Topic: Hierarchical deterministic wallets question? (Read 738 times)

hero member
Activity: 761
Merit: 606
August 20, 2017, 03:08:54 PM
#8
One question concerns privacy:
Can someone who knows that a particular address belongs to you deduce other addresses (up or down the tree) that also belong to you?

Second question concerns security:
If the private key of any address in the tree of deterministic addresses is compromised, are your other private keys in the tree in danger if the perpetrator does not know your master seed?

Thanks!

I understand your second question clearly.  The answers above are helpful and accurate, but in what case would you leak a private key?  Your general OPSEC should mean using an online computer in a fashion where NO private keys, master or single address, are ever exposed to the computer.  A cold wallet or hardware wallet approach eliminates such concerns.  Just encouraging you to make your questions theoretical and not real world experience.  Trying to help, nothing more.
staff
Activity: 3458
Merit: 6793
Just writing some code
When you say master public key do you mean extended master public key or "simple" master public key without a chain code?
The extended master public key.
full member
Activity: 266
Merit: 101
Knowing the master public key along with a child private key makes it possible to find the corresponding master private key. That then makes it possible for someone to figure out all of your private keys and thus steal your funds. So if you leak a child private key, you had better keep the master public key secret. This only applies to keys generated without hardening.
When you say master public key do you mean extended master public key or "simple" master public key without a chain code?

The Key is literally the string "Bitcoin Seed". S is the actual random number you just generated.
Thanks.
staff
Activity: 3458
Merit: 6793
Just writing some code
Knowledge of the private key alone does not make it possible to find siblings, the parent (or other ancestors), or children of that private key. The reason is that the child key derivation function actually combines three values: the private/public key, the index number and the chain code. Without knowledge of the chain code, you can't find children of a compromised private key.
Knowing the master public key along with a child private key makes it possible to find the corresponding master private key. That then makes it possible for someone to figure out all of your private keys and thus steal your funds. So if you leak a child private key, you had better keep the master public key secret. This only applies to keys generated without hardening.

• calculate I = HMAC-SHA512(Key = "Bitcoin seed", Data = S) => QUESTION: What's the difference between Bitcoin seed and S?
The Key is literally the string "Bitcoin Seed". S is the actual random number you just generated.
full member
Activity: 266
Merit: 101
Second question concerns security:
If the private key of any address in the tree of deterministic addresses is compromised, are your other private keys in the tree in danger if the perpetrator does not know your master seed?

Knowledge of the private key alone does not make it possible to find siblings, the parent (or other ancestors), or children of that private key. The reason is that the child key derivation function actually combines three values: the private/public key, the index number and the chain code. Without knowledge of the chain code, you can't find children of a compromised private key.

Though, I have one (probably trivial) question about master key/master chain code generation algorithm. BIP0032 defines this process as follows:
• generate a seed byte sequence S of a chosen length (between 128 and 512 bits; 256 bits is advised) from a (P)RNG.
• calculate I = HMAC-SHA512(Key = "Bitcoin seed", Data = S) => QUESTION: What's the difference between Bitcoin seed and S?
• split I into two 32-byte sequences, IL and IR.
• use parse256(IL) as master secret key, and IR as master chain code
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
Can someone who knows that a particular address belongs to you deduce other addresses (up or down the tree) that also belong to you?
There is no risk with outsiders that see the two addresses being generated from the same master key/seed. It looks completely normal from other addresses.
Second question concerns security:
If the private key of any address in the tree of deterministic addresses is compromised, are your other private keys in the tree in danger if the perpetrator does not know your master seed?

Thanks!

No. However, if you leak your master public key for an unhardened seed, Electrum (as far as I remember) uses unhardened seeds and it is relatively easy for people to derive your master private key as long as they have one of your private keys and the master public key.
full member
Activity: 261
Merit: 102
One question concerns privacy:
Can someone who knows that a particular address belongs to you deduce other addresses (up or down the tree) that also belong to you?
If you check the balance of your addresses from the same IP, it is possible to infer with some confidence that the addresses come from the same person unless you are using a public wifi. Also, if you send coins between each of your addresses (like with change addresses), it's possible to deduce that the addresses are from the same wallet.

Second question concerns security:
If the private key of any address in the tree of deterministic addresses is compromised, are your other private keys in the tree in danger if the perpetrator does not know your master seed?
No, the other addresses are safe.
full member
Activity: 148
Merit: 106
One question concerns privacy:
Can someone who knows that a particular address belongs to you deduce other addresses (up or down the tree) that also belong to you?

Second question concerns security:
If the private key of any address in the tree of deterministic addresses is compromised, are your other private keys in the tree in danger if the perpetrator does not know your master seed?

Thanks!