Board: Development & Technical Discussion
Topic: Re: New HD wallet that tolerates leakage of some child private keys
by Crowex on 08/01/2015, 18:51:44 UTC
Implement a "flat" or "simulated" hierarchy, meaning that the key m/x/y/z is a linear combination of the original n master keys d1,...,dn where the coefficients are derived from the hash of (x,y,z).  Note that a total of no more than n-1 private keys can be revealed from anywhere in the hierarchy.  That might seem bad but it's still an improvement on BIP32, where any one (non-hardened) private key from anywhere in the hierarchy can be combined with the master public key to break the wallet.

I'm not sure exactly how this scheme would work but it's also very easy to break the public key derivation property when you start using hashes for the coefficients.
It's one of those problems where, when you solve one thing, you break something else.