In this section, we will cover the general terms (public key, private key and address) and how Samsung Blockchain Keystore generates and manages these keys. Samsung Blockchain Keystore is a Hierarchical Deterministic (HD) wallet and follows the industry standards BIP-32, BIP-39 and BIP-44 (BIP stands for Bitcoin Improvement Proposal). By implementing these standards, Samsung Blockchain Keystore aims to provide a better user experience for backing up the wallet, since the user only needs to keep the root seed of the private and public keys safe. All the user needs to remember or write down is the 12 words generated by Samsung Blockchain Keystore. We will look into how this is achieved by implementing a Hierarchical Deterministic wallet in Samsung Blockchain Keystore.
A key pair is mandatory to participate in a blockchain network. The key pair is composed of a public key and a private key. The public key is used to derive an address, which works like a user’s account on the blockchain. It is safe to share the public key or the address with others. The private key, on the other hand, is used to sign transactions and must be kept secret. Anyone who has access to the private key can sign transactions and spend cryptocurrency or use crypto-assets without the user’s permission.
Simply put, the private key is a random number. Algorithms such as the Elliptic Curve Digital Signature Algorithm (ECDSA) derive the public key from the private key; the algorithm may differ depending on the blockchain platform. One important property of the public key is that the derivation is one-way: the public key is derived from the private key, but the private key cannot be derived or predicted from the public key. The same relationship holds between the public key and the address: the address, which is used like a user’s account, cannot be used to derive the public key.
Since a private key is a random number, the randomness of private key generation must be guaranteed. Yet software random number generators, also known as pseudo-random number generators, are known to have security vulnerabilities.
Because the public key and address formats differ between blockchain platforms, a user needs one key pair for Ethereum, another key pair for Bitcoin, and so on. If a user wants several accounts for Ethereum, that many key pairs are required. Moreover, Bitcoin uses a countless number of accounts, because after a transaction is made, any change left over from the transaction is returned to a different account of the user’s. In other words, it becomes very complex and inconvenient if a user has to save a key pair for every blockchain account that the user holds. Samsung Blockchain Keystore aims to reduce this burden by implementing a Hierarchical Deterministic wallet.
A Hierarchical Deterministic wallet allows these multiple key pairs to be derived from a single root seed, called the “Root Seed.” The Root Seed is the root of a large tree of public and private keys. It is the only thing the user needs to store and back up. It is the key to access all of the user’s crypto secrets, so it should be generated and stored in a secure environment.
The Root Seed is between 128 and 256 bits long. Because a raw string of “0”s and “1”s is not user friendly, there is an industry standard to represent it as Mnemonic Words, a group of words. For example, if the Root Seed is 128 bits, then together with a 4-bit checksum a total of 132 bits is split into groups of 11 bits. Each group is a number between 0 and 2047, which is an index into a wordlist of 2048 words. These index numbers are then converted into the corresponding words, and the combination of 12 words makes up the “Recovery Phrase” in Samsung Blockchain Keystore.
Samsung Blockchain Keystore generates the Root Seed in a Trusted App running in the Trusted Execution Environment, following the steps below:
① A True Random Number Generator (TRNG), also known as a Hardware Random Number Generator, embedded in the Samsung device chipset generates an initial entropy (ENT) of 128 random bits. The industry standard allows an ENT of 128 to 256 bits, in multiples of 32 bits. Depending on the length of the initial entropy, the number of words it is converted into differs, from 12 to 24 in multiples of 3.
② Samsung Blockchain Keystore takes the first 4 bits of the SHA-256 hash of the 128 bits to generate a “checksum.” In general, ENT/32 bits are taken as the checksum. For Samsung Blockchain Keystore, ENT is 128 bits, resulting in 4 bits of checksum. For other wallets that generate 24 words from an ENT of 256 bits, 8 bits are used as the checksum.
③ Samsung Blockchain Keystore appends the 4 bits of checksum to the initial entropy, resulting in 132 bits.
④ The 132 bits (initial entropy plus checksum) are divided into groups of 11 bits, resulting in 12 words, the “Mnemonic Code”. Each of these 12 words is one of the 2048 words on the industry-standard BIP-39 English wordlist.
⑤ Because the 12 words follow the BIP-39 standard used across the industry, the user can back up the wallet to a different Samsung device that supports Samsung Blockchain Keystore, or to other wallets that are BIP-39 compatible.
When a user imports a wallet into Samsung Blockchain Keystore, the user enters the 12, 18 or 24 words into the Trusted User Interface (TUI), which protects the user’s input. Samsung Blockchain Keystore then converts the Mnemonic Words, in the order entered, back to the original Root Seed. The Root Seed is the one and only secret that Samsung Blockchain Keystore saves in a secure area. It then becomes the source from which a countless number of public keys are generated and from which private keys are derived to sign transactions when a request is made.
Some may question whether it is feasible to guess the words from the 2048-word Mnemonic Words list and somehow gain access to the private key that corresponds to the Recovery Phrase. But it is not just the 12 to 24 words (in multiples of 3) that have to be chosen correctly; the order of these words has to be correct as well.
This is because with 12 words, 128 bits must be guessed correctly, and 256 bits with 24 words. Choosing between 0 and 1 for each of 128 bits gives 2 × 2 × 2 × … × 2 = 2^128 possible Root Seeds, and 2^256 cases for 24 words.
Moreover, the 4-bit checksum for 12 words, and the 8-bit checksum for 24 words, protects against randomly assembling a combination of words. When importing a wallet into Samsung Blockchain Keystore, the checksum is verified after the user has entered the 12, 18 or 24 words, and an error is shown stating that the combination of words entered is not a valid recovery phrase. The user receives absolutely no information about which words make the checksum invalid, making it even more difficult to guess the Recovery Phrase at random.
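As an added example (not code from Samsung Blockchain Keystore), the ENT-to-word-index steps above and the checksum check performed on import, written in Python. The entropy values used for testing are constructed, and mapping an index to its word is left to the BIP-39 English wordlist.

```python
import hashlib

# Added example, not Samsung Blockchain Keystore code. It implements the BIP-39
# mapping between initial entropy (ENT) and 11-bit word indices: the generation
# steps above and the checksum verification performed on import. A real wallet
# draws ENT from the TRNG inside the TEE; the test vectors here are constructed.

WORDLIST_SIZE = 2048  # 2^11 words; index 3 is "about" on the English list

def entropy_to_indices(entropy: bytes) -> list:
    """ENT (16..32 bytes, multiple of 4) -> BIP-39 word indices.
    Checksum = first ENT/32 bits of SHA-256(ENT), appended to ENT; the result
    is cut into 11-bit groups (128+4 bits -> 12 words, 256+8 -> 24 words)."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("ENT must be 128..256 bits in multiples of 32")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]

def indices_to_entropy(indices: list) -> bytes:
    """Import direction: rebuild ENT from word indices and verify the checksum.
    Raises ValueError on a bad checksum without saying which word is wrong,
    matching the behaviour described for the Keystore import screen."""
    n = len(indices)
    if n not in (12, 15, 18, 21, 24) or any(not 0 <= i < WORDLIST_SIZE for i in indices):
        raise ValueError("invalid word count or word index")
    total = n * 11
    cs_bits = total // 33                      # 132 -> 4, 264 -> 8
    bits = 0
    for idx in indices:
        bits = (bits << 11) | idx
    entropy = (bits >> cs_bits).to_bytes((total - cs_bits) // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    if bits & ((1 << cs_bits) - 1) != expected:
        raise ValueError("checksum mismatch: not a valid recovery phrase")
    return entropy

def is_valid_phrase(indices: list) -> bool:
    """True only if both the word count and the checksum are acceptable."""
    try:
        indices_to_entropy(indices)
        return True
    except ValueError:
        return False
```

With 16 zero bytes the result is eleven times index 0 plus index 3, i.e. the well-known BIP-39 vector "abandon ... abandon about"; flipping the last index to 0 fails the checksum.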
The HD wallet is a tree of a theoretically infinite number of private and public keys. Child keys are derived from the Root Seed via the “Child Key Derivation (CKD) functions” defined in the BIP-32 standard. This means that with the Root Seed and a location in the tree, key derivation is possible. More details on key derivation can be found in the Appendix.
The location in the tree is called a “path”, and the BIP-44 standard unifies the rules for this HD key generation so that wallets are compatible with each other. Hence developers just need to specify the path to derive the address from, and whoever holds the Root Seed can calculate and return the actual key for that location. Each depth is separated by “/” in the HD Path, and an apostrophe (') indicates that the depth is hardened.
The following is the HD Path level structure defined in BIP-44: m / purpose' / coin_type' / account' / change / address_index
purpose' is “44” here, indicating that the path follows the BIP-44 standard.
coin_type' tells whether it is Ethereum, Bitcoin or another coin. The algorithm to derive the public key from the private key can differ by coin type, though both Ethereum and Bitcoin use ECDSA. The number is a constant fixed for each cryptocurrency and is registered in SLIP-0044 (SLIP: SatoshiLabs Improvement Proposals), managed by SatoshiLabs. For example, it is “0” for Bitcoin and “60” for Ethereum.
account' represents the account number when a user has multiple accounts, and is usually “0”.
change is mainly used in Bitcoin, where “1” denotes the account that receives the change left over after sending Bitcoins to other accounts. Normally, “0” is used.
address_index is the last depth; it usually starts at 0 and increases by one each time you “add” an account in a wallet.
For example, the HD Path for the first Ethereum account is m/44'/60'/0'/0/0, and for the second Bitcoin account it is m/44'/0'/0'/0/1.
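An added example, not part of the Samsung Blockchain Keystore SDK, showing how a wallet or DApp might parse and sanity-check a BIP-44 HD Path such as the two above before passing it to an API; the function names are my own.

```python
# Added example, not Samsung Blockchain Keystore or SDK code. It parses and
# checks a BIP-44 HD Path such as m/44'/60'/0'/0/0 before it is handed to an
# address-derivation or signing API. Per BIP-32, a hardened child index is
# i + 2^31 and is written with an apostrophe after i.

HARDENED = 0x80000000
LEVELS = ("purpose", "coin_type", "account", "change", "address_index")

def parse_path(path: str) -> list:
    """Turn "m/44'/60'/0'/0/0" into raw BIP-32 child indices (curly quotes accepted)."""
    parts = path.replace("’", "'").replace("‘", "'").split("/")
    if parts[0] != "m":
        raise ValueError("path must start with the master node 'm'")
    indices = []
    for p in parts[1:]:
        hardened = p.endswith("'")
        num = int(p.rstrip("'"))               # non-numeric text raises here
        if not 0 <= num < HARDENED:
            raise ValueError(f"index out of range: {p}")
        indices.append(num + HARDENED if hardened else num)
    return indices

def format_path(indices: list) -> str:
    """Inverse of parse_path, always written with the ASCII apostrophe."""
    return "m/" + "/".join(f"{i - HARDENED}'" if i >= HARDENED else str(i) for i in indices)

def check_bip44(path: str) -> dict:
    """Validate the five BIP-44 levels and return them by name: purpose, coin_type
    and account must be hardened, change and address_index must not be."""
    idx = parse_path(path)
    if len(idx) != 5:
        raise ValueError("BIP-44 paths have exactly five levels")
    levels = {}
    for pos, (name, i) in enumerate(zip(LEVELS, idx)):
        if (i >= HARDENED) != (pos < 3):
            raise ValueError(f"{name} has the wrong hardening")
        levels[name] = i - HARDENED if i >= HARDENED else i
    if levels["purpose"] != 44:
        raise ValueError("purpose must be 44'")
    if levels["change"] not in (0, 1):
        raise ValueError("change must be 0 (external) or 1 (internal/change)")
    return levels

def is_bip44(path: str) -> bool:
    """Convenience wrapper: True if check_bip44 accepts the path."""
    try:
        check_bip44(path)
        return True
    except ValueError:
        return False
```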
Samsung Blockchain Keystore can be used to (1) derive an address or extended public key and (2) sign a transaction. To use these two features, DApp or wallet developers need to define where in the HD tree they would like to derive the public key from; the corresponding private key is then used to sign the transaction. The HD Path is a required parameter for the APIs related to the two features below.
Get address from Samsung Blockchain Keystore
If you are a DApp or wallet developer, you can use Samsung Blockchain Keystore to first get the user’s address or extended public key (public key and chain code), and then search the blockchain ledger for the user’s transaction history and records, so that the user can see how much cryptocurrency or crypto-asset remains. Here is a brief flow of getting the address.
① The wallet or DApp makes a request to Samsung Blockchain Keystore to derive an address or extended public key for the HD Path “m/44'/60'/0'/0/0” (an Ethereum account).
② Using the Samsung Blockchain Keystore SDK, the wallet/DApp’s request is passed to Samsung Blockchain Keystore.
③ Once Samsung Blockchain Keystore receives the request to get the address or extended public key, it passes it on to the controller, which communicates with the Trusted App to derive the public key.
④ The Root Seed is stored safely in a secure area, and derivation of the extended public key (public key and chain code) for the HD Path is executed by the Trusted Application in the Trusted Execution Environment.
⑤ The derived public key is then passed to the Samsung Blockchain Keystore app to derive the address, where one more algorithmic step is executed.
⑥ After the calculation, the address that corresponds to the requested HD Path is returned to the wallet or DApp via the Samsung Blockchain Keystore SDK.
Sign a transaction by Samsung Blockchain Keystore
The user will now want to make a transaction, such as sending cryptocurrency, which requires the user to “write” to the ledger. This change needs to be signed by the private key that corresponds to the user’s address, which is derived from the user’s public key. Below is a diagram and an explanation of each step.
① The wallet or DApp makes a request to Samsung Blockchain Keystore to sign a transaction. A correctly formatted transaction without the signature part, and the HD Path to derive the private key that will sign the transaction, are needed.
③ Once Samsung Blockchain Keystore receives the signing request, it passes it on to the controller, which communicates with the Trusted App.
④ The Trusted App first parses the transaction and shows critical information on the TUI, such as the recipient address, amount and fees. After checking the transaction details, the user confirms it via PIN verification or fingerprint authentication.
⑤ After the user’s confirmation, the safely stored Root Seed is used to derive the private key that corresponds to the HD Path passed with the transaction request. The Trusted Application then signs the transaction with the derived private key. All of this is executed in the Trusted Execution Environment.
⑥ The signed transaction is returned to the Samsung Blockchain Keystore app.
⑦ The Samsung Blockchain Keystore app returns the signed transaction to the wallet/DApp via the Samsung Blockchain Keystore SDK, and the wallet/DApp can now submit the signed transaction to the blockchain network.
More details on BIP-32, BIP-39 and BIP-44 can be found in the following links.
BIP-39: Mnemonic Code for generating deterministic keys
BIP-44: Multi-Account Hierarchy for Deterministic Wallets
SLIP-44: Registered coin types for BIP-0044