HMAC "Bitcoin Seed" for BIP32

2

1

Pybitcointools uses the following code for calculating a master private key (BIP32) from a seed:

def bip32_master_key(seed, vbytes=MAINNET_PRIVATE):
    I = hmac.new(from_string_to_bytes("Bitcoin seed"), seed, hashlib.sha512).digest()
    return bip32_serialize((vbytes, 0, b'\x00'*4, 0, I[32:], I[:32]+b'\x01'))

Why - specifically - is the byte string Bitcoin seed used in the HMAC algorithm? When one considers that the byte strings Mnemonic and Electrum are used in HMAC derivations (in BIP39/quasi BIP39, respectively), the labels seem overly non-specific. I'm wondering why the byte string doesn't clarify or specify a version, e.g. BIP32 V0.1 seed.

None of this is criticism, to be clear! I'm trying to elucidate how these decisions were chosen and implemented, which is often very difficult without being intimately knowledgeable in RFCs, GitHub, etc.

Perhaps this could be explained in context of how HMAC works also?

Wizard Of Ozzie

Posted 2015-04-15T00:42:29.710

Reputation: 4 535

Answers

3

It is specified in BIP32 (https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki). The SHA512-HMAC function is reused because it is already part of the standard elsewhere, but it takes a key in addition to the data being hashed. As the key can be arbitrary, we opted to use "Bitcoin seed" to make sure the key derivation was Bitcoin-specific.

Pieter Wuille

Posted 2015-04-15T00:42:29.710

Reputation: 54 032

I've clarified the question. - Wizard Of Ozzie 2015-04-16T13:54:32.587
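An added example, not part of the thread or of Pybitcointools: the BIP32 master-key step using only Python's standard library, run on the seed from BIP32 test vector 1, showing that the HMAC key acts as a public domain-separation label. The name `master_from_seed` is an assumption of this example, and the alternate label is the one proposed in the question.

```python
import hashlib
import hmac

# Order of the secp256k1 group; BIP32 rejects a master key of 0 or >= N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def master_from_seed(seed: bytes, label: bytes = b"Bitcoin seed"):
    """Return (private_key, chain_code) for a BIP32 master node.

    `label` is the HMAC key. It is a fixed public constant, so it adds no
    secrecy; it only separates this derivation from other uses of the seed.
    """
    if not 16 <= len(seed) <= 64:
        raise ValueError("BIP32 seeds are 128 to 512 bits")
    I = hmac.new(label, seed, hashlib.sha512).digest()
    # Left half is the private key, right half is the chain code.
    key, chain_code = I[:32], I[32:]
    k = int.from_bytes(key, "big")
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("invalid master key, use a different seed")
    return key, chain_code


# Seed from BIP32 test vector 1.
TEST_SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

if __name__ == "__main__":
    key, cc = master_from_seed(TEST_SEED)
    print("master key :", key.hex())
    print("chain code :", cc.hex())
    # Same seed under the label proposed in the question: an unrelated key.
    alt_key, _ = master_from_seed(TEST_SEED, b"BIP32 V0.1 seed")
    print("alt label  :", alt_key.hex())
```

All of the secrecy comes from the seed: anyone can recompute the output for a known seed under any label.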