Overview
In Bitcoin, entropy refers to the quality and quantity of randomness used to generate private keys, seed phrases, and other cryptographic secrets. Entropy is measured in bits: a 128-bit entropy source has 2^128 possible values (approximately 3.4 x 10^38), while 256-bit entropy has 2^256 possible values (approximately 1.16 x 10^77). The security of every Bitcoin wallet ultimately depends on the entropy used at the moment of key generation — if the randomness is flawed, the resulting keys can be guessed or brute-forced regardless of how strong the cryptographic algorithms are.
The term comes from information theory, where entropy quantifies the unpredictability of a random variable. In cryptographic contexts, "high entropy" means the random data is truly unpredictable and uniformly distributed. "Low entropy" means there are patterns, biases, or a reduced number of possible values that an attacker could exploit.
Entropy in Key Generation
Key Generation Flow:
Entropy Source (OS CSPRNG, hardware RNG, dice rolls)
│
▼
┌──────────────────────┐
│ 128 or 256 bits of │
│ raw random data │
└──────────┬───────────┘
│
┌──────┴──────┐
│ │
▼ ▼
BIP39 Seed Raw Private Key
Phrase (256-bit number)
(12 or 24 │
words) ▼
│ Public Key
▼ (via ECC)
HD Wallet │
Key Tree ▼
Address
Every step downstream is deterministic.
ALL security comes from the initial entropy.
How Much Entropy Is Enough
| Bits of Entropy | Possible Values | Equivalent | Used For |
|---|---|---|---|
| 80 | ~10^24 | Considered minimum for short-term security | Not recommended for Bitcoin |
| 128 | ~3.4 x 10^38 | 12-word BIP39 seed phrase | Standard wallet security |
| 160 | ~1.5 x 10^48 | 15-word BIP39 seed phrase | Enhanced wallet security |
| 256 | ~1.16 x 10^77 | 24-word seed phrase, raw private key | Maximum security |
For perspective, 128 bits of entropy would require an attacker testing one trillion (10^12) keys per second approximately 10^19 years to exhaust the keyspace — far longer than the age of the universe.
Sources of Entropy
Not all randomness is created equal. Cryptographic security requires randomness that is truly unpredictable, not merely random-looking:
Good entropy sources:
- Operating system CSPRNG (Cryptographically Secure Pseudo-Random Number Generator):
/dev/urandomon Linux,CryptGenRandomon Windows,SecRandomCopyByteson macOS. These collect entropy from hardware interrupts, disk timing, mouse movements, and other physical sources. - Hardware random number generators: Dedicated chips that harvest randomness from physical phenomena (thermal noise, radioactive decay, shot noise)
- Dice rolls: Physical dice provide verifiable entropy. Rolling a standard die provides ~2.58 bits of entropy per roll; 50 rolls of a six-sided die provide approximately 128 bits.
Dangerous entropy sources:
- Human-chosen "random" numbers: Humans are terrible at generating randomness. Brain wallets using passphrases have been catastrophically exploited.
- Weak PRNGs: Non-cryptographic random number generators (like
Math.random()in JavaScript) are predictable and must never be used for key generation. - Insufficient seeding: A CSPRNG seeded with low-entropy data (e.g., only the current timestamp) produces predictable output.
Historical Entropy Failures
Several real-world incidents demonstrate the consequences of insufficient entropy:
- Android SecureRandom bug (2013): A flaw in Android's random number generator caused multiple Bitcoin wallets to generate the same private keys, resulting in stolen funds. The bug affected the ECDSA nonce generation, allowing private key extraction from signatures.
- Blockchain.info bug (2014): A server-side code change caused the wallet service to generate addresses using insufficient entropy, affecting thousands of users.
- Brain wallet attacks: Researchers have demonstrated automated tools that crack brain wallets (keys derived from human-chosen passphrases) by testing dictionaries and common phrases. Millions of dollars in Bitcoin have been stolen from brain wallets.
- Milk Sad vulnerability (2023): A flaw in the Libbitcoin Explorer's
bx seedcommand used an insufficient entropy source (Mersenne Twister PRNG seeded with 32 bits of system time), leading to the theft of approximately $900,000 in Bitcoin.
Verifiable Entropy with Dice
For users who want to verify the entropy in their seed phrase generation rather than trusting software, dice rolling provides a transparent process:
Generating a 12-word BIP39 seed phrase from dice:
1. Roll a six-sided die 50 times (≈128 bits of entropy)
2. Convert rolls to binary (1-3 = 0, 4-6 = 1)
3. Take the first 128 bits
4. Compute the BIP39 checksum (first 4 bits of SHA-256 hash)
5. Split 132 bits into twelve 11-bit groups
6. Map each group to a word from the BIP39 wordlist
This process is supported by tools like Coldcard's dice
roll feature and SeedSigner.
Related Concepts
- Seed Phrase — the human-readable encoding of the entropy that generates a wallet
- Mnemonic Phrase — the BIP39 word sequence derived from the initial entropy
- Key Pair — the private/public key pair whose security depends on entropy quality
- Hash Function — used in the derivation chain from entropy to keys
- Elliptic Curve Cryptography — the mathematics connecting private keys to public keys