This research was conducted by Conor Deegan (CTO), David Nugent (R&D Lead), and James Fitzwater (Researcher) at Project Eleven, with Kamil Doruk Gür (PhD, Independent Researcher).
Blockchain wallets need key pairs: a private key to sign transactions and a public key to receive funds and prove ownership. In the simplest design, each address requires an independently generated key pair, and each key pair must be securely stored. BIP32 hierarchical deterministic (HD) wallets replaced this model. With BIP32, a single master seed deterministically generates an entire tree of key pairs, so one backup recovers everything.
*Source: BIP 32 (Hierarchical Deterministic Wallets) - https://river.com/learn/terms/b/bip-32/*
BIP32 defines two types of child key derivation: hardened and non-hardened. Hardened derivation requires the parent private key to produce a child key pair. Non-hardened derivation does not: child public keys can be derived from the parent public key alone. The parent public key is often referred to as the extended public key or xpub. Importantly, these child public keys can be generated without the private key being present at all.
This is very useful. Consider a payment processor that needs to generate a fresh receiving address for every customer transaction. With non-hardened derivation, a server holds only the xpub and produces new public keys and addresses on demand. The private key stays offline in cold storage, never exposed to the internet-facing infrastructure. This separation, generating addresses in one place and signing transactions in another, is the basis of watch-only wallets: the server has full visibility over incoming funds but zero signing authority.
Without non-hardened derivation, every new address requires access to the private key. The private key must be online, or at minimum accessible to the address generation system. This collapses the separation between address generation and signing that BIP32 was designed to provide.
Non-hardened derivation depends on a specific mathematical property of elliptic curve cryptography.
In ECC, a private key is a scalar, a large number k. The corresponding public key is a point on the curve, computed as K = kG, where G is a fixed generator point that everyone agrees on. The critical property is that this relationship is linear: if you add two private keys together, the corresponding public key is the sum of the two public keys.
This is exactly the property BIP32 relies on. To derive a child key from a parent, the protocol computes a deterministic offset (just another scalar). The child private key is the parent private key plus this offset. The child public key is the parent public key plus the offset times the generator: K_child = K_parent + offset · G. Because the math is exact (no rounding, no approximation, no noise), anyone with the xpub computes the same child public key that the private key holder would.
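As an added example (not code from the paper or from the Project Eleven code base), here is that linearity property and BIP32's non-hardened step in pure Python on secp256k1. The offset is the left half of HMAC-SHA512(chain code, serialized parent public key || index), as BIP32 specifies, and the child public key comes out the same whether you start from the private key or from the public key alone. The curve constants are the real secp256k1 parameters; the parent key and chain code are constructed sample values, and the arithmetic is a plain textbook implementation, not constant-time.

```python
import hashlib
import hmac

# secp256k1 domain parameters (the real constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (
    0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
    0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
)


def on_curve(point):
    """y^2 = x^3 + 7 over F_P."""
    x, y = point
    return (y * y - x * x * x - 7) % P == 0


def point_add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # a == -b
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point=G):
    """k * point by double-and-add (not constant-time; illustration only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def compress(point):
    """SEC1 compressed encoding: 0x02/0x03 prefix by y parity, then x."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def child_offset(parent_pub, chain_code, index):
    """Non-hardened BIP32 step: I = HMAC-SHA512(c_par, ser_P(K_par) || ser_32(i)).
    Left 32 bytes give the scalar offset, right 32 bytes the child chain code."""
    if index >= 0x80000000:
        raise ValueError("hardened index: the parent private key is required")
    data = compress(parent_pub) + index.to_bytes(4, "big")
    i = hmac.new(chain_code, data, hashlib.sha512).digest()
    offset = int.from_bytes(i[:32], "big")
    if offset >= N:                      # BIP32: such a child is invalid; callers move on to i+1
        raise ValueError("invalid child, skip this index")
    return offset, i[32:]


def derive_child_private(parent_priv, chain_code, index):
    """Private-key side: k_child = k_parent + offset (mod N)."""
    offset, child_cc = child_offset(scalar_mult(parent_priv), chain_code, index)
    return (parent_priv + offset) % N, child_cc


def derive_child_public(parent_pub, chain_code, index):
    """xpub side: K_child = K_parent + offset * G, with no private key involved."""
    offset, child_cc = child_offset(parent_pub, chain_code, index)
    return point_add(parent_pub, scalar_mult(offset)), child_cc


def derivations_agree(parent_priv, chain_code, index):
    """True when both sides of the linearity argument land on the same child key."""
    child_priv, cc_priv = derive_child_private(parent_priv, chain_code, index)
    child_pub, cc_pub = derive_child_public(scalar_mult(parent_priv), chain_code, index)
    return scalar_mult(child_priv) == child_pub and cc_priv == cc_pub


# Constructed sample material, not a real wallet key.
SAMPLE_PRIV = int.from_bytes(hashlib.sha256(b"constructed parent key").digest(), "big") % N
SAMPLE_CC = hashlib.sha256(b"constructed chain code").digest()

if __name__ == "__main__":
    xpub_point = scalar_mult(SAMPLE_PRIV)
    for index in range(3):
        child_pub, _ = derive_child_public(xpub_point, SAMPLE_CC, index)
        print(index, compress(child_pub).hex(), derivations_agree(SAMPLE_PRIV, SAMPLE_CC, index))
```

`derive_child_public` is everything a watch-only server needs: it touches only the parent public point and chain code, and the hardened-index check makes the boundary explicit, since for indices at or above 2^31 the HMAC input is the parent private key and the server has nothing to feed it.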
Two properties make this work. First, the derivation is deterministic and exact: public key derivation and private key derivation always produce matching key pairs. Second, the child public key is indistinguishable from one generated independently: an observer cannot tell whether two public keys share a common parent. This property is called unlinkability, and it is essential; without it, an attacker who sees two addresses can determine that they belong to the same wallet.
Post-quantum signature schemes based on lattices do not have these properties. There are two distinct obstacles.
Rounding destroys linearity. ML-DSA, the NIST-standardized post-quantum signature scheme (FIPS 204), applies a rounding step to the public key during key generation. This rounding drops low-order bits to reduce key size, an optimization that saves bandwidth and storage. But rounding is lossy and non-linear: if you round two numbers and add them, you do not get the same result as adding them first and then rounding. Applied to public keys, this means that, given a rounded parent public key, there is no way to compute the correct rounded child public key by adding an offset. The operation BIP32 depends on (add an offset to the parent public key and get a valid child public key) is undefined. This is a structural barrier inherent to any scheme that rounds its public keys.
Noise accumulation breaks unlinkability. Even in lattice schemes where the public key retains its full algebraic structure (no rounding), a second problem remains. A lattice public key takes the form t = As + e. The important part of this equation is e, a small amount of noise added to each public key for security reasons (you can read more about how ML-DSA works here).
When you derive a child key, you add a fresh secret and fresh noise. After one derivation, the noise is slightly larger. After several, it is measurably different from the noise in a freshly generated key. An observer who can distinguish the noise profile of a signature generated using a derived key from that of one generated using a fresh key can determine that the key was derived, breaking unlinkability. The deeper the derivation tree, the worse this gets.
How much worse depends on the sampling distributions used by the scheme. ML-DSA and other lattice schemes sample their secrets and noise from bounded uniform or sums-of-uniform distributions. These distributions are not stable under addition: they change shape when combined. Consider a single die: each face (1 through 6) is equally likely, a uniform distribution. Now roll two dice and sum them. The result ranges from 2 to 12, but the outcomes are no longer equally likely. There is only one way to roll a 2 (1+1) and one way to roll a 12 (6+6), but there are six ways to roll a 7 (1+6, 2+5, 3+4, 4+3, 5+2, 6+1). The distribution has changed shape: it peaks in the middle. Roll three dice and it clusters further. The same thing happens with the sampling distributions used in these schemes. After several rounds of key derivation, the secret and noise components follow distributions that look nothing like those of a freshly generated key. For non-hardened derivation to preserve unlinkability, the scheme needs sampling distributions that remain in the same family under addition.
Prior post-quantum HD wallet proposals either abandon non-hardened derivation entirely (requiring the private key for every child key) or attempt it with significant limitations: complex auxiliary proofs for unlinkability, or no formal security analysis at all.
We constructed two post-quantum HD wallets, proved their security under standard lattice assumptions, and implemented both in Rust.
ML-DSA HD Wallet. This construction uses ML-DSA and provides deterministic seed-based key derivation with formal proofs of unlinkability and unforgeability and a full security analysis. Because ML-DSA rounds its public keys, it is limited to hardened derivation; the private key is required for every child key derivation.
Raccoon-G HD Wallet. This is the primary contribution. Raccoon-G is a variant of the Raccoon signature scheme that uses Gaussian-distributed secrets. It addresses both obstacles listed above.
For the linearity problem: we publish the full, unrounded public key. Raccoon's base specification rounds the public key (like ML-DSA), but the rounding is not inherent to the scheme's security; it is a size optimization. By skipping this step and publishing the full public key, we retain the additive structure needed for child key derivation.
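Both the rounding obstacle described earlier and the fix of publishing the unrounded key can be checked directly. The following is an added example, not code from the paper or from its Rust implementation: a toy integer-vector analogue of a lattice public key t = As + e mod q with FIPS 204's Power2Round applied to t. The modulus q = 8380417 and the d = 13 dropped bits are ML-DSA's values; the dimensions, the sampling range, the matrix A and the per-derivation offsets are constructed here (drawn at random rather than from a seed, which is enough to show the algebra). The key holder derives the child key from the secret. An xpub holder who has the full t derives exactly the same t_child; an xpub holder who has only the rounded t1 cannot, because the dropped low-order bits t0 are not recoverable.

```python
import random

Q = 8380417   # ML-DSA modulus (FIPS 204)
D = 13        # low-order bits Power2Round drops from the public key in ML-DSA
K, L = 4, 4   # toy dimensions: plain integer vectors instead of polynomial vectors
ETA = 2       # secrets and noise are sampled from [-ETA, ETA]


def centered_mod(x, m):
    """Representative of x mod m in the range (-m/2, m/2]."""
    r = x % m
    return r - m if r > m // 2 else r


def power2round(t):
    """FIPS 204 Power2Round per coordinate: t = t1 * 2^D + t0 with t0 centered.
    ML-DSA publishes only t1; t0 lives in the private key."""
    t1, t0 = [], []
    for r in t:
        r %= Q
        r0 = centered_mod(r, 1 << D)
        t1.append((r - r0) >> D)
        t0.append(r0)
    return t1, t0


def matvec(A, s):
    return [sum(a * b for a, b in zip(row, s)) % Q for row in A]


def vec_add(u, v):
    return [(a + b) % Q for a, b in zip(u, v)]


def small_vec(rng, n):
    return [rng.randint(-ETA, ETA) for _ in range(n)]


def keygen(rng, A):
    """Fresh key: small secret (s, e), public t = A*s + e mod Q."""
    s, e = small_vec(rng, L), small_vec(rng, K)
    return (s, e), vec_add(matvec(A, s), e)


def derive_with_private_key(A, parent_secret, offset):
    """What the key holder does (hardened-style): shift the secret, recompute t."""
    (s, e), (ds, de) = parent_secret, offset
    s_child = [a + b for a, b in zip(s, ds)]
    e_child = [a + b for a, b in zip(e, de)]
    return (s_child, e_child), vec_add(matvec(A, s_child), e_child)


def derive_from_full_public_key(A, t_parent, offset):
    """xpub-style derivation on the unrounded key: t_child = t_parent + A*ds + de."""
    ds, de = offset
    return vec_add(t_parent, vec_add(matvec(A, ds), de))


def derive_from_rounded_public_key(A, t1_parent, offset):
    """Best effort when only t1 is known: t0 is gone, so the holder rebuilds a lossy
    t_parent from t1 alone, adds the offset and re-rounds."""
    ds, de = offset
    t_reconstructed = [x << D for x in t1_parent]
    return power2round(vec_add(t_reconstructed, vec_add(matvec(A, ds), de)))[0]


def experiment(trials=200, seed=1):
    """Count derivations where each public-key-only method disagrees with the key holder.
    Returns (mismatches with the full key, mismatches with the rounded key)."""
    rng = random.Random(seed)
    A = [[rng.randrange(Q) for _ in range(L)] for _ in range(K)]
    full_mismatches = rounded_mismatches = 0
    for _ in range(trials):
        parent_secret, t_parent = keygen(rng, A)
        offset = (small_vec(rng, L), small_vec(rng, K))
        _, t_child = derive_with_private_key(A, parent_secret, offset)
        if derive_from_full_public_key(A, t_parent, offset) != t_child:
            full_mismatches += 1
        t1_parent, _ = power2round(t_parent)
        if derive_from_rounded_public_key(A, t1_parent, offset) != power2round(t_child)[0]:
            rounded_mismatches += 1
    return full_mismatches, rounded_mismatches


if __name__ == "__main__":
    full, rounded = experiment()
    print(f"unrounded key: {full} mismatches in 200 derivations")
    print(f"rounded key:   {rounded} mismatches in 200 derivations")
```

With the full key the two sides agree in every trial, because A(s + ds) + (e + de) is the same vector as (As + e) + (A·ds + de) mod q. With only t1, the holder's re-rounded result disagrees with the key holder's t1_child in a large fraction of trials: whenever the unknown t0 pushes a coordinate across a rounding boundary, there is no information left on the public side to correct it.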
For the noise accumulation problem: Gaussian distributions are stable under addition. If you add two independent Gaussian random variables, the result is another Gaussian with a wider standard deviation, but still a Gaussian. This is a well-known statistical property, and it is exactly what we need. Each round of key derivation adds Gaussian noise. The derived key's secret has a wider Gaussian distribution than the parent's, but it is still drawn from the same distributional family. This means derived public keys remain statistically close to independently generated ones, preserving unlinkability as long as the derivation depth stays within a bound where the widening remains controlled.
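The dice argument from the obstacle section and the Gaussian stability used here can both be made concrete by convolving exact probability mass functions. This is an added example and not code from the paper or its implementation; the six-sided die and the width σ = 4 are constructed choices. It measures the statistical (total variation) distance between the sum of n draws, standing in for n derivation steps, and a single fresh draw from the same family with matching range or variance. That distance is exactly the quantity an observer's advantage at linking a derived key to a fresh one is bounded by.

```python
import math


def uniform_pmf(lo, hi):
    """Bounded uniform distribution on the integers lo..hi (a die is uniform_pmf(1, 6))."""
    n = hi - lo + 1
    return {x: 1.0 / n for x in range(lo, hi + 1)}


def discrete_gaussian_pmf(sigma, tail=12.0):
    """Discrete Gaussian on Z with width sigma, truncated at +/- tail*sigma (negligible mass lost)."""
    bound = int(math.ceil(tail * sigma))
    weights = {x: math.exp(-x * x / (2.0 * sigma * sigma)) for x in range(-bound, bound + 1)}
    total = sum(weights.values())
    return {x: w / total for x, w in weights.items()}


def convolve(p, q):
    """Distribution of X + Y for independent X ~ p and Y ~ q."""
    out = {}
    for x, px in p.items():
        for y, qy in q.items():
            out[x + y] = out.get(x + y, 0.0) + px * qy
    return out


def sum_of(pmf, n):
    """Distribution of the sum of n independent draws from pmf (n derivation steps)."""
    acc = {0: 1.0}
    for _ in range(n):
        acc = convolve(acc, pmf)
    return acc


def total_variation(p, q):
    """Statistical distance: the best advantage any observer has at telling p from q."""
    keys = set(p) | set(q)
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in keys)


def dice_drift(n_dice):
    """Distance between the sum of n dice and a fresh uniform draw on the same range."""
    s = sum_of(uniform_pmf(1, 6), n_dice)
    return total_variation(s, uniform_pmf(min(s), max(s)))


def gaussian_drift(sigma, depth):
    """Distance between `depth` summed Gaussians of width sigma and one fresh Gaussian
    of width sigma*sqrt(depth), the family member with the matching variance."""
    s = sum_of(discrete_gaussian_pmf(sigma), depth)
    return total_variation(s, discrete_gaussian_pmf(sigma * math.sqrt(depth)))


if __name__ == "__main__":
    for n in (1, 2, 3, 4):
        print(f"{n} dice summed vs fresh uniform:       TV = {dice_drift(n):.4f}")
    for n in (1, 2, 3, 4):
        print(f"{n} Gaussians summed vs fresh Gaussian: TV = {gaussian_drift(4.0, n):.2e}")
```

The dice distance grows with every step (two dice are already about 0.21 away from uniform, three dice further still), while the Gaussian distance stays at floating-point noise for every depth shown: the sum is, to within that error, just the wider member of the same family. That is the "same family under addition" property the construction relies on, and it is why the derivation depth bound mentioned above is about how wide σ√depth may grow before the widening stops being controlled, not about the shape of the distribution changing.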
Together, these two properties enable non-hardened public key derivation: child public keys derived from a parent xpub alone.
The post-quantum transition for blockchains is often framed as a primitive replacement: swap ECDSA for ML-DSA. HD wallets show that this is incomplete. The ecosystem depends on extended properties (non-hardened derivation, watch-only wallets, hierarchical key management) which rely on algebraic structure that does not survive the transition to lattices without new constructions and new proofs. A complete post-quantum blockchain requires not only secure primitives but secure compositions of those primitives with the functionality that deployed infrastructure depends on.
To our knowledge, this is the first post-quantum HD wallet construction that recovers BIP32's full public key derivation functionality with provable security under standard assumptions.
The full paper is available on IACR and the Rust implementation is available on GitHub.