In Bitcoin and other cryptocurrencies, the use of hierarchical deterministic wallets (HD wallets) is a widely accepted practice. Loosely speaking, such wallets work by having a single master key (or master secret) and then deriving all keys from the master key. There are two types of derivation:
- Hardened derivation: A key derived using this method is not linkable to other keys in the hierarchy, except for keys derived from it using normal derivation (see next item). Essentially, this is a method for deriving keys, such that all keys derived in this method look like independent keys generated randomly.
- Normal derivation: This is a method of deriving keys from a key in a public manner. In particular, it is possible to compute the derived public key in a normal derivation given only the public key that it is derived from. This enables the definition of addresses for different purposes that can be derived automatically by anyone wishing to make the transaction.
As described in the motivation of BIP032 derivation “the motivation for hardened derivation is to enable users to back-up a single master secret and then derive as many keys as needed without requiring any further back-up”. This is extremely important since one of the dangers of cryptocurrencies is that if a key is lost, then all assets protected by that key are permanently lost. Furthermore, the motivation for normal derivation is to enable the controlled sharing of addresses in an unlimited way. It is possible to give someone an address and have them use normal derivation many times, in order to achieve separation of accounts and the like.
When secure multiparty computation is used to carry out signing for digital assets, no single machine holds the entire private key. Rather, it is shared amongst multiple entities, and each party holds random garbage that is meaningless by itself. In this situation, HD derivation becomes problematic. It is, of course, possible to use MPC to carry out all derivations; however, this can be quite expensive. Note that special-purpose MPC protocols for signing exist that are very efficient, and although it is possible to carry out derivation completely in MPC, the protocols for these are more expensive. Indeed, with two parties, there are good protocols. However, as the number of parties increase, the MPC protocol for derivation becomes significantly more expensive.
Despite the above, there is a very simple solution to this problem of managing HD wallets in MPC in a commercial setting. We consider each type of derivation separately:
- Hardened derivation: As discussed, the motivation for hardened derivation is to solve the problem of backup. This problem is most acute for personal users’ wallets, since backing up keys is logistically very difficult for them. In contrast, in a commercial setting, backup can be built into every key generation (Unbound’s CASP has such a capability). In this case, there is no difference between just generating new keys every time versus hardened derivation. Indeed, by design, a key generated via hardened derivation is supposed to look like a brand-new key. As such, there is no practical difference between generating a new key (and backing it up) and using hardened derivation.
- Normal derivation: Unlike hardened derivation, it is not possible to achieve the same effect as normal derivation by generating new keys, since these keys will not be compatible with those derived using the public keys only. Fortunately, however, it is easily compatible with MPC. This is because it suffices for one or more of the parties to carry out a local operation in order to update a sharing of a key to a sharing of a normal derivation of the key. Thus, normal derivation is easily compatible with MPC (and Unbound’s MPC solution fully supports it).
In summary, the desired effect of hardened derivation can be supported in MPC deployments in commercial settings by using a system that supports backup of every key generated, and this behaves exactly as hardened derivation does in HD wallets. Furthermore, normal derivation is fully compatible with MPC deployments and incurs zero computational cost. Thus, MPC implementations are fully compatible with HD wallets in practice.