Author

Topic: Deterministic wallets (Read 438 times)

newbie
Activity: 13
Merit: 0
May 16, 2013, 05:29:39 AM
#3
I hate being stuck on newbie board Sad

Don't we all.
newbie
Activity: 6
Merit: 0
May 16, 2013, 04:11:13 AM
#2
ok so i found the way to do it:
when deriving key Ki from (Kpar,cpar) you actually calculate IL and since ki=IL+kpar then you can easily get kpar=ki-IL

I hate being stuck on newbie board Sad
newbie
Activity: 6
Merit: 0
May 15, 2013, 01:38:41 PM
#1
In BIP 0032 two key derivation functions are introduced. These functions can be used to derive deterministically private keys ki knowing an extended private key denoted (kpar, cpar) and correspondingly public keys Ki from extended public key (Kpar, cpar).

Knowing extended public key it is not possible to generate private keys however this BIP briefly mentions that knowing extended public key (Kpar, cpar) and a derived private key ki (could be at any depth since public keys can be derived to any depth but let's say it's at depth 1) allows recovering private key kpar which is terrible (security-wise).

I tried analyzing how is that possible and i can't see how (isn't the HMAC-SHA512 function supposed to make it impossible to go 'back the chain')?

On a side note how can we teach a random newbie (apart from posting on newbie board) about that security risk before they start using deterministic wallets? (or should we even care?)
Jump to: