Same recovery seed, many Bitcoin addresses, how?

[HeatBit]

I really want to know how this is possible with Bitcoin.

Just one recovery seed and you have different wallet addresses, how?
I can give my boss a bitcoin address for receiving my salary. I can also give another to my friend for one time payment, and they are all belong to that same one recovery seed.

How is this possible? Normally I have always believe that one recovery seed belongs to one bitcoin address.
I guess I still have a lot to learn and know about Bitcoin.

[Cookdata]

How is this possible? Normally I have always believe that one recovery seed belongs to one bitcoin address.
I guess I still have a lot to learn and know about Bitcoin.

I think you have to stop believing and start learning.

https://learnmeabitcoin.com/technical/keys/hd-wallets

[coinlary]

Yes a lot, with the kind of question  you just asked.
Read this : https://learnmeabitcoin.com/technical/keys/hd-wallets , that's  the answer to your question.
Cook data was quick to post that already.

You're  confusing Seed-phrase with private key, every  bitcoin address has a single private key . When you  try to recover your sats with  single address private key, it will recover just that particular address .  When you're done reading and you don't understand,  ask questions on the Bitcoin technical support board.

[hosemary]

Your seed phrase actually represents a random number and generates your master private key. Then your master private key generates your individual private keys deterministically.
All of this is done through some mathematical calcualtions and that's how make you have multiple addresses.

Note that you can also have a single private key and a single address, but it's more common to use a HD wallet with seed phrase. In this way, all you need to save is the seed phrase and you don't have to manage many private keys.

[SeriouslyGiveaway]

I think you have to stop believing and start learning.

https://learnmeabitcoin.com/technical/keys/hd-wallets

The Mastering Bitcoin book with chapter 5 - Wallets is another good resources for learning about HD wallets.

Hierarchical Deterministic (HD) Key Generation (BIP32). HD wallets are better than Deterministic wallets as it is very well-organized and helpful for users in accounting too.

Every modern Bitcoin wallet of which we’re aware uses hierarchical deterministic (HD) key generation by default. This standard, defined in BIP32, uses deterministic key generation and optional public child key derivation with an algorithm that produces a tree of keys. In this tree, any key can be the parent of a sequence of child keys, and any of those child keys can be a parent for another sequence of child keys (grandchildren of the original key). There’s no arbitrary limit on the depth of the tree.

[hmbdofficial]

How is this possible? Normally I have always believe that one recovery seed belongs to one bitcoin address.
I guess I still have a lot to learn and know about Bitcoin.

Well, is this simple on hierarchical deterministic the seed phrase will generate the seed, the seed will generate the   Master private  key which is sometimes called the extended private key.

The master private key can as well generate all the private keys ( child private key) and it’s corresponding addresses
The master private key can generate the master public key, and the master Public key can generate all the public key with its corresponding address.
You may  see the tree bellow;

Source:   https://arshbot.medium.com/hd-wallets-explained-from-high-level-to-nuts-and-bolts-9a41545f5b0

[ertil]

I really want to know how this is possible with Bitcoin.

It is possible, because you can always add, subtract, multiply or divide any known public key, by any known number.

For example: only Satoshi knows the private key to the Genesis Block: https://mempool.space/address/04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f

We can compress it, to make it shorter, and preserve the same private key:

Code:

04 678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6 49f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f
03 678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6

And now, we can test some operations, where some known public key can be modified. Let's test addition:

Code:

SHA-256("addition")=77f930e4b1a527037bb9daf4dd0546e592166c78f229211635ec5387afe52d8c
privateKey*G=03678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6
(privateKey*G)+77f930e4b1a527037bb9daf4dd0546e592166c78f229211635ec5387afe52d8c=03C920F3CD3775B74110C84CCD4C3EF49085B07B0908B6762F271A22F301583755

Which means, that we can use 03C920F3CD3775B74110C84CCD4C3EF49085B07B0908B6762F271A22F301583755 as a new public key instead. And the recipient could simply add 77f930e4b1a527037bb9daf4dd0546e592166c78f229211635ec5387afe52d8c to the private key, and then get a matching key, allowing him to spend it. In the same way, we can test subtraction, by adding "n-number" to our public key:

Code:

n=fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
n-77f930e4b1a527037bb9daf4dd0546e592166c78f229211635ec5387afe52d8c=8806cf1b4e5ad8fc8446250b22fab9192898706dbd1f7f2589e60b05205113b5
03C920F3CD3775B74110C84CCD4C3EF49085B07B0908B6762F271A22F301583755+8806cf1b4e5ad8fc8446250b22fab9192898706dbd1f7f2589e60b05205113b5=03678AFDB0FE5548271967F1A67130B7105CD6A828E03909A67962E0EA1F61DEB6

And, as we can see, by starting from 03C920F3CD3775B74110C84CCD4C3EF49085B07B0908B6762F271A22F301583755 and adding 8806cf1b4e5ad8fc8446250b22fab9192898706dbd1f7f2589e60b05205113b5, we can go back to our 03678AFDB0FE5548271967F1A67130B7105CD6A828E03909A67962E0EA1F61DEB6 public key. Now, let's test multiplication in the same way:

Code:

SHA-256("multiplication")=6b8370563d27b789779ff9f2839f7575c0ad6918056d9b2b60609d6743bc0e76
03678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6*6b8370563d27b789779ff9f2839f7575c0ad6918056d9b2b60609d6743bc0e76=027ECCA53971D9055E22148B38423D1B2F297BB027ACEE6B88200713BC47EAF2F0

As previously, we can multiply known public key 03678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6 by known number 6b8370563d27b789779ff9f2839f7575c0ad6918056d9b2b60609d6743bc0e76 and get 027ECCA53971D9055E22148B38423D1B2F297BB027ACEE6B88200713BC47EAF2F0 as a result. The recipient can multiply its private key, which would allow him to move the coins. And finally, we can test division:

Code:

n=fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
1/6b8370563d27b789779ff9f2839f7575c0ad6918056d9b2b60609d6743bc0e76=43f2a611a0a8b11bb9a627f7d69af10e3fe71e267bfa3e7475efc4f8412c5587
027ECCA53971D9055E22148B38423D1B2F297BB027ACEE6B88200713BC47EAF2F0*43f2a611a0a8b11bb9a627f7d69af10e3fe71e267bfa3e7475efc4f8412c5587=03678AFDB0FE5548271967F1A67130B7105CD6A828E03909A67962E0EA1F61DEB6

As we can see, by starting from 027ECCA53971D9055E22148B38423D1B2F297BB027ACEE6B88200713BC47EAF2F0 and multiplying it by 43f2a611a0a8b11bb9a627f7d69af10e3fe71e267bfa3e7475efc4f8412c5587, we can get back 03678AFDB0FE5548271967F1A67130B7105CD6A828E03909A67962E0EA1F61DEB6.

So, addition, subtraction, multiplication, and division works, as long as all numbers are known. Which means, that if you have a HD wallet, then you just start from some known public key, you use that kind of operations, to reach a different public key, and then, other people could compute your new addresses, send coins there, and you can apply the same operations on your private keys, to spend these coins later. This is how non-hardened HD wallets work. For hardened HD wallets, the same operations are just applied on private keys alone.

Because there are only fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364140 valid public keys, and a point at infinity. Every addition, subtraction, multiplication, and division, is always done in range from 1 to fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364140. If you start from some number, and you use these operations with known numbers, then private and public keys follow each other.

And now, if you want to understand, what is a signature, then it is just a relation between two public keys. You simply start from one public key Q, and you reveal two numbers, where "(Q+a)*b=R". Then, nobody knows the private key to Q public key, or R public key. But everyone knows "a" and "b", so all nodes can check, if it is valid. And because "a=z/r" and "b=r/s", and r-value is taken as x-value of the R public key, using randomly generated "a" and "b" won't break it. Also, z-value has to match SHA-256 of the simplified transaction, which means, that even if you would get random (r,s,z) values for some public key, which would pass secp256k1 validation alone, then still, you won't get a message, which will hash to this random z-value, without breaking SHA-256.

[BlackHatCoiner]

The replies above are more than sufficient, but I will narrow it down and tell you that you can think of a recovery seed like a random number, just like a private key. The difference with the seed, is that you use one random number to create infinite pseudo-random numbers that are equally cryptographically secure.

Instead of generating a private key each time, with no cryptographic relation, and thus having to back each one up separately, you use one "private key" (the seed) and derive infinite Bitcoin private keys by a hash function and an extra field. (i.e., SHA256(seed + '1'), SHA256(seed + '2') etc.)

Obviously in practice it's more advanced with master private & public keys and children of those keys, but that is the idea.