Lattice-Based HD Wallets
BIP-32 breaks under post-quantum crypto — a new paper recovers it
THE PROBLEM
BIP-32 HD wallets rely on elliptic curve linearity: a parent public key can derive child public keys without the private key (non-hardened derivation). Post-quantum schemes like ML-DSA (Dilithium) don't have this linear structure. Adopting PQ crypto naively means losing non-hardened derivation entirely.
WHAT BREAKS
• Exchanges generating unique deposit addresses per customer from an offline master key
• Payment processors (BTCPay Server) deriving addresses without holding signing keys
• Hardware wallets exporting xpubs for watch-only companions
• Any BIP-44/49/84/86 derivation path using non-hardened steps
THE AUTHORS
Conor Deegan, James Fitzwater, Kamil Doruk Gur, David Nugent from Project Eleven — a startup focused on Bitcoin quantum resistance ($20M Series A, Jan 2026). Also running the "Q-Day Prize": 1 BTC to anyone who breaks an ECC key using Shor's algorithm on a quantum computer.
The Paper: ePrint 2026/380
CONSTRUCTION 1: ML-DSA
Uses NIST-standardized ML-DSA (Dilithium). Supports only hardened derivation (private key required). Provable unlinkability and unforgeability. Practical, but loses non-hardened derivation.
CONSTRUCTION 2: RACCOON-G
First PQ scheme that recovers BIP-32's full public key derivation. Uses Gaussian-distributed secrets that are stable under addition. Provable security under standard lattice assumptions.
WHY RACCOON-G WORKS
ML-DSA uses rounding during key generation (only the high bits of A·s + e are published), which destroys the linear relationship between parent and child public keys. Raccoon-G's Gaussian secret distribution avoids this — the sum of two Gaussian-distributed secrets is itself Gaussian-distributed, with a predictably wider variance, so the child secret stays in the form the scheme expects. This preserves the key derivation property:
pk_child = pk_parent + f(chaincode, pk_parent, i) works in the lattice setting.
SECURITY
Both constructions prove unlinkability (child keys cannot be linked to parent) and unforgeability under standard module-lattice assumptions — the same hardness assumptions underpinning Dilithium.
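A toy illustration of the "WHY RACCOON-G WORKS" point above, added here and not code from the paper or from Project Eleven: in a shrunken ring Z_q[x]/(x^N + 1) with constructed parameters, a watch-only party derives child keys from an unrounded public key exactly, while the same derivation from a rounded (ML-DSA-style) public key disagrees with what the private-key holder gets. The `f_tweak` function is an illustrative stand-in for the paper's f, not its actual definition.

```python
import hashlib
import random

# Toy ring Z_q[x]/(x^N + 1) with constructed parameters, far too small for real security.
N, Q = 16, 8380417   # q is ML-DSA's modulus; N is shrunk from 256 to keep this readable
D = 13               # ML-DSA's Power2Round drops the low 13 bits of t = A*s + e
SIGMA = 2.0          # standard deviation of the (toy) Gaussian secrets and offsets

def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def poly_mul(a, b):  # negacyclic convolution: product modulo x^N + 1
    res = [0] * N
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            k, v = (i + j, x * y) if i + j < N else (i + j - N, -x * y)
            res[k] = (res[k] + v) % Q
    return res

def gaussian_poly(rng):
    return [round(rng.gauss(0, SIGMA)) for _ in range(N)]

def f_tweak(chaincode, pk_parent, index):
    # f(chaincode, pk_parent, i): public data -> Gaussian offsets (delta_s, delta_e).
    # Illustrative stand-in for the paper's derivation function, not its definition.
    seed = hashlib.sha256(chaincode + repr(pk_parent).encode() + index.to_bytes(4, "big")).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    return gaussian_poly(rng), gaussian_poly(rng)

def pk_unrounded(A, s, e):
    # Raccoon-G-style: publish t = A*s + e as-is, so pk is linear in (s, e).
    return poly_add(poly_mul(A, s), e)
def pk_rounded(A, s, e):
    # ML-DSA-style: publish only HighBits(t); the dropped low bits break linearity.
    return [c >> D for c in pk_unrounded(A, s, e)]

def derive_unrounded(pk_parent, A, delta):
    # Watch-only derivation: pk_child = pk_parent + A*delta_s + delta_e (no private key).
    return poly_add(poly_add(pk_parent, poly_mul(A, delta[0])), delta[1])
def derive_rounded(pk_parent, A, delta):
    # Best a watch-only party can do with HighBits alone: re-expand, add, re-round.
    return [c >> D for c in derive_unrounded([c << D for c in pk_parent], A, delta)]

def check_linearity(pk_fn, derive_fn, n_children=4, seed=1):
    # Count children whose watch-only derivation disagrees with the key the holder of
    # sk_child = (s + delta_s, e + delta_e) computes directly. Constructed chaincode.
    rng = random.Random(seed)
    A, s, e = [rng.randrange(Q) for _ in range(N)], gaussian_poly(rng), gaussian_poly(rng)
    pk_parent, mismatches = pk_fn(A, s, e), 0
    for i in range(n_children):
        ds, de = f_tweak(b"constructed-chaincode", pk_parent, i)
        mismatches += derive_fn(pk_parent, A, (ds, de)) != pk_fn(A, poly_add(s, ds), poly_add(e, de))
    return mismatches
```

`check_linearity(pk_unrounded, derive_unrounded)` returns 0 for any seed, since A·(s+δs) + (e+δe) = (A·s + e) + A·δs + δe holds exactly mod q; `check_linearity(pk_rounded, derive_rounded)` reports mismatches because the carries from the discarded low bits are unknown to the watch-only side.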
The Elephant in the Room
Post-quantum signatures are massive compared to ECDSA
| Scheme | Public Key | Signature | Notes |
|---|---|---|---|
| ECDSA (secp256k1) | 33 B | 71–73 B | Current Bitcoin |
| ML-DSA-44 | 1,312 B | 2,420 B | NIST Level 2 |
| ML-DSA-65 | 1,952 B | 3,309 B | NIST Level 3 |
| FN-DSA (FALCON) | ~897 B | ~666 B | Smaller but complex |
| SHRINCS | — | 324 B | Stateful, single-device |
| SHRIMPS | — | ~2,564 B | Stateful, multi-device |
THE WEIGHT QUESTION
ML-DSA-65 signatures are roughly 46× larger than ECDSA. This has massive implications for block space, UTXO set size, and fee economics. Whether Bitcoin can tolerate this overhead — or must wait for more compact PQ schemes — is an open question.
The PQ Roadmap
FIVE THINGS BITCOIN NEEDS
1. Signature scheme selection (ML-DSA? FALCON? Raccoon? Hybrid?)
2. HD wallet derivation standard ← this paper's contribution
3. Address format and output type (BIP-360 / P2MR)
4. Migration path for existing UTXOs
5. Block size / weight implications of 40–60× larger signatures
PROGRESS
BIP-360 (P2MR) merged into official BIP repo Feb 2026. BTQ Technologies shipped a working testnet implementation (v0.3.0) with Dilithium opcodes in tapscript. See March slides.
TIMELINE PRESSURE
Harvest-now-decrypt-later: adversaries can record transactions today and break them when quantum computers arrive. ~6–7M BTC sit in addresses with exposed public keys. Soft fork deployment takes years.