From entropy to addresses: Anatomy of a bitcoin wallet explained
Originally published on the Unchained blog.
In a recent article titled Your bitcoin isn’t in your wallet, we examined the word “wallet” in the context of bitcoin. While it can be a challenging term to correctly understand, we proposed that a wallet can be conceptualized as “a collection of addresses controlled by the same keys in the same way.” We also covered a few terms used to describe various types of wallets.
In this article, we’ll cover the primary components of a bitcoin wallet and how they are chronologically created. Several of these components are regularly discussed, but often misunderstood or confused with one another: seed phrases, private keys, extended public keys (xpubs), public keys, and addresses. Let’s discuss what each of these are, where they come from, where they might be stored, and how sensitive they are.
Beginning with entropy
If a wallet is “a collection of addresses controlled by the same keys in the same way,” it raises a question about which gets created first: the controlling keys, or the addresses themselves? The answer is the keys—in order to build the addresses, critical information must first come from the keys.
In order to create keys securely, the starting point must be entropy, which can be thought of as randomness. A bitcoin key is merely secretive information, which the user doesn’t want other people to learn or guess. Therefore, the best way to create a key is by selecting a very large number (generally one between 0 and 2128, or 0 and 2256) in an unpredictable way. The entropy can be generated by flipping coins, rolling dice, or ideally using a specialized offline device such as a hardware wallet that can help prevent mistakes. Once you have securely generated the entropy, the next step typically involves moving on to a seed phrase.
Seed phrase
The entropy (large random number) is important information to record and protect, otherwise the keys controlling the bitcoin could be lost forever. A seed phrase, or mnemonic seed, is a set of words that represent the entropy. Words are preferable to numbers while recording information in writing or memory, because they can help guard against the propensity for typos and other errors. You can learn more about the basics of seed phrases here.
How is a seed phrase created?
Seed phrases are created by expressing the entropy in binary format. This looks like a bunch of 1s and 0s, called bits. Usually, people will be operating with a total of 128 or 256 bits. Groups of 11 bits at a time, each allowing for 211 or 2048 possibilities, can then be easily converted into one of the 2048 unique words on the official BIP39 wordlist.
All but the final word can be calculated easily by hand. The final word requires extra bits produced from a SHA-256 hash function, serving as a checksum. At the end of the process, 128 bits will have resulted in 12 words, while 256 bits will have resulted in 24 words. You can learn more about the details of how seed phrases are created here.
How sensitive is a seed phrase?
A seed phrase represents your entropy, which is intended to be kept secret. If your seed phrase is exposed to someone, that person will have permanent access to the private keys produced by that seed phrase, which we will cover in the next section. This means that the person would have full or partial power to spend any bitcoin controlled by those keys. You should never share your seed phrase with anyone, unless you want that person to be able to spend funds out of the wallets which your seed phrase is protecting.
Where is a seed phrase stored?
A seed phrase should be written on paper, or stamped into metal. It shouldn’t be stored digitally, except inside a device specifically designed to protect it from internet exposure, such as a hardware wallet. You can learn more about seed phrase storage here.
Master private key
A master private key, or colloquially just “a private key” (which is technically imprecise) is a string of alphanumeric data. It can be used to apply cryptographic signatures to a transaction designed to spend bitcoin out of a wallet. These signatures are typically required in order for the bitcoin network to accept the transaction as valid.
How is a master private key created?
In the context of most modern bitcoin wallets, the master private key is created from a seed phrase. This is done through a series of cryptographic hashing operations. First, the seed phrase is converted into just a “seed,” which uses 64 bytes as the final representation of the entropy. This seed is then put through a final HMAC-SHA512 hashing function, resulting in the master private key, a new set of 64 bytes. You can learn more about the details of this process here. By following the proper steps, the same seed phrase will always result in the same master private key.
How sensitive is a master private key?
A master private key is equally as sensitive as a seed phrase. Your master private key should never be shared with anyone, unless you want that person to have full or partial power to spend wallet funds.
Where is a master private key stored?
In the context of secure cold storage, a master private key will exist inside an offline hardware wallet, after the device calculates it from a seed phrase. If a private key is ever generated by, stored on, or exposed to an internet-connected device, then it should be considered a “hot key,” which is substantially less secure.
Private keys are rarely seen by the end user, which helps prevent the user from backing up the private keys directly. It would be easy to make a mistake while recording a seemingly random string of hexadecimal characters. It’s much safer to write down a 12 or 24 word seed phrase, which can be used to reproduce the same master private key later on.
Extended public key (xpub)
With a master private key, a user can now proceed to create the addresses for a wallet which that key will fully or partially control. In the conventional modern wallet structure (also called HD, or hierarchical deterministic), the next step will be generating an extended public key, or “xpub.” This is an alphanumeric string of data which serves as the main ingredient for building a wallet. Since a master private key can create many different xpubs, that means the master private key can also be associated with many different bitcoin wallets.
Just one xpub will be enough to create a singlesig wallet. Combining an xpub with other xpubs produced by other master private keys is how to create a multisig wallet. You can learn more about xpubs here.
How is an xpub created?
The process to get from a master private key to an xpub is less straightforward than the steps we’ve covered up to this point. Since a master private key can create many different xpubs, the question becomes which xpub the user wants to create. This is determined by a derivation path, which can be thought of as the pathway instructions to get from the master private key to one of the many keys which it can produce. The derivation path can sometimes be chosen by the user, but oftentimes it is automatically chosen by the particular wallet software, and will tend to follow certain industry standards to protect the user from mistakes.
Once the desired pathway is chosen, elliptic curve cryptography combined with a series of HMAC-SHA512 hashing functions will reach the particular xpub. More technical details of this procedure can be found here. The end result is 65 bytes, which can then be serialized into Base58 formatting, creating the alphanumeric string beginning with “xpub” that many users are familiar with.
How sensitive is an xpub?
An xpub can’t be used to approve spending bitcoin out of a wallet, like a private key can. Instead, xpubs—and their child public keys, which we will cover soon—are limited to helping the user receive bitcoin or check wallet balances. This means they are less sensitive than private keys and seed phrases from a security perspective, but they can still be sensitive from a privacy perspective.
If you have a singlesig wallet and someone learns the xpub used to build it, they will be able to monitor your full wallet balance and transaction history. The same is true if someone learns all of the xpubs involved in a multisig wallet.
Where is an xpub stored?
Hardware wallets are designed to be able to export xpubs to an internet-connected device, while still protecting the private keys from such exposure. A wallet coordinator software (sometimes called a watch-only wallet) on a laptop or phone can receive an xpub, and then provide the user with an interface for the associated wallet. These wallet coordinators store the xpub, and will also typically connect to a bitcoin node, so that they can search the blockchain to find wallet balances and display them to the user. Examples of wallet coordinator software include the Unchained platform, Caravan, Sparrow Wallet, Trezor Suite, and Ledger Live.
For a multisig wallet, a wallet descriptor or configuration file is a collection of information containing all of the relevant xpubs for that wallet. A wallet coordinator requires the entirety of this information to derive the wallet addresses and find the wallet balance. This is a critically important fact for anyone who uses multisig, and one of the reasons that guidance and education from a professional collaborative custody partnership can be beneficial.
Child public key
An xpub can create millions of other public keys, known as child public keys. While an xpub is the main ingredient to build a wallet, a child public key is the main ingredient to create an address. Since one xpub is able to create many child public keys, this explains why a wallet is made up of many addresses.
A public key is yet another string of data, which can be compressed to 33 bytes. Only one public key is needed to create an address for a singlesig wallet. To create an address for a multisig wallet, one public key is needed from each xpub involved.
How is a child public key created?
Similar to the creation of an xpub, the first step is deciding which public key the user wants to create. This process involves the same derivation path system mentioned earlier, and it allows the user to create an ordered list of public keys, simply by incrementing a number in the pathway, also called an index number. You can learn more about this here. Once the pathway is determined, using HMAC-SHA512 hashing functions will lead to the desired public key.
How sensitive is a child public key?
Similar to an extended public key, a child public key can’t be used to approve a transfer of bitcoin, so it is much less sensitive than a private key. From a privacy standpoint, it is also less sensitive than an xpub. This is because an xpub can reveal balance information about an entire wallet, whereas a child public key is limited to the balance information of one particular address. In fact, a public key is approximately as sensitive as an address itself, which is meant to be shared with other people who want to send you bitcoin.
Where is a child public key stored?
Child public keys can exist wherever the xpub that produced them exists, which is typically within a wallet coordinator software. They are rarely seen by the end user, because they don’t need to be interacted with directly. Instead, they are used to create addresses, which the user can see and share.
Address
An address is an alphanumeric string that is used to receive bitcoin. A recipient will need to provide an address to the sender to specify the proper destination of the bitcoin. You can learn more about the basics of bitcoin addresses here.
How is an address created?
There are several different types of bitcoin addresses, which we covered in an earlier article. The steps to create an address will vary depending on which type is used. To create an address for a singlesig wallet (address types P2PKH or P2WPKH), a child public key will go through SHA-256 and RIPEMD-160 hashing functions, and have a prefix and checksum applied.
To create an address for a multisig wallet (address types P2SH or P2WSH), a similar process occurs, except rather than hashing a single public key, a script is hashed. The script can contain multiple public keys, and other instructions such as the multisig quorum size, which govern how bitcoin can be spent out of the address.
How sensitive is an address?
Sharing addresses is necessary for receiving bitcoin from other people. However, once an address is shared, all deposit and withdrawal activity for that address can be monitored, as well as the current balance. For better privacy, it’s often encouraged to use a new, fresh address for each deposit to your wallet. You can learn more about privacy best practices here.
Where is an address stored?
Your wallet’s addresses can be found inside your wallet coordinator software, the same place where the xpub(s) are held. Addresses that have been used to receive bitcoin can also be tracked on the blockchain. When a wallet coordinator software establishes a connection with the blockchain, it will be able to find the balance and transaction history for all of that wallet’s addresses.
Final thoughts
Now that we’ve covered the primary components of a bitcoin wallet which most users should be familiar with, a brief summary of the information can be compiled into a quick reference chart:
This chart applies to a basic singlesig wallet intended to secure bitcoin in cold storage. A multisig wallet has a bit more nuance and complexity, as referenced in the earlier sections.
In addition to these primary components, there are other elements within a standard wallet infrastructure that curious readers can learn about. For example, each extended public key has an associated extended private key (or xprv), and each child public key has an associated child private key. These items were not covered in this article, because they are rarely relevant to someone operating a modern wallet and understanding its basic functionality. This is due to the fact that as long as someone has their master private key, they will be able to produce any xprvs and child private keys behind the scenes that they might need.
There are great resources out there to dive deeper into the details behind keys and wallet infrastructure, including the free online version of Mastering Bitcoin by Andreas Antonopoulos and David Harding, as well as Greg Walker’s website Learn Me A Bitcoin, which was linked to earlier in this article several times.