### The Exact Security of BIP32 Wallets

Poulami Das, Andreas Erwig, Sebastian Faust, Julian Loss, and Siavash Riahi

##### Abstract

In many cryptocurrencies, the problem of key management has become one of the most fundamental security challenges. Typically, keys are kept in designated schemes called 'Wallets', whose main purpose is to store these keys securely. One such system is the BIP32 wallet (Bitcoin Improvement Proposal 32), which since its introduction in 2012 has been adopted by countless Bitcoin users and is one of the most frequently used wallet system today. Surprisingly, very little is known about the concrete security properties offered by this system. In this work, we propose the first formal analysis of the BIP32 system in its entirety and without any modification. Building on the recent work of Das et al. (CCS 19), we put forth a formal model for hierarchical deterministic wallet systems (such as BIP32) and give a security reduction in this model from the existential unforgeability of the ECDSA signature algorithm that is used in BIP32. We conclude by giving concrete security parameter estimates achieved by the BIP32 standard, and show that by moving to an alternative key derivation method we can achieve a tighter reduction offering an additional 20 bits of security (111 vs. 91 bits of security) at no additional costs.

Available format(s)
Category
Cryptographic protocols
Publication info
Published elsewhere. ACM CCS 2021
Keywords
WalletscryptocurrenciesfoundationsBIP32
Contact author(s)
lossjulian @ gmail com
History
2021-09-27: revised
See all versions
Short URL
https://ia.cr/2021/1287

CC BY

BibTeX

@misc{cryptoeprint:2021/1287,
author = {Poulami Das and Andreas Erwig and Sebastian Faust and Julian Loss and Siavash Riahi},
title = {The Exact Security of BIP32 Wallets},
howpublished = {Cryptology ePrint Archive, Paper 2021/1287},
year = {2021},
note = {\url{https://eprint.iacr.org/2021/1287}},
url = {https://eprint.iacr.org/2021/1287}
}
`
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.