Unfortunately, in all existing HD wallets---including BIP32 wallets---an attacker can easily recover the master private key given the master public key and any child private key. This vulnerability precludes use cases such as a combined treasurer-auditor, and some in the Bitcoin community have suspected that this vulnerability cannot be avoided.
We propose a new HD wallet that is not subject to this vulnerability. Our HD wallet can tolerate the leakage of up to m private keys with a master public key size of O(m). We prove that breaking our HD wallet is at least as hard as the so-called ``one more'' discrete logarithm problem.Category / Keywords: applications / Bitcoin Original Publication (in the same form): Financial Cryptography 2015 Date: received 15 Dec 2014, last revised 31 Aug 2015 Contact author: ggutoski at perimeterinstitute ca Available format(s): PDF | BibTeX Citation Note: add citation to relevant work Version: 20150831:212802 (All versions of this report) Short URL: ia.cr/2014/998 Discussion forum: Show discussion | Start new discussion