Update on BIP-39 Entropy Distribution Analysis

Hello Cardano Community,

I would like to provide an important update to my previously published findings on the potential weaknesses in the entropy distribution of BIP-39 mnemonic phrases. You can find the original post here for reference:
:link: Original Report on Cardano Forum


:magnifying_glass_tilted_left: Expanded Dataset and New Observations

Since the initial report, I have significantly expanded the dataset and refined the analysis process, leading to new insights that further highlight statistical anomalies worth community attention:

  • Increased Sample Size: The number of valid wallets generated using 24-word mnemonic phrases has now exceeded 87,000.

(Note: All 12-word phrases have been excluded in this phase to focus purely on 24-word patterns.)

  • Unexpected 13-Word Valid Phrases:
    During the generation process for 24-word mnemonics, several 13-word phrases were observed to pass validation and generate valid wallets.
    This is highly unusual and may point to implementation inconsistencies in some libraries or platforms.
  • Statistical Repetition (Word Frequency):
    • First-word position: Some words now appear over 970 times.
    • Middle positions: Repetitions range between 530 and 709 occurrences.
  • Last-word position: Stable but still notably high, around 468 repetitions.

These figures represent a sharp increase compared to the earlier findings, where no word exceeded 100 appearances across any position.

:brain: Interpretation

To clarify:

  • I am not questioning the BIP-39 specification itself.
  • Nor am I pointing fingers at specific implementations.

However, these new statistical outliers could hint at:

  • Insufficient entropy in some mnemonic generators.
  • Implementation bugs allowing invalid phrases (e.g., 13-word acceptance).
  • A potential reduction in brute-force complexity under certain conditions.

:puzzle_piece: Final Notes

In the near future, I will be publishing a new update containing more precise statistics and sensitive insights. While these findings may not be relevant to everyone, they are of great significance to me as a researcher deeply focused on the technical patterns and implications within this domain. The upcoming data will require heightened attention and analytical focus, given its complex nature and depth.

I would like to express my sincere gratitude to the Cardano community for providing such an open and respectful platform to share my research and engage in meaningful dialogue. This kind of academic and technical openness reflects a mature and intellectually rich ecosystem, making Cardano a truly welcoming environment for researchers and security professionals alike.

:locked: Important Note:
The purpose of this research is not to promote or encourage any form of unlawful or unethical behavior. It is purely conducted in the spirit of academic research, aimed at creating a safer Web3 environment and securing user assets to the highest degree possible.

:light_bulb: Let’s move beyond destructive criticism and hostile replies. Whether you’re a researcher, developer, or blockchain enthusiast, we all share the same responsibility:
To embody the spirit of progress, innovation, and mutual respect.

With appreciation,


Best regards,
Okba [GUIAR OQBA]
Security Researcher
:e_mail: techokba@gmail.com

2 Likes

Here’s a practical problem with BIP-39 itself for which I’ve never understood why it was designed this way: the words weren’t chosen so that no word would be a substring of another word.

I’ve seen this cause verification uncertainty on Cardano wallets: e.g. when words are entered by drop-down or autocompletion and multiple choices are possible for the same correctly typed word; most commonly seen with the many 3-letter words in the BIP-39 vocabulary (an easy thing to have avoided if there were no other constraints):

wget https://raw.githubusercontent.com/bitcoin/bips/refs/heads/master/bip-0039/english.txt
for i in `grep ^...$ english.txt`; do grep $i english.txt; done
3 Likes

You’re absolutely right — the lack of prefix uniqueness in the BIP-39 wordlist is a subtle yet practical flaw, especially when autocompletion or partial input is involved. It’s one of several design trade-offs that deserve more attention when evaluating the robustness of wallet recovery mechanisms.

1 Like

As I requested in the original thread “Potential Weakness in BIP-39 Mnemonic Entropy Distribution Across Multiple Languages” and someone else asked you in your issue “Potential Weakness in BIP-39 Mnemonic Entropy Distribution Across Multiple Languages · Issue #134 · trezor/python-mnemonic · GitHub”, it would very much help if you explained exactly what you were doing to potentially clarify any possible misconceptions.

As far as I can see from the little that you do disclose, you simply generated random phrases from the BIP-39 wordlist and then checked them for validity. In the issue on the Trezor Github you write:

And that is simply false! The wallet apps accept any valid BIP 39 seed phrase. It does not give you any additional information to feed valid seed phrases to tools for one or the other blockchain. Also, that these tools accept them does not mean that someone else has ever used them before, that a wallet app has ever generated this seed phrase. They accept all valid seed phrases. You just generated this wallet. Nobody else did.

This would only be different if you find a wallet that has a transaction history, maybe even a balance, with this method. It is highly unlikely that you even find a single wallet used by someone else, let alone several thousand. If it were that easy, we would see wallets being emptied every day by people just doing the same as you did.

If your sample does show biases, the most plausible explanation is that they stem from your code generating the random phrases. As long as you only check for checksum validity, we don’t have to do any simulations, random experiments.

You can simply read and understand BIP39 to conclude that at least the first n-1 words of n word seed phrases are exactly evenly distributed. For each combination of 11 words, I can find exactly 128 last words to form a valid 12 word seed phrase. For each combination of 23 words, I can find exactly 8 last words to form a valid 24 word seed phrase.

The checksum that is contained in the last word – 4 of 11 bits for 12 words, 8 of 11 bits for 24 words – could theoretically introduce some bias for that last word. But that is also rather theoretical. They simply take the first bits of the SHA256 hash of the entropy. A bias there would mean a bias in SHA256, which is somehow unlikely.

Possibility 1: That is simply a bug in whatever tool you were using there. BIP39 phrases have to be multiples of 3. It cannot even work with other lengths. Hard to tell if you don’t tell us which tool it was.
Possibility 2: The tool allows an additional passphrase as described in “From mnemonic to seed” and allows to give that passphrase as “13th word”.

5 Likes
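The checksum arithmetic in the reply above, carried through in code as an added example (it is not the poster's code and not python-mnemonic). It works on 11-bit word indices rather than words so it runs without the 2048-line english.txt; the index-to-word mapping is just that file line by line, which is only assumed here for the comments (index 0 = "abandon", 3 = "about", 102 = "art", matching the published zero-entropy test vectors). It shows why exactly 8 words complete any 23-word prefix, why 128 complete any 11-word prefix, why a 13-word phrase cannot validate at all, and that properly generated entropy gives a flat first-word distribution:

```python
"""BIP-39 checksum arithmetic on word indices (added example, not from the
thread).  No wordlist needed: a phrase is a list of 11-bit indices."""
import hashlib
import os
from collections import Counter
from typing import List

WORDLIST_SIZE = 2048                  # 11 bits per word
VALID_LENGTHS = (12, 15, 18, 21, 24)  # 11*n = ENT + ENT/32 forces 3 | n


def checksum_bits(n_words: int) -> int:
    """CS = ENT/32 bits; with 11*n = ENT + CS that is exactly n/3 bits."""
    if n_words not in VALID_LENGTHS:
        raise ValueError(
            f"BIP-39 phrases have 12, 15, 18, 21 or 24 words, not {n_words}")
    return n_words // 3


def is_valid(indices: List[int]) -> bool:
    """The last CS bits of the 11*n-bit string must equal the first CS bits
    of SHA256(entropy); everything before them is raw entropy."""
    cs = checksum_bits(len(indices))
    ent_bits = 11 * len(indices) - cs
    bits = 0
    for idx in indices:
        if not 0 <= idx < WORDLIST_SIZE:
            raise ValueError(f"word index {idx} out of range")
        bits = (bits << 11) | idx
    entropy = (bits >> cs).to_bytes(ent_bits // 8, "big")
    claimed = bits & ((1 << cs) - 1)
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    return claimed == expected


def entropy_to_indices(entropy: bytes) -> List[int]:
    """Generation path as specified: ENT || CS, split into 11-bit groups."""
    ent_bits = len(entropy) * 8
    if ent_bits % 32 or not 128 <= ent_bits <= 256:
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    cs = ent_bits // 32
    cs_value = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    bits = (int.from_bytes(entropy, "big") << cs) | cs_value
    n = (ent_bits + cs) // 11
    return [(bits >> (11 * (n - 1 - i))) & (WORDLIST_SIZE - 1) for i in range(n)]


def valid_last_indices(prefix: List[int]) -> List[int]:
    """Every index completing `prefix` to a valid phrase.  The last word
    carries 11-CS free entropy bits, so there are always 2**(11-CS) of them:
    8 for a 23-word prefix, 128 for an 11-word prefix."""
    checksum_bits(len(prefix) + 1)  # a 12-word prefix (13 words) is rejected
    return [w for w in range(WORDLIST_SIZE) if is_valid(prefix + [w])]


def first_word_histogram(samples: int, n_words: int = 24) -> Counter:
    """With a sound RNG the first word is uniform over 2048 indices; a skew
    here would implicate the generator, never BIP-39 itself."""
    ent_bytes = (32 * n_words // 3) // 8
    return Counter(entropy_to_indices(os.urandom(ent_bytes))[0]
                   for _ in range(samples))


if __name__ == "__main__":
    # Known vector: 32 zero bytes -> "abandon" x23 + "art" (index 102).
    print(entropy_to_indices(bytes(32)))
    print(len(valid_last_indices([0] * 23)), "valid 24th words after 23 x 'abandon'")
    print(len(valid_last_indices([0] * 11)), "valid 12th words after 11 x 'abandon'")
    hist = first_word_histogram(20_000)
    print("max first-word count over 20k draws:", max(hist.values()),
          "(uniform expectation about", 20_000 // WORDLIST_SIZE, ")")
```

Run with a larger sample count if you want to compare against the counts quoted in the thread: a generator that draws entropy from `os.urandom` and then checksums it cannot produce a first-word count far above samples/2048 except by chance, and any phrase length not in `VALID_LENGTHS` fails before the hash is even computed.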

This substring problem is funny since it makes Bitcoin BIP-39 look like it was conceived in a hurry and never really intended for worldwide or long term use. Did they think that having both motion and emotion was not going to cause recording or verification errors? Or either and neither?

for i in `grep ^......$ english.txt`; do grep $i english.txt | grep -v ^${i}$ | grep $i; done
# note this requires colourised `grep` i.e. `--color=auto` to display usefully

My apologies if this seems off topic but I do believe the subject of “entropy” also applies to the literal structure of the vocabulary itself.

BIP39 is not even an integral part of Bitcoin. People were using Bitcoin without seed phrases with files or large strings of random letters for four years before BIP39 was invented in 2013.

But, yeah, the wordlist is not optimal. At least, four-letter prefixes are enough for uniqueness (which is employed by some of the “record your seed phrase in metal” tools).

3 Likes
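The two wordlist checks discussed in this thread (the substring problem from the earlier post and the "four-letter prefixes are enough" point above), as an added example rather than either poster's script. It separates two different ambiguities: a word contained inside another anywhere (motion/emotion, either/neither), and a word that is a proper prefix of another, so that even a fully typed word still has several completions in a drop-down (act/action). `SAMPLE_WORDS` is a constructed slice of real entries from the English list so the checks run offline; passing a path to a local copy of english.txt (assumed, not shipped here) runs them on the full 2048 words:

```python
"""Ambiguity checks on a BIP-39 wordlist (added example, not from the
thread).  SAMPLE_WORDS is a constructed subset of real english.txt entries."""
import sys
from typing import Dict, List

SAMPLE_WORDS = [
    "act", "action", "actor", "actress", "actual", "air", "airport",
    "arm", "armed", "armor", "army", "either", "neither", "motion",
    "emotion", "zoo",
]


def load_wordlist(path: str) -> List[str]:
    """One word per line, as in bip-0039/english.txt (assumed local copy)."""
    with open(path, encoding="utf-8") as fh:
        words = [line.strip() for line in fh if line.strip()]
    if len(words) != 2048:
        raise ValueError(f"expected 2048 words, got {len(words)}")
    return words


def substring_collisions(words: List[str]) -> Dict[str, List[str]]:
    """word -> other words containing it anywhere (what `grep $i` finds)."""
    out: Dict[str, List[str]] = {}
    for w in words:
        hits = [o for o in words if o != w and w in o]
        if hits:
            out[w] = hits
    return out


def fully_typed_ambiguity(words: List[str]) -> Dict[str, List[str]]:
    """word -> other words it is a proper prefix of: typing the whole word
    still leaves a choice in an autocompleting entry field."""
    out: Dict[str, List[str]] = {}
    for w in words:
        hits = [o for o in words if o != w and o.startswith(w)]
        if hits:
            out[w] = hits
    return out


def prefix_collisions(words: List[str], n: int) -> Dict[str, List[str]]:
    """n-character prefixes shared by more than one word."""
    groups: Dict[str, List[str]] = {}
    for w in words:
        groups.setdefault(w[:n], []).append(w)
    return {p: ws for p, ws in groups.items() if len(ws) > 1}


def shortest_unique_prefix(words: List[str]) -> int:
    """Smallest n such that the first n characters identify every word.
    Words shorter than n count whole, so 'act' and 'action' separate at 4."""
    for n in range(1, max(len(w) for w in words) + 1):
        if not prefix_collisions(words, n):
            return n
    raise ValueError("list contains duplicate words")


if __name__ == "__main__":
    words = load_wordlist(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WORDS
    print("substring collisions:", substring_collisions(words))
    print("ambiguous even when fully typed:", fully_typed_ambiguity(words))
    print("3-letter prefix clashes:", len(prefix_collisions(words, 3)))
    print("prefix length needed for uniqueness:", shortest_unique_prefix(words))
```

On the sample, `shortest_unique_prefix` returns 4 even though "act" is a prefix of four other words, which is exactly why four-letter abbreviation schemes work: the short word is kept whole, the longer ones differ from it at the fourth character. The substring check is the stricter one and is what "either"/"neither" fails, while neither word is ambiguous in a prefix-based drop-down.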

Thank you for your input. Allow me to clarify the following points with full transparency and professionalism:

  1. Yes, wallets with real activity have indeed been found among the results. This alone is 100% conclusive evidence of a real and existing bias—whether in the entropy distribution or in how some tools or libraries handle BIP-39 generation.

  2. In the early stages of the process, I relied on basic random generation, and the results were very limited—generally fewer than 100 valid wallets per 100,000 attempts.
    However, after improving the generation logic to incorporate previously obtained results alongside the official BIP-39 wordlist, things changed significantly.
    The improved method consistently yields 400 to 800 valid wallets per 100,000 attempts, showing a fairly stable and repeatable pattern. This is not due to randomness, but the result of systematic and logical enhancements.

  3. Most importantly, for every 500,000 generated phrases, I find 1 to 3 wallets with real activity, verified by transaction history or balances. This definitively refutes the claim that all randomly generated valid phrases are unused. On the contrary, it proves there are exploitable patterns that deserve deeper investigation—whether in entropy bias, language lists, or implementation inconsistencies.

As for the repeated doubts and demands for “script proofs”, I want to be very clear: I am continuing this research purely for scientific and ethical reasons. I have never shared any script or tool and never will, because I fully understand the potential risks involved. This kind of work must be approached with extreme responsibility, not sensationalism or public release.

And for those who keep asking for scripts as proof, while ignoring the fact that over 87,000 valid wallets have already been found, I ask:
Is this not evidence enough? Or are you just trying to block out the sun with a sieve?

If you don’t publish your methods, it’s not science, it’s bullshit.

1 Like

I appreciate the passion, but let’s make one thing clear:
Using profanity and dismissive language doesn’t make your argument stronger – it just shows the lack of one.

Scientific research is not defined by whether it pleases your personal expectations.
It is defined by results, repeatability, and responsible conduct. I have chosen not to publish any scripts for ethical and security reasons, not because the findings are invalid.

The fact that wallets with transaction history and real activity were recovered is a strong indicator that there’s something worth investigating—whether you like it or not.

If you truly care about science, then maybe start with respectful discourse, not insults. Until then, I’ll let the results speak for themselves.

Look, without showing more than claims and half-arsed walls of text that in the first instance only prove your very limited understanding of computer science, blockchain, BIP-39, seed phrases, and mathematics, this is all just a huge waste of time.

“Security researcher”, my arse!

2 Likes

If I understand you correctly, you are claiming that you can generate keys to actual valid Bitcoin wallets at a rate of 400 to 800 out of 100,000 attempts.

All the good Bitcoin wallets randomly choose their seed phrases. Even a 12 word seed phrase randomly chosen has 128 bits of entropy. The chance of guessing this same key is 1 in 2^128. This is an incredibly tiny probability similar in magnitude to finding the same atom on a particular grain of sand out of all the grains of sand from all the beaches on earth. Even with the millions of used Bitcoin addresses the probability of finding the keys to any one is way, way, way, less than 400-800 out of 100,000 attempts.

We don’t believe you can find 400-800 keys for used Bitcoin wallets per 100,000 attempts. If you can truly do this then you must be already rich because you would be able to transfer all the found Bitcoin to yourself using the key.

Put up or shut up. Show us the evidence.

LOL, less talk, evidence must be shown indeed.

Thank you for your appreciation. Indeed, there are upcoming updates in the next few days that will include new data and deeper analysis, addressing core details related to the raised concerns. I truly value the support of the Cardano community and those who contribute constructive ideas.

If there is any tool or wallet procedure which is reproducing seed phrases this badly, then you should just tell them immediately.

2 Likes