Module 7 — Wallet Architecture

Creation of Bitcoin Wallets

Creation of the Seed and Master Key

Chapter 13 of 22

Once the mnemonic phrase and the optional passphrase have been generated, the derivation of a Bitcoin HD wallet can begin. The mnemonic phrase is first converted into a seed, which forms the basis of all the wallet's keys.

The Seed of an HD Wallet

The BIP39 standard defines the seed as a 512-bit sequence, which serves as the starting point for the derivation of all the keys of an HD wallet. The seed is derived from the mnemonic phrase and the optional passphrase using the PBKDF2 algorithm (Password-Based Key Derivation Function 2), which we already discussed in chapter 3.3. This derivation function uses the following parameters:

  • $m$ : the mnemonic phrase;
  • $p$ : an optional passphrase chosen by the user to enhance the security of the seed. If there is no passphrase, this field is left empty;
  • $\text{PBKDF2}$ : the derivation function with $\text{HMAC-SHA512}$ and $2048$ iterations;
  • $s$: the 512-bit wallet seed. Regardless of the mnemonic phrase length chosen (132 bits or 264 bits), the PBKDF2 function will always produce a 512-bit output, and the seed will therefore always be of this size.

Seed Derivation Scheme with PBKDF2

The following equation illustrates the derivation of the seed from the mnemonic phrase and the passphrase:

$$ s = \text{PBKDF2}_{\text{HMAC-SHA512}}(m, p, 2048) $$

The value of the seed is thus influenced by the value of the mnemonic phrase and the passphrase. By changing the passphrase, a different seed is obtained. However, with the same mnemonic phrase and passphrase, the same seed is always generated, since PBKDF2 is a deterministic function. This ensures that the same pairs of keys can be retrieved through our backups.

Note: In everyday usage, the term "seed" is often used, incorrectly, to refer to the mnemonic phrase. Indeed, in the absence of a passphrase, one is simply the encoding of the other. However, as we have seen, in the technical reality of wallets, the seed and the mnemonic phrase are two distinct elements.

Now that we have our seed, we can continue with the derivation of our Bitcoin wallet.

The Master Key and the Master Chain Code

Once the seed is obtained, the next step in deriving an HD wallet involves calculating the master private key and the master chain code, which will represent depth 0 of our wallet.

To obtain the master private key and the master chain code, the HMAC-SHA512 function is applied to the seed, using a fixed key "Bitcoin Seed" identical for all Bitcoin users. This constant is chosen to ensure that the key derivations are specific to Bitcoin. Here are the elements:

  • $\text{HMAC-SHA512}$: the derivation function;
  • $s$: the 512-bit wallet seed;
  • $\text{"Bitcoin Seed"}$: the common derivation constant for all Bitcoin wallets.

$$ \text{output} = \text{HMAC-SHA512}(\text{"Bitcoin Seed"}, s) $$

The output of this function is therefore 512 bits. It is then divided into 2 parts:

  • The left 256 bits form the master private key;
  • The right 256 bits form the master chain code.

Mathematically, these two values can be written as follows with $k_M$ being the master private key and $C_M$ the master chain code:

$$ k_M = \text{HMAC-SHA512}(\text{"Bitcoin Seed"}, s)_{[:256]} $$

$$ C_M = \text{HMAC-SHA512}(\text{"Bitcoin Seed"}, s)_{[256:]} $$
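
As an added example (not part of the original course material), the following Python code carries out both steps described above: the PBKDF2 derivation of the seed $s$ and the HMAC-SHA512 split into $k_M$ and $C_M$. It follows the BIP39 and BIP32 texts on details this chapter does not spell out: both strings are NFKD-normalized, the PBKDF2 salt is the string "mnemonic" followed by the passphrase, the HMAC key is written "Bitcoin seed" with a lowercase "s", and a left half equal to 0 or not below the curve order is rejected. The function names are this example's own.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group; BIP32 rejects a master key of 0 or >= N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """s = PBKDF2_HMAC-SHA512(m, p, 2048): returns the 512-bit seed."""
    # BIP39 normalizes both strings to NFKD and salts PBKDF2 with
    # "mnemonic" + passphrase, so an empty passphrase still has a salt.
    m = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, salt, 2048, dklen=64)


def master_key_and_chain_code(seed: bytes) -> tuple:
    """Split HMAC-SHA512(key, s) into (k_M, C_M), 256 bits each."""
    # BIP32 writes the HMAC key as the ASCII bytes "Bitcoin seed".
    output = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k_m, c_m = output[:32], output[32:]
    # A left half of 0 or >= N is not a valid secp256k1 private key.
    if not 0 < int.from_bytes(k_m, "big") < SECP256K1_N:
        raise ValueError("invalid master key; a different seed is required")
    return k_m, c_m


if __name__ == "__main__":
    # Sample input: the public mnemonic used in the BIP39 test vectors.
    words = "abandon " * 11 + "about"
    # Same mnemonic, two passphrases: two unrelated seeds and master keys.
    for p in ("", "TREZOR"):
        seed = bip39_seed(words, p)
        k_m, c_m = master_key_and_chain_code(seed)
        print(f"passphrase={p!r}")
        print("  seed:", seed.hex())
        print("  k_M :", k_m.hex())
        print("  C_M :", c_m.hex())
```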

Role of the Master Key and the Chain Code

The master private key is considered the parent key, from which all derived private keys — children, grandchildren, great-grandchildren, etc. — will be generated. It represents the zero level in the hierarchy of derivation.

The master chain code, on the other hand, introduces an additional source of entropy into the key derivation process for children, in order to counter certain potential attacks. Moreover, in the HD wallet, each pair of keys has a unique chain code associated with it, which is also used to derive child keys from this pair, but we will discuss this in more detail in the coming chapters.

Before continuing the derivation of the HD wallet with the next elements, I would like to introduce you, in the next chapter, to extended keys, which are often confused with the master key. We will see how they are constructed and what role they play in the Bitcoin wallet.

Bitcoin Wallet Architecture by Plan ₿ Academy. Source: Plan ₿ Academy. Licensed under CC BY-SA 4.0.