Extended keys are a foundational concept in modern cryptocurrency wallets, enabling secure and scalable key management through hierarchical deterministic (HD) wallet systems. This guide breaks down BIP32 extended keys—what they are, how they work, and why they matter—with clear explanations, logical structure, and visual thinking in mind.
What Are BIP32 Extended Keys?
An extended key is either a private key or a public key paired with an additional 32 bytes of data called a chain code. This combination allows the key to generate child keys in a structured hierarchy—forming what’s known as a hierarchical deterministic (HD) wallet.
There are two types:
- Extended private key (xprv): Can derive both child private and public keys.
- Extended public key (xpub): Can only derive child public keys.
This design ensures users can generate unlimited receiving addresses without exposing their private keys—a major security advancement in Bitcoin wallet architecture.
Step 1: Generating the Master Key
The root of every HD wallet is the master extended key, derived from a seed—typically a 64-byte value generated from a mnemonic phrase.
To create it:
- Input the seed into the HMAC-SHA512 function using the string "Bitcoin seed" as the key.
- The output is 64 bytes:
  - First 32 bytes → Master private key
  - Last 32 bytes → Chain code
HMAC (Hash-based Message Authentication Code) acts like a cryptographic blender: it takes input data and a secret key to produce unpredictable, fixed-length output.
With this pair—the master private key and chain code—you now have your first extended private key.
From Private to Public: Creating the Master xpub
To get the corresponding extended public key (xpub):
- Derive the public key from the master private key using elliptic curve multiplication.
- Pair it with the same chain code.
Now you have two master keys:
- m → extended private key
- M → extended public key
These serve as the root of your entire key tree.
Step 2: Building the Extended Key Tree
Extended keys form a branching hierarchy where each node can generate children. This structure supports infinite address generation while maintaining traceability and control.
Key Derivation Paths
Each child key has an index number ranging from 0 to 2^32 - 1. These indices fall into two categories:
1. Normal (Non-Hardened) Derivation
- Index range: 0 to 2,147,483,647
- Both xprv and xpub can derive public keys at this level.
- Allows public key derivation without access to private keys—ideal for watch-only wallets.
2. Hardened Derivation
- Index range: 2,147,483,648 to 4,294,967,295
- Only the extended private key can derive hardened children.
- Prevents exposure risks if an xpub is compromised.
🔐 Best Practice: Use hardened derivation by default unless you specifically need to share public key derivation capability.
Hardened keys protect sensitive branches (like change addresses), ensuring that even if someone has your xpub, they cannot guess internal or hardened paths.
Step 3: Deriving Child Extended Keys
Let’s explore how child keys are created under BIP32.
Normal Child Private Key Derivation
To derive a normal child extended private key:
- Compute the parent public key from the parent private key.
- Use index i (where i < 2^31).
- Input into HMAC-SHA512:
  - Data: Parent public key || index (concatenated)
  - Key: Parent chain code
- Split output:
  - Left 32 bytes → tweak scalar
  - Right 32 bytes → new chain code
- New private key = (parent private key + tweak scalar) mod n
  - Where n is the order of the secp256k1 curve.
Result: A new child extended private key with matching chain code.
Hardened Child Private Key Derivation
For hardened derivation:
- Same HMAC process, but data = parent private key || index
- Because private key material is used, xpub cannot replicate this path.
This isolation ensures that leaked xpubs cannot compromise hardened branches.
Normal Child Public Key Derivation
From an extended public key:
- Use index i (0 ≤ i < 2^31).
- Input into HMAC-SHA512:
  - Data: Parent public key || index
  - Key: Parent chain code
- Output split:
  - Left 32 bytes → tweak scalar
  - Right 32 bytes → new chain code
- New public key = parent public key + (tweak scalar × generator point)
This yields a child xpub that matches the one derived from the parent xprv—ensuring consistency across trust levels.
❌ No such thing as hardened child public key derivation
Because hardened derivation requires the parent private key, xpubs cannot generate hardened children.
Why Does This Work? The Math Behind Consistency
You might wonder: How do we know that a child public key derived from an xpub matches the one from its parent xprv?
Because both derivations use the same HMAC input when using normal derivation:
- Same parent pubkey
- Same index
- Same chain code
So the HMAC output is identical. Then:
- For private keys: Add tweak scalar to parent private key.
- For public keys: Add corresponding point (tweak × G) to parent public key.
Due to elliptic curve mathematics:
(a + t) × G = a×G + t×G
Thus, the derived child keys remain a valid pair—one from xprv, one from xpub—without ever sharing private data.
Security Implications
While powerful, extended keys come with risks:
Risk of xpub + Child Private Key Exposure
If an attacker gains:
- Your extended public key
- Any child private key derived non-hardened
They can reverse-engineer your master private key.
Why?
- They know the tweak scalar (from HMAC inputs)
- They know the child private key
- So:
parent_private_key = child_private_key - tweak_scalar
This breaks the entire wallet hierarchy.
⚠️ Never expose non-hardened child private keys if you’ve shared your xpub.
Use hardened paths (m/44', m/84', etc.) for sensitive operations.
Serialization: How Extended Keys Are Stored
Extended keys are encoded in a standardized format for easy transfer and storage. The serialized structure includes:
- Version (4 bytes): Identifies type (xprv, xpub, zprv, etc.)
- Depth (1 byte): How many levels from master
- Parent fingerprint (4 bytes): First 4 bytes of parent pubkey hash
- Index (4 bytes): Child number used in derivation
- Chain code (32 bytes): Secret entropy for deriving children
- Key (33 bytes): Either 0x00 + private key or full public key
Finally:
- Append a 4-byte checksum
- Encode with Base58Check for human readability
Example outputs:
xprv9s21ZrQH143K3QTDL4LXw2F7HEKvtvJUmuSKMbenesH6VniimYzWcr7RS9n6DpRhUuWDAyPcRJisRrYsNrT96gRVtDGGWuPf87XyLXskwUjYvJz
xpub661MyMwAqRbcFtXgS5sYJABqqG9YLmC4Q1Rdap9gSE8NqtwybGhePY2gZUDPHASPMRUtVTFGcVMs7j5LXqvyiZ5B7QEsAxySdc5L5jgkRkDwA8W
These long strings encapsulate full derivation context—making backup and recovery seamless.
Note: Fields like depth, fingerprint, and index aren’t needed for actual derivation—they help reconstruct paths during wallet recovery or auditing.
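The 78-byte layout and Base58Check wrapping listed above, as an added example that is not part of the original guide. The function names are illustrative, only the Bitcoin mainnet xprv/xpub version bytes are handled, and SAMPLE is built from made-up key material. The parser rejects a bad checksum, a key field that contradicts the version, and a depth-0 key carrying parent data.

```python
import hashlib, struct

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
VERSIONS = {0x0488ADE4: "xprv", 0x0488B21E: "xpub"}  # Bitcoin mainnet only
LAYOUT = ">I B 4s I 32s 33s"  # version, depth, fingerprint, index, chain code, key

def checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload):
    raw = payload + checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out  # zero bytes -> '1'

def b58check_decode(text):
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    pad = len(text) - len(text.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5 or checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("bad Base58Check checksum")
    return raw[:-4]

def serialize(version, depth, fingerprint, index, chain, key33):
    return b58check_encode(
        struct.pack(LAYOUT, version, depth, fingerprint, index, chain, key33))

def parse(text):
    payload = b58check_decode(text)
    if len(payload) != 78:
        raise ValueError("extended key payload must be 78 bytes")
    version, depth, fp, index, chain, key = struct.unpack(LAYOUT, payload)
    kind = VERSIONS.get(version)
    if kind is None:
        raise ValueError("unknown version bytes")
    if key[0] not in ((0,) if kind == "xprv" else (2, 3)):
        raise ValueError("key field does not match version")
    if depth == 0 and (fp != bytes(4) or index != 0):
        raise ValueError("master key must not carry parent data")
    return {"type": kind, "depth": depth, "fingerprint": fp.hex(), "index": index,
            "hardened": index >= 2**31, "chain_code": chain, "key": key}

# Constructed sample (not a real wallet): depth-0 xprv with made-up key material
SAMPLE = serialize(0x0488ADE4, 0, bytes(4), 0, bytes(range(32)),
                   b"\x00" + bytes(range(1, 33)))
```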
Frequently Asked Questions
What is a BIP32 extended key?
A BIP32 extended key combines a regular Bitcoin private or public key with a chain code, enabling hierarchical derivation of child keys in HD wallets.
Can an xpub generate all my receiving addresses?
Yes—but only non-hardened ones. If you use hardened derivation (common in modern wallets), some addresses won't be derivable from xpub alone.
Why can't xpubs derive hardened keys?
Hardened derivation uses the parent private key in HMAC input. Since xpubs don’t contain private data, they can’t perform this computation.
Is sharing my xpub safe?
Generally yes—for receiving funds. But avoid exposing any non-hardened child private keys, as this could allow attackers to compute your master key.
What do xprv, xpub, zprv, zpub mean?
- xprv/xpub: Legacy P2PKH paths (BIP44)
- zprv/zpub: Native SegWit (BIP84)
Different prefixes prevent misuse across formats.
How are extended keys used in real wallets?
Wallets like Ledger, Trezor, and mobile apps use extended keys behind the scenes to generate addresses securely, back up entire wallets via seed phrases, and support multi-account structures.
Final Thoughts
BIP32 extended keys revolutionized Bitcoin wallet design by introducing scalable, deterministic hierarchies. They enable secure address generation, simplified backups, and flexible account structures—all rooted in elegant cryptography.
Understanding how xprv, xpub, chain codes, and derivation paths work empowers you to use cryptocurrency more safely and knowledgeably—whether you're building wallets or managing personal funds.