1. Initial Entropy

Generation of 128 bits of cryptographic random entropy

1. Generate 16 bytes (128 bits) of random entropy using crypto.getRandomValues()

2. Each byte is a number between 0 and 255 (8 bits)

3. Bytes are converted to hexadecimal representation (2 characters per byte)

4. Bytes are also converted to binary representation (8 bits per byte)

5. This entropy will serve as the foundation for generating the mnemonic phrase

16 bytes = 128 bits = 32 hex characters
1 byte = 8 bits = 2 hex characters
Example: byte 255 = FF (hex) = 11111111 (bin)

Raw Bytes (16 bytes)

0Byte 1
0Byte 2
0Byte 3
0Byte 4
0Byte 5
0Byte 6
0Byte 7
0Byte 8
0Byte 9
0Byte 10
0Byte 11
0Byte 12
0Byte 13
0Byte 14
0Byte 15
0Byte 16

Byte Conversions

Byte 1
Decimal0
Hexadecimal00
Binary00000000
Byte 2
Decimal0
Hexadecimal00
Binary00000000
Byte 3
Decimal0
Hexadecimal00
Binary00000000
Byte 4
Decimal0
Hexadecimal00
Binary00000000
Byte 5
Decimal0
Hexadecimal00
Binary00000000
Byte 6
Decimal0
Hexadecimal00
Binary00000000
Byte 7
Decimal0
Hexadecimal00
Binary00000000
Byte 8
Decimal0
Hexadecimal00
Binary00000000
Byte 9
Decimal0
Hexadecimal00
Binary00000000
Byte 10
Decimal0
Hexadecimal00
Binary00000000
Byte 11
Decimal0
Hexadecimal00
Binary00000000
Byte 12
Decimal0
Hexadecimal00
Binary00000000
Byte 13
Decimal0
Hexadecimal00
Binary00000000
Byte 14
Decimal0
Hexadecimal00
Binary00000000
Byte 15
Decimal0
Hexadecimal00
Binary00000000
Byte 16
Decimal0
Hexadecimal00
Binary00000000

Final Result

Entropy (hex)0 characters = 0 bits
Entropy (binary)0 bits

2. Checksum

Calculating checksum from SHA256 of entropy

1. The entropy (in hex) is passed through the SHA256 function

2. The result is a 256-bit hash (64 hex characters)

3. Take the first byte of the hash (first 2 hex characters)

4. Convert this byte to binary (8 bits)

5. Keep the first bits according to ENT/32 formula (4 bits for 128 bits of entropy)

ENT = 128 bits → ENT/32 = 4 checksum bits
checksum = SHA256(entropy)[0...ENT/32]
Example: If first byte = FF → 11111111 → keep 1111

Input Data

Entropy (hex)0 bits

SHA256 Calculation

Complete Hash...256 bits
First Byte of Hash
Hexadecimal00
Decimal..
Binary00000000

Final Checksum

Extracted Bits
Length0 bits

These 0 bits will be added to the entropy to form the data that will be used to generate the mnemonic phrase.

3. Mnemonic Phrase

Generating 12 BIP39 words from entropy + checksum

1. Entropy (128 bits) and checksum (4 bits) are combined to form 132 bits

2. These 132 bits are divided into 12 groups of 11 bits

3. Each 11-bit group represents a number between 0 and 2047

4. This number is used as an index in the BIP39 wordlist of 2048 words

5. The 12 selected words form the mnemonic phrase

Entropy (128 bits) + Checksum (4 bits) = 132 bits
132 bits ÷ 11 bits = 12 groups
Each group: 0 to 2047 (2¹¹ - 1)
Index → Word in wordlist[index]

Combined Bits

Entropy + Checksum...132 bits (128 + 4)

11-bit Groups

Group 1
Bits...
Index...
Word...
Group 2
Bits...
Index...
Word...
Group 3
Bits...
Index...
Word...
Group 4
Bits...
Index...
Word...
Group 5
Bits...
Index...
Word...
Group 6
Bits...
Index...
Word...
Group 7
Bits...
Index...
Word...
Group 8
Bits...
Index...
Word...
Group 9
Bits...
Index...
Word...
Group 10
Bits...
Index...
Word...
Group 11
Bits...
Index...
Word...
Group 12
Bits...
Index...
Word...

Final Mnemonic Phrase

12 Words

This 12-word phrase allows you to recreate the wallet at any time. It must be kept secure and never shared with anyone.

4. Seed

Generating seed using PBKDF2-HMAC-SHA512

1. The mnemonic phrase is used as the password

2. The salt is composed of the word 'mnemonic' and an optional passphrase

3. PBKDF2 performs 2048 iterations of HMAC-SHA512

4. Each iteration uses the previous result as input

5. The final result is a 512-bit (64 bytes) seed

salt = 'mnemonic' + passphrase
seed = PBKDF2(HMAC-SHA512, mnemonic, salt, 2048, 64)
DK = PBKDF2(PRF, Password, Salt, c, dkLen)

Input Parameters

Mnemonic Phrase (Password)

Passphrase (Additional Security)

The passphrase acts as a "13th word" secret and offers several benefits:

  • Protection against physical theft of the mnemonic phrase
  • Creation of multiple wallets from the same mnemonic phrase
  • Additional layer of security (2FA)
  • Ability to create a decoy wallet under duress

Note: The same mnemonic phrase with different passphrases will generate completely different wallets.

Salt Construction

Constant Prefixmnemonic
Passphrase(empty)
Final Saltmnemonic

PBKDF2 Process

PRF FunctionHMAC-SHA512
Iterations2048
Output64 bytes
Intermediate Values
Round 1...
Round 2048 (final)...

Final Seed

Seed (hex)512 bits (64 bytes)

This seed will be used to generate the master key and chain code.

5. Master Key & Chain Code

Generating master key and chain code using HMAC-SHA512

1. The seed is used as input message for HMAC-SHA512

2. The HMAC key is the string 'Bitcoin seed'

3. The result is a 512-bit hash split into two parts:

- First 256 bits (32 bytes) become the master private key

- Last 256 bits become the chain code

4. The private key must be a valid number (< curve order)

5. The chain code will be used for child key derivation

I = HMAC-SHA512(Key = 'Bitcoin seed', Data = seed)
master_private_key = I_L (left 256 bits)
chain_code = I_R (right 256 bits)
Validation: 0 < master_private_key < n (curve order)

Input Data

Seed (512 bits)...
HMAC KeyBitcoin seed

HMAC-SHA512 Calculation

HMAC Output (512 bits)...
First 256 bits (I_L)Becomes master private key if valid (< n)
Last 256 bits (I_R)Becomes chain code

Private Key Validation

The master private key must be a valid number for the secp256k1 curve:

  • Must be greater than 0
  • Must be less than the curve order (n)
  • n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
  • If invalid, start over with a new seed

Note: This validation is crucial for wallet security. An invalid private key could compromise the generation of child keys.

6. Extended Keys

BIP32 format for hierarchical deterministic structure

1. Extended keys combine multiple elements in a standardized format

2. The format allows deterministic derivation of child keys

3. Version indicates key type (private/public) and network

4. Depth indicates level in derivation tree

5. Parent fingerprint allows tracing hierarchy

6. Child number identifies position among siblings

Version (4 bytes) | Depth (1 byte) | Parent Fingerprint (4 bytes)
Child Number (4 bytes) | Chain Code (32 bytes) | Key (33 bytes)
Total: 78 bytes → Base58Check encoding

Extended Keys Structure

Extended Private Key (xprv)

Version (mainnet)0x0488ADE4
Depth0x00
Parent Fingerprint0x00000000
Child Index0x00000000
Chain Code...
Private Key (with 0x00)...
Base58Check

Extended Public Key (xpub)

Version (mainnet)0x0488B21E
Depth0x00
Parent Fingerprint0x00000000
Child Index0x00000000
Chain Code...
Public Key (compressed)...
Base58Check

Extended Key Versions

Mainnet
  • xprv: 0x0488ADE4
  • xpub: 0x0488B21E
Testnet
  • tprv: 0x04358394
  • tpub: 0x043587CF

7. Multi-Network Derivation

Key derivation following BIP44 standard

1. BIP44 path is structured in 5 hierarchical levels

2. Each level has a specific meaning

3. The apostrophe (') indicates hardened derivation

4. Derivation can be normal or hardened

5. Hardened indices are calculated as index + 2³¹

m / purpose' / coin' / account' / change / address
m = master key
Hardened index = index + 2³¹

BIP44 Path Structure

MastermMaster key
Purpose44'BIP44 standard
Coin Type0', 60'...Cryptocurrency type
Account0'Account number
Change0External/Internal
Index0Address number

Derivation Types

Normal Derivation

Used for change and address levels

I = HMAC-SHA512(cpar, ser256(Kpar) || ser32(i))

Hardened Derivation

Used for purpose, coin type and account levels

I = HMAC-SHA512(cpar, 0x00 || ser256(kpar) || ser32(i + 2³¹))

Note on EVM (Ethereum Virtual Machine)

Several blockchains use the EVM (Ethereum Virtual Machine) and therefore share the same address format:

EVM Address Format0x + 40 hex characters

EVM-compatible networks:

  • Ethereum (ETH) - The original network
  • BNB Smart Chain (BNB) - Optimized Ethereum fork
  • Polygon (MATIC) - L2 scaling solution
  • Avalanche (AVAX) - Modular blockchain
  • And many others...

Note: EVM compatibility allows using the same addresses and private keys across different networks, facilitating blockchain interoperability.