number, like e, \phi, \sqrt{2}, etc.
  • Instead of your birthday or the date of the first Bitcoin transaction, use some other date with special meaning to you
  • Don’t use dates at all; come up with some other source of memorable integers instead
  • Add a multiplication as well as an additive offset to each group of digits
  • Use groups of 5, 6, 7, etc. digits instead of groups of 4 digits
  • Use a different method to derive large numbers from dates aside from the function g(y,m,d) described above
  • Instead of using the BIP-0039 list in the order given, use a different order (alphabetical ordering, alphabetical ordering starting from the last letter and going backwards, etc.)

You can even invent a totally different method from the one I’ve described. The basic idea is just that, because you don’t actually need to have perfect recall of your seed phrase at all times, you can memorize a relatively secure procedure that relies on Internet access and get approximately the same level of security with much higher ease of memorization.

November 12th, 2022 | Posted in Crypto

3 Responses to “A simpler way to memorize seed phrases”

  1. nana Says:

    It’s definitely original I’ll give it that.

    But right or wrong, I have always just assumed you should never have a brain wallet of any size as you are then always subject to the $5 wrench attack.

  2. cz Says:

    seems likely one would forget their method

  3. Jalex Stark Says:

    To phrase your idea in a more theoretical language:
    You need to memorize a long seed phrase as input to a big pseudorandom generator you don’t understand.
    To do this, memorize the source code of a simpler pseudorandom generator and memorize the seed for that.
