Is the seed weakened if you post some private keys?

Ente

legendary

Activity: 2126

Merit: 1001

Quote from: bitpop on August 15, 2014, 10:07:01 PM

Article says public master key and public child key?? Thats guaranteed to happen and think it's safe.

The public "keys" aka addresses obviously can be published :-)
When publishing the public master key, people can calculate the whole chain of public addresses. This will of course remove all anonymity.
Still, this is (as I understand it) the proposal of those "hidden addresses" or how they were called. You publish your public seed, and customers generate their own individual payment address with the seed and a random nonce.

Ente

bitpop

legendary

Activity: 2912

Merit: 1060

Let's make a list of do nots

Obviously private master key

Expose any private child key AND public master key

Article says public master key and public child key?? Thats guaranteed to happen and think it's safe.

doug_armory

sr. member

Activity: 255

Merit: 250

Senior Developer - Armory

Quote from: Ente on August 14, 2014, 06:25:32 PM

Quote from: doug_armory on August 14, 2014, 01:18:10 PM

Anyway, the BIP32 spec explains all this.

Yes. But all that cryptomagic is so far out of "normal world expectations" that most people won't consider this. And I can't blame them.

I understand. Alas, the original question was, "Is the seed weakened if you post some private keys?" Sure, in an ideal world, one could give a layman's explanation that would satisfy everyone. In the case of BIP32, I'm not entirely sure it's possible, at least not without spending a lot of time thinking about a good analogy.

Anyway, when the original article was posted, stating that BIP32 has a massive flaw, I responded with a somewhat technical answer that partially negated it. Not as much as I'd like, granted, and certainly not in layman's terms. I still felt the need to point out that the article didn't tell the whole story. The article was somewhat technical, so I was somewhat technical. If people can read and understand an article that points out how the math in BIP32 is flawed, they can read the original spec.

Quote

All wallets should bump a fat red flashing warning explaining this in few words whenever a master key or a private key is displayed, exported, backupped or printed. Well, once at least.
I will simply not export or communicate *anything* from my wallet except public addresses.

I agree that a simple but large warning is appropriate. Any time you move private keys around, you're taking a risk. A measured risk, perhaps, but a risk nonetheless. Caveat emptor and all that.

Ente

legendary

Activity: 2126

Merit: 1001

Quote from: doug_armory on August 14, 2014, 01:18:10 PM

Anyway, the BIP32 spec explains all this.

Yes. But all that cryptomagic is so far out of "normal world expectations" that most people won't consider this. And I can't blame them.
All wallets should bump a fat red flashing warning explaining this in few words whenever a master key or a private key is displayed, exported, backupped or printed. Well, once at least.
I will simply not export or communicate *anything* from my wallet except public addresses.

OT about BIP0032 seeds, which Armory will soon support:
I wish to make a brain-seed. Like a brainwallet-address, but creating a seed instead. Would there be a standard for that, or at least an expected method (like sha(passphrase) for a single private key)?
People, be very careful when doing this and read your stuff. Many had and many will lose all their funds with this.

Ente

doug_armory

sr. member

Activity: 255

Merit: 250

Senior Developer - Armory

Quote from: Razick on August 11, 2014, 09:56:46 AM

Quote from: Ente on August 10, 2014, 05:54:06 AM

Quote from: bitpop on August 09, 2014, 11:38:47 PM

I've had to export cold storage keys

In BIP0032 compatible wallets (which Armory is not, yet), any single private key plus the non-secret "master address key" (or the like) leads to all private keys being calculateable.
Not sure how "public" that aster key really is, in the real world. Nor do I know if it's the same principle in Armorys current wallet format.

I would consider the whole wallet to be compromised when a single private key leaks.

Edit:
There's this article to HD wallets:
http://bitcoinmagazine.com/8396/deterministic-wallets-advantages-flaw/

Ente

Wow, I did not know that. This could get some people into some real trouble.

I believe this applies only to non-hardened keys, and there are limitations. With proper security precautions, BIP32 is perfectly fine. People like Greg Maxwell would probably be screaming bloody murder otherwise. (As is, to the best of my knowledge, he thinks it's acceptable if you're careful with your deployment.) Anyway, the BIP32 spec explains all this.

Razick

legendary

Activity: 1330

Merit: 1003

Quote from: Ente on August 10, 2014, 05:54:06 AM

Quote from: bitpop on August 09, 2014, 11:38:47 PM

I've had to export cold storage keys

In BIP0032 compatible wallets (which Armory is not, yet), any single private key plus the non-secret "master address key" (or the like) leads to all private keys being calculateable.
Not sure how "public" that aster key really is, in the real world. Nor do I know if it's the same principle in Armorys current wallet format.

I would consider the whole wallet to be compromised when a single private key leaks.

Edit:
There's this article to HD wallets:
http://bitcoinmagazine.com/8396/deterministic-wallets-advantages-flaw/

Ente

Wow, I did not know that. This could get some people into some real trouble.

goatpig

legendary

Activity: 3766

Merit: 1364

Armory Developer

Armory chains addresses through a multiplier based on the wallet's chaincode and the previous public key. If an attacker reveals a public key + chaincode, all public keys beyond that point can be calculated. If an attacker reveals a private key + chaincode, he can compute private and public keys past that point. This calculation cannot be reversed however so keys before the revealed entry are still safe.

The chaincode is considered a non critical part of the wallet, as WOs need it to extend their public chain. Before you ask, there is no option to encrypt public chains in current Armory wallets, and there are plans to allow users to encrypt public portion of wallets. Still discussing the implementation of this feature inhouse so I can't tell you more yet.

I haven't personally worked with BIP32 yet (ima have to soon, but im busy with other stuff atm). If I recall right however, BIP32 derives its chain from its master private/public key and the address entry's chain index. Thus revealing one BIP32 private/public address will not allow the attacker to compute any other element on the chain. Obviously, revealing the master component is a no no regardless of the wallet implementation.

Ente

legendary

Activity: 2126

Merit: 1001

Quote from: bitpop on August 09, 2014, 11:38:47 PM

I've had to export cold storage keys

In BIP0032 compatible wallets (which Armory is not, yet), any single private key plus the non-secret "master address key" (or the like) leads to all private keys being calculateable.
Not sure how "public" that aster key really is, in the real world. Nor do I know if it's the same principle in Armorys current wallet format.

I would consider the whole wallet to be compromised when a single private key leaks.

Edit:
There's this article to HD wallets:
http://bitcoinmagazine.com/8396/deterministic-wallets-advantages-flaw/

Ente

bitpop

legendary

Activity: 2912

Merit: 1060

I've had to export cold storage keys

Topic: Is the seed weakened if you post some private keys? (Read 3766 times)