tari-project / tari

The Tari protocol
https://tari.com
BSD 3-Clause "New" or "Revised" License
347 stars, 214 forks

Confirm that all BIP32 key derivation uses full entropy #6489

Closed AaronFeickert closed 3 weeks ago

AaronFeickert commented 3 weeks ago

In order to provide compatibility with Ledger interfaces, key derivation is performed by forming a BIP32 path and securely hashing it.

This approach requires that two u64 values, an account and an index, are supplied. As a result, the technique is only secure if both inputs were produced by secure uniform sampling that provides 64 bits of entropy each. Otherwise, the result does not provide a key with 128 bits of effective entropy.

All uses of this derivation should be carefully checked.
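The entropy argument in the comment above, as an added illustration that is not Tari's code: a hypothetical derivation that hashes a hardened BIP32-style path built from an `account` and an `index` (the domain separator, path format and helper names are assumptions for the example). If the path components are the only secret input and they come from small ranges, an attacker who knows the derived key can simply enumerate candidate paths; mixing in a secret seed the attacker does not hold removes that search, which is the distinction the follow-up comment relies on.

```python
"""Hypothetical BIP32-path key derivation (example only, not Tari's code)."""
import hashlib
import secrets
from typing import Optional, Tuple

# Assumed domain separator; Tari's real construction is not reproduced here.
DOMAIN = b"example.bip32-path-kdf.v1"


def bip32_path(account: int, index: int) -> str:
    """Format two u64 values as a hardened BIP32-style path, e.g. m/3'/17'."""
    for value in (account, index):
        if not 0 <= value < 2**64:
            raise ValueError("path components must fit in a u64")
    return f"m/{account}'/{index}'"


def derive_key(account: int, index: int, seed: Optional[bytes] = None) -> bytes:
    """Hash the path (and an optional secret seed) into a 32-byte key.

    With seed=None the path components are the only secret material, so the
    key has no more entropy than the (account, index) pair itself.
    """
    h = hashlib.sha256()
    h.update(DOMAIN)
    if seed is not None:
        h.update(len(seed).to_bytes(2, "big"))  # length-prefix to avoid ambiguity
        h.update(seed)
    h.update(bip32_path(account, index).encode())
    return h.digest()


def recover_inputs(target: bytes, max_account: int, max_index: int,
                   seed: Optional[bytes] = None) -> Optional[Tuple[int, int]]:
    """Attacker's view: enumerate small (account, index) ranges until the
    derived key matches. Succeeds only if both inputs are guessable."""
    for account in range(max_account):
        for index in range(max_index):
            if derive_key(account, index, seed) == target:
                return (account, index)
    return None


def sample_full_entropy_u64() -> int:
    """Uniformly sample a u64 from the OS CSPRNG (64 bits of entropy)."""
    return secrets.randbits(64)


if __name__ == "__main__":
    # Constructed low-entropy inputs: a counter-like account and index.
    weak_key = derive_key(3, 17)
    print("seedless, guessable inputs ->", recover_inputs(weak_key, 16, 32))

    # Same inputs, but a secret seed the attacker does not hold is mixed in.
    seed = secrets.token_bytes(32)
    strong_key = derive_key(3, 17, seed)
    print("with secret seed, same search ->", recover_inputs(strong_key, 16, 32))

    # Full-entropy u64 inputs give a 2^128 search space even without a seed.
    a, i = sample_full_entropy_u64(), sample_full_entropy_u64()
    print("full-entropy path:", bip32_path(a, i))
```

The point of the two `recover_inputs` calls is that the hash is irrelevant to the attack: SHA-256 does not add entropy, so a seedless derivation over counter-like inputs is recoverable in a few hundred trials, whereas the same inputs combined with an unknown 256-bit seed (or two uniformly sampled u64 values) are not enumerable.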

AaronFeickert commented 3 weeks ago

It turns out that I misunderstood the code path, and assumed the BIP32 path itself was being formed using existing output that needed to be of high entropy. This is not the case, and the construction is secure.