Most Ledger Nano owners at some point start to wonder if there is a possibility to customize their seed. Some might go even further and try to use randomly chosen words during the recovery process. In such cases, after confirming the last word, they will almost certainly see the message:
"Recovery phrase is invalid, retry"
Does this mean that creating a new wallet with your own custom word set is impossible?
Here is a nice surprise: it is possible, though with a certain limitation. But let's start from the beginning.
The first restriction is the requirement that all words must be on the BIP39 standard list
(Bitcoin Improvement Proposal - number 39). You can find out exactly what Bitcoin Improvement Proposals are
here.
BIP39 is nothing more than just a set of 2048 words, chosen in such a way that the first 4 letters of every word are unique. This rule even applies to 3-letter words.
This property makes them easier to remember when creating a multi-word sequence, which is exactly what your seed is.
The second restriction is a requirement to the last word of your sequence. It is a specific checksum determined by all the rest of sequence elements and you can't just choose it by yourself. This is exactly the reason why we see an error message, anytime we try to enter randomly chosen words as a seed to our Ledger Nano. Usually, the checksum condition is met by more than just one word; however, the chance of finding a valid one by simply guessing is incredibly small. The number of words that satisfy the checksum condition is strictly related to the total number of seed words. In the case of a 24-word seed (the most secure option), there are always exactly 8 possible words that can serve as the checksum. Thus, the chance of randomly drawing a valid one from the 2048-word BIP39 set is exactly 8 in 2048, or a mere 0.39%. It is no wonder you saw an error message.
Then how can we find the proper checksum for a sequence of our own choosing? For example, let's take a random set of 23 words that comply with the BIP39 standard:
Every word has an index, which is a number based on its alphabetical order. It is important to start the numbering from 0. Each index must then be expressed as a binary value. Since the BIP39 list contains 2048 elements, every word index must consist of 11 bits. Thus we find:
In the next step, we concatenate all the indexes, preserving their order of appearance. This gives us a 253-bit binary sequence:
The obtained result we complement with additional 3 bits of our own choice.
Do you remember as we said that 24 words seed has exactly 8 possible checksum results?
Number 8 is just a simple consequence of those 3 bits.
All of the 8 results we will get by simple putting here 000, 001, 010, 011, 100, 101, 110 and 111.
For this example we choose: 000.
We concatenate it at the end, which results in a 256-bit binary word:
The next step is to calculate SHA256 hash of such prepared binary data.
The SHA256 algorithm (secure hashing algorithm, 256-bit output) is an essential part of the blockchain technology.
More about what the SHA256 is you can find here.
As a result of this calculation we get the following hexadecimal word:
The next move is to extract the first 8 bits from the result above. Thus we take the first 2 hex characters - 27.
They correspond to:
Once again we use the same 3 bits we have chosen before. This time we concat them to the front of the extracted binary string. Consequently, we get:
which is binary value 39. This is a BIP39 index of the checksum word we are trying to find. Don't forget that the index numeration starts from '0'. So if you use a BIP39 wordlist with standard numeration starting from '1', then the actual index number will be 40. We find the proper index on the BIP39 list and we get the word: agent Finally 24-word seed containing 23 words of our own choice is:
For the remaining 3-bit combinations the last checksum word is:
