Number: SLIP-0023
Title: Cardano HD master node derivation from a master seed
Type: Standard
Status: Draft
Authors: Andrew R. Kozlik <andrew.kozlik@satoshilabs.com>
Created: 2019-07-24
This specification describes how to derive the master node, aka root node, of the key tree in Cardano hierarchical deterministic wallets.
Cryptocurrency wallets generally work by combining a BIP-0039 mnemonic or a set of SLIP-0039 mnemonics with a user-entered passphrase to generate a master seed. This master seed is then used to derive a hierarchy of cryptographic keys as defined in BIP-0032 and SLIP-0010.
Cardano hierarchical deterministic wallets use an extended private key which requires them to implement a custom adaptation of the BIP-0032 child key derivation scheme. The Cardano wallets currently in existence implement several mutually incompatible schemes for the derivation of the master node from a BIP-0039 mnemonic and passphrase. Unfortunately all of these derivation schemes fail to separate the derivation of the seed from the derivation of the key tree, making it impossible to integrate them with new seed derivation schemes. This specification aims to rectify this by defining a new scheme for the derivation of the master node from a seed. The new scheme is primarily intended for use with SLIP-0039 Shamir's Secret-Sharing for Mnemonic Codes.
This scheme adapts the master node derivation used in BIP-0032 and SLIP-0010 by defining a new curve name "ed25519 cardano seed" for the Ed25519 curve with the Cardano deterministic key hierarchy. The curve name is used as salt in BIP-0032 and SLIP-0010 when deriving the master node from the seed. This is necessary to ensure proper domain separation between different elliptic curves or different types of key hierarchies. The root extended private key (kL, kR) is computed by taking the SHA-512 hash of the root private key IL, modifying certain bits to make it a valid EdDSA key and clearing the third highest bit of kL to ensure compatibility with Cardano child key derivation.
- Let S be a seed byte sequence such as the master secret from SLIP-0039.
- Calculate I := HMAC-SHA512(Key = "ed25519 cardano seed", Data = S).
- Split I into two 32-byte sequences, IL := I[0:32] and IR := I[32:64].
- Let k := SHA-512(IL).
- Modify k by assigning k[0] := k[0] & 0xf8 and k[31] := (k[31] & 0x1f) | 0x40.
- Interpret k[0:32] as a 256-bit integer kL in little-endian byte order. Let kR := k[32:64] and use (kL, kR) as the root extended private key and c := IR as the root chain code.
The Icarus master node derivation scheme, aka V2 derivation scheme, is commonly used with BIP-0039 in Cardano wallets. Since there does not exist any specification of this scheme, its description is included below for completeness.
- Let M be a BIP-0039 mnemonic and P the passphrase entered by the user.
- Determine the initial entropy E that was used to generate M.
- Compute S := PBKDF2-HMAC-SHA512(password = P, salt = E, iterations = 4096, dkLen = 96).
- Modify S by assigning S[0] := S[0] & 0xf8 and S[31] := (S[31] & 0x1f) | 0x40.
- Interpret S[0:32] as a 256-bit integer kL in little-endian byte order. Let kR := S[32:64] and use (kL, kR) as the root extended private key and c := S[64:96] as the root chain code.
The derivation of child keys in the Cardano deterministic key hierarchy is specified in BIP32-Ed25519.
When SLIP-0039 is used as the source of the master secret the master node for the Cardano deterministic key hierarchy MUST be derived using the Cardano universal master node derivation scheme as specified above.
When BIP-0039 is used as the source of the master secret the master node for the Cardano deterministic key hierarchy SHOULD be derived using the Cardano Icarus master node derivation scheme to maintain compatibility with existing wallets.
In the following test vectors the values of S, kR, A and c are each encoded as a string containing two hexadecimal digits for each byte. The value of kL is encoded as an integer in base 10.
Let the seed be S = "578d685d20b602683dc5171df411d3e2".
Note that S is the master secret obtained from the following three SLIP-0039 share mnemonics with the passphrase "TREZOR":
- "extra extend academic bishop cricket bundle tofu goat apart victim enlarge program behavior permit course armed jerky faint language modern",
- "extra extend academic acne away best indicate impact square oasis prospect painting voting guest either argue username racism enemy eclipse",
- "extra extend academic arcade born dive legal hush gross briefing talent drug much home firefly toxic analysis idea umbrella slice".
The root extended private keys is:
kL = 38096432269777187972282727382530464140043628323029465813805073381215192153792
kR = "4064253ffefc4127489bce1b825a47329010c5afb4d21154ef949ef786204405"
The root public key is:
A = "83e3ecaf57f90f022c45e10d1b8cb78499c30819515ad9a81ad82139fdb12a90"
The root chain code is:
c = "22c12755afdd192742613b3062069390743ea232bc1b366c8f41e37292af9305"
The address for the derivation path 44'/1815'/0'/0/0 is:
Ae2tdPwUPEYxF9NAMNdd3v2LZoMeWp7gCZiDb6bZzFQeeVASzoP7HC4V9s6
The address for the derivation path 44'/1815'/0'/0/1 is:
Ae2tdPwUPEZ1TjYcvfkWAbiHtGVxv4byEHHZoSyQXjPJ362DifCe1ykgqgy
The address for the derivation path 44'/1815'/0'/0/2 is:
Ae2tdPwUPEZGXmSbda1kBNfyhRQGRcQxJFdk7mhWZXAGnapyejv2b2U3aRb
Let the seed be S = "a055b781aac0c9dc1bfb7d803bc8ffd5d4392e506db2e4a5a93f0aba958c5be7".
Note that this is the master secret obtained from the two SLIP-0039 share mnemonics with the passphrase "TREZOR":
- "hobo romp academic axis august founder knife legal recover alien expect emphasis loan kitchen involve teacher capture rebuild trial numb spider forward ladle lying voter typical security quantity hawk legs idle leaves gasoline",
- "hobo romp academic agency ancestor industry argue sister scene midst graduate profile numb paid headset airport daisy flame express scene usual welcome quick silent downtown oral critical step remove says rhythm venture aunt".
The extended private keys is:
kL =
35870817594148037193235249761081259065186522922583196642112477624627719791504
kR = "f9d99bf3cd9c7e12663e8646afa40cb3aecf15d91f2abc15d21056c6bccb3414"
The root public key is:
A = "eea170f0ef97b59d22907cb429888029721ed67d3e7a1b56b81731086ab7db64"
The root chain code is:
c = "04f1de750b62725fcc1ae1b93ca4063acb53c486b959cadaa100ebd7828e5460"
The address for the derivation path 44'/1815'/0'/0/0 is:
Ae2tdPwUPEYyDD1C2FbVJFAE3FuAxLspfMYt29TJ1urnSKr57cVhEcioSCC
The address for the derivation path 44'/1815'/0'/0/1 is:
Ae2tdPwUPEZHJGtyz47F6wD7qAegt1JNRJWuiE36QLvFzeqJPBZ2EBvhr8M
The address for the derivation path 44'/1815'/0'/0/2 is:
Ae2tdPwUPEYxD9xNPBJTzYmtFVVWEPB6KW4TCDijQ4pDwU11wt5621PyCi4
- BIP-0032: Hierarchical Deterministic Wallets
- SLIP-0010: Universal private key derivation from master private key
- BIP-0039: Mnemonic code for generating deterministic keys
- SLIP-0039: Shamir's Secret-Sharing for Mnemonic Codes
- D. Khovratovich and J. Law: BIP32-Ed25519 Hierarchical Deterministic Keys over a Non-linear Keyspace