What is Bitcoin Improvement Proposal 32 (BIP-32)?

Arun
Geek Culture
Published in
7 min readJan 1, 2022

Bitcoin Improvement Proposal 32, or BIP-32, is an Informational BIP that describes hierarchical deterministic wallets, or HD wallets. HD wallets are wallets that can be shared partially or completely with different systems, each with or without the ability to spend coins.

BIP 32 was a significant improvement for Bitcoin wallets in several ways. HD wallets greatly improved the interoperability of wallets, as a set of keys could be transferred between wallet software with a single extended private key.

Deterministic Wallets vs Hierarchical Deterministic Wallets

A deterministic wallet is a system of deriving keys from a single starting point known as a seed. It uses elliptic curve mathematics, which makes it possible to calculate public keys without revealing the private keys. Deterministic wallets usually consist of a single “chain” of key pairs. The limitation of this is that such a wallet can only be shared on an all-or-nothing basis.

The advantage of HD wallets over simple deterministic wallets is that they provide multiple key-pair chains, so parts of the wallet can be shared selectively.

BIP-32 Key Derivation

The public-key cryptography used in Bitcoin is elliptic curve cryptography (ECC) using the field and curve parameters defined by secp256k1. The advantage of ECC is that it needs much smaller keys for the same security level, which also makes the operations faster.

ECC

The commercial standards for efficient and interoperable cryptography based on ECC are developed by the Standards for Efficient Cryptography Group (SECG), which has published a document with a recommended set of elliptic curve domain parameters, referred to by the letters {p, a, b, G, n, h}.

This data set is collectively referred to as the elliptic curve domain parameters.

The secp256k1 uses the following elliptic curve equation,

y² = x³ + ax + b

Parameter a = 0

Parameter b = 7

Therefore the equation looks like: y² = x³ + 7

The finite field Fp is a field with a finite number of elements, defined by the parameter p, which is a prime number; Fp = {0, …, p-1}. All arithmetic in the elliptic curve equation is therefore carried out modulo p.

Hence the equation becomes: y² ≡ x³ + ax + b (mod p)

The parameter G is known as the generator or base point: a predetermined point (x_G, y_G) on the elliptic curve from which all other points used are computed. The generator G is given in two forms,

Compressed form (prefix: 02)

02 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798

Uncompressed form(prefix: 04)

04 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798 483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8

Repeatedly applying the group operation to the generator point G eventually returns to the starting point, after which the sequence of points repeats in the same order. The number of steps in one such cycle is the parameter n, called the order of the generator point G.

The parameter n also bounds the private keys: any 256-bit number in the range [1, n-1] is a valid private key. The parameter h is called the cofactor and for secp256k1 has the constant value 1.

The properties of the elliptic curve

  1. If a line intersects the curve at two points P and Q, it intersects the curve at a third point, -R.
  2. If a line is tangent to the curve at a point, it intersects the curve at exactly one other point.
  3. All vertical lines intersect the curve at the point at infinity.

For a visual demo of elliptic curves, see this page,

There are two operations (“dot” operations) that can be performed on points of the curve, including the generator G.

  1. Point Addition
  2. Point Doubling

Point Addition

Point addition is the operation of adding two distinct points P and Q on an elliptic curve (P ≠ Q). Draw a straight line through P and Q; the line intersects the curve at exactly one other point, -R. Reflecting -R across the x-axis gives the point R, which is the result of the point addition.

Point Addition

Point Doubling

Doubling a point P is point addition in the special case where the two points coincide (P = Q). Draw the tangent to the elliptic curve at P; the tangent intersects the curve at one other point, -R. Reflecting -R across the x-axis gives the point R, which is the result of doubling P.

Point Doubling

Standard Conversion Functions

The following standard conversion functions are assumed when describing the algorithms in this BIP.

point(p): returns the coordinate pair resulting from EC point multiplication (repeated application of the EC group operation) of the secp256k1 base point with the integer p.

ser32(i): serialize a 32-bit unsigned integer i as a 4-byte sequence, most significant byte first.

ser256(p): serializes the integer p as a 32-byte sequence, most significant byte first.

serP(P): serializes the coordinate pair P = (x,y) as a byte sequence using SEC1’s compressed form: (0x02 or 0x03) || ser256(x), where the header byte depends on the parity of the omitted y coordinate.

parse256(p): interprets a 32-byte sequence as a 256-bit number, most significant byte first.

BIP-39 is an improvement proposal that describes how mnemonic words are used to generate a 512-bit seed, which is then used to create an HD wallet. See more about BIP-39 here,

Extended Keys

The BIP-39 seed (128–256 bit) is hashed with HMAC-SHA512 to generate the master private key (256 bit). A master chain code, an extra 256 bits of entropy, accompanies it so that the keys derived from the master key do not depend solely on the master key itself.

The extended private key is represented as (k, c), where k is the normal private key and c is the chain code. Each extended key can derive 2³¹ normal child keys and 2³¹ hardened child keys, each identified by an index. Normal child keys use indices 0 through 2³¹-1; hardened child keys use indices 2³¹ through 2³²-1.

Child Derivation(CKD) Function

Given a parent extended key and an index i, it is possible to calculate the corresponding child extended key. The algorithm depends on whether the child is a hardened key or not, and on whether private or public keys are involved.

The HMAC-SHA512 function takes three inputs: the parent private or public key, the index number i and the parent chain code. Its 512-bit output is split into 256 left hash bits and 256 right hash bits.

Child Key Derivation Function

If the child is a hardened key, the parent private key goes into the hash, and the left hash bits are added to the parent private key to give the child private key.

Extended Private key (xprv) = parent private key + parent chain code

Xprv keys can derive a complete branch, with both child private keys and child public keys.

If the child is a normal key, the parent public key goes into the hash, and the left hash bits (as a curve point) are added to the parent public key to give the child public key.

Extended public key(xpub) = parent public key + parent chain code

Xpub keys derive only a branch of child public keys; they cannot derive hardened children.

Derivation of Private Parent Key to Private Child Key

Derivation of Public Parent Key to Public Child Key

Derivation of Private Parent Key to Public Child Key

Using different index numbers (i) creates different, unlinkable child keys from the same parent. Repeating the procedure on a child key with the child chain code creates unlinkable grandchild keys. Changing the chain code creates a new node (aka a new wallet).

Wallet Structure

BIP-32 imposes a wallet structure on the key trees and their nodes.

An HD wallet is organized as several ‘accounts’. Accounts are numbered, with the default account (“ ”) being number 0. Each account is composed of two key-pair chains: an internal and an external one. The external chain is used to generate new public addresses, while the internal chain is used for all other operations that do not require any communication.
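As an added example, not code from the article nor the Python implementation it links to, the following standard-library-only Python ties together the pieces described above: the point addition and doubling on secp256k1, the BIP-32 conversion functions (point, ser32, ser256, serP, parse256), master-key generation from a seed, the CKDpriv and CKDpub child derivation functions, and a small path walker for the account/chain structure (m / account' / chain / index). The seed used in the demo is the first BIP-32 test-vector seed, treated here purely as constructed input; the function and variable names are my own. The point to observe is that an xpub reproduces exactly the public children that the xprv derives for normal indices, but refuses hardened ones.

```python
import hashlib
import hmac

# secp256k1 domain parameters {p, a, b, G, n, h} from SEC 2 (h = 1 is not needed below)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 1 << 31  # first hardened index, 2^31

def on_curve(pt):
    """True if pt (None = point at infinity) satisfies y^2 = x^3 + ax + b (mod p)."""
    return pt is None or (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P == 0

def point_add(p1, p2):
    """Group law: identity cases, P + (-P) = infinity, tangent when P == Q, chord otherwise."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                    # vertical line: meets curve at infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)   # point doubling: tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)          # point addition: chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P                    # reflect -R across the x-axis to get R
    return (x3, y3)

def scalar_mult(k, pt=G):
    """k * pt by double-and-add; used for point(p) and for deriving public children."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)             # doubling step
        k >>= 1
    return result

# The conversion functions named in BIP-32
def point(p): return scalar_mult(p, G)
def ser32(i): return i.to_bytes(4, "big")
def ser256(p): return p.to_bytes(32, "big")
def parse256(b): return int.from_bytes(b, "big")
def serP(pt):
    x, y = pt
    return (b"\x02" if y % 2 == 0 else b"\x03") + ser256(x)   # SEC1 compressed form

def master_key(seed):
    """HMAC-SHA512 keyed with "Bitcoin seed": left 256 bits = master key, right 256 = chain code."""
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = parse256(I[:32])
    if k == 0 or k >= N:
        raise ValueError("invalid master key, use a different seed")
    return k, I[32:]

def ckd_priv(k_par, c_par, i):
    """Private parent -> private child. Hardened indices hash the private key, normal ones the public key."""
    if i >= HARDENED:
        data = b"\x00" + ser256(k_par) + ser32(i)
    else:
        data = serP(point(k_par)) + ser32(i)
    I = hmac.new(c_par, data, hashlib.sha512).digest()
    il, k_i = parse256(I[:32]), (parse256(I[:32]) + k_par) % N
    if il >= N or k_i == 0:
        raise ValueError("invalid child at index %d, skip it" % i)
    return k_i, I[32:]

def ckd_pub(K_par, c_par, i):
    """Public parent -> public child. Only possible for normal (non-hardened) indices."""
    if i >= HARDENED:
        raise ValueError("hardened children cannot be derived from an xpub")
    I = hmac.new(c_par, serP(K_par) + ser32(i), hashlib.sha512).digest()
    il = parse256(I[:32])
    K_i = point_add(point(il), K_par)                  # point(IL) + K_par
    if il >= N or K_i is None:
        raise ValueError("invalid child at index %d, skip it" % i)
    return K_i, I[32:]

def derive_path(seed, path):
    """Walk a path such as m/0'/1/5 (apostrophe or h = hardened) and return the leaf (k, c)."""
    k, c = master_key(seed)
    for part in path.split("/")[1:]:
        i = int(part.rstrip("'hH")) + (HARDENED if part[-1] in "'hH" else 0)
        k, c = ckd_priv(k, c, i)
    return k, c

if __name__ == "__main__":
    seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed test seed only
    k, c = derive_path(seed, "m/0'/1")   # account 0 (hardened), internal chain
    print("m/0'/1 private key:", ser256(k).hex())
    print("m/0'/1 public key: ", serP(point(k)).hex())
```

The hardened/normal split in ckd_priv is what gives an xpub its limits: a normal child only needs serP(parent public key), so ckd_pub can reproduce it, while a hardened child mixes in the parent private key and is out of reach for anyone holding only the xpub. Invalid children (IL ≥ n or a zero key) have negligible probability but must be skipped rather than silently accepted.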

See the implementation of BIP-32 in python,
