How to make a wallet out of randomness
A from-scratch tour of the cryptography behind every blockchain wallet — built live in your browser.
A blockchain wallet looks like an app. It is not.
The app — MetaMask, Phantom, Keplr, your bank-grade hardware device — is a polite wrapper around a single thing: a number. A very large, very specifically random number. Lose that number, lose every coin. Hand it to a stranger, hand them every coin. There is no support line. There is no password reset.
This post is about how that number comes to exist, why nobody can guess it, why it can stand in for your identity on five completely different blockchains at once, and why twelve seemingly innocuous English words written on a scrap of paper are enough to recover all of it.
We are going to build one together, end to end, in the browser. You will do the random part yourself.
1. Where does the randomness come from?
Pick a number between 1 and 2^256.
You cannot do this fairly. No human can. Whatever you reach for — your birthday, your phone number, the digits on the wall clock — sits inside a tiny, predictable, guessable subset of the possible numbers. If your private key falls inside that subset, an attacker who has seen even one transaction on the blockchain can iterate over the guessable region in seconds and walk away with your funds.
This isn’t theoretical. In 2013, a bug in Android’s SecureRandom left Bitcoin wallets generating private keys from a tiny, broken entropy pool. Within days, attackers found wallets generated by buggy phones and drained them — about 55 BTC worth at the time, recovered from addresses whose owners had done nothing wrong except trust their operating system.
So we need real randomness. The kind a computer can’t fabricate from a counter and a wall clock. We need entropy — physical unpredictability — fed into a buffer until we have enough of it.
How much is enough? 256 bits. That number is not arbitrary. With 256 truly random bits, the number of possible keys is roughly 2^256 — more atoms than there are in the observable universe, several times over. Even a galaxy-spanning civilization with quantum computers running for the heat-death of the cosmos cannot brute-force a 256-bit key.
So: move your mouse. Each jitter contributes a bit. Watch the bar fill.
When the bar is full, the buffer below it holds a number. That number is now your wallet. Everything else in this post is a transformation applied to that number, and a story we tell about it so a human can survive owning it.
2. From bits to words: BIP39
Look at the buffer. It is 128 binary digits (we use 128 here for a 12-word phrase; real wallets often use 256 bits for 24 words — the math is identical, just longer). Try to memorize it. Try to write it down without an error. Try to dictate it over the phone to your grandmother.
You can’t.
Humans are not designed for that. We are designed for words. So in 2013, a Bitcoin Improvement Proposal called BIP39 asked: what if we mapped binary entropy onto English words?
The recipe is:
- Start with the 128 bits of entropy.
- Compute SHA-256 of those bits. Take the first 4 bits as a checksum.
- Append the checksum → 132 bits total.
- Split into 12 chunks of 11 bits each.
- Each 11-bit chunk is an index into a fixed 2048-word list —
abandon,ability,able, …,zoo. (2^11 = 2048, which is why the wordlist is exactly that size.) - Write the 12 words down. In order.
That is your mnemonic phrase. It is mathematically identical to the random bits, but a human can copy it onto an index card without making a mistake — and if they do make a mistake, the checksum lets a wallet detect it.
The wordlist is deliberately boring. No proper nouns, no homophones, no profanity. Every word is recognizable in low-bandwidth handwriting and pronounceable to non-native English speakers. (Other languages have their own BIP39 wordlists; the math is the same.)
The phrase scrolling above this paragraph is your wallet. Everything that follows — keys, addresses, signatures, account balances on five different blockchains — is derived from those words. If somebody photographs them, your money is theirs. If you forget them and burn the paper, your money is no one’s. There is no recovery email.
3. From words to a master key
You now have twelve words. A blockchain doesn’t sign transactions with words. It signs them with raw private keys — 256-bit integers. So there is one more deterministic transformation in the way.
The mnemonic goes through PBKDF2, a key-derivation function. PBKDF2 takes your phrase plus an optional passphrase (most wallets leave the passphrase empty — but adding one is a powerful, often-overlooked layer of security), and runs HMAC-SHA512 over it 2048 times. The result is a 512-bit seed.
The seed gets fed into a second function — HMAC-SHA512, keyed with the constant string "Bitcoin seed" — which spits out:
- A 256-bit master private key.
- A 256-bit chain code (we’ll use this in Section 5 to derive child keys without leaking the parent).
The whole thing — entropy → mnemonic → seed → master key — is deterministic. The same words always produce the same key. The same key always produces the same seed. This is the magic that lets you walk into a new computer with twelve words on a scrap of paper and rematerialize your entire net worth.
It is also why a single typo destroys you.
4. Why nobody can reverse this
Why doesn’t an attacker work backwards? Public keys are public. Every transaction reveals one. Every block-explorer page lists thousands. If the math were reversible, anyone with internet would already be a billionaire.
The math is a one-way function: trivial to compute forward, computationally impossible to compute backward.
To feel this, try a tiny version. The slider below picks an exponent x. The output is y = 5^x mod 2017 — small numbers, easy modular arithmetic. Forward is instant.
Now flip the toggle: you’ll see only y, and the demo will try to find the x that produced it. It searches one candidate at a time.
At a modulus of 2017, the brute-force eventually wins — there are only ~2000 possible x values to try. Now imagine the modulus is a 256-bit number. There are roughly 2^256 candidates. A modern GPU can check ~10^10 keys per second. The age of the universe is ~4 × 10^17 seconds. Multiply those: even running on every GPU ever manufactured, you would not finish before the heat death of the cosmos.
Real blockchain wallets do not use modular exponentiation. They use elliptic curves — pubkey = privKey × G where G is a fixed point on a curve called secp256k1 (Bitcoin, Ethereum) or Curve25519 (Solana, Stellar). The shape of the math is different but the asymmetry is identical: easy forward (point multiplication), brutal backward (the elliptic curve discrete logarithm problem).
This is the entire reason crypto works. Pull the floor out from under it and every wallet on earth empties at once. (Sufficiently large quantum computers can pull this floor out. That’s why post-quantum cryptography matters — but that’s a different post.)
5. Same seed, five identities
Here is where the magic gets practical.
The seed you generated in Section 1 — those twelve words you watched assemble themselves — is enough to derive as many private keys as you want, on as many different blockchains as you want, deterministically, from the single starting point.
Three pieces make this possible:
BIP32 — Hierarchical Deterministic wallets. The master key + chain code can be combined with an index to produce a child key. That child has its own chain code, so you can derive grandchildren, and so on, forever. The whole thing forms a tree.
BIP44 — A convention for naming branches. Paths look like m/44'/60'/0'/0/0. The numbers mean: purpose / coin type / account / change / address index. Each blockchain claims a coin type number — Bitcoin is 0, Ethereum is 60, Cosmos is 118, Solana is 501, Stellar is 148.
SLIP-0010 — A parallel spec for chains that use Ed25519 (Solana, Stellar) instead of secp256k1 (Bitcoin, Ethereum, Cosmos). Ed25519 doesn’t support non-hardened child derivation, so every segment in those paths is “hardened” (the apostrophe in the path).
Put them together, and one mnemonic becomes:
Look at this carefully. Every address comes from the same twelve words. Different curves (secp256k1 vs Ed25519), different paths (different coin-type numbers), different final encoding (bech32 vs hex vs base58 vs strkey) — but the seed is identical. This is why importing a single phrase into MetaMask gives you an Ethereum account, importing the same phrase into Phantom gives you a Solana account, and importing it into Keplr gives you a Cosmos account. None of those wallets are talking to each other. They don’t have to. The math is deterministic and the standards are shared.
One nuance worth pausing on: notice the Solana and Stellar paths end in ' on every segment. That’s the SLIP-0010 hardened-only rule for Ed25519. The practical consequence: with secp256k1 chains, somebody with your public key alone can generate watch-only child addresses (useful for cold-wallet bookkeeping). With Ed25519 chains, every level needs the private key — so watch-only HD wallets are harder to build.
Also notice: every Cosmos zone (Osmosis, Celestia, Injective, dYdX, …) uses coin type 118 by convention, and changes only the bech32 prefix. So cosmos1... and osmo1... and celestia1... are all the same key under different clothing.
6. So what does owning a wallet actually mean?
You started this post with mouse movement. You ended it with addresses on five blockchains. Nothing in between left your browser.
A few things should now be uncomfortably clear:
- Lose the words, lose the money. No password reset exists. There is no human in the loop.
- Anyone with the words has total control. This includes screenshots in iCloud, photos in your camera roll, plain-text notes apps, browser auto-fill, helpful colleagues, and overly-clever AI assistants. The seed is the wallet. The seed is the money.
- Custodial wallets — Coinbase, Binance, Robinhood — hold the words for you. That is convenient, and it also means they own the key. You hold a database row in their system that says you are owed funds; they hold the cryptographic ability to move those funds. This is fine until it isn’t (FTX, Celsius, Mt. Gox).
- Hardware wallets (Ledger, Trezor) keep the words offline, in a chip that never gives them to your computer. They sign transactions on-device. They are the right answer for non-trivial amounts.
Now you know what a wallet is. In the next post, we’ll look at what you can actually do with one — how a transaction is built, signed with that key, broadcast to the network, and finalized. Different blockchains do it very differently, and the differences explain most of what people argue about online.
But first: write your words down. Twice. On paper. Not on your phone.