Author

Topic: Zpub safety (Read 405 times)

legendary
Activity: 2268
Merit: 18748
May 30, 2023, 08:48:04 AM
#23
Yes I've already consulted SLIP-0132 for my library at least 10 times (no offense).
My bad, I misunderstood.

What's not clear to me is how they choose the version bit hex characters so that they align with the base58 characters, because as you know, 58 is not divisible by 16 so there will be some spillover into the 5th Base58 extended key byte.
The spillover is accounted for within the prefix bytes, so it doesn't spill out beyond this.

For example, if you take an xpub an decode to hex, your first 8 characters will be 0x0488B21E. This is the lower limit. Decrease by 1 to 0x0488B21D and your resulting string will start with "xpua". However, you can increase all the way up to 0x0488B224 and still have an "xpub". So any string which starts with "0x0488B21E" will always be "xpub", since even if every other byte is 0x00 or 0xFF, it still falls within the necessary range. Note that this works only because these strings are of fixed lengths. If you start adding or subtracting bytes, then the process fails.

So let's say I wanted to come up with a hex string which would have a prefix which encoded "oeLeo", followed by 14 bytes. I set my 14 bytes as all zeroes, and arrive at the following string:

Code:
046491a9c30000000000000000000000000000
oeLeo23QDxsqTT6RprgBHmFWP

If I increment my prefix by one, I get the following:

Code:
046491a9c40000000000000000000000000000
oeLeo3fWrUmEpNpaLkZLLXcHu

So I can use the prefix 0x046491a9c3, knowing that every possible value of the following 14 bytes still falls within the necessary range.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
May 30, 2023, 07:20:45 AM
#22
However, I'm not quite sure how the hex characters correspond to these base58 prefixes.
You can find a list of all the extended key prefixes for both public and private keys here: https://github.com/satoshilabs/slips/blob/master/slip-0132.md#registered-hd-version-bytes

Yes I've already consulted SLIP-0132 for my library at least 10 times (no offense).

What's not clear to me is how they choose the version bit hex characters so that they align with the base58 characters, because as you know, 58 is not divisible by 16 so there will be some spillover into the 5th Base58 extended key byte.

Another trapdoor is whether stuff is encoded into base58 starting at the beginning of the string or the end of the string. If only there were an online tool for autogenerating this stuff.
legendary
Activity: 2268
Merit: 18748
May 30, 2023, 06:21:11 AM
#21
However, I'm not quite sure how the hex characters correspond to these base58 prefixes.
You can find a list of all the extended key prefixes for both public and private keys here: https://github.com/satoshilabs/slips/blob/master/slip-0132.md#registered-hd-version-bytes
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
May 30, 2023, 02:09:06 AM
#20
I just fixed my misquote, really suck on this thing.

xpub is xpub, it should stick to bip32 and that's it. The others? let descriptor to handle them.

I hate all the flying around ypub Ypub, zpub, Zpub, different wallets are doing things differently. This create huge problesm when one wants to move from one wallet to another.

Electrum also does that.. which is a bad move...

I believe that if Electrum and other wallets have an option to select the extended version bytes manually in an advanced setting, then the problem will be alleviated. However, I'm not quite sure how the hex characters correspond to these base58 prefixes.
member
Activity: 162
Merit: 65
May 29, 2023, 10:02:35 PM
#19
zpubs or Zpubs are bad ideas. They should not have been created. And there are plenty of misunderstandings out there.
Since zpubs or Zpubs are already for P2WPKH or P2WSH, then what's the alphabets for taproot?
People should always use xpub and descriptor.
I do agree it would have been easier to just stick to xprvs/xpubs and then specify derivation path/script type/etc. separately in order to generate the correct type of addresses, which is exactly what Core is doing with descriptors. It would avoid scenarios like this one where you have to convert Zprvs from Electrum to xprvs in order to import them in to Core.

As specified in BIP86, Taproot should use xprvs/xpubs, but there is nothing stopping software using zprvs/zpubs for Taproot. Although given that Taproot addresses can be key path or script path, then the whole Z/z separation for script hash/pubkey hash falls apart.



Would you mind editing your post to fix your misquote?



xpub is for generating the legacy 1 addresses
This is a common misconception. xprvs/xpubs are defined in BIP32, which says nothing about what type of addresses they should be used to generate. They are simply extended keys, and can be used for any address type, which is exactly what Bitcoin Core does. You are obviously right in saying that a lot of software treats xprvs/xpubs as meaning legacy addresses, but this is not strictly correct.

As I've linked to above, BIP86 uses xprvs/xpubs for Taproot, not zprvs/zpubs as you suggest.


I just fixed my misquote, really suck on this thing.

xpub is xpub, it should stick to bip32 and that's it. The others? let descriptor to handle them.

I hate all the flying around ypub Ypub, zpub, Zpub, different wallets are doing things differently. This create huge problesm when one wants to move from one wallet to another.

Electrum also does that.. which is a bad move...
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
May 28, 2023, 03:37:48 AM
#18
As I've linked to above, BIP86 uses xprvs/xpubs for Taproot, not zprvs/zpubs as you suggest.

Got it. It's a bit annoying though that the bech32 addresses do not use consistent extended version bytes, as if the vast array of bytes is not inconsistent enough currently, and it makes for a kind of frustrating experience in coding wallet software.
legendary
Activity: 2268
Merit: 18748
May 28, 2023, 02:59:00 AM
#17
zpubs or Zpubs are bad ideas. They should not have been created. And there are plenty of misunderstandings out there.
Since zpubs or Zpubs are already for P2WPKH or P2WSH, then what's the alphabets for taproot?
People should always use xpub and descriptor.
I do agree it would have been easier to just stick to xprvs/xpubs and then specify derivation path/script type/etc. separately in order to generate the correct type of addresses, which is exactly what Core is doing with descriptors. It would avoid scenarios like this one where you have to convert Zprvs from Electrum to xprvs in order to import them in to Core.

As specified in BIP86, Taproot should use xprvs/xpubs, but there is nothing stopping software using zprvs/zpubs for Taproot. Although given that Taproot addresses can be key path or script path, then the whole Z/z separation for script hash/pubkey hash falls apart.



Would you mind editing your post to fix your misquote?



xpub is for generating the legacy 1 addresses
This is a common misconception. xprvs/xpubs are defined in BIP32, which says nothing about what type of addresses they should be used to generate. They are simply extended keys, and can be used for any address type, which is exactly what Bitcoin Core does. You are obviously right in saying that a lot of software treats xprvs/xpubs as meaning legacy addresses, but this is not strictly correct.

As I've linked to above, BIP86 uses xprvs/xpubs for Taproot, not zprvs/zpubs as you suggest.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
May 27, 2023, 11:23:51 PM
#16
Throughout this thread, people are using Zpub and zpub interchangeably. They are not the same thing. zpubs are for P2WPKH addresses, Zpubs are for P2WSH addresses. See here for more info: https://github.com/satoshilabs/slips/blob/master/slip-0132.md

zpubs or Zpubs are bad ideas. They should not have been created. And there are plenty of misunderstandings out there.
Since zpubs or Zpubs are already for P2WPKH or P2WSH, then what's the alphabets for taproot?
People should always use xpub and descriptor.

xpub is for generating the legacy 1 addresses and various altcoin addresses like doge, dash that didn't implement Segwit.

Taproot doesn't have its own extended version bytes because Taproot UTXOs also are P2WPKH just like native segwit, so they use the same "zpub"/"zprv".

On the other hand, if you are using Taproot leaf spending feature, that's also an extension of P2WSH bc1q script addresses and so you should also be using "Zpub"/"Zprv" extended version bytes.
member
Activity: 162
Merit: 65
May 27, 2023, 09:53:05 PM
#15

Throughout this thread, people are using Zpub and zpub interchangeably. They are not the same thing. zpubs are for P2WPKH addresses, Zpubs are for P2WSH addresses. See here for more info: https://github.com/satoshilabs/slips/blob/master/slip-0132.md

zpubs or Zpubs are bad ideas. They should not have been created. And there are plenty of misunderstandings out there.
Since zpubs or Zpubs are already for P2WPKH or P2WSH, then what's the alphabets for taproot?
People should always use xpub and descriptor.
newbie
Activity: 7
Merit: 2
September 13, 2021, 05:20:31 PM
#14
I'd like to understand this completely in reference to a multisig setup.  Let's use a 2 of 3 multisig as an example.  If someone were to have all 3 of the Zpubs and then you accidentally leaked one of your private keys.  Is it possible to derive the 2nd private key?  And if so then the attacker can sign a transaction from this wallet.
No. The private key only allows you to derive the master private key for that specific Zpub in question, it does not compromise the other Zpubs. However, since the attacker has one of your Zpriv (master private key), the attacker can use that master private key to sign for transactions, assuming another person is willing to sign it too. A single compromised Zpub and private key doesn't affect the other signers.

Ok yes that was always my understanding.  I just misunderstood The previous commenter's point.  Thanks!
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
September 13, 2021, 12:07:03 PM
#13
I'd like to understand this completely in reference to a multisig setup.  Let's use a 2 of 3 multisig as an example.  If someone were to have all 3 of the Zpubs and then you accidentally leaked one of your private keys.  Is it possible to derive the 2nd private key?  And if so then the attacker can sign a transaction from this wallet.
No. The private key only allows you to derive the master private key for that specific Zpub in question, it does not compromise the other Zpubs. However, since the attacker has one of your Zpriv (master private key), the attacker can use that master private key to sign for transactions, assuming another person is willing to sign it too. A single compromised Zpub and private key doesn't affect the other signers.
newbie
Activity: 7
Merit: 2
September 13, 2021, 10:08:13 AM
#12
I'm a little confused about how we have gotten to the leaking of a private key?
Because the combination of a Zpub plus any one individual private key is enough to derive the Zprv and all the associated individual private keys.

I'd like to understand this completely in reference to a multisig setup.  Let's use a 2 of 3 multisig as an example.  If someone were to have all 3 of the Zpubs and then you accidentally leaked one of your private keys.  Is it possible to derive the 2nd private key?  And if so then the attacker can sign a transaction from this wallet.
legendary
Activity: 2268
Merit: 18748
September 12, 2021, 09:27:16 AM
#11
I'm a little confused about how we have gotten to the leaking of a private key?
Because the combination of a Zpub plus any one individual private key is enough to derive the Zprv and all the associated individual private keys.

It 100% impossible to obtain A private key from a Zpub(or any derivation of a master public key).
Correct.

And to my original question...In the case of a multisig wallet if someone stores all of their Zpubs in an unsecure place, the only risk is privacy, correct?  You are just giving someone the ability to create a watching-only wallet, correct?
Mostly correct. There is a hypothetical security risk in the scenario described above where you have accidentally leaked a private key, and there is the also the concern that if someone can recreate your watch only wallet and see how much bitcoin you own, that they may target you specifically for further attacks.
newbie
Activity: 7
Merit: 2
September 12, 2021, 08:58:34 AM
#10
Publishing (or leaking) a derived address/privkey pair allows anybody to use the master-zpubs to generate the master-zprivs and with that, any private key that can be derived by the master private keys.
Leaking a single private key would only allow an attacker to use that private key and the corresponding master public key to derive a single master private key. In the case of a multi-sig wallet, funds would still be safe since the attacker would only have one master private key, and not the threshold number of master private keys. For the coins to be at risk, OP would have to leak multiple private keys derived from different master private keys, which is very unlikely if his multi-sig wallets are all stored separately (as they should be) and he takes reasonable security precautions.



Throughout this thread, people are using Zpub and zpub interchangeably. They are not the same thing. zpubs are for P2WPKH addresses, Zpubs are for P2WSH addresses. See here for more info: https://github.com/satoshilabs/slips/blob/master/slip-0132.md

I'm only talking about Zpubs. I'm a little confused about how we have gotten to the leaking of a private key?  It 100% impossible to obtain A private key from a Zpub(or any derivation of a master public key).  And to my original question...In the case of a multisig wallet if someone stores all of their Zpubs in an unsecure place, the only risk is privacy, correct?  You are just giving someone the ability to create a watching-only wallet, correct?
legendary
Activity: 2268
Merit: 18748
September 11, 2021, 02:42:57 PM
#9
Publishing (or leaking) a derived address/privkey pair allows anybody to use the master-zpubs to generate the master-zprivs and with that, any private key that can be derived by the master private keys.
Leaking a single private key would only allow an attacker to use that private key and the corresponding master public key to derive a single master private key. In the case of a multi-sig wallet, funds would still be safe since the attacker would only have one master private key, and not the threshold number of master private keys. For the coins to be at risk, OP would have to leak multiple private keys derived from different master private keys, which is very unlikely if his multi-sig wallets are all stored separately (as they should be) and he takes reasonable security precautions.



Throughout this thread, people are using Zpub and zpub interchangeably. They are not the same thing. zpubs are for P2WPKH addresses, Zpubs are for P2WSH addresses. See here for more info: https://github.com/satoshilabs/slips/blob/master/slip-0132.md
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
September 10, 2021, 08:07:08 AM
#8
You already got the correct answer from BitMaxz: zpub is a public key; people that have it can see your addresses, but can't spend your funds.
It's a master public key if someone has access to this then they can only see all of your addresses on that zpub but they can't make any transaction.

This is not entirely correct - See ranochigo's reply above and also this thread.

Publishing (or leaking) a derived address/privkey pair allows anybody to use the master-zpubs to generate the master-zprivs and with that, any private key that can be derived by the master private keys.
Oh well I was under the assumption that nothing except that master public key was leaked. I know about that unfortunate bug; anyone should sweep their whole wallet if they know a single private key got leaked (though I don't see how leaking a private key should happen if you have your opsec in check).
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
September 10, 2021, 12:41:14 AM
#7
You already got the correct answer from BitMaxz: zpub is a public key; people that have it can see your addresses, but can't spend your funds.
It's a master public key if someone has access to this then they can only see all of your addresses on that zpub but they can't make any transaction.

This is not entirely correct - See ranochigo's reply above and also this thread.

Publishing (or leaking) a derived address/privkey pair allows anybody to use the master-zpubs to generate the master-zprivs and with that, any private key that can be derived by the master private keys.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
September 09, 2021, 04:27:14 PM
#6
Probably not the best idea even if your need more than one of them to spend.

If your going to the trouble of using Multi-Sig then why keep the keys online?

Seems pretty stupid.

Im only talking about keeping the Zpubs online, you can't spend with just Zpubs.  you also need the private keys which of course would not be stored online.  Im curious if there are risk involved with storing public keys(Zpubs in this example) online.
You already got the correct answer from BitMaxz: zpub is a public key; people that have it can see your addresses, but can't spend your funds.
It's a master public key if someone has access to this then they can only see all of your addresses on that zpub but they can't make any transaction.

The one risk you are running here, is your privacy. By knowing your public keys, it can be traced who you pay (e.g. if you send funds to coinbase or gambling sites etc).
newbie
Activity: 7
Merit: 2
September 09, 2021, 07:53:58 AM
#5
Probably not the best idea even if your need more than one of them to spend.

If your going to the trouble of using Multi-Sig then why keep the keys online?

Seems pretty stupid.

Im only talking about keeping the Zpubs online, you can't spend with just Zpubs.  you also need the private keys which of course would not be stored online.  Im curious if there are risk involved with storing public keys(Zpubs in this example) online.
legendary
Activity: 3374
Merit: 3095
Playbet.io - Crypto Casino and Sportsbook
September 08, 2021, 06:19:06 PM
#4
It's a master public key if someone has access to this then they can only see all of your addresses on that zpub but they can't make any transaction.

If it was from multisig wallet then even you have them you won't be able to make transactions because it is just a master public key.
You can make an unsigned transaction from zpub but you won't be able to broadcast them so if you want it to become valid you will need to sign them.

What exactly do you want to achieve here?
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
September 08, 2021, 06:13:51 PM
#3
Unhardened keys will let an adversary be able to obtain your master private key with your master public key and any individual public private key from that keypair. This shouldn't be a problem because you are not supposed to expose any of your addresses anyways.

The far greater concern is with the privacy. Any attacker with all of the master public keys, will know all of the possible addresses generated that can be generated with your multisig, provided that they also know your derivation path. The latter should be a given, any complex and non-standard derivation path could result in the user lose all their funds if they don't save it properly.
hero member
Activity: 1220
Merit: 612
OGRaccoon
September 08, 2021, 05:41:45 PM
#2
Probably not the best idea even if your need more than one of them to spend.

If your going to the trouble of using Multi-Sig then why keep the keys online?

Seems pretty stupid.
newbie
Activity: 7
Merit: 2
September 08, 2021, 01:24:59 PM
#1
For multisig you have to have all Zpubs in order to spend.  What are the risk associated with savings your list of Zpubs on google drive or the likes so that you can access them from anywhere.
Jump to: