Is there a deterministic private-public keypair generator without the BIP32 private key revealing issue?

1

HD Wallets have a flaw that revealing a private key and its parent master public key will reveal its parent master private key. (Described here[1] and here[2]).

Isn't there a similar concept with master public key and master private key that does not suffer from this issue. (Does not have to be ECDSA. I just want a deterministic private-public keypair generator that can publish its master public key).

[1] https://bitcoinmagazine.com/8396/deterministic-wallets-advantages-flaw/

[2] https://eprint.iacr.org/2014/998.pdf (chapter 3)

Pavol Rusnak

Posted 2015-07-29T17:41:23.557

Reputation: 111

Answers

4

This is accounted for within the BIP32 specification, they are called 'hardened' keys. Hardened child private keys are derived from the parents' private keys, and revealing the hardened child private keys does not reveal the parents' private key.

Child indices 0...2^31-1 are reserved for regular keys (that have the problem you describe), and child indices 2^31...2^32-1 are reserved for hardened private keys.

Notation for a standard child:

m/0

Notation for a hardened child:

m/0'
m/0h

morsecoder

Posted 2015-07-29T17:41:23.557

Reputation: 12 624

This makes generating master public key useless as it is unable to generate public keys in children, which is something I want to have.Pavol Rusnak 2015-07-29T18:41:06.393

@PavolRusnak, you can't have it both ways, unfortunately. Either the parent-pub and child-pub are related by an ECC key for which the private key is known, or it's not. But you can use both hardened and standard keys in the same tree structure! Best practice is to use Hardened keys for upper levels of the tree, and non-hardened only for the lower levels.

morsecoder 2015-07-29T19:00:50.267

See Bip44: you can use m / 44'/0'/0'/0/k, where k is your key. Losing private key k together with parent/k would not reveal the whole chain because you do : m/44'/0'/0>'</0/0 (mint the >.<)Jonas Schnelli 2015-07-30T06:10:31.993