2. Derivation rules [BIP32].
We generated a seed through BIP39, which we call the 'master seed'. According to the derivation rules of BIP32, we can derive the 'master private key', 'master public key', and 'master chain code' from the 'master seed', all three of which are referred to as 'keys'. We can continue to derive 'child keys' (child private key, child public key, child chain code) from the 'keys' as 'child seeds', and so on, allowing for an infinite generation of descendants, all derived from the 'master seed'; hence, the 'master seed' is also referred to as the 'root'. The 'master private key', 'master public key', and 'master chain code' are also referred to as the 'master keys'. As long as we back up the 'mnemonic phrase', we can export the 'root' -> 'master root' -> 'child root', etc.
It can be seen that each level of 'key' can be used as both a direct 'private key' and 'public key', and can also serve as the root for deriving the next level 'key'. How to arrange this will depend on the 'BIP44' protocol. In other words, BIP32 specifies the method of cooking, while BIP44 specifies whether the dish produced is used as ingredients for the next dish or eaten directly.
1) Derive the 'master key'.
Take the fixed string 'Bitcoin seed' as the key 'Key', and use the 'seed' as the data 'Data' to input into the function HMAC-SHA512(Key, Data) to generate a 512-bit binary number, taking the first 256 bits to generate the 'master private key' and the last 256 bits as the 'master chain code'. Based on the 'master private key', generate the 'master public key' using the previously mentioned public key generation method.
Figure 1, deriving the 'master key' from the 'seed'.
2) Derive the 'child key'.
The HMAC-SHA512(Key, Data) function is still used to derive child keys, but the parameters input to the function may use the 'master private key' or the 'master public key', which creates a distinction. Using the 'master private key' cannot generate a 'child public key' through 'normal derivation', so we refer to the method using the 'master private key' as 'hardened derivation', while the method using the 'master public key' is referred to as 'normal derivation'.
Introduce an index constant index, and when index ≥ 2^31, use hardened derivation; otherwise, use normal derivation. In the BIP32 rules, the following two pseudo functions are described.
CKDpriv(parent private key, parent chain code, index).
CKDpub(parent public key, parent chain code, index).
Both of these pseudo functions are implemented through the HMAC-SHA512(Key, Data) function for derivation.
Def CKDpriv(k_par, c_par, i):
if I >= 2³¹
data = 0x00 || ser256(k_par) || ser32(i) # Used for hardened derivation.
else
K_par = point(k_par).
data = serP(K_par) || ser32(i) # Used for normal derivation.
I = HMAC_SHA512(key = c_par, msg = data) I_L, I_R = I[:32], I[32:]
// Take the left 256 bits to generate the child private key, the right 256 bits are the child chain code.
k_i = (I_L + k_par) mod n # Core mechanism c_i = I_R return k_i, c_i.
// Input is the 'parent private key' and 'chain code', output is the 'child private key' and 'child chain code'.
--------------------------------------------------------------
Def CKDpub((K_par, c_par), i):
if i >= 2³¹ // Hardened derivation cannot be used for CKDpub.
throw InvalidChildError.
data = serP(K_par) || ser32(i).
I = HMAC-SHA512(Key = c_par, Data = data).
IL, IR = I[0:32], I[32:64].
K_i = point(IL) + K_par // Elliptic curve point addition, core mechanism.
c_i = IR return (K_i, c_i).
// Input is the 'parent public key' and 'chain code', output is the 'child public key' and 'child chain code'.
The functions of the above two are:
In hardened derivation:
The derived 'child private key' relies on the 'parent private key' and cannot generate a 'child public key' through 'normal derivation', hence higher security.
In normal derivation:
Through the 'parent private key' and 'parent chain code', we can obtain the 'child private key' and 'child public key' (the 'child private key' here is different from the 'child private key' derived through hardening).
Through the 'parent public key' and 'parent chain code', we can only obtain the 'child public key'.
This allows the 'parent public key' and 'parent chain code' to be published, generating a watch wallet. Since the parent private key cannot be obtained, the child private key cannot be generated, and thus the account cannot be operated.
Figure 2, the difference between the two derivation functions in normal derivation.
The function of 'chain code' is to ensure that two functions generate consistent 'child public keys' and support the generation of a 'key tree'.
Next, I will elaborate separately and summarize the two derivation logic approaches.
(1) Hardened derivation.
Input: parent private key (k_par), parent chain code (c_par), index (i ≥ 2^31).
Process:
Calculate I = HMAC-SHA512(c_par, k_par || index).
I_L (the first 256 bits), used to calculate the child private key.
Child private key, k_i = (k_par + I_L) mod n (n is the order of the elliptic curve).
I_R (the last 256 bits): child chain code (c_i).
Output: child private key (k_i), child chain code (c_i).
Characteristics: Requires the parent private key, cannot be derived from the parent public key, high security.
(2) Normal derivation.
Input: parent public key (K_par), parent chain code (c_par), index (i < 2^31).
Process:
Calculate I = HMAC-SHA512(c_par, K_par || index).
I_L: child private key, k_i = k_par + I_L (mod n).
I_R: child chain code (c_i).
Child public key: K_i = point(k_i) (point multiplication, secp256k1 curve).
Output: child public key (K_i), child chain code (c_i).
Characteristics: Can be derived from the parent public key, suitable for establishing a watch wallet.
(3) Key tree.
The master key is the main root, and the child keys are derived step by step through indices to form a tree structure.
Index range: 0 to 2^32-1 (0x00000000 to 0xFFFFFFFF).
Hardened index: 2^31 to 2^32-1 (0x80000000 to 0xFFFFFFFF).
Non-hardened index: 0 to 2^31-1 (0x00000000 to 0x7FFFFFFF).
