HD Wallets
Hierarchical Deterministic (HD) wallets generate all keys from a single master seed, enabling organized key management and simple backups. This is the foundation of modern Bitcoin wallet architecture.
Overview
HD wallets, defined in BIP32, allow a wallet to derive an effectively unlimited number of key pairs (up to 2^31 normal and 2^31 hardened children per level) from a single master seed. Combined with BIP39 (mnemonic phrases) and BIP44 (account structure), this creates a powerful and standardized wallet system.
Key Benefits:
- Single backup (seed phrase) for all keys
- Organized account and address structure
- Watch-only wallets using extended public keys
- Deterministic key generation across devices
BIP39: Mnemonic Seed Phrases
BIP39 defines how to turn random entropy into a human-readable mnemonic phrase, and how to turn that mnemonic (plus an optional passphrase) into the 512-bit seed that BIP32 consumes: seed = PBKDF2-HMAC-SHA512(password = mnemonic, salt = "mnemonic" + passphrase, 2048 iterations, 64 bytes), with both strings NFKD-normalized.
Mnemonic Generation Process
- Generate random entropy of 128 to 256 bits, in 32-bit steps (ENT)
- Compute the checksum: the first ENT/32 bits of SHA-256(entropy)
- Append the checksum bits to the entropy bits
- Split the result into 11-bit groups (ENT + ENT/32 is always a multiple of 11)
- Map each group to a word from the 2048-word list (2^11 = 2048, so each word encodes exactly 11 bits)
| Entropy (bits) | Checksum (bits) | Words |
|---|---|---|
| 128 | 4 | 12 |
| 160 | 5 | 15 |
| 192 | 6 | 18 |
| 224 | 7 | 21 |
| 256 | 8 | 24 |
Generating a Mnemonic
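The generation steps and the seed derivation above, worked through in Python with only the standard library. This is an added example, not code from the original page or from any wallet project. Mapping indices to words needs the 2048-word BIP39 English list, which is not embedded here, so the functions operate on word indices; the checksum verification is what a wallet runs when a user types a phrase back in. The expected values come from the first BIP39 test vector (16 zero bytes, which encode as `abandon` eleven times followed by `about`, with passphrase `TREZOR`).

```python
import hashlib
import unicodedata

WORDLIST_SIZE = 2048  # BIP39 English list: 2048 words, so one word carries 11 bits


def entropy_to_indices(entropy: bytes) -> list:
    """Checksum, append, split into 11-bit groups. Returns word indices (0..2047);
    mapping them to words requires the BIP39 word list (not embedded here)."""
    ent = len(entropy) * 8
    if ent not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128, 160, 192, 224 or 256 bits")
    cs = ent // 32                                               # checksum length in bits
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs)   # cs <= 8: first byte suffices
    bits = (int.from_bytes(entropy, "big") << cs) | checksum
    n_words = (ent + cs) // 11
    return [(bits >> (11 * (n_words - 1 - j))) & 0x7FF for j in range(n_words)]


def indices_to_entropy(indices: list) -> bytes:
    """Inverse: rebuild the entropy and verify the checksum, as a wallet does on restore."""
    total = len(indices) * 11
    if total % 33 or not all(0 <= i < WORDLIST_SIZE for i in indices):
        raise ValueError("invalid word count or word index")
    cs = total // 33                                             # ENT + ENT/32 = 33 * ENT/32
    bits = 0
    for i in indices:
        bits = (bits << 11) | i
    entropy = (bits >> cs).to_bytes((total - cs) // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    if bits & ((1 << cs) - 1) != expected:
        raise ValueError("checksum mismatch: a word was mistyped or swapped")
    return entropy


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase.
    The passphrase is the '25th word': any change gives an unrelated 64-byte seed."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048)


if __name__ == "__main__":
    # Constructed input: the all-zero 128-bit entropy from the BIP39 test vectors.
    indices = entropy_to_indices(bytes(16))
    print(indices)  # eleven times 0 ("abandon") and then 3 ("about")
    phrase = " ".join(["abandon"] * 11 + ["about"])
    print(mnemonic_to_seed(phrase, "TREZOR").hex())
    print(mnemonic_to_seed(phrase).hex() != mnemonic_to_seed(phrase, "TREZOR").hex())
```

Note that the checksum only catches typos; it is not a secret. All of the security is in the entropy and, if used, the passphrase, which is why a mistyped passphrase silently opens a different, empty wallet rather than failing.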
BIP32: Key Derivation
BIP32 defines how to derive child keys from parent keys using a hierarchical structure.
Extended Keys
Extended keys pair a key with a 32-byte chain code, the extra secret that makes child derivation possible; both are needed to derive children:
- Extended Private Key (xprv): private key + chain code; derives child private keys (normal or hardened) and their public keys
- Extended Public Key (xpub): public key + chain code; derives only normal (non-hardened) child public keys
Both serialize to 78 bytes, which are Base58Check-encoded into the familiar xprv.../xpub... strings:
[4 bytes version][1 byte depth][4 bytes parent fingerprint][4 bytes child index][32 bytes chain code][33 bytes key data]
Key data is 0x00 followed by the 32-byte private key for an xprv, or the 33-byte compressed public key for an xpub. The mainnet version bytes 0488ADE4 and 0488B21E are what produce the xprv and xpub prefixes.
Derivation Paths
Derivation paths use slash-separated indices:
m / purpose' / coin_type' / account' / change / address_index
Examples:
- m/44'/0'/0'/0/0 - First receiving address (BIP44 legacy)
- m/84'/0'/0'/0/0 - First receiving address (BIP84 native SegWit)
- m/86'/0'/0'/0/0 - First receiving address (BIP86 Taproot)
The apostrophe (') indicates hardened derivation, i.e. the index plus 2^31; some tools write h instead of the apostrophe.
Hardened vs Normal Derivation
| Type | Index Range | Security | Use Case |
|---|---|---|---|
| Normal | 0 to 2^31-1 | Derivable from the parent xpub; a leaked child private key plus the parent xpub reveals the parent private key | Receiving and change addresses |
| Hardened | 2^31 to 2^32-1 | Requires the parent private key; a leaked child private key reveals nothing about the parent or its siblings | Purpose, coin type and account levels |
Security Note: Always use hardened derivation for account-level keys and above. Normal derivation computes the child key as k_child = k_parent + IL, where IL comes from an HMAC over data the xpub holder already has (parent public key, chain code, index). Anyone holding the parent xpub and a single normal child private key can therefore compute k_parent = k_child - IL and from it every sibling and descendant private key.
Deriving Keys from Seed
BIP44: Multi-Account Hierarchy
BIP44 defines a standard account structure for HD wallets.
Path Structure
m / purpose' / coin_type' / account' / change / address_index
| Level | Hardened | Description |
|---|---|---|
| purpose | Yes | BIP number (44, 49, 84, 86) |
| coin_type | Yes | Coin identifier from SLIP-44 (0 = Bitcoin, 1 = Bitcoin testnet) |
| account | Yes | Account index (0, 1, 2...) |
| change | No | 0 = external (receiving), 1 = internal (change) |
| address_index | No | Address index within chain |
Purpose Values by Address Type
| BIP | Purpose | Address Type | Prefix |
|---|---|---|---|
| BIP44 | 44' | P2PKH (Legacy) | 1... |
| BIP49 | 49' | P2SH-P2WPKH (Nested SegWit) | 3... |
| BIP84 | 84' | P2WPKH (Native SegWit) | bc1q... |
| BIP86 | 86' | P2TR (Taproot) | bc1p... |
Watch-Only Wallets
An extended public key (xpub), normally exported at the account level (e.g. m/84'/0'/0') so that both the receiving and change chains can be derived, enables a watch-only wallet that can:
- Generate receiving addresses
- Monitor incoming transactions
- Calculate balances
all without holding any private key, so it cannot spend funds.
Creating a Watch-Only Wallet
Security Best Practices
Seed Phrase Storage
- Physical backup: Write on paper or metal, store securely
- Never digital: Don't store on computers, phones, or cloud
- Multiple copies: Keep backups in separate locations
- Test recovery: Verify you can restore from backup
Passphrase (25th Word)
BIP39 supports an optional passphrase that:
- Creates a completely different wallet
- Provides plausible deniability
- Adds another layer of security
Warning: A forgotten passphrase means permanent loss of funds.
Extended Public Key Exposure
Exposing an xpub reveals:
- All past and future addresses in its non-hardened subtree
- Complete transaction history for those addresses
- Total balance
It also turns any single leaked normal child private key into a full compromise of the subtree, as described under hardened derivation. Never share xpubs publicly unless intentional (e.g., a donation page that needs fresh addresses), and treat them as sensitive data when handing them to a watch-only service.
Gap Limit
The gap limit is how many consecutive unused addresses a wallet derives and checks before it stops scanning a chain. It applies separately to the receiving (change = 0) and change (change = 1) chains, and the default is typically 20.
Important for wallet recovery: a restoring wallet only knows the seed, not which addresses were used, so it scans each chain until it hits the gap limit. If you received funds at an address more than 20 positions past the last used one, leaving the intermediate addresses unused, those funds will not appear in the recovered wallet until the gap limit is raised or the scan is continued manually.
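The scan a restoring wallet performs, as an added example (not code from the original page). The address derivation and blockchain lookup are stood in for by an `is_used(index)` callback, and the set of used indices is constructed for the example: receiving indices 0, 1, 5 and 30, where 30 is 24 positions past the last used address and so falls outside a default gap of 20.

```python
def scan_chain(is_used, gap_limit=20):
    """Scan one chain (receiving or change) the way a restoring wallet does: derive
    addresses in order and stop after gap_limit consecutive unused ones.
    is_used(index) stands in for 'derive the address at index and query the chain'.
    Returns (indices found to be used, highest index examined)."""
    found, unused_run, index = [], 0, 0
    while unused_run < gap_limit:
        if is_used(index):
            found.append(index)
            unused_run = 0                  # a hit resets the gap counter
        else:
            unused_run += 1
        index += 1
    return found, index - 1


def recover_account(used_by_chain, gap_limit=20):
    """Run the scan for both BIP44 chains of one account: 0 = receiving, 1 = change.
    used_by_chain maps chain -> set of used indices (a constructed stand-in for
    what the wallet would learn by querying each derived address)."""
    return {
        chain: scan_chain(lambda i, s=used: i in s, gap_limit)[0]
        for chain, used in used_by_chain.items()
    }


if __name__ == "__main__":
    # Constructed example data: index 30 sits 24 empty slots after index 5.
    receiving_used = {0, 1, 5, 30}
    found, last = scan_chain(lambda i: i in receiving_used, gap_limit=20)
    print("gap 20 found", found, "stopped at index", last)   # index 30 is missed
    found, last = scan_chain(lambda i: i in receiving_used, gap_limit=25)
    print("gap 25 found", found, "stopped at index", last)   # index 30 is recovered
    print(recover_account({0: receiving_used, 1: {0, 1, 2}}))
```

With the default gap of 20 the scan stops at index 25 and never examines index 30, so the funds there are invisible to the restored wallet even though the seed can derive that key. Raising the gap limit (or letting the user trigger a deeper scan) is the usual fix; wallets that hand out many addresses, such as donation pages, should generate them sequentially for this reason.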
Summary
HD wallets provide:
- Single backup: One seed phrase backs up all keys
- Organized structure: Hierarchical account and address management
- Watch-only capability: Monitor without spending ability
- Standardization: BIP32/39/44 ensure wallet interoperability
- Security: Hardened derivation protects account-level keys
Understanding HD wallets is essential for building modern Bitcoin wallet applications.
Related Topics
- Bitcoin Wallets - Introduction to Bitcoin wallets
- Address Types - Understanding different Bitcoin address formats
- Key Management - Secure key generation and storage
- Cryptography - Elliptic curve cryptography fundamentals
