Pomegra Learn

Key Derivation and HD Wallets

A single seed phrase can generate millions of unique cryptocurrency addresses. This is the genius of hierarchical deterministic (HD) wallets: instead of backing up a thousand private keys, you back up one seed phrase and derive as many addresses as you need. Each address is mathematically independent but cryptographically linked to the original seed. This separation—between the master secret and the derived addresses—gives you privacy and organizational flexibility while keeping the backup burden manageable.

Quick Definition

Key derivation is the cryptographic process of generating multiple private keys from a single master seed. A hierarchical deterministic (HD) wallet standardizes this process so that a single seed phrase can generate an entire family tree of addresses, each serving a different purpose (receiving payments, change addresses, alternate accounts), across multiple blockchains. The derivation process is deterministic: the same seed always produces the same set of keys in the same order.

Key Takeaways

  • A single seed phrase can generate over 4 billion unique addresses for the same blockchain
  • HD wallets use a tree structure (hence "hierarchical") where each key can derive child keys, extending the tree infinitely
  • The derivation path is a standardized notation (e.g., m/44'/0'/0'/0/0) that describes where in the tree each address sits
  • Different derivation paths from the same seed produce completely different address sets, allowing multiple accounts from one backup
  • Derivation is one-way: you cannot reverse-engineer a parent key from a child key, maintaining security even if a child key is compromised
  • Public keys can be derived without the private key, allowing you to generate receiving addresses on an internet-connected device while the private key stays offline

The Hierarchical Deterministic (HD) Wallet Tree

Imagine your seed phrase as the root of a tree. Each branch extends into smaller branches, and each twig is a unique address. The tree structure is standardized (BIP32), so the same seed planted in different software generates the same tree.

The Master Key

When your wallet creates a seed phrase, the first step in HD derivation is generating a master key from the seed. This master key is rarely used directly; instead, it is the parent of all other keys.

Seed Phrase (12 or 24 words)
↓ BIP39 derivation

Master Seed (512 bits)
↓ HMAC-SHA512

Master Private Key + Chain Code

The master key and a data structure called a chain code together form the root of the tree.

Child Keys: The First Level of Derivation

From the master key, the wallet derives child keys using the chain code and a counter (0, 1, 2, 3...). Each child key is a valid private key that can sign transactions independently.

Master Key (m)
├─ Child 0 (m/0) - First address
├─ Child 1 (m/1) - Second address
├─ Child 2 (m/2) - Third address
└─ Child 3 (m/3) - Fourth address

You could create a wallet using only m/0 as your private key. But this wastes the tree structure. HD wallets use deeper levels of derivation.

The BIP32 Derivation Path Notation

The path notation m/44'/0'/0'/0/0 describes exactly where in the tree a key sits. Each number represents a choice at a level of the tree.

Path Structure: m / purpose / coin_type / account / change / index

m: Master key (the root of the tree)

purpose: A constant describing the version of the HD derivation standard. 44 is the most common (BIP44 standard). 49 and 84 are used for different wallet types (Segwit compatibility).

coin_type: Which blockchain this address is for. 0 = Bitcoin, 1 = Bitcoin testnet, 60 = Ethereum, 2 = Litecoin, 44 = Monero, etc. This is why the same seed phrase can generate Bitcoin, Ethereum, and Litecoin addresses—each uses a different coin type.

account: Which logical account within the wallet. 0 = first account, 1 = second account, etc. You can have multiple accounts from the same seed, allowing organization (business account vs. personal account, hot wallet vs. cold wallet).

change: 0 for receiving addresses (addresses you give to others), 1 for change addresses (addresses where transaction change is returned).

index: Which specific address within the change type. 0 is the first receiving address, 1 is the second, etc. Wallets typically generate 20–100 addresses ahead of time.

Example Paths

  • m/44'/0'/0'/0/0 - Bitcoin, first account, first receiving address
  • m/44'/0'/0'/0/1 - Bitcoin, first account, second receiving address
  • m/44'/0'/0'/1/0 - Bitcoin, first account, first change address
  • m/44'/0'/1'/0/0 - Bitcoin, second account, first receiving address
  • m/44'/60'/0'/0/0 - Ethereum, first account, first receiving address
  • m/44'/2'/0'/0/0 - Litecoin, first account, first receiving address

The apostrophe (') after the purpose, coin type, and account numbers indicates hardened derivation, a special type of derivation that adds extra security (discussed below).

The Key Derivation Diagram

The tree grows downward. Each node can be expanded to create child nodes. The path notation tells you exactly where in the tree to find a specific address.

Hardened vs. Non-Hardened Derivation

The HD derivation standard includes a crucial feature: hardened derivation. This distinction determines whether a child public key can be derived without knowing the parent private key.

Non-Hardened Derivation

In non-hardened derivation, you can derive a child's public key using only the parent's public key. You do not need the parent's private key.

Why this matters:

  • You can generate a list of receiving addresses on an internet-connected device (like a smartphone) using only the public key
  • You can hand someone a "public key" and they can generate addresses, but they cannot spend the funds
  • The private key remains on an offline device (hardware wallet)

This is the basis for watch-only wallets: a device that can see your balances and generate addresses but cannot spend coins.

Paths without apostrophes use non-hardened derivation:

  • m/44'/0'/0'/0/0 - Last two numbers (0/0) are non-hardened
  • Anyone with access to the public key can derive future addresses

Hardened Derivation

In hardened derivation, you cannot derive a child public key using only the parent public key. You must use the parent private key.

Why this matters:

  • If someone obtains your extended public key (for non-hardened paths), they can see all your past and future addresses
  • Hardened paths prevent this: someone with your extended public key cannot determine your child keys
  • The disadvantage is that a smartphone holding only the hardware wallet's public key cannot derive hardened children; those must be derived on the hardware wallet itself

Paths with apostrophes use hardened derivation:

  • m/44'/0'/0'/0/0 - First three numbers are hardened (the apostrophes)
  • An attacker cannot derive future addresses even with access to the extended public key

The Hybrid Approach

Most wallets use:

  • Hardened derivation at the top levels (purpose, coin_type, account) to prevent an attacker who sees the extended public key from deriving accounts
  • Non-hardened derivation at the bottom levels (change, index) to allow watch-only wallets to generate receiving addresses

This balance provides both privacy (hardened account level) and convenience (non-hardened address generation on internet-connected devices).

Why Derivation Paths Matter for Cross-Wallet Recovery

If you export your seed phrase from one wallet and import it into another, you expect to see the same addresses and balances. This works only if both wallets use the same derivation path.

Compatible Wallets

Hardware wallets (Ledger, Trezor) and software wallets (Metamask, Electrum) all follow the BIP44 standard with standardized coin type numbers. A Bitcoin wallet using m/44'/0'/0'/0/0 on one device will see the same addresses on another device.

Incompatible Wallets

Older wallets or non-standard wallets may use different derivation paths:

  • Bitcoin Core: Uses a non-standard path m/0/0/0/0...
  • Some altcoin wallets: Use custom paths that are not BIP44 compliant

If you import a seed into an incompatible wallet, you see no balance. The addresses derived are different. This is not because your funds are lost—they are still controlled by the original seed. The new wallet is simply looking in the wrong place.

Multi-Account Wallets

Wallets like Electrum and Metamask support multiple accounts. Switching accounts means switching to a different derivation path:

  • Account 0: m/44'/0'/0'/0/0...
  • Account 1: m/44'/0'/1'/0/0...
  • Account 2: m/44'/0'/2'/0/0...

Each account is a completely separate set of addresses, all derived from the same seed. You can have separate accounts for work and personal use, or separate accounts across different hardware wallets, all from one backup.

Public Key Derivation: The Watch-Only Wallet

One of the most powerful features of HD wallets is the ability to derive public keys without having access to the private key. This enables watch-only wallets.

Use Case: Cold Storage with Hot Monitoring

You store your private key on an offline device (hardware wallet, paper wallet). You want to check your balance on your phone without exposing the private key.

Solution:

  1. Export your extended public key from the hardware wallet to your phone (this is safe—public keys are public)
  2. Your phone uses this public key to derive all receiving addresses
  3. Your phone can see incoming transactions and balances
  4. Your phone cannot sign transactions (it has no private key)
  5. To spend coins, you connect the hardware wallet to a computer, sign the transaction, and broadcast it

This workflow is secure because:

  • The private key never touches the internet-connected phone
  • The public key alone cannot derive the private key
  • Even if the phone is hacked, the attacker cannot steal coins—they can only see your balance and addresses

Implementation Example

A Ledger hardware wallet can export a "public key" (technically, an extended public key at a specific derivation path). This key is used by Ledger Live (a phone app) to monitor your balance without exposing the private key stored on the Ledger device.

Common Mistakes in Understanding Key Derivation

Mistake 1: Assuming All Wallets Use the Same Path

You generate a seed phrase in Metamask and export it to a custom wallet application. The custom wallet uses a non-standard derivation path. You see an empty wallet.

Why it happened: The custom wallet is deriving addresses using m/0/0/0... while Metamask uses m/44'/60'/0'.... The private keys are different.

Fix: Check the wallet's documentation for the derivation path. If it does not match your original wallet, you may need to restore to a compatible wallet or manually derive the correct path.

Mistake 2: Confusing the Seed with a Single Private Key

You assume that a seed phrase is just another way to store a private key. You export your seed phrase and use it as a private key in another wallet application.

Why it happened: A seed phrase is not a private key; it is the parent of millions of private keys. Treating it as a single private key will produce incorrect results or fail entirely.

Fix: Always import a seed phrase as a "seed phrase" or "recovery words," not as a private key. Do not try to use a seed phrase in a system that expects a private key.

Mistake 3: Not Knowing Your Derivation Path

You restore a wallet from a seed phrase and see no balance. You panic.

Why it happened: The restored wallet is using a different derivation path. Your funds are still there; the wallet is looking at the wrong addresses.

Fix: Check the wallet's settings for the derivation path. Most wallets allow you to change the derivation path and rescan the blockchain. Once you enter the correct path, the balance reappears.

Mistake 4: Exposing the Extended Public Key

You share your extended public key with a third party (to set up a watch-only wallet). The third party can now derive all your receiving addresses—past, present, and future.

Why it's a problem: If the derivation path used is non-hardened below the account level (the typical case), an attacker with the extended public key can see your entire transaction history. They cannot steal funds, but they can see where your money is.

Fix: Only share extended public keys with parties you trust. If you are using hardened derivation at the account level (e.g., exporting the public key at m/44'/0'/0'), the extended public key can derive only the addresses beneath that account, not those of other accounts.

Real-World Examples

Example 1: The Metamask Recovery Mystery

A user backed up his Metamask seed phrase. Years later, he tried to restore it on a different computer. The restored wallet showed a balance of zero. He panicked. In truth, Metamask had updated its derivation path, and the restored wallet was using the new path. His funds were at the old path. He had to switch the wallet's derivation path setting to recover them.

Example 2: The Ledger to Trezor Migration

A user backed up a Ledger hardware wallet's seed phrase. Later, he bought a Trezor and restored the same seed phrase. He expected to see the same addresses and balances. But Trezor uses a slightly different derivation path format (both BIP44, but with different numeric constants for the coin type). His addresses were different. His funds remained in the Ledger-derived addresses. He had to create a new seed or manually switch derivation paths on the Trezor.

Example 3: The Watch-Only Wallet Setup

A woman exported her hardware wallet's extended public key to set up a watch-only wallet on her phone. A year later, her phone was stolen. The thief had access to the extended public key but not the private key. The thief could see all her addresses and balances but could not steal the coins (the private key was safely on the hardware wallet). She recovered by using a new phone and re-importing the extended public key.

Example 4: The Advanced User's Multi-Account Setup

A crypto trader set up four separate accounts from one seed phrase:

  • Account 0: Cold storage (long-term holdings, never accessed)
  • Account 1: Hot wallet (daily trading, frequently accessed)
  • Account 2: Business account (client funds, separated from personal account)
  • Account 3: Test wallet (experimental DeFi, high-risk transactions)

All four accounts derive from the same 12-word backup. If the hardware wallet fails, a single seed phrase recovers all four accounts and all their funds.

Frequently Asked Questions

Q: How many addresses can a single seed phrase generate?

A: Theoretically infinite. Practically, you will generate 20–100 receiving addresses and a similar number of change addresses. The path m/44'/0'/0'/0/index can generate addresses at any index value (0, 1, 2... up to 2^31). A single seed phrase can generate over 4 billion unique addresses for a single blockchain.

Q: Can I use different accounts from the same seed phrase for different blockchains?

A: Yes. The coin type in the path (0 for Bitcoin, 60 for Ethereum, 2 for Litecoin) means a single seed phrase can have a Bitcoin account and an Ethereum account. The same seed produces different addresses on different blockchains.

Q: If someone has my extended public key, can they steal my coins?

A: No. The extended public key allows them to derive public keys and addresses, but not private keys. They can see your balances and addresses but cannot sign transactions or move coins. However, they can see your entire transaction history, which is a privacy concern.

Q: Why do wallets generate addresses ahead of time instead of on-demand?

A: To ensure that if you receive a payment and then lose your hardware wallet, you can recover using the seed phrase—even if you never explicitly created that address. Wallets typically generate 20 addresses in advance and derive more if you use them all.

Q: Can I derive a hardened child from a public key alone?

A: No. Hardened derivation requires the parent private key. This is the point of hardened derivation—it prevents someone with the extended public key from deriving all child addresses.

Q: What happens if I import a seed phrase into two different wallets and they use different derivation paths?

A: You see different addresses in each wallet. Your funds are still there—they are just at the addresses derived by the path your first wallet used. The second wallet is looking at a different part of the address tree.

Q: Can I change the derivation path after I have already created addresses?

A: Yes, but only by switching your wallet software to a new one that uses the correct path, or by manually configuring the derivation path in compatible wallets. The funds at the old addresses remain there; they are not automatically transferred to new addresses.

Summary

Hierarchical deterministic wallets transform the backup burden from thousands of private keys to a single seed phrase. Through standardized derivation paths (BIP44), one seed phrase generates millions of unique addresses, each secure and independent, yet all recoverable from the original backup.

The tree structure—purpose, coin type, account, change, and index—organizes this forest of addresses for easy management. Hardened derivation at the top levels protects your privacy, while non-hardened derivation at the bottom levels enables watch-only wallets on internet-connected devices.

Understanding derivation paths explains why the same seed phrase produces different addresses in different wallets, why you can have multiple accounts from one backup, and why public key derivation allows secure monitoring without exposing private keys.

The genius of HD wallets is that you never need to back up another private key again. One seed phrase is sufficient—for life, across multiple blockchains, across multiple accounts, across multiple devices. The entire tree grows from that single root, and derivation math ensures the growth is secure, deterministic, and infinite.
