pull down to refresh

Part #1: https://stacker.news/items/539202/r/Fabs

Derivation of Master Extended Private Key:

The derivation of the master extended private key (xpriv) out of the master seed, is facilitated by the Hash-based Message Authentication Code with Secure Hash Algorithm 512-bit (HMAC-SHA-512), a specialized algorithm that converts the initial input, or master seed plus constant message, into a 64-byte, or 512-bit hash value.
The 512-bit (64-byte) hash value is subsequently split into two halves: the first 256 bits (32 bytes) depict the private key, and the remaining 256 bits (32 bytes) depict the chain code.
  • The constant value, or message, is a fixed value, or sequence of 1024-bits, included in addition to the initial input, or master seed.
(In regards to ⬆️: I'm referring to the second input besides the master seed, which is the string "Bitcoin Seed"; does it check out?)
  • The linking of the chain code with the private key turns the (normal) private key into the master extended private key, enabling the deterministic derivation of child keys.

Derivation of Master Extended Public Key:

The derivation of the master extended public key (xpub) out of the master extended private key (xpriv), is facilitated by elliptic curve multiplication, which defines an operation applied in Elliptic Curve Cryptography; a type of cryptography that relies on the algebraic structure of elliptic curves over finite fields.
  • The term "algebraic structure" refers to the mathematical properties and operations performed on the set of points that lie on the elliptic curve, "elliptic" in "elliptic curve" refers to the geometric shape of the curve when graphed on a Cartesian coordinate system, and “finite field” refers to the set of numbers over which the elliptic curve is defined.
In ECC, cryptographic keys are generated from points on the elliptic curve, which is facilitated by operations such as point addition, doubling and scalar multiplication.
(Include: explaining and diagrams of the above three operations) - personal note
(Also Include: The order n of the subgroup determines the size of the subgroup and influences the security of cryptographic operations based on the elliptic curve, such as the difficulty of solving the elliptic curve discrete logarithm problem (ECDLP).) - personal note
An elliptic curve is a mathematical curve, or in the context of Bitcoin, the secp256k1 curve, which is defined by an equation of the form y² = x³ + ax + b (mod p):
  • y² and x³ depict the coordinates of a given point on the curve, and a, b, and p define the parameters of the elliptic curve, where a and b are constants that specify the specific shape and properties of the curve, and where mod p denotes arithmetic operations performed modulo a prime number p, ensuring that all computations remain within the finite field.
  • The term “arithmetic operations” typically refers to addition, subtraction, multiplication, and division performed on elements (points), and are conducted within the constraints of the finite field.
  • Arithmetic operations that are performed modulo a prime number p, indicate that after performing an arithmetic operation (such as addition or multiplication), the result is reduced to the remainder when divided by p, ensuring that the results remain within the range of 0 to p−1, effectively "wrapping around", or starting at 0, if it exceeds p−1.
Elliptic curves have a predetermined generator point, denoted as G; the initial element, or point on the curve, out of which every other point can be derived by adding G to itself.
  • The generator point is added to itself by the order (a prime number) of G, denoted as n, creating a subgroup, denoted as ⟨G⟩, that contains the total number of reachable points on the curve by repeatedly adding G to itself.
The derivation of the master extended public key (xpub), or K, out of the master extended private key (xpriv), or k, is facilitated by elliptic curve multiplication, indicating the operation of repeatedly adding the generator point, or G, to itself, whereby the number of additions is determined by a scalar value, denoted as k.
  • The scalar used in the derivation of the master extended public key consists of the master extended private key.
In order to derive public key K, generator point G is added to itself k times, or K = k × G, where K is the resulting point, or public key, k is the scalar, or private key, and G is the generator point.
  • Each addition of G to itself represents one "step" in the multiplication process, and after k steps, one arrives at the resulting point K, the public key corresponding to the master extended private key, or k.
Once the public key is known, it’s combined with the chain code derived from the extended private key, a checksum is computed and appended, and the package is encoded into Base 58, rendering the master extended public key human-readable and suitable for use in HD wallets.

The End.

I'd like to hear if the above is already going into the right direction, along with what points may need to be improved, corrected or expanded upon!
  • It's an early work-in-progress, as the "personal notes may already have signaled, and the structure as well as explanations of some parts may- or will be improved upon on a later stage.
Greg Walker from Learnmeabitcoin.com already gave it a look, and stated that it is both chronologically and factually correct in it's current form, but the more input, the better. 🤠
  • It's important that I get this correct, as I'll build the rest off of the above.
I'll @dd ya since you guys replied to the initial post, feel free to comment. 😶‍🌫️🌞
reply
reply
🤨
reply
Another great post packed with valuable information, not for Bitcoin newbies 🤪 Thanks for sharing!
reply
You know, I'm starting to develop a soft spot for you---and the number of free spots in my feeble heart are close to none. 🥲
reply
@Fabs, great post! I think it's a complicated topic, but you've explained it quite well.
This actually explains why, even though it's almost impossible today, there's still the theoretical possibility of deriving the private key from a public key.
The theory behind this is, in very simplified terms, similar to doing 3 * 5 = 15. In this example, your private key would be 35 and your public key would be 15. There's a possibility of knowing your private key (35) with your public key (15), but there are many possibilities.
When you apply this to elliptic curve cryptography, the possibilities are so vast that it becomes practically impossible to determine the private key from the public key!
Thanks for the post! Accept my sats! 😜
reply
Thanks! It's quite a difficult topic indeed, but also Bitcoin's bedrock.
I don't quite follow your example, though, could you expand on it?
reply
Interesting reading. Well, it's difficult to follow because the natural language is often very inaccurate and it is not always clear what you refer to. But, it looks like a transcript of your mind. And in this sense, good job...
If you don't mind, here are few exercises that might help you in your way:
  • if you know someone's master chain code, is it sufficient to compute any related addresses or private keys?
  • given an xpub and an indexed utxo set, how reasonable is to find all related funds (compute total balance)?
  • which of the following derivation paths do not make sense? xpub/1/0/2, xpub/1/2h/0, xpriv/1h/2h/3, xpriv/4/1/0h, xpub/0h/1h, xpriv/1/2/3
  • what inputs (components) do you need to compute a subkey for a given hardened derivation path (e.g. /0h/2h/1h/0h)?
  • if I give you (any) 2 private keys and a chain code, under what circumstances can you tell me whether are those two private keys related?
  • if I give you my xpub and a related private key (for a public key at derivation path xpub/1/0/2), which funds could you steal from me?
  • if I give you my xpub and a related private key at derivation path xpriv/1h/0/1, where xpriv is unknown to you, what can you steal and/or discover? (xpub is counterpart of the unknown xpriv)
  • is it safe (or how much safe is) to give your xpub to anybody?
reply
"But, it looks like a transcript of your mind. And in this sense, good job..." Spot on!
Man... You're clearly way way ahead of me... I can't answer any of those except maybe:
"if I give you my xpub and a related private key (for a public key at derivation path xpub/1/0/2), which funds could you steal from me?"
I think a malicious actor can acquire the xpriv by working backwards from the xpub + a related private key, potentially stealing all the funds.
"if I give you my xpub and a related private key at derivation path xpriv/1h/0/1, where xpriv is unknown to you, what can you steal and/or discover? (xpub is counterpart of the unknown xpriv)"
Only the "local" funds of that respective key pair?
"is it safe (or how much safe is) to give your xpub to anybody?"
Generally, yes, as long as there are no related private keys leaked.
I'm absolutely at the beginning of this topic, but man!
Could I sway you to help me improve on this part? You seem like a treasure trove. 🤠🔥
reply
Man... You're clearly way way ahead of me... I can't answer any of those except maybe:
Yes, you can. At least according to your answers below...
"if I give you my xpub and a related private key (for a public key at derivation path xpub/1/0/2), which funds could you steal from me?"
I think a malicious actor can acquire the xpriv by working backwards from the xpub + a related private key, potentially stealing all the funds.
Explain why or show how to do it 😉.
"if I give you my xpub and a related private key at derivation path xpriv/1h/0/1, where xpriv is unknown to you, what can you steal and/or discover? (xpub is counterpart of the unknown xpriv)"
Only the "local" funds of that respective key pair?
👍
"is it safe (or how much safe is) to give your xpub to anybody?"
Generally, yes,
Well, depends, publishing xpub generally breaks privacy.
as long as there are no related private keys leaked.
...and assuming that no related private key would leak in the future.
I'm absolutely at the beginning of this topic, but man! Could I sway you to help me improve on this part? You seem like a treasure trove. 🤠🔥
I believe that these exercises cover the most important parts of bip39 well. If you can answer them with confidence, you understood it enough. If you have a question, just ask...
reply
Hm, alrighty! Besides: how did you manage to quote like that?
reply
Hm, alrighty! Besides: how did you manage to quote like that?
This way?
Select text and click reply. It uses '>' character like in emails.
reply
Select text and click reply. It uses '>' character like in emails.
Ahh! Awesome! I don't have the "reply" button, but the little arrow does the trick, awesome!
reply
0 sats \ 1 reply \ @Lumor 17 May
You could go into child key derivation and how the public key of hardened child keys cannot be derived using an xpub. But I guess you are getting there.
How are G, p and n chosen/discovered? I assume p was the largest prime number that fit into 256 bits? My impression is that the G point might have been chosen based on it producing a high enough n before repeating the sequence when adding to itself mod p.
reply
"You could go into child key derivation and how the public key of hardened child keys cannot be derived using an xpub. But I guess you are getting there."
Already covered, yet not included as it was still a bit wordy, I'll include it another time.
"My impression is that the G point might have been chosen based on it producing a high enough n before repeating the sequence when adding to itself mod p."
Yes. As for p and n, and don't know exactly, only that that's their denotation.
reply
For bitcoin beginners with degrees in mathematics or related fields
Where possible, it would be nice to get some motivation. Why this procedure, instead of something else? What exactly is this accomplishing?
It's tough sledding for most of us to read and understand a dense block of technical details, even if we have the requisite knowledge to do so.
Another very impressive post!
reply
"Where possible, it would be nice to get some motivation. Why this procedure, instead of something else? What exactly is this accomplishing?"
Man, I don't even know that myself (yet). I'm simply trying to accrue the necessary"facts" in the right order, and form it into a sort of "canvas" to work off of, to try and have it make sense to me. 🥲
I know it's tough, and it's not even close to how broadly it could be written...
It makes you wonder how a supposedly single coder could think about all these intricacies, and have them not only make [functional] sense, but have it also weather every storm...
Mind. Blown.
I'm pushing close to a hundred hours on the first part and second draft alone... I'm happy to call it a day on those when it's done.
reply
It makes you wonder how a supposedly single coder could think about all these intricacies
Are you thinking about Pieter Wuille or Greg Maxwell here? Cause it's probably not Satoshi. https://en.bitcoin.it/wiki/BIP_0032
reply
Well, that, but elliptic curves are also used in transaction signing et cetera.
reply
What did the single coder do? I think a mathematician must have invented the use of elliptic curves for cryptographic signing way back.
reply
You're making me uncomfortable, Lumor.
reply
Sorry about that.
I guess my drive is to have technically minded people to not ascribe too much genius to others that came before them. It can be demoralizing, at least to myself to put them on too high pedestals. Everyone should contribute their part.
reply
And I'm with you on that! I wonder what you're up to; anything in the making? 😶‍🌫️🌝
I also think it's fine to have these two summaries be highly technical, since you're planning on building off of them. Some of the context and "Why should I care?" will come later.
reply
Yeah... At least that's what I hope 🤣
reply