tari-project/tari

Confirm that all BIP32 key derivation uses full entropy

Issue closed · 1 comment

In order to provide compatibility with Ledger interfaces, key derivation is performed by forming a BIP32 path and securely hashing it.

This approach requires that two u64 values, an account and an index, are supplied. As a result, the technique is only secure if both inputs were produced by secure uniform sampling that provides 64 bits of entropy each. Otherwise, the result does not provide a key with 128 bits of effective entropy.

All uses of this derivation should be carefully checked.

It turns out that I misunderstood the code path, and assumed the BIP32 path itself was being formed using existing output that needed to be of high entropy. This is not the case, and the construction is secure.