BIP32 defines a procedure for deriving EC key pairs from parent keys.
Given an elliptic-curve group:
- the extended private key is a pair $(a,c) \in \mathbb{Z}_q^2$, where
  - $a$ is the regular private key, and
  - $c$ is the chain code;
- the extended public key is the pair $(A, c) \in \mathbb{E} \times \mathbb{Z}_q$, where
  - $A = aG$ is the regular public key, and
  - $c$ is the chain code.
Each extended key has:
- $2^{31}$ neutered child keys, and
- $2^{31}$ hardened child keys.
Each of these child keys has an index:
- the neutered child keys use indices $[0, \dots, 2^{31}-1]$,
- the hardened child keys use indices $[2^{31}, \dots, 2^{32}-1]$.
To ease notation for hardened key indices, we use the representation
The definition of the bit and byte string notation used here is found under string expressions.
A hardened derivation is only permitted for
$$z_{h<(b):512>} = HM_{<(b):512>}(c_{parent<(be:o):32>} || \text{0x00}_{<(o):1>} || a_{parent<(be:o):32>} || i_{child<(be:o):4>})$$
Where
- $c_{parent<(be:o):32>}$ is the $32$ octet big endian representation of the parent chain code,
- $\text{0x00}_{<(o):1>}$ is a one octet padding used to achieve the same input length as the neutered key derivation on public keys,
- $a_{parent<(be:o):32>}$ is the $32$ octet big endian representation of the parent private key, and
- $i_{child<(be:o):4>}$ is the $4$ octet big endian representation of the child index. Recall $i_{child} \ge 2^{31}$ for hardened derivation.
From the resulting bit string $z_h$:
- $n_{priv:i<(be:o):32>} = z_{hL} = z_{h<(b):512:[:255]>}$ is the child's random number derived from the parent private key. $z_{h<(b):512:[:255]>}$ selects the first $256$ bits of the string; those are reorganized into a $32$ octet string in big endian byte order and read as a $32$ byte integer.
- $a_{child:i} \equiv n_{priv:i} + a_{parent} \pmod q$: this random number is added to the parent private key to form the child's private key.
- $c_{child:i<(be:o):32>} = z_{hR} = z_{h<(b):512:[256:]>}$ is the child's chain code.
- $A_{child:i} = a_{child:i}G$ is the child's public key.
In case
- $n_{priv:i} \ge q$, or
- $a_{child:i} \equiv n_{priv:i} + a_{parent} \equiv 0 \pmod q$,

the resulting key is invalid, and one should proceed with the next value for
A neutered derivation is only permitted for
Where
- $c_{parent<(be:o):32>}$ is the $32$ octet big endian representation of the parent chain code,
- $A_{parent<(ec:o):33>}$ is the $33$ octet compressed representation of the parent public key point. This is also known as elliptic curve point encoding (ec), and
- $i_{child<(be:o):4>}$ is the $4$ octet big endian representation of the child index. Recall $i_{child} < 2^{31}$ for neutered derivation.
From the resulting bit string $z_n$:
- $n_{pub:i<(be:o):32>} = z_{nL} = z_{n<(b):512:[:255]>}$ is the child's random number derived from the parent public key. $z_{n<(b):512:[:255]>}$ selects the first $256$ bits of the string; those are reorganized into a $32$ octet string in big endian byte order and read as a $32$ byte integer.
- $A_{child:i} = n_{pub:i}G \circ A_{parent}$ is the child's public key. This is a simple point addition, as the same random number is added to the parent private key to form the child's private key.
- $c_{child:i<(be:o):32>} = z_{nR} = z_{n<(b):512:[256:]>}$ is the child's chain code.
When this computation is performed by the holder of the parent private key, the child private key can also be computed with
- $a_{child:i} \equiv n_{pub:i} + a_{parent} \pmod q$.
This procedure works because:
Recall the curve arithmetic allows
In case
- $n_{pub:i} \ge q$, or
- $A_{child:i} = O$ (the identity element),

the resulting key is invalid, and one should proceed with the next value for
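Both derivations above, hardened from the extended private key and neutered from the extended public key, as an added example that is not the page's code. It assumes, following BIP32, that $HM$ is HMAC-SHA512 keyed with the parent chain code and that the neutered input is the compressed parent public key followed by the index; the curve constants are secp256k1's.

```python
# Added example (not the page's code): BIP32 child key derivation, hardened and neutered,
# with textbook secp256k1 arithmetic; HM is HMAC-SHA512 keyed with the parent chain code.
import hmac, hashlib

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F   # field prime
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # group order q
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 1 << 31                          # first hardened index

def ec_add(p1, p2):                         # affine point addition; None is the identity O
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None          # P + (-P) = O
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2      # tangent slope (a = 0)
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P         # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):                          # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def ec_encode(pt):                          # 33-octet compressed encoding, <(ec:o):33>
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def ckd_priv(a_parent, c_parent, i):
    """(a, c) -> child (a_i, c_i). Hardened iff i >= 2^31; HMAC data is 37 octets either way."""
    if i >= HARDENED:                       # 0x00 || a_parent || i
        data = b"\x00" + a_parent.to_bytes(32, "big") + i.to_bytes(4, "big")
    else:                                   # A_parent (compressed) || i
        data = ec_encode(ec_mul(a_parent, G)) + i.to_bytes(4, "big")
    z = hmac.new(c_parent, data, hashlib.sha512).digest()
    n = int.from_bytes(z[:32], "big")       # z_L read as a 32-byte big-endian integer
    if n >= Q or (n + a_parent) % Q == 0:
        raise ValueError("invalid child key, proceed with the next index")
    return (n + a_parent) % Q, z[32:]       # z_R is the child chain code

def ckd_pub(A_parent, c_parent, i):         # (A, c) -> child (A_i, c_i); neutered only
    if i >= HARDENED:
        raise ValueError("hardened derivation requires the parent private key")
    z = hmac.new(c_parent, ec_encode(A_parent) + i.to_bytes(4, "big"), hashlib.sha512).digest()
    n = int.from_bytes(z[:32], "big")
    A_child = ec_add(ec_mul(n, G), A_parent)  # n*G + A_parent = (n + a_parent)G
    if n >= Q or A_child is None:
        raise ValueError("invalid child key, proceed with the next index")
    return A_child, z[32:]
```

Run against BIP32 test vector 1, `ckd_priv` on the master key with index `HARDENED` reproduces the published m/0H key and chain code, and `ckd_pub` on the parent public key agrees with `ckd_priv` for every neutered index.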
For security properties of BIP32 keys, visit the original proposal at BIP32.
For a more formal analysis of the security of BIP32 keys, visit: The Exact Security of BIP32 Wallets.
Proceed with Threshold signature scheme (TSS) on ECDSA.