@scure/bip32

What is @scure/bip32?

@scure/bip32 is a JavaScript library for working with BIP-32 hierarchical deterministic (HD) wallets. It allows developers to generate and manage HD wallets, derive child keys, and perform various cryptographic operations related to BIP-32.

What are @scure/bip32's main functionalities?

Generate a Master Key

This feature allows you to generate a master key from a mnemonic seed phrase. The code sample demonstrates how to convert a mnemonic phrase to a seed and then generate a master key from that seed.

const { mnemonicToSeedSync } = require('@scure/bip39');
const { BIP32Factory } = require('@scure/bip32');
const ecc = require('tiny-secp256k1');

const bip32 = BIP32Factory(ecc);
const seed = mnemonicToSeedSync('praise you muffin lion enable neck grocery crumble super myself license ghost');
const root = bip32.fromSeed(seed);
console.log(root.toBase58());

Derive Child Keys

This feature allows you to derive child keys from the master key using a specific derivation path. The code sample shows how to derive a child key using the BIP-44 path.

const child = root.derivePath('m/44'/0'/0'/0/0');
console.log(child.toBase58());

Get Public Key

This feature allows you to extract the public key from a derived key. The code sample demonstrates how to get the public key in hexadecimal format.

const publicKey = child.publicKey.toString('hex');
console.log(publicKey);

Sign a Message

This feature allows you to sign a message using a derived key. The code sample shows how to sign a message and get the signature in hexadecimal format.

const message = Buffer.from('Hello, world!');
const signature = child.sign(message);
console.log(signature.toString('hex'));

Verify a Signature

This feature allows you to verify a signature using a derived key. The code sample demonstrates how to verify a signature and check its validity.

const isValid = child.verify(message, signature);
console.log(isValid);

Other packages similar to @scure/bip32

bip32

The 'bip32' package is another popular library for working with BIP-32 hierarchical deterministic wallets. It provides similar functionalities such as generating master keys, deriving child keys, and performing cryptographic operations. However, it may have different dependencies and performance characteristics compared to @scure/bip32.

hdkey

The 'hdkey' package is a lightweight library for handling BIP-32 HD wallets. It offers basic functionalities like key derivation and public/private key management. While it is simpler and easier to use, it may lack some advanced features provided by @scure/bip32.

bitcoinjs-lib

The 'bitcoinjs-lib' package is a comprehensive library for Bitcoin-related operations, including BIP-32 HD wallet management. It provides a wide range of functionalities beyond just BIP-32, such as transaction creation and signing. It is more feature-rich but also more complex compared to @scure/bip32.

README

scure-bip32

Secure, audited & minimal implementation of BIP32 hierarchical deterministic (HD) wallets over secp256k1.

Compared to popular hdkey package, scure-bip32:

• Supports ESM and common.js
• Is 418KB all-bundled instead of 5.9MB
• Uses 3 dependencies instead of 24
• Had an external security audit by Cure53

Check out scure-bip39 if you need mnemonic phrases. See ed25519-keygen if you need SLIP-0010/BIP32 ed25519 hdkey implementation.

This library belongs to scure

scure — secure, independently audited packages for every use case.

• Audited by a third-party
• Releases are signed with PGP keys and built transparently with NPM provenance
• Check out all libraries: base, bip32, bip39, btc-signer

Usage

npm install @scure/bip32

This module exports a single class HDKey, which should be used like this:

const { HDKey } = require("@scure/bip32");
const hdkey1 = HDKey.fromMasterSeed(seed);
const hdkey2 = HDKey.fromExtendedKey(base58key);
const hdkey3 = HDKey.fromJSON({ xpriv: string });

// props
[hdkey1.depth, hdkey1.index, hdkey1.chainCode];
console.log(hdkey2.privateKey, hdkey2.publicKey);
console.log(hdkey3.derive("m/0/2147483647'/1"));
const sig = hdkey3.sign(hash);
hdkey3.verify(hash, sig);

Note: chainCode property is essentially a private part of a secret "master" key, it should be guarded from unauthorized access.

The full API is:

class HDKey {
  public static HARDENED_OFFSET: number;
  public static fromMasterSeed(seed: Uint8Array, versions: Versions): HDKey;
  public static fromExtendedKey(base58key: string, versions: Versions): HDKey;
  public static fromJSON(json: { xpriv: string }): HDKey;

  readonly versions: Versions;
  readonly depth: number = 0;
  readonly index: number = 0;
  readonly chainCode: Uint8Array | null = null;
  readonly parentFingerprint: number = 0;

  get fingerprint(): number;
  get identifier(): Uint8Array | undefined;
  get pubKeyHash(): Uint8Array | undefined;
  get privateKey(): Uint8Array | null;
  get publicKey(): Uint8Array | null;
  get privateExtendedKey(): string;
  get publicExtendedKey(): string;

  derive(path: string): HDKey;
  deriveChild(index: number): HDKey;
  sign(hash: Uint8Array): Uint8Array;
  verify(hash: Uint8Array, signature: Uint8Array): boolean;
  wipePrivateData(): this;
}

interface Versions {
  private: number;
  public: number;
}

The hdkey submodule provides a library for keys derivation according to BIP32.

It has almost the exact same API than the version 1.x of hdkey from cryptocoinjs, but it's backed by this package's primitives, and has built-in TypeScript types. Its only difference is that it has to be be used with a named import. The implementation is loosely based on hdkey, which has MIT License.

Security

The library has been audited by Cure53 on Jan 5, 2022. Check out the audit PDF & URL. See changes since audit.

1. The library was initially developed for js-ethereum-cryptography
2. At commit ae00e6d7, it was extracted to a separate package called micro-bip32
3. After the audit we've decided to use NPM namespace for security. Since @micro namespace was taken, we've renamed the package to @scure/bip32

License

MIT License

Copyright (c) 2022 Patricio Palladino, Paul Miller (paulmillr.com)