User Rating 0.0 ★★★★★

Total Usage 0 times

Category Crypto & Mining

⚠ Security Notice: This tool runs entirely in your browser. No data is transmitted. For production wallets holding real value, use hardware wallets on air-gapped devices. Browser environments are vulnerable to extensions and memory inspection.

BIP39 Passphrase (optional) Extra passphrase appended to mnemonic salt. Different passphrase = different keys.

Sample Tx Recipient Address Ethereum address for the sample signed transaction.

Value (ETH)

Gas Price (Gwei)

Nonce

1 BIP39 Mnemonic

2 Seed (Hex)

3 Derived Keys & Address Path: m/44'/60'/0'/0/0

Private Key

Public Key (Uncompressed)

Ethereum Address (EIP-55)

4 Signed Sample Transaction

Raw Signed Transaction (Hex)

Transaction Hash

Is this tool helpful?

Your feedback helps us improve.

★ ★ ★ ★ ★

About

Deriving an Ethereum account from entropy requires a precise chain of cryptographic operations. A failure at any step - weak randomness, incorrect derivation path, broken checksum - produces keys that either cannot control funds or expose them to theft. This tool implements the full BIP39 → BIP32 → secp256k1 pipeline client-side: 128-bit entropy generates a 12-word mnemonic, PBKDF2-HMAC-SHA512 with 2048 iterations stretches it into a 512-bit seed, and hierarchical deterministic derivation at path m/44'/60'/0'/0/0 yields the private key. The public key is computed via scalar multiplication on the secp256k1 curve (order n ≈ 1.158 × 10⁷⁷), and the address is the last 20 bytes of the Keccak-256 hash of the uncompressed public key.

The tool also constructs and signs a sample Ethereum transaction using ECDSA with EIP-155 replay protection (chainId = 1). The signed raw transaction hex can be broadcast to mainnet via any Ethereum node. This is an educational and development utility. For production wallets holding real value, use air-gapped hardware signers. Browser environments are susceptible to extensions, clipboard hijacking, and memory inspection. Treat any key generated here as potentially observable.

Formulas

The mnemonic encodes entropy with an appended checksum. Given entropy E of 128 bits, the checksum CS is the first 4 bits of SHA-256(E). The combined 132 bits are split into 12 groups of 11 bits, each indexing the BIP39 wordlist.

CS = SHA256(E)[0..3]

bits = E || CS

word_i = wordlist[bits[i × 11 .. (i+1) × 11]]

Seed derivation uses PBKDF2:

seed = PBKDF2(mnemonic, "mnemonic" || passphrase, 2048, 512)

Master key derivation (BIP32):

(k_master, c_master) = HMAC-SHA512("Bitcoin seed", seed)

Child key derivation for hardened index i (where i ≥ 2³¹):

(k_child, c_child) = HMAC-SHA512(c_parent, 0x00 || k_parent || i)

Public key from private key via elliptic curve scalar multiplication on secp256k1:

K = k ⋅ G

where G is the generator point and k is the 256-bit private key scalar. The Ethereum address is:

address = "0x" || Keccak256(K_uncompressed[1:])[12:]

Transaction signing uses ECDSA. The transaction is RLP-encoded with fields (nonce, gasPrice, gasLimit, to, value, data, chainId, 0, 0) per EIP-155. The hash h = Keccak256(RLP(tx)) is signed to produce (r, s, v).

Where k = private key scalar, K = public key point, G = generator point, c = chain code, CS = checksum bits, E = entropy, v = recovery parameter (chainId × 2 + 35 or 36).

Reference Data

Parameter	Value	Standard
Entropy Length	128 bits	BIP39
Mnemonic Words	12	BIP39
Wordlist Size	2048	BIP39 English
Checksum Bits	4 (entropy_bits ÷ 32)	BIP39
PBKDF2 Iterations	2048	BIP39
PBKDF2 Hash	HMAC-SHA512	BIP39
Seed Length	512 bits (64 bytes)	BIP39
HD Derivation Path	m/44'/60'/0'/0/0	BIP44 / SLIP44
Curve	secp256k1	SEC 2
Curve Order (n)	0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141	SEC 2
Generator Point (G_x)	0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798	SEC 2
Private Key Length	256 bits (32 bytes)	ECDSA
Uncompressed Public Key	65 bytes (04 \|\| x \|\| y)	SEC 1
Address Derivation	Keccak-256 of pubkey[1:] → last 20 bytes	Ethereum Yellow Paper
Address Checksum	EIP-55 mixed-case encoding	EIP-55
Transaction Signing	ECDSA + EIP-155 (v = chainId × 2 + 35/36)	EIP-155
Chain ID (Mainnet)	1	EIP-155
Gas Limit (sample)	21000	Ethereum simple transfer
RLP Encoding	Recursive Length Prefix	Ethereum Yellow Paper, Appendix B
SLIP44 Coin Type	60 (Ethereum)	SLIP44
BIP39 Salt Prefix	"mnemonic"	BIP39
Master Key HMAC Key	"Bitcoin seed"	BIP32

Frequently Asked Questions

BIP44 defines a hierarchical structure: purpose (44'), coin type (60' for Ethereum per SLIP44), account index, change flag, and address index. Using a non-standard path produces valid keys but they won't appear in wallets like MetaMask or Ledger Live that follow BIP44. The apostrophe denotes hardened derivation (index + 2³¹), which prevents parent public key exposure from leaking child private keys.

Yes. The tool uses crypto.getRandomValues(), which is backed by the OS CSPRNG (e.g., /dev/urandom on Linux, CryptGenRandom on Windows). However, browser environments carry additional attack surface: malicious extensions can read page memory, clipboard contents, or inject scripts. For keys controlling significant value, generate them on an air-gapped machine using a hardware wallet.

Before EIP-155, a transaction signed for Ethereum mainnet could be replayed on any fork (Ethereum Classic, testnets) since the signature was chain-agnostic. EIP-155 includes the chainId (1 for mainnet) in the signing hash. The recovery parameter v becomes chainId × 2 + 35 or 36, making the signature invalid on chains with different IDs. Without this, an attacker could replay your mainnet transaction on a fork where you also hold funds.

The Ethereum Yellow Paper defines the intrinsic gas cost of a transaction as 21,000 for a basic transfer with no contract interaction. This covers the cost of signature verification (ECDSA recovery), state trie updates (sender/receiver balance), and transaction inclusion overhead. Contract calls consume additional gas proportional to computational steps (opcodes) and storage writes. The sample transaction uses this minimum since it sends ETH to an externally owned account (EOA) with no calldata.

The raw signed transaction hex is a valid RLP-encoded, EIP-155-signed payload. You could submit it via eth_sendRawTransaction to any Ethereum node or service (Infura, Alchemy, a local Geth instance). However, the sample transaction uses nonce 0 and a placeholder recipient. For it to succeed on mainnet, the sending account must have sufficient ETH balance, the nonce must match the account's current transaction count, and the gas price must meet current network conditions. The tool is for educational and development testing purposes.

BIP39 appends a SHA-256 checksum to the entropy before word selection. If even one word is changed, the checksum verification fails. Compliant wallets reject invalid mnemonics at import time, preventing typographical errors from generating wrong keys silently. This tool validates the checksum on generation. A 12-word mnemonic has 4 checksum bits, meaning roughly 1 in 16 random word combinations will pass - but only the correct one maps to your entropy.

EIP-55 takes the lowercase hex address (without 0x prefix), computes its Keccak-256 hash, then capitalizes each hex character in the address where the corresponding nibble in the hash is ≥ 8. This provides a built-in error detection without changing the address length. Approximately 99.986% of single-character errors are caught. Wallets that ignore EIP-55 treat addresses case-insensitively, but compliant software validates the casing.