Author

Topic: Hierarchical deterministic wallets question? (Read 742 times)

hero member
Activity: 761
Merit: 606
August 20, 2017, 03:08:54 PM
#8
One question concerns privacy:
Can someone who knows that a particular addresss belongs to you deduce other addresses (up or down the tree) that also belong to you?

Second question concerns security:
If the private key of any address in the tree of deterministic addresses is compromised are your other private keys in the tree in danger if the perpertrator does not know your masterseed?

Thanks!




I understand your second question clearly.  The answers above are helpful and accurate, but in what case would you leak a private key?  Your general OPSec should mean using an online computer in a fashion where NO private keys, master or single address, are ever exposed to the computer.  A cold wallet or hardware wallet approach eliminates such concerns.  Just encouraging you to make your questions theoretical and not real world experience.  Trying to help nothing more.
staff
Activity: 3458
Merit: 6793
Just writing some code
When you say master public key do you mean extended master public key or "simple" master public key without a chain code?
The extended master public key.
full member
Activity: 266
Merit: 101
Knowing the master public key along with a child private key makes it possible to find the corresponding master private key. That then makes it possible for someone to figure out all of your private keys and thus steal your funds. So if you leak a child private key, you had better keep the master public key secret. This only applies to keys generated without hardening.
When you say master public key do you mean extended master public key or "simple" master public key without a chain code?

The Key is literally the string "Bitcoin Seed". S is the actual random number you just generated.
Thanks.
staff
Activity: 3458
Merit: 6793
Just writing some code
Knowledge of the private key alone does not make it possible to find neither siblings, nor parent (nor other ancestors), nor children of that private key. The reason being that child key derivation function actually combines three values: private/public key, index number and key chain code. Without the knowledge of the chain code, you can't find children of compromised private key.
Knowing the master public key along with a child private key makes it possible to find the corresponding master private key. That then makes it possible for someone to figure out all of your private keys and thus steal your funds. So if you leak a child private key, you had better keep the master public key secret. This only applies to keys generated without hardening.

• calculate I = HMAC-SHA512(Key = "Bitcoin seed", Data = S) => QUESTION: What's the difference between Bitcoin seed and S?
The Key is literally the string "Bitcoin Seed". S is the actual random number you just generated.
full member
Activity: 266
Merit: 101
Second question concerns security:
If the private key of any address in the tree of deterministic addresses is compromised are your other private keys in the tree in danger if the perpertrator does not know your masterseed?

Knowledge of the private key alone does not make it possible to find neither siblings, nor parent (nor other ancestors), nor children of that private key. The reason being that child key derivation function actually combines three values: private/public key, index number and key chain code. Without the knowledge of the chain code, you can't find children of compromised private key.

Though, I have one (probably trivial) question about master key/master chain code generation algorithm. BIP0032 defines this process as follows:
• generate a seed byte sequence S of a chosen length (between 128 and 512 bits; 256 bits is advised) from a (P)RNG.
• calculate I = HMAC-SHA512(Key = "Bitcoin seed", Data = S) => QUESTION: What's the difference between Bitcoin seed and S?
• split I into two 32-byte sequences, IL and IR.
• use parse256(IL) as master secret key, and IR as master chain code
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
Can someone who knows that a particular addresss belongs to you deduce other addresses (up or down the tree) that also belong to you?
There is no risk with outsiders that see the two addresses being generated from the same master key/seed. It looks completely normal from other addresses.
Second question concerns security:
If the private key of any address in the tree of deterministic addresses is compromised are your other private keys in the tree in danger if the perpertrator does not know your masterseed?

Thanks!

No. However, if you leak your master public key for unhardened seed, Electrum (as far as I remember) uses unhardened seed and it is relatively easy for people to derive your master private key as long as they have one of your private key and the master public key.
full member
Activity: 261
Merit: 102
One question concerns privacy:
Can someone who knows that a particular addresss belongs to you deduce other addresses (up or down the tree) that also belong to you?
If you check the balance of your addresses with the same ip, it is possible to infer with some confidence that the addresses come from the same person unless you are using a public wifi. Also, if you send coins between each addresses (like with change addresses), it's possible to deduce that the addresses are from the same wallet.

Second question concerns security:
If the private key of any address in the tree of deterministic addresses is compromised are your other private keys in the tree in danger if the perpertrator does not know your masterseed?
No, the other addresses are safe.
full member
Activity: 148
Merit: 106
One question concerns privacy:
Can someone who knows that a particular addresss belongs to you deduce other addresses (up or down the tree) that also belong to you?

Second question concerns security:
If the private key of any address in the tree of deterministic addresses is compromised are your other private keys in the tree in danger if the perpertrator does not know your masterseed?

Thanks!
Jump to: