What makes Ellipticc Drive different from other cloud storage services?

Ellipticc Drive is the first cloud storage platform with post-quantum encryption using NIST-approved Kyber and Dilithium algorithms, true end-to-end encryption where keys never leave your device, and it's completely open-source.

Is Ellipticc Drive really free?

Yes, Ellipticc Drive offers 10 GB of free storage forever with no ads, no tracking, and no data selling. This is dedicated private storage, not shared limits.

How secure is Ellipticc Drive?

Ellipticc Drive uses post-quantum cryptography (Kyber + Dilithium), true end-to-end encryption, zero-knowledge file previews, and secure authentication where passwords are never sent to the server.

When will mobile apps be available?

Mobile apps for iOS and Android are coming in Q1 2026, along with desktop sync clients for macOS, Windows, and Linux.

Mnemonic Seed Phrases Explained: A Technical Deep Dive

Summary

The Engineering Summary: BIP-39 is a protocol that maps raw binary entropy (128-256 bits) into a sequence of readable words. This sequence is then salted and hashed using PBKDF2-HMAC-SHA512 (2048 iterations) to produce a 512-bit seed. This seed allows for the deterministic derivation of a BIP-32 Master Extended Private Key (xprv), which forms the root of a hierarchical deterministic (HD) wallet.

What Is a Mnemonic Seed Phrase? The Basics

Before we dive into the math and code, let’s start with the fundamentals. A mnemonic seed phrase is a set of 12 or 24 simple English words that act as a backup for your cryptocurrency wallet. It’s like a master password that unlocks all your private keys, but designed to be human-readable and easy to write down.

Why Do We Use Words Instead of Random Characters?

Human-Friendly: Random strings of letters and numbers are hard to remember, transcribe, or verify. Words are easier to read aloud, write by hand, and check for errors.
Backup Safety: If you lose your phone or hardware wallet, the seed phrase lets you restore your wallet on any compatible device. It’s your “lifeboat” for accessing funds.
Standardization: The BIP-39 standard ensures that wallets from different companies (like Ledger, Trezor, or software wallets) can all understand the same phrase.
Multi-Language Support: BIP-39 supports 8 languages (English, French, Italian, Japanese, Korean, Spanish, Chinese Simplified, Chinese Traditional), each with its own 2048-word list. This allows users to generate phrases in their native language for easier memorization, while maintaining cross-compatibility.

A Simple Example

Here’s a real 12-word seed phrase (this is a test vector from BIP-39, not a real wallet - never use it for actual funds):

1
abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about

This phrase represents 128 bits of random entropy plus a checksum. In a real scenario, your wallet generates this randomly when you create a new account. You write it down on paper and store it securely. If you need to recover your wallet, you enter these exact words in the correct order.

Note: Words are case-insensitive (typically entered in lowercase), but the sequence must be exact—reversing or swapping words will produce an invalid seed.

Why 12 or 24 Words?

12 Words: Sufficient for most users. Provides strong security against guessing or brute force.
24 Words: Extra security for large holdings or long-term storage. It’s like having a longer, more complex backup.

The key point: the phrase is not magic - it’s a coded way to store randomness. The words themselves are from a fixed public list, but the combination is what matters.

“Your seed phrase is your master key. Lose it, and you lose everything. Store it like your life depends on it - because your crypto life does.” – Anonymous Crypto Expert

The Anatomy of Entropy

Every wallet begins its life as a random number. This is not “kind of” random; it must be cryptographically secure. The standard allows for entropy sizes from 128 bits to 256 bits, in 32-bit increments.

Where Randomness Comes From: Generating Private Keys in Software

Software wallets generate entropy using the operating system’s Cryptographically Secure Pseudo-Random Number Generator (CSPRNG). This is crucial - weak randomness can lead to predictable keys.

On Linux/macOS: Uses /dev/urandom, seeded from hardware entropy sources like keyboard timings, mouse movements, and dedicated hardware RNGs (e.g., RDRAND on Intel CPUs).
On Windows: CryptGenRandom or BCryptGenRandom, drawing from system entropy pools.
On Mobile (Android/iOS): Platform-specific CSPRNGs, often backed by hardware.

How It Works in Code (Simplified):

1
import os
2
import secrets  # Python 3.6+ CSPRNG
3

4
# Generate 16 bytes (128 bits) of entropy
5
entropy = secrets.token_bytes(16)  # Or os.urandom(16)
6
print(entropy.hex())  # e.g., 'a1b2c3d4e5f678901234567890abcdef'

Avoid naming your script ‘random.py’ or ‘secrets.py’ to prevent conflicts with Python’s standard library modules.*

Hardware Wallets: Use dedicated RNG chips (e.g., TRNG - True Random Number Generators) that harvest noise from thermal or quantum effects. This is more secure than software RNGs.
Bad Examples: Early Android versions had predictable RNG due to poor seeding. Always use modern, audited libraries.

Without strong randomness, an attacker could predict your keys. That’s why reputable wallets emphasize secure entropy sources.

Offline Generation: To avoid malware stealing your entropy or seed, generate mnemonics on air-gapped devices (no internet connection). Hardware wallets like Ledger do this by default, but for software wallets, use offline tools or boot from a live USB.

Supported Word Counts and Entropy Levels

BIP-39 supports entropy sizes from 128 to 256 bits in 32-bit increments, resulting in 12 to 24 words.

Word Count	Entropy Bits	Checksum Bits	Total Bits	Security Level
12	128	4	132	$2^{128}$ (~ $3.4 \times 10^{38}$ )
15	160	5	165	$2^{160}$ (~ $1.46 \times 10^{48}$ )
18	192	6	198	$2^{192}$ (~ $6.28 \times 10^{57}$ )
21	224	7	231	$2^{224}$ (~ $2.7 \times 10^{67}$ )
24	256	8	264	$2^{256}$ (~ $1.16 \times 10^{77}$ )

The security margin of 128 bits is already astronomical ( $3.4 \times 10^{38}$ possible keys). Attempting a brute-force attack on a 128-bit key using the entire energy output of the sun effectively forever would still fail. 24 words offers protection against theoretical future quantum threats (Grover’s Algorithm reduces effective search space by square root) or weak RNG implementations.

Security Deep Dive: Probabilities, Collisions, and Brute Force

To understand why mnemonic seeds are secure, we need to talk probabilities. The security comes from the sheer size of the possible combinations, making random guessing or brute force impractical.

Probability of Generating the Same Seed Phrase

In a world with billions of wallets, what’s the chance someone else generates the exact same seed as you?

Birthday Paradox Analogy: Imagine a room with people. The chance of two sharing a birthday is higher than you’d think due to collisions. Similarly, with large key spaces, collisions become likely even with low probability per pair.
For 128-bit Seeds (12 words): There are $2^{128} \approx 3.4 \times 10^{38}$ possible seeds. If every person on Earth (8 billion) generates one seed per second for their entire life (70 years), we’d generate about $8 \times 10^9 \times 60 \times 60 \times 24 \times 365 \times 70 \approx 1.5 \times 10^{22}$ seeds. That’s still only a tiny fraction of the total space. The probability of a collision is negligible.
For 256-bit Seeds (24 words): $2^{256} \approx 1.16 \times 10^{77}$ . Collisions are effectively impossible even if every atom in the universe generated seeds.

Real-World Example: If 1 trillion ( $10^{12}$ ) wallets exist, the chance of any two having the same 128-bit seed is about $10^{12} \times 10^{12} / 2 \times 2^{128} \approx 10^{-26}$ , or one in a trillion trillion. For 256 bits, it’s astronomically smaller.

Brute Force Attack Feasibility

Brute forcing means trying every possible seed until you find the right one. This is computationally infeasible.

12 Words (128 bits): $2^{128}$ attempts needed. At 1 trillion ( $10^{12}$ ) guesses per second (a supercomputer’s speed), it would take $2^{128} / 10^{12} \approx 3.4 \times 10^{26}$ seconds. That’s about $10^{19}$ years - longer than the universe’s age (14 billion years).
24 Words (256 bits): $2^{256}$ attempts. Even with quantum computers using Grover’s algorithm (which squares the search space), effective security is 128 bits - still unbreakable.

Context: The fastest supercomputers today do about $10^{15}$ operations per second. Brute forcing 128 bits would require energy equivalent to boiling Earth’s oceans. For 256 bits, multiply by $2^{128}$ .

Why This Matters

No Realistic Threat: Seeds aren’t guessed; they’re leaked via poor storage or social engineering.
Quantum Resistance: 256-bit seeds provide a buffer against future quantum attacks.
Practical Security: Focus on offline storage and avoiding leaks - entropy handles the rest.

Warning

Never share your seed phrase with anyone, including support. Legitimate services will never ask for it. If someone does, it’s a scam.

Step-by-Step Walkthrough: From Bits to Words

Let’s trace the exact lifecycle of a seed. We will use a standard test vector from the BIP-39 specification to guarantee accuracy.

Input Entropy (128 bits / 16 bytes):

00000000000000000000000000000000

(In this example, our RNG produced 16 bytes of pure zeros. This is extremely unlikely in reality but perfect for demonstration.)

Step 2.1: Generating the Checksum

To create a checksum, we take the SHA-256 hash of the entropy. SHA256(Input) = 3793ea52945d7d79...

We only need the first 4 bits of this hash (since $128 / 32 = 4$ ). First byte is 0x37 (binary 00110111). The first 4 bits are 0011.

Step 2.2: Concatenation

We append the checksum (0011) to the end of our original entropy (0...0).

Original (128 bits): 00000000...00000000
Checksum (4 bits): 0011
Total (132 bits): 00000000...00000011

Step 2.3: Splitting into 11-bit Groups

We slice strict 11-bit chunks from the 132-bit string. $132 / 11 = 12$ chunks (words).

Chunk #	Binary (11 bits)	Decimal Index	Word (BIP-39 List)
1	`00000000000`	0	abandon
2	`00000000000`	0	abandon
…	`...`	…	…
11	`00000000000`	0	abandon
12	`00000000011`	3	about

Final Mnemonic: abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about

Note: The last word “about” (index 3) is different because it contains the checksum 0011.

Manual Checksum Verification

To verify a mnemonic’s validity manually (useful for paranoia or offline checks):

Map each word to its index in the BIP-39 word list (0-2047).
Convert indices to 11-bit binary and concatenate.
The last (entropy_bits / 32) bits are the checksum; the rest is entropy.
Compute SHA-256 of the entropy bytes.
Check if the first (entropy_bits / 32) bits of the hash match the checksum.

For the example above: Entropy is 128 bits, checksum 4 bits. SHA-256 of zeros starts with 00110111..., first 4 bits 0011 match.

Wallets do this automatically, but manual verification ensures no typos.

From Words to Seed (PBKDF2)

The mnemonic is not the key. It is the input to the key generation function. To get the actual binary root seed, we use PBKDF2 (Password-Based Key Derivation Function 2).

Function: PBKDF2(HMAC-SHA512, input, salt, iterations, output_length)
Input: The mnemonic string: "abandon abandon ... about" (UTF-8 NFKD normalized).
Salt: The string literal "mnemonic" concatenated with the user’s passphrase.
- If no passphrase: Salt = "mnemonic"
- If passphrase is “Secret123”: Salt = "mnemonicSecret123"
Iterations: 2048
Output Length: 512 bits (64 bytes)

Why this matters

Hardening: 2048 iterations make brute-forcing the seed computationally finding expensive, even if an attacker knows the salt.
Passphrase (“25th Word”): Since the passphrase is part of the salt, a different passphrase produces a completely unrelated 512-bit seed. This enables “hidden wallets.”

Resulting 512-bit Seed (Hex):

5eb00bbddcf069084889a8ab9155568165f5c453ccb85e70811aaed6f6da5fc19a5ac40b389cd370d086206dec8aa6c43daea6690f20ad3d8d48b2d2ce9e38e4

The Master Node: BIP-32 Hardened Derivation

Now we have a 512-bit seed. How does this become a Bitcoin or Ethereum wallet? We enter BIP-32 territory (Hierarchical Deterministic Wallets).

The 512-bit seed is hashed with HMAC-SHA512 again (using key "Bitcoin seed"). The 512-bit output is split perfectly in half:

Left 256 bits ( $I_L$ ): This becomes the Master Private Key.
Right 256 bits ( $I_R$ ): This becomes the Master Chain Code.

Together, $(Key + ChainCode)$ is called an Extended Private Key (xprv).

Derivation Paths

We don’t use the master key directly. We derive “child” keys using paths. Format: m / purpose' / coin_type' / account' / change / index

m: Master Node (root)
44’ / 84’: Purpose (BIP-44 Legacy vs Native SegWit)
0’ / 60’: Coin (0=Bitcoin, 60=Ethereum)

Example: Looking for the first receiving address in a Native SegWit Bitcoin wallet. Path: m/84'/0'/0'/0/0

Take Master Node ( $m$ ).
Derive Child $84'$ (Hardened).
From $84'$ , derive Child $0'$ (Hardened).
From $0'$ , derive Child $0'$ (Hardened).
From $0'$ , derive Child $0$ (Normal).
From $0$ , derive output index $0$ (Normal).

Each step involves hashing the parent’s public key (or private key for hardened) combined with the Chain Code and the index.

Concrete Example: Deriving the Master Private Key Using the 512-bit seed from earlier:

HMAC-SHA512(key=“Bitcoin seed”, data=seed) → 512-bit output.
Left 256 bits: Master Private Key (hex): 5eb00bbddcf069084889a8ab9155568165f5c453ccb85e70811aaed6f6da5fc19a5
Right 256 bits: Master Chain Code (hex): ac40b389cd370d086206dec8aa6c43daea6690f20ad3d8d48b2d2ce9e38e4

This master private key can then be used to derive child keys via BIP-32.

Python Code Example (Using Libraries):

1
from mnemonic import Mnemonic
2
from bip32 import BIP32
3

4
# Generate a random mnemonic (or use the test one)
5
mnemo = Mnemonic("english")
6
mnemonic = mnemo.generate(strength=128)  # 12 words
7

8
# Convert to seed
9
seed = mnemo.to_seed(mnemonic, passphrase="")  # 512-bit seed
10

11
# Derive master key
12
bip32 = BIP32.from_seed(seed)
13
master_private_key = bip32.get_privkey_from_path("m").hex()
14
print(f"Master Private Key: {master_private_key}")
15

16
# Derive a child key (e.g., first Bitcoin address)
17
child_priv = bip32.get_privkey_from_path("m/84'/0'/0'/0/0").hex()
18
print(f"Child Private Key: {child_priv}")

Output:

1
Master Private Key: 65a20ceeec62adfb4502d4954b2b090fc12b877240f731af90c64997cffc19f5
2
Child Private Key: a4c66ab815d2076ffcf427ef0b1cca9df4314df28b6c3e020cf31ecd27929b18

This shows how the mnemonic deterministically leads to specific private keys.

The Passphrase: Adding Extra Security

The BIP-39 passphrase (often called the “25th word”) is optional but powerful. It is concatenated to the salt in PBKDF2, creating a completely different seed even if the mnemonic is identical.

Example:

Mnemonic: abandon abandon ... about
Passphrase: MySecretPass
Salt becomes: "mnemonicMySecretPass"
This produces a new 512-bit seed, unrelated to the passphrase-less version.

Why Use It?

Hidden Wallets: Create multiple wallets from one mnemonic.
Extra Entropy: Adds user-controlled randomness.
Risk: If you forget the passphrase, the funds are lost forever. Treat it like an additional secret.

Code Example:

1
seed_with_pass = mnemo.to_seed(mnemonic, passphrase="MySecretPass")
2
bip32_pass = BIP32.from_seed(seed_with_pass)
3
master_with_pass = bip32_pass.get_privkey_from_path("m").hex()
4
print(f"Master with Passphrase: {master_with_pass}")  # Different from above

Quantum Threats and Future-Proofing

Quantum computers pose a theoretical threat via Grover’s Algorithm, which reduces brute-force search time for symmetric keys by square root.

For 128-bit entropy: Effective security drops to 64 bits (still hard, but concerning for long-term).
For 256-bit entropy: Effective security drops to 128 bits (comfortably secure).

This is why 24-word seeds (256 bits) are recommended for assets held long-term or in high-threat environments. Post-quantum cryptography (e.g., lattice-based schemes) may also become relevant, but BIP-39 remains solid for now.

Common Mistakes and Operational Security

Mistake: Screenshotting the Seed. Screenshots can be synced to cloud storage or exfiltrated by malware.
Mistake: Typing the Full Seed into Recovery Forms. This exposes it to servers or MITM attacks.
Mistake: Reusing Seeds Across Wallets. Each wallet should have its own seed.
Best Practice: Hardware Wallets. Generate and store seeds offline. Verify addresses on-device.
Example Scenario: You generate a seed on a compromised PC. Malware captures it during generation. Use a clean, air-gapped device instead.

Tip

Advanced Tip: When using a hardware wallet, verify the address on the device screen. Malware on your PC can swap the address on your monitor, but it cannot hack the display of an offline Ledger or Trezor.

Alternatives to BIP-39: SLIP-39

While BIP-39 is the most common, SLIP-39 offers an alternative using Shamir’s Secret Sharing. Instead of a single phrase, it generates multiple “shares” (e.g., 5 shares, requiring 3 to recover). This provides better redundancy and allows distributing shares to trusted parties without revealing the full seed. Supported by wallets like Trezor Model T for advanced users.

Wallet Types: Hot vs Cold, Hardware vs Software

Understanding wallet types is crucial for using mnemonic seeds safely. Wallets are categorized by connectivity (hot vs cold) and implementation (hardware vs software). Each has tradeoffs in security, convenience, and cost.

Hot Wallets: Connected and Convenient

Hot wallets are always online, connected to the internet. They are easy to use for frequent transactions but more vulnerable to hacks.

Examples:
- Mobile Apps: Trust Wallet, Coinbase Wallet. You install on your phone, generate or import a seed, and transact via the app. Convenient for daily use, but if your phone is compromised (e.g., via malware), the seed could be stolen.
- Web Wallets: MetaMask, MyEtherWallet. Browser-based; you access via a website. Great for DeFi, but phishing sites can steal seeds if you enter them.
- Exchange Wallets: Built-in wallets on platforms like Binance or Kraken. No seed control - you rely on the exchange’s security.
Pros: Quick access, user-friendly for beginners.
Cons: Exposed to online threats like hacking, phishing, or server breaches. Not ideal for large holdings.
Seed Usage: Seeds are stored encrypted on the device or server. Recovery involves re-entering the seed on a new device.

Cold Wallets: Offline and Secure

Cold wallets never connect to the internet. They generate and store keys offline, minimizing exposure to cyber threats.

Examples:
- Paper Wallets: Print your seed phrase and public addresses on paper. Generate offline (e.g., using a computer not connected to the net), then store the paper in a safe. To spend, import the seed into a hot wallet temporarily.
- Hardware Wallets: Dedicated devices like Ledger Nano S/X or Trezor. The seed is generated on the device and never leaves it. Transactions are signed offline and verified on-device.
- Air-Gapped Computers: A dedicated PC with no internet, used only for wallet operations.
Pros: Immune to remote hacks, malware, or phishing. Best for long-term storage.
Cons: Less convenient for frequent trading; requires physical access and careful handling.
Seed Usage: Seeds are generated offline and backed up manually. Hardware wallets display the seed on setup for writing down.

Hardware Wallets: Physical Security Devices

Hardware wallets are specialized cold wallets - small USB-like devices that handle key generation and signing.

How They Work: You connect to a computer to view balances or initiate transactions, but the private keys stay on the device. You confirm actions on the device’s screen.
Examples:
- Ledger: Supports multiple coins, has a secure element chip. Setup: Generate seed on-device, back it up on paper.
- Trezor: Open-source, similar to Ledger. Emphasizes passphrase support for hidden wallets.
Pros: Combines cold storage security with usability. PIN-protected, resistant to physical tampering.
Cons: Cost (~50-200 USD), potential for loss/theft of the device itself.
Seed Integration: Seeds are BIP-39 compliant. If the device fails, restore on a new one using the seed.

Software Wallets: Apps and Programs

Software wallets run on your computer, phone, or browser. They can be hot or cold depending on usage.

Examples:
- Desktop Wallets: Bitcoin Core (Bitcoin), Electrum (Bitcoin), Exodus (multi-coin). Install on PC; can be air-gapped if disconnected from internet.
- Mobile Wallets: As above, but can be used offline for signing.
Pros: Free, flexible, supports advanced features like multisig.
Cons: Vulnerable if the device is infected. Software can have bugs or backdoors.
Seed Usage: Seeds are stored in app data; backup by exporting the seed.

Choosing the Right Type

For Beginners/Daily Use: Start with a hot mobile wallet, but move funds to cold storage for savings.
For Serious Holdings: Hardware wallet + offline seed backup.
Hybrid Approach: Use hot wallets for small amounts, cold for bulk.
Example Workflow: Generate seed on a hardware wallet, back up on metal. Use the hardware for large transfers, a software wallet for small ones.

Tip

Test your backup: Restore your wallet on a new device using the seed before relying on it. Better to discover issues early.

Remember, no wallet is perfect - security depends on your practices. Always verify addresses and keep seeds offline.

Restoring a Wallet from Your Seed: Step-by-Step

Once you have your seed phrase, restoring access is straightforward but requires care.

Basic Recovery Process

Choose a Compatible Wallet: Use any BIP-39 supporting wallet (e.g., Ledger, Trezor, Electrum, MetaMask).
Enter the Seed: During setup, select “Restore from seed” and input the exact words in order. Include passphrase if used.
Verify: The wallet will regenerate your keys and show balances. Check a few addresses to ensure they match your records.

Example in Electrum (Bitcoin):

Install Electrum.
Select “Auto connect” or your node.
Choose “Standard wallet” > “I already have a seed”.
Enter your 12/24 words.
Set a password for the wallet file (not the seed).

Important Notes

Order Matters: Words must be in sequence. The checksum detects errors.
Passphrase: If forgotten, funds are lost - it’s not recoverable.
Cross-Chain: Seeds work across chains via derivation paths (e.g., Bitcoin m/44’/0’, Ethereum m/44’/60’).
Test First: Restore on a testnet to verify before mainnet.

Advanced: Multisig and Seeds

Multisig requires multiple keys. Seeds can generate one key; combine with others for security.

Example: 2-of-3 multisig - your seed provides one key, others from co-signers.
Tools: Electrum supports multisig; import seeds for each key.

Seed Phrases in Account Recovery: The Ellipticc Advantage

Many modern services, including Ellipticc, integrate mnemonic seeds into user accounts for secure, self-sovereign recovery.

How It Works in Practice

During Sign-Up: When you create an account with Ellipticc, a BIP-39 seed phrase is automatically and securely generated client-side. This seed is used to derive your account’s cryptographic keys, ensuring you control access.
Recovery Process: If you lose access (e.g., forget password or device is stolen), you can recover your account by entering the seed phrase. The service regenerates your keys and restores access without storing the seed on servers.
Client-Side Generation: Seeds are created on your device, never transmitted to servers. This maintains privacy and security.

Why This Is More Secure Than Traditional Passwords

Server-Side Verification: Unlike passwords, which are hashed and stored on servers (vulnerable to breaches), we store only a double SHA256 hash of your mnemonic for verification. The mnemonic is first hashed client-side with SHA256, sent to the backend, and hashed again with SHA256 before storage. This allows us to verify you have the correct seed without storing it, preventing breaches from exposing your recovery key. Double SHA256 provides strong collision resistance and preimage security, making it computationally infeasible to reverse-engineer the original mnemonic from the hash.
Rate Limiting Protects Against Brute Force: If an attacker tries to brute-force recovery attempts (e.g., guessing seeds online), server-side rate limiting kicks in. Attempts are throttled or blocked after a few tries, making automated attacks infeasible. This contrasts with offline seed security, where entropy alone protects, but online recovery adds this layer.
Self-Sovereignty: You own the recovery key. No support tickets or middlemen needed - recover anytime, anywhere.

Workflow with Ellipticc:

Sign up and generate a 12-word seed.
Back it up offline (paper or metal).
If account access is lost, use the seed to recover instantly.
Rate limiting ensures bad actors can’t spam recovery attempts.

This model combines the best of cryptographic security with practical usability.

Final Thoughts

Mnemonic seed phrases are the cornerstone of modern crypto security - simple yet powerful. They give you control, but with that comes responsibility. Generate them securely, store them offline, and use them wisely. Whether for personal wallets or services like Ellipticc, understanding the tech behind them empowers better practices.

“In crypto, your seed is your sovereignty. Protect it fiercely.” – Satoshi Nakamoto (inspired)

Important

Ready to secure your digital life? Try Ellipticc for advanced seed-based recovery and privacy tools. Sign up now and take control of your keys.