What is a deterministic wallet?

35

7

It sounds as if it's a process that enables a wallet to be rebuilt from a passphrase, or from several fragments scattered about. Could someone provide a detailed technical explanation?

Gary Rowe

Posted 2011-09-07T21:19:10.987

Reputation: 7 175

Answers

15

You've hit the nail on the head. A deterministic wallet is any system which uses a passphrase or other snippet of data to build a keypair in a repeatable manner. So long as you remember the passphrase, the keypair can be re-generated from it, so storage is no longer a security concern. There are several methods for generating deterministic wallets, but my favorite is Casascius' Bitcoin-Address generator (C#, Windows, binaries here).

David Perry

Posted 2011-09-07T21:19:10.987

Reputation: 13 848

15

Normally, when you send money you also generate a new private/public key for the "change" to return. Therefore, every time you send money your wallet.dat grows a little bit.

The basic idea of the deterministic wallet: instead of a database with lots of private/public keys, you start with a single private key, from which all future keys can be calculated.

This has many advantages. It is trivial to back up and is transferable; it could be used from multiple computers.

AFAIK, webcoin.ch uses this concept. The current "official" client does not.

Andreas Petersson

Posted 2011-09-07T21:19:10.987

Reputation: 337

1

It does not generate them in chunks of 100. It maintains a pool of 100 keys, and every time one is used, a new one is added. This will change though with encrypted wallets in 0.4.0, as keys cannot be generated safely when the wallet is locked.

Pieter Wuille 2011-09-15T12:57:43.920

2

Caveat: the wallet doesn't generate an address every time, it generates them in chunks of 100 and reuses them. So, backing up a wallet once every ~50 transactions should be safe.

ripper234 2011-09-08T05:56:31.997

2

Exactly, but the pre-generation of keys is not exactly the scope of this question, therefore the explanation "trivial to back up" should be sufficient.

Andreas Petersson 2011-09-08T12:05:37.023

12

A deterministic wallet is any wallet for which a given private key can be predictably recovered with just:

  • the original secret seed
  • the identifier / sequence number of the desired keypair

There are two types of deterministic wallets:

  • sequential deterministic wallets
  • hierarchical deterministic wallets

With a sequential deterministic wallet, the seed is a passphrase or sequence of characters that can be repeatedly incremented and hashed to generate new private keys.

For example, if I use the passphrase:

'shepherd mais pack rate enamel horace diva filesize maximum really roar mall'

...then I can create the first 100 private keys by doing the following:

hex(sha256('shepherd mais pack rate enamel horace diva filesize maximum really roar mall 0'))
hex(sha256('shepherd mais pack rate enamel horace diva filesize maximum really roar mall 1'))
...

And as long as I am consistent with how I modify the original passphrase, I can easily recover any given passphrase that I wish.

A hierarchical deterministic wallet, on the other hand, starts with a single keypair as the master keypair. The private key of this keypair is the secret seed.

Each keypair has children. And the public key of a given child of a given parent node in the tree is generated by performing elliptic curve multiplication on the parent's public key.

The private key of the child can be recovered by the owner by performing the same multiplicative operation on the parent's private key. This is because mPubkey/Pubkey = mPrivkey/Privkey.

The cool thing about this is that you can give a server a public key and that server can generate new addresses for you without ever having to know your private key.

...

If you're looking for a python implementation of sequential deterministic wallets, I put one together here: https://github.com/blockstack/pybitcoin (or just do "pip install pybitcoin").

I don't have a working implementation of hierarchical deterministic wallets quite yet, but for that I'd check out this python implementation or this ruby implementation.

Ryan

Posted 2011-09-07T21:19:10.987

Reputation: 737

1

Very nice. A bit over my head, but helpful to me at the moment. Will you please consider answering this question: What is the wallet "word seed" that is commonly used in popular wallet clients and what does it do?

4276 2016-06-17T00:16:56.970

@Ryan so this means the parent always knows the public and private key of the child, but the reverse is not true.

Prashant Prabhakar Singh 2016-10-07T08:18:29.400

Is this function (deriving a child private key from the master private key) a one-way function?

Zacharin 2018-04-21T12:03:06.483
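The two derivation schemes Ryan describes above, as an added example that is not from the original post or from pybitcoin: sequential keys are sha256(passphrase + ' ' + index), and the hierarchical relation is checked by deriving the child public key from the parent's public key alone and comparing it with the public key of the child private key. The curve parameters are secp256k1 (an assumption; the answer names no curve), and the pure-Python point arithmetic is there only to keep the example dependency-free.

```python
import hashlib

# secp256k1 parameters (assumed: the answer names no curve; Bitcoin uses secp256k1)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Add two affine points; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None  # a == -b
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, point):  # double-and-add scalar multiplication k*point
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result

def sequential_privkey(passphrase, index):
    """Sequential scheme from the answer: sha256(passphrase + ' ' + index)."""
    digest = hashlib.sha256(f"{passphrase} {index}".encode()).digest()
    key = int.from_bytes(digest, "big")
    if not 0 < key < N:  # astronomically unlikely, but a valid key must lie in [1, n-1]
        raise ValueError(f"index {index} yields an invalid scalar; skip it")
    return key

def hd_child(parent_priv, m):
    """Child private key for scalar m, plus the child public key computed from the parent's public key only."""
    child_priv = (m * parent_priv) % N
    child_pub_from_parent_pub = ec_mul(m, ec_mul(parent_priv, G))
    return child_priv, child_pub_from_parent_pub

def hd_relation_holds(parent_priv, m):
    """True iff (m*priv)*G == m*(priv*G), the identity the answer relies on."""
    child_priv, pub_via_parent = hd_child(parent_priv, m)
    return ec_mul(child_priv, G) == pub_via_parent
```

Note that in this simple multiplicative scheme anyone holding the parent private key and the scalar m obtains the child private key directly, and the address server that knows only the parent public key can still produce every child address.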

4

Another example using deterministic wallets is the BCCAPI, which is a library for making light-weight secure Bitcoin clients. http://code.google.com/p/bccapi/

Jan

Posted 2011-09-07T21:19:10.987

Reputation: 441

2

The primary Bitcoin Improvement Proposals (BIPs) associated with deterministic wallets, specifically hierarchical deterministic (HD) wallets, that facilitate portability between implementations and avoid vendor lock-in are BIPs 32, 39 and 44. The BIPs get into the technical details. You may want to examine libbitcoin for command-line interface examples of applying BIPs 32, 39, and 44.

skaht

Posted 2011-09-07T21:19:10.987

Reputation: 2 588