
Topic: Does revealing one private key compromise an entire deterministic wallet? (Read 893 times)

legendary
Activity: 1204
Merit: 1002
RUM AND CARROTS: A PIRATE LIFE FOR ME
Does that mean I should create a new Electrum wallet?

Are you in some sort of situation you're not mentioning? It's hard for people to give you advice on such a vague question.
legendary
Activity: 1400
Merit: 1013
If it is using the 'type-2' public derivation, e.g. as is the case for all keys in a current Armory wallet (IIRC), and the attacker knows the extended public key (e.g. attacker has a watching wallet) then yes.

This is why in BIP32 the recommended top level uses the 'type-1' private derivation which doesn't have this surprising property (but also lacks the nifty ability for an untrusted party to generate addresses for the wallet).
That's why I think implementations should add an extra level of structure such that you create a different xpub for every entity from whom you receive funds.

I know, quadratic scaling, but it's worth it for the added safety.
newbie
Activity: 13
Merit: 0
Does that mean I should create a new Electrum wallet?
staff
Activity: 4242
Merit: 8672
If it is using the 'type-2' public derivation, e.g. as is the case for all keys in a current Armory wallet (IIRC), and the attacker knows the extended public key (e.g. attacker has a watching wallet) then yes.

This is why in BIP32 the recommended top level uses the 'type-1' private derivation which doesn't have this surprising property (but also lacks the nifty ability for an untrusted party to generate addresses for the wallet).
legendary
Activity: 1400
Merit: 1013
newbie
Activity: 13
Merit: 0
Does revealing one private key compromise an entire deterministic wallet? 