My notes on bitcoin wallets

Ismail Akkila
Aug 3, 2017

Continuing with the very interesting book Mastering Bitcoin by Andreas Antonopoulos, here are my notes on bitcoin wallets.

As I understand, there are different types of wallets. I will try to explain the common types in my own words.

Non deterministic Random Wallets

This is essentially just a bunch of random keys. There is no relation between them and they are all generated separately. It is hard to manage, as one would need to regularly back up and keep track of every private key. Most of these wallets are being replaced by the deterministic variety.

Hierarchical Deterministic (HD) Wallets

All private and public keys are derived from a 512 bit seed. The master keys are created first and can in turn be used to derive child private and public keys, creating a hierarchy of keys. One only needs the root seed to recreate all of them. This 512 bit seed is usually derived from a mnemonic code, essentially a sequence of 12 to 24 predefined dictionary words. This is easier to write down and transcribe, and can be used to recover the root seed. Mnemonic codes are defined in Bitcoin Improvement Proposal 39 (BIP0039).

Generating the mnemonic code:

1 - Create a random sequence of 128 - 256 bits of entropy
2 - Calculate the checksum of this sequence using SHA256. Add the first few bits (how many depends on the entropy length, see the CS column below) to the end of the random sequence
3 - Divide the sequence into sections of 11 bits. Each section will be used to select a word of the mnemonic code, as an index into a list of 2048 dictionary words
4 - Produce 12 - 24 words representing the mnemonic code
5 - The mnemonic code can be used to create the seed, using the PBKDF2 key stretching function to produce the 512 bit root seed

ENT = entropy bits, CS = checksum bits, MS = mnemonic sentence length in words

|  ENT  | CS | ENT+CS |  MS  |
+-------+----+--------+------+
|  128  |  4 |  132   |  12  |
|  160  |  5 |  165   |  15  |
|  192  |  6 |  198   |  18  |
|  224  |  7 |  231   |  21  |
|  256  |  8 |  264   |  24  |
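The five steps and the table above as code. This is an added Python example, not code from the book or from this post. The real 2048-word English list is not embedded, so the word lookup takes the list as a parameter; the seed step uses the BIP0039 parameters the notes leave out, namely PBKDF2-HMAC-SHA512 with 2048 rounds and the salt "mnemonic" followed by an optional passphrase. A validity check for a typed-in mnemonic is included, since the checksum exists exactly so that a transcription error can be detected before a seed is derived from the wrong words.

```python
import hashlib
import secrets
import unicodedata

# Added example (not from the book or the post): BIP39 steps 1-5 above.
# The 2048-word list itself is not embedded; pass it in as a sequence.

VALID_ENTROPY_BITS = (128, 160, 192, 224, 256)   # ENT column of the table


def generate_entropy(bits: int = 128) -> bytes:
    """Step 1: random entropy from the OS CSPRNG (never from random.random)."""
    if bits not in VALID_ENTROPY_BITS:
        raise ValueError("entropy must be 128, 160, 192, 224 or 256 bits")
    return secrets.token_bytes(bits // 8)


def entropy_to_indices(entropy: bytes) -> list:
    """Steps 2-3: append the checksum (first ENT/32 bits of SHA256) and cut into 11-bit indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in VALID_ENTROPY_BITS:
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    cs_bits = ent_bits // 32                                   # CS column: 4..8 bits
    checksum = hashlib.sha256(entropy).digest()
    bits = format(int.from_bytes(entropy, "big"), f"0{ent_bits}b")
    bits += format(int.from_bytes(checksum, "big"), "0256b")[:cs_bits]
    # ENT+CS is always a multiple of 11, giving MS = (ENT+CS)/11 words
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]


def indices_to_mnemonic(indices, wordlist) -> str:
    """Step 4: map each 11-bit index (0..2047) to a dictionary word."""
    if len(wordlist) != 2048:
        raise ValueError("a BIP39 wordlist has exactly 2048 words")
    return " ".join(wordlist[i] for i in indices)


def mnemonic_is_valid(mnemonic: str, wordlist) -> bool:
    """Reverse of steps 2-4: the trailing checksum bits must match SHA256 of the entropy."""
    words = mnemonic.split()
    if len(words) not in (12, 15, 18, 21, 24):
        return False
    try:
        bits = "".join(format(wordlist.index(w), "011b") for w in words)
    except ValueError:  # a word that is not in the list
        return False
    cs_bits = len(bits) // 33                                  # ENT+CS = 33 * CS
    entropy = int(bits[:-cs_bits], 2).to_bytes((len(bits) - cs_bits) // 8, "big")
    return entropy_to_indices(entropy) == [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Step 5: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase -> 512-bit root seed."""
    m = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, salt, 2048, dklen=64)
```

With all-zero 128-bit entropy the checksum nibble of SHA256 is 0x3, so the word indices come out as eleven zeros followed by 3, which with the real English list is the well-known "abandon ... abandon about" mnemonic. Note that the passphrase is not stored anywhere and a different passphrase silently yields a different, valid-looking seed.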

Generating the master private and public key:

1- This 512 bit root seed is run through the HMAC-SHA512 cryptographic hashing function to produce another 512 bit sequence
2- The left 256 bits will form the "Master Private Key". The "Master Public Key" will be created using the normal k * G process.
3- The right 256 bits will form the "Master Chain Code", a seemingly random sequence

Generating the child private key:

1- The parent public key (264 bit) + parent chain code (256 bit) + index integer (32 bit) are combined and run through the HMAC-SHA512 function to produce another 512 bit sequence.
2- The right 256 bits of the 512 bit sequence will form the child chain code
3- The left 256 bits + parent private key will be used to produce the child private key through some function
4- The child public key will be created using the normal k * G process.

Generating the child public key (for a branch of public keys):

1- The parent public key (264 bit) + parent chain code (256 bit) + index integer (32 bit) are combined and run through the HMAC-SHA512 function to produce another 512 bit sequence.
2- The right 256 bits of the 512 bit sequence will form the child chain code
3- The left 256 bits + parent public key will be used to produce the child public key through some function
4- To be able to spend BTC that are sent to these public key addresses, one would need to use the extended private key to derive the associated child private key

It is important to note that a key that contains the private key and the associated chain code is called the ‘extended private key’. The public key together with the chain code is called the ‘extended public key’. Extended keys are used to derive the child keys; an extended public key can only be used to derive child public keys. Extended keys are represented in Base58Check with a special prefix that results in the string starting with “xprv” or “xpub”.

Hardened Child Key Derivation

There are some security risks involved in using the above to derive extended public keys. The extended public key contains the chain code, and if any child private key in that branch is somehow leaked, chain code plus child key can be used to derive all the other hierarchical child keys! Worse, they can be used to deduce the parent private key!! To counter this, HD wallets use hardened key derivation to break the relationship between the parent public key and the child chain code.

Generating the child public key using hardened child key derivation:

1- The parent private key (256 bit) + parent chain code (256 bit) + index integer (32 bit) are combined and run through the HMAC-SHA512 function to produce another 512 bit sequence.
2- The right 256 bits of the 512 bit sequence will form the child chain code
3- The left 256 bits + parent private key will be used to produce the child private key through some function
4- The child public key will be created using the normal k * G process.

The resulting branch of public keys is used to derive public keys that are not “vulnerable” in this way. As a best practice, the children derived from the master key should be derived with hardened key derivation.

HD Wallet Paths

m => master private key
M => master public key
m/0/1 => the 2nd grandchild private key of the 1st child (m/0)
M/0/2 => the 3rd grandchild public key of the 1st child (M/0)
m/0'/0 => the 1st grandchild private key derived from the 1st child, which was itself derived with hardened key derivation (the apostrophe marks a hardened index)

BIP044 Wallet Path Structure: m / purpose' / coin_type' / account' / change / address_index
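The derivation rules from the HD wallet sections above (master keys from the root seed, non-hardened child private and public keys, hardened child keys, and the m/0'/1 style paths) as one added Python example; this is not code from the book or this post. It implements secp256k1 point arithmetic by hand so it runs on a plain Python 3.8+ install, and it fills in the BIP32 details the notes leave as "some function": the HMAC key "Bitcoin seed" for the master key, the 0x80000000 offset for hardened indices, child private key = (left 256 bits + parent private key) mod n, and child public key = (left 256 bits) * G + parent public key. The last function shows the risk that motivates hardened derivation: an extended public key plus one leaked non-hardened child private key yields the parent private key, while for a hardened index the same computation cannot be done by an xpub holder. Base58Check encoding of xprv/xpub strings is left out.

```python
import hashlib
import hmac

# Added example (not from the book or the post): BIP32 key derivation with a
# minimal hand-written secp256k1. Requires Python 3.8+ for pow(x, -1, p).

# secp256k1 curve constants: field prime, group order, generator G
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000  # indices >= 2^31 are hardened (written 0' or 0h in paths)


def point_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def point_mul(k, point=G):
    """The 'k * G' step: double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def ser_p(point):
    """Compressed public key: prefix byte 02/03 (parity of y) + 32-byte x = 264 bits."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def master_from_seed(seed: bytes):
    """HMAC-SHA512 over the root seed: left 256 bits = master private key, right = chain code."""
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(I[:32], "big"), I[32:]


def ckd_priv(k_par: int, c_par: bytes, i: int):
    """Child private key and chain code from the parent private key (hardened if i >= HARDENED)."""
    if i >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big")   # parent PRIVATE key goes into the HMAC
    else:
        data = ser_p(point_mul(k_par))                 # parent public key (264 bit)
    I = hmac.new(c_par, data + i.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(I[:32], "big")
    if il >= N or (il + k_par) % N == 0:
        raise ValueError("invalid child at this index; use the next index")
    return (il + k_par) % N, I[32:]                    # 'some function' = addition mod n


def ckd_pub(K_par, c_par: bytes, i: int):
    """Child public key from an extended public key only; hardened children are impossible here."""
    if i >= HARDENED:
        raise ValueError("hardened derivation needs the parent private key")
    I = hmac.new(c_par, ser_p(K_par) + i.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(I[:32], "big")
    return point_add(point_mul(il), K_par), I[32:]     # IL*G + K_par


def derive_path(seed: bytes, path: str):
    """Walk an HD path such as m/0'/1 from the root seed to (private key, chain code)."""
    parts = path.split("/")
    if parts[0] != "m":
        raise ValueError("path must start with m")
    k, c = master_from_seed(seed)
    for part in parts[1:]:
        hardened = part.endswith(("'", "h", "H"))
        i = int(part.rstrip("'hH")) + (HARDENED if hardened else 0)
        k, c = ckd_priv(k, c, i)
    return k, c


def parent_key_from_leaked_child(K_par, c_par: bytes, i: int, k_child: int) -> int:
    """Why hardened derivation exists: given an xpub (K_par, c_par) and ONE leaked
    non-hardened child private key, k_par = k_child - IL mod n. For a hardened
    index IL depends on k_par itself, so an xpub holder cannot compute it."""
    if i >= HARDENED:
        raise ValueError("hardened child keys do not expose the parent key this way")
    I = hmac.new(c_par, ser_p(K_par) + i.to_bytes(4, "big"), hashlib.sha512).digest()
    return (k_child - int.from_bytes(I[:32], "big")) % N
```

Running derive_path against the BIP32 test vector 1 seed (000102030405060708090a0b0c0d0e0f) reproduces the published m, m/0' and m/0'/1 keys, and ckd_pub on the m/0' extended public key gives the same m/0'/1 public key as k * G of the privately derived key. The consequence for wallet design is the one the notes draw: treat an xpub as sensitive whenever any non-hardened child private key below it could leak, and derive account-level children from the master key with hardened indices.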

Paper Wallets

Bitcoin private keys printed on paper. Such private keys can be encrypted using BIP0038.

Hope that was helpful. I plan to have my next upcoming notes talking about ‘The Bitcoin Network’.


Ismail Akkila

I live and breathe technology. Curious about programming, bitcoin and cybersecurity.