scure-bip32

Audited & minimal implementation of BIP32 hierarchical deterministic (HD) wallets over secp256k1.

• 🔒Audited by an independent security firm
• 🔻 Tree-shakeable: unused code is excluded from your builds
• 📦 ESM and common.js
• ➰ Only 3 audited dependencies by the same author:noble-curves,noble-hashes,andscure-base
• 🪶 18KB gzipped with all dependencies bundled

Check outscure-bip39 if you need mnemonic phrases.Seekey-producer if you need SLIP-0010/BIP32 ed25519 hdkey implementation.

This library belongs toscure

scure — audited micro-libraries.

• Zero or minimal dependencies
• Highly readable TypeScript / JS code
• PGP-signed releases and transparent NPM builds
• Check outhomepage & all libraries:base,bip32,bip39,btc-signer,starknet

Usage

npm install @scure/bip32

deno add jsr:@scure/bip32

deno doc jsr:@scure/bip32 # command-line documentation

This module exports a single classHDKey, which should be used like this:

import {HDKey }from'@scure/bip32';const hdkey1=HDKey.fromMasterSeed(seed);const hdkey2=HDKey.fromExtendedKey(base58key);const hdkey3=HDKey.fromJSON({xpriv: string });// props[hdkey1.depth, hdkey1.index, hdkey1.chainCode];console.log(hdkey2.privateKey, hdkey2.publicKey);console.log(hdkey3.derive("m/0/2147483647'/1"));const sig= hdkey3.sign(hash);hdkey3.verify(hash, sig);

Note:chainCode property is essentially a private partof a secret "master" key, it should be guarded from unauthorized access.

The full API is:

classHDKey {publicstaticHARDENED_OFFSET:number;publicstaticfromMasterSeed(seed:Uint8Array, versions:Versions):HDKey;publicstaticfromExtendedKey(base58key:string, versions:Versions):HDKey;publicstaticfromJSON(json: {xpriv:string }):HDKey;readonlyversions:Versions;readonlydepth:number=0;readonlyindex:number=0;readonlychainCode:Uint8Array|null=null;readonlyparentFingerprint:number=0;getfingerprint():number;getidentifier():Uint8Array|undefined;getpubKeyHash():Uint8Array|undefined;getprivateKey():Uint8Array|null;getpublicKey():Uint8Array|null;getprivateExtendedKey():string;getpublicExtendedKey():string;derive(path:string):HDKey;deriveChild(index:number):HDKey;sign(hash:Uint8Array):Uint8Array;verify(hash:Uint8Array, signature:Uint8Array):boolean;wipePrivateData(): this;}interfaceVersions {private:number;public:number;}

The module implementsbip32 standard:check it out for additional documentation.

The implementation is loosely based on cryptocoinjs/hdkey,which has MIT License.

Security

The library has been independently audited:

• at version 1.0.1, in Jan 2022, bycure53
  • PDFs:online,offline
  • Changes since audit.
  • The audit has been funded byEthereum Foundation with help ofNomic Labs

The library was initially developed forjs-ethereum-cryptography.At commitae00e6d7,it was extracted to a separate package calledmicro-bip32.After the audit we've decided to use@scure NPM namespace for security.

Supply chain security

• Commits are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures
• Releases are transparent and built on GitHub CI. Make sure to verifyprovenance logs
• Rare releasing is followed to ensure less re-audit need for end-users
• Dependencies are minimized and locked-down: any dependency could get hacked and users will be downloading malware with every install.
  • We make sure to use as few dependencies as possible
  • Automatic dep updates are prevented by locking-down version ranges; diffs are checked withnpm-diff
• Dev Dependencies are disabled for end-users; they are only used to develop / build the source code

For this package, there are 3 dependencies; and a few dev dependencies:

• noble-hashes provides cryptographic hashing functionality
• noble-curves provides ECDSA
• scure-base provides base58
• micro-bmark, micro-should and jsbt are used for benchmarking / testing / build tooling and developed by the same author
• prettier, fast-check and typescript are used for code quality / test generation / ts compilation. It's hard to audit their source code thoroughly and fully because of their size

Contributing & testing

• npm install && npm run build && npm test will build the code and run tests.
• npm run lint /npm run format will run linter / fix linter issues.
• npm run build:release will build single file

License

MIT License

Copyright (c) 2022 Patricio Palladino, Paul Miller (paulmillr.com)