Bitcoin Forum - Show Posts
1. Other / Beginners & Help / [Full Guide+Code] Seed Phrase & The Process of Deriving Bitcoin Addresses from It on: February 09, 2021, 08:57:10 PM
Earlier, a Bitcoin wallet used to be a bunch of private keys. In order to use a new address, the user had to generate a new private key, which made the whole process cumbersome because the user had to back up each and every private key. Hierarchical Deterministic (HD) wallets made the process easier. A deterministic wallet means the wallet uses a single starting point to derive all the addresses. That single starting point is known as the 'mnemonic seed' or 'seed phrase'. Today, more than 95% of non-custodial wallets generate addresses deterministically, and if they don't, you shouldn't be using those wallets.

Considering that the seed phrase has become an integral part of the Bitcoin wallet, I will explain the whole process of how bitcoin addresses are derived from the seed phrase, along with JavaScript code so you can easily test the process on your computer without downloading or installing any utility.

Table of Contents
1. Generate Random Sequence or Entropy
2. Create Checksum and Prepare Final Sequence
3. Convert Sequence into Mnemonic Codes
4. PBKDF2 Key-Stretching Function
5. Master Private Key, Master Public Key and Chain Code
6. Derivation Path and BIP-44
7. Child Private Key Derivation
8. Generate Bitcoin Addresses from Private Keys
9. Javascript Codes

1. Generate Random Sequence or Entropy

Earlier I said that the mnemonic (or seed phrase) is the starting point of the wallet, which may not be entirely true. In order to derive the mnemonic, we first need to generate entropy. In simpler words, entropy is nothing but a measure of randomness. In order to secure the wallet, we need it to be based on something unpredictable, hence entropy of 128-256 bits is used. The easiest way to generate entropy is by flipping a coin. Take a coin and toss it 128 times; write 0 when heads comes up and 1 when tails comes up. After 128 flips, you will have a random sequence of 0s and 1s, which is your entropy. You can do the same 256 times to increase the security of your wallet (the longer the entropy, the higher the security). Check the image below to understand the process better:



The sequence of 0s and 1s you see above is the distinct point. It should be generated as randomly as possible. If a weak random generator is used, then hackers can easily brute-force your sequence and steal the funds.

2. Create Checksum and Prepare Final Sequence

Now, as we have the 128-bit entropy, we need to generate the checksum. A checksum is nothing but a fingerprint attached at the end of something to ensure the user has made no mistake in copying that thing. In our case, we will generate a fingerprint of our entropy. As defined in BIP-39, we take the SHA-256 hash of the entropy as the fingerprint. Before moving forward, let's convert our entropy from Base2 to Base16, or hexadecimal. Base2 means we use 2 symbols to express our number; as we saw in Step 1, those symbols are '0' and '1'. Similarly, Base16 (or hexadecimal) uses 16 symbols to express the number: 0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f. Check the image below to understand how the conversion works:



You can see that 0001 in Base2 is equal to 1 in hexadecimal, 0010 is equal to 2, and so on. So, our entropy in hexadecimal is represented as 91d3785bf884c639f600b3e587083265. The important point here is that both are the same; just the representation is different.

Back to the checksum now. Like I said earlier, the SHA-256 of the entropy is used as the checksum, so let's generate the SHA-256 of our entropy:

SHA-256 hash of 0x91d3785bf884c639f600b3e587083265 = effdb98e4c4ac27c670f704c39a2e0ba8b85bc4561a7a02a6297e465ed155d30

The hash is a 256-bit long number represented by 64 hexadecimal characters. In other words, each hexadecimal character represents 4 bits. As per BIP-39, instead of using the whole hash, only the first (entropy length / 32) bits of the hash are used as the checksum. In our case, the length of the entropy is 128, which when divided by 32 gives 4. So, we will only take the first four bits of the hash as the checksum. If the length of your entropy is 256, the checksum would be 256/32, or the first 8 bits of the hash.

As I said earlier, each hexadecimal character represents four bits, so the first four bits of our hash in hexadecimal are represented by 'e'. So, our checksum is 'e' in hexadecimal and 1110 in Base2 (or binary). Now, we append the checksum at the end of the sequence, which makes our final sequence in hexadecimal 0x91d3785bf884c639f600b3e587083265e. Or in Base2 as:




3. Convert Sequence into Mnemonic Codes

Now the length of the sequence is 132 bits. The next step involves splitting the sequence into chunks of 11 bits. Since our sequence is 132 bits, which when divided by 11 gives 12, we will get 12 chunks. We would get 24 chunks if 256-bit entropy were used.

Here are the chunks of our entropy:
10010001110
10011011110
00010110111
11110001000
01001100011
00011100111
11011000000
00010110011
11100101100
00111000010
00001100100
11001011110

As you can notice, each chunk is a binary number. The lowest value of a chunk can be 00000000000, which is 0 in decimal, whereas the maximum value can be 11111111111, which is 2047 in decimal. So, each chunk is valued between 0 and 2047. BIP-39 defines 2048 words, each word representing one number from 0 to 2047. I have prepared a table so you can see which word is used for which value; visit the link below to view the table:


From the table, you can see that the decimal values of our chunks are: 1166, 1246, 183, 1928, 611, 231, 1728, 179, 1836, 450, 100, 1630

Picking the adjacent words from the link, we get the following mnemonic code:

Code:
mushroom orange black valve erase brother submit biology tortoise debate arrive slim


4. PBKDF2 Key-Stretching Function

Password-Based Key Derivation Function 2 (or PBKDF2) is used as a security measure in the process. This function allows the use of a 'passphrase' to further increase the security of our mnemonic code. You can read more about the PBKDF2 function on Wikipedia.

In our bitcoin address derivation process, PBKDF2 is used to stretch the mnemonic code using 2048 rounds of the HMAC-SHA512 algorithm. The algorithm takes two parameters: one is the mnemonic code and the second is the salt. If the user decides to opt for no passphrase, then the salt is the string with the value 'mnemonic'. But if the user decides on, let's say, 'webby' as the passphrase, then the salt becomes 'mnemonicwebby'. We concatenate the passphrase at the end of the 'mnemonic' string in the salt.

Hence, our PBKDF2 function becomes:

Code:
DK = PBKDF2(PRF, Password, Salt, c, dkLen)

Putting in the values for PRF, Password, Salt, c and dkLen:

DK = PBKDF2(HMAC, 'mushroom orange black valve erase brother submit biology tortoise debate arrive slim', 'mnemonic', 2048, 64)

where PRF is the pseudorandom function (here HMAC)
Password is our mnemonic code
Salt is the string 'mnemonic' without any passphrase
c is the number of iterations; in our case, 2048
dkLen is the desired length of the derived key (we want a 512-bit seed, so we selected 64 bytes since 1 byte = 8 bits)

DK refers to the final key or seed we derive from the process. In our case, we will get a 512-bit value as the result. The key for our mnemonic code with no passphrase is:
Code:
65729d81d461591bac7384dea43dbd44438053cd1fdc113e0769c49c5fde025ba331eed2077497634e619948437d0448e769a86c0cbbecf01b13fd53540743b3


5. Master Private Key, Master Public Key and Chain Code

As I discussed at the start of the thread, the main purpose of using a seed phrase is to get a hierarchical, tree-like structure, where each private or public key is derived from its parent and can derive its children. The Master Private Key is the top of the hierarchy. It is a private key at the first level with no parent.

We generated DK, or the 512-bit seed, in the last step. This seed will now be used in the HMAC-SHA512 function to derive the private key and chain code. The HMAC-SHA512 function takes two parameters: message and secret key. In our case, the 512-bit seed from the last step is the message and, as defined in BIP-32, the string 'Bitcoin seed' is used as the secret key. So,

HMAC(seed, 'Bitcoin seed') = Hash

The resulting hash will be a 512-bit value. In our case, it is the following:
Code:
a0ccf14c939faa07b896cd5fb306a37fb3f9cb041196c5364d0cca9dbd82e53a5bc9d1368631ae579f02ed8e46a56dd9dd9de8ac59e3c4e18247ff96988bdf1f

Note that the length of the output is 512 bits, or 128 hexadecimal characters. The first 256 bits (represented by the first 64 hexadecimal characters) will become our Master Private Key, whereas the next 256 bits will become our Chain Code.

Hence,
Code:
Master Private Key: a0ccf14c939faa07b896cd5fb306a37fb3f9cb041196c5364d0cca9dbd82e53a
Chain Code: 5bc9d1368631ae579f02ed8e46a56dd9dd9de8ac59e3c4e18247ff96988bdf1f

The Master Public Key can be derived from the Master Private Key using Elliptic Curve Cryptography. I have written a detailed thread on ECC. You can follow this thread: THE THREAD, and see how a public key is derived from a private key. The process is the same for the Master Public Key as well.

Using the same logic,
Code:
our Master Public Key: 03d1cc1f6bdea4d17eb7f2573d676f9ddb087f8b784c912c4466407781d8acfe38


6. Derivation Path and BIP-44

To easily understand the meaning of the derivation path, you can think of it as a map which guides us on how we should go through the children from the master private key to finally reach the bitcoin address. BIP-44 defines the following path for Bitcoin Mainnet:

Code:
Path format: m / purpose' / coin_type' / account' / change / address_index

Bitcoin Main-net format: m / 44' / 0' / 0' / 0 / address_index

To understand the above, first look at the image below:



It's like we go to the master private key and ask, who is your 45th hardened child? Then we go to the 45th child and ask it, who is your first hardened child? Then we go to the first hardened child of the first hardened child of the master private key and ask it, who is your first child? Then we go and catch the first child and take its children one by one as our private keys. The first child will become our first private key, which will be used to derive our first bitcoin address, and so on.

Now you may be wondering what the difference is between a hardened child and a normal child. When we say first hardened child, it's actually the (2^31+1)th child. For easy understanding, we replace 2^31 with the symbol of prime ( ' ). So, the 2^31+1, or 2147483649th, child of the parent is the first hardened, or 0', child. (Notice the prime sign at the top right of the 0)

For a more serious discussion about the derivation path, check this thread from Blue Snow: https://bitcointalk.org/index.php?topic=5243350

7. Child Private Key Derivation

Okay, now that we know which child keys are to be derived, let's see how a child key is derived:

To derive the child key, the HMAC-SHA512 hashing algorithm is used again. As we discussed earlier, the HMAC-SHA512 algorithm requires 2 params: message and secret key. Here, the message is our master private or public key concatenated with the child number (also known as the child index), and the secret key is the chain code. So,

Hash = HMAC(master key + index, chain code)

Important Point: When we are deriving a hardened child, the master private key will be used as the message, whereas the master public key will be used in case we are deriving a normal child.

Now let's get started with the process:

LEVEL 1: Deriving 45th hardened child of the Master Key (Since it's hardened, Master Private Key will be used)
Code:
Master Private Key = a0ccf14c939faa07b896cd5fb306a37fb3f9cb041196c5364d0cca9dbd82e53a (taken from the fifth step)
Index = 8000002c (value of 2147483692 i.e. 2^31+44 in hexadecimal)
Chain Code = 5bc9d1368631ae579f02ed8e46a56dd9dd9de8ac59e3c4e18247ff96988bdf1f (taken from the fifth step)

So,
Message = 00a0ccf14c939faa07b896cd5fb306a37fb3f9cb041196c5364d0cca9dbd82e53a8000002c
(an important thing to notice here: the length of the message should be 296 bits. Since the length of the master private key is 256 bits and the index is 32 bits,
we need an additional 8 bits, hence we added 00, i.e. 8 empty bits, at the start)

Key = 5bc9d1368631ae579f02ed8e46a56dd9dd9de8ac59e3c4e18247ff96988bdf1f

HMAC(message, key) = 7fc9ce32a6aeffbeaf5057f266f0d6ed6383ed84f21c96d53c0c1e3838a87e2481d4b120fcd3a11837e5d035fc508bb8b31c47285fdd7506d8d264144b4d8df7

Note, we got an output of 512 bits. Similar to what we discussed in the fifth step, the left 256 bits of the output will be used for the private key of our 45th hardened child and the right 256 bits will become the chain code of the child. The left 256 bits are taken as a hexadecimal number and added to the parent private key. Then we take the modulus of the sum with the 'n' parameter as defined by SECG in this document: SECG Vol 2

Code:
Left 256 bits = 7fc9ce32a6aeffbeaf5057f266f0d6ed6383ed84f21c96d53c0c1e3838a87e24
Parent Private Key =  a0ccf14c939faa07b896cd5fb306a37fb3f9cb041196c5364d0cca9dbd82e53a
N = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 (n as defined)

Private Key of 45th Hardened Child of Master Private Key = ( Left 256 bits + Parent Private Key ) % N
Private Key of 45th Hardened Child of Master Private Key = 2096bf7f3a4ea9c667e7255219f77a6e5ccedba2546abbcfc9468a4925f5221d

Chain Code of 45th Hardened Child of Master Private Key = 81d4b120fcd3a11837e5d035fc508bb8b31c47285fdd7506d8d264144b4d8df7 (right 256 bits)


LEVEL 2: Deriving first hardened child of the Level 1 Child (Since it's hardened, Private Key will be used)
Code:
Private Key = 2096bf7f3a4ea9c667e7255219f77a6e5ccedba2546abbcfc9468a4925f5221d
Index = 80000000 (value of 2147483648 i.e. 2^31 in hexadecimal)
Chain Code = 81d4b120fcd3a11837e5d035fc508bb8b31c47285fdd7506d8d264144b4d8df7

So,
Message = 002096bf7f3a4ea9c667e7255219f77a6e5ccedba2546abbcfc9468a4925f5221d80000000
Key = 81d4b120fcd3a11837e5d035fc508bb8b31c47285fdd7506d8d264144b4d8df7

HMAC(message, key) = dee4c4cb625b27f231194cf3befea6e67a73122f77a748b987fded5333ca63f7d665636fd64693411687f8d4deeb8382d14deb3d9937e72635e77af48c4da4e6

Left 256 bits = dee4c4cb625b27f231194cf3befea6e67a73122f77a748b987fded5333ca63f7
Parent Private Key =  2096bf7f3a4ea9c667e7255219f77a6e5ccedba2546abbcfc9468a4925f5221d
N = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 (n as defined)

Private Key of first hardened child of Level 1 Child = ( Left 256 bits + Parent Private Key ) % N
Private Key of first hardened child of Level 1 Child = ff7b844a9ca9d1b899007245d8f62154d741edd1cc1204895144779c59bf8614

Chain Code of first hardened child of Level 1 Child: d665636fd64693411687f8d4deeb8382d14deb3d9937e72635e77af48c4da4e6

LEVEL 3: Deriving first hardened child of the Level 2 Child (Since it's hardened, Private Key will be used)
Code:
Private Key = ff7b844a9ca9d1b899007245d8f62154d741edd1cc1204895144779c59bf8614
Index = 80000000 (value of 2147483648 i.e. 2^31 in hexadecimal)
Chain Code = d665636fd64693411687f8d4deeb8382d14deb3d9937e72635e77af48c4da4e6

So,
Message = 00ff7b844a9ca9d1b899007245d8f62154d741edd1cc1204895144779c59bf861480000000
Key = d665636fd64693411687f8d4deeb8382d14deb3d9937e72635e77af48c4da4e6

HMAC(message, key) = 2839a8f276409794544cdc9f4d2748a3ea3ca988b64f82e72414d67dedaf751bfb106a1896e38ddc80b3d3b4fdaba9b003d1e6caa08c6cbbdc5d63fa6836b613

Left 256 bits = 2839a8f276409794544cdc9f4d2748a3ea3ca988b64f82e72414d67dedaf751b
Parent Private Key =  ff7b844a9ca9d1b899007245d8f62154d741edd1cc1204895144779c59bf8614
N = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 (n as defined)

Private Key of first hardened child of Level 2 Child = ( Left 256 bits + Parent Private Key ) % N
Private Key of first hardened child of Level 2 Child = 27b52d3d12ea694ced4d4ee5261d69fa06cfba73d318e734b586ef8d7738b9ee

Chain Code of first hardened child of Level 2 Child: fb106a1896e38ddc80b3d3b4fdaba9b003d1e6caa08c6cbbdc5d63fa6836b613

LEVEL 4: Deriving first normal child of the Level 3 Child (Since it's normal, Public Key will be used)
Code:
Private Key = 27b52d3d12ea694ced4d4ee5261d69fa06cfba73d318e734b586ef8d7738b9ee
Public Key = 03fc371a6939557697a438cca5c81fc899d611d41f605d1b6d1a8096fd5e3e0343 (using ECC)
Index = 00000000 (value of 0 in hexadecimal)
Chain Code = fb106a1896e38ddc80b3d3b4fdaba9b003d1e6caa08c6cbbdc5d63fa6836b613

So,
Message = 03fc371a6939557697a438cca5c81fc899d611d41f605d1b6d1a8096fd5e3e034300000000
(Since we are using the Public Key, which is already 264 bits, we needn't concatenate additional bits at the start)

Key = fb106a1896e38ddc80b3d3b4fdaba9b003d1e6caa08c6cbbdc5d63fa6836b613

HMAC(message, key) = bd63f3fe2daf72bd61d983477a8330e377ecc1fa664bee4a90da90003de9ef8c29a2907541b35ab602c72d52c330184a2e7908060b98acca9b17ebfaea0135a8

Left 256 bits = bd63f3fe2daf72bd61d983477a8330e377ecc1fa664bee4a90da90003de9ef8c
Parent Private Key =  27b52d3d12ea694ced4d4ee5261d69fa06cfba73d318e734b586ef8d7738b9ee
N = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 (n as defined)

Private Key of first normal child of Level 3 Child = ( Left 256 bits + Parent Private Key ) % N
Private Key of first normal child of Level 3 Child = e519213b4099dc0a4f26d22ca0a09add7ebc7c6e3964d57f46617f8db522a97a

Chain Code of first hardened child of Level 3 Child: 29a2907541b35ab602c72d52c330184a2e7908060b98acca9b17ebfaea0135a8


LEVEL 5: Deriving first 3 normal children of the Level 4 Child (Since it's normal, Public Key will be used)
Code:
Private Key = e519213b4099dc0a4f26d22ca0a09add7ebc7c6e3964d57f46617f8db522a97a
Public Key = 0321bd38eb2f97c56762b82f22e9677d6aa205a73664b93aaf8ed087bd9fc26420 (using ECC)
Index = 00000000, 00000001 and 00000002
Chain Code = 29a2907541b35ab602c72d52c330184a2e7908060b98acca9b17ebfaea0135a8

So,
Message1 = 0321bd38eb2f97c56762b82f22e9677d6aa205a73664b93aaf8ed087bd9fc2642000000000
Message2 = 0321bd38eb2f97c56762b82f22e9677d6aa205a73664b93aaf8ed087bd9fc2642000000001
Message3 = 0321bd38eb2f97c56762b82f22e9677d6aa205a73664b93aaf8ed087bd9fc2642000000002

Key = 29a2907541b35ab602c72d52c330184a2e7908060b98acca9b17ebfaea0135a8

HMAC(message1, key) = a8764acda4ebc575ff750e113353a805186febf32372deb4fab9ed180a7b4db3a3e1295ec9c664d73d77841b263d019306d914e431fdc84973cf53abaa0883cb
HMAC(message2, key) = fb58f1f53183d06aed97ba85ad30fc89d4500bb3c5d47880cc96c368f044618743a1580a9757af12b8597450ff8a5b37e9a51660b0a30e672b736464f4cdb7d0
HMAC(message3, key) = b30db2ea8ad0e61c43acf2052ecc0d3c174cf5a57655ba038ba8894f3bc2f0d8c140e5f51589c16e3d3502b08fc005e8a9acfa5a56dda2e08b520b3179c1f163

Left 256 bits of HMAC1 = a8764acda4ebc575ff750e113353a805186febf32372deb4fab9ed180a7b4db3
Left 256 bits of HMAC2 = fb58f1f53183d06aed97ba85ad30fc89d4500bb3c5d47880cc96c368f0446187
Left 256 bits of HMAC3 = b30db2ea8ad0e61c43acf2052ecc0d3c174cf5a57655ba038ba8894f3bc2f0d8

Parent Private Key =  e519213b4099dc0a4f26d22ca0a09add7ebc7c6e3964d57f46617f8db522a97a
N = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 (n as defined)

Private Key of first normal child of Level 4 Child = 8d8f6c08e585a1804e9be03dd3f442e3dc7d8b7aad8f13f881490e18ef67b5ec (to be used for deriving first bitcoin address)
Private Key of second normal child of Level 4 Child = e0721330721dac753cbe8cb24dd19768985dab3b4ff0adc45325e469d530c9c0 (to be used for deriving second bitcoin address)
Private Key of third normal child of Level 4 Child = 9826d425cb6ac22692d3c431cf6ca81adb5a952d0071ef471237aa5020af5911 (to be used for deriving third bitcoin address)



8. Generate Bitcoin Addresses from Private Keys

In the last step, we derived 3 private keys at Level 5 using the indexes 00000000, 00000001 and 00000002. If you want to derive more private keys in the hierarchy, just keep incrementing the index by 1. So, 00000003 will be used for the next private key, and so on. Also, remember that this is a hexadecimal number, so after 00000009, the next index will be 0000000a, not 00000010.

Now, let's generate the bitcoin addresses from our private keys. I have already created a thread explaining in detail how to generate Legacy addresses (starting with '1') from a private key here: How Bitcoin Addresses are generated? Understand the Math behind Bitcoin

You can follow the above thread and you will be able to generate the first 3 Legacy Bitcoin Addresses of the hierarchy using the private keys from Step 7, which will be:
Quote
1MbJqqvN8ZPYsUch45HdRAxKbH6bJeGfZi
1GMpMNYwhb7Wvu8q1Zy52MtZUGWvLgCXak
12fv5eg3kzBgZQy7ue2yYmC9xXohmKWGR3

I will use the current thread to explain how to generate a P2SH address. P2SH is very different from the P2PKH (or Legacy) address. For a Legacy address, we simply generate the hash of the public key and use it as the address. But in P2SH, we first create a script, then generate the hash of the script. Then the transaction is made to the script. Now, the script can literally be anything. The sender of the transaction doesn't have to know what the script means. Bitcoin has its own scripting language, and the script has many defined opcodes such as OP_ADD, OP_EQUAL and many more. So, I can literally create a script, let's say, 'what when added to 3 makes 5', create a hash of this script and use it as the P2SH address. Then the payment made to that P2SH address can be spent by providing the original script, i.e. 'what when added to 3 makes 5', and the solution script, i.e. '2', along with the hash.

P2SH can be used to create much more complex scripts, but one of the most common types of P2SH is our P2WPKH-in-P2SH. It simply means using P2PKH in the P2SH script. This is the type of address you see while creating a wallet (the ones starting with '3'). Now, let's see how these are created:

The scheme for the P2WPKH-in-P2SH format is defined in BIP-49. In step 6, we discussed that the 45th hardened child of the Master Private Key is used in the hierarchy. That's true for Legacy addresses, but for P2WPKH-in-P2SH, we use the 50th hardened child, so the derivation path becomes:
Code:
m / 49' / 0' / 0' / 0 / address_index

Except for this, the rest of the process is the same as discussed in Steps 6 and 7. I have repeated Step 7 with our Master Private Key, i.e. a0ccf14c939faa07b896cd5fb306a37fb3f9cb041196c5364d0cca9dbd82e53a, and got the following three private keys as the first 3 normal children of the m/49'/0'/0'/0 path, i.e. Level 5:
Code:
Private Key of first normal child of Level 4 Child = 26e1061459e7961eeac018efa765339d785bd30de91f8fade64c639b275d74c4 (to be used for deriving first bitcoin address)
Private Key of second normal child of Level 4 Child = 501a42ccd834bf61c211f5277bcbebe4120eea952efc91fd71125f61a1e7eec4 (to be used for deriving second bitcoin address)
Private Key of third normal child of Level 4 Child = 13ae95a5d643b9ebe355d103679ad4bcf3863efef78873f4e4f20a57cf044a51 (to be used for deriving third bitcoin address)

Using ECC, I got the following Public Keys (second reminder: if you want to know how a public key is derived from a private key, check out the thread I mentioned in Step 5):
Code:
Public Key of first normal child of Level 4 Child = 021549dd72d89cbc844bb74ab6247239cf60d184cbfb0cfc4d024150a4985412fe (to be used for deriving first bitcoin address)
Public Key of second normal child of Level 4 Child = 02e589abcbdbcf7b9746d1e2f5d97e5d2836c82b5910c5716f094801c0178ecfc2 (to be used for deriving second bitcoin address)
Public Key of third normal child of Level 4 Child = 020711fb2e08e67c13bcfb2cca60ff5ac3b7c6fb9e902722127ef776e5d2db6046 (to be used for deriving third bitcoin address)

First, check the image below to understand how a public key is converted into a Bitcoin Address:



Now time for the explanation:

Firstly, we create the SHA-256 hash of the public key:
Code:
SHA-256(public key) = Hash

SHA-256(021549dd72d89cbc844bb74ab6247239cf60d184cbfb0cfc4d024150a4985412fe) = 189a3015638daa02871973bf840b434aad92cb71775b65680acd266b81e85e3f

Then, we create the RIPEMD160 hash of the SHA-256 hash:
Code:
RIPEMD160(hash) = Hash160

RIPEMD160(189a3015638daa02871973bf840b434aad92cb71775b65680acd266b81e85e3f) = 2bf545ff88c159408f5ba759f99e78566763fe1a

Then, we concatenate 0x0014 before the hash:
Code:
serialization = 0x0014 + Hash160

serialization = 00142bf545ff88c159408f5ba759f99e78566763fe1a
Note: 0x00 represents OP_0 and 0x14 is the size of the data to be pushed on the stack, in hexadecimal. Hence, OP_0 PushData<hash> represents our P2WPKH-P2SH script.

Now, as we have our script, the next step involves creating the hash of the script:
Code:
SHA-256(script) = Hash

SHA-256(00142bf545ff88c159408f5ba759f99e78566763fe1a) = c2d24e021347966656ed4b0312f9b3a49498c257294bd75e9bc84ba8353deb9a

Then,
RIPEMD160(hash) = Hash160

RIPEMD160(c2d24e021347966656ed4b0312f9b3a49498c257294bd75e9bc84ba8353deb9a) = 2d7193893e4143fc11bb69c7f004452198bdf6cd

Then add 0x05 before the hash160, i.e. the encoding byte for a script hash:
Code:
serialization = 0x05 + Hash160

serialization = 052d7193893e4143fc11bb69c7f004452198bdf6cd

Creating the checksum of the hash:
Code:
checksum = first four bytes of SHA-256(SHA-256(hash))

SHA256(SHA256(052d7193893e4143fc11bb69c7f004452198bdf6cd)) = dcd3b30cd36dcef8265fbe414e435fc7841ced941f93ef86afd86e344c4a700e
First four bytes = dcd3b30c

Adding the checksum at the end of the hash and encoding it into Base58:
Code:
final serialization = 052d7193893e4143fc11bb69c7f004452198bdf6cddcd3b30c

Base58(052d7193893e4143fc11bb69c7f004452198bdf6cddcd3b30c) = 35qJPbZX23wt3uuB9nz4pxhoouUfG28zxB

Hence, 35qJPbZX23wt3uuB9nz4pxhoouUfG28zxB is our first Bitcoin Address in the hierarchy.
2  Bitcoin / Bitcoin Technical Support / Which of the two is correct order for signing the transaction? on: December 22, 2020, 05:45:04 AM
Consider the following unsigned raw transaction (just an example):

Code:
0100000001a2a3b7744d9021efaa94a08a54c385373fa9381203dabf317d9a83efecb76470000000001976a9143104a52d281de138aa47e944d1acc3288b9598c588acfdffffff0140420f00000000001976a914e84d6c709afa87d7f93315af93f0804cd08cd34b88ac00000000

The double SHA-256 hash of the above is (A):
Code:
ae6d2bc786fcafbcd39696276bb6539564eefdbc2f54099da4a273db5c467e8b

Hash with reverse bytes (B):
Code:
8b7e465cdb73a2a49d09542fbcfdee649553b66b279696d3bcaffc86c72b6dae

My question is: which of the above hashes is signed for creating the DER-encoded signature, A or B?
3  Other / Meta / Replies counts are wrong in Indian Section on: December 04, 2020, 06:51:42 AM
I don't know about the other sections as I haven't noticed them, but the number of replies has been wrongly shown in the Indian section for the last several days. I am not very sure about the views count, but I guess views are also off for a few threads.

I am attaching the screenshot here, marked the wrong reply counts with the red circles:



Some are off by 1, some are off by 2 and some even by 5 replies.
4  Economy / Service Discussion / [LIST] Exchanges which let you create multiple deposit addresses on: November 23, 2020, 06:02:46 PM
The exchange which I was preferably using to trade my bitcoin recently shifted from an 'unlimited deposit addresses' to a 'one address per user' model. When I contacted them for the reason, they told me the same was done for security purposes. Anyhow, it defeated the purpose of using different bitcoin receiving addresses when I am going to send most of it to the single exchange address. (privacy-killer)

So, I researched different popular exchanges and collected information about which exchanges allow users to create multiple addresses.

Sr.No. | Exchange | Allows the creation of more than 1 address?
1. Binance - No - One address per user
2. Kraken - Yes - Can generate new addresses
3. Huobi - No - One address per user
4. BitFinex - Yes - Can generate new addresses
5. KuCoin - No - One address per user
6. Okex - No - One address per user
7. FTX - No - One address per user
8. Bittrex - No - One address per user
9. BitMex - No - One address per user
10. BitBox - No - One address per user
11. Liquid - No - One address per user
12. LocalBitcoins - Yes - Can generate new addresses
13. Paxful - Yes - Can generate new addresses
14. Remitano - Yes - Can generate new addresses
15. HitBTC - Yes - Can generate new addresses
16. Coinex - Yes - One address per deposit

If you know about more exchanges, suggest them in the thread. I will add those to the list.

Note: I only inquired about bitcoin deposit addresses.
5  Economy / Gambling discussion / Question for Casino Owners - How do you secure hashchain? on: October 19, 2020, 07:04:36 AM
As we all know, a hashchain is commonly used in multiplayer games like Crash, where each successive hash is the SHA256 hash of the previous hash and then the hashes are used in reverse order as the server seed.

However, unlike data fields like passwords, which are input by the players and can be encrypted using bcrypt or other encryption because the encrypted data is compared with the user's input on login, the same cannot be applied to the hashchain.

So my question is for casino owners or anyone who has knowledge about casino backend development. Please provide your insights on the following questions; it could be helpful for the community:

Q. Do you keep the entire hashchain in the live database or only a chunk for the next 100-200 rounds?
Q. Do you keep bare hashes or encrypted ones? If encrypted, then using which encryption, and how is the hash decrypted before each round?
Q. How do you keep the hashchain secure?
Q. Has your hashchain ever been compromised? If yes, how did you tackle the hack?
Q. It may be possible that a player got hold of the hashchain. In such a condition, he may smartly use the hashes and make infinite profits on games like Crash. So do you regularly check players' accounts and scrutinise whether someone is making huge profits? If yes, then did you replace your hashchain considering the possibility of compromise?

(self-mod to remove irrelevant answers)
6  Other / Beginners & Help / A quick guide on `How the hash of Bitcoin block is calculated?` on: September 01, 2020, 01:03:49 PM
A few days ago, a member asked about this in Bitcoin Discussion here: Mining process - SHA256 - Probability. I thought it would be better if I created a new thread for the reply I posted for him so more people who don't know the process can read it.

So if you read various beginners' guides on Bitcoin and blockchain on the internet, then you will surely come across a topic on the Proof of Work (PoW) algorithm. Almost all of them describe PoW as a consensus algorithm where miners try to find a solution to a mathematical puzzle and the first one to get the solution mines the block! So this thread is all about what that 'Mathematical Puzzle' is, because the solution of this mathematical puzzle is what is known as the hash of the block.

Finding the block hash is nothing but finding a value which is less than the target value. The target value is adjusted after every 2,016 blocks. The current target value (as on 22nd August) is:

0x000000000000000000109bac0000000000000000000000000000000000000000 (hexadecimal form)
or
1590739304116800001454600275103718494518067345886281728 (decimal/integer number)


Now in order to find the block hash, you as a miner need to find an integer value less than the above number. But this is not very simple, because you need to include 6 values in your computation, together known as the Block Header:
> Version
> Hash of previous block
> Merkle Root
> Time of mining
> Bits (difficulty in compact form)
> Nonce (an incrementing number)

So the process of mining involves calculating the double SHA-256 of these 6 values in such a way that the resulting hexadecimal hash is less than the current target. The whole process is defined here: o_e_l_e_o's reply to this post. Now let's take an example of Block 644,731 and try to verify the solution provided by the miner:



For block 644,731, we have:
Version = 20400000 (hexadecimal)
Hash of Previous Block = 000000000000000000083d157a8a2a589a74fc2f7b91245cb3a415c23d7cc79a
Merkle Root = 9453cfc708a1cc84f3f36c2bae68202b03ad2866bb02da511d7e603a4e9d1fd1
Time = 16:42:15 as per GMT
Bits = 386,964,396 (decimal)
Nonce = 2035916310 (decimal)



Converting everything into hexadecimal form (little-endian), we will have the following value:

0x000040209ac77c3dc215a4b35c24917b2ffc749a582a8a7a153d08000000000000000000d11f9d4e3a607e1d51da02bb6628ad032b2068ae2b6cf3f384cca108c7cf539467f93f5fac9b1017169e5979

(text is colored to differentiate six parameters)



The final step involves performing SHA-256 hashing twice on the above value and the result will be:
811802676f41d6aff67ad767517c466c4c8d3b87c81009000000000000000000



Converting it in big-endian, we have:
0000000000000000000910c8873b8d4c6c467c5167d77af6afd6416f67021881 which will become block hash of the block.



Now you can compare,
Target Value = 0x000000000000000000109bac0000000000000000000000000000000000000000 or 1590739304116800001454600275103718494518067345886281728

Block Hash (644,731) = 0000000000000000000910c8873b8d4c6c467c5167d77af6afd6416f67021881 or 868308124812842907393685749016650546999869456114653313



Since 868308124812842907393685749016650546999869456114653313 is smaller than 1590739304116800001454600275103718494518067345886281728, it is accepted as a correct solution and will become the block hash.
7  Local / India / GoSats - An Attempt to Promote Bitcoin in India (What's your views guys?) on: August 17, 2020, 04:11:11 PM
So I came across this website on Telegram and found it interesting: GoSats

This site is planning to start a service with which you can shop online on various merchant sites and receive cashback in the form of bitcoins. It is similar to using apps like PhonePe or Google Pay, except for the fact that you will receive real bitcoins as cashback instead of those 'Better luck next time' scratch cards.

You can keep on stacking bitcoins on every transaction and can send that to your friends, family via site. Also they are planning to launch a tool which will provide instant liquidity to other altcoins.

In my view, it is a good attempt to promote bitcoin in India as people can get their first units of bitcoin absolutely free. However, it would be nice if the site allowed people to shop with bitcoins too (which I don't think it will implement). What's your take on this, guys?

PS: The website is not launched yet but is accepting pre-signups and offering small bonuses in bitcoin, up to 0.025 BTC.
PS: This is not a paid promo or anything. I am just trying to create buzz because I think such services are good for the Indian domain.
8  Economy / Gambling discussion / The reason why Crash Games usually crash at lower values on: July 31, 2020, 05:47:57 PM
So yesterday a forum member asked me why Crash Games usually crash at lower multiples (mostly lower than 2x). Does that mean these games are not fair? Does that mean the owner of the site manipulated the game so lower multipliers appear more often than the higher multipliers? I thought other forum members may have these doubts too, so I decided to create this thread.

First of all, the algorithm for the Crash Game was originally developed by RHavar for his well-known site: bustabit.com

Most of the sites having Crash as a game are using one or the other version of his algorithm. Basically, the crash game is based on this mathematical formula:

CRASH MULTIPLIER = [(E*100 - H)/(E-H)]/100

E is the extreme value and is referred to as the limit, while H is a whole number which can be any number smaller than E. So for example, if E is 10 then H can be any number between 0 and 9. Hence, the range for H is 0 to (E-1).

Now let's calculate the crash multiplier value for every possibility of H when E = 10.

Possibilities   Multiplier
H=0             1
H=1             1.11
H=2             1.24
H=3             1.42
H=4             1.66
H=5             1.99
H=6             2.48
H=7             3.31
H=8             4.96
H=9             9.91


So what do we notice above? Among 10 possible values of H, the multiplier value as calculated by the formula gave a value lower than 2 for 6 events! We can practically ignore the H=0 case because it won't be possible practically. Hence, in 5 out of 9 cases, the value is lower than 2x. This is nothing but probability. By the rule of probability, there is always a 50% chance that the multiplier value will be lower than 2x and a 50% chance of a value higher than 2x. However, there is another catch: did you notice that H is subtracted from the numerator in the formula before dividing it by (E-H)? This subtraction gives the House Edge to the casino owner.

So, apart from this catch (which is fair since the casino is running a business), Crash Games are 100% fair and it's due to the law of probability that the multiplier crashes below 2x almost 50% of the time.

After Bustabit v2, most of the crash games started using this formula to calculate multiplier:

CRASH MULTIPLIER = 0.99*E/(E-H)


This formula is almost the same as the earlier formula. Only the fixed House Edge of 1% is the difference. However, sites like Roobet are still using the old formula.

Note: Casino owners can practically take any value as E and then the range [0, E-1] will become H. However, since provably fair results are based on hashes which represent values in binary, E has to be a multiple of 2 e.g. 2^2, 2^3, 2^4 and so on. But there is an inherent limitation of Javascript that it cannot precisely show floating numbers beyond 64 bits, so most of the sites use 2^52 as E and the range [0, 2^52-1] for H. With the recent introduction of BigInt, it is now possible to precisely represent numbers larger than 2^53-1 in Javascript. Let's see if any casino will use the whole hash i.e. a 256-bit number as H in future, which will make E = 2^256.
9  Economy / Trading Discussion / How do you make `Trading` profitable? on: July 29, 2020, 03:50:44 PM
This is my long-standing question - How do you make Trading profitable?

Now let me explain the point:

I have been trading in shares, stocks, commodities and cryptocurrencies for the last few years. Most of the concepts related to trading such as Trend Analysis and Fundamental Analysis were part of my professional course, which made me interested in trading since I was a student. Over the years I have been able to read trends accurately many times and bought cryptocurrencies at times immediately before an upward trend. But one thing is still a mystery to me: when to sell?

For example, around 10-12 days ago, I accurately predicted the upcoming rally in the bitcoin price and went long 0.50 BTC at 25x leverage @ $9150. Two days later, the price rose to $9350. I had already made a 56% return on my investment in just 2 days. Now this is the critical point where I always go blank. Once I have made a profit, I can't predict whether it is better to sell or hold for more profit. No matter what I do, I always make the wrong choice. Actually I sold my futures that day, but imagine if I hadn't sold: my investment would be up by 538%!! Imagine a profit of 538% in just 10 days!!

The same thing happens the other way round too. Lots of times, I keep holding coins due to FOMO and lose the chance of making a profit. Suppose I was still holding my futures and didn't sell them today; the price may fall again tomorrow and I may lose the chance of making 538%.

Let me rephrase my question for better understanding: Which signals, what techniques, which movements do you consider while making selling decisions so that you always make the best possible profit in the given scenario? If I had chosen the right time to sell my futures, I would have made 10 times more profit.
10  Bitcoin / Project Development / Free open-source Dice Script with Chat Box (Provably Fair) with Admin Panel on: May 13, 2020, 08:56:51 AM
Hello Guys,
So the day before yesterday (halving day), I was enjoying/chatting with other Bitcointalk members on the Discord server created by Cyrus and was looking to do something else on my parallel screen. At first I started playing poker but lost the first couple of bets and soon realized it wasn't my day. Then it struck me: why not create a Dice Script! For the next 4 hours, I created a complete dice game with a provably fair add-on and a chat box from scratch. Yesterday I had an office meeting, so I finally got time today to deploy it, and I created a GitHub Repository too.

So guys, presenting you my Dice Game Script:

GitHub Repository: https://github.com/web-tricks/dice

Online Implementation of Script: https://casino.webtricks.website/
(I am giving away 500 BTC to everyone just for signing up so go on give it a try).

If you wanna test admin panel, check out this implementation: http://dummy.webtricks.website
Username for admin account is: 'admin' and password is 'admin123'

I have created the game on a single-page application model. There is only one page on the site: login, register, game, provably fair verification, chatting, everything can be done from the home page itself. The site isn't optimized for mobile display, so if you open it on mobile don't get scared.

Note: I have written the whole script in just over 4 hours and haven't tested any code except some basic validation, so make sure to test each and every line of code if you plan to use any part of this script for PRODUCTION PURPOSES.

More guide can be found in README.md file in GitHub Repository.

If you liked the script and want me to add more games and deposit/withdraw functionality to the script, write down below to let me know.
11  Economy / Gambling discussion / Which of the two will you choose as a gambler? on: May 01, 2020, 07:11:05 AM
Account security and anonymity have major importance in the crypto gambling industry. I will explain two authentication processes and their pros/cons that an under-development project is considering. Through this thread I want to take the views/suggestions of the community on the better of the two processes. Here are the candidates:

Option 1: Email Based Authentication

Under this option, you will be asked by the casino to fill in a username, password and email id on registration. To increase security, you will be asked to set up 2FA authentication. To make a withdrawal, you have to confirm the email id.

Pros:
Easy to use and remember.
Easy to recover the account if the password gets compromised.

Cons:
Easy to hack and brute-force.
Identity may be linked if the same email is used somewhere else on the web.
Always need an additional device (phone) to login (for the 2FA code).


Option 2: Keys Based Authentication

Under this option, you will be asked to fill in a username and password on registration. Then a private code (long alphanumeric) will be generated for you and encoded with the help of the password you entered in the first step. Now you have to store the private code somewhere safe. From then on, you have to paste the private code and password to login to the system.

Pros:
Complete anonymity
Highest degree of security. No one can hack or brute force your account even if the database is compromised.

Cons:
Extra care needed to maintain the security of the private code.
Since the code is not saved anywhere on the server side, losing the code = losing the account.
One mistake and your account is gone.
Impossible to change the code. If you give away the code to someone over a phishing page, etc., then you cannot retrieve/secure the account again.


That's all. Which of the two systems would you prefer as a crypto gambler? Suggestions/views are welcome.
12  Other / Meta / How are these accounts living 10 seconds in one second? on: April 27, 2020, 07:34:26 AM
I was checking the Bitcointalk stats when I noticed the accounts in the 'Most Time Online' list:



Sorry if I am missing something, but all these accounts were registered in August 2018, which means even if they remained online 24 hours a day, the maximum can be 610 days or something. How can these accounts remain online 12 times more than the possible time?
13  Economy / Currency exchange / (W) 0.10 ETH || (PAYING) $18 in BTC on: April 10, 2020, 02:42:13 PM
Looking to buy 0.10 ETH.
Paying $18 in BTC as per preev rate. Looking for a quick deal.

PM me or message me on Telegram @webtricky
14  Other / Meta / My Newbie Expedition on: March 25, 2020, 04:47:33 PM
Finally, after 4 days of work from home, my company halted operations for 3 days due to the recent lockdown announcement, which means I had 4 additional hours at my disposal today. So I decided to go on an expedition and during the last 3 hours, I traveled around 150 threads, reading over 1000 posts. The purpose of this expedition was to find quality newbie accounts having zero merits and give them their first merit.

The basic factor for giving merit was that either the account has written a good post or has overall adequate quality. During this expedition, I checked more than 80 newbie accounts but most of them were awful, clearly spamming or a clear case of account farming. Prior to starting, I had 34 sMerits at my disposal which I thought I would easily send to 34 deserving newbies in less than an hour, but to my surprise, the forum is seriously lacking new accounts who are genuine posters. So in the end I was hardly able to find 20 accounts after 3 hours, and this is where I decided to stop for today.

Other factors considered while giving merits:
  • At least 15 posts or a 15-day-old account (exception if a high quality post is made)
  • Due diligence is done to determine whether the account is an alt/farmed or not
  • One merit per account is given to cover as many newbies as I can. I will give more merits later to certain posts which I think deserved more than 1 merit.

Here are the newbies benefited from my expedition:
kpllvd
BlinkInDie
naaimmd
OGEOS
ExpressVPN
Pronzegirl
HodlerKing101
viennemariela
Mr_know_it_all000
OracolXor
Sternbinder
merc1969
kemoglo
bdbountyon
bithisach
TCW003
Scotslass
Kaonashi1993
lesjokolat
CryptoLordguru
15  Other / Beginners & Help / What is Elliptic Curve Cryptography? Understand how is it related to Bitcoin. on: March 14, 2020, 09:46:31 AM
Ever wonder why it isn't possible to guess the private key from a bitcoin address? How the private key keeps your funds safe? How signatures can only be generated using the private key but can be verified using the public key? The answer to all these questions is Elliptic Curve Cryptography (ECC). Although ECC is not unique to Bitcoin and was introduced much before Bitcoin, it is one of the most important fundamentals of Bitcoin. With just a few lines of code, ECC ensures that funds on an address remain safe and only the person holding the private key can access those funds.

Ok! Now let's dive deep into the topic. I will not explain the basics of Elliptic Curve Cryptography in this thread. Rather I will take the essential components of ECC which are used in Bitcoin and only explain things from Bitcoin's point of view so things remain easy to understand.

Section 1: Parameters used in ECC

Bitcoin uses a specific elliptic curve known as secp256k1. SECG has defined the exact values for the various parameters that are used in the calculations for the secp256k1 curve. There are a total of 6 parameters but we only need 3 for the calculation. Let's have a look at these three parameters first:

P = 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1

G = 04 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798 483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8

n = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141

These values may be a bit confusing for now but let's understand them. P is a very large prime number which is used to calculate the mod in the formula.

G is the generator point. It has 3 parts:
(i) 04, which shows that the point is in uncompressed form.
(ii) The next 64 characters are the hexadecimal representation of the X coordinate of the generator point, which when converted into an integer looks like this: 55066263022277343669578718895168534326250603453777594175500187360389116729240
(iii) The next 64 characters are the hexadecimal representation of the Y coordinate of the generator point, which when converted into an integer looks like this: 32670510020758816978083085130507043184471273380659243275938904335757337482424

You may have studied in mathematics that the point (2,4) means the point is 2 on the X-axis and 4 on the Y-axis. Something like this:



Similarly the G point is nothing but a point on a graph with very large coordinates, like this:



Lastly, n represents the maximum integer value of a private key. Any number between 0 and n is a valid private key. n when converted into an integer is this number: 115792089237316195423570985008687907852837564279074904382605163141518161494337.

Section 2: Formulas used in ECC

Basically there are three formulas that make up Elliptic Curve Cryptography, namely ECAddition, ECDouble and ECMultiplication. Although we use terms like addition, double and multiplication, these calculations are not like general addition or multiplication. These are much more complex. As I said earlier, this thread is not about Elliptic Curve Cryptography but about how it is used in Bitcoin, so I won't explain these formulas and how they are derived. Let's keep this thread simple and understandable.

Section 3: ECC in Bitcoin

Now comes the most important and interesting part. How ECC is used in Bitcoin!

This is the system of applying ECC on the private key to calculate the public key:

1. Convert the hex of the private key into its binary representation.
2. Ascertain the number of characters our binary representation has.
3. Let's say our binary representation has 256 characters; then we have to apply the ECMultiply formula 256 times. ECMultiply involves applying ECDouble on the G point and then, if the binary character is 1, applying the ECAdd formula on the resulting value. Else if the binary character is 0, ignore ECAdd and move to the next character.
4. Note: We don't have to apply the ECAdd formula on the first character even if it is 1.
5. Keep on repeating this and the final point we get after 256 rounds will be our public key.

Confusing? Let's understand this with an example: Since the private key can be any number between 0 and n, let's assume 145 as our private key. The hex representation of our private key will be: 0xa8.

Now according to step 1, we have to convert our private key into binary, which is: 10010001
Now according to step 2, we have to ascertain the length of our binary, which is: 8.
Now according to step 3, we have to do ECMultiply 8 times. Let's do it:

(I am using short form D() for ECDouble and A() for ECAdd)

Round   | Starting value                | Binary character | ECDouble | ECAdd             | Value going next round
First   | G                             | 1                | Yes      | No (read step 4)  | D(G)
Second  | D(G)                          | 0                | Yes      | No (0)            | D(D(G))
Third   | D(D(G))                       | 0                | Yes      | No (0)            | D(D(D(G)))
Fourth  | D(D(D(G)))                    | 1                | Yes      | Yes (1)           | A(D(D(D(D(G)))),G)
Fifth   | A(D(D(D(D(G)))),G)            | 0                | Yes      | No (0)            | D(A(D(D(D(D(G)))),G))
Sixth   | D(A(D(D(D(D(G)))),G))         | 0                | Yes      | No (0)            | D(D(A(D(D(D(D(G)))),G)))
Seventh | D(D(A(D(D(D(D(G)))),G)))      | 0                | Yes      | No (0)            | D(D(D(A(D(D(D(D(G)))),G))))
Eighth  | D(D(D(A(D(D(D(D(G)))),G))))   | 1                | Yes      | Yes (1)           | A(D(D(D(D(A(D(D(D(D(G)))),G))))),G)

So this value: A(D(D(D(D(A(D(D(D(D(G)))),G))))),G) will be a point on the graph having two coordinates (X,Y). This point will be our public key, which is then converted into a Bitcoin Address. D() means we are applying the ECDouble formula on the value within brackets while A() means we are applying the ECAddition formula on the value within brackets. Note that ECAddition requires two points for the calculation, hence the first point is our result value while the second point is the G point.

Wanna see this code in action? Check out my other thread where I have created a Bitcoin Address from a private key from scratch: https://bitcointalk.org/index.php?topic=5223167.0 . I have provided the complete ECAdd, ECDouble and ECMultiply formulas in that thread as Javascript functions. You can learn in depth about these formulas from various online resources and then check their working through my code.

Section 4: What makes ECC safe?

So we have done immense calculation in step 3. But what actually makes this calculation irreversible? Why can't we calculate the private key from the public key by applying ECDouble and ECAdd in reverse order (after all we are using G as the input, whose value is known to all)? The reason why ECC is so invincible is due to the use of modulus and modulus inverse in the ECDouble and ECAddition formulas. So what are modulus (or mod) and modulus inverse (or mod inverse)?

The mod of any two numbers, say mod(14,6), is the remainder obtained after dividing the first number by the second. For example, when 14 is divided by 6 the remainder is 2. So the mod of 14 and 6 is 2. Whereas the mod inverse is the number which, when multiplied with the first number and then divided by the second number, leaves a remainder of 1. For example, the mod inverse of 3 and 11 is 4 because 3 multiplied by 4 gives 12, which when divided by 11 leaves a remainder of 1.

ECC uses these two in both ECDouble and ECAdd. So after every round of ECMultiply, we are only taking the remainder into the next round. We are discarding any quotient obtained in the calculation, which makes the reverse calculation almost impossible. For example, even if you know that the remainder is 2 and the number which divided the first number is 6, you can't say for certain that the first number is 14, because it could be 8 or 14 or 20 and so on. In ECC, we use mod lots of times and on top of that, we are dealing with very large numbers (remember P from Section 1? P is used to calculate the mod in the ECDouble and ECAdd functions). So virtually it's impossible to do the reverse calculation.

I hope this thread made you a little more knowledgeable about Bitcoin and why it is one of the best innovations of the 21st century. If you already know about ECC and think something in this thread needs to be improved, please let me know and I will make the necessary amendments.
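The three operations of Section 2 and the private-key-to-public-key walk of Section 3, as an added example that is not code from the original post or from the linked thread: secp256k1 point doubling, point addition and left-to-right double-and-add scalar multiplication in Node.js using BigInt, with P, G and n taken from Section 1. The modular inverse of Section 4 is computed with the extended Euclidean algorithm. Representing the point at infinity as `null`, the `isOnCurve` check and the compressed-key encoding are my conventions, not the post's.

```javascript
// Added example, not code from the original post: secp256k1 arithmetic with BigInt and the
// standard left-to-right double-and-add scalar multiplication (k*G). Node.js, no dependencies.

// Curve parameters from Section 1 (secp256k1: y^2 = x^3 + 7 over the field of size P)
const P = 2n ** 256n - 2n ** 32n - 2n ** 9n - 2n ** 8n - 2n ** 7n - 2n ** 6n - 2n ** 4n - 1n;
const N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141n;
const G = {
  x: 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798n,
  y: 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8n,
};
const INFINITY = null; // convention used here for the point at infinity (the group identity)

function mod(a, m = P) { const r = a % m; return r < 0n ? r + m : r; }

// Modular inverse (the 'mod inverse' of Section 4) via the extended Euclidean algorithm
function modInverse(a, m = P) {
  let [oldR, r] = [mod(a, m), m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const q = oldR / r;
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) throw new Error('value is not invertible modulo m');
  return mod(oldS, m);
}

// ECDouble: tangent slope 3x^2 / 2y (the curve's a coefficient is 0)
function ecDouble(p) {
  if (p === INFINITY || p.y === 0n) return INFINITY;
  const lambda = mod(3n * p.x * p.x * modInverse(2n * p.y));
  const x = mod(lambda * lambda - 2n * p.x);
  const y = mod(lambda * (p.x - x) - p.y);
  return { x, y };
}

// ECAdd: chord slope (y2 - y1) / (x2 - x1), with the identity and P + (-P) handled
function ecAdd(p, q) {
  if (p === INFINITY) return q;
  if (q === INFINITY) return p;
  if (p.x === q.x) return p.y === q.y ? ecDouble(p) : INFINITY;
  const lambda = mod((q.y - p.y) * modInverse(q.x - p.x));
  const x = mod(lambda * lambda - p.x - q.x);
  const y = mod(lambda * (p.x - x) - p.y);
  return { x, y };
}

// ECMultiply, left to right over the bits of k: the leading 1 bit initialises the accumulator
// to the point; every later bit doubles, then adds the point when the bit is 1.
function ecMultiply(k, point = G) {
  if (k <= 0n) throw new RangeError('scalar must be positive');
  let acc = point;
  for (const bit of k.toString(2).slice(1)) {
    acc = ecDouble(acc);
    if (bit === '1') acc = ecAdd(acc, point);
  }
  return acc;
}

function isOnCurve(p) {
  return p !== INFINITY && mod(p.y * p.y - p.x ** 3n - 7n) === 0n;
}

// Public key = k*G for a private key k in [1, n-1]
function privateKeyToPublicKey(k) {
  if (k <= 0n || k >= N) throw new RangeError('private key must be in [1, n-1]');
  return ecMultiply(k);
}

// 33-byte compressed encoding: 02/03 prefix by parity of y, then x
function compressedPublicKeyHex(p) {
  return (p.y % 2n === 0n ? '02' : '03') + p.x.toString(16).padStart(64, '0');
}

console.log('mod inverse of 3 mod 11:', modInverse(3n, 11n));
console.log('public key for k = 145:', compressedPublicKeyHex(privateKeyToPublicKey(145n)));
```

Two sanity checks worth running on any hand-rolled implementation: the result for every k must satisfy y^2 = x^3 + 7 (mod P), and n*G must come out as the point at infinity, which only happens when doubling, addition and the P + (-P) case are all correct.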
16  Other / Meta / MOVED: BTCTALK CARDS - The Real-time Custom Cards for Bitcointalk Members on: March 12, 2020, 04:25:37 PM
This topic has been moved to Project Development because I (webtricks) think it is more appropriate there. If mods have different view then they can move the thread again to Meta section.

https://bitcointalk.org/index.php?topic=5202297.0
17  Economy / Currency exchange / Want to buy BTC for PayPal (closed) on: March 12, 2020, 01:19:22 PM
Hello Guys,
Looking to buy BTC for PayPal. If anyone wants to sell,.please send me your rate in either PM or at Telegram: @webtricky.
18  Local / India / Supreme Court of India overruled the RBI Circular (Good news for Indians) on: March 04, 2020, 01:38:47 PM
A great day for crypto users in India. Finally a favourable verdict for us from the honourable Supreme Court. I would like to thank the Internet and Mobile Association of India (primary petitioner) and others. It wasn't an easy task to go against the invincible financial body of the country and win the case. It is also a tight slap on the face of people who claim that the government controls the RBI, courts, everything. There are already two or three active threads on this topic but I decided to create another one as I feel the information in this thread should be separately shared so that it can get more exposure.

It was actually surprising for me because most of us thought it wouldn't be possible to win the case, hence I decided to read the complete judgement of the Supreme Court on this case. I must say it was quite fruitful and interesting to read. There are many points I find very exciting in the judgement, some of which are:

1. Inefficiency of Government - Even if you are a supporter of the current government, you have to agree that the government proved to be horribly inefficient in dealing with the matter of cryptocurrencies. The government created a committee but surprisingly the two bills drafted by it were contradictory. Hence the court found those inappropriate to take into consideration for this case. It weakened the position of the RBI in the case.

2. Doctrine of Proportionality - This doctrine states that if the state decides to take away or make any intrusion into the liberty of people, such intrusion must be legal, must be in the state's interest and the means of adopting such intrusion must be correlated with public interest. However, the RBI decision was not considered proportional by the court and the same was set aside by the court.

3. No loss to RBI-regulated entities - This is the most important aspect considered by the court. The court came to the conclusion that none of the entities regulated by the RBI has suffered any loss or adverse effect due to the accounts of crypto exchanges maintained with it. Thus, taking the case of State of Maharashtra v. Indian Hotel and Restaurants Association as precedent, the court considered this aspect sufficient to overrule the RBI's circular.

Another important decision taken in the judgement is that the court obliged the RBI to direct the Central Bank of India (the bank with which Koinex has an account) to release ₹12 crore of Koinex's funds frozen by the bank. The court found that since Koinex is not carrying on unlawful business and has not damaged the bank in any way, there is no legal ground why the funds of Koinex should be held by the bank. This decision has two positive impacts for Indians:
  • Koinex can once again come into service, which they halted on 27th June, 2019.
  • Banks have no ground to freeze your bank accounts if you are buying/selling cryptocurrencies with your bank account. You now have the power to legally sue your bank if they do so, and this judgement will act as a precedent for your case.

Link to the judgement: https://main.sci.gov.in/supremecourt/2018/19230/19230_2018_4_1501_21151_Judgement_04-Mar-2020.pdf
19  Economy / Gambling discussion / Do you verify every bet as a gambler? Provably Fair Guide. on: February 21, 2020, 04:56:25 PM
UPDATE (31/08/20): BTCGOSU has launched the biggest third-party provably fair verifier tool, where you can verify bets for over 25 casinos on a single page. Check it out now: https://www.btcgosu.com/tools/provably-fair-verifier/

Provably Fair Script is one of the basic elements of online gambling, especially for crypto-based casinos. However, most gamblers don't give a dime about it, while some don't even know what it is and how it operates. I started crypto gambling in 2016 and didn't know about Provably Fair for most of my initial gambling days. But believe me, in the absence of Provably Fair, you are not gambling, you are just being cheated by the house.

The basic idea of this thread is to share my views on the PF script and how to make the most out of it. I have spent a few weeks developing unique logic for a Provably Fair script for an upcoming gambling site, clubbing it with blockchain technology. While developing it, I visited around 20 casinos and tried their PF scripts to understand current practice. However, this thread is not about my script but about current practice.

If you are in this section, you have probably heard about the Provably Fair script and may be verifying your bets too. But have you ever tried to understand the logic behind it? If not, let me give a brief explanation of how the Provably Fair system works.

Different gambling sites use different Provably Fair implementations; however, the basic idea is to generate a random number based on three factors: client seed, server seed and nonce.

Client seed: It can be anything. It is up to the player to choose anything as his client seed. For example, I can use 'webtricksClientSeed' as my client seed or 'thisIsMyRandomClientSeed'. However, while choosing a client seed make sure of three things:
(i) Always choose a new seed for a new bet (never try the same client seed with a new server seed).
(ii) Don't choose easily identifiable seeds like the ones I mentioned above (close your eyes and type random numbers and letters. I do it like this and it works).
(iii) The site will generate a random client seed for you but don't use it. Always choose your own.

Server Seed: It is generated by the server. The server will choose a random string of random length and convert it to a sha256 hash, which will be provided to you. For example, if the server picks 'thisIsRandomSeed' as the server seed then this will be provided to you: 45006cccc7e44ee0b6c0752469de2fe1ad6bff589fb789bfb60773224cf2cc0a.
Since sha256 is one-way hashing, you will know the sha256 hash before making a bet but you cannot decipher the server seed before betting. The site will show you the unhashed server seed once you change your seeds. Then you can verify that the sha256 hash of the server seed is the same as what was presented to you before the bet.

Nonce: In the context of Provably Fair, the nonce is mostly regarded as the number of times you have made a bet with the combination of the same client and server seed. For example, if I make two bets with 'ClientSeed' as client seed and 'ServerSeed' as server seed then the result of the bet will be generated on the basis of 'ClientSeed+1+ServerSeed' for the first bet and 'ClientSeed+2+ServerSeed' for the second bet.

Here is graphical illustration of what I just said:


(Some people say my drawings are as good as Picasso's.)

Now coming to how results are derived from these seeds. As I said earlier, different sites use different logic to determine the result. However, there is one basic logic which is used by around 80% of casinos, notably Fortunejack, PrimeDice, Bitsler etc. This is how it works:

Step 1: First of all let's assume three variables. Server seed = 'ServerSeed', client seed = 'ClientSeed' and nonce = 1. Now we have to use HMAC authentication by hashing our variables using the sha512 hashing algorithm. The server seed will serve as the secret key to generate the hash, while the client seed and nonce will be used as the input like this: 'ClientSeed-1' or 'client seed - nonce'.

Step 2: So the hash of the above seeds will look like this: 671e7387e26fa724d089521805430866b29f6849ad2928a26e5ed01101f72f57883b972f20f9464d99ab13c2adcf37bd955863c69697739628d70969adba1ab3

Step 3: Not going into technical terms and simply sticking to layman's language, we have to take the first 5 characters of the hash i.e. 671e7. Now we have to convert these 5 characters from a hex value to an integer value, which will be: 422375.

Step 4: If the integer value is between 0 and 1 million (1,000,000) then it's ok. But if it is more than or equal to 1M then we will use the next 5 characters from the hash. But since in our case 422375 is less than 1000000, this number will determine the result.

Step 5: In this step, we will simply divide the value by 10000 and take the remainder for the next step. In our case, 422375 when divided by 10000 leaves 2375 as the remainder, which will be considered for the final step.

Step 6: In this step, we will simply divide the remainder by 100 and this will determine the final result. In our case it will be 23.75. This should match the dice roll. If not, then the site is most probably cheating you.



Now coming to the most important part. Probably this part is the main reason why I created this thread. Although the above system is foolproof, site owners can easily fool you if you aren't paying enough attention. So here are a few points you should consider while gambling:

(i) Always copy the server seed hash shown to you before betting.
(ii) After the bet is complete, create a new client seed. Make sure the server seed is also changed along with it.
(iii) Once the new client seed is created, the site will show you the unhashed server seed of the previous bet. Copy it and convert it to a sha256 hash using some third-party online tool.
(iv) Match the server seed hash that you copied in step (i) to the one generated in step (iii) and make sure both are exactly the same.

Two days ago, I tested my code with a few people. I showed them a different server seed hash before the bet, and after the bet I kept the first 6 characters the same, the last 3 characters the same and a few similar characters in the middle. It took just 30-40 seconds for my machine to generate such a hash. With a more powerful machine, I can speed up the process and create more matching characters. To my surprise, none of the testers noticed that they were shown a different server hash before and after the bet. It is human tendency to only consider a few letters (probably the starting and ending ones) when presented with a random word like a hexadecimal hash. So with the bare eye, no one was able to notice the difference. So be safe and make sure you verify every bet you make. Being a coding enthusiast, I can assure you that it is very much possible for the house to easily manipulate results without the player even noticing.

Another thing you can do is use cross-casino verification. For example, Fortunejack and Bitsler use the same script, so you can verify your Fortunejack bets using Bitsler's verification script.
20  Local / India / Binance finally integrated WazirX P2P (How good is it?) on: February 17, 2020, 06:33:45 AM
Hello guys,

So this morning I received a mail from Binance stating that they have finally integrated the much-awaited WazirX P2P on their site. Now it was time to test what benefits we are going to get from this hot acquisition.

So the first step is to connect your WazirX account with your Binance account. This step is quite simple; you just have to click 'WazirX Wallet' from the 'Wallet' dropdown in the menu, like in the image below:



Then you will be redirected to the WazirX website. Here you will be asked to login with your Binance account. But since you are already logged in with Binance, you just have to click proceed and enter the WazirX 2FA authentication code if you set one. That's it. The first step is done.

The next step involves sending USDT from Binance to WazirX. Once again, click 'WazirX Wallet' from the menu and you will be redirected to a form. You just have to mention the amount of USDT you want to send to WazirX, then fill in the 2FA code if any and finally confirm the withdrawal request via the email confirmation.

Here comes the magic part. You will receive the exact USDT you requested in a fraction of a second (almost immediately) in your WazirX account.

So the biggest takeaway from this integration is that now we Indians can sell a range of cryptos with high liquidity on Binance and then send the USD to WazirX at zero fees almost immediately, where we can finally convert USDT to INR at good rates.