Deterministic wallet

From Bitcoin Wiki


HD Wallet - Hierarchical Deterministic wallet

Deterministic wallet (HD) is a system of deriving keys from a single starting point known as a seed. The seed allows a user to easily back up and restore a wallet without needing any other information and can in some cases allow the creation of public addresses without the knowledge of the private key. Seeds are typically serialized into human-readable words in a Mnemonic phrase.

HD Wallet – Hierarchical Deterministic Wallet

Since 2011, the Bitcoin Core developers have been working on solving the issues above, on various implementations of deterministic key derivation, and on ways to use it in cryptocurrencies. Eventually these developments, specified in BIP (Bitcoin Improvement Proposal) 32, 39 and 44, were gathered under the common name HD Wallet.

The first approach to HD wallet technology was the Casascius Bitcoin Address Utility, which was intended to generate Bitcoin addresses from the command line. The protocol changes proposed in BIP 0032 are now used in many desktop and mobile wallets and in hardware devices, such as TREZOR, Electrum, CarbonWallet and many others. The master secret here is a 128-bit value, which the user sees as an ordinary phrase of 12 words. To make simple brute-force attacks harder, each phrase additionally passes through 100,000 rounds of SHA-256. HD wallet technology also includes the protocol changes described in BIP0039 (Mnemonic code for generating deterministic keys) and BIP 0044 (Multi-account hierarchy for deterministic wallets).

How do Deterministic Wallets Work?

As it turns out, there are two major types of deterministic wallets currently in use: Electrum wallets and BIP32 wallets; they use a very similar algorithm, allowing them both to have the master public key property, although the BIP32 wallets go further by also including the hierarchy property – Electrum wallets are designed to only go down one level, although one certainly could extend the Electrum protocol to make it hierarchical as well.

The master public key property is perhaps the more surprising feature of deterministic wallets, and will be explored in detail first. The reason why it works is that Bitcoin public keys – not quite the same thing as Bitcoin addresses but a closely related form – can be added and subtracted just like normal integers can (although, notably, you cannot multiply two public keys together), and thus the same arithmetic operations can be done on two “levels” – to generate private keys, the arithmetic is done on the level of integers, and to generate public keys it is done on the level of public keys.

The precise algorithm used by all HD wallet systems is this. To calculate the private key at index i (say i = 5), calculate an “offset” parameter using a function (technically, a hash) of the index and the master public key. Then, simply add the master private key and the offset together. To calculate the public key at index i, calculate the offset in the same way, convert the offset to a public key, and add the master public key and the offset public key together.

We can repeat this with index 1, index 2, etc.; you can try it yourself with your own Electrum wallet if you have one. The takeaway is this: you can safely put your master public key in an insecure place, or even give it out to third parties like auditors, if it makes life more convenient for you; just keep the master private key (and the seed) to yourself.

Security and convenience

Understanding Hierarchical Deterministic Wallets

Early clients such as the Satoshi client generate a buffer of fresh random private keys to be used as receiving and change addresses in the future. This has the effect of invalidating backups after a short period, once the keypool buffer (typically 100 addresses) is exhausted. Deterministic wallets can generate an unlimited number of addresses on the fly and as such don't suffer from this issue. As the addresses are generated in a known fashion rather than randomly, some clients can be used on multiple devices without the risk of losing funds. Users can conveniently create a single backup of the seed in a human-readable format that will last the life of the wallet, without the worry of this backup becoming stale.

Certain types of deterministic wallet (BIP0032, Armory, Coinkite and Coinb.in) additionally allow for the complete separation of private and public key creation for greater security and convenience. In this model a server can be set up to know only the Master Public Key (MPK) of a particular deterministic (HD) wallet. This allows the server to create as many public keys as is necessary for receiving funds, but a compromise of the MPK will not allow an attacker to spend from the wallet. They can alternatively be used in Electrum and Armory to enable completely offline storage and spending, where an offline computer knows the private key and an online one knows only the MPK. Transactions spending coins are ferried between the two computers via USB storage, which avoids exposing the offline computer to a network-based attack.

Deterministic wallets implemented by hardware wallets (Trezor Wallet) keep the generated private keys offline and do not expose them to the computer even when spending coins.

Types of wallets

Type 1 deterministic wallet

A type 1 deterministic wallet is a simple method of generating addresses from a known starting string; as such, it does not allow advanced features such as a Master Public Key. To generate a private key, take SHA-256(string + n), where n is an ASCII-coded number that starts from 1 and increments as additional keys are needed.

This type of wallet can be created by Casascius Bitcoin Address Utility.

Type 2 hierarchical deterministic wallet

This wallet type is described in BIP 0032 and is fully implemented in Trezor, Electrum and Carbon Wallet. The seed is a random 128 bit value presented to the user as a 12 word mnemonic using common English words. The seed is used after 100,000 rounds of SHA-256 to slow down attacks against weak user-chosen strings[1].

The initial description and workings of this wallet type is credited to Gregory Maxwell[2].

Armory deterministic wallet

Armory has its own Type-2 deterministic wallet format based on a "root key" and a "chain code." Earlier versions of Armory required backing up both the "root key" and "chaincode," while newer versions start deriving the chaincode from the private key in a non-reversible way. These newer Armory wallets (0.89+) only require the single, 256-bit root key. This older format is intended to be phased out in favor of the standard BIP0032 format. [3]

References

  1. BitcoinTalk.org - Key stretching weakness
  2. BitcoinTalk.org - Deterministic wallets
  3. BitcoinTalk.org - Import Armory Wallet to Blockchain
