Hierarchical Deterministic Wallet (HD Wallet)

An HD wallet is derived from a single seed phrase (typically 12 or 24 words), also known as a mnemonic phrase or recovery phrase. This master seed is the root of all keys and addresses. The entire wallet can be backed up and restored using this one secret, eliminating the need to manage individual private keys.

• Example: A 12-word phrase like abandon ability able about ... generates all future keys.
• Security: The seed is generated from a high-entropy source and is protected by a BIP-39 standard.

HD wallets use a deterministic algorithm to generate an unlimited sequence of private keys and addresses from the master seed. This process is repeatable: the same seed will always produce the same sequence of keys. The core standard is BIP-32 (Bitcoin Improvement Proposal 32), which defines the hierarchical tree structure and the cryptographic functions for deriving child keys.

• Key Derivation: Uses a one-way hash function (HMAC-SHA512) to create child keys.
• Predictability: Enables advanced features like watch-only wallets that can generate all public addresses without the private keys.

Keys are organized in a tree structure, similar to folders in a file system. Each branch is identified by a derivation path, a standardized notation like m/44'/0'/0'/0/0. This path specifies the exact location of a key in the hierarchy.

• Purpose: Allows logical separation of keys for different accounts, coins, or purposes (e.g., m/44'/0' for Bitcoin, m/44'/60' for Ethereum).
• Hardened vs. Non-Hardened: Hardened derivation (') prevents a compromised parent key from exposing its children, enhancing security for master keys.

HD wallets improve privacy by generating a new public address for every transaction (a practice called address rotation), making it harder to link transactions to a single entity. The hierarchical structure also allows users to organize funds into separate accounts (e.g., Account 0, Account 1) for personal, business, or experimental use, all managed under one seed.

• Privacy Benefit: Mitigates address reuse, a common privacy vulnerability.
• Enterprise Use: A company can use different branches for different departments while maintaining a single backup.

Because the derivation standards (BIP-32, BIP-44, BIP-84) are widely adopted, an HD wallet's seed can be imported into any compatible software or hardware wallet from a different vendor. Furthermore, a single seed can govern keys for multiple cryptocurrencies by using different coin types in the derivation path (defined in BIP-44).

• Interoperability: Restore a Trezor seed in a Ledger or MetaMask.
• Multi-Coin: One seed manages Bitcoin (m/44'/0'), Ethereum (m/44'/60'), and Litecoin (m/44'/2').

A core component of BIP-32 is the extended key, which is a key (private or public) plus an extra 256 bits of chain code. An extended public key (xpub) can generate all descendant public keys without exposing the private keys. This enables the creation of watch-only wallets for accounting and auditing.

• xpub: Used by hardware wallets to provide a secure view of balances to a connected software wallet.
• Security Boundary: The private keys (and extended private key, xpriv) never leave the secure device.

BIP-32 (Bitcoin Improvement Proposal 32) defines the mathematical framework for HD wallets. It introduces the concept of deriving a hierarchy of private keys and public keys from a single master seed. Key features include:

• Deterministic Generation: All keys are derived predictably from the seed.
• Hierarchical Structure: Keys are organized in a tree, allowing for logical separation (e.g., by account, chain).
• Child Key Derivation (CKD): Uses a parent key and an index to generate child keys.
• Hardened Derivation: A more secure derivation path that prevents compromise of child keys from exposing the parent.

BIP-39 standardizes the creation of a human-readable mnemonic seed phrase (typically 12 or 24 words) from which the HD wallet's master seed is generated. This process involves:

• Generating entropy and converting it to a word list from a predefined dictionary.
• Adding a checksum for error detection.
• Using a key derivation function (PBKDF2) with the mnemonic and an optional passphrase to create the final binary seed. This standard is why users back up their wallet with a sequence of common words, enabling recovery across different wallet software.

BIP-44 establishes a logical hierarchy for organizing derived keys, defined by a derivation path format: m/purpose'/coin_type'/account'/change/address_index. This standard enables:

• Multi-Coin Support: The coin_type level allows a single seed to manage keys for Bitcoin (0), Ethereum (60), and other cryptocurrencies.
• Account Separation: The account level lets users create distinct accounts for different purposes (e.g., savings, trading).
• Internal/External Chains: The change level (0 for receiving addresses, 1 for change addresses) improves privacy and organization. It is the most widely adopted structure for HD wallets today.

HD wallets use extended keys to navigate the derivation tree without exposing the master seed. These are serialized keys with extra chain code and metadata.

• Extended Private Key (xpriv): Can derive all child private and public keys in its branch.
• Extended Public Key (xpub): Can derive all child public keys in its branch, but not private keys. This enables creating secure watch-only wallets for monitoring balances. For example, a business can share an xpub with an accountant to track incoming payments without granting spending authority. The serialization format is defined in BIP-32.

HD wallets are the foundation of modern non-custodial wallets (e.g., MetaMask, Ledger Live, Trust Wallet). Their primary user benefits are:

• Single Backup: The mnemonic phrase is the only backup needed for all derived keys and accounts.
• Cross-Platform Recovery: The same phrase can restore an entire wallet on different software/hardware that supports BIP-39/44.
• Privacy Enhancement: Generating a new address for each transaction (from the HD tree) improves privacy by reducing address reuse.
• Scalable Key Management: Applications can programmatically generate new addresses without requiring new backups.

BIP-85 extends the HD wallet concept to generate deterministic entropy. It allows a single master seed to derive the seeds for other applications, such as:

• Generating mnemonics for separate wallets.
• Creating deterministic passwords or PINs.
• Deriving encryption keys. The process uses the same BIP-32 derivation but outputs a random number instead of a key. This enables complete digital identity management from one root seed, though it creates a single point of failure—compromise of the root seed exposes all derived secrets.

The master seed (or mnemonic phrase) is the single point of failure. If compromised, an attacker can derive all current and future private keys in the wallet hierarchy. This makes secure generation and storage paramount.

• Generation: Must use a cryptographically secure random number generator (CSPRNG).
• Storage: Should be kept offline, never in digital form (photos, cloud storage, text files).
• Exposure: A single exposure compromises the entire wallet's past, present, and future addresses.

Using standardized BIP-44 derivation paths (e.g., m/44'/0'/0') improves interoperability but creates a privacy fingerprint. Blockchain analysts can often identify wallet software and link all derived addresses together.

• Privacy Risk: All addresses from a known path are linkable to the same seed.
• Non-Standard Paths: Using custom paths can increase privacy but may break compatibility with some wallet software and services.

HD wallets use two derivation functions with different security properties:

• Hardened Derivation: Uses the parent private key to derive child keys. A compromised child key cannot compromise the parent or siblings. Essential for accounts holding high value (m/44'/0'/0').
• Normal Derivation: Uses the parent public key. Allows generation of public child keys without the private key, useful for watch-only wallets. However, if a child private key and the parent public key are compromised, the parent private key can be calculated.

The 12 or 24-word mnemonic is the ultimate backup. Proper procedure is critical:

• Initial Backup: Must be done immediately upon wallet creation.
• Verification: The seed should be tested by restoring to a new, empty wallet to verify accuracy before funding.
• Single Point: Unlike backing up individual keys, one seed backup covers all derived addresses, simplifying the process but concentrating risk.
• Versioning: Adding a passphrase (BIP-39) creates a hidden wallet; the seed alone is insufficient for recovery.

For high-value storage, the derivation process itself can be isolated.

• Air-Gapped Signers: Devices like hardware wallets perform all key derivation and signing offline. The seed never touches an internet-connected device.
• Watching-Only Wallets: Public keys can be exported to an online device to monitor balances and create unsigned transactions, which are then transferred to the air-gapped signer for signing.
• Mitigation: This architecture mitigates risks from malware, phishing, and keyloggers on the online machine.

Security depends on correct implementation of BIP-32, BIP-39, and BIP-44 standards. Flaws can be catastrophic.

• Entropy Source: Weak randomness during seed generation (e.g., flawed CSPRNG) creates predictable seeds.
• Library Bugs: Errors in cryptographic libraries for elliptic curve operations or HMAC-SHA512 can lead to key leakage.
• Side-Channel Attacks: Physical attacks on hardware wallets (power analysis, timing attacks) targeting the derivation algorithm.
• Supply Chain: Compromised hardware or software at the point of distribution.