Here's the long answer how this works:
As per BIP39, the mnemonic seed is a multiple of 32 bits between 128 and 256 bit (128 bit entropy is the minimum to be considered safe), plus 1 bit checksum(sha256) for every 32 bit appended to the end of the entropy.
With 128 bits you have 4×32 + 4 bit checksum, meaning the 12th word contains 4 bits of checksum. 2^4 = 16 possible words, once we have the first 128 bit of entropy.
Additional info: the number of bits contained in the entropy + checksum always follows this formula Y * 32 + Y where Y= 4 or 5 or 6 or 7 or 8 (12, 15, 18, 21, 24-word mnemonic seed, respectively). This is always a multiple of 11, since 32Y + Y = 33Y = 11 * 3 * Y.
So it is handy for the bip39 words to encode 11 bits, and 2^11 = 2048 possible words on the list. So e.g. the 12th word in a 12-word mnemonic consists of 11 - 4 = 7 bits of entropy.
In the case of the SeedSigner, you can create your seed phrase by drawing random words from some container having all 2048 words, putting words back after a draw.
You draw 11 words, but you cannot draw the 12th because that only encodes 7 bits of entropy and the checksum is deterministic after that, not arbitrary. So after the 11th word it instructs you to perform 7 coin tosses (e.g. heads = 1, tails = 0) and enter the resulting bits into the UI. It will then calculate the last 4 bits of checksum and that gives you the 12th word.
Five
npub16p…kfhdw
2025-03-19 05:17:16
in reply to nevent1q…cud4
Author Public Key
npub16p8v7varqwjes5hak6q7mz6pygqm4pwc6gve4mrned3xs8tz42gq7kfhdwPublished at
2025-03-19 05:17:16Event JSON
{
"id": "8e5332293f35b615ace5c8f8ad62c478a6f72178f12f049cb720f87e72da3ce1",
"pubkey": "d04ecf33a303a59852fdb681ed8b412201ba85d8d2199aec73cb62681d62aa90",
"created_at": 1742361436,
"kind": 1,
"tags": [
[
"e",
"58d599a81a80232a588922dd48358b9a0462e59a16513889f9e7c2fdf5432b92",
"",
"root"
],
[
"e",
"0e01ddeae258c15ae6b4ca95b9a4d78a42f9e0a7771dd1e089ede22af26631d1",
"",
"reply"
],
[
"p",
"9e7806cbea67a855d9472f495d9b46fa94e822292538e8e13b7fa14da271e5c3"
],
[
"p",
"922945779f93fd0b3759f1157e3d9fa20f3fd24c4b8f2bcf520cacf649af776d"
],
[
"p",
"6867d899ce6b677b89052602cfe04a165f26bb6a1a6390355f497f9ee5cb0796"
]
],
"content": "Here's the long answer how this works:\nAs per BIP39, the mnemonic seed is a multiple of 32 bits between 128 and 256 bit (128 bit entropy is the minimum to be considered safe), plus 1 bit checksum(sha256) for every 32 bit appended to the end of the entropy.\n\nWith 128 bits you have 4×32 + 4 bit checksum, meaning the 12th word contains 4 bits of checksum. 2^4 = 16 possible words, once we have the first 128 bit of entropy.\n\nAdditional info: the number of bits contained in the entropy + checksum always follows this formula Y * 32 + Y where Y= 4 or 5 or 6 or 7 or 8 (12, 15, 18, 21, 24-word mnemonic seed, respectively). This is always a multiple of 11, since 32Y + Y = 33Y = 11 * 3 * Y.\n\nSo it is handy for the bip39 words to encode 11 bits, and 2^11 = 2048 possible words on the list. So e.g. the 12th word in a 12-word mnemonic consists of 11 - 4 = 7 bits of entropy.\n\nIn the case of the SeedSigner, you can create your seed phrase by drawing random words from some container having all 2048 words, putting words back after a draw.\nYou draw 11 words, but you cannot draw the 12th because that only encodes 7 bits of entropy and the checksum is deterministic after that, not arbitrary. So after the 11th word it instructs you to perform 7 coin tosses (e.g. heads = 1, tails = 0) and enter the resulting bits into the UI. It will then calculate the last 4 bits of checksum and that gives you the 12th word.",
"sig": "764e524f1fd9312ae73f684de9206bab0739c08445f71117aa456b63dae44e1ddc9c71d01b2ac684703ec7e8dcb45df5288d7929338b493cbc839fe726fd94b4"
}