Let’s take if offline: BIP38 vs BIP39

The differences and similarities.

Despite the usage of the “vs” in the title denoting the word “versus”, this piece is in no way trying to shed more light on one over the other. But rather this piece is to provide more clarity and education into two private key encryption standards that are utilized in today’s crypto wallets. 

Just to be clear, both standards are absolutely secure and nearly impossible to crack on a brute-force attempt. Although BIP39 is today’s most commonly used standard amongst many wallets, BIP38 doesn’t deserve the credit it deserves despite its nearly identical sound security it provides: and it’s the technological cryptographic cornerstone instilled in every Ballet wallet. And interestingly enough, both BIPs had multiple authors where one author, Aaron Voisine, contributed code to both BIP38 and BIP39.

The major difference between the two is the way encrypted private keys are generated, encoded, and stored. 

And whether you are holding the BIP38 encrypted private key (along with a passphrase) or the BIP39 encrypted private key (in the form of human readable words), both come down to the responsibility of the user/holder of those private keys to keep them in a safe location and preferably backed up. So in either case, the proverbial “not your keys, not your crypto” are equally weighted in importance of private key security for both BIP38 and BIP39.

Let’s get started.

How does the BIP38 private key generation process work?

For a detailed breakdown of the BIP38 process, please refer to this other blog explaining the nuts and bolts.

The BIP38 standard (under the Encryption when EC multiply mode is used) allows two parties (Party A and Party B) to partake in the creation of the encrypted private keys. One party would hold the first part called the ‘passphrase’ and the other party would hold the second part known as the encrypted private keys in the format of 58 characters base58, starting with ‘6P’.

Party A starts by creating a randomly generated passphrase and some ‘salt’ to add more entropy to the process; an intermediate_passphrase_string is then derived and handed over to Party B to generate a public address and an encrypted private key. And to stress a key point here is that the intermediate_passphrase_string DOES NOT reveal the original passphrase, which is kept by Party A and is needed to decrypt the end resulting encrypted private key.

And in no part of the process reveals the unencrypted private key which is needed in signing transactions, until the user does so themselves.

Repeat: No part of the BIP38 encrypted private key generation reveals the decrypted (unencrypted) private key until the user uses both the passphrase and the encrypted private key in the signing of a transaction, which under the hood, then subsequently reveals the decrypted (unencrypted) private key. Just as a side note, the unencrypted private key usually takes the form of the Wallet Import Format (WIF).

The BIP38 standard was particularly chosen for the Ballet wallets due to this two party key generation functionality which is pivotal to our Two Factor Key Generation (2FKG) process. More on our 2FKG process can be found here.

To reiterate, having the encrypted private key in no way reveals the passphrase and vice versa. So in a way the BIP38 standard allows for the creation of a 2 of 2 multi-sig wallet. An analogy that Ballet Founder and CEO, Bobby Lee, described is to think of it as a safe deposit box that requires two keys. Just having access to one set of the keys is pointless.

How does the BIP39 mnemonic word seed phrase creation process work?

The BIP39 standard, which was proposed in 2013, is a standard that allows for private keys to be formatted as a mnemonic code seed phrase for generating deterministic keys. Amongst the popular wallets, many of them require you to write down a 12 or 24 word mnemonic code (also commonly referred to as a seed phrase) as a backup before proceeding to the next step of the wallet setup. Whether or not you think having to write down a bunch of words is a bit of hassle is subjective, but essentially those 24 words (we’ll just stick with the 24 word instead of saying ‘12 or 24’) are masking your unencrypted private key in a human readable way. 

After the generation of the 24 mnemonic words, those words then get passed through a password based key derivation function to create a binary seed, which is used for hierarchical deterministic wallet purposes. But we won’t get into that as that is where the slight differences between BIP38 and BIP39 start to diverge.

The way one’s 24 mnemonic words gets created starts with a random number of 256 bits which can also be formatted into hexadecimals. A checksum is then concatenated onto the end of the 256 bit entropy sequence. Then the whole entropy sequence is split into groups of 11 bits, with each group of 11 bits converted into its decimal form. 

The decimal representation can vary from a range of 1-2048, which works out as an index of a mnemonic word list consisting of 2048 words. This official word list can be found here

And in actuality, you only need the first 4 letters of the mnemonic word.


Start with 256 bit of entropy:


Concatenate a checksum at the end:

Checksum = 01000100 = first 8 bits of SHA256 of entropy (44d41bf5f46ecc1bcef7c41ddfc8dcdc09175bf91a62b378d3df502910ca0dea)


Split bit entropy into 24 groups of 11 bits, which will look like this:

And just like that you have 24 words that are formatted to conceal your private keys. To pronounce the equal security of both the BIP38 encrypted private key + passphrase and BIP39’s 24 mnemonic word seed, the WIF unencrypted private key, that belongs to the 24 word seed, can also be encrypted using BIP38 (non-EC multiply).

So if we take a look at the image above: Figure A represents a BIP39 mnemonic word phrase and Figure B represents a BIP38 encrypted private key used in tandem with a passphrase. Both are just different formats of the same exact WIF unencrypted private key, which subsequently has access to the same exact UTXOs.

Different formats, same security, same UTXOs, same bitcoins.

Differences and similarities

As shown above, both the BIP38 and BIP39 can convert a WIF unencrypted private key into different formats but essentially both cryptographically mask the private key. We’ll point out some of the nuanced differences and similarities between the two below.

Year Proposed

The BIP38 standard was the first to have been proposed back in 2012, authored by Mike Caldwell and Aaron Voisine. The BIP39 standard was introduced a year later in 2013 with 4 different authors including Aaron Voisine. 


Considering that both utilize the SHA256 deterministic one way hashing function (along with other crypto native functions), which is nearly impossible to crack, you can be assured that both are just as secure as SHA256.


BIP38 actually has two methodologies in generating an encrypted private key. Besides the one mentioned earlier above, one could also just take a pre-generated unencrypted private key and run it through the BIP38 algorithm, with a passphrase of your choice, to generate the encrypted private key. BIP39 starts out with a randomized entropy of a certain number of bits to be converted into a mnemonic word seed. These words are actually then further used to create a binary seed for HD wallet purposes (we won’t be covering this part). 

Private Key Format

BIP38 encrypted private keys are formatted as 58 characters base58 format (starting with ‘6P’) and a random secret passphrase. BIP39 uses 24 mnemonic words (based on a 256 bit key size).


In the BIP38 standard, a passphrase is necessary to be used in conjunction with the encrypted private key. In BIP39, a passphrase is not necessary but the BIP39 standard actually allows for a way of passphrase-protecting a mnemonic word seed phrase. Then both the seed phrase and extra word are required to recover the wallet. Some wallets call the passphrase a “seed extension”, “extension word” or “13th/25th word”.

Possible formatted combinations

For the BIP39 standard, the mnemonic word seed phrase is limited to 2048 words. Let’s say for example we use the longest length of 24 words, that gives us about 2048^24 combinations, which is more than one can pathom. But with BIP38, the passphrase factor can essentially be of anything, which then makes the possible formatted combinations theoretically limitless! 


So there you have it. Two BIPs. Two methodologies in keeping your raw private keys obfuscated to the less informed. Two different standards in today’s myriad number of bitcoin wallets. One goal of keeping your bitcoins more secure in a world of heightened cybersecurity. 

We hope after reading this you are now more well informed of both standards and its processes. Furthermore, the goal is not to merely praise one’s security over the other but rather to fairly showcase both are fairly secured and both can actually be used together as evident in the image above. And in general, both are merely just taking an arbitrary number of bits and reshuffling its format for wallet capability purposes. At the end of the day, what you do with either the BIP38 encrypted private key or the BIP39 24 mnemonic word seed phrase is dependent on how well you keep them secure. We just prefer having you keep them offline on a physical, air-gapped, robust metal material for added protection.