Steven's BlogAppearance
bip-0032-关于HDWallet解读
BIP0032的核心就是子秘钥的推导
如何从父秘钥(父节点)推出子秘钥(子节点) 可以从父私钥到子私钥 也可以从父公钥到子公钥 也可以从父公钥到子私钥
go
// Child returns a derived child extended key at the given index. When this
// extended key is a private extended key (as determined by the IsPrivate
// function), a private extended key will be derived. Otherwise, the derived
// extended key will be also be a public extended key.
//
// When the index is greater to or equal than the HardenedKeyStart constant, the
// derived extended key will be a hardened extended key. It is only possible to
// derive a hardended extended key from a private extended key. Consequently,
// this function will return ErrDeriveHardFromPublic if a hardened child
// extended key is requested from a public extended key.
//
// A hardened extended key is useful since, as previously mentioned, it requires
// a parent private extended key to derive. In other words, normal child
// extended public keys can be derived from a parent public extended key (no
// knowledge of the parent private key) whereas hardened extended keys may not
// be.
//
// NOTE: There is an extremely small chance (< 1 in 2^127) the specific child
// index does not derive to a usable child. The ErrInvalidChild error will be
// returned if this should occur, and the caller is expected to ignore the
// invalid child and simply increment to the next index.
func (k *ExtendedKey) Child(i uint32) (*ExtendedKey, error) {
// Prevent derivation of children beyond the max allowed depth.
if k.depth == maxUint8 {
return nil, ErrDeriveBeyondMaxDepth
}
// There are four scenarios that could happen here:
// 1) Private extended key -> Hardened child private extended key
// 2) Private extended key -> Non-hardened child private extended key
// 3) Public extended key -> Non-hardened child public extended key
// 4) Public extended key -> Hardened child public extended key (INVALID!)
// Case #4 is invalid, so error out early.
// A hardened child extended key may not be created from a public
// extended key.
isChildHardened := i >= HardenedKeyStart
if !k.isPrivate && isChildHardened {
return nil, ErrDeriveHardFromPublic
}
// The data used to derive the child key depends on whether or not the
// child is hardened per [BIP32].
//
// For hardened children:
// 0x00 || ser256(parentKey) || ser32(i)
//
// For normal children:
// serP(parentPubKey) || ser32(i)
keyLen := 33
data := make([]byte, keyLen+4)
if isChildHardened {
// Case #1.
// When the child is a hardened child, the key is known to be a
// private key due to the above early return. Pad it with a
// leading zero as required by [BIP32] for deriving the child.
copy(data[1:], k.key)
} else {
// Case #2 or #3.
// This is either a public or private extended key, but in
// either case, the data which is used to derive the child key
// starts with the secp256k1 compressed public key bytes.
copy(data, k.pubKeyBytes())
}
binary.BigEndian.PutUint32(data[keyLen:], i)
// Take the HMAC-SHA512 of the current key's chain code and the derived
// data:
// I = HMAC-SHA512(Key = chainCode, Data = data)
hmac512 := hmac.New(sha512.New, k.chainCode)
hmac512.Write(data)
ilr := hmac512.Sum(nil)
// Split "I" into two 32-byte sequences Il and Ir where:
// Il = intermediate key used to derive the child
// Ir = child chain code
il := ilr[:len(ilr)/2]
childChainCode := ilr[len(ilr)/2:]
// Both derived public or private keys rely on treating the left 32-byte
// sequence calculated above (Il) as a 256-bit integer that must be
// within the valid range for a secp256k1 private key. There is a small
// chance (< 1 in 2^127) this condition will not hold, and in that case,
// a child extended key can't be created for this index and the caller
// should simply increment to the next index.
//这里的2^127是怎么算出来的呢?
/*
N=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
如果il是均匀分布,那么出现大于N的可能性是P{il>N}=(MaxUint256-N)/MaxUint256
约等于1/(2^127)
但是为什么要排除这种情况,而不是取模呢
*/
ilNum := new(big.Int).SetBytes(il)
if ilNum.Cmp(btcec.S256().N) >= 0 || ilNum.Sign() == 0 {
return nil, ErrInvalidChild
}
// The algorithm used to derive the child key depends on whether or not
// a private or public child is being derived.
//
// For private children:
// childKey = parse256(Il) + parentKey
//
// For public children:
// childKey = serP(point(parse256(Il)) + parentKey)
var isPrivate bool
var childKey []byte
if k.isPrivate {
// Case #1 or #2.
// Add the parent private key to the intermediate private key to
// derive the final child key.
//
// childKey = parse256(Il) + parenKey
keyNum := new(big.Int).SetBytes(k.key)
ilNum.Add(ilNum, keyNum)
ilNum.Mod(ilNum, btcec.S256().N)
childKey = ilNum.Bytes()
isPrivate = true
} else {
// Case #3.
// Calculate the corresponding intermediate public key for
// intermediate private key.
ilx, ily := btcec.S256().ScalarBaseMult(il)
if ilx.Sign() == 0 || ily.Sign() == 0 {
return nil, ErrInvalidChild
}
// Convert the serialized compressed parent public key into X
// and Y coordinates so it can be added to the intermediate
// public key.
pubKey, err := btcec.ParsePubKey(k.key, btcec.S256())
if err != nil {
return nil, err
}
// Add the intermediate public key to the parent public key to
// derive the final child key.
//
// childKey = serP(point(parse256(Il)) + parentKey)
childX, childY := btcec.S256().Add(ilx, ily, pubKey.X, pubKey.Y)
pk := btcec.PublicKey{Curve: btcec.S256(), X: childX, Y: childY}
childKey = pk.SerializeCompressed()
/*
childKey对应的私钥是什么呢?
K1=k1*G
K2=k2*G
K3=K1+K2=k1*G+k2*G=(k1+k2)*G
因此K3对应的私钥是k1+k2
所以childKey对应的私钥就是il+(k.key 对应的私钥)
*/
}
// The fingerprint of the parent for the derived child is the first 4
// bytes of the RIPEMD160(SHA256(parentPubKey)).
parentFP := btcutil.Hash160(k.pubKeyBytes())[:4]
return NewExtendedKey(k.version, childKey, childChainCode, parentFP,
k.depth+1, i, isPrivate), nil
}
为什么有强化衍生和普通衍生的区别
对于Index大于2^31的就是强化衍生(isChildHardened), 强化衍生使用父节点的私钥衍生Child的私钥和chainCode, 而普通衍生使用父节点的公钥衍生child的私钥和chainCode.
强化衍生和普通衍生的细节
一下来自于extendkey.go中的Child函数, 这两种方式都是得到子节点的PrivateKey和childChainCode. 同时无法通过子节点的PrivateKey和childChainCode来倒推父节点的.
go
if isChildHardened {
// Case #1.
// When the child is a hardened child, the key is known to be a
// private key due to the above early return. Pad it with a
// leading zero as required by [BIP32] for deriving the child.
copy(data[1:], k.key)
} else {
// Case #2 or #3.
// This is either a public or private extended key, but in
// either case, the data which is used to derive the child key
// starts with the secp256k1 compressed public key bytes.
copy(data, k.pubKeyBytes())
}
binary.BigEndian.PutUint32(data[keyLen:], i)
// Take the HMAC-SHA512 of the current key's chain code and the derived
// data:
// I = HMAC-SHA512(Key = chainCode, Data = data)
hmac512 := hmac.New(sha512.New, k.chainCode)
hmac512.Write(data)
ilr := hmac512.Sum(nil)
// Split "I" into two 32-byte sequences Il and Ir where:
// Il = intermediate key used to derive the child
// Ir = child chain code
il := ilr[:len(ilr)/2]
childChainCode := ilr[len(ilr)/2:]
父节点到子节点的三种推导方式
父私钥到子私钥
index大于2^31,
go
ilr:=sha512(0,ParentPrivateKey,index,ParentChainCode)
childPrivateKey:=ilr[:32]
childChainCode:=ilr[32:]
父公钥到子私钥
index小于2^31
go
ilr:=sha512(ParentPubicKey,index,ParentChainCode)
childPrivateKey:=ilr[:32]
childChainCode:=ilr[32:]
父公钥到子公钥
go
ilr:=sha512(ParentPubicKey,index,ParentChainCode)
il:=ilr[:32]
childChainCode:=ilr[32:]
ilx, ily := btcec.S256().ScalarBaseMult(il)
childX, childY := btcec.S256().Add(ilx, ily, paretPubKey.X, paretPubKey.Y)
pk := btcec.PublicKey{Curve: btcec.S256(), X: childX, Y: childY}
childPubKey = pk.SerializeCompressed()
childKey对应的私钥是什么呢? K1=k1G K2=k2G K3=K1+K2=k1G+k2G=(k1+k2)*G 因此K3对应的私钥是k1+k2 所以childKey对应的私钥就是il+(k.key 对应的私钥)
从推导过程可以看出,一旦子私钥暴露,这种方式会导致父私钥也暴露 不过这种也有明显的好处,就是我不需要知道父私钥,只需要知道父公钥和父chainCode就可以推导出所有需要的收款地址. 推导人自己都不知道推导出来的收款地址对应的私钥是什么.
BIP0032树状私钥管理
BIP0039 助记词
从助记词到Seed过程要计算起来非常耗时,否则容易被暴力攻破 
BIP0044 简介
BIP 0044实际上是如何规范使用bip0032,我们一般的钱包都是树状的, 这部分我没看懂,他是怎么管理的.
m / purpose' / coin_type' / account' / change / address_index purpose总是44, 第二层的coin_type有相关规范,自行查询即可 account就是对应钱包中的account
第一层的 purpose 总是被设定为 44'。 第二层的“coin_type”特指币种并且允许多元货币 HD 钱包中的货币在第二个层级 下有自己的亚树状结构。目前有三种货币被定义:Bitcoin is m/44'/0'、Bitcoin Testnet is m/44'/1',以及 Litecoin is m/44'/2'。 树的第三层级是“account”,这可以允许使用者为了会计或者组织目的,而去再细 分他们的钱包到独立的逻辑性亚账户。 举个例子,一个 HD 钱包可能包含两个比 特币“账户”:m/44'/0'/0' 和 m/44'/0'/1'。每个账户都是它自己亚树的根。
第四层级就是“change”。每一个 HD 钱包有两个亚树,一个是用来接收地址一个是 用来创造找零地址。注意无论先前的层级是否使用强化衍生,这一层级使用的都 是常规衍生。这是为了允许这一层级的树可以在不安全环境下,输出扩展公钥。
被 HD 钱包衍生的可用的地址是第四层级的子级,就是第五层级的树的 “address_index”。比如,第三个层级的主账户收到比特币支付的地址就是 M/44'/0'/0'/0/2。 表 5-7 展示了更多的例子。
| HD路径 | 主要描述 |
|---|---|
| M/44'/0'/0'/0/2 | 第三个收到公共钥匙的主比特币账户 |
| M/44'/0'/3'/1/14 | 第十五个改变地址公钥的第四个比特币账户 |
| m/44'/2'/0'/0/1 | 为了签署交易的在莱特币主账户的第二个私钥 |