Paper 2021/1287

The Exact Security of BIP32 Wallets

Poulami Das, Andreas Erwig, Sebastian Faust, Julian Loss, and Siavash Riahi


In many cryptocurrencies, the problem of key management has become one of the most fundamental security challenges. Typically, keys are kept in designated schemes called 'Wallets', whose main purpose is to store these keys securely. One such system is the BIP32 wallet (Bitcoin Improvement Proposal 32), which since its introduction in 2012 has been adopted by countless Bitcoin users and is one of the most frequently used wallet system today. Surprisingly, very little is known about the concrete security properties offered by this system. In this work, we propose the first formal analysis of the BIP32 system in its entirety and without any modification. Building on the recent work of Das et al. (CCS `19), we put forth a formal model for hierarchical deterministic wallet systems (such as BIP32) and give a security reduction in this model from the existential unforgeability of the ECDSA signature algorithm that is used in BIP32. We conclude by giving concrete security parameter estimates achieved by the BIP32 standard, and show that by moving to an alternative key derivation method we can achieve a tighter reduction offering an additional 20 bits of security (111 vs. 91 bits of security) at no additional costs.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. ACM CCS 2021
Contact author(s)
poulami das @ tu-darmstadt de
andreas erwig @ tu-darmstadt de
sebastian faust @ tu-darmstadt de
lossjulian @ gmail com
siavash riahi @ tu-darmstadt de
2021-09-27: revised
2021-09-24: received
See all versions
Short URL
Creative Commons Attribution


      author = {Poulami Das and Andreas Erwig and Sebastian Faust and Julian Loss and Siavash Riahi},
      title = {The Exact Security of {BIP32} Wallets},
      howpublished = {Cryptology ePrint Archive, Paper 2021/1287},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.