crypto for all
Join
A
A

Bitcoin – How to derive the keys from the twelve words?

Wed 02 Aug 2023 ▪ 6 min read ▪ by Nicolas T.
Learn Cybersecurity

Wallets are designed in such a way that a simple dozen words can be used to reconstruct thousands of addresses. But how?

HD Bitcoin wallet

Wallet BIP-32

Wallet HD stands for Hierarchical and Deterministic. These wallets use a single protocol to create addresses from seed.

Behind each address is a public key. It’s important to keep this in mind. An address is just an encoding of a public key. It’s all the same.

This concept of deterministic key derivation was introduced by Peter Wuille in BIP-32. In simple terms, the same seed will always produce the same private/public key pairs.

So a single seed is enough to restore dozens or hundreds of key pairs to which your BTCs are linked. Or even millions, in the case of an exchange.

Before going any further, it should be noted that a wallet can function perfectly well with a single pair of keys. The problem is the loss of confidentiality. So it’s best to create a new address (a new key pair) for each transaction.

Deriving keys from the seed

Here’s how the original seed is created. It all starts with the generation of an “entropy”, which is a random number of 128, 256 or 512 bits.

Let’s take the 128-bit entropy we previously used:

0 0 0 0 0 1 1 0 1 1 0 0 1 0 0 1 1 0 0 0 1 0 0 1 0 0 1 1 0 1 0 1 1 1 1 0 1 0 1 1 1 1 0 1 0 1 1 1 0 1 0 0 1 0 1 0 0 0 1 1 0 0 0 0 1 1 0 1 0 1 0 1 0 1 1 0 0 0 1 1 1 1 1 0 0 1 1 1 1 0 0 1 0 1 0 0 1 1 0 0 1 0 0 1 1 0 0 0 1 0 0 1 1 1 0 1 1 0 0 0 1 1 1 0 0 0 0 1

This number is randomly generated and expressed above in binary (base 2). Which, incidentally, corresponds to the number (9,021,802,605,472,555,840,788,517,848,795,437,281) in the decimal system (base 10).

This entropy is used to create the mnemonic phrase (the 12 words), which in our case will be :

Allow Equip essence Stuff Innocent Blue Fever Lamp Net Equip Invite Second

The mnemonic phrase is then converted into a hash using the HMAC-SHA-512 hash function. This hash is the famous 512-bit seed :

b8485829b0151585b9c24ba336811b7274c08d0d44380028f01f7d7e5e5c2e26811cef5b44c9785ffae7341ed8ec6f079a77829136b148b72b73f70ea7d31c02

The seed is expressed here in hexadecimal rather than bits, so as not to take up too much space.

This seed is then split in two to create the Master Private Key (m) and the main string code (c).

The 256 bits on the left act as the Master Private Key:

b8485829b0151585b9c24ba336811b7274c08d0d44380028f01f7d7e5e5c2e26

The 256 bits on the right are the very first string code:

811cef5b44c9785ffae7341ed8ec6f079a77829136b148b72b73f70ea7d31c02

Simple, isn’t it? Here’s an illustration:

HD wallet
Source: Mastering Bitcoin by Andreas Antonopoulos (Github)

The master private key (m) is then used to generate a corresponding master public key (M) using elliptic curve cryptography. This part is less obvious, but we’ll explain it shortly.

The other key pairs are then created in the same way. Except that, instead of starting with the seed, we start with the “extended public key” (or “Xpub” in the jargon).

This extended public key combines :

  • The master public key
  • An index number. The first derived key will have index number 0, the second index number 1, and so on.
  • The string code.

Example of an extended key:

xprv9v3zEm9W9QhLnMUEG9BkmpmGAf96uXh5NLMsdLWCVLur1fj26MY5ZjcXrb2aBF4U6uhzzs7Vw9jGopHxBYjsSmgozFBakbGiBgffGH

These three pieces of information put together form an “extended” public key, which will again be hashed by HMAC-SHA-512. The resulting hash will again be split into two 256-bit halves, one forming the daughter private key and the other a new string code.

By modifying the index, it is possible to extend the number of daughter keys 1,2,3, and so on. Each extended key can generate more than two billion daughter keys. And therefore as many bitcoin addresses.

And each daughter key can be used to create an extended key from which a new series of daughter keys (a new branch) can be derived:

wallet HD

That’s why BIP-32 lets you recover all your bitcoins with just a dozen words.

And since all wallets have adopted this protocol, you can also change wallet like shirt with the same seed.

Maximize your Cointribune experience with our "Read to Earn" program! For every article you read, earn points and access exclusive rewards. Sign up now and start earning benefits.



Join the program
A
A
Nicolas T. avatar
Nicolas T.

Bitcoin, geopolitical, economic and energy journalist.

DISCLAIMER

The views, thoughts, and opinions expressed in this article belong solely to the author, and should not be taken as investment advice. Do your own research before taking any investment decisions.