Topic: Are deterministic wallets more secure than random wallets ? (Read 2900 times)

legendary
Activity: 3696
Merit: 1584
Another reason why revealing the MPK is a bad idea is that, in the unfortunate event that any one of your private keys is revealed, all your private keys can be cracked:

https://bitcointalksearch.org/topic/any-spend-only-ecda-to-crack-303969

See the response by ThomasV.
legendary
Activity: 1470
Merit: 1030
- 3. Users who use the deterministic wallet as a brainwallet with a memorable but unpredictable and strong passphrase:
- resistance against random number function defect/sabotage as above
- used in a wallet, the brainwallet passphrase will be an additional backup against losing coins

Yes, assuming a strong passphrase, I'd think this would provide protection against a compromised RNG, whereas randomly generated addresses would not. A good idea for long-term storage, I would think.

For belt and braces, maybe part strong passphrase + random number.
newbie
Activity: 42
Merit: 0
I think this very question is relevant:

what is a secure way to save a wallet, and where, on a PC or on a mobile?
hero member
Activity: 504
Merit: 500
As I see it, some people have already done a profound analysis of the deterministic usage of ECDSA in various environments, because it doesn't need access to a high-quality randomness source:

https://tools.ietf.org/html/rfc6979
legendary
Activity: 1221
Merit: 1025
e-ducat.fr

If a webshop using a deterministic wallet makes its master public key public (as it should),
By making your MPK public you've basically revealed to the world your entire sales data.

Only a fraction of the sales data is revealed.
If bitcoin transactions represent only a fraction of the sales (like cash transactions represent only a fraction of proximity payments), the world can only see the tip of the iceberg. And maybe the world will give credit to the merchant for its transparency and increased security.

Bitcoin payments could one day represent a larger proportion of sales of digital goods.
However, with digital goods, it could be a plus if content owners can audit the sales or the donations.
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
If you reveal it to the entire planet, then the tax man can't over-tax you. hehehe.. full transparency has its uses. (Also prevents corrupt tax men from extorting you.)
legendary
Activity: 3696
Merit: 1584
And you'll get taxed for it, (as you should).

If you want to comply with tax regulations you reveal your sales data to the tax man not the entire planet.
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
And you'll get taxed for it, (as you should).
legendary
Activity: 3696
Merit: 1584

If a webshop using a deterministic wallet makes its master public key public (as it should),

No it should not. By making your MPK public you've basically revealed to the world your entire sales data.
legendary
Activity: 1221
Merit: 1025
e-ducat.fr
This might be off topic, but a deterministic wallet is more secure than a random wallet with respect to man-in-the-middle attacks.
If a webshop using a deterministic wallet makes its master public key public (as it should), then a paranoid shopper can verify that the payment address associated with her invoice belongs to the merchant's wallet.
I developed two apps to demonstrate this use case (those are RoR apps that I intend to open source when I find the time to do so):
the webshop is deployed on microbitcoin.net and the address verification app (still in beta) is on bitcoinrad.io.
You can try out bitcoinrad.io with your own Electrum master public key and addresses.
The bitcoinrad.io service should be duplicated so that multiple verification sources are available to merchants using deterministic wallets.
Multiple verification sources, possibly exposing a unified API, would greatly reduce the risks of a MITM attack.
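The shopper-side check described above, as an added example that is not the bitcoinrad.io or microbitcoin.net code: a minimal secp256k1 implementation plus an Electrum-style type-2 chain in which the child key at index i is master + H(i || MPK). The offset formula (double SHA-256 of "index:MPK"), the function names and the demo seed are constructed for illustration and are not Electrum's exact derivation.

```python
import hashlib

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Add two affine points; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None                                         # a == -b
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P    # tangent slope
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P   # chord slope
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):
    """Scalar multiplication by double-and-add (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def chain_offset(mpk, index):
    """Type-2 offset for `index`: H(H("index:" || MPK)) mod N. Anyone holding the
    MPK can compute it, which is why MPK plus one leaked child private key exposes
    the master secret, as noted earlier in the thread: keep the MPK private."""
    data = f"{index}:".encode() + mpk[0].to_bytes(32, "big") + mpk[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big") % N

def child_private(master, mpk, index):   # merchant side: needs the master secret
    return (master + chain_offset(mpk, index)) % N

def child_public(mpk, index):            # anyone holding the MPK: (m + o)G = MPK + oG
    return ec_add(mpk, ec_mul(chain_offset(mpk, index), G))

def shopper_verifies(mpk, index, invoice_pubkey):
    """Does the invoice's payment key sit at `index` of the merchant's published chain?"""
    return child_public(mpk, index) == invoice_pubkey

# Constructed demo wallet; the seed string is for illustration only.
MASTER = int.from_bytes(hashlib.sha256(b"constructed demo seed").digest(), "big") % N
MPK = ec_mul(MASTER, G)
```

A substituted (MITM) payment key fails the check because no index of the published chain produces it, while the merchant's own key for the invoice index passes without the shopper ever seeing a private key.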
legendary
Activity: 3696
Merit: 1584
Yes. You have raised all valid points, and the confusion was maybe because I didn't consider all possible aspects of the deterministic wallets and formulated my question just generally.
Especially, I didn't consider cases where you generate a deterministic chain from a random passphrase (suggested by the generator). I would say this is not a completely deterministic wallet.
I am considering the really deterministic case, where you (the human factor) make the passphrase input from your brain (which is unpredictable, if not using some banal words) and the keypair chain is generated from this input given by you.
So I reformulate my considerations/questions (please tell me if you don't agree):
- 1. A casual user with little knowledge is safer with a random wallet (like the Satoshi client with randomly generated keypairs).
(thousands of transactions on the "correct horse battery staple" passphrase, using banal or short passphrases)
- 2. A careful user with at least moderate knowledge can use fully deterministic keypair generation with higher security than wallets with randomly generated keypairs.
You create a chain yourself using passphrase+n input, or using a chain generator with your own unpredictable passphrase (not the one suggested by the generator).
Two advantages:
- resistance against an eventual random number function defect/sabotage and therefore predetermined pseudorandom numbers or low entropy
- eventually better resistance against wallet loss if automatic chain generation is used (only one backup necessary); this part is heavily disputed
- 3. Users who use the deterministic wallet as a brainwallet with a memorable but unpredictable and strong passphrase:
- resistance against random number function defect/sabotage as above
- used in a wallet, the brainwallet passphrase will be an additional backup against losing coins

All the above considerations are on PC level. The Android random function security issue was only mentioned as an example.
Android cases are very wallet specific because of some reduced functionality, so it wouldn't help there to make general considerations; I looked at all Android wallets but I never put Bitcoins in any of them. I used only brainwallet with a browser on Android. So many of you know the Android wallet applications much better.
But of course you can add your Android specific considerations also.
Thank you for your inputs.

1. Safer depends on what you are trying to be safe from. Most coins are lost not because of malicious individuals hacking wallets but because of a) mistakes made by the users themselves such as accidental reformats or file deletions and b) hardware failure. Deterministic wallets can be backed up once and you can restore your complete wallet from that backup at any time in the future so they are safer for most people.

2. & 3. Electrum used to allow people to enter their own seeds. But as Danny said above human beings are not very good at picking random words/numbers. So that is why computer generated random numbers/seeds are better and that is what we use now.

hero member
Activity: 504
Merit: 500
Yes. You have raised all valid points, and the confusion was maybe because I didn't consider all possible aspects of the deterministic wallets and formulated my question just generally.
Especially, I didn't consider cases where you generate a deterministic chain from a random passphrase (suggested by the generator). I would say this is not a completely deterministic wallet.
I am considering the really deterministic case, where you (the human factor) make the passphrase input from your brain (which is unpredictable, if not using some banal words) and the keypair chain is generated from this input given by you.
So I reformulate my considerations/questions (please tell me if you don't agree):
- 1. A casual user with little knowledge is safer with a random wallet (like the Satoshi client with randomly generated keypairs).
(thousands of transactions on the "correct horse battery staple" passphrase, using banal or short passphrases)
- 2. A careful user with at least moderate knowledge can use fully deterministic keypair generation with higher security than wallets with randomly generated keypairs.
You create a chain yourself using passphrase+n input, or using a chain generator with your own unpredictable passphrase (not the one suggested by the generator).
Two advantages:
- resistance against an eventual random number function defect/sabotage and therefore predetermined pseudorandom numbers or low entropy
- eventually better resistance against wallet loss if automatic chain generation is used (only one backup necessary); this part is heavily disputed
- 3. Users who use the deterministic wallet as a brainwallet with a memorable but unpredictable and strong passphrase:
- resistance against random number function defect/sabotage as above
- used in a wallet, the brainwallet passphrase will be an additional backup against losing coins

All the above considerations are on PC level. The Android random function security issue was only mentioned as an example.
Android cases are very wallet specific because of some reduced functionality, so it wouldn't help there to make general considerations; I looked at all Android wallets but I never put Bitcoins in any of them. I used only brainwallet with a browser on Android. So many of you know the Android wallet applications much better.
But of course you can add your Android specific considerations also.
Thank you for your inputs.
legendary
Activity: 3472
Merit: 4801
you may call the combination of the Armory seed and chain code a "password" but nobody else does including its author.  that's where the confusion is.

Yes, the confusion is that the OP suggested using "deterministic wallets" (which typically use a RNG to generate the seed or root key and chain code), and then suggested that the deterministic addresses be calculated by a method of "passphrase+1->(private key 1, address1)".

As such the OP blended the concept of a deterministic wallet and a brain wallet.

I'm not the one who suggested that the seed and chain code should be called a "password".

I specifically stated:

If they calculated multiple private keys from the same deterministic wallet, wouldn't it be possible to calculate the chain code?  If so, wouldn't that mean that they'd have ALL private keys from the wallet?

It was the OP who then confused things by suggesting that a "deterministic wallet" would not use a randomly generated seed or chain code and instead would use a passphrase:

2. " wouldn't it be possible to calculate the chain code?" you mean the passphrase ? NO
Not even by type 1 deterministic wallet as far as I know.
passphrase+1->(private key 1, address1)
passphrase+2->(private key 2, address2)
If you found the private key 1 you need to reverse the SHA256 hash to find out the passphrase otherwise you cannot find out the private key 2.

Now, if you take a look at what the OP is suggesting, the "passphrase" serves the purpose of a "seed", and the incrementing number acts as a multiple of the "chain code".
So he is suggesting a new kind of deterministic wallet where the "seed" (or "Root Key") is no longer a randomly generated piece of data, and is instead a user chosen passphrase, and the chain code is essentially 1.

As such, to communicate with the OP using the terms that he was using so as to make sure that I addressed things the way he presented it, I stated:

The problem with password based private keys (if they are chosen by the user) is that they aren't very random and they tend to have a lot less than 160 bits of variability.

This is specifically describing the OP's imaginary "deterministic wallet" that uses "passphrase+1->(private key 1, address1)" to generate an address and has absolutely nothing to do with the Android based wallets that you keep asking about.

I go on to state:

Therefore most deterministic wallets (such as Armory and Electrum) generate the "secret phrase" for the user.

Notice the quotation marks around the words "secret phrase"?  This is to indicate that neither Armory nor Electrum use the words "secret phrase", but rather that they have a randomly generated secret that takes the place of the password that the OP is suggesting be used.

legendary
Activity: 1764
Merit: 1002
please explain.

I did.  The entire rest of my post explains your confusion and attempts to straighten it out for you.

Specifically you say:

in Mycelium's case are you talking about their PIN?

Which is blending the discussion about Android based wallets (which re-use addresses) and the discussion about password based "deterministic wallets" that don't re-use addresses.

At this point there are two completely separate discussions going on here.

One is about Android based wallets.
These reuse addresses, and are vulnerable to the possibility of a faulty RNG which can allow someone to potentially calculate the private key after multiple transactions.
These are randomly generated addresses and would not be considered "deterministic".

The other discussion is about the OP's suggestion that "deterministic wallets" would be more secure than randomly generated addresses.
In that discussion, which has nothing to do with the vulnerability that affected Android wallets, the concerns are that the source of the deterministic address could either be subject to collision due to multiple people choosing the same "password", or would not overcome RNG vulnerabilities since the deterministic "password" would be generated by a RNG (as in Electrum and Armory).

you may call the combination of the Armory seed and chain code a "password" but nobody else does including its author.  that's where the confusion is.
legendary
Activity: 1414
Merit: 1000
2^64 = 18 446 744 073 709 551 616

So I think no one (and/or except the NSA) knows if SHA-256 is really random (in terms of 256 bits) or only some 2^64 (72 or 80) permutation :-) ... no one can backtest such big numbers.

Edit:

Q: Is there 100% good RNG
A: No, bugs are everywhere.
legendary
Activity: 3472
Merit: 4801
please explain.

I did.  The entire rest of my post explains your confusion and attempts to straighten it out for you.

Specifically you say:

in Mycelium's case are you talking about their PIN?

Which is blending the discussion about Android based wallets (which re-use addresses) and the discussion about password based "deterministic wallets" that don't re-use addresses.

At this point there are two completely separate discussions going on here.

One is about Android based wallets.
These reuse addresses, and are vulnerable to the possibility of a faulty RNG which can allow someone to potentially calculate the private key after multiple transactions.
These are randomly generated addresses and would not be considered "deterministic".

The other discussion is about the OP's suggestion that "deterministic wallets" would be more secure than randomly generated addresses.
In that discussion, which has nothing to do with the vulnerability that affected Android wallets, the concerns are that the source of the deterministic address could either be subject to collision due to multiple people choosing the same "password", or would not overcome RNG vulnerabilities since the deterministic "password" would be generated by a RNG (as in Electrum and Armory).
legendary
Activity: 1414
Merit: 1000
A whole lot of confusion.

You've taken two different concepts and blended them together, creating a whole lot of confusion for yourself.

please explain.

1. generating a random private key using a "bad RNG" can be brute forced, because the "bad RNG" generates "only" 2^64 (for example) random private keys (not 2^256). => I can use a brute force attack to check all possible generated addresses.

2. if your private key is really random but you sign a message using a "bad RNG" then I can use a brute force attack on public_key+signed_message (the data are stored in the blockchain)
 - in case you are using a deterministic wallet and I'm able to crack more of your private keys (even empty addresses) then it is possible that I'll know how to compute your next addresses. (e.g. PKey2/Pkey1=seed => PKey2*seed=PKey3 ... but I'm not sure :-) )
legendary
Activity: 1764
Merit: 1002
A whole lot of confusion.

You've taken two different concepts and blended them together, creating a whole lot of confusion for yourself.

please explain.
legendary
Activity: 3472
Merit: 4801
A whole lot of confusion.

You've taken two different concepts and blended them together, creating a whole lot of confusion for yourself.

just to be clear here, if you're talking about Bitcoin Spinner or what is now Mycelium, you don't have a choice to not reuse the same private key for the most part as that is the default.  I noticed that Mycelium does now allow you to generate a new key but you manually have to invoke it.

You are correct, Bitcoin Spinner (Mycelium) re-used a bitcoin address.  This is why I initially suggested that a broken RNG would be a problem for "deterministic" addresses as well.  I thought that the OP was using the Android problem as a model and suggesting that if the addresses were generated without a RNG, then they would be secure for re-use.  Since the OP later indicated that they were talking about wallets where addresses are not re-used, I'm not sure why they even brought up the Android issue.  That seems to just confuse the discussion and isn't relevant.

in Mycelium's case are you talking about their PIN?

No.  Mycelium does not use deterministic addresses. It uses randomly generated addresses.  Therefore there is no password based private key.  The OP is talking about a "brain wallet".  Specifically they appear to be talking about the type of brain wallet where you start with a password, then generate a SHA256 hash of that password, and use the result of the hash as your private key.

Armory doesn't generate a pwd for you afaik.

Yes, it does.  It just doesn't call it a pwd.  With Armory, the deterministic addresses are calculated from a "Root Key" and a "Chain Code".  If you know both of these, then you have full access to the wallet.  That essentially makes the combination of these two pieces of information a "password".

I thought the problem with the prng in Android was that it was too often reusing the same "n", not that people were using the same pwd?

Correct.  The problem with Android was that the wallet re-uses addresses (which is a bad idea), AND that the RNG was broken which sometimes allowed the calculation of the private key after two transactions were signed with the same private key.

Using the same pwd is a problem with "deterministic addresses" when they are determined in the way that the OP suggested:

passphrase+1->(private key 1, address1)
passphrase+2->(private key 2, address2)