Understanding a Wallet Restore



This is my first post on block chain related programming so please excuse my ignorance. I find the terminology in the BIP32 and BIP39 specs hard to understand so I'm trying to confirm my understanding here. I hope someone can clear things up for me. Please correct me if my understanding is incorrect. Here goes.

I bought a Trezor and generated my seed using the Trezor. I understand that this is an implementation of BIP39. My understanding is that if I were not using Trezor, I could generate this key on an offline computer like Tails Linux or Bitkey.IO Live CD. My understanding is that this serves as a key for signing transactions in future. But, this does not by itself create any addresses in the block chain itself.

After creating the key, I generated some addresses. One for Bitcoin, one for Litecoin and so on. Again, merely creating addresses does not affect the block chain in any way. The only thing that is special about these addresses is that the only way to create these addresses is to have the seed in the first place. Is this understanding correct?

After this point, currency can be sent to the addresses that I have created. This means the block chain network has to accept that the transactions were made, and then the transactions will be synced on to all the other nodes in the network which will eventually be viewable by me when I check the address on my Trezor's software.

This is where my understanding gets a little murky. There is also something called a public key (xpub), and these can be used to view the details of my wallet and its transactions I think. Also, anyone who has the address of my wallet can see transactions in there by querying the block chain.

But, without the seed, nobody can transfer coin out of my addresses. The seed is required to sign the transactions for this. Is this correct?

Now, let's say my Trezor is lost or destroyed and all I have left is the seed. So, I buy a new Trezor and plug it in. I will now want to do a restore. So, my guess is that it will ask me for the 24 word phrase. Right?

At this point, what happens? I no longer have any addresses or XPUBs written down, and I will need these to see my balances before I can sign transactions again. So, how does the Trezor software (or other deterministic wallet software) get my xpub and addresses back?

Do they:

  1. Download the entire block chain on to my computer and check each address to see if it was seeded from my original seed?
  2. Hit some API? If so, how? Does it send my seed to the API? Which API? Does Trezor maintain some kind of index of xpubs by seed? I wouldn't think that this would be secure at all, and in fact would completely void the security of the system.
  3. Is there some kind of public key hidden in my seed that can be used to look up indexed addresses? If so, how does that work? Is there a C# library somewhere I can use to extract this public key from my seed?
  4. Do some other thing that I have not thought of... What?

Edit: I'm currently reading through this. https://www.codeproject.com/Articles/784519/NBitcoin-How-to-scan-the-Blockchain . It makes it sound as though the Scanner class uses BIP37 logic to filter down data from the block chain to get at the addresses that are likely to contain the transactions I need to see. So, what inputs does it need to do this? Can I derive something from my seed which is safe to use over an API?

From Mastering Bitcoin:

Generating a public key

Starting with a private key in the form of a randomly generated number k, we multiply it by a predetermined point on the curve called the generator point G to produce another point somewhere else on the curve, which is the corresponding public key K. The generator point is specified as part of the secp256k1 standard and is always the same for all keys in bitcoin.

where k is the private key, G is the generator point, and K is the resulting public key, a point on the curve. Since the generator point is always the same for all bitcoin users, a private key k multiplied with G will always result in the same public key K. The relationship between k and K is fixed, but can only be calculated in one direction, from k to K. That's why a bitcoin address (derived from K) can be shared with anyone and does not reveal the user's private key (k).

So, does this mean that in fact my seed does in fact contain a public key? And that key is the xpub? So, in other words, it is possible to generate an xpub from the seed? Is this correct?

To boil down the question: Given my seed, how does the Trezor or other wallet retrieve all the associated addresses, xpubs, public keys, transactions, balances and so on that are derived from the seed?

Christian Findlay

Posted 2017-12-04T10:44:28.820

Reputation: 145



The various private and public keys are all derived from that master seed.

David Schwartz

Posted 2017-12-04T10:44:28.820

Reputation: 48 957

Yes. I understand that they are derived. But, derived is different from being able to look them up. My question is, let's say I derive a public key, and then mint an address. Then, someone sends money to that address, and I lose all my data except for the seed, how do I get the public key back? – Christian Findlay – 2017-12-04T11:27:17.707

@MelbourneDeveloper The same way you got it in the first place -- your wallet program derives it from the seed. – David Schwartz – 2017-12-04T11:29:01.400

The public key? And when people say "public key", is this the xpub? – Christian Findlay – 2017-12-04T11:37:19.863

@MelbourneDeveloper The xpub is a step before the public key. But, as I said, it's all derived from the seed. The public key can be derived from the xpub, but there are other derivation paths you can take too -- for example, you can derive its corresponding private key and then convert it to a public key. – David Schwartz – 2017-12-04T11:38:52.913

So, then the key, along with another variable can be used to generate the public key. So, there is only one public key (xpub) per seed? – Christian Findlay – 2017-12-04T11:39:04.170

@MelbourneDeveloper You can derive any number of xpubs. Some wallets use this to support multiple currencies, each of which has multiple accounts. But every step is retraceable. – David Schwartz – 2017-12-04T11:39:37.070

OK. I think I'm pretty close to understanding this. Is there a tool somewhere that will derive my public key from my seed? – Christian Findlay – 2017-12-04T11:39:43.933

There's one here but you have to know the exact derivation rules your wallet uses. – David Schwartz – 2017-12-04T11:40:30.737

This is the problem. If it's possible to derive an infinite number, how do I retrieve the ones that have actual used addresses associated with them from the block chain? – Christian Findlay – 2017-12-04T11:40:36.580

I don't know the rules. – Christian Findlay – 2017-12-04T11:40:58.060

@MelbourneDeveloper Your wallet knows its own rules, so using another of the same wallet will work. And if all else fails, you can look up its derivation rules -- pretty much every wallet makes them public. When you load a new wallet, the wallet follows all its derivation paths to search for any funded accounts. – David Schwartz – 2017-12-04T11:42:08.757

I believe Trezor uses m/44'/0'/0' for BTC non-SegWit and m/49'/0'/0' for BTC SegWit. There are some docs here. – David Schwartz – 2017-12-04T11:43:23.887

OK. So, any wallet generation tool can generate public keys using its own algorithm. So, I'd need to know that algorithm in order to get the public keys back. But, I figure there is some degree of entropy involved in creating the keys, so I can create new keys until the cows come home. That doesn't mean that any of them will actually have funds in them. This is where my understanding is going awry. – Christian Findlay – 2017-12-04T11:45:13.657

@MelbourneDeveloper Sure, but instead of doing that, you would follow the same rules your wallet uses and produce keys/accounts in the same order it produced them. You don't have to search around randomly, you can use exactly the same mechanism you used in the first place either by using the same software or by knowing what method that software used. – David Schwartz – 2017-12-04T11:50:36.713

So, you are saying that the app (in this case Trezor) did not use entropy to generate the public keys and xpub from my seed. It would have created it in some order. So, for example, it might do something like take my seed, add one, hash it and then give it to me. The second time around, it might take my seed, add two, hash it, and then give it to me. So, this process should be reproducible. Right? So, if Trezor uses m/44'/0'/0', then I should be able to grab a tool, give it my seed, and that tool should be able to retrieve an xpub/public key for me right? – Christian Findlay – 2017-12-04T11:54:00.463

@MelbourneDeveloper Correct. No entropy is used. The process is deterministic. (If entropy was used, it could not be derived from the master seed.) – David Schwartz – 2017-12-04T11:55:30.540

Right, hence the "deterministic" thing. So, I've just got to find the algorithm used, and I can retrieve the addresses etc. without wiping my Trezor. – Christian Findlay – 2017-12-04T11:56:46.633