Author: Pieter Wuille 2020-10-16 21:41:07
Published on: 2020-10-16T21:41:07+00:00
In an email sent to the bitcoin-dev mailing list, Leonardo Comandini questions whether the chain code is necessary in BIP32. He argues that the additional 256 bits of entropy provided by the chain code are not needed and he intends to show a schematic of BIP32 operations to demonstrate this. In response, Pieter Wuille provides some historical context on how the chain code ended up being included in BIP32. He explains that BIP32 was inspired by Alan Reiner's Armory software, which had a different homomorphic key derivation scheme that included something called a chain code. The chain code enabled multiple "chains" of keys to be derived from the same key pair. BIP32 made two improvements to this: allowing efficient random access into the derived keys and permitting hierarchical derivation by constructing a sub-"chain code" along with every subkey.Pieter Wuille goes on to explain his rationale for keeping the chain code in BIP32. He states that xpubs demand more protection than just public keys, and that an xpub consisting of more than just a public key adds an additional layer of protection. Additionally, repeated hashing reduces entropy at every step, so using a chain code to maintain extra entropy prevents this from happening. However, he admits that from a cryptographic point of view, the chain code is not needed and only has some qualitative advantage in practice.
Updated on: 2023-05-21T00:01:55.117297+00:00