New paper accepted at ACM CCS 2021 “The Exact Security of BIP32 Wallets”

by Poulami Das, Andreas Erwig, Sebastian Faust, Julian Loss, Siavash Riahi

2021/08/05

In many cryptocurrencies, the problem of key management has become one of the most fundamental security challenges. Typically, keys are kept in designated storage devices called wallets, whose main purpose is to store these keys securely. One such system is the BIP32 wallet (Bitcoin Improvement Proposal 32), which since its introduction in 2012 has been adopted by countless Bitcoin users and is one of the most frequently used wallet system today. Surpris?ingly, very little is known about the concrete security properties offered by this system. In this work, we propose the first formal analysis of the BIP32 system in its entirety and without any modifi?cation. Building on the recent work of Das et al. (CCS ‘19), we put forth a formal model for hierarchical deterministic wallet systems (such as BIP32) and give a security reduction in this model from the existential unforgeability of the ECDSA signature algorithm that is used in BIP32. We conclude by giving concrete security parameter estimates achieved by the BIP32 standard, and show that by moving to an alternative key derivation method we can achieve a tighter reduction offering additional 20 bits of security (114 vs. 94 bits of security) at no additional costs.