Spectivity
← Back to Bitcoin Improvement Proposals
BIP 85informationalDeployedwalletkey-management

Deterministic Entropy From BIP32 Keychains

BIP: 85 Layer: Applications Title: Deterministic Entropy From BIP32 Keychains

No reviews
Ethan Kosakovsky·Updated Mar 29, 2026·0 reviews·0 attestations·View source
Collections:BIPs — Merged

Specification

  BIP: 85
  Layer: Applications
  Title: Deterministic Entropy From BIP32 Keychains
  Authors: Ethan Kosakovsky 
           Aneesh Karve 
  Status: Deployed
  Type: Informational
  Assigned: 2020-03-20
  License: BSD-2-Clause OR OPUBL-1.0
  Version: 2.0.0

Abstract

"One Seed to rule them all,
One Key to find them,
One Path to bring them all,
And in cryptography bind them."

It is not possible to maintain one single (mnemonic) seed backup for all keychains used across various wallets because there are a variety of incompatible standards. Sharing of seeds across multiple wallets is not desirable for security reasons. Physical storage of multiple seeds is difficult depending on the security and redundancy required.

As HD keychains are essentially derived from initial entropy, this proposal provides a way to derive entropy from the keychain which can be fed into whatever method a wallet uses to derive the initial mnemonic seed or root key.

Copyright

This BIP is dual-licensed under the Open Publication License and BSD 2-clause license.

Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

The terminology related to keychains used in the wild varies widely, for example `seed` has various different meanings. In this document we define the terms

# BIP32 root key is the root extended private key that is represented as the top root of the keychain in BIP32. # BIP39 mnemonic is the mnemonic phrase that is calculated from the entropy used before hashing of the mnemonic in BIP39. # BIP39 seed is the result of hashing the BIP39 mnemonic seed.

When in doubt, assume big endian byte serialization, such that the leftmost byte is the most significant.

Motivation

Most wallets implement BIP32 which defines how a BIP32 root key can be used to derive keychains. As a consequence, a backup of just the BIP32 root key is sufficient to include all keys derived from it. BIP32 does not have a human-friendly serialization of the BIP32 root key (or BIP32 extended keys in general), which makes paper backups or manually restoring the key more error-prone. BIP39 was designed to solve this problem, but rather than serialize the BIP32 root key, it takes some entropy, encoded to a "seed mnemonic", which is then hashed to derive the BIP39 seed, which can be turned into the BIP32 root key. Saving the BIP39 mnemonic is enough to reconstruct the entire BIP32 keychain, but a BIP32 root key cannot be reversed back to the BIP39 mnemonic.

Most wallets implement BIP39, so on initialization or restoration, the user must interact with a BIP39 mnemonic. Most wallets do not support BIP32 extended private keys, so each wallet must either share the same BIP39 mnemonic, or have a separate BIP39 mnemonic entirely. Neither scenario is particularly satisfactory for security reasons. For example, some wallets may be inherently less secure, like hot wallets on smartphones, JoinMarket servers, or Lightning Network nodes. Having multiple seeds is far from desirable, especially for those who rely on split key or redundancy backups in different geological locations. Adding keys is necessarily difficult and may result in users being more lazy with subsequent keys, resulting in compromised security or loss of keys.

There is an added complication with wallets that implement other standards, or no standards at all. The Bitcoin Core wallet uses a WIF as the hdseed, and yet other wallets, like Electrum, use different mnemonic schemes to derive the BIP32 root key. Other cryptocurrencies, like Monero, use an entirely different mnemonic scheme.

Ultimately, all of the mnemonic/seed schemes start with some "initial entropy" to derive a mnemonic/seed, and then process the mnemonic into a BIP32 key, or private key. We can use BIP32 itself to derive the "initial entropy" to then recreate the same mnemonic or seed according to the specific application standard of the target wallet. We can use a BIP44-like categorization to ensure uniform derivation according to the target application type.

Specification

We assume a single BIP32 master root key. This specification is not concerned with how this was derived (e.g. directly or via a mnemonic scheme such as BIP39).

For each application that requires its own wallet, a unique private key is derived from the BIP32 master root key using a fully hardened derivation path. The resulting private key (k) is then processed with HMAC-SHA512, where the key is "bip-entropy-from-k", and the message payload is the private key k: HMAC-SHA512(key="bip-entropy-from-k", msg=k) . The result produces 512 bits of entropy. Each application SHOULD use up to the required number of bits necessary for their operation, and truncate the rest.

The HMAC-SHA512 function is specified in RFC 4231.

Test vectors

Test case 1

INPUT:
  • MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2LBWUUQRFXhucrQqBpKdRRxNVq2zBqsx8HVqFk2uYo8kmbaLLHRdqtQpUm98uKfu3vca1LqdGhUtyoFnCNkfmXRyPXLjbKb
  • PATH: m/83696968'/0'/0'
OUTPUT:
  • DERIVED KEY=cca20ccb0e9a90feb0912870c3323b24874b0ca3d8018c4b96d0b97c0e82ded0
  • DERIVED ENTROPY=efecfbccffea313214232d29e71563d941229afb4338c21f9517c41aaa0d16f00b83d2a09ef747e7a64e8e2bd5a14869e693da66ce94ac2da570ab7ee48618f7

Test case 2

INPUT:
  • MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2LBWUUQRFXhucrQqBpKdRRxNVq2zBqsx8HVqFk2uYo8kmbaLLHRdqtQpUm98uKfu3vca1LqdGhUtyoFnCNkfmXRyPXLjbKb
*PATH: m/83696968'/0'/1'

OUTPUT

  • DERIVED KEY=503776919131758bb7de7beb6c0ae24894f4ec042c26032890c29359216e21ba
  • DERIVED ENTROPY=70c6e3e8ebee8dc4c0dbba66076819bb8c09672527c4277ca8729532ad711872218f826919f6b67218adde99018a6df9095ab2b58d803b5b93ec9802085a690e

BIP85-DRNG

BIP85-DRNG-SHAKE256 is a deterministic random number generator for cryptographic functions that require deterministic outputs, but where the input to that function requires more than the 64 bytes provided by BIP85's HMAC output. BIP85-DRNG-SHAKE256 uses BIP85 to seed a SHAKE256 stream (from the SHA-3 standard). The input must be exactly 64 bytes long (from the BIP85 HMAC output).

RSA key generation is an example of a function that requires orders of magnitude more than 64 bytes of random input. Further, it is not possible to precalculate the amount of random input required until the function has completed.

drng_reader = BIP85DRNG.new(bip85_entropy) rsa_key = RSA.generate_key(4096, drng_reader.read)

Test Vectors

INPUT: xprv9s21ZrQH143K2LBWUUQRFXhucrQqBpKdRRxNVq2zBqsx8HVqFk2uYo8kmbaLLHRdqtQpUm98uKfu3vca1LqdGhUtyoFnCNkfmXRyPXLjbKb
  • MASTER BIP32 ROOT KEY: m/83696968'/0'/0'
OUTPUT
  • DERIVED KEY=cca20ccb0e9a90feb0912870c3323b24874b0ca3d8018c4b96d0b97c0e82ded0
  • DERIVED ENTROPY=efecfbccffea313214232d29e71563d941229afb4338c21f9517c41aaa0d16f00b83d2a09ef747e7a64e8e2bd5a14869e693da66ce94ac2da570ab7ee48618f7
  • DRNG(80 bytes)=b78b1ee6b345eae6836c2d53d33c64cdaf9a696487be81b03e822dc84b3f1cd883d7559e53d175f243e4c349e822a957bbff9224bc5dde9492ef54e8a439f6bc8c7355b87a925a37ee405a7502991111

Applications

The Application number defines how entropy will be used post processing. Some basic examples follow:

Derivation paths follow the format m/83696968'/{app_no}'/{index}', where {app_no} is the path for the application, and {index} is the index.

Application numbers should be semantic in some way, such as a BIP number or ASCII character code sequence.

BIP39

Application number: 39'

Truncate trailing (least significant) bytes of the entropy to the number of bits required to map to the relevant word length: 128 bits for 12 words, 256 bits for 24 words.

The derivation path format is: m/83696968'/39'/{language}'/{words}'/{index}'

Example: a BIP39 mnemonic with 12 English words (first index) would have the path m/83696968'/39'/0'/12'/0', the next key would be m/83696968'/39'/0'/12'/1' etc.

Language Table

WordlistCode
English0'
Japanese1'
Korean2'
Spanish3'
Chinese (Simplified)4'
Chinese (Traditional)5'
French6'
Italian7'
Czech8'
Portuguese9'

Words Table

WordsEntropyCode
12 words128 bits12'
15 words160 bits15'
18 words192 bits18'
21 words224 bits21'
24 words256 bits24'

12 English words

BIP39 English 12 word mnemonic seed

128 bits of entropy as input to BIP39 to derive 12 word mnemonic

INPUT:

  • MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2LBWUUQRFXhucrQqBpKdRRxNVq2zBqsx8HVqFk2uYo8kmbaLLHRdqtQpUm98uKfu3vca1LqdGhUtyoFnCNkfmXRyPXLjbKb
  • PATH: m/83696968'/39'/0'/12'/0'
OUTPUT:
  • DERIVED ENTROPY=6250b68daf746d12a24d58b4787a714b
  • DERIVED BIP39 MNEMONIC=girl mad pet galaxy egg matter matrix prison refuse sense ordinary nose

18 English words

BIP39 English 18 word mnemonic seed

192 bits of entropy as input to BIP39 to derive 18 word mnemonic

INPUT:

  • MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2LBWUUQRFXhucrQqBpKdRRxNVq2zBqsx8HVqFk2uYo8kmbaLLHRdqtQpUm98uKfu3vca1LqdGhUtyoFnCNkfmXRyPXLjbKb
  • PATH: m/83696968'/39'/0'/18'/0'
OUTPUT:
  • DERIVED ENTROPY=938033ed8b12698449d4bbca3c853c66b293ea1b1ce9d9dc
  • DERIVED BIP39 MNEMONIC=near account window bike charge season chef number sketch tomorrow excuse sniff circle vital hockey outdoor supply token

24 English words

Derives 24 word BIP39 mnemonic seed

256 bits of entropy as input to BIP39 to derive 24 word mnemonic

INPUT:

  • MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2LBWUUQRFXhucrQqBpKdRRxNVq2zBqsx8HVqFk2uYo8kmbaLLHRdqtQpUm98uKfu3vca1LqdGhUtyoFnCNkfmXRyPXLjbKb
  • PATH: m/83696968'/39'/0'/24'/0'
OUTPUT:
  • DERIVED ENTROPY=ae131e2312cdc61331542efe0d1077bac5ea803adf24b313a4f0e48e9c51f37f
  • DERIVED BIP39 MNEMONIC=puppy ocean match cereal symbol another shed magic wrap hammer bulb intact gadget divorce twin tonight reason outdoor destroy simple truth cigar social volcano

HD-Seed WIF

Application number: 2'

Uses the most significant 256 bits of entropy as the secret exponent to derive a private key and encode as a compressed WIF that will be used as the hdseed for Bitcoin Core wallets.

Path format is m/83696968'/2'/{index}'

INPUT:

  • MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2LBWUUQRFXhucrQqBpKdRRxNVq2zBqsx8HVqFk2uYo8kmbaLLHRdqtQpUm98uKfu3vca1LqdGhUtyoFnCNkfmXRyPXLjbKb
  • PATH: m/83696968'/2'/0'
OUTPUT
  • DERIVED ENTROPY=7040bb53104f27367f317558e78a994ada7296c6fde36a364e5baf206e502bb1
  • DERIVED WIF=Kzyv4uF39d4Jrw2W7UryTHwZr1zQVNk4dAFyqE6BuMrMh1Za7uhp

XPRV

Application number: 32'

Taking 64 bytes of the HMAC digest, the first 32 bytes are the chain code, and the second 32 bytes are the private key for the BIP32 XPRV value. Child number, depth, and parent fingerprint are forced to zero.

Warning: The above order reverses the order of BIP32, which takes the first 32 bytes as the private key, and the second 32 bytes as the chain code.

Applications may support Testnet by emitting TPRV keys if and only if the input root key is a Testnet key.

Path format is m/83696968'/32'/{index}'

INPUT:

  • MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2LBWUUQRFXhucrQqBpKdRRxNVq2zBqsx8HVqFk2uYo8kmbaLLHRdqtQpUm98uKfu3vca1LqdGhUtyoFnCNkfmXRyPXLjbKb
  • PATH: m/83696968'/32'/0'
OUTPUT
  • DERIVED ENTROPY=ead0b33988a616cf6a497f1c169d9e92562604e38305ccd3fc96f2252c177682
  • DERIVED XPRV=xprv9s21ZrQH143K2srSbCSg4m4kLvPMzcWydgmKEnMmoZUurYuBuYG46c6P71UGXMzmriLzCCBvKQWBUv3vPB3m1SATMhp3uEjXHJ42jFg7myX

HEX

Application number: 128169'

The derivation path format is: m/83696968'/128169'/{num_bytes}'/{index}'

`16 <= num_bytes <= 64`

Truncate trailing (least significant) bytes of the entropy after `num_bytes`.

INPUT:

  • MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2LBWUUQRFXhucrQqBpKdRRxNVq2zBqsx8HVqFk2uYo8kmbaLLHRdqtQpUm98uKfu3vca1LqdGhUtyoFnCNkfmXRyPXLjbKb
  • PATH: m/83696968'/128169'/64'/0'
OUTPUT
  • DERIVED ENTROPY=492db4698cf3b73a5a24998aa3e9d7fa96275d85724a91e71aa2d645442f878555d078fd1f1f67e368976f04137b1f7a0d19232136ca50c44614af72b5582a5c

PWD BASE64

Application number: 707764'

The derivation path format is: m/83696968'/707764'/{pwd_len}'/{index}'

`20 <= pwd_len <= 86`

Base64 encode all 64 bytes of entropy. Remove any spaces or new lines inserted by Base64 encoding process. Slice Base64 result string on index 0 to `pwd_len`. This slice is the password. As `pwd_len` is limited to 86, passwords will not contain padding.

Entropy calculation:
R = 64 (Base64 - do not count padding)
L = pwd_len
Entropy = log2(R ** L)

pwd_length(cca) entropy
20120.0
24144.0
32192.0
64384.0
86516.0

INPUT:

  • MASTER BIP32 ROOT KEY: xprv9s21ZrQH143K2LBWUUQRFXhucrQqBpKdRRxNVq2zBqsx8HVqFk2uYo8kmbaLLHRdqtQpUm98uKfu3vca1LqdGhUtyoFnCNkfmXRyPXLjbKb
  • PATH: m/83696968'/707764'/21'/0'
OUTPUT
  • DERIVED ENTROPY=74a2e87a9ba0cdd549bdd2f9ea880d554c6c355b08ed25088cfa88f3f1c4f74632b652fd4a8f5fda43074c6f6964a3753b08bb5210c8f5e75c07a4c2a20bf6e9
  • DERIVED PWD=dKLoepugzdVJvdL56ogNV

PWD BASE85

Application number: 707785'

The derivation path format is: m/83696968'/707785'/{pwd_len}'/{index}'

`10 <= pwd_len <= 80`

Base85 encode all 64 bytes of entropy. Remove any spaces or new lines inserted by Base85 encoding process. Slice Base85 result string on index 0 to `p

[Content truncatedview full spec at source]

Discussion (0 threads)

Loading discussions...