What methods are used by wallets to generate keys?

Bitcoin wallets contain a collection of key pairs, each consisting of a private key and a public key. Bitcoins are stored on the public blockchain, in the form of unspent transaction outputs. In order for a user to spend his coins, or in other words unlock his unspent transaction outputs, the user will need to sign a transaction with his private key. By signing a transaction the user delivers proof he owns the bitcoins (i.e. the unspent transaction outputs).

Recently, I have been pondering the question, “what methods are used by wallets to generate keys?” I did a little research and here is what I found. There are 2 major types of wallets, each using a different method to generate key pairs: (1) non deterministic wallets and (2) deterministic wallets. The most popular implementation of a deterministic wallet is the type-2 hierarchical deterministic wallet, otherwise known as HD wallet.

Just what is the difference between these 2 different types of wallets and their method of key generation? Are there any downsides or advantages to any of these particular methods of key generation? Let’s examine these and a few more questions below.

The 2 methods of key pair generation

Wallets contain a collection of key pairs. Each pair of keys consists of a private key and – derived from it – a public key. The public key is used to receive bitcoins, and the private key is used to spend bitcoins by signing transactions.

A private key is a randomly generated binary number of 256 bits (a ‘bit’ is either 0 or 1). The public key is calculated from the private key by applying elliptic curve multiplication.

Non deterministic wallets

The first type of wallets are type-0 non deterministic wallets, also known as JBOK wallets (JBOK stands for “Just a Bunch of Keys”).

This type of wallet randomly generates a collection of private keys, without there being any mathematical relationship between the randomly generated private keys.

Illustration of a non deterministic wallet containing a collection of randomly generated keys (‘k’).

Non deterministic wallets are impractical to work with. Each randomly generated private key needs to be backed up, or you risk losing access to the coins it controls when you lose access to your wallet. This quickly becomes cumbersome when generating multiple private keys. Considering it is generally good practice to use a new bitcoin address for each transaction, each transaction will require a new pair of keys from which a new address can be derived. You will need to keep a copy of each private key and create a new backup each time a new private key is generated. In addition, if you decide to import or export a non-deterministic wallet, the entire collection of keys of the wallet will need to be imported or exported (as opposed to only a single “seed” from which the entire wallet can be recreated, see infra section ‘Deterministic wallets’).

An example of a non deterministic wallet is the wallet used by the Bitcoin Core client. However, for the reasons set out above it is no longer recommended to use a non deterministic wallet, considering that better alternatives are available.

Deterministic wallets

The second type of wallets are deterministic wallets, also known as “seeded” wallets.

Deterministic wallets are wallets that generate key pairs beginning from a single starting point: a common seed. A “seed” is a randomly generated number that is combined with additional data (e.g. a chain code, see infra section ‘Hierarchical deterministic wallets’). Each new private key is derived from a previous private key, using a one-way hash function. This effectively means that you can recreate an entire sequence of key pairs on the basis of a single seed. There are a variety of implementations of this type of wallet, such as (a) sequential deterministic wallets and (b) hierarchical deterministic wallets.

Illustration of a type-1 sequential deterministic wallet.

Using deterministic wallets has two major advantages over the use of non deterministic wallets:

  1. You only need to make a single back-up of the seed.
  2. Importing or exporting a wallet becomes easy.

Considering that all key pairs within a deterministic wallet are derived from a single seed, the entire wallet can be recreated on the basis of that seed. This means that a single backup of the seed at the time of creation of the wallet is sufficient (as opposed to individual backups of each private key contained in the wallet).

Transferring data between deterministic wallets (e.g. importing or exporting a wallet) becomes easy. Only the seed needs to be transferred to the new wallet, in order to be able to recreate the entire sequence of key pairs of the transferred deterministic wallet.

Hierarchical deterministic wallets

The most popular implementation of deterministic wallets is what is known as the type-2 hierarchical deterministic wallets (short: HD wallets).

HD wallets are deterministic wallets in which the key pairs are derived in a tree structure, instead of in a linear fashion.

Illustration of an HD wallet.

The wallet is created from a single seed (i.e. a 128, 256 or 512-bit random number). First a parent key pair is generated on the basis of the seed. Child key pairs are subsequently derived from the parent key pair, using a one-way hash function known as the child key derivation (CKD) function.

More in particular, the CKD function is applied to the combination of 3 elements: (1) the parent private or public key, (2) the parent chain code (i.e. 256 bits, used as entropy in the CKD function) and (3) an index number (32 bits). By altering the index number, you are able to create additional child key pairs on the basis of one parent key pair.

The resulting hash is then split into 2 different pieces:

  1. the right half of the hash output (256 bits) becomes the chain code for the child key pair; and
  2. the left half of the hash output (256 bits) and the index number are added to the parent private key to produce the child private key.

Illustration of child key derivation by applying the one-way HMAC-SHA512 function (otherwise known as the CKD function).

This process can then be repeated on the level of the child key pairs. Each child key pair can in turn become a parent key pair from which its own children key pairs can be generated. This process can be repeated ad infinitum. There is no limit in the number of generations of key pairs that can be produced using this method.

The HD wallet structure is for example fully implemented in, amongst others, the popular Trezor wallet and the Electrum wallet.

Advantages of using HD wallets

There are two main advantages of using HD wallets:

  1. The tree structure of the wallet provides additional organizational possibilities for the user.
  2. In HD wallets a branch of public child keys can be created, without the user needing access to any of the corresponding parent private keys. This feature limits the exposure of private keys and is often used by wallet implementations to enhance security.

1. Tree structure for organizational purposes

The tree structure provides the possibility for the user to assign a certain organizational purpose to one or more particular branches of the tree structure. One can imagine a particular branch of an HD wallet being used for the sole purpose of receiving incoming payments in a business or being dedicated to a particular branch within a business.

2. Creating a branch of public child keys, without the user needing access to any of the corresponding parent private keys.

There are two methods to derive a child public key from a parent key pair:

  1. Indirect method: Calculating the child private key first, by applying the CKD function on the extended private key (‘xprv’, xprv = parent private key + parent chain code). Once the child private key has been calculated you can then derive the child public key from the child private key (by elliptic curve multiplication, as explained above); or
  2. Direct method: Deriving the child public key directly, by applying the CKD function on the extended public key (‘xpub’, whereby xpub = parent public key + parent chain code). This method does not involve the parent private key.

Illustration of calculating the child public key on the basis of the extended public key (‘xpub’).
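The CKD process described above and the two methods of deriving a child public key, worked through as an added example (not the article's code, nor the implementation of any wallet named on this page). It follows BIP32 for non-hardened children: the index number enters the HMAC-SHA512 input together with the parent key and chain code, the left half of the output is added to the parent private key (modulo the curve order), and the right half becomes the child chain code; the seed used in the check is a constructed value, and BIP32's rejection of the rare invalid outputs (left half not below the curve order, or a zero child key) is not implemented.

```python
import hashlib
import hmac

# secp256k1 constants: field prime P, group order N, generator G
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):  # affine point addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, point):  # double-and-add; ec_mul(k, G) is the public key of private key k
    result = None
    while k:
        if k & 1: result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result

def ser_p(point):  # compressed 33-byte public key encoding, used as the HMAC data prefix
    return bytes([2 + (point[1] & 1)]) + point[0].to_bytes(32, "big")

def master_from_seed(seed):  # parent (master) private key and chain code from the seed
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]

def ckd_priv(k_par, c_par, index):  # indirect method: from the extended private key (index < 2**31)
    i = hmac.new(c_par, ser_p(ec_mul(k_par, G)) + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il, ir = int.from_bytes(i[:32], "big"), i[32:]
    return (il + k_par) % N, ir   # left half shifts the key, right half is the child chain code

def ckd_pub(K_par, c_par, index):  # direct method: from the extended public key, no private key used
    i = hmac.new(c_par, ser_p(K_par) + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il, ir = int.from_bytes(i[:32], "big"), i[32:]
    return ec_add(ec_mul(il, G), K_par), ir   # IL*G + K_par == (IL + k_par)*G

def watch_only_matches(seed, index):  # does the xpub holder obtain the same child public key?
    k_m, c_m = master_from_seed(seed)
    k_child, c_priv = ckd_priv(k_m, c_m, index)
    K_child, c_pub = ckd_pub(ec_mul(k_m, G), c_m, index)
    return ec_mul(k_child, G) == K_child and c_priv == c_pub
```

Because the direct and indirect methods agree, a watch-only wallet holding just the xpub can produce every receiving address of that branch while the xprv stays on the offline device.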

Extended public (xpub) keys can only generate a branch of child public keys (as opposed to child private keys). This feature can be used to build public-key-only (“watch-only”) wallets: a wallet which can watch account balances and receive coins but cannot spend them, because the private keys are not available to it (for example, the corresponding extended private keys are kept in a separate, more secure environment).

This particular feature of HD wallets is commonly used by hardware wallets, such as the Trezor and Ledger hardware wallets. The extended private keys are kept safe on the hardware wallet device and only the extended public keys are kept on an online server. The owner of the hardware wallet can create new addresses in the online wallet interface and receive payments, without needing access to the private keys that are kept offline on the device. To spend coins the user will need to sign the transaction with his private keys on the hardware wallet device. The private keys never leave the device and are therefore never exposed to the outside world.

Conclusion

There are 2 major types of wallets, each using a different method to generate key pairs: (1) non deterministic wallets and (2) deterministic wallets.

The most popular implementation of a deterministic wallet is the type-2 hierarchical deterministic wallet, otherwise known as HD wallet.

HD wallets are commonly used by hardware wallet manufacturers, such as the Trezor and Ledger hardware wallets, because of the possibility it offers to create branches of public keys without accessing the corresponding private keys, which can therefore be kept in a secure offline environment.
