Publication Detail
Privilege Escalation and Combination Attacks on HD Wallet Systems in Bitcoin
  • Authors:
    Courtois N, Emirdag P, Valsorda F
  • Publisher:
    Texas Bitcoin Association
  • Published proceedings:
    Proceedings of Texas Bitcoin Conference 2015
  • Name of conference:
    Texas Bitcoin Conference 2015
  • Conference place:
    Austin, Texas
  • Keywords:
    crypto currencies, e-payment, bitcoin, key management, applied cryptography, Random Number Generators (RNG), audit capability, digital signatures, ECDSA, HD Wallets, BIP032
In this paper we survey the question of key management in bitcoin. We study the security of the most widely used bitcoin HD Wallet key management solution, known as BIP032. The main goal of BIP032 is to have at one's disposal “master public keys” for the ECDSA signature scheme, which allow a large number of public keys to be derived in bulk without revealing any of the private keys. Moreover, we would like the key derivation process to work seamlessly across several levels, so that the same keys can be derived in several different ways. Such schemes are called Hierarchical Deterministic or HD wallet systems. An exact specification is standardized in bitcoin as BIP032. BIP032 is extremely popular in bitcoin; it appears that virtually all existing bitcoin systems implement it. HD wallet systems have extensive audit capabilities, but this property comes at a very high price: they are excessively fragile. One small security incident in a remote corner of the system and everything collapses: all private keys within the remit of the system can be recovered, and all bitcoins can be stolen from every account.

In our recent paper (eprint.iacr.org/2014/848) we take this much further. We propose new, more advanced combination attacks in which the security of keys held in cold storage can be compromised without executing any software exploit on the cold system, but through security incidents during operation, such as bad random numbers or related random events. In our new attacks, all bitcoins over whole large security domains can be stolen by people who hold the auditor keys, which are typically stored in “hot” systems connected to the Internet and can be stolen easily. Classical bad-random attacks typically concern only very few bitcoin accounts, and only some very lucky holders of bitcoins can actually steal other people’s bitcoins. Our recent combination attacks allow the recovery of private keys which none of the earlier attacks in isolation could hope to recover.