Paper 2014/998

Hierarchical deterministic Bitcoin wallets that tolerate key leakage

Gus Gutoski and Douglas Stebila

Abstract

A Bitcoin wallet is a set of private keys known to a user and which allow that user to spend any Bitcoin associated with those keys. In a hierarchical deterministic (HD) wallet, child private keys are generated pseudorandomly from a master private key, and the corresponding child public keys can be generated by anyone with knowledge of the master public key. These wallets have several interesting applications including Internet retail, trustless audit, and a treasurer allocating funds among departments. A specification of HD wallets has even been accepted as Bitcoin standard BIP32. Unfortunately, in all existing HD wallets, including BIP32 wallets, an attacker can easily recover the master private key given the master public key and any child private key. This vulnerability precludes use cases such as a combined treasurer-auditor, and some in the Bitcoin community have suspected that this vulnerability cannot be avoided. We propose a new HD wallet that is not subject to this vulnerability. Our HD wallet can tolerate the leakage of up to m private keys with a master public key size of O(m). We prove that breaking our HD wallet is at least as hard as the so-called "one-more" discrete logarithm problem.
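The abstract's claim about BIP32 follows directly from how non-hardened child keys are derived: the child private key is the parent private key plus an HMAC output that anyone holding the master public key and chain code can compute, so a single leaked child private key reveals the parent by subtraction. The following added example (written for this page, not code from the paper or from any wallet implementation) implements BIP32 CKDpriv and CKDpub on secp256k1 in pure Python, checks that public derivation agrees with private derivation, shows the subtraction that makes the master key fall out of one leaked non-hardened child, and shows that BIP32's standard mitigation, hardened derivation, breaks that algebra only by giving up public derivation, which is exactly the trade-off the paper's construction aims to remove. The master seed and chain code are constructed test values, and the hypothetical helper names (`ckd_priv`, `ckd_pub`, `recover_parent_priv`, `demo`) are this example's own.

```python
import hashlib
import hmac

# secp256k1 domain parameters (public constants from the curve specification).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000  # BIP32: indices >= 2^31 are hardened


def _add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p + (-p)
    if p == q:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, point=G):
    """Double-and-add scalar multiplication (not constant-time; fine for a demo)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def ser_p(point):
    """33-byte compressed SEC1 encoding of a public key, as BIP32 uses."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def _hmac512(chain_code, data):
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]  # (I_L, I_R)


def ckd_priv(k_par, c_par, i):
    """BIP32 CKDpriv: child private key and chain code from parent private key.
    (The spec also rejects I_L >= n or a zero child key; that edge case is skipped here.)"""
    if i >= HARDENED:  # hardened: HMAC over the parent *private* key
        data = b"\x00" + k_par.to_bytes(32, "big") + i.to_bytes(4, "big")
    else:              # non-hardened: HMAC over the parent *public* key
        data = ser_p(_mul(k_par)) + i.to_bytes(4, "big")
    il, c_child = _hmac512(c_par, data)
    return (il + k_par) % N, c_child


def ckd_pub(K_par, c_par, i):
    """BIP32 CKDpub: non-hardened child public key from the parent public key alone."""
    if i >= HARDENED:
        raise ValueError("hardened children cannot be derived from a public key")
    il, c_child = _hmac512(c_par, ser_p(K_par) + i.to_bytes(4, "big"))
    return _add(_mul(il), K_par), c_child


def recover_parent_priv(K_par, c_par, i, k_child):
    """The algebra behind the leakage the abstract describes: anyone holding the
    master public key (K_par, c_par) can compute I_L, so k_par = k_child - I_L mod n."""
    il, _ = _hmac512(c_par, ser_p(K_par) + i.to_bytes(4, "big"))
    return (k_child - il) % N


def demo():
    # Constructed test master key; not a real wallet.
    k_master = int.from_bytes(hashlib.sha256(b"constructed master seed").digest(), "big") % N
    c_master = hashlib.sha256(b"constructed chain code").digest()
    K_master = _mul(k_master)

    # Non-hardened child 0: an auditor with only the master public key derives the
    # same public key the spender derives from the private side.
    k0, c0 = ckd_priv(k_master, c_master, 0)
    K0, c0_pub = ckd_pub(K_master, c_master, 0)
    pub_consistent = _mul(k0) == K0 and c0 == c0_pub

    # Leak k0 alongside the master public key and the master private key follows.
    recovered = recover_parent_priv(K_master, c_master, 0, k0)

    # Hardened child: the HMAC input contains the private key, so the same subtraction
    # yields garbage, but the auditor also loses the ability to derive this child's pubkey.
    k0h, _ = ckd_priv(k_master, c_master, HARDENED)
    hardened_fails = recover_parent_priv(K_master, c_master, HARDENED, k0h) != k_master

    return {
        "pub_derivation_consistent": pub_consistent,
        "recovered_matches_master": recovered == k_master,
        "hardened_algebra_fails": hardened_fails,
    }


if __name__ == "__main__":
    print(demo())
```

The practical reading for a defender: any key that must be derivable from a public key alone (the audit and retail use cases in the abstract) is a non-hardened key, and in BIP32 every such key must be treated as equivalent in sensitivity to the master private key. Hardened derivation confines the blast radius of a leaked child but gives up public derivation; the paper's scheme is the attempt to keep public derivation while bounding the damage from up to m leaked keys.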

Note: add citation to relevant work

Metadata

Available format(s): PDF
Category: Applications
Publication info: Published elsewhere. Financial Cryptography 2015
Keywords: Bitcoin
Contact author(s): ggutoski @ perimeterinstitute ca
History:
2015-08-31: revised
2014-12-18: received
Short URL: https://ia.cr/2014/998
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2014/998,
      author = {Gus Gutoski and Douglas Stebila},
      title = {Hierarchical deterministic Bitcoin wallets that tolerate key leakage},
      howpublished = {Cryptology {ePrint} Archive, Paper 2014/998},
      year = {2014},
      url = {https://eprint.iacr.org/2014/998}
}