Avoiding xpub+derivation reuse across wallets, in a UX-friendly manner

Posted by kloaec

Apr 29, 2025/17:54 UTC

In the realm of cryptocurrency wallets, particularly those employing multisig and advanced wallet structures, the reuse of extended public keys (xpubs) combined with their derivation paths poses notable privacy concerns. This issue is magnified when considering the user's propensity to switch between different software wallets, potentially leading to unintentional key reuse across these platforms. The traditional methods aimed at mitigating this problem, such as prompting users to manually select an "account" number or relying on software-specific state management to track the last used account, are deemed insufficient. These approaches not only add unnecessary complexity for the user but also fail to address the core issue across various wallet software.

Given the limitations of current practice, output descriptors emerge as a promising solution. Output descriptors record the derivation path explicitly, so the standard BIP-defined derivation paths become less relevant. This fits the goal of preventing xpub reuse without hurting the user experience, especially in more complex configurations such as multisig setups. Despite its potential, moving single-sig wallets away from their traditional reliance on mnemonic phrases plus standard derivation paths toward output descriptors remains a significant challenge.

Several ideas have been proposed to counter the risk of xpub reuse. Among them, the use of a random path stands out for its simplicity and effectiveness: it requires no additional state management and applies across a wide range of scenarios, including those involving many signers or cosigners. Another noteworthy proposal is the deterministic path approach, which uses UNIX time or a human-readable date to generate unique derivation paths. Although this gives the paths a logical, user-friendly structure, it runs into limitations when multiple xpubs are required within a short timeframe, since the same timestamp or date would yield the same path. Lastly, storing state with each xpub request to a signing device has been considered. This approach requires synchronization across devices and potentially with a server, raising concerns about privacy and cross-vendor compatibility.
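As an added illustration (not code from the post or from any wallet), the following compares the random-path and deterministic-path strategies described above: each strategy fills the account slot of a BIP32-style path, the resulting path is recorded explicitly in an output descriptor via key-origin information, and a small session registry shows why two date-based requests on the same day collide while random ones do not. The fingerprint and xpub values are constructed placeholders.

```python
import secrets
from datetime import datetime, timezone

HARDENED = 0x80000000  # BIP32: indexes >= 2^31 are hardened; "h" suffix means index + 2^31

def random_account_index() -> int:
    """Random account index, uniform over the 2^31 hardened indexes; needs no stored state."""
    return secrets.randbelow(HARDENED)

def date_account_index(when: datetime) -> int:
    """Human-readable deterministic index: YYYYMMDD of the request date (UTC).
    Always below 2^31 (max 99991231), so it is a valid hardened index."""
    return int(when.astimezone(timezone.utc).strftime("%Y%m%d"))

def unix_account_index(when: datetime) -> int:
    """Deterministic index from UNIX time; fits in 31 bits until January 2038."""
    ts = int(when.timestamp())
    if not 0 <= ts < HARDENED:
        raise ValueError("timestamp does not fit a hardened BIP32 index")
    return ts

def account_path(purpose: int, coin: int, account: int) -> str:
    """Build m/purpose'/coin'/account' with the account slot carrying the unique index."""
    if not 0 <= account < HARDENED:
        raise ValueError("account index out of range")
    return f"m/{purpose}h/{coin}h/{account}h"

def wpkh_descriptor(fingerprint: str, path: str, xpub: str) -> str:
    """Single-sig descriptor with key-origin info: the exact path travels with the
    descriptor, so no software later has to guess a 'standard' path."""
    origin = path.removeprefix("m/")
    return f"wpkh([{fingerprint}/{origin}]{xpub}/<0;1>/*)"

def request_xpub_path(used: set, strategy, purpose: int = 84, coin: int = 0) -> str:
    """Simulate a wallet asking a signer for a fresh xpub: derive the candidate path
    with `strategy` and refuse to hand out one this session already used."""
    path = account_path(purpose, coin, strategy())
    if path in used:
        raise ValueError(f"path already used: {path}")
    used.add(path)
    return path

def second_request_collides(strategy) -> bool:
    """True if two back-to-back requests with `strategy` yield the same path."""
    used = set()
    request_xpub_path(used, strategy)
    try:
        request_xpub_path(used, strategy)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    now = datetime(2025, 4, 29, 17, 54, tzinfo=timezone.utc)  # constructed request time
    print(second_request_collides(lambda: date_account_index(now)))  # True: same day, same path
    print(second_request_collides(random_account_index))              # False (overwhelmingly)
    print(wpkh_descriptor("deadbeef", account_path(84, 0, date_account_index(now)), "xpubPLACEHOLDER"))
```

The date-based collision is the short-timeframe limitation the post mentions; the random strategy avoids it without any stored counter.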

Despite these advancements, certain use cases, such as wallet rotation or migration for key replacement and timelock management, still face challenges. The need for cross-vendor compatibility and privacy preservation suggests that a combination of these strategies, possibly leaning towards randomized paths, may offer the best solution.

The discussion around avoiding key reuse, particularly for single-sig wallets, remains unresolved. While the proposed solutions mark a significant step forward, adopting output descriptors and abandoning standard derivation paths involves trade-offs, particularly for privacy. An alternative, such as a sync server holding an encrypted backup of the wallet descriptor, is a compromise that introduces considerations of its own.

In conclusion, addressing the issue of key reuse in cryptocurrency wallets requires a multifaceted approach that considers user experience, privacy, and technological feasibility. The exploration of new standards and practices, such as those discussed, is crucial for developing a robust framework that ensures security and privacy without imposing undue burden on the user.
