Hierarchical Deterministic Bitcoin Wallets that Tolerate Key Leakage

  • Gus Gutoski
  • Douglas StebilaEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8975)


A Bitcoin wallet is a set of private keys known to a user and which allow that user to spend any Bitcoin associated with those keys. In a hierarchical deterministic (HD) wallet, child private keys are generated pseudorandomly from a master private key, and the corresponding child public keys can be generated by anyone with knowledge of the master public key. These wallets have several interesting applications including Internet retail, trustless audit, and a treasurer allocating funds among departments. A specification of HD wallets has even been accepted as Bitcoin standard BIP32.

Unfortunately, in all existing HD wallets—including BIP32 wallets—an attacker can easily recover the master private key given the master public key and any child private key. This vulnerability precludes use cases such as a combined treasurer-auditor, and some in the Bitcoin community have suspected that this vulnerability cannot be avoided.

We propose a new HD wallet that is not subject to this vulnerability. Our HD wallet can tolerate the leakage of up to m private keys with a master public key size of O(m). We prove that breaking our HD wallet is at least as hard as the so-called “one more” discrete logarithm problem.


Hash Function Discrete Logarithm Problem Security Proof Fractional Reserve Elliptic Curve Digital Signature Algorithm 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Research at the Perimeter Institute is supported by the Government of Canada through Industry Canada and by the Province of Ontario through the Ministry of Research and Innovation. GG also acknowledges support from CryptoWorks21. DS is supported by Australian Research Council (ARC) Discovery Project DP130104304.


  1. 1.
    Electrum lightweight Bitcoin wallet, November 2011.
  2. 2.
  3. 3.
    Coinkite (2014).
  4. 4.
    Bellare, M., Palacio, A.: GQ and Schnorr identification schemes: proofs of security against impersonation under active and concurrent attacks. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 162–177. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  5. 5.
    Buterin, V.: Deterministic wallets, their advantages and their understated flaws. Bitcoin Magazine, November 2013.
  6. 6.
    Certicom Research: SEC 2: Recommended Elliptic Curve Domain Parameters, v2.0 (2000).
  7. 7.
    Koblitz, N., Menezes, A.: Another look at non-standard discrete log and Diffie-Hellman problems. J. Math. Cryptology 2(4), 311–326 (2008)MathSciNetCrossRefGoogle Scholar
  8. 8.
    Koblitz, N., Menezes, A.: Intractable problems in cryptography. In: Proceedings of the 9th Conference on Finite Fields and Their Applications, vol. 518, pp. 279–300. Contemporary Mathematics (2010)Google Scholar
  9. 9.
    Maxwell, G.: Deterministic wallets, June 2011.
  10. 10.
    Nakamoto, S.: Bitcoin: A peer-to-peer electronic cash system (2008).
  11. 11.
    National Institute of Standards and Technology: FIPS-186-4: Digital Signature Standard (DSS), July 2013.
  12. 12.
    Wuille, P.: BIP32: Hierarchical Deterministic Wallets, February 2012.

Copyright information

© Springer-Verlag Berlin Heidelberg 2015

Authors and Affiliations

  1. 1.Perimeter Institute for Theoretical PhysicsWaterlooCanada
  2. 2.School of Electrical Engineering and Computer Science and School of Mathematical SciencesQueensland University of TechnologyBrisbaneAustralia

Personalised recommendations