ArcBlock Technical Learning Series Presents Understanding HD Wallets. This talk will look at the building blocks to creating a virtual currency wallet including some of the basic design ideas, and implementation methods.

1. Understanding HD Wallets: Design and Implementation
Brought to you by Shijun Wang
1

2. HD Wallet= Hierarchical Deterministic Wallet
2

3. Wallet
3

4. What is Wallet?
• Wallets contain keys, not coins, each user has a wallet containing keys
• Users sign transactions with the keys, all transactions stored on blockchain
4

5. What is Wallet? (ctnd.) 5

6. Deterministic Wallet
6

7. What is Non-Deterministic Wallet?
Random Wallet
• Private/public key pairs are generated randomly, not related to each other
• Backup/restore/migration must be done with each key pair
• Satoshi Client : JBOK (just a bunch of keys)
7

8. What is Non-Deterministic Wallet? (ctnd.) 8

9. What is Deterministic Wallet?
Seeded Wallet
• Derive large amounts of private/public key pairs from same single seed phrase
• Backup/restore/migration can be done with the seed phrase at creation time
• Derive algorithm = one way hash function
• Deterministic wallets can be sequential or hierarchical
9

10. What is Sequential Deterministic Wallet? 10

11. Hierarchical Deterministic Wallet
11

12. What is Hierarchical Deterministic Wallet? 12

13. What is Hierarchical Deterministic Wallet? (ctnd.)
• Generated private/public key pairs are organized into a tree, derived using a path
• Tree structure can be used to express additional organizational meaning
• Each node has private and public key, any node can derive any number of children
• Can be shared partially or entirely with different systems, each with or without the ability to
spend coins
• Industry standard for generating multiple network wallets with same seed phrase,
supported by most wallet apps
13

14. Design and Implementation (BIP32 and BIP44)
14

15. What is BIP then?
BIP = Bitcoin Improvement Proposal
Design document providing information to the Bitcoin community, or describing a new
feature for Bitcoin or its processes or environment. Each BIP is assigned a number.
• Meta BIP
• BIP Workflow
• Complete BIP list
15

16. HD Wallet related BIPs
• BIP32: Hierarchical Deterministic Wallets
• BIP43: Purpose Field for Deterministic Wallets
• BIP44: Multi-Account Hierarchy for Deterministic Wallets
16

17. What is BIP32?
Core BIP related to HD Wallet
• Spec for key pair derivation from a master seed
• Spec for wallet construction on top of such key pair tree
17

18. BIP32: Child Key Derivation Algorithm?
Child Key Derivation function
• CKD is one-way hash function that make uses of following 3 inputs
• A parent private or public key
• A seed called a chain code
• An index number (32 bits means 2^32 child)
• Important property of derived keys
• Child private keys are indistinguishable from non-deterministic (random) keys
• Can be used to make a public key and a address
• Can be used to sign transactions to spend anything paid to that address
• The fact that they are part of a sequence is not visible outside of the HD wallet
18

19. BIP32: How to Derive Child Private Key? 19

20. BIP32: How to Derive Child Public Key? 20

21. BIP32: How to Derive Child Key: Javascript
HDKey.prototype.deriveChild = function(index) {
var indexBuffer = Buffer.allocUnsafe(4);
indexBuffer.writeUInt32BE(index, 0);
var data = Buffer.concat([this.publicKey, indexBuffer]);
var I = crypto.createHmac('sha512', this.chainCode).update(data).digest();
var IL = I.slice(0, 32);
var IR = I.slice(32);
var child = new HDKey();
if (this.privateKey) {
child.privateKey = secp256k1.privateKeyTweakAdd(this.privateKey, IL);
} else {
child.publicKey = secp256k1.publicKeyTweakAdd(this.publicKey, IL, true);
}
child.chainCode = IR;
child.depth = this.depth + 1;
child.index = index;
return child;
};
21

22. BIP32: Child Key Derive Function Notation
• Child private key derivation:
• Child public key derivation:
22

23. BIP32: Why Chain Code in CKD?
• Introduce deterministic random data to the process
• Initial chain code seed (at the root of the tree) is generated from the seed
• Subsequent child chain codes are derived from each parent chain code
• Add another layer to HD wallet privacy
• Public key can be easily found, if chain code not present, all child keys are revealed
23

24. BIP32: What is Extended Key?
Child key derivation requires both parent key and parent chain code.
• Extensible keys, keys that can derive children
• Extended Private Key = Private Key + Chain Code , xpriv
• Extended Public Key = Public Key + Chain Code , xpub
• Can be root of a branch in the tree structure of the HD wallet
• Knowing xpriv allows reconstruction of all descendant private keys and public keys
• Knowing xpub allows reconstruction of all descendant public keys
• Should be treated with more care than random generated public key
24

25. BIP32: Where Should We Start? Master Key!
Now we have CKD functions, where should we start to generate a tree?
• Generate random extended keys directly?
• We have a total of 2^512 extended keys, because it’s 512 bits long
• But can only produced 2^256 possible public/private keys, because they are 256 bits long
• Generate master key from potential random value ( better )
• Generate seed of a chosen length from RNG
• Calculate HMAC-SHA512 hash from the seed
• Split hash into 2 256-bits sequences
• Left as master secret key, right as master chain code
25

26. BIP32: From Seed to Master Key and Extended Key 26

27. BIP32: Security Flaw with CKD 27

28. BIP32: Rescue to Security Flaw: Hardened CKD 28

29. BIP32: Child Key Derive Path Notation
• CKDpriv(CKDpriv(CKDpriv(m,3),2),5) => m/3/2/5
• CKDpriv(CKDpriv(CKDpriv(m,3H),2),5) => m/3'/2/5
• CKDpub(CKDpub(CKDpub(m,0),0),0) => M/0/0/0
29

30. BIP32: HD Wallet Structure Overview 30

31. Why BIP44? 31

32. Why BIP44?
• BIP32 specification offers implementors too many degrees of freedom, infinite depth
• BIP32 compatible wallets can produce wallets with different logical structures
32

33. What is BIP44?
• BIP43: Purpose Field for Deterministic Wallets
• BIP44: Multi-Account Hierarchy for Deterministic Wallets
• Defined a specific logical hierarchy for deterministic wallets based on the
algorithm described in BIP-32
• Provided a network agnostic method of generating secure keys in an incredibly
flexible manner
33

34. BIP44: Derive Path Notation
Notation
Example
• CKD: m : CKDpriv is used, M for CKDPub
• Purpose: 44' , hardened , which spec is used, 44 means BIP44
• Coin: 60' , hardened , 60 means Ethereum, coin types
• Account: 0' , hardened , enable multiple accounts under single network
• Change: 0 , 0 means external in Bitcoin, always 0 in Ethereum
• Index: 0 , the first public/private key pair leaf node
m / purpose' / coin_type' / account' / chain / address_index
m/44'/60'/0'/0/0
34

35. Making HD Wallet User Friendly (BIP39)
35

36. Why BIP39? 36

37. What is Mnemonic Code?
Mnemonic Code = Word sequences that represent a random number
used as a seed to derive HD wallets
• Easy to transcribe, record on paper
• Easy to export and import into another wallet
• More secure than brain wallet ,
37

38. What is BIP39?
Mnemonic code for generating deterministic keys
• Describes how to generate mnemonic code from random number
• Describes how to convert mnemonic code to master seed
38

39. BIP39: Mnemonic Generating Work ow 39

40. BIP39: Entropy and Mnemonic code
Different length of random number( entropy ) leads to different Mnemonic length
Entropy Checksum Entropy + Checksum Mnemonic Length
128 4 132 12
160 5 165 15
192 6 198 18
224 7 231 21
256 8 264 24
Mnemonic word duplicate is possible
40

41. BIP39: Mnemonic Code Wordlist
Multilingual support (2048 words in each language):
• English
• Japanese
• Korean
• Spanish
• Chinese (Simplified)
• Chinese (Traditional)
• French
• Italian
41

42. BIP39: Mnemonic Generating Code: Javascript
function generateMnemonic(strength, rng, wordlist) {
strength = strength || 128;
if (strength % 32 !== 0) throw new TypeError(INVALID_ENTROPY);
rng = rng || randomBytes;
return entropyToMnemonic(rng(strength / 8), wordlist);
}
function entropyToMnemonic(entropy, wordlist) {
if (!Buffer.isBuffer(entropy)) entropy = Buffer.from(entropy, 'hex');
wordlist = wordlist || DEFAULT_WORDLIST;
var entropyBits = bytesToBinary([].slice.call(entropy));
var checksumBits = deriveChecksumBits(entropy);
var bits = entropyBits + checksumBits;
var chunks = bits.match(/(.{1,11})/g);
var words = chunks.map(function(binary) {
var index = binaryToByte(binary);
return wordlist[index];
});
return wordlist === JAPANESE_WORDLIST ? words.join('u3000') : words.join(' ');
}
42

43. BIP39: Possible to Brute Force Attack Mnemonic?
Take 12 words mnemonic, 2048 word list as example:
• Possible permutation = 2048!/(2048 - 12)! = 5.27e+39
• 10000 guess/second = 10000 * 60 * 60 * 24 * 364 = 3.15*e+11 guess/year
• Years take to check all = 1.67e+28 year
Longer Mnemonic = Better Randomness = Better Security
43

44. BIP39: From Mnemonic to Master Seed 44

45. BIP39: From Mnemonic to Master Seed (code)
function mnemonicToSeed(mnemonic, password) {
var mnemonicBuffer = Buffer.from(unorm.nfkd(mnemonic), 'utf8');
var saltBuffer = Buffer.from(salt(unorm.nfkd(password)), 'utf8');
return pbkdf2(mnemonicBuffer, saltBuffer, 2048, 64, 'sha512');
}
45

46. BIP39: Mnemonic + Passphrase = Better Security
• Mnemonic
• Checksum makes randomly generated word sequences invalid mnemonic
• Possible set of 2^512 wallets, no practical possibility of brute-forcing or accidentally guessing
one that is in use
• Passphrase
• Given a single mnemonic, every possible passphrase leads to a different seed
• Passphrase as second factor, makes it hard to compromise the wallet when mnemonic leaked
46

47. Connect the Dots
47

48. Mnemonic => Ethereum HD Wallet
const bip39 = require('bip39');
const HDKey = require('hdkey');
const EthUtil = require('ethereumjs-util');
const mnemonic = bip39.generateMnemonic(128);
const seed = bip39.mnemonicToSeed(mnemonic, '');
const master = HDKey.fromMasterSeed(seed);
const account = master.derive("m/44'/60'/0'");
const addr = account.deriveChild(0).deriveChild(0);
const pubKey = EthUtil.privateToPublic(addr.privateKey);
const address = EthUtil.publicToAddress(pubKey).toString('hex');
// address: 0xd98efff831aaa4fe8834f9cb211d8397193a5492
48

49. Mnemonic HD Wallet in Action
49

50. One More Thing
50

51. Where to Learn More?
• BIP32: Hierarchical Deterministic Wallets
• BIP39: Mnemonic code for generating deterministic keys
• BIP43: Purpose Field for Deterministic Wallets
• BIP44: Multi-Account Hierarchy for Deterministic Wallets
• Master Bitcoin 2nd Edition: Wallets and Address
• Bitcoin Developer Guide
• HD Wallet Playground: Support Many Chains
• HD Wallet Playground: Only Ethereum Support
51

52. 52