blockchain – Understanding a Wallet Restore

This is my first post on block chain related programming so please excuse my ignorance. I find the terminology in the BIP32 and BIP39 specs hard to understand so I’m trying to confirm my understanding here. I hope someone can clear things up for me. Please correct me if my understanding is incorrect. Here goes.

I bought a Trezor and generated my seed using the Trezor. I understand that this is an implementation of BIP39. My understanding is that if I were not using Trezor, I could generate this key on an offline computer like Tails Linux or Bitkey.IO Live CD. My understanding is that this serves as a key for signing transactions in future. But, this does not by itself create any addresses in the block chain itself.

After creating the key, I generated some addresses. One for Bitcoin, one for Litecoin and so on. Again, merely creating addresses does not affect the block chain in any way. The only thing that is special about these addresses is that the only way to create these addresses is to have have the seed in the first place. Is this understanding correct?

After this point, currency can be sent to the addresses that I have created. This means the block chain network has to accept that the transactions were made, and then the transactions will be synced on to all the other nodes in the network which will eventually be viewable by me when I check the address on my Trezor’s software.

This is where my understanding gets a little murky. There is also something called a public key (xpub), and these can be used to view the details of my wallet and its transactions I think. Also, anyone who has the address of my wallet can see transactions in there by querying the block chain.

But, without the seed, nobody can transfer coin out of my addresses. The seed is required to sign the transactions for this. Is this correct?

Now, lets say my Trezor is lost or destroyed and all I have left is the seed. So, I buy a new Trezor and plug it in. I will now want to do a restore. So, my guess is that it will as me for the 24 word phrase. Right?

At this point, what happens? I no longer have any addresses or XPUBs written down, and I will need these to see my balances before I can sign transactions again. So, how does the Trezor software (or other deterministic wallet software) get my xpub and addresses back?

Do they:

  1. Download the entire block chain on to my computer and check each address to see if it was seeded from my original seed?
  2. Hit some API? If so, how? Does it send my seed to the API? Which API? Does Trezor maintain some kind of index of xpubs by seed? I wouldn’t think that this would be secure at all, and in fact would completely void the security of the system.
  3. Is there some kind of public key hidden in my seed that can be used to look up indexed addresses? If so, how does that work? Is there a C# library somewhere I can use to get extract this public key from my seed?
  4. Do some other thing that I have not thought of… What?

Edit: I’m currently reading through this. . It makes it sound as though the Scanner class uses BIP37 logic to filter down data from the block chain to get at the addresses that are likely to contain the transactions I need to see. So, what inputs does it need to do this? Can I derive something from my seed which is safe to use over an API?

From Mastering Bitcoin:

Generating a public key Starting with a private key in the form of a
randomly generated number k, we multiply it by a predetermined point
on the curve called the generator point G to produce another point
somewhere else on the curve, which is the corresponding public key K.
The generator point is specified as part of the secp256k1 standard
and is always the same for all keys in bitcoin.


where k is the private key, G is the generator point, and K is the
resulting public key, a point on the curve. Since the generator point
is always the same for all bitcoin users, a private key k multiplied
with G will always result in the same public key K. The rela‐tionship
between k and K is fixed, but can only be calculated in one direction,
from k to K. That’s why a bitcoin address (derived from K) can be
shared with anyone and does not reveal the user’s private key (k).

So, does this mean that in fact my seed does in fact contain a public key? And that key is the xpub? So, in other words, it is possible to generate an xpub from the seed? Is this correct?

To boil down the question:
Given my seed, how does the Trezor or other wallet retrieve all the associated addresses, xpubs, public keys, transactions, balances and so on that are derived from the seed?