Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: tandit on November 25, 2013, 12:28:06 AM



Title: Does revealing one private key compromise an entire deterministic wallet?
Post by: tandit on November 25, 2013, 12:28:06 AM
Does revealing one private key compromise an entire deterministic wallet? 


Title: Re: Does revealing one private key compromise an entire deterministic wallet?
Post by: justusranvier on November 25, 2013, 12:29:47 AM
Sometimes


Title: Re: Does revealing one private key compromise an entire deterministic wallet?
Post by: gmaxwell on November 25, 2013, 01:18:22 AM
If it is using the 'type-2' public derivation, e.g. as is the case for all keys in a current Armory wallet (IIRC), and the attacker knows the extended public key (e.g. attacker has a watching wallet) then yes.

This is why in BIP32 the recommended top level uses the 'type-1' private derivation which doesn't have this surprising property (but also lacks the nifty ability for an untrusted party to generate addresses for the wallet).


Title: Re: Does revealing one private key compromise an entire deterministic wallet?
Post by: tandit on November 25, 2013, 03:58:08 AM
Does that mean I should create a new Electrum wallet?


Title: Re: Does revealing one private key compromise an entire deterministic wallet?
Post by: justusranvier on November 25, 2013, 05:41:35 AM
Quote from: gmaxwell on November 25, 2013, 01:18:22 AM
> If it is using the 'type-2' public derivation, e.g. as is the case for all keys in a current armory wallet (IIRC), and the attacker knows the extended public key (e.g. attacker has a watching wallet) then yes.
>
> This is why in BIP32 the recommended top level uses the 'type-1' private derivation which doesn't have this surprising property (but also lacks the nifty ability for an untrusted party to generate addresses for the wallet).

That's why I think implementations should add an extra level of structure such that you create a different xpub for every entity from whom you receive funds.

I know, quadratic scaling, but it's worth it for the added safety.


Title: Re: Does revealing one private key compromise an entire deterministic wallet?
Post by: crazy_rabbit on November 25, 2013, 05:55:09 AM
Quote from: tandit on November 25, 2013, 03:58:08 AM
> Does that mean I should create a new electrum wallet?

Are you in some sort of situation you're not mentioning? It's hard for people to give you advice on such a vague question.