Inside a HD hardware wallet — BitGuard
Bitcoin is a digital decentralized currency which promises to replace existing currency model. Crypto currencies are having big impact on the society and removing the centralized banking system. With evolution in banking and currencies there is a need for evolution of wallets too.
Our traditional pocket leather wallets will evolve to pocket digital wallets which can store your digital assets.
Keeping your decentralized currency in centralized platforms defeats the purpose of “safety” that blockchains offers. If you want to use a cryptocurrency you need to have a specific private key for that currency.
What does these private key do? Why can’t we transfer cryptocurrencies like traditional currencies? I will answer these questions shortly. For now all we need to know is this:
Our cryptocurrencies are as safe as our private keys and you need the private key to spend your cryptocurrencies.
Different cryptocurrencies have different type of private keys. Keeping these 256 bit private key written on a paper or storing them on a third platform is a big hustle and may cost you. Here, comes the use of cryptocurrencies wallets which have been evolving in past years. Wallets makes spending your cryptos easy and store the private keys safe (true safety is achieved by a hardware wallet).
I have divided this article in two parts.
- First part will explain things in general way.
- Second part will give in depth knowledge.
Lastly, there is a demo video of a working Hardware wallet which is developed by Blockwala.
What are cryptocurrencies?
Crytpocurrencies are decentralized open ledger. These ledger stores all the transaction that has happened till now. In short one can say that one can find who has how much currencies. These transactions are not stored against name of a person but their public addresses.
Public addresses are, as the name suggests, publicly open personal address. Its like your house address, anyone who knows it can come by to drop a parcel. But no one who knows it can come to take that parcel (unless you leave your front door open). Public addresses are derived from private key.
So how do we spend our cryptocurrencies? Lets take one small example. If Bosco wants to send 3 XYZ coin to John, then he needs to broadcast it publicly that “Bosco gave 3 XYZ coin to John”.
Now, here comes a big problem anyone can state this statement “Bosco gave 3 XYZ coin to John”. How can we make sure that this statement was stated by Bosco only and no one else? To do so we need to digitally sign this statement or transaction. The transaction is signed using ECDSA which uses Bosco’s private key to sign the data. This private key is unique and public address derived from it will also be unique (chance of collision is even lesser than finding an alien life).
Since every transaction is stored against public keys, one can verify from this public key that given transaction was signed by the private key from which this public key was derived.
Types of Wallet
By now we know how important our private keys are. So to keep them safe we store them in different types of wallets. Their are many different parameters on which we can define a type of wallet. But lets start with the basic differences.
- Online Wallet: These types of wallet store your private keys on the cloud servers. Security of these wallets is as strong as the security of the cloud. Which is to say, as strong as the program/firewall/developer that defends it.
- Mobile Wallet: Mobile wallets are your mobile apps. They are very handy since they can be used as a means of payment even in physical stores. All you need to do is install an app on your phone and open an account. In general, mobile wallets are considered to be safer than cloud wallets. The risks associated with mobile wallets are losing your assets in case your phone breaks down or encounters a malware.
- Desktop Wallet: Desktop wallets is another popular choice which is also safer than online wallets. They are downloaded and installed on a PC or laptop and are accessible from the installation device. However, if your computer is infected with a virus, gets hacked or experiences external damage, there is a chance to lose all your Private keys.
- Paper Wallet: Paper wallets are by far the safest option to store your Private Keys. But, private Keys are too bulky and and case sensitive. So, its hard to write down on a paper. Plus if you have different cryptocurrencies then you have to write down many different private keys.
- Hardware Wallet: Hardware wallets are cold storage(no external connection except supporting software) devices like pen drive. They can store private key for different cryptocurrencies and they are the safest choice of wallets as your private keys never leaves the device. Transaction goes inside the wallet and then signed.
Now lets go into more detailed difference of each wallet. Basically these differences are based on the method used to derive your private key.
- Non-Deterministic Wallet: First came these wallets, which generate your private keys randomly. So your private key being unique completely depends on how good is your random method. To achieve a truly random method is in itself a tough task. So these types are outdated.
- Deterministic Wallets: These types are better then Non-Deterministic wallet as they use seed to generate private public key pair. These wallets are derived from a common seed, through the use of a one-way hash function.
- Hierarchical Deterministic Wallets: Deterministic wallets were developed to make it easy to derive many keys from a single “seed.” The most advanced form of deterministic wallets is the HD wallet defined by the BIP-32 standard. HD wallets contain keys derived in a tree structure, such that a parent key can derive a sequence of children keys, each of which can derive a sequence of grandchildren keys, and so on, to an infinite depth. This seed is derived form mnemonics using BIP39. For example mnemonics can be 12 words from which you can derive private key for all crypto currencies and they are easy to store. Even if you loose your wallet you can recover your whole wallet using these 12 words.
In Depth Working
Now, we have a basic idea about wallets, cryptocurrencies and how transactions are done. So, now we will move forward into in depth working of Hierarchical Deterministic Hardware Wallets. First, lets go through mathematics behind generation of public address from private key and transaction signing using ECDSA.
Mathematics Behind
Derivation of public keys and signing of transaction using private key is based around elliptic curve cryptography. Equation for elliptic curves is of this form.
y² = x³+ax+b
where 4a³+27b² ≠ 0 (this is required to avoid singular points).
Here are some example elliptic curves:
The type of elliptic curve which we will be using is Secp256k1 for both deriving public keys and signing the transaction.
y^2 = x^3 + 7
This is the equation for Secp256k1. What is so special about this curve? If you take any 2 points on this curve and draw a line passing through these two points, then this line will cut the curve on exactly one more point. This property of these curves is used in elliptic curve cryptography. If you are more curious about how it works you can read here.
Private and Public Keys
Private key is a randomly generated 256 bit long number. From which public key is derived using curve multiplication on elliptic curve (secp256k1). Public Key(K) is a point on the curve.
K=k*G
K is the Public Key.
k is the private Key.
G is the generator of secp256k1 curve
‘*’ stands for point multiplication on the curve secp256k1
From public key we need to derive public address. This address is used to send or receive XYZcoins. Steps involved in generating this 20 bytes public address are:
Hierarchical Deterministic Wallets
HD wallets are created from a single root seed, which is a 128-, 256-, or 512-bit random number. This seed is generated from mnemonics. First Step, BIP39 is used to generate root seed from mnemonics. Mnemonics is a list of 2048 words. Steps involved in generating mnemonics are:
- Create a random sequence (entropy) of 128 to 256 bits.
- Create a checksum of the random sequence by taking the first few bits of its SHA256 hash.
- Add the checksum to the end of the random sequence.
- Divide the sequence into sections of 11 bits, using those to index a dictionary of 2048 pre-defined words.
- Produce 12–24 words representing the mnemonic code.
Lets take an example with 12 words.
Every key in the HD wallet is deterministically derived from this root seed, which makes it possible to re-create the entire HD wallet from that seed in any compatible HD wallet. This makes it easy to back up, restore, export, and import HD wallets containing thousands or even millions of keys by simply transferring only the mnemonic that the root seed is derived from. Now lets move forward on how these keys are generated from this root seed.
Seed To Master Keys
The root seed is input into the HMAC-SHA512 algorithm and the resulting hash is used to create a master private key (m) and a master chain code .The master private key (m) then generates a corresponding master public key (M) using the normal elliptic curve multiplication process m * G that we saw in private and public keys.The chain code is used to introduce entropy in the function that creates child keys from parent keys, as we will see in the next section.
Private child key derivation
HD wallets use a child key derivation (CKD) function to derive child keys from parent keys.The child key derivation functions are based on a one-way hash function that combines a parent private or public key, seed called a chain code (256 bits), index number (32 bits).
The parent public key, chain code, and the index number are combined and hashed with the HMAC-SHA512 algorithm to produce a 512-bit hash. This 512-bit hash is split into two 256-bit halves. The right-half 256 bits of the hash output become the chain code for the child. The left-half 256 bits of the hash are added to the parent private key to produce the child private key. In Extending a parent private key to create a child private key, we see this illustrated with the index set to 0 to produce the “zero” (first by index) child of the parent.Changing the index allows us to extend the parent and create the other children in the sequence, e.g., Child 0, Child 1, Child 2, etc. Each parent key can have 2,147,483,647 (231) children (231 is half of the entire 232 range available because the other half is reserved for a special type of derivation(hardened derivation).
Hardened child key derivation
The ability to derive a branch of public keys from an xpub is very useful, but it comes with a potential risk. Access to an xpub does not give access to child private keys. However, because the xpub contains the chain code, if a child private key is known, or somehow leaked, it can be used with the chain code to derive all the other child private keys. A single leaked child private key, together with a parent chain code, reveals all the private keys of all the children. Worse, the child private key together with a parent chain code can be used to deduce the parent private key.
To counter this risk, HD wallets use an alternative derivation function called hardened derivation, which “breaks” the relationship between parent public key and child chain code. The hardened derivation function uses the parent private key to derive the child chain code, instead of the parent public key. This creates a “firewall” in the parent/child sequence, with a chain code that cannot be used to compromise a parent or sibling private key. The hardened derivation function looks almost identical to the normal child private key derivation, except that the parent private key is used as input to the hash function, instead of the parent public key.
Few Examples on Derivation of keys
For example lets take BitCoin the derivation path is m/44'/0'/0'/0, for ETH derivation path is m/44'/60'/0'/0. You can get private and public keys for any crypto-currencies. You can try to generate your own private and public key using this method here.
HD-Hardware Wallet
There are already few HD-hardware wallets in market like nano ledger S, trezor. Here at Blockwala we recently released our wallet application BitGuard for Android. In near future this app will be compatible with HD-Hardware Wallet that we will be releasing soon. In this section I will give brief working of our HD-hardware wallet BitGuard.
BitGuard
BitGuard is a HD-Hardware Wallet, which does not store your private keys. It just stores the 12 words mnemonics. From these mnemonics your private key is derived every time you do a transaction and then the transaction is signed. Hardware is divided into two parts. One part will be storing a custom bootloader and other part will be storing the firmware. Mnemonics will be stored in eeprom which will never leave the device. Lets look into details of its working.
Communication
BitGuard will be compatible with PC, android and Ios. There will be two types of communications one over USB and another over BLE(bluetooth 4.0). Both modes will be working on UART communication(Universal asynchronous receiver-transmitter). UART is basic type of communication and hacking a device through it is really tough.
Bootloader
Bootloader is used to update the firmware through serial port. This is needed for Over the Air update of the device’s firmware. We will be coming up with our own bootloader which will do the decryption of encrypted firmware code and like this malicious firmware wont be able to uploaded on the device. Which will avoid hackers to temper with the integrity of the device. In short no one will be able to access its eeprom, hence mnemonics.
Eeprom
Electrically Erasable Programable Read Only Memory will store the mnemonics in encrypted form. Which can only be decrypted by the firmware while signing the transaction.
Flash memory
In this section of the device firmware will be stored. Which will handle the user interface components like Screen and buttons.
Right now fully working prototype is ready and we are done with first draft of pcb design. We will also come up with a test bench to check the integrity of the device and do testing. Soon BitGuard will be available in market.
Conclusion
I hope this helped you understand the inner working of a HD hardware wallet , I tried keep it as simple as possible. If you have any questions please feel free to ask them. A clap or a share always helps!
References:
Ref1: http://apprize.info/payment/bitcoin_3/5.html
Ref2: https://www.ietf.org/rfc/rfc2898.txt
Ref3: https://bitcoin.stackexchange.com/questions/3374/how-to-redeem-a-basic-tx