Cryptology ePrint Archive: Report 2021/1287

The Exact Security of BIP32 Wallets

Poulami Das and Andreas Erwig and Sebastian Faust and Julian Loss and Siavash Riahi

Abstract: In many cryptocurrencies, the problem of key management has become one of the most fundamental security challenges. Typically, keys are kept in designated schemes called 'Wallets', whose main purpose is to store these keys securely. One such system is the BIP32 wallet (Bitcoin Improvement Proposal 32), which since its introduction in 2012 has been adopted by countless Bitcoin users and is one of the most frequently used wallet system today. Surprisingly, very little is known about the concrete security properties offered by this system. In this work, we propose the first formal analysis of the BIP32 system in its entirety and without any modification. Building on the recent work of Das et al. (CCS `19), we put forth a formal model for hierarchical deterministic wallet systems (such as BIP32) and give a security reduction in this model from the existential unforgeability of the ECDSA signature algorithm that is used in BIP32. We conclude by giving concrete security parameter estimates achieved by the BIP32 standard, and show that by moving to an alternative key derivation method we can achieve a tighter reduction offering an additional 20 bits of security (111 vs. 91 bits of security) at no additional costs.

Category / Keywords: cryptographic protocols / Wallets, cryptocurrencies, foundations, BIP32

Original Publication (in the same form): ACM CCS 2021

Date: received 24 Sep 2021, last revised 27 Sep 2021

Contact author: poulami das at tu-darmstadt de, andreas erwig at tu-darmstadt de, sebastian faust at tu-darmstadt de, lossjulian at gmail com, siavash riahi at tu-darmstadt de

Available format(s): PDF | BibTeX Citation

Version: 20210927:160952 (All versions of this report)

Short URL: ia.cr/2021/1287


[ Cryptology ePrint archive ]