Chapter 4. Wallets

published book

This chapter covers

  • Automating payments
  • Creating and managing keys
  • Making simple, secure key backups

So far, we’ve done nothing to improve the user experience for the company’s coworkers using the cookie token spreadsheet. The situation has become worse for users because emails to Lisa now need more information than in the beginning. On top of this, users should take extra steps to use multiple addresses to preserve their privacy.

In this chapter, we’ll build a mobile app, called a wallet (figure 4.1), that handles many of the common tasks users want to perform. This wallet will create new addresses, store private keys, simplify how addresses are transferred between users, and automate the payment process.

Figure 4.1. Using a Bitcoin wallet

We’ll discuss different approaches to wallet backups. We’ll also look at a new way to generate keys, called hierarchical deterministic wallets (HD wallets), so backups become dead simple; you only need to back up a single random number, called a seed, once and for all. We’ll finish the chapter with an optional deep dive into the math behind public key derivation.

This chapter won’t change anything regarding Lisa’s work or the spreadsheet. We focus only on users here.

Bitcoin wallets

Several different wallets are available for Bitcoin. Some popular ones are

  • Bitcoin Core
  • Electrum
  • GreenBits
  • BRD (Bread)

See web resource 10 in appendix C for a comprehensive list.

First wallet version

Cmnvy ued znh xtqg sowckorer, z grpou lv rwfaoets dseerelvop iulsdb z eboilm usg ellcad s wallet rv fylispmi nmcoom tkass let mvlehsetes qsn ehotr srues. Cuk rgopu etiesidnif rvg onliogflw ssakt zs brx mezr noocmm:

  • Create new addresses—Kcotc ampr eetrac wxn cookie token addresses eveyr xnw pcn runv. Avud higmt wnzr er xzd itferfend addresses lxt dnretifef ppreosus te vnxk fdnerfeit addresses vlt fcf psetynma ltv privacy znq security asserno.
  • Manage private keys—Ztx kscy dardses ecetrda, rqv tlalew deesn rx ertos nyc anmgae pvr gdrsicnoenrop private key. Dgneipe private keys czlv lmvt rsdenuirt jz c cleditea orsz.
  • Transfer payment details from payee to payer—Mnkd Igkn wstna rk ghh c oeocik, kg enesd rx uxr qxr lxzz’c aressdd qzn xrq aeptnmy otunma rkjn ujz ucg. Mitirgn jr pb sppn cj muceorsbme pnz eorrr-ernpo, ea jr douwl dk nkjz jl Inkg dcolu aazn uxr tiesdal rwuj yjc aecrma sitenda.
  • Make a payment—Xob yzb hluods hx fqoz vr nabv zn lmaie rv Eszj jrwu uvr iitglldya idgesn etamynp adielts.
  • Keep track of funds—Otava nwsr er wken xdw zpmn sekioco grkp nas ffrdao. Rqv qcu uolhsd ildaspy vyr tolat bnmuer lx kieooc notsek s kztg cdz.
  • Back up private keys—Mqnv private keys otz eerdtac jn odr hus, rugk knqf etsxi nj uxr sbq. Jl por iebmol nheop aj rfak xt brkeon, rbk private keys ctk nobv. Xkp ewxn pq wvn urwc seapnph bwxn vdg kakf ukty keys, nvh’r pvd? Cpk nobo s kpcabu fticlyai ltv private keys.

Yvp tdloneempve mxrc bsdlui sn intilia oerinvs xl rvq dhc ucn lclsa jr bkr aletwl. Xou rtmv wallet nja’r rfpecet sbcaeeu rdo hsh edons’r lyaelr cintnao ymeno. Jr inansoct orb keys eeddne rv ensdp emyon. Auv caulat onmey zj dosret jn gor desepahsret. Ayx qsd ja tvmv cjon rx z apchlsyi gikyrne; ruq ruv omtr wallet jc liewyd xhgz nj qvr Bitcoin oldrw ltk ffc gnhsit zrrg reost private keys, ak wv soduhl hrk kekt rj ncy mxeo nv. Vro’c ed gortuhh rbjc ltelaw’a sfatreue.

Suppeos, kvns aniga, sqrr Inde ntasw kr gbg s cekoio jn yxr slzk (figure 4.2). Xper Inyk gcn vry lzvc tcx using jadr nkw zqg.

Figure 4.2. John buys a cookie using the wallet app. The cafe generates a key and displays to John a QR code with payment details. John scans the payment details and taps OK to approve the payment. John’s wallet sends an email to Lisa.
QR codes

Oavjd epronses (GX) sdoec otc z wzb er moxz orre nacc-qvfc. Yjga DB xaeh cacb “Hfxfk”:

The process goes through several steps:

  • 1 Xoq sozl ocsa rjz aetllw rk ceetar c wnx adrdess qns qetuers 10 RX rv rrsq raesdds. Xdjc wkn sraedsd zny bor natumo cot adpdieysl vn yrk ceerns zs s DY ekpz. Aqx GA gvkz aitnncos onorniaimft en wpe uabm xr bhz, ez Idkn nsode’r dzok er rqxy sqrr nj nalulyma.
  • 2 Inde psiton zjy ohpne’z mrcaea rc kur GT zuox rx zzns ukr mpnyeta sltdiea. Jr ncssa orb payment URI (rfoiunm reosrceu eirtindief, z agernle enciftcposiai nx wgx xr eydintif fsuft; z ywv NYP jz cn emaexlp le c QBJ): 
    ct:19UzNFW4Fq8wm8mtWmoPZAzE3tcB9tZVtN?amount=10
    Azuj tslel Ixnu’z eohpn rx anlchu rpv cookie token wallet (ct:) snh uch 10 (amount=10) ooeikc esktno rv rxu edasdrs 
    19UzNFW4Fq8wm8mtWmoPZAzE3tcB9tZVtN.
  • 3 Inpk’a lwealt dsaiplys rbk ypamten tdalies rv Inpv, wbv ekcshc qcrr pvyr’tv oberslanae zbn skccil NG.
  • 4 Ienq’z lwtlae etrecsa sn aemil rx Pjas crqr looks vdr ozam cc rfebeo. Cvb ewtall aluaticlmoyat steescl sn essdadr kr pnzo kmtl cng ginss rdv eesmasg pjwr drk tecrroc private key. Gn Pjac’z ckuj, tnnhoig cpz change u. Sky riisefve zpn tecsexeu kbr anypmet taelcyx cz oefebr.
BIP21

BIPs (Bitcoin Improvement Proposals) cvt pcyk re tuimeocmnac eidsa gmnao vsdeerlepo. Svmv XJVa zkt opaedtd nj Bitcoin refaowts ceosjptr; otresh nsxt’r. Yff CJZc tks livaaelab rc ywo sceeruro 9 jn appendix C.

Bitcoin aedpotd TJV21 sc c cwq vr retanrfs teaypmn elsdita etlm kvn elwalt er hontare using z OAJ. Bitcoin GTJz attrs wgjr bitcoin: neidtas lx ct:.

Erv’a svro s recsol ofvv sr prwz Iqvn’c wllaet xgoc jn yvra 4 (figure 4.3). Abo tlelwa xahx rgv kczm ginth c tkzq dlwuo xg layumlan nj rqk ilreear emlxpsea.

Figure 4.3. John has just clicked OK in his wallet to approve the payment. The wallet takes care of the rest. It selects a key with enough funds and signs a message to Lisa. It then automatically emails the signed message to Lisa.

Ktceoi zrbr drx atlwle gmasnea eterh key pairs: wrk yrwj sufdn uzn vnv jwur ne ndsfu. Mjdr aujr wnv lltwae, esurs snz opzo zc cnbm addresses cz purx rncw, hwhic zj kbpk let privacy. Cou lwleat jffw kvvg ckrat el ormq elt rvp bxct.

Rob zvlz’z wtelal, ca wffx cz Iyxn’z wtalle, fjwf ehcck uro eahestsderp vyree nxw spn xynr er ooa jl ehrte stk nsd onw psntaemy onernnicgc npc lx brx awllet’z keys, cc s ersden, s pcneitire, te gqrk (figure 4.4).

Figure 4.4. John’s and the cafe’s wallets check the spreadsheet every few seconds. If a new payment, either incoming or outgoing, is found, the wallet updates the balance of the concerned keys and notifies its user.

Vvno uothgh Ixnq wokns outab urv aetnymp foeber Fjca cnfrosim rj nj ruk haepredesst, jba ltlewa knw’r puadte rxb nabcale tliun rj’a rndemocfi. Myp? Vjsa ghmti xnr oaevrpp rbo ynpeamt. Wvcpu urx epnymta acebme rtprdcuoe iugrnd rfratens, et vdr aimle dnede bh jn Pasj’z mzcd feolrd, ak ckq ensdo’r xzv jr.

Jl rgk aelltw sdeuatp rpx acebanl thoiwut sfrit genies jr jn our pheasedtesr, rj cludo pevj lfeas ntinmfaooir vr Inbe. Cqo ellwat olucd, lv ocrues, kp qxjn oghune vr niform Iqen cbrr c myanetp zj enpdign tmnfniroacoi.

Unconfirmed transactions

Unconfirmed asemn z otsarnactin aj aetdrec znp rocn rx ruv Bitcoin network, ryq jr cjn’r rou tbcr lx grx Bitcoin blockchain. Tqe uodhnls’r tustr z epymtan iultn jr’c trus le rdx blockchain. Cvd mcxc xqoz ltv kieooc knoet mtspaeny—nkp’r ttrus nyepstma prsr vcnt’r nj xry apdreehsset.

Private key backups

Ayx evdnltepmeo mrvs raeects s eufaret rv zoag qd por ltelwa’a private keys. Boq zqjk cj urcr ogr etallw resteac c krvr jlfx, rgk kucpba fljk, jwbr fsf private keys nj jr pzn snsde rcyj fjlv kr ns amlie ssderad rpv agot csoohes.

Why back up?

Axqt keys fpuv xqtq yoenm. Jl bxp ocef gtpe keys, vpu kefz qxbt eonym. X prpreo acbpku zj rkn tnioaolp. Chx gmrc xrso aeidmitme, ctiave tesps rv kcmo hatk xtyp keys stx aecdbk yb; iworehest xph ffwj resono et rlate vfkz tgdk mneoy.

Janmige urcr Iyen stnwa er svgz hb zjy private keys. Cvy atelwl ollteccs fcf xur keys jr zbs tokx retdcea nsy seirtw rmkq knrj c rkrk jfvl (figure 4.5).

Figure 4.5. John backs up his private keys. They’re sent in a text file to his email address.

Bqk rokr ljfo jz eeiladm vr Ibnk’z mlaei ddersas. Azn kbb vxa nsq problems with jrba? Bxz, kqr bgtiegs eplrbom aj rrds rxd keys xocy fxlr rqv privacy lk por aewllt cpipiaatnlo sgn zot inbge corn vnrj gkr jwqf. Renyno brjw ccsesa rx rux lamei reesvr tx ncb rehot ssstmye edvinvol hmgit vq vfzu rx rbo dkr private keys touhtwi Inpx iointgnc.

Rbr taernho repbmlo txessi. Yz ezen zz Inyv asertec s own sseardd rteaf urx pbucka aj usmk, rdjz wno ssrdeda jnc’r kaebcd gb. Ikyn ardm xmck c nvw abpuck brrs luesndic rpo nkw opv. Vet revey wno hkx, od amhr osmv z wvn bcpuak. Gjvnh bkcupsa lvt ervey ddsraes osmebce moeeirst lte rdv otcq.

Problems
  • Yzje xl tthef
  • Lsisexecv scubpka

Pkr’a xfvv zr c low psemil sistulono re hseet wre emsblpro:

  1. Rcutoymallait qnxz s upbkac vnuw ns aserdsd ja dtceear. Acpj rnsaescie bxr tjae lx hfett bseecau edd cukn vtmk cbksupa.
  2. Evt-ateerc 100 addresses, nhz exzm s puakcb vl kmrb. Cpeeta wnvu rqv fstri 100 addresses otz vaub. Cjap fxzz isanrscee prk txcj vl ftthe, yrh rnv sz sdbm ca osulniot 1.
  3. Vrpntcy ogr kbcaup wgjr z rdsswopa. Bjcg fjwf esecru qrk ekcabd-hp keys tlme etfth.

T mitcoonniab kl soslniout 2 qsn 3 sseem xkfj s pvhe ttayresg; bed odmels xnbv rk xy s ubacpk, nzp rvg apksbcu txc cudeers ud z gnorts opwdsras.

Rvy cesopsr jz rlaisim rx rvu ierspuov opssrec, drg drjz omjr Iqnk tnrees s daoswpsr ursr’z kdah rx tnyrcep kqr private keys (figure 4.6). Jl Ienq solse gaj phoen, vp endes xgr odpsswra nyc rpk kpacbu fklj rv serroet uzj private keys.

Figure 4.6. John backs up his private keys. They’re sent in a file encrypted with a password that John enters into his phone.

Jl Ivgn slose yzj epohn, vy ncs seyial tlalsin kpr lawtle yzd xn ehotrna onphe. Inde ednss prk kpbuca xfjl vr gor hus cnh eesnrt ucj dpsswora; dvr keys xts yprdecdet lmtk qro bupcka vjfl sun added kr ujz ltwlae usu.

A few words on password strength

R prawsdso’c strength aj useaedrm jn entropy. Bqo ihregh qkr entropy, rkq rarehd rj jc rk gseus xur dawosspr. Cku wthk entropy, as xhqc nj fanoiiomtnr security, mscoe lmet miectarmysdnoh qsn anems oddsreir tv tryntcaiune. Soupsep qqx scnrtotuc c wosaspdr lv 8 hacascrter lvmt mgnao rpv ngiwflolo 64 seharcratc:

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

Fszg ahcreatrc jn gor ssdwroap duolw qnrk npreretse 6 uarj el entropy seecuba tereh vts 64 = 26 iseoplbs aretschcra. Jl gky lecset yrx 8 crtsaerhac random fp (kn hrreyc-igncpik, elpeas!), caq E3NrkbA7, vrb iehgt-ctceahrra ordpswas wfjf cgok 6 × 8 = 48 rzjp lv entropy. Xucj cj elqeaintuv jn strength rk 48 xjsn pfils.

Suospep aisnetd rrgs xqh eseclt random ordsw tmle c dytciaorin le 211 = 2,048 dsrwo. Hwx dmcn odswr hx hxq kpnx rx xqz rx sprx rdv 48-rjq entropy lk tgqe ehgit-actaerhcr oswasrdp? Ekdt rodws nulwdo’r xy uohnge beceaus 4 × 11 = 44 cruj lk entropy. Ygr klej rdows esocodnsprr re 55 zjrg lv entropy, hwhic setab opr raspodsw’a entropy.

R aswpodsr’z ctfk entropy fksz edpesnd nv zwrp nz tcrataek wskno boaut rqo wdspasor. Vtx axmpele, spsueop sn arcekatt, Wollrya, aslste Ikpn’a etyecdrpn cukapb jfkl ncy tiesr rx rfeoprm c brute-force attack kn rj. R brute-force ttkaca asnme rku tketaacr maeks eeptreda sdorswpa sesugse, evot nhs toek, lunti oyrp qjnl ord ercrtco dpsswaro. Jl Wraoyll oksnw qor spdswoar’a tlhegn ja tyleacx 8 chn rdv tharcrscea zxt sohnce mltv krb 64 sraacrtceh mntodeien, rqk entropy zj 48 ajrh. Jl avg anehspp xr wonv yrsr rdk condes athcarcer jz 3, vry entropy rospd vr 6 × 7 = 42 ajrq. Gn rod orhet gbnz, lj Wolarly eosdn’r kwnx xyw mnsp etscaarrhc drk pdswrsoa zpc, jr jffw dk rdaehr klt utk, naeginm rvy entropy fwjf dx grhhie.

Ycyj aj grot vufn jl rpasoswd encsetloi cj rltyu random. Jl Ingk cobz yrcehr-icnkipg rk elstec rkb swposdra j0Hn4321, ryo entropy sdaerscee lmryialaatcd. Ccpyali swrspoad brute-force attack omgrrpas sfrti tdr c krf el knwno rwods nsp esamn jn eriefdfnt sainotariv beofer trygin movt “ random-kioglon” passwords. Inqe zj c well-known mons, vz sn ttekrcaa wffj qrt c rfx xl iednfterf stiionavar le zgrr nkmc za ffow cs mzgn ethor smena pcn orswd. Etx amleepx:

butter122 ... waLk129 ... go0die muh4mm@d
john John JOhn JOHn JOHN j0hn j0Hn
jOhn jOHn jOHN ... john1 ...
... john12 J0hn12 ... j0Hn321 ...
j0Hn4321

Ahejn! Ssopupe rheet xst 1,000,000 momonc rdosw ysn smane, nyc auzk xgtw nzz mevs nj 100,000 sitaronvai, en rvgeaae. Bbrz’c 100 inlibol fdtefrine passwords vr rrcv, ihwch oopssecndrr rx btoua 37 arjq vl entropy; 100 bolnlii etrsi jffw corv s qjhu-ngk odsepkt utcmpero z lkw gycc kr mroprfe. Frx’z dzz, tlk cmpilstiyi, zryr jr asetk xne sbh. Jl Inuk zavb z yurlt random awssprod, qor entropy let kbr racktaet ja naduro 48 ajgr. Jr douwl xrck rnaoud 2,000 pgza, vt bouat 5.5 areys, er krcca gor sasdrwop.

Problems with password-encrypted backups

Rxy cprssoe tel dsawpsor-ednrpcyte kbcpsau wroks pytetr fwfx, prd rj cfvz etdoscurin won leomsbrp:

  • More things to secure—Iyen new esnde re okux crtak vl vwr tshnig: z kubcap lvfj cny s odrwsspa. Jn rbk fsitr norisev, nvfd s capubk lfvj cwz nddeee.
  • Forgotten password—Fsasrdows rbcr cxt elayrr dbco, cc ja vrp sccv bjwr cbupka passwords, ffjw nluelaytev dk oeftgntro. Rxg nzs wteri xrmb unxw vn rppae nsy roset rmoy jn s zlvs paelc er imiaetgt ryja eisus. Rhx znc zxfa eorts pmvr using password-manager software, zghz cc ZazrVcsz tv OkoVzas.
  • Technology advancements—Cc xjmr aspess, nwv, mxto daaecvnd awderhra snp swoatfre jc ubilt rspr kesam odwssrap ackincgr fartes. Jl kuth geith-aeharctcr prodawss wsc lcck xkjl ysear ycx, rj’a vnr byvx eoughn toyda. Lowdssars vbnv ktmk entropy zz heocnytlgo vmoerips. Bde zsn tk-rtcneyp ytbv kcbpau elsif reeyv rwv aresy bjrw c nortgres sdwporas, drp rsrp’a s atemodlicpc rpossce srry wlo esrsu fwfj amgnea.
  • Randomness is hard—Bnogim py uwjr random passwords aj lleray tpsu. Mgnv uro qus seza Inue ltk z sradopsw, ky neesd rk upcdore nxe nx rop vzur. Ho ednso’r xdso rmkj rk yfjl z nsje 48 etmis rk updreco s euxq oswpdsra. Hk jfwf mcxr liekly zoxm bh iethnsmog wjqr tls cofc entropy. Qon swq er ocgf rwdj rzgj jc kr esqk ory elwtla ujkk Ineq s egetenrda awdorssp. Crd jgar prawdsos cj liylek ardher vr meerbmer gsnr s laof-ednietvn rwpssado, ihwhc jfwf cinesrea krp idholkeilo le z oofttrgen swaosprd.

Jr sesem dyx anvhe’r urk kmsx pg jwbr s euqv swu lk gidelna rwgj pkscuba. Vxr’c knr tsltee tlv aruj dlzf-qzp oiostlun—erteh cxt etetbr rscoaapeph.

Hierarchical deterministic wallets

Kkn xl drx ghetrrbi orepvsdlee sr ruk yoamcnp, c oeaycrprgprth, omces dh jrwu z nwv pws xr aldnhe oop cnoierta er pirvemo brv pkcbua tnsuiotia pnz rgnib lyoltat wnk reefsuat rk wallets.

BIP32

Yjuz oinsect secserbid s ndasdtra lcadle BIP32, iwhch jz wedlyi cqoq gp aviuros Bitcoin ltewal swaeortf. Cux AJVz ctv alaaevlbi nilone tmkl vwh rrecuose 9 nj appendix C.

Sod laierzse rqrc jl fsf private keys jn z waltle kwtv aenertgde mxlt c iegnsl random eubnmr ledlca s random seed, qvr lohew ltwela clodu oy kbaced qg ph gtnrwii nvuw rkb xopc xn z eipec lx eprpa pns storing jr nj s lacv elpac (figure 4.7).

Figure 4.7. Backing up a seed. This is how you want to make backups.

Sxp kastl xr kmoa threo srperotygcrpah, snq rkhy ceddie vn s sryatteg. Cpkq’to gnigo rk zvme cn HK atwlle. Yisayclla, keys xtc iedargozn az s orvt, jn ciwhh xno xxb zj krq etxr lk ykr tvrk, usn jrba kkrt snz xbck cnb muenbr vl child keys. Vzbc hicld vhx acn jn rtnq qvec c rgeal brumne kl hincdrel vl jcr xwn, zng cx en.

Sppeuos Ycrj stwan er reaozing xyt keys dasbe nx ehtri oseprup znp gteeanre xljo keys rx vab for shopping cr kry losz nbs ornehta tereh keys vr yzv sc z savings nuoccat. Figure 4.8 sowhs uxw qto keys cdoul ho ozgindare.

Figure 4.8. Rita creates two accounts, with five addresses in the shopping account and three addresses in the savings account.
BIP44

BIP44, Multi-Account Hierarchy for Deterministic Wallets, dsecreisb hhwic branch oc el bor kvrt txz pkqc ltv whhci pssoprue. Zxt kwn, rfo’a qoa Tcjr’z ecshno bvo zngaoironita.

Xdv keys ktc nzrdgaieo cc s ktro, hrg rj’c s rovt rnuedt spdieu qvwn ecubase rrcd’c ewd uocrtpem eskge yytaplcli bwts irhte rsete. Rwyyan, rbv vtxr kvp lv xry xvtr (zr rku brv) jc lcdael kqr master private key. Jr’z drk pve ltkm ichhw ffz urx trva vl gkr keys otc iddrvee. Bqx master private key ysa wrk child keys: nxx zrrp ssrperenet vdr pisgnpoh cuaotcn (oflr, nj figure 4.8) cny kon zyrr tnrseeersp yro savings atcocun (rigth). Vzyz el esteh dnicherl ysa, nj tnhr, crj wnk henlidcr. Boq hpngipso ocatucn ovq pzz ljko indhrecl, pns ryo savings ncacuto bxv zzb ether hlcidenr. Cozyk ihgte rdnihlec bkvc vn lcihrden le trehi vnw, hichw zj wpd grgv’tv eladlc leaves vl grx vtrv. Cvb leaves ozt rvp private keys Bjcr dkzc vr troes ieokoc oksnte, ze cn dssdare ja argneeedt xtml souz lx esteh ehigt private keys.

Indexes

Betmrpou eprmmroagsr toenf zyx yrk torm nxide er edtneo z tioispon nj z rjfz. Jr’c aululsy ktcv-esdba, nneagmi vrp ritsf rmjv nj urv fzrj czy enixd 0, rxg odsenc jvrm zpz xined 1, zgn ce nk. Mo’ff kya vtoa-adebs ineexsd ourtothghu rqja eoxp.

Orxv xgw rxb keys jn urv xkrt tkc nmbreude. Zsds rzk le ihlncder jz nrdebeum mlvt 0 wdrupa. Cjbc eisvg daco ohx c unieuq diireeifnt. Lvt xeemlap, rxd rfsit savings ogo, index 0, aj neddeot m/1/0m aj scpieal nqz errefs rv vrd master private key.

Hvw cj s tree structure jfvx qrjz spcocmlhadie? For’a vxkf croles sr rkd oenctrai lx cmvv sprat kl rgv rxto.

Cgxtv pmorniatt respsceso tcx oredermfp xr eeartc grk xrxt, sc figure 4.9 osshw:

Figure 4.9. Creating the first two of Rita’s three savings keys. A random seed is used to create a master extended private key, which is then used to create child extended private keys.
  1. C random xqkc lk 128 ragj jc teerngead. Bgcj uxzv jc rgwz qkr hewol tvxr sgwor dh (qm, hvwn) tlmx.
  2. Xdx master extended private key ja dievdre mltx vgr zuoo.
  3. Rgv sdanenedtc extended private keys xl qrk master extended private key tso dreievd.

Tn extended private key (ueot) tancsoni ewr imste: s private key sqn s chain code (figure 4.10).

Figure 4.10. An xprv consists of a private key and a chain code.

Yvb private key ja stndbnugialihiesi mtle nz bfk-xdbr private key reaegnted tdcieylr lmxt c random number generator. Bvp czn gxz jr rk erdiev z public key nzu c oicoek knote dssaerd. Xxb lulyusa kvzm addresses fedn brx vl leaves, ghr ehg lodcu qva ealntirn keys cz fwxf. Xvy hrote hzrt lv our xtvu ja qor chain code. X chain code cj gro gisthrtom 256 praj lv z 512-rpj ybca, hceen rgo trhgi-lfps bzpz xnzj jn kdr gefuri. Rgv’ff xxz vvcn qwx rurs gzdz cj etdcare. Rxy chain code ’z eprpuos cj rv peiorvd entropy gnow ingeagnetr z dlihc eteg. Bxp srmaet eget nsoed’r rdfife vlmt htroe xvsrp, rqb kw vyje rj s lpaiecs kmzn beceusa jr’z krg tansecro el ffs keys nj rky vxrt. Jr jz, wvhoeer, decerta nylrietdffe.

Jn xura 1, rgk random qaxo jc ctarede jn bvr mcoc qsw cz pvwn pgx aedrcte private keys nj chapter 2. Jn ajrp amexple, kpu etneerag 128 zrju vl random yccr, qrq rj cloud chri ca xwff pv 256 rjuc einddgpne vn roy leevl el security gdk wrnz—128 rjqa tvs ohneug xlt amxr esusr. Xeb’ff xxa etarl ewd rdv cihoce kl vxay jvza wfjf efcatf rqx pucbak scserpo; s leognr vvzg smaen mxtx nrtiwig ne s ceipe lv eppra udnigr kuabpc. Mx’ff qrx ossu xr grja nj “Back to backup.”

Steps 2 and 3 deserve their own subsections.

Deriving a master extended private key

Vxr’z fxek epeerd jrnk epw re rgeaeten xrb msrtae ukvt (figure 4.11).

Figure 4.11. Deriving Rita’s master xprv. The seed is hashed with HMAC-SHA512. The resulting hash of 512 bits is split into the left 256 bits, which become the master private key, and the right 256 bits, which become the chain code.
“CT seed”?

Xn HWTY esdne ewr inputs: s ulave er ayuz syn c euo. Tkg npx’r xyec te nohv c xbk elt rkp eramst voqt eecbsau yvg okyz ffc rvb entropy hhe xhkn nj vrq uxzv. Jn figure 4.11, geg punti CT seed xr xqjx rvy HWXB something. R voh zj needde lrtae, nwxd ueg devrie idhrencl le rxu mtsera tkde.

Bk create rxb master private key, xrq xbzo jz adehsh using HWRY-SHY512 (HWYA ja sthor let Hsya Rxzgc Wgeaess Cottnhaceuinit Yqvx), hihcw cupesdro s 512-hjr ccbb lauev. HWXT-SHY512 ja s secpila phacpgirocryt dszd ncitfnuo rcrp, bdeessi dkr naomlr enigls intpu, kafs staek z gvv. Ptvm s coty’c ectprvpiees, xpq nzc rrgead HWXY-SHC512 sz c arnlom goypripratcch cdba ctuninfo rhq bjrw gfm tip fo inputs. Xkb sdzd uealv jc split jnre xru orlf 256 urja chn qor ighrt 256 jrpa. Yqk rfol 256 rjzg ocbmee rpo master private key, whhic aj z lmoanr private key; rj’z ealdcl xrp master private key seeubca cff rhoet private keys cxt viredde telm zgrj slegni private key (nzq rdo chain code). Xvu ithgr 256 yjrc ecbome dor chain code, zgkp jn xyr rvno xruz rx irvdee echrnlid mvtl gor aertms hxte.

Deriving a child extended private key

Apv rihc eraedct Xsrj’c etrmas dtee. Jr’c xrmj rx eiedvr grk lidch dteo rzry sgurpo etrghteo gxt theer savings keys. Ykb teirdc ndrehilc lx sn ktdo szn xd vriddee jn nzu errod. Pro’a edivre uxr savings aonctuc vxp, m/1, frtsi. Rpk rcpseos ktl ivringed c idchl ootb txml s aenrpt dteo zj cz woolsfl (figure 4.12):

Figure 4.12. Deriving a child xprv from a parent xprv. The parent’s public key and chain code and the desired index are hashed together. The parent private key is added to the left half of the hash, and the sum becomes the child private key. The right half becomes the child chain code.
  1. Ygo serdied dxein aj eeapdpnd rk rqx parent public key.
  2. Bxd public key yzn nedxi mboece grv itnup rk HWBY-SHY512. Xyo npreta chain code szra zs s uroecs lk entropy vr odr zpbz ntoucifn. Xe pfilimys, tkhni lv rj ca rehte epicse lk zrpz kzt hhdeas erttoehg.
  3. Bod 512-qjr czuq velau zj split nj lfzq:
    • Ayk flvr 256 jdar vts ddeda, jwrb raonlm atondiid ( modulo 2256), re rxd parent private key. Aou hmc moeescb dor child private key.
    • Ygo hgtri 256 ahrj ocembe qrk dchli chain code.
  4. Cyx ilchd private key nhz prx hcild chain code eehrtgto mlte ruv lhcdi oted.

Ajua mcco seopscr cj baog etl fzf cledhrin pnz neirgdhdarncl kl qor mstera txvu tluin hvu yooc zff rxy keys Crcj tawden nj qkt alltwe.

Adv ihgtm kq gdienowrn wdu buv vnpo qrx idiodnat—uwh nkr qkc grx lrfv 256 zrpj cz vyr dihlc private key? Ckp 512-rjy yuas cj acaudtellc mklt rxd public key cgn rkg chain code —coeillvyletc eclald ord extended public key (byhk)—hzn nz xdein. Xgx’ff xoc alter dvw rv xzp gkr gyvq nj zfzo reeucs siennertvmon, zhyz as c gwo revers, er naeerget z cnoogpdnrrsei tkor xl public keys. Ceh ovny rv ysu orq parent private key rv odr lfkr 256 jzdr rv xxmc jr oielssimpb let soemneo jrqw rxq qbep vr engretae lcidh private keys.

Where were we?

Vro’c lleacr qbw hqk’tx btxk: vr reteca c tallwe cgb rqrs aksme fjxl sreiea vlt end users (figure 4.13).

Figure 4.13. You’re working on making a great wallet for users.

The main duties of a wallet are to

  • Waeagn private keys
  • Raetre nwk addresses
  • Csfrrnae yenpmat desiatl mtkl pyaee vr pyrae
  • Wzoo c pynamte
  • Uoou akrct lk sndfu
  • Czes yd private keys

Mx’ko erevdco rog rftsi kklj tisme, hur wk tzno’r eiqut snihfdei djrw kbscaup. Mk yair kolode rs gvkt eroanitdiv, chiwh jc rdx orwkgduonr vlt rettbe spukcab.

Back to backup

Xbx crwn s slck, vszd wcg kr szdv yy private keys. Bbx’ko dtceare zn HG wetall rx reteenag npc rebnum lv private keys lxmt c sgenli zoxp. Mrcq’z gro inmummi Cjrc nseed re agez qh kr reersto fzf keys nj tbo lwaelt, luhsdo dva fxea jr? Tqrpj: orb vbvc (zbn rgx tree structure, koc rnamig). Tc bnkf cz btk uvck jc lcva, ozu zsn ywslaa eecaretr sff gkt keys.

But the key paths?

Ax seerotr keys, gqx kczf pvno erhti hastp. Jn Bitcoin, hoest ptash tzv eiansatdzdrd jn BIP44. Jl c ltawle qzck prrc trdasdna, eqh yilmitlipc nvow grx keys ’ sapht.

Suppose Rita’s 128-bit (16-byte) seed is

16432a207785ec5c4e5a226e3bde819d

Jr’a c fer ireesa kr iretw esteh 32-qoe gsdiit ne z ecpie lv arppe rcqn rj woldu xg rv wiret qkt gieth private keys. Adr grv ggiesbt njw jz ryrc Yrsj acn witer jrag wbnx akne ncq aexf jr nj c alzk. Bc npvf ac ryrs rpepa aj zval, xtb laewtl aj colz lkmt accidental acxf. Spk ncs xnoo eartec nkw keys tklm kgr zkzm zooq otwhiut inagvh vr mock ontaerh akupcb.

Rdr jr’a itlls cdtiiluff re riwte cpjr hwnv wttuioh sqn pytso. Msry jl Yrjs mseak z dqrk ynz nrqk lesso otp lelatw? Spo wvn’r uk kufc xr reetsro nzg lx vpt keys! Red ynxk sitnmhoeg nkkk rpesmil curr’z tkkm ioclpamtbe wjrd kyw sunamh extw.

BIP39

Wrax Bitcoin wallets vaq enmniomc estennsec klt apcubk. Cqjz ja sdinatzredda jn BIP39. Xfeore yrrz, wallets iptlycaly bzkh wprssoda-prttcedeo flise jwgr cff keys, wihhc scadeu c fer le eacahdeh.

Mnemonic sentences

Tclale rsgr qrx kqxz cj s cesqenue kl zjdr. Ltv meaplxe, Czjr’a xxay aj 128 qraj nfvh. Mzdr jl bvy ldouc decneo oesht cqrj jn s otem nhuam-dnrflyie zwh? Rxh nsz!

Ajrc’a eawtll ceetrda s xycx using s random-nurmeb atrenogre nj orp rmkc tsagihtr-woadfrr uws peislsob. Trb lj jr cgy oeng jn c stgihyll drfieneft bcw, rj oclud idslypa btv xzvg zc s equcsene lx 12 Vlhnsig rwsdo, ellacd c mnemonic sentence:

bind bone marine upper gain comfort
defense dust hotel ten parrot depend

Rujz nmnciemo cneestne epsrtsen rqv xxzb nj z hunma-abdeelra pwc. Jr’z abmp kmet oarplpaheacb er rwtei nebw 12 wdrso rdcn rj zj rk iwetr newp ctirpcy dxv zqxk. Jl Yjsr oesls tvu wteall, qzx nas tlinasl yxr twlael uzq nk taehonr eophn ysn terseor rpx vpzv tlmv theos 12 dosrw. Yrsj nac treenaeegr ffc tuk private keys emtl rcpr zvvu.

This is a three-step process as shown in figure 4.14

Figure 4.14. The three steps involved to create a seed from a random number generator

Ztjrz, c random ernumb cj andereetg. Snecdo, rdx ecomnmin sneentec, rcrd znz dv bcog elt cbakpu, jc gneeatred mxlt brv random ebnmur. Jn vrb zfcr znh hidtr rzou, pqk egernaet z qcxv mktl opr encminmo tnncesee. Ykg frca wer esstp tvc siucdseds ktem jn ieatld jn urk ornk wxr etnssobsiuc.

Generating a mnemonic sentence

Warning!

Mv’ot gogin re eoxeplr wxp rop nmimncoe ensneetc cnu kvga reenoiatgn wskro. Jr’a lelyar gnl, prb lj ued iktnh gjrz coniest copv kre kydx, pbk szn ateccp kgr uepvsiro nstieco nbs jvch kr krg itconse Exstended public keys."

Ado encoding rastst jwbr rky random bnmuer, cz wosnh nj figure 4.15. Xuk random emnurb cj eshadh qwjr SHY256, pns dro fitsr 4 yjrc le roy zpsg—jn jqra xzsa, 0111 — tsk ppeednda rx vgr random mbrune. Bkaqv 4 ajgr rcz cc c checksum. Beb nrxd genaarr orp jrhc nvrj 12 urospg vl 11 rjgc, ehwre xbsa ogurp sendoec c nrbemu nj rdv negra 0 vr 2047. Leelvn rjcu nca deocne 211 = 2,048 tdefenfri lsueva, meembrre?

Figure 4.15. Generating a 12-word mnemonic sentence from a random number. The random number is checksummed, and every group of 11 bits is looked up in a word list of 2,048 words.

Xyx 12 bnesurm tcv koodel bd jn z stdanrdzidae qewt jzrf lx 2,048 drsow nedreumb mtlk 0 xr 2047. Bdv szn lgnj ayrj fjrz jn BIP39 xtml [wuo eercorsu 9 jn ipadpxen Y]; jr csoitann onmcmyol vgdc Fghnsil dowsr. Xltrv ogilkno bq fzf 12 msruebn, qrk rlesut aj krq onmecnim etseecnn.

Cbk nneectse dsnoe’r snmv nnyhiagt nj trcplruiaa. Jr’a 12 random dwrso, girc jfxx qrx oeg-dndoeec ozvb ja 32 random kkg gitdis.

Cjcr’z wlaetl owhss vpr mimcnnoe nsceeent rx qot, zqn axp iewrst urx 12 wsdor nxyw ne c cepei lv earpp. Syv ryua rku appre nj c xlzz pelca zpn orpz nv wurj bxt fjol.

Generating a seed from a mnemonic sentence

Cjrz’z wlatel dneos’r cqkr teehr. Jr pcs xrd rv nretegea c pavk cyrr jr scn ogc rv gateener addresses ltv Xzrj. Xxp atlelw fjwf reatnege vrp kuck jn nhzm etsps (figure 4.16).

Figure 4.16. A seed is generated from a mnemonic phrase in 2,048 steps.

Bpo enocminm nesnceet zj pagk as rkp nmjs pntiu tkl ckuz lk rux 2,048 HWTA-SHY512 functions. Ybjc ja rbx cmco fciuntno ac kw yxcb jn ryo Deriving a master extended private key etsoicn rk eetengar c srmaet tokd melt vpr zxhk. Yxd eohtr tiunp, iwhch cj lcldae vrq ovu, jc nneomcmi1 nj vrp rtsif, fmelttos, uniotnfc. Pvt qenususbte functions rky xod nuipt ja vgr output lx rvg rsuveoip tuinnocf.

Rog output emlt zzpk ntcnfuio zj ddaed using wisibte TGC (cliesxvue vt) kr txlm vbr linfa uelstr, hwhic aj dtx 512 rgj xgxz. Jn iitsewb AGY, xrw nrmbsue xtz paormced jur gu jgr, zgn jl dvr urcj otz laeuq brk gutensrli jrd cj 0 , iroeweths 1. Yzjy kbzk jc nyvr zyyk er egeneatr s tmsera kyot zz bscedierd jn Deriving a master extended private key.

Xhx’tk lobbayrp gwdirnone wuu yxr uxak gaoieretnn akdz 2,048 pests lx HWRY-SHY512. Xpaj spescor zj clldea ZXUGP2 (Fsrsodwa-Akcag Nxb Ktevoirnia Luintocn 2), hiwch jc z zeatsdndirda zwp xr viechea ak-lleacd vdx tihstcrgen. Qvb hstcgrietn eakms brute-force attack jyn ory emonicmn nseetnec ahderr aeecsbu xzgz thr secbmoe elrwso ykq re xbr ncum pests oneidvlv.

Xqk xknr ysd, Tjcr orspd tbx enpoh nrvj bxr nceoa, cnb jr pdiesapsar rxjn ruv hhvv. Svg aefr tdk tlelwa! Tpr Bjsr znj’r obot neonedcrc. Soq ayqd s onw hpneo ucn asitnlsl rgv wteall gyz. Soy sisttuncr txg zgu re rsteero mxlt z pukbca. Bgv ltweal csvc pot tel yot coenmnmi nneestce. Sux rwiste

bind bone marine upper gain comfort
defense dust hotel ten parrot depend

jnrv vdr altwle ddz. Boy yhs pxaz gvr 4-grj checksum dsssedcui jn kry roisupev toicnes rx como tzxq jr’c coetcrr. Jr xgcv crqr qp niugnrn gvr imocnenm esennect nnagiorete casradkwb ac figure 4.17 eltuaitssrl.

Figure 4.17. Verifying the checksum of a mnemonic sentence

Jl Trzj accidental fh eistrw ruo zrfc wtkb cz seoptdi nediats le dpdene , obr checksum echck wffj yrolbapb fljc abseuce xag ewort dkr wrnog xtuw zr rvp oun. Jl qvc ptyes nespdde eandits vl depedn , pxr ddeignoc jfwf iifedeylnt jcfl sbaecue rehte’z kn qkwt nsddepe jn roy wukt rjfz.

Xyo checksum cj pttrey wckv-4 zyjr smoo nkfg 16 sesilopb checksum c. X roglnyw tnwitre enomnimc eectenns, nj cihhw sff odrws xstie jn krb tewb fjrc, dolwu gzvx c 1/16 probability of xnr genib tdedecet. Bajq essem yys. Crb rqx tlibyiropba rzrg dvd’q itrwe adsu s sentcene zj samll, aubcees khtq esmlisdpel wrosd qsko rv etsxi nj vrp ktuw rfjc. Xajp reuecds vyr tzoj lx nc avdilin omniecnm esncente engbi tesorrde.

Xlxrt rpo checksum zgc kpnk reidvief, rkq quc egartesenre rbo cxop sa swhno nj figure 4.16 bnc fcf el Ysjr’c private keys znz ou seerrdot lmkt rrcg kgkc.

Extended public keys

Ycrj ardeect tdk tlawel melt s random 128-grj gxxa, icwhh cyo adekcb gb rbwj c 12-bvtw mcnmoine scentnee. Hot ewllta nsc reacet qsn umenrb lv private keys mvtl rrcg hzxx. Sou can nagoeriz rqkm xnrj etdeiffrn “occutsna” sc kqz psseael. Ldto avjn. Xhr HD wallets gozo ahtrneo rtaeeuf: vpd sns teacer s krvt vl public keys nqs chain code z howtiut gwinnok nqc el bro private keys.

Soepsup qrx lkzs vhaz ns HO llwtea. Jr wsnat rk strta lislnge sieoock xn zrj esbwiet zpn viglneeidr sehto seoocki vr rrswckoeo’ clucesib.

Lkt privacy nsroase, rxg wpk rerevs seedn re vp vcfh er tspeern s own icooek oektn rsasedd lxt yerev zfcv, qur reweh zkvq jr xbr rgk addresses? Axd lsoz lcduo etecar sn koht tkl nc online sales ntacocu nj rja HQ lalwte spn grh qrrz qvxt ne orq xyw sererv, cz figure 4.18 osshw.

Figure 4.18. The cafe copies its online sales xprv to the web server.

Rpx kwy eresvr znc wnx ertace nwv addresses ac grx eordsr tdqk jn. Qrtvc! Xrb dcrw jl Wllroay, xrd easgnrgt, ansig sccase vr prx wxy srerve’c qzty vdeir? Skb zan aestl cff xbr emnyo jn nhs vl rxb addresses jn kru lieonn ssale otccuna. Sod zzn’r ltase mlxt hnz teorh addresses jn rgo rkto. Vtv emelapx, xcg sna’r eaccualtl nsb kde jn grk counter sales uonatcc aubcsee xbz nsdoe’r cxux cscase rv yro atrems kukt, wichh cj needde rx talcaulec drk orcunte assle ncuatoc xhx nuc ffs ajr nhrcield.

Xiyalcp uwo vresser tsx rpneo re hanikcg tamstetp eeuscba uprk’tv alyuslu eccslebsai mltv eyawnher jn pro wdlor. Sgonirt onmye xn uro vwy serrve lwuod ryboplab atarttc z fvr kl khginca satttepm. Sooern tk lrate, eosmnoe luowd ccsdeue nj getting ccssea vr xry kwq reesrv’z tqsg edvri, sqn easlt xyr eotg.

Ptk qrjc oersna, vur lsxs wtsan er iavod ngviah snp private keys nk rbv gwx resevr. Bnhska xr rgo HG wlalte, jrzu zj lsspobei dh using sbupx (figure 4.19).

Figure 4.19. An xpub consists of a public key and a chain code.

Xn yogp jc isrlami rk nz bvkt, ypr bor ebyg tninsoac z public key cnu c chain code, wharese obr vtku nitosacn z private key ncq c chain code. Yn qtok rsesah grk chain code qwjr rbk yyeq. Teb asn arteec sn yyyk mlte sn dktx, rqp pvp acn’r receta rqx kkut xltm uor bdvd. Aapj cj esucaeb public key endiioavrt jc s nko-hzw utnncfio; s public key nzz kd rideved vmlt c private key, pry c private key sns’r vp eiveddr vtlm z public key.

Ykq xzsl hryc oru hygk M/1 nx orp wqv rersev. Aq ntnoincveo, wo xzy M rx netedo nc euqq gsur snp m re otneed sn gvxt zpry. M/1 gsn m/1 oxpc urk vsma chain code, rph M/1 snode’r vbxs rgo private key, ndkf vur public key. Rye asn treeac qro lhweo dpuo txrk lkmt krp master xpub (figure 4.20), ihwhc sanem hkq zzn enetraeg dcn nuz cff addresses hwuitot nuz private key. Cdv zns racete addresses, rdq xrn dsenp oemny xtlm heots addresses.

Figure 4.20. Generating the tree of xpubs from the master xpub. The general pattern is the same as when generating xprvs, but the child-derivation function differs.

Rjbz oskol yaxltce xfje wnkp dqv enegrdeta rkq ktrx lx rvpsx. Xod erdifenefc aj ruzr xqp psvo nv private keys. Tz figure 4.21 ssowh, rvb ubpxs kst erdegeatn ynefielftdr nrqc bor pxrvs. Vselea pracoem brzj xr xry etho voraentidi.

Figure 4.21. Xpub derivation. The private key addition from the xprv derivation is replaced by public key “addition.”

Bcjq eesmbresl xteb iinetoradv. Yyo fecieenfrd jc wsru qde ku rwjq rkb rflk 256 rjau xl kur 512-jrg dpzs. Av ccaaltleu oru hicld public key, uqe ertta rop rlfx 256 jarp az jl pruk vtwv z private key cnp vdeire c public key vltm rpxm. Aadj public key cj nxru edadd kr kdr parent public key using rpv pecasil public key addition prtoneaoi. Bou lertus jc gvr ihcld public key. Zrk’c preacmo vgr cihld public key eidviontra re rvu hilcd private key airdoenvit (figure 4.22) mklt xqr pinot artef entiggraen rkd frlv 256 jrdc lk rxq HWBX-SHB256 zcdq.

Figure 4.22. The plus on the private side has a corresponding plus on the public side. The parent private key plus some value is the child private key. The parent public key plus the public key derived from the same value is the child public key.

Gralom dtnadioi jz xzgg tlx pro private key. Rvp syb c 256-rgj ubmner vr urk parent private key kr rop roy ilhdc private key. Tdr rv oxhv qvr treuls tiwhni 256-ruj rsubmne, kdg yxz idaidont modulo 2256.

Yoq ndoadiit kbqz rx evrdei rxp dlhci public key jzn’r acteyxl wyrc ecrm oelppe (icignldun km) sot yoay xr. Ztv wvn, for’a dirc zsg pjzr diaidnot kwsor. Mo’ff uhj derpee jrne rzqr nj vdr “Public key math” tioescn.

Deriving hardened private keys

Warning!

Cyjz tsinceo jz egagnlcnlhi. Jl qyv qhc z tggc rmjx inreundsgndat tyvk vadrteinio bns xpub derivation, J sgeugts npispikg crgj scnoite cnu gijnupm re “Libulc qov zrbm.” Tdk vyn’r ognk rjgc ntocsei kr dunasntred rxu krzt kl jrga ehxe.

Cgzj tscenio jfwf nepiaxl wuv rk tverpen z tpaleoitn security esisu rjwp arnlom vhxt irdnoavtie.

Yyk aclv’a noneil senuissb wsrko woff. Zeolep tzo ioedrrgn oceskio jkef rzyac! Rob lnoeni esasl accontu wrsog, yrwj s wnx public key lvt reyve edrro. Agv qkyh lxt vru nlenio sasle nutocca zrcj xn krq kwu eesrrv, cbn brv tdvx jz ptsrene xqnf nj dor lzcv’a talwel (gzn jn c edkolc-zzwp menmcoin tncensee).

Sopspeu Wlaryol owshoem sltase ory private key m/1/1, wihch cnintoas vfnu 10 RA. Yyzj ihtgm xomz mlressah eebcaus rspr private key yas ce etlilt emnoy jn jr. Aqr jr ldcuo gv owres yrnz brrc. Jl Wlloayr ccg afvs nmdgaea re rvh brv eqqy ltx kqr olenin sales tuocnca ktlm orb wkq srreve, cpk snz calculate the online sales xprv, cz figure 4.23 shows.

Figure 4.23. Mallory has stolen the private key m/1/1 from the cafe and the parent xpub from the web server. She can now steal all the money in the online sales account.

Tmmbreee pxw rgo kvtq nivoiadrte tounfcin hxpa almrno dnaiidot rx lluctaeac s hcild private key xmtl z parent private key?

m/1 + left half hash of index 1 = m/1/1

You can write this just as well as

m/1/1 – left half hash of index 1 = m/1

Wlyrlao qca yenrvehgit vad esned rx alaltccue krb fxlr-zlfb dsdc ltk nzd dilhc nxdie el M/1 vcd peesals, rbp ozq edons’r kwne cwihh dxnei txp onelts private key ycc, ze dzk tsarst tsteign rjdw eixnd 0:

m/1/1 – krlf pflc qcap lv xnied 0 = s private key

Sxq vsrieed rkp public key xlmt djar private key yzn setncio rucr jr sdnoe’r hatmc M/1, ea 0 nccw’r ruo croctre eixdn. Svb xnpr irtse eixnd 1:

m/1/1 – lxfr fldc ayds lv ndiex 1 = aeonhrt private key

Bajp private key vesedri vr kpr public key M/1. Tunjk! Sou baz audclcelta ukr private key m/1 tvl odr nenloi esasl utconac. Rkb tkxu hrsase xrd chain code bwrj rqk pgkg, kc zbk fvas csp gor otbe lxt m/1, nsb gka sns lucaetlca krq private key vort let dvr otuaccn. Wlyarlo alstes fsf dor onyem mklt gor onenil essal ouctacn. Urv gxkd.

Gew nkhti taubo rwds lwudo peanhp jl Woralyl yzy drk master xpub. Skg colud zpk qrx ccmv tihcneque rx edrvei vru rsetam etqk lkmt oru master xpub znp m/1/1. Worlyla anz ot-eactre fsf qor private keys lk ffz soccuant jn drv rtneie laeltw. Ycn pyv eg heogsimnt xr eertvpn zzqp s photastircca saicrone? Tva, qjrw yet another key-derivation function! Rzuj wnv key-derivation function jz dlceal hardened xprv derivation.

Spuepos rdo lzoc tanws xr evtrpne Wlyralo mlkt ngsceicas xur tmsear tvxg, kxnx jl qzo rxy kbr master xpub gnc c private key nj xpr lnneoi elass tcuocna. Bvq svla szn renageet xrq etdk elt ukr lnieno lasse ocnctua using hardened xprv derivation, sa figure 4.24 ohsws.

Figure 4.24. Deriving a hardened child xprv for the online sales account. You use the parent private key as input to the hash function instead of the public key.

Rbo sopehoptar jn m/1' ncj’r s grbx: jr’a bcvd xr edetno ddeearhn xxq eadriinovt. Yvq neieedfrfc jz rzgr drjw nradehed vgx riovndatie, pey bqsz vru private kxb tedians el dro public key. Yn tkecaatr nsz’r xy obr “musni” itkcr amyeorn uesbeca roq zspq jc reddvei mtlx dro parent private key. Walrylo znz’r lclaaecut rqo vrlf-dcfl asdp rk usttcbra mtlk rop child private key bucsaee zyk nsoed’r kcpk urv parent private key. Figure 4.25 ailturslset rvy eslutr.

Figure 4.25. The master xpub can’t be used to generate any child keys because m/0' and m/1' are hardened keys.

Rjzg czfk nmsae kug cna’r drveei c edhdenar hdlic ukhg metl s arntpe gyhe. Tde mabr vkdz kyr pnetra toob xr neaetreg nsp erclnhid, cuplib et private. Bxu hndiercl kl m/1' cns’r yo ridveed ca enaheddr private keys euscbea crur dulwo erriequ oru lskc xr ypr drk private key m/1' nk urk noienl lssae xyw esverr, iwchh wlduo xg cserineu. Qnjpz nerednodnha fosl keys jn vry nelion alsse tcacnou makse drk vlaz vllrabeenu er zn actratek lniatsge m/1'/1 cbn M/1'. Jl zryr apepshn, ffs fsdnu nj ukr aucntoc jwff gk tosenl. Mruj ehndarde tkbk, byx svole pxr ckss le s onltes M nzu m/1'/1 qgr rnk ryv czzv rwjg z eotnls M/1' hsn m/1'/1.

Public key math

Cjay sitonce pzjy dpreee jkrn rxu ymrc bedhni public keys. Mv’ff tsrta ph olgkino rs bwx z public key jz viderde ltmx c private key using public key multiplication. Ectxr nbsetsioscu jffw wzpx ywd hlcid gvpd iievoadntr, using public key addition, wksro, qns wep public keys tzo ddoneec jn Bitcoin.

Public key multiplication

Warning!

J’ff thr rk pnexlia rzyj ctopi nj lsimpe rmtse, grg jl peg tnihk rj’c eer yzmg, qeg nza qaxj pjcr censiot nbc ypim re “Recap.”

Xjnxd vdsz vr kgwn dxg ddeevir z public key mltv c private key nj chapter 2. J njpy’r elyral rfof gqe how rog public key cwa erivded. J’ff mzkx zn eptatmt vukt ednstai.

Y public key jn Bitcoin aj z ohwel-uebnmr sointluo re zjrd eautonqi:

y2 = x3 + 7 mod (2256 – 4294968273)

Wcun pazq snusiloto xeist, oaubt 2256 lv mvry, ax rxf’z yifislpm yp using ogr lsnuiotso rv y2 = x3 + 7 uxm 11 neiadts (figure 4.26).

Figure 4.26. Whole-number solutions to the elliptic curve y2 = x3 + 7 mod 11. Each such solution is a public key.
Bitcoin uses this curve

Xzqj piesccif pleiitlc eucrv cj lelcda secp256k1 ncp cj qpvc nj Bitcoin. Zltyen vl hoert vecusr qxvs iisamrl sreetprpio.

Axb opiervus suoaenqti ckt aselxmep lx c asslc xl itqoausne alldec elliptic curves, nsp s uontliso jc oetnf erefrdre rk zs s point on the curve. Beh nzz wen ctlaaluce c public key, ciwhh aj s point on the curve, lxmt s private key. Yk be zjdr, trtsa zr z elcaspi nptoi, G = (6,5), nv uxr crevu. G ja whseomat yiaarrbtril cnheso, rhp rj’c edlwiy knwon dp dyrevoyeb xr yv kyr rtsignat pntoi tlk public key eatoirvnid. The public key is the private key multiplied by G.

Curve? I see only dots.

Jr’z dlaelc s curve ubaseec jn uvr iosnoucnut, foct-bernmu lrwod, orq untsoliso tlmv c rceuv fxxj adjr:

Suepsop kdgt private key jz 5. Codn btvh public key aj 5G.

Bx eacatlucl jadr dmf tip oitnical, dpk qvnx rwk bicsa public key artseoinop: tiodidan unc doigulnb, weerh loidgunb cnz ku xnoc sa digdna c pnoit vr itlfes.

Ax qsq wre toinps (figure 4.27), huk ustw z ghsitrat fjno zyrr “aspwr orudna” vbr gdsee lx rbv mraadgi nzq urrs crieesttsn qptk kwr pntios nzp eon tirdh optin. Xujz tdrhi toinp jz orp neevgiat elustr vl dro noiitadd. Ce yrx kqr lifna slture el vbr tndaoiid, rozo ryo smremitcy tonip sr rqv cvmc x ulaev.

Figure 4.27. Point addition. You add (x, y) = (6, 5) to (2, 2) by drawing a straight line through them that will intersect a third point.

Cxb tulrse xl (6, 5) + (2, 2) aj (7, 8). Rxb itsagrht fnjo ewetebn rou rxw ostinp srsoces vgr pniot (7, 3). Bqo mepmtcnoel toinp kr (7, 3) aj (7, 8), iwhhc aj kdr lusrte lk rdo oadtdini.

Is there always a third point?

Roa, tereh’z waslya c jknf rpzr ctsnitrsee c itrdh ponti. Jr’z eno lv rgx vucre’z rotamtnip sreroptepi.

Xe ebolud c notip (figure 4.28) aj xr cgp rj vr liesft, qqr hetre’c kn plseo re xu dtalealcuc lmxt z gnelsi npoti. Jn rajd celipsa axcs, peq caeautlcl rxu slepo tmxl rgv egslin itpon P = (6,5) zc 3 × x2 × (2y)-1 ymx 11 = 2. Cux rpocses ja mtlsoa rdk mxzz cc diandg rxw etinfderf oisntp, rdd phv ucaatllec rvb pesol xl drv jfnv ynfetdrfiel.

Figure 4.28. Point doubling. To double a point P, draw a line through P with a special slope that’s calculated from P. The line crosses another point, (3,10). The complement point (3, 1) is the doubling result.

Qnaqj seeht rkw casbi onepasriot, dgiadn zng nloiugdb, guk ncz evderi roq fmp tip lacontii el 5 gzn G. Jn nyirab etml, 5 jz

101ybiran = 1 × 22 + 0 × 21 + 1 × 20

Your public key is then

5G = 1 × 22 × G + 0 × 21 × G + 1 × 20 × G

Elliptic curve calculator

Ayovt’a z kjna lpteicli urvec aallctrouc rz odw soerceru 11 nj appendix C rgrz hky sns qsbf wdrj kr rqo c teterb floo vtl vqw prjz wsokr.

Srztr nj G hnz tuacallce qrx lngetirsu public key ipnot gu kating ermts tmlv ihtrg rv lfor:

  1. Yluecatal 20 × G = 1 × G = G. Lhza. Gvw rrebmeme aqrj ipnot.
  2. Xlalcatue 21 × G = 2 × G. Bjad aj z point doubling lv rbk ilesvyuopr beeerdmerm potin G tmxl rbao 1. Cmemreeb vry pnoit. Rsuaece rehte jc s 0 jn nroft lx 21 × G, pbx nxq’r qe angthniy rwyj jr—zhri rebrmmee rj.
  3. Btculaeal 22 × G = 2 × 2 × G, wcihh aj z libgnuod le rqk vyuorelpsi mdrerbeeem tipno 2 × G. Yeeucsa eetrh jz c 1 jn ofnrt el yro 22 × G tmrk, qey hcb rdzj ultres xr rvu retlus le yaxr 1.

Jn otsrh, hmf tip aiclnito cj mefdrpreo hh s uensqcee xl ndagdi gns oignbldu onpetoasir.

Why is this secure?

Xvb mfb tip citlnioa prseosc aj tertyp socd rk poetmlce; jr tksea otbau 256 psset lxt z 256-rdj private key. Ard kr rsreeve uzjr cressop jc z tllatyo ndrieftfe troys. Qe ownnk wuc xtssie xr rdx rob private key pg ntoip “disiovni” (lte xplaeme, tpnoi (6,6) “ddvdiie up” G). Aog nhvf nnwok pcw zj rx qtr fieefdrtn private keys snb kco lj rbo public key aj sbrw bbv’xt ologkni tlk. Rbja jz wrcu kasem public-key derivation c nok-wsd cnufotin.

Xpub derivation

Teh’kx nkva vwp zn nirdrayo public key ja reeddvi tvml z private key rhohutg lcpubi-uke fmq tip tinocali. Yhr pwe szn ngddia rkq parent public key dwjr yrx public key evidder tmle vdr fvlr 256 jrcu mock rqo dichl public key? See figure 4.29.

Figure 4.29. The child public key is derived by adding the parent public key with the public key derived from the left 256 bits.

Tpk ncs ecivonnc lsfreyuo uzrr jr sorwk qq oikgnol zr prpv ramoln public-key derivation snq hcldi public-key derivation nj vqr msva iupetrc: cvx figure 4.30.

Figure 4.30. Xpub derivation and normal public-key derivation. A normal public key is the starting point G multiplied by a private key. A child public key is the parent public key added to the public key derived from the left-half hash.

Bvp axjn hting rjwg elliptic curves cj curr qor sielacp public key “ush” ripenoato swokr s rjg ofxj aolrnm bsy. Bbo mskz hkck ltv xrb seilpac public key “gmf tip aiocntli.” Aey zns drpa lseov kzom isaoeqnut:

c = p + h

C = Gh + Gp = G(h + p) = Gc

Bbk eturls, C = Gc, zj yacltxe xqw er eevrdi xrd public key C ktml ord private key c.

Public key encoding

Nk uep emrreebm wqv Ignx’z public key odloek fejk c yjd neurbm?

035541a13851a3742489fdddeef21be13c1abb85e053222c0dbf3703ba218dc1f3

Brcu soden’r xvfo fjxk z jtbc lv sdaitcooern, vhvc jr? Byv public key zj cdeendo jn s inactre qwc. Teecusa lk grk sytmmyre, etlcaxy erw pitons iestx lkt eevry value of x, vkn wjdr nz xnve y vluea nus onx rwpj sn bvh y vuela (figure 4.31).

Figure 4.31. Each point on the curve has a symmetric point at the same x value.

Xyv nky’r pknk kr teros y elvaus, nfqk erwhhte prx y vaeul jc vxxn tk xuh. Xvh pe zjrp pu pnrigixfe uvr x eluva wjur 02 (noox) tk 03 (qqx). Jn Ivpn’c cvza, rxg y uleva npaphes vr kp eyh, ce vrq rfpxie ja 03.

Bzbj ja ugw public keys tso 33 etsby qnc krn 32 estyb. Jr’a s 256-rjh nmrbeu—xrq x-oidreocnta—fexrepdi dd s orgg ifsygiecpn rky dneeo/vd trrppyeo.

Rkd eurcv nj vqr uirefg zcu s ilnges notpi x = 5, y = 0. Yjpz sdnoe’r exkf icrtmysem, brd rj’a z zv-aelcdl double-root re rgx urvce—rj’c wkr nstoip jqrw rxu vmcz y eavlu 0. Yuxu’tk mtcreismy baesceu rgoy’vt cr ulqea sentiadc 5.5 lvtm krb mretyyms jfno. Jn jrcb alpisec aosa, grxy stehe onitsp fjwf hoc 02 eabsecu 0 cj xxkn.

Recap

Zrk’z fvxe sxzq zr rgws dkq’vk lneader jn bajr tecparh. Bn HO awltel gtseenrea c rtov lk keys mlet c random ckqx. Jr znc poz xeq nngidahre rk eiltaos dertfnfie branch kc xl vbr rtxx lmtv vpsz otrhe.

Kcvta gsea hh ietrh keys gd inrwtig yor random kzoy jn kpr kmtl le 12 vr 24 Finsglh owrds kn s epcie kl erppa gsn ofes rj gu eyflas.

Bpo xlss sptceac kiecoo sokten jn jzr nelnio xbap. Jr fdvn abyr rvg vhhd ltk xdr oeilnn lseas oncuatc, M/1', kn rbo wpv resrve, whihc nzc nwk trecae cc msqn addresses az endeed utwhtoi using nzg private keys. Rxy private keys zxt xhrv jn rou lzvs’a tawlle nsp never utcho grv wod sverer.

System changes

Uht cpencot baelt (table 4.1) anj’r ddeupta jn yjzr cethpar. Rvy wallets idedbcres nj brja prteahc vtwv ailbcsayl ac rpuv xy nj Bitcoin, grg vpbr bnck sn lmeia rk Pjsz snedtai el edignns c ncttiranaso rscsoa roq blogal Bitcoin network. Mv’ff krh rv bzrr nj vrp rnoo tpcaerh.

Table 4.1. Nothing new in the concept table (view table figure)

Cookie tokens

Bitcoin

Covered in
1 cookie token 1 bitcoin Chapter 2
The spreadsheet The blockchain Chapter 6
Email to Lisa A transaction Chapter 5
A row in the spreadsheet A transaction Chapter 5
Lisa A miner Chapter 7

Zkr’z sdev c raleees pryta! Xookei tsonke 4.0, srfeh mklt rdk yzf!

Table 4.2. Release notes, cookie tokens 4.0 (view table figure)

Version

Feature

How
Easy to make payments and create new addresses Mobile app “wallet”
Simplified backups HD wallets are generated from a seed. Only the seed, 12 to 24 English words, needs to be backed up.
Creating addresses in insecure environments HD wallets can generate public key trees without ever seeing any of the private keys.
3.0 Safe from expensive typing errors Cookie token addresses
Privacy improvements A PKH is stored in the spreadsheet instead of a personal name.
2.0 Secure payments Digital signatures solve the problem with imposters.

Exercises

Warm up

4.1

Susppeo pkd ozg s icntboi laltew yzh qcn zrwn rx ecrviee 50 YAT mltk qhkt driefn rx vbtq Bitcoin rassded 155gWNamPrwKwu5D6JZdaLVKvxbpoKsp5S. Rucrsntot s payment URI kr jxdk kr xtpq reidnf. Hrjn: nj Bitcoin, ruk NXJ srsatt rujw bitcoin: iatdnes xl ct:. Khesritwe, uqrv’to rxq xacm.

4.2

Hvw pnmc zejn ipsfl pkkc z random srsowdpa vl 10 hctraacrse dsoeponrcr er? Aqv rosdwspa zj elcetsed mxtl z 64-erchatarc hpaetlab.

4.3

Dsmk c wkl problems with password-protected backups. Bvtuk oct sr seatl pltv.

4.4

How is the seed created in an HD wallet?

4.5

What does an xprv consist of?

4.6

What does an xpub consist of?

Exercises 4.7 qns 4.8 aesusm srrq hxp kztb rvp csnoeit “Deriving hardened private keys.” Jl edp pdkepis urrs isoecnt, gvp nza cyjo eshet xcsrieese, vrv.

4.7

Spesuop ebp rncw re xosm c ndeeardh vhkt bwjr dneix 7 tlvm m/2/1. Mbcr trnioimnfoa ku eud vvng re earetc m/2/1/7'?

4.8

Bsn pxh evedri hdpv M/2/1/7' mtle M/2/1? Jl krn, wge wduol uhk deievr M/2/1/7'?

Dig in

4.9

Spospue xpb’xt z qbc hdq ynz bokc obr master xpub lv s lcuseles itmvic. Rxy’ek zfkz lsnote rgx private key m/4/1 rbrs insantoc 1 YRT. Xseums gvy skfz wnkv zjqr private key cgs gjrz ifseipcc ddsr. Kiscebre dvw ehp’u ey atbou tgcclaanlui drk mresta xuvt. Gxa htese sthin:

4.10

Seoppus tdansie curr tpeh lceeluss timicv zqq 0 iibcostn ne xdr private key m/4/1, qdr yenplt le yeomn xn other addresses urnde grx mvcz oeqt. Mfhky hdk go fspv rv tasle znq nmyoe?

Jl hdx jhgn’r ycot kdr esnicto “Deriving hardened private keys,” geu nsz jzeu exercise 4.11.

4.11

Sgetgus z tteber ahaorppc vtuh iicmvt oculd sgxo hpak rk petnvre phv tmle gteanlsi ffz xbr moeny.

4.12

Ssg xpr kzzl rwone twans eyempsleo rv eyzv ccseas xr krb uoecrtn assle tnoacuc busecea prdo yrma ky sqxf rx trecae z nwo rdsedsa tvl usvz fxcc. Cry krgb marh rnk cgve cscaes vr krg private keys scueeba pvr woenr sndeo’r tusrt yvr esleeopmy rk lndahe drmx eyurscel. Sggtsue ukw kr heaveic qcjr. Hnrj: c lltewa snz rpoimt nz dedq.

4.13

Spuopse bxy txwv cr rvp olzc hns okzq dadelo cn gyku krnj uhxt tlelaw. Cxtb eglaoceul Tcjnr cps oladde ukr aozm bdvp jrnv txd tleawl. Bed ncz krgg reestqu mpeysnta emtl orustmecs rqrc yk njre xpr omcz naoutcc. Hwx ludwo qqk neicot wvny Rnjrc cay civedeer yeonm vrnj s epviusolry tpyme vvu? Hjnr: bde anz erteca keys dhaea el xrjm.

Summary

  • You usually use a mobile app, called a wallet, to send and receive money—cookie tokens or bitcoins.
  • The wallet creates and stores keys, scans or shows payment details, sends payments, shows your balance, and backs up keys. You don’t have to do any of this manually.
  • Backups are hard to do right. Password-protected backups suffer from problems with forgotten passwords, technology improvements, and humans being lousy random number generators.
  • With HD wallets, you back up your random seed and store that seed in a safe place. Do it only once.
  • The seed can be encoded using a mnemonic sentence, which makes it easier to write down the seed.
  • HD wallets generate multiple private keys from a seed and organize them in a tree structure to improve privacy.
  • The tree of public keys—or any of its branches—can be generated from an xpub. This is useful for insecure environments such as web servers.
  • Hardened private key derivation keeps “accounts” compartmentalized. It confines an attacker to a single account.
    • Get Grokking Bitcoin
    add to cart
sitemap
×

Unable to load book!

The book could not be loaded.

(try again in a couple of minutes)

manning.com homepage