Topic: Possible to say that deterministic public addresses are from the same seed? (Read 599 times)

legendary (Activity: 1428, Merit: 1093), Core Armory Developer:
This is why deterministic wallets are being so widely embraced.  It is all upside, with no practical downsides except in community-unsupported use-cases where people want to reveal some of their private keys but not others.

Given any subset of private keys or public keys in a deterministic wallet, no matter how many, there is no way to know they are related without an extra piece of metadata stored in the wallet file called the "chaincode".  Without the chaincode, it's all perfectly private.

This applies to Armory deterministic wallets, as well as BIP 32 wallets (which Armory will be migrating to, soon).  In fact, BIP 32 has an additional, related feature that we plan to leverage for identity verification / webs-of-trust:  you can give out your root public key (such as on your business card), and then provide a piece of metadata with each address you distribute, which proves that address is linked to the root public key on your business card.  However, this proof does nothing more:  it doesn't now allow them to prove any other addresses are related, it doesn't let the sender generate any more of my own addresses.  And I, as the receiver, don't have to provide the proof if I don't want them to know it's related to my root public key.  So I can remain anonymous if I want to, or I can prove identity if I want to.   They would need to have the chaincode in the wallet to learn any more -- and if they have access to my wallet, they have all that info anyway.
sr. member (Activity: 896, Merit: 302):
Can an outsider, just by looking at any number of public addresses, determine if they have been derived from the same seed/private key?
Or is there any other privacy-related weakness of using deterministic wallets?