This article is the fifth in a series of insights into the more purely technical part of Bitcoin, accessible even to those who are not familiar with coding.
This article is also a sort of guide designed to gradually go down what many call “the rabbit hole”.
In terms of books, it is necessary to mention “Mastering Bitcoin” by Andreas Antonopoulos, a regular reference, from which the images in this article were taken.
A wallet is a container of private keys, not coins. The keys are used to sign the transactions that actually send the coins, storing them on the blockchain in the form of UTXO, from one address to another. There are different types of wallets.
Non-deterministic random wallets (Type-0 non-deterministic wallets, “Just a Bunch Of Keys,” or JBOK). In the first Bitcoin clients, the wallets were simply randomly generated collections of keys (Bitcoin Core pre-generated initially 100 private keys, and subsequently additional when necessary, using each key only once (contrasting with the principle of avoiding the reuse of addresses to preserve privacy).
Deterministic wallets (Seeded). These are wallets containing private keys that are generated from a single seed. The seed is sufficient to restore all the derived keys and therefore a single backup is sufficient at the time of creation.
Mnemonic Code Words. (BIP 39) Mnemonic codes are sequences of words encoding a random number used as a seed to derive a deterministic wallet. A wallet application that implements deterministic wallets with a mnemonic code will show the user a sequence of 12-24 words when creating a wallet for the first time. This sequence of words is the wallet backup and can be used to retrieve and recreate all the keys in the same or in any compatible wallet application.
Hierarchical Deterministic wallets (or HD wallets – BIP 32 / BIP 44) The most advanced form of a deterministic wallet is the HD wallet defined by the BIP 32 standard. HD wallets contain derived keys in a tree structure so that a mother key can be used to derive a sequence of daughter keys, and each of these can be used to derive a sequence of grandchildren keys, and so on. This provides advantages:
- The tree structure can be used to represent an additional organisational structure (e.g. one branch of sub-keys for incoming payments and another to receive the rest from outgoing payments; one branch for each branch of business, etc);
- the ability to create a sequence of public keys without having access to the corresponding private keys (allows use on a non-secure server or with only reception capacity, with the issuance of a different public key for each transaction).
HD wallets are created from a single root seed (a random number of 128, 256, or 512 bits), everything else is derived in a deterministic way.
The root seed is the input to the HMAC-SHA512 algorithm and the resulting hash is used to create a master private key (m) and a master chain code. The master private key (m) generates a corresponding master public key (M), using the normal process of multiplication m * G of the elliptical curve. The chain code is used to introduce entropy into the function that creates the daughter keys from the mother key.
HD wallets use a function (CKD) to derive child keys, based on a one-way hashing function that involves:
- a private or public key (parent)
- a seed called “chain code” (256 bits)
- an index number (32 bits).
The chain code is used to introduce random data into the deterministic process so that knowing the index and the daughter key is not enough to derive the other daughters, unless also knowing the chain code. The initial chain code seed (at the root of the tree) is generated by the seed, while the others are generated by the chain code of the parents. These three items (parent key, chain code, and index) are included and “hashed” to generate child keys.
The parent’s public key, chain code and index are combined and hashed (HMAC-SHA512) to generate a 512-bit hash. This 512-bit hash is divided into two parts: the right-side 256 bits of the hash become the chain code for the children; while the left-side 256 bits of the hash are added to the parent’s private key to produce the child’s private key.
The key derivation function can be used to create children at any level of the structure, based on the three inputs (key, chain code, index of the desired child). The first two, combined, are called extended keys (they can be both private and public).
Hardened derivation is an alternative derivation function that breaks the link between the parent’s public key and the child’s chain code, using the parent’s private key to generate the child’s chain code instead of the public key.
Paper wallets. As the name suggests, these are paper wallets, ergo private keys printed on paper, sometimes accompanied by a bitcoin address to receive payments, and the common use case for them is to create backups or store bitcoins offline (cold storage). The security of the paper wallets can be increased via BIP 38, with the passphrase stored by the owner.