Deterministic wallet: Difference between revisions

From Bitcoin Wiki
Jump to navigation Jump to search
Ianpurton (talk | contribs)
No edit summary
Pancyrus (talk | contribs)
mNo edit summary
 
(19 intermediate revisions by 11 users not shown)
Line 1: Line 1:
A deterministic wallet is a wallet where private and public keys are all derived from a starting seed value. This could be a long passcode/password, or be a random series of letters and numbers.  
A deterministic wallet is a system of deriving keys from a single starting point known as a seed. The seed allows a user to easily back up and restore a wallet without needing any other information and can in some cases allow the creation of public addresses without the knowledge of the private key. Seeds are typically serialized into human-readable words in a [[seed phrase]]. The [[BIP 0032]] standard for hierarchical deterministic wallets is used by all good wallets as of 2019.


== Benefits ==
== Benefits ==


A typical wallet creates private and public keys on demand for the user. This means that the wallet needs to be backed up frequently, otherwise coins may be lost. Also, having multiple machines with wallets on them means it is difficult to manage all of your coins together.
Early clients such as the [[Satoshi client]] generate a buffer of fresh random private keys to be used as receiving and [[change|change addresses]] in the future. This has the effect of invalidating backups after a short period when the keypool buffer (typically 100 addresses) is exhausted. Deterministic wallets can generate an unlimited number of addresses on the fly and as such don't suffer from this issue. As the addresses are generated in a known fashion rather than randomly some clients can be used on multiple devices without the risk of losing funds. Users can conveniently create a single backup of the seed in a human readable format that will last the life of the wallet, without the worry of this backup becoming stale.  


A deterministic wallet can be backed up by simply copying the starting seed value to a secure location, and this only needs to be done once. If the wallet ever gets lost, all private and public keys can be regenerated from the initial seed.
=== Master public key ===


Also, multiple devices could host the same wallet based off of the same seed and automatically stay in sync with eachother. Non-critical information such as address books would need to be stored and copied between wallets.
Certain types of deterministic wallet (BIP0032, Armory, [[Coinkite]] and [https://coinb.in/#newHDaddress Coinb.in] ) additionally allow for the complete separation of private and public key creation for greater security and convenience. In this model a server can be set up to only know the Master Public Key (MPK) of a particular deterministic wallet. This allows the server to create as many public keys as is necessary for receiving funds, but a compromise of the MPK will not allow an attacker to spend from the wallet. They can alternatively be used in [[Electrum]] and [[Armory]] to enable completely offline storage and spending, where an offline computer knows the private key and an online one knows only the MPK. Transactions spending coins are ferried between the two computers via USB storage which avoids exposing the offline computer to a network-based attack.


==Drawbacks==
Deterministic wallets implemented by hardware wallets ([[TREZOR]]) keep the generated private keys offline and do not expose them to the computer even when spending coins.


If the initial seed value was either guessed or taken, the attacker could take all of the coins from the wallet. Also, they could retain that seed value, and wait until some future date to take all of the coins.
==Types==


==Passwords vs Random Strings==
===Type 1: Deterministic wallet===
A type 1 deterministic wallet is a simple method of generating addresses from a known starting string, as such it does not allow advanced features such as a Master Public Key. To generate a private key take SHA256(string + ''n''), where ''n'' is an ASCII-coded number that starts from 1 and increments as additional keys are needed.


The passcode/password has the benefit of being memorizable by the user, but at the expense of being either forgotten, or weak enough that the password could be guessed or brute forced. If a user used a password such as abc123, and an attacker might simply go through a list of common passwords, create wallets for them, and see if the public addresses match anything currently in the blockchain.
This  type of wallet can be created by Casascius Bitcoin Address Utility.


A long string of letters and numbers would be a way to prevent a brute force attack. This has the drawback of having to be actually stored somewhere. If this code was ever lost, the wallet would be lost forever.
===Type 2: Hierarchical deterministic wallet===
This wallet type is described in [[BIP 0032]] and is fully implemented in [[TREZOR]], [[Electrum]] and [[CarbonWallet]]. The seed is a random 128-bit value presented to the user as a 12-word seed phrase using common English words. The seed is used after 100,000 rounds of SHA256 to slow down attacks against weak user-chosen strings.<ref>https://bitcointalk.org/index.php?topic=330672.msg3547258#msg3547258</ref>


==Types of deterministic wallet in use==
The initial description and workings of this wallet type is credited to Gregory Maxwell.<ref>https://bitcointalk.org/index.php?topic=19137.msg239768#msg239768</ref>
Each implementer of deterministic wallets should make sure that this article leads to a publicly available reference describing how to reconstitute the deterministic wallet from its seed.


===Type 1 deterministic wallet===
===Armory deterministic wallet===
A Type 1 deterministic wallet is created from a stringSimply take SHA256(string + n), where n is an ASCII-coded number that starts from 1 and increments as additional keys are needed. This simple type of wallet can be created by Casascius Bitcoin Address Utility.
[[Armory]] has its own Type-2 deterministic wallet format based on a "root key" and a "chain code". Earlier versions of Armory required backing up both the "root key" and "chaincode", while newer versions start deriving the chaincode from the private key in a non-reversible wayThese newer Armory wallets (0.89+) only require the single, 256-bit root key. This older format is intended to be phased out in favour of the standard BIP0032 format.<ref>https://bitcointalk.org/index.php?topic=351099.msg3770818#msg3770818</ref>


===Type 2 deterministic wallet===
== References ==
Not sure on the details, but mention was made of a "type-2 deterministic wallet" in [[BIP 0032]] and credited to Gregory Maxwell, so this is a placeholder to describe that implementation. The relevant form topic is [https://bitcointalk.org/index.php?topic=19137.0 here].
<references />


===BIP 0032 deterministic wallet===
== See also ==
Described in [[BIP 0032]] (currently a draft) and described as a ''hierarchical deterministic'' (HD) wallet, a BIP 0032 deterministic wallet allows sharing smaller deterministic wallets that are subportions of a larger one.


===Electrum deterministic wallet===
* [[Seed phrase]]
[[Electrum]] implements a Type-2 deterministic wallet format based on a 128-bit seed.  It uses a word list and converts the seed to a series of words as an aid to help the user record the seed.
* [[BIP 0032]]
* [[Deterministic wallet tools]]


===CarbonWallet deterministic wallet===
[[Category:Technical]]
[[CarbonWallet]] also implements a Type-2 deterministic wallet format based on a 128-bit seed.  It uses the same word list as Electrum and is therefore compatible with Electrum passphrases.
[[Category:Wallets| ]]
 
===Armory deterministic wallet===
[[Armory]] has its own Type-2 deterministic wallet format based on a "root key" and a "chain code."  The Armory client has a "Paper Backup" screen that allows the user to print these data or copy it down by hand.  Earlier versions of Armory required backing up both the "root key" and "chaincode," while newer versions start deriving the chaincode from the private key in a non-reversible way.  These newer Armory wallets (0.89+) only require the single, 256-bit root key.

Latest revision as of 17:04, 27 July 2023

A deterministic wallet is a system of deriving keys from a single starting point known as a seed. The seed allows a user to easily back up and restore a wallet without needing any other information and can in some cases allow the creation of public addresses without the knowledge of the private key. Seeds are typically serialized into human-readable words in a seed phrase. The BIP 0032 standard for hierarchical deterministic wallets is used by all good wallets as of 2019.

Benefits

Early clients such as the Satoshi client generate a buffer of fresh random private keys to be used as receiving and change addresses in the future. This has the effect of invalidating backups after a short period when the keypool buffer (typically 100 addresses) is exhausted. Deterministic wallets can generate an unlimited number of addresses on the fly and as such don't suffer from this issue. As the addresses are generated in a known fashion rather than randomly some clients can be used on multiple devices without the risk of losing funds. Users can conveniently create a single backup of the seed in a human readable format that will last the life of the wallet, without the worry of this backup becoming stale.

Master public key

Certain types of deterministic wallet (BIP0032, Armory, Coinkite and Coinb.in ) additionally allow for the complete separation of private and public key creation for greater security and convenience. In this model a server can be set up to only know the Master Public Key (MPK) of a particular deterministic wallet. This allows the server to create as many public keys as is necessary for receiving funds, but a compromise of the MPK will not allow an attacker to spend from the wallet. They can alternatively be used in Electrum and Armory to enable completely offline storage and spending, where an offline computer knows the private key and an online one knows only the MPK. Transactions spending coins are ferried between the two computers via USB storage which avoids exposing the offline computer to a network-based attack.

Deterministic wallets implemented by hardware wallets (TREZOR) keep the generated private keys offline and do not expose them to the computer even when spending coins.

Types

Type 1: Deterministic wallet

A type 1 deterministic wallet is a simple method of generating addresses from a known starting string, as such it does not allow advanced features such as a Master Public Key. To generate a private key take SHA256(string + n), where n is an ASCII-coded number that starts from 1 and increments as additional keys are needed.

This type of wallet can be created by Casascius Bitcoin Address Utility.

Type 2: Hierarchical deterministic wallet

This wallet type is described in BIP 0032 and is fully implemented in TREZOR, Electrum and CarbonWallet. The seed is a random 128-bit value presented to the user as a 12-word seed phrase using common English words. The seed is used after 100,000 rounds of SHA256 to slow down attacks against weak user-chosen strings.[1]

The initial description and workings of this wallet type is credited to Gregory Maxwell.[2]

Armory deterministic wallet

Armory has its own Type-2 deterministic wallet format based on a "root key" and a "chain code". Earlier versions of Armory required backing up both the "root key" and "chaincode", while newer versions start deriving the chaincode from the private key in a non-reversible way. These newer Armory wallets (0.89+) only require the single, 256-bit root key. This older format is intended to be phased out in favour of the standard BIP0032 format.[3]

References

See also