- How Extended Keys Work
- Construction of an Extended Key
- Extended Key Prefixes
- Details of an Extended Key's Elements
An extended key is simply the concatenation of a key (whether private or public) and its associated chain code. This chain code is essential for the derivation of child keys because, without it, it is impossible to derive child keys from a parent key, but we will discover this process more precisely in the next chapter. These extended keys thus allow aggregating all the necessary information to derive child keys, thereby simplifying account management within an HD wallet.
The extended key consists of two parts:
- The payload, which contains the private or public key as well as the associated chain code;
- The metadata, which are various pieces of information to facilitate interoperability between software and improve understanding for the user.
How Extended Keys Work
When the extended key contains a private key, it is referred to as an extended private key. It is recognized by its prefix which contains the identifier
prv. In addition to the private key, the extended private key also contains the associated chain code. With this type of extended key, it is possible to derive all types of child private keys. Therefore, by addition and doubling of points on elliptic curves, it also allows for the derivation of child public keys.When the extended key does not contain a private key, but instead a public key, it is referred to as an extended public key. It is recognized by its prefix which contains the identifier
pub. Obviously, in addition to the key, it also contains the associated chain code. Unlike the extended private key, the extended public key allows for the derivation of only "normal" child public keys (meaning it cannot derive "hardened" child keys). We will see in the following chapter what these "normal" and "hardened" qualifiers mean.In any case, the extended public key does not allow for the derivation of child private keys. Therefore, even if someone has access to an
xpub, they will not be able to spend the associated funds, as they will not have access to the corresponding private keys. They can only derive child public keys to observe the associated transactions.For the following, we will adopt the following notation:
: a parent public key; : a parent private key; : a parent chain code; : a child chain code; : a normal child public key; : a normal child private key; : a hardened child public key; : a hardened child private key.
Construction of an Extended Key
An extended key is structured as follows:
- Version: Version code to identify the nature of the key (
xprv,xpub,yprv,ypub...). We will see at the end of this chapter what the lettersx,y, andzcorrespond to. - Depth: Hierarchical level in the HD wallet relative to the master key (0 for the master key).
- Parent Fingerprint: The first 4 bytes of the HASH160 hash of the parent public key used to derive the key present in the payload.
- Index Number: Identifier of the child among sibling keys, that is, among all keys at the same derivation level that have the same parent keys.
- Chain Code: A unique 32-byte code for deriving child keys.
- Key: The private key (prefixed by 1 byte for size) or the public key.
- Checksum: A checksum calculated with the HASH256 function (double SHA256) is also added, which allows for the verification of the extended key's integrity during its transmission or storage.
The complete format of an extended key is therefore 78 bytes without the checksum, and 82 bytes with the checksum. It is then converted to Base58 to produce a representation that is easily readable by users. The Base58 format is the same as that used for Legacy receiving addresses (before SegWit).
| Element | Description | Size |
| Version | Indicates whether the key is public (xpub, ypub) or private (xprv, zprv), as well as the version of the extended key | 4 bytes |
| Depth | Level in the hierarchy relative to the master key | 1 byte |
| Parent Fingerprint | The first 4 bytes of HASH160 of the parent public key | 4 bytes |
| Index Number | Position of the key in the order of children | 4 bytes |
| Chain Code | Used to derive child keys | 32 bytes |
| Key | The private key (with a 1-byte prefix) or the public key | 33 bytes |
| Checksum | Checksum to verify integrity | 4 bytes |
If one byte is added to the private key only, it's because the compressed public key is longer than the private key by one byte. This additional byte, added at the beginning of the private key as
0x00, equalizes their size, ensuring that the payload of the extended key is of the same length, whether it's a public or a private key.Extended Key Prefixes
As we have just seen, extended keys include a prefix that indicates both the version of the extended key and its nature. The notation
pub indicates that it refers to an extended public key, and the notation prv indicates an extended private key. The additional letter at the base of the extended key helps to indicate whether the standard followed is Legacy, SegWit v0, SegWit v1, etc.
Here is a summary of the prefixes used and their meanings:| Base 58 Prefix | Base 16 Prefix | Network | Purpose | Associated Scripts | Derivation | Key Type |
xpub | 0488b21e | Mainnet | Legacy and SegWit V1 | P2PK / P2PKH / P2TR | m/44'/0', m/86'/0' | public |
xprv | 0488ade4 | Mainnet | Legacy and SegWit V1 | P2PK / P2PKH / P2TR | m/44'/0', m/86'/0' | private |
tpub | 043587cf | Testnet | Legacy and SegWit V1 | P2PK / P2PKH / P2TR | m/44'/1', m/86'/1' | public |
tprv | 04358394 | Testnet | Legacy and SegWit V1 | P2PK / P2PKH / P2TR | m/44'/1', m/86'/1' | private |
ypub | 049d7cb2 | Mainnet | Nested SegWit | P2WPKH in P2SH | m/49'/0' | public |
yprv | 049d7878 | Mainnet | Nested SegWit | P2WPKH in P2SH | m/49'/0' | private |
upub | 049d7cb2 | Testnet | Nested SegWit | P2WPKH in P2SH | m/49'/1' | public |
uprv | 044a4e28 | Testnet | Nested SegWit | P2WPKH in P2SH | m/49'/1' | private |
zpub | 04b24746 | Mainnet | SegWit V0 | P2WPKH | m/84'/0' | public |
zprv | 04b2430c | Mainnet | SegWit V0 | P2WPKH | m/84'/0' | private |
vpub | 045f1cf6 | Testnet | SegWit V0 | P2WPKH | m/84'/1' | public |
vprv | 045f18bc | Testnet | SegWit V0 | P2WPKH | m/84'/1' | private |
Details of an Extended Key's Elements
To better understand the internal structure of an extended key, let's take one as an example and break it down. Here is an extended key:
- In Base58:
xpub6CTNzMUkzpurBWaT4HQoYzLP4uBbGJuWY358Rj7rauiw4rMHCyq3Rfy9w4kyJXJzeFfyrKLUar2rUCukSiDQFa7roTwzjiAhyQAdPLEjqHT
- In hexadecimal:
0488B21E036D5601AD80000000C605DF9FBD77FD6965BD02B77831EC5C78646AD3ACA14DC3984186F72633A89303772CCB99F4EF346078D167065404EED8A58787DED31BFA479244824DF50658051F067C3A
This extended key breaks down into several distinct elements:
1.Version:
0488B21EThe first 4 bytes are the version. Here, it corresponds to an extended public key on the Mainnet with a derivation purpose of either Legacy or SegWit v1.
2.Depth:
03This field indicates the hierarchical level of the key within the HD wallet. In this case, a depth of
03 means that this key is three levels of derivation below the master key.3.Parent fingerprint:
6D5601ADThese are the first 4 bytes of the HASH160 hash of the parent public key that was used to derive this
xpub.4.Index number:
80000000This index indicates the key's position among its parent's children. The
0x80 prefix indicates that the key is derived in a hardened manner, and since the rest is filled with zeros, it indicates that this key is the first among its possible siblings.5.Chain code:
C605DF9FBD77FD6965BD02B77831EC5C78646AD3ACA14DC3984186F72633A8936.Public Key:
03772CCB99F4EF346078D167065404EED8A58787DED31BFA479244824DF50658057.Checksum:
1F067C3AThe checksum corresponds to the first 4 bytes of the hash (double SHA256) of everything else.
In this chapter, we discovered that there are two different types of child keys. We also learned that the derivation of these child keys requires a key (either private or public) and its chain code. In the next chapter, we will examine in detail the nature of these different types of keys and how to derive them from their parent key and chain code.
Quiz
Quiz1/5
cyp2015.2
What is the main function of an extended key in an HD wallet?