Topic: Bitcoin's extended private masterkey derivation path? (Read 1582 times)

member
Activity: 80
Merit: 14
I ran some tests on a new wallet:

1) No password
http://pastebin.com/MZ6FHcNV

2) Added a password
http://pastebin.com/CMzAw4bF

3) Changed the password (was not allowed by the GUI or debug console to remove it)
http://pastebin.com/kJQzykNW

Basically, adding a password changes the xprv, but changing it does not.
Also, all the keys from the pool are added to the new wallet file after changing the password.

So basically, if you change the password, in order to restore you need to either:

- Keep the wallet file
- Only keep the xprv, as long as you are sure you are not going to receive to the addresses derived from the previous xprv

If I'm wrong, please correct me.
staff
Activity: 3458
Merit: 6793
Just writing some code
So this means that the xprivkey is not deleted, but is rather disregarded for calculating new addresses (and a new xprivkey used for future receiving/change addresses), correct? This would make more sense versus deleting the xprivkey and saving the used private keys because the wallet size could suddenly explode if thousands of addresses were used with the "old" xprivkey, and might cause issues if you change the password to a cold storage wallet.
No. Whether the xprivkey is deleted or disregarded for new address generation does not matter. When a new address is generated, the public and private keys are immediately written to the file, just as Core does with the non-HD wallets. The private keys are not generated on the fly; instead, the private keys are written to the file upon creation. This means that the keys are already in the file when the password is changed, and just the unused keys (from the lookahead keypool) are deleted.

If this is not already the case, then I think there should be a prominent warning that a wallet will need to be re-backed up when the wallet's password is changed, as other HD wallet programs do not change the xprivkey when a wallet's password is changed.
Yes, there should be warnings, but I don't think there is even anything telling you to backup in the first place.
copper member
Activity: 2996
Merit: 2374
C) You calculate 10 addresses that are associated with your xprivkey, but do not do anything to let Core know that you have given these addresses out (eg you never click on "receive" -- or whatever it is called), and change your password. You subsequently receive bitcoin to those 10 addresses. Would you be able to spend those 10 inputs? If so under what mechanism?
I don't think you actually would be able to spend those 10 inputs because Core does not keep keys that it has not marked as used. However, they might actually be spendable from Core because Core should still be tracking transactions related to those addresses. I will have to look at the code.

Edit: It looks like those inputs would be spendable because checking whether a transaction is part of the wallet does not care whether the address is used or not.
So this means that the xprivkey is not deleted, but is rather disregarded for calculating new addresses (and a new xprivkey used for future receiving/change addresses), correct? This would make more sense versus deleting the xprivkey and saving the used private keys because the wallet size could suddenly explode if thousands of addresses were used with the "old" xprivkey, and might cause issues if you change the password to a cold storage wallet.

If this is not already the case, then I think there should be a prominent warning that a wallet will need to be re-backed up when the wallet's password is changed, as other HD wallet programs do not change the xprivkey when a wallet's password is changed.
staff
Activity: 3458
Merit: 6793
Just writing some code
A) You receive 10 payments to 10 different addresses, and spend 5 of those payments, then subsequently change your password. Would you still be able to spend the 5 unspent inputs? If so, with what mechanism?

B) You receive 10 payments to 10 different addresses, and spend all 10 of those payments, then subsequently change your password. Subsequent to changing your password, you receive an additional payment to a previously used address. Would you still be able to spend that input? If so with what mechanism?
For both of the above, you would still be able to spend the Bitcoin. The previously derived and used private keys and their related transactions remain in the wallet file. Unlike some other wallets, and much like most wallets, Bitcoin Core does not generate the private keys on the fly; it generates them and then stores the private keys and all related transactions. Those previously derived and used private keys are kept. However, the master private key is deleted (IIRC), or at the very least, no longer used, once the password has changed.

C) You calculate 10 addresses that are associated with your xprivkey, but do not do anything to let Core know that you have given these addresses out (eg you never click on "receive" -- or whatever it is called), and change your password. You subsequently receive bitcoin to those 10 addresses. Would you be able to spend those 10 inputs? If so under what mechanism?
I don't think you actually would be able to spend those 10 inputs because Core does not keep keys that it has not marked as used. However, they might actually be spendable from Core because Core should still be tracking transactions related to those addresses. I will have to look at the code.

Edit: It looks like those inputs would be spendable because checking whether a transaction is part of the wallet does not care whether the address is used or not.

I guess my broader question is what happens to your xprivkey when you change your wallet password with Core?
The extended master private key is deleted, or at the very least, no longer used. The previously derived and used private keys remain in the wallet as well as their related transactions.
copper member
Activity: 2996
Merit: 2374
So... if I have a wallet without a password and create one or change the password, why does it change the master private HD key?
In order to protect future keys in case you were compromised. If an attacker somehow got your wallet at some time, they would be able to access all of your private keys generated previously and in the future. By changing the password, you then make it impossible for someone to be able to steal all of your Bitcoin in the future.

The same is done with non-HD wallets. When you change the password, the look-ahead keypool is refilled to prevent people from being able to steal future Bitcoin.
What happens in these three scenarios:

A) You receive 10 payments to 10 different addresses, and spend 5 of those payments, then subsequently change your password. Would you still be able to spend the 5 unspent inputs? If so, with what mechanism?

B) You receive 10 payments to 10 different addresses, and spend all 10 of those payments, then subsequently change your password. Subsequent to changing your password, you receive an additional payment to a previously used address. Would you still be able to spend that input? If so with what mechanism?

C) You calculate 10 addresses that are associated with your xprivkey, but do not do anything to let Core know that you have given these addresses out (eg you never click on "receive" -- or whatever it is called), and change your password. You subsequently receive bitcoin to those 10 addresses. Would you be able to spend those 10 inputs? If so under what mechanism?

I guess my broader question is what happens to your xprivkey when you change your wallet password with Core?
staff
Activity: 3458
Merit: 6793
Just writing some code
Got it. So if I request a payment after changing the password, since the pool was modified, I'd get a different one than the hypothetical attacker?
Thanks.
Assuming that the attacker had a copy of your wallet before you changed the password, then yes. The attacker would get a different address than you.
member
Activity: 80
Merit: 14
So... if I have a wallet without a password and create one or change the password, why does it change the master private HD key?
In order to protect future keys in case you were compromised. If an attacker somehow got your wallet at some time, they would be able to access all of your private keys generated previously and in the future. By changing the password, you then make it impossible for someone to be able to steal all of your Bitcoin in the future.

The same is done with non-HD wallets. When you change the password, the look-ahead keypool is refilled to prevent people from being able to steal future Bitcoin.

Given it had already derived private keys and addresses that might already have been used, what happens to them?
Are they added as independent keys? So if I don't back them up, I won't have access to the funds, correct?
Yes. Those keys are marked as used once the address is used (either requested a new address or an address received Bitcoin). Those are kept individually after a password change.

Got it. So if I request a payment after changing the password, since the pool was modified, I'd get a different one than the hypothetical attacker?
Thanks.
staff
Activity: 3458
Merit: 6793
Just writing some code
So... if I have a wallet without a password and create one or change the password, why does it change the master private HD key?
In order to protect future keys in case you were compromised. If an attacker somehow got your wallet at some time, they would be able to access all of your private keys generated previously and in the future. By changing the password, you then make it impossible for someone to be able to steal all of your Bitcoin in the future.

The same is done with non-HD wallets. When you change the password, the look-ahead keypool is refilled to prevent people from being able to steal future Bitcoin.

Given it had already derived private keys and addresses that might already have been used, what happens to them?
Are they added as independent keys? So if I don't back them up, I won't have access to the funds, correct?
Yes. Those keys are marked as used once the address is used (either requested a new address or an address received Bitcoin). Those are kept individually after a password change.
member
Activity: 80
Merit: 14
Hi, the dumpwallet command outputs the private keys and an xprv.
Can I use it to derive all future addresses from the wallet?
So long as you do not change your password or set one. If you do, the xprv will change.

I'm a bit out of sync, I didn't know the reference client implemented HD keys.
Only in 0.13.0+

If so, could anyone tell me the derivation path used?
It uses the standard paths as defined by BIP 32. That is m/0/0/k for addresses you get from the wallet, and m/0/1/k for change addresses.

Thank you for the reply, I was able to derive correctly.

So... if I have a wallet without a password and create one or change the password, why does it change the master private HD key?
Given it had already derived private keys and addresses that might already have been used, what happens to them?
Are they added as independent keys? So if I don't back them up, I won't have access to the funds, correct?
staff
Activity: 3458
Merit: 6793
Just writing some code
Hi, the dumpwallet command outputs the private keys and an xprv.
Can I use it to derive all future addresses from the wallet?
So long as you do not change your password or set one. If you do, the xprv will change.

I'm a bit out of sync, I didn't know the reference client implemented HD keys.
Only in 0.13.0+

If so, could anyone tell me the derivation path used?
It uses the standard paths as defined by BIP 32. That is m/0/0/k for addresses you get from the wallet, and m/0/1/k for change addresses.
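The derivation described in the reply above, as an added example that is not part of the original thread and is not Bitcoin Core's code: a pure-Python (3.8+) BIP32 implementation that parses a mainnet xprv of the kind dumpwallet prints, walks a path string, and encodes child keys as compressed WIF so they can be compared line by line against the per-key entries in the same dump. The elliptic-curve code is plain affine arithmetic, adequate for checking a backup offline but not constant-time, so not for a signer. The seed is the 16-byte BIP32 test-vector-1 seed used only as constructed input; the path strings in child_wifs are the ones given in the reply above and are not independently verified here; all function names are this example's own.

```python
# Added example, not Bitcoin Core's code: BIP32 derivation in pure Python so an
# xprv from dumpwallet can be followed along a path. Seed = BIP32 test vector 1.
import hashlib
import hmac

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000                        # index >= this means hardened (')
XPRV_VERSION = bytes.fromhex("0488ADE4")     # mainnet xprv version bytes
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def ec_add(p1, p2):
    # Affine secp256k1 point addition; None is the point at infinity.
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, point=G):
    # Double-and-add; not constant-time, fine for an offline backup check only.
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point, k = ec_add(point, point), k >> 1
    return result

def ser_p(point):  # 33-byte compressed SEC1 public key
    return bytes([2 + (point[1] & 1)]) + point[0].to_bytes(32, "big")

def b58check_encode(payload):
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def b58check_decode(text):
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(text) - len(text.lstrip("1"))) + raw
    if hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4] != raw[-4:]:
        raise ValueError("bad base58check checksum")
    return raw[:-4]

def master_from_seed(seed):
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()   # BIP32 master node
    return int.from_bytes(i[:32], "big"), i[32:]                   # (key, chain code)

def ckd_priv(k, c, index):
    # Hardened steps feed the private key into the HMAC, normal steps the public key.
    data = b"\x00" + k.to_bytes(32, "big") if index >= HARDENED else ser_p(ec_mul(k))
    i = hmac.new(c, data + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    child = (il + k) % N
    if il >= N or child == 0:
        raise ValueError("invalid child (probability ~2^-127); skip this index")
    return child, i[32:]

def ckd_pub(K, c, index):
    if index >= HARDENED:
        raise ValueError("hardened children cannot be derived from an xpub")
    i = hmac.new(c, ser_p(K) + index.to_bytes(4, "big"), hashlib.sha512).digest()
    return ec_add(ec_mul(int.from_bytes(i[:32], "big")), K), i[32:]

def derive_path(k, c, path):
    # Walk "m/0'/0'/5" style paths; a trailing ' or h marks a hardened step.
    for part in path.split("/")[1:]:
        k, c = ckd_priv(k, c, int(part.rstrip("'h")) + (HARDENED if part[-1] in "'h" else 0))
    return k, c

def xprv_encode(k, c, depth=0, fingerprint=b"\x00" * 4, child=0):
    return b58check_encode(XPRV_VERSION + bytes([depth]) + fingerprint
                           + child.to_bytes(4, "big") + c + b"\x00" + k.to_bytes(32, "big"))

def xprv_decode(text):
    # Accepts the mainnet xprv line dumpwallet prints; returns (key, chain code).
    raw = b58check_decode(text)
    if len(raw) != 78 or raw[:4] != XPRV_VERSION:
        raise ValueError("not a mainnet xprv")
    return int.from_bytes(raw[46:], "big"), raw[13:45]

def wif(k):  # compressed-pubkey WIF, the per-key format dumpwallet prints
    return b58check_encode(b"\x80" + k.to_bytes(32, "big") + b"\x01")

def child_wifs(xprv, paths=("m/0/0/0", "m/0/1/0")):
    # Child keys in WIF for the receive/change paths quoted from the reply above.
    k, c = xprv_decode(xprv)
    return {p: wif(derive_path(k, c, p)[0]) for p in paths}
```

To check a real backup, pass the xprv line from your own dumpwallet output to child_wifs and compare the returned WIFs with the key lines in the same dump; if the dump annotates each key with an hdkeypath comment, use those paths rather than assuming the ones above. As the rest of the thread explains, encrypting the wallet or changing the password replaces the xprv, so a dump taken before that no longer predicts future keys and has to be retaken.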
member
Activity: 80
Merit: 14
Hi, the dumpwallet command outputs the private keys and an xprv.
Can I use it to derive all future addresses from the wallet? I'm a bit out of sync, I didn't know the reference client implemented HD keys.

If so, could anyone tell me the derivation path used?

Thanks!