Cryptology ePrint Archive: Report 2014/998

Hierarchical deterministic Bitcoin wallets that tolerate key leakage

Gus Gutoski and Douglas Stebila

Abstract: A Bitcoin wallet is a set of private keys known to a user and which allow that user to spend any Bitcoin associated with those keys. In a hierarchical deterministic (HD) wallet, child private keys are generated pseudorandomly from a master private key, and the corresponding child public keys can be generated by anyone with knowledge of the master public key. These wallets have several interesting applications including Internet retail, trustless audit, and a treasurer allocating funds among departments. A specification of HD wallets has even been accepted as Bitcoin standard BIP32.

Unfortunately, in all existing HD wallets---including BIP32 wallets---an attacker can easily recover the master private key given the master public key and any child private key. This vulnerability precludes use cases such as a combined treasurer-auditor, and some in the Bitcoin community have suspected that this vulnerability cannot be avoided.

We propose a new HD wallet that is not subject to this vulnerability. Our HD wallet can tolerate the leakage of up to m private keys with a master public key size of O(m). We prove that breaking our HD wallet is at least as hard as the so-called ``one more'' discrete logarithm problem.

Category / Keywords: applications / Bitcoin

Original Publication (in the same form): Financial Cryptography 2015

Date: received 15 Dec 2014, last revised 31 Aug 2015

Contact author: ggutoski at perimeterinstitute ca

Available format(s): PDF | BibTeX Citation

Note: add citation to relevant work

Version: 20150831:212802 (All versions of this report)

Short URL: ia.cr/2014/998

Discussion forum: Show discussion | Start new discussion