Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: lukaexpl on August 18, 2017, 08:30:27 PM



Title: Hierarchical deterministic wallets question?
Post by: lukaexpl on August 18, 2017, 08:30:27 PM
One question concerns privacy:
Can someone who knows that a particular address belongs to you deduce other addresses (up or down the tree) that also belong to you?

Second question concerns security:
If the private key of any address in the tree of deterministic addresses is compromised, are your other private keys in the tree in danger if the perpetrator does not know your master seed?

Thanks!


Title: Re: Hierarchical deterministic wallets question?
Post by: Swagtoshi on August 18, 2017, 11:01:53 PM
One question concerns privacy:
Can someone who knows that a particular address belongs to you deduce other addresses (up or down the tree) that also belong to you?
If you check the balance of your addresses from the same IP, it is possible to infer with some confidence that the addresses come from the same person, unless you are using a public wifi. Also, if you send coins between your addresses (like with change addresses), it's possible to deduce that the addresses are from the same wallet.

Second question concerns security:
If the private key of any address in the tree of deterministic addresses is compromised, are your other private keys in the tree in danger if the perpetrator does not know your master seed?
No, the other addresses are safe.


Title: Re: Hierarchical deterministic wallets question?
Post by: ranochigo on August 19, 2017, 06:34:14 AM
Can someone who knows that a particular address belongs to you deduce other addresses (up or down the tree) that also belong to you?
There is no risk with outsiders that see the two addresses being generated from the same master key/seed. It looks completely normal from other addresses.
Second question concerns security:
If the private key of any address in the tree of deterministic addresses is compromised, are your other private keys in the tree in danger if the perpetrator does not know your master seed?

Thanks!

No. However, if you leak your master public key for an unhardened seed (Electrum, as far as I remember, uses unhardened derivation), it is relatively easy for people to derive your master private key as long as they have one of your private keys and the master public key.


Title: Re: Hierarchical deterministic wallets question?
Post by: cdb1690 on August 20, 2017, 07:52:38 AM
Second question concerns security:
If the private key of any address in the tree of deterministic addresses is compromised, are your other private keys in the tree in danger if the perpetrator does not know your master seed?

Knowledge of the private key alone does not make it possible to find siblings, the parent (or other ancestors), or children of that private key. The reason is that the child key derivation function actually combines three values: the private/public key, the index number and the chain code. Without knowledge of the chain code, you can't find children of a compromised private key.

Though I have one (probably trivial) question about the master key/master chain code generation algorithm. BIP0032 defines this process as follows:
• generate a seed byte sequence S of a chosen length (between 128 and 512 bits; 256 bits is advised) from a (P)RNG.
• calculate I = HMAC-SHA512(Key = "Bitcoin seed", Data = S) => QUESTION: What's the difference between Bitcoin seed and S?
• split I into two 32-byte sequences, IL and IR.
• use parse256(IL) as master secret key, and IR as master chain code.


Title: Re: Hierarchical deterministic wallets question?
Post by: achow101 on August 20, 2017, 03:05:30 PM
Knowledge of the private key alone does not make it possible to find siblings, the parent (or other ancestors), or children of that private key. The reason is that the child key derivation function actually combines three values: the private/public key, the index number and the chain code. Without knowledge of the chain code, you can't find children of a compromised private key.
Knowing the master public key along with a child private key makes it possible to find the corresponding master private key. That then makes it possible for someone to figure out all of your private keys and thus steal your funds. So if you leak a child private key, you had better keep the master public key secret. This only applies to keys generated without hardening.

• calculate I = HMAC-SHA512(Key = "Bitcoin seed", Data = S) => QUESTION: What's the difference between Bitcoin seed and S?
The Key is literally the string "Bitcoin Seed". S is the actual random number you just generated.


Title: Re: Hierarchical deterministic wallets question?
Post by: cdb1690 on August 20, 2017, 04:09:49 PM
Knowing the master public key along with a child private key makes it possible to find the corresponding master private key. That then makes it possible for someone to figure out all of your private keys and thus steal your funds. So if you leak a child private key, you had better keep the master public key secret. This only applies to keys generated without hardening.
When you say master public key do you mean extended master public key or "simple" master public key without a chain code?

The Key is literally the string "Bitcoin Seed". S is the actual random number you just generated.
Thanks.


Title: Re: Hierarchical deterministic wallets question?
Post by: achow101 on August 20, 2017, 04:12:42 PM
When you say master public key do you mean extended master public key or "simple" master public key without a chain code?
The extended master public key.
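To make the three exchanges above concrete (the "Bitcoin seed" HMAC key versus the random seed S, and why an extended public key plus one non-hardened child private key gives away the parent private key), here is an added worked example in Python. It is not code from the thread or from any wallet project; the secp256k1 arithmetic is a minimal pure-Python illustration and the seed value is constructed.

```python
import hashlib
import hmac

# secp256k1 in pure Python, for illustration only (use libsecp256k1 for real keys)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p, q):  # affine point addition; None is the point at infinity
    if p is None or q is None: return p or q
    if p[0] == q[0] and (p[1] + q[1]) % P == 0: return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return x, (lam * (p[0] - x) - p[1]) % P

def point_mul(k, p=G):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = point_add(r, p)
        p, k = point_add(p, p), k >> 1
    return r

def ser_p(pt):  # compressed SEC1 encoding of a public key
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def master_from_seed(seed):
    # HMAC key is the literal string "Bitcoin seed"; HMAC data is the random seed S.
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(I[:32], "big"), I[32:]  # (master key IL, chain code IR)

def ckd_priv(k_par, c_par, i):
    # Hardened indices (>= 2**31) feed the parent *private* key into the HMAC;
    # non-hardened indices feed only the parent *public* key.
    if i >= 2**31:
        data = b"\x00" + k_par.to_bytes(32, "big")
    else:
        data = ser_p(point_mul(k_par))
    I = hmac.new(c_par, data + i.to_bytes(4, "big"), hashlib.sha512).digest()
    return (int.from_bytes(I[:32], "big") + k_par) % N, I[32:]

def recover_parent_priv(K_par, c_par, i, k_child):
    # With the extended public key (K_par, c_par) anyone can recompute IL for a
    # non-hardened index, so k_par = k_child - IL mod N. Hardened: unrelated value.
    I = hmac.new(c_par, ser_p(K_par) + i.to_bytes(4, "big"), hashlib.sha512).digest()
    return (k_child - int.from_bytes(I[:32], "big")) % N
```

The last function is exactly why the thread says to keep the extended master public key secret if any non-hardened child key might leak, and why the same leak is harmless for hardened children.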


Title: Re: Hierarchical deterministic wallets question?
Post by: Coin-Keeper on August 20, 2017, 08:08:54 PM
One question concerns privacy:
Can someone who knows that a particular address belongs to you deduce other addresses (up or down the tree) that also belong to you?

Second question concerns security:
If the private key of any address in the tree of deterministic addresses is compromised, are your other private keys in the tree in danger if the perpetrator does not know your master seed?

Thanks!


I understand your second question clearly.  The answers above are helpful and accurate, but in what case would you leak a private key?  Your general OPSEC should mean using an online computer in a fashion where NO private keys, master or single address, are ever exposed to the computer.  A cold wallet or hardware wallet approach eliminates such concerns.  Just encouraging you to make your questions theoretical and not real world experience.  Trying to help, nothing more.