ArcBlock Technical Learning Series Presents Understanding HD Wallets. This talk looks at the building blocks of creating a virtual currency wallet, including some of the basic design ideas and implementation methods.
4. What is Wallet?
• Wallets contain keys, not coins; each user has a wallet containing keys
• Users sign transactions with those keys; all transactions are stored on the blockchain
7. What is Non-Deterministic Wallet?
Random Wallet
• Private/public key pairs are generated randomly and are not related to each other
• Backup/restore/migration must be done for each key pair
• Satoshi Client: JBOK (just a bunch of keys)
9. What is Deterministic Wallet?
Seeded Wallet
• Derive a large number of private/public key pairs from the same single seed phrase
• Backup/restore/migration can be done with the seed phrase captured at creation time
• Derivation algorithm = one-way hash function
• Deterministic wallets can be sequential or hierarchical
13. What is Hierarchical Deterministic Wallet? (ctnd.)
• Generated private/public key pairs are organized into a tree and derived using a path
• The tree structure can be used to express additional organizational meaning
• Each node has a private and a public key; any node can derive any number of children
• Can be shared partially or entirely with different systems, each with or without the ability to spend coins
• Industry standard for generating multiple network wallets from the same seed phrase, supported by most wallet apps
15. What is BIP then?
BIP = Bitcoin Improvement Proposal
Design document providing information to the Bitcoin community, or describing a new
feature for Bitcoin or its processes or environment. Each BIP is assigned a number.
• Meta BIP
• BIP Workflow
• Complete BIP list
16. HD Wallet related BIPs
• BIP32: Hierarchical Deterministic Wallets
• BIP43: Purpose Field for Deterministic Wallets
• BIP44: Multi-Account Hierarchy for Deterministic Wallets
17. What is BIP32?
Core BIP related to HD Wallet
• Spec for key pair derivation from a master seed
• Spec for wallet construction on top of such key pair tree
18. BIP32: Child Key Derivation Algorithm?
Child Key Derivation function
• CKD is a one-way hash function that makes use of the following 3 inputs:
  • A parent private or public key
  • A seed called a chain code
  • An index number (32 bits, so 2^32 children per node)
• Important properties of derived keys:
  • Child private keys are indistinguishable from non-deterministic (random) keys
  • Can be used to make a public key and an address
  • Can be used to sign transactions to spend anything paid to that address
  • The fact that they are part of a sequence is not visible outside of the HD wallet
21. BIP32: How to Derive Child Key: Javascript
var crypto = require('crypto');
var secp256k1 = require('secp256k1');   // v3 API: the tweak functions return a new Buffer

function HDKey() { this.depth = 0; this.index = 0; }

// Non-hardened CKD as in the hdkey library (simplified): HMAC-SHA512 keyed with the
// parent chain code over parentPublicKey || index. Hardened derivation (index >= 0x80000000)
// hashes 0x00 || parentPrivateKey || index instead and is omitted here.
HDKey.prototype.deriveChild = function(index) {
  var indexBuffer = Buffer.allocUnsafe(4);
  indexBuffer.writeUInt32BE(index, 0);                 // ser32(i), big-endian
  var data = Buffer.concat([this.publicKey, indexBuffer]);
  var I = crypto.createHmac('sha512', this.chainCode).update(data).digest();
  var IL = I.slice(0, 32);                             // left 256 bits: key tweak
  var IR = I.slice(32);                                // right 256 bits: child chain code
  var child = new HDKey();
  if (this.privateKey) {
    // k_child = (k_parent + IL) mod n; the child public key follows from it
    child.privateKey = secp256k1.privateKeyTweakAdd(this.privateKey, IL);
    child.publicKey = secp256k1.publicKeyCreate(child.privateKey, true);
  } else {
    // K_child = K_parent + IL*G; only possible for non-hardened indices
    child.publicKey = secp256k1.publicKeyTweakAdd(this.publicKey, IL, true);
  }
  child.chainCode = IR;
  child.depth = this.depth + 1;
  child.index = index;
  return child;
};
22. BIP32: Child Key Derive Function Notation
• Child private key derivation:
• Child public key derivation:
23. BIP32: Why Chain Code in CKD?
• Introduces deterministic random data into the process
• The initial chain code (at the root of the tree) is generated from the seed
• Subsequent child chain codes are derived from each parent chain code
• Adds another layer of privacy to the HD wallet
• A public key is easy to obtain; without a chain code in the derivation, knowing one public key would reveal all of its child keys
24. BIP32: What is Extended Key?
Child key derivation requires both the parent key and the parent chain code.
• Extended keys: keys that can derive children
• Extended Private Key = Private Key + Chain Code (xpriv)
• Extended Public Key = Public Key + Chain Code (xpub)
• Can be the root of a branch in the tree structure of the HD wallet
• Knowing an xpriv allows reconstruction of all descendant private keys and public keys
• Knowing an xpub allows reconstruction of all descendant public keys
• Should be treated with more care than a randomly generated public key
25. BIP32: Where Should We Start? Master Key!
Now that we have CKD functions, where should we start to generate the tree?
• Generate random extended keys directly?
  • There are 2^512 possible extended keys, because an extended key is 512 bits long
  • But only 2^256 possible public/private keys can be produced, because a key is 256 bits long
• Generate the master key from a random value (better)
  • Generate a seed of a chosen length from an RNG
  • Calculate the HMAC-SHA512 hash of the seed
  • Split the hash into two 256-bit halves
  • Left half is the master secret key, right half is the master chain code
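To tie slides 18 to 25 (and the path notation of slide 34) together, here is an added Python example, not code from the talk or from any library it names, that implements the master key from a seed, CKDpriv (hardened and non-hardened), CKDpub and a path parser. It carries a small pure-Python secp256k1 routine, an assumption made so the block runs offline, and checks itself against BIP32 test vector 1 (seed 000102...0f).

```python
import hmac, hashlib

# secp256k1 parameters; pure-Python point arithmetic is fine for a demo, never for real keys
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 2 ** 31                   # index >= 2^31 (the 44' / 60' / 0' in slide 34) is hardened

def _add(a, b):                      # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def _mul(k, pt=G):                   # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = _add(r, pt)
        pt, k = _add(pt, pt), k >> 1
    return r

def ser_p(pt): return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")   # compressed SEC
def pub_from_priv(k): return ser_p(_mul(int.from_bytes(k, "big")))
def parse_p(b):                      # decompress: y^2 = x^3 + 7; P % 4 == 3 so sqrt is a pow
    x = int.from_bytes(b[1:], "big"); y = pow(x ** 3 + 7, (P + 1) // 4, P)
    return (x, y if (y & 1) == (b[0] & 1) else P - y)

def master_from_seed(seed):          # slide 25: HMAC-SHA512 of the seed, split into two halves
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return I[:32], I[32:]            # (master secret key, master chain code)

def ckd_priv(k_par, c_par, i):       # CKDpriv: hardened hashes 0x00||k_par, normal hashes ser_P(K_par)
    data = b"\x00" + k_par if i >= HARDENED else pub_from_priv(k_par)
    I = hmac.new(c_par, data + i.to_bytes(4, "big"), hashlib.sha512).digest()
    k_i = (int.from_bytes(I[:32], "big") + int.from_bytes(k_par, "big")) % N
    return k_i.to_bytes(32, "big"), I[32:]   # BIP32 also rejects IL >= N or k_i == 0 (negligible)

def ckd_pub(K_par, c_par, i):        # CKDpub: an xpub can only derive non-hardened children
    if i >= HARDENED: raise ValueError("hardened child cannot be derived from an xpub")
    I = hmac.new(c_par, K_par + i.to_bytes(4, "big"), hashlib.sha512).digest()
    return ser_p(_add(_mul(int.from_bytes(I[:32], "big")), parse_p(K_par))), I[32:]

def derive_path(seed, path):         # slide 34 notation, e.g. "m/44'/60'/0'/0/0"
    k, c = master_from_seed(seed)
    for step in path.split("/")[1:]:
        k, c = ckd_priv(k, c, int(step.rstrip("'")) + (HARDENED if step.endswith("'") else 0))
    return k, c
```

The check worth noticing is that CKDpub applied to the parent xpub yields exactly the public key of the child produced by CKDpriv, which is why an xpub alone exposes every non-hardened descendant public key.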
32. Why BIP44?
• The BIP32 specification offers implementors too many degrees of freedom (for example, infinite depth)
• BIP32-compatible wallets can therefore produce wallets with different logical structures
33. What is BIP44?
• BIP43: Purpose Field for Deterministic Wallets
• BIP44: Multi-Account Hierarchy for Deterministic Wallets
• Defines a specific logical hierarchy for deterministic wallets based on the algorithm described in BIP32
• Provides a network-agnostic method of generating secure keys in an incredibly flexible manner
34. BIP44: Derive Path Notation
Notation: m / purpose' / coin_type' / account' / chain / address_index
Example: m/44'/60'/0'/0/0
• m: the master node; m means CKDpriv is used, M means CKDpub
• Purpose: 44', hardened; says which spec is used, 44 means BIP44
• Coin: 60', hardened; 60 means Ethereum (see the registered coin types)
• Account: 0', hardened; enables multiple accounts under a single network
• Change: 0; 0 means external in Bitcoin, always 0 in Ethereum
• Index: 0; the first public/private key pair leaf node
37. What is Mnemonic Code?
Mnemonic Code = a word sequence that represents a random number, used as the seed to derive an HD wallet
• Easy to transcribe and record on paper
• Easy to export and import into another wallet
• More secure than a brain wallet
38. What is BIP39?
Mnemonic code for generating deterministic keys
• Describes how to generate mnemonic code from random number
• Describes how to convert mnemonic code to master seed
40. BIP39: Entropy and Mnemonic code
Different lengths of random number (entropy) lead to different mnemonic lengths:
Entropy (bits) | Checksum (bits) | Entropy + Checksum (bits) | Mnemonic length (words)
128            | 4               | 132                       | 12
160            | 5               | 165                       | 15
192            | 6               | 198                       | 18
224            | 7               | 231                       | 21
256            | 8               | 264                       | 24
Duplicate words within a mnemonic are possible
41. BIP39: Mnemonic Code Wordlist
Multilingual support (2048 words in each language):
• English
• Japanese
• Korean
• Spanish
• Chinese (Simplified)
• Chinese (Traditional)
• French
• Italian
42. BIP39: Mnemonic Generating Code: Javascript
var createHash = require('create-hash');
var randomBytes = require('randombytes');
// wordlists are 2048-entry arrays; the paths below assume the bip39 package layout
var DEFAULT_WORDLIST = require('./wordlists/english.json');
var JAPANESE_WORDLIST = require('./wordlists/japanese.json');
var INVALID_ENTROPY = 'Invalid entropy';

function lpad(str, padString, length) {
  while (str.length < length) str = padString + str;
  return str;
}
function bytesToBinary(bytes) {                 // [0x0a, ...] -> '00001010...'
  return bytes.map(function(x) { return lpad(x.toString(2), '0', 8); }).join('');
}
function binaryToByte(bin) { return parseInt(bin, 2); }
function deriveChecksumBits(entropyBuffer) {    // first ENT/32 bits of SHA-256(entropy)
  var ENT = entropyBuffer.length * 8;
  var CS = ENT / 32;
  var hash = createHash('sha256').update(entropyBuffer).digest();
  return bytesToBinary([].slice.call(hash)).slice(0, CS);
}
function generateMnemonic(strength, rng, wordlist) {
  strength = strength || 128;                   // bits of entropy: 128, 160, 192, 224 or 256
  if (strength % 32 !== 0) throw new TypeError(INVALID_ENTROPY);
  rng = rng || randomBytes;
  return entropyToMnemonic(rng(strength / 8), wordlist);
}
function entropyToMnemonic(entropy, wordlist) {
  if (!Buffer.isBuffer(entropy)) entropy = Buffer.from(entropy, 'hex');
  wordlist = wordlist || DEFAULT_WORDLIST;
  var entropyBits = bytesToBinary([].slice.call(entropy));
  var checksumBits = deriveChecksumBits(entropy);
  var bits = entropyBits + checksumBits;        // ENT + ENT/32 bits in total
  var chunks = bits.match(/(.{1,11})/g);        // 11 bits per word -> index into 2048 words
  var words = chunks.map(function(binary) {
    var index = binaryToByte(binary);
    return wordlist[index];
  });
  // Japanese mnemonics are joined with the ideographic space U+3000
  return wordlist === JAPANESE_WORDLIST ? words.join('\u3000') : words.join(' ');
}
43. BIP39: Possible to Brute Force Attack Mnemonic?
Take a 12-word mnemonic with a 2048-word list as an example:
• Possible permutations = 2048!/(2048 - 12)! = 5.27e+39
• At 10000 guesses/second = 10000 * 60 * 60 * 24 * 364 = 3.15e+11 guesses/year
• Years needed to check them all = 1.67e+28
Longer mnemonic = more randomness = better security
45. BIP39: From Mnemonic to Master Seed (code)
var unorm = require('unorm');                        // NFKD normalisation of mnemonic and passphrase
var pbkdf2 = require('pbkdf2').pbkdf2Sync;

function salt(password) {                            // BIP39 salt = "mnemonic" + passphrase
  return 'mnemonic' + (password || '');
}
function mnemonicToSeed(mnemonic, password) {
  var mnemonicBuffer = Buffer.from(unorm.nfkd(mnemonic), 'utf8');
  var saltBuffer = Buffer.from(salt(unorm.nfkd(password || '')), 'utf8');
  // 2048 rounds of PBKDF2-HMAC-SHA512 produce the 64-byte (512-bit) master seed
  return pbkdf2(mnemonicBuffer, saltBuffer, 2048, 64, 'sha512');
}
46. BIP39: Mnemonic + Passphrase = Better Security
• Mnemonic
  • The checksum makes most randomly chosen word sequences invalid mnemonics
  • Possible set of 2^512 wallets: no practical possibility of brute-forcing or accidentally guessing one that is in use
• Passphrase
  • Given a single mnemonic, every possible passphrase leads to a different seed
  • The passphrase acts as a second factor, making the wallet hard to compromise when the mnemonic leaks
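Added Python example (not from the talk or the bip39 library) covering slides 40, 45 and 46: the checksum and 11-bit split, validation of a word-index sequence, and the PBKDF2 seed derivation with an optional passphrase. It works on wordlist indices rather than words because the 2048-word list is not embedded; the test uses the well-known all-zero-entropy vector (eleven times "abandon" then "about", passphrase "TREZOR").

```python
import hashlib, unicodedata

def entropy_to_indices(entropy):
    # Slide 40: ENT bits of entropy + ENT/32 checksum bits, cut into 11-bit wordlist indices
    ent = len(entropy) * 8
    if ent % 32 or not 128 <= ent <= 256:
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    cs = ent // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs)   # first ENT/32 bits of SHA-256
    bits = (int.from_bytes(entropy, "big") << cs) | checksum
    words = (ent + cs) // 11
    return [(bits >> (11 * (words - 1 - j))) & 0x7FF for j in range(words)]

def validate_indices(indices):
    # Slide 46: rebuild the entropy and recompute the checksum; a random word sequence
    # only passes with probability 2^-(ENT/32)
    if len(indices) not in (12, 15, 18, 21, 24):
        raise ValueError("mnemonic must be 12, 15, 18, 21 or 24 words")
    n = len(indices) * 11
    ent = n * 32 // 33                            # n = ENT + ENT/32
    bits = 0
    for idx in indices:
        if not 0 <= idx < 2048:
            raise ValueError("index outside the 2048-word list")
        bits = (bits << 11) | idx
    entropy = (bits >> (n - ent)).to_bytes(ent // 8, "big")
    if entropy_to_indices(entropy) != indices:
        raise ValueError("checksum mismatch: not a valid mnemonic")
    return entropy

def mnemonic_to_seed(mnemonic, passphrase=""):
    # Slide 45: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase, NFKD-normalised
    m = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    s = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, s, 2048, 64)
```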
51. Where to Learn More?
• BIP32: Hierarchical Deterministic Wallets
• BIP39: Mnemonic code for generating deterministic keys
• BIP43: Purpose Field for Deterministic Wallets
• BIP44: Multi-Account Hierarchy for Deterministic Wallets
• Mastering Bitcoin, 2nd Edition: Wallets and Addresses
• Bitcoin Developer Guide
• HD Wallet Playground: Support Many Chains
• HD Wallet Playground: Only Ethereum Support