Bitcoin Forum

Hi all,

In another thread, it seemed that not many people are aware (even though there is a warning message when you export a private key from a seeded address) of the (MPK + privkey_n = Master Private Key (mpk)) quirk.

I'm here to explain it.

First, some clarification.

Your seed is not your Master Private Key. Your seed is "stretched" out 100,000 times by hashing it against itself and subsequent hashes. The final hash that arises from this process is your "Master Private Key" or Extended Private Key. This is the private key to your Master Public Key.

Now that you understand this, here's some basic ECC math:

For a private-public keypair d = private, P = Public, the formula that calculates the public key from the private key is P = dG... where G is the "generator point" on the curve that Bitcoin uses for Elliptic Curve calculations. All keypairs in Bitcoin use the same Generator point G.

This relationship of P = dG is important to understand how the attack takes place.


First let's learn about Electrum's address derivation.

Well, the address derivation formula works something like this:

1. We first create an "s" which is = Hash( n:c:MPK ) where n = the index number of the address (0 = first address, 1 = second address, etc.) and c = Change addresses or not. (1 = change, 0 = regular) and MPK = your master public key.
2. Then we take that hash, use it as a private key against the generator point to get a public key R = sG
3. Then we take the master public key and add it to the sequence public key. This gives us a 3rd public key without needing to know its private key or the master private key, we will call this P_n = d_nG

Notice how nowhere in that process did I use the master private key or the private key to P_n.

Now, how do I spend bitcoins for the address at P_n?

1. I stretch the seed 100,000 times to get the Master private key.
2. Since P_n = MPK + R... we can also write the equation as d_nG = mpkG + sG.... G cancels out to get d_n = mpk + s
3. We add the master private key to the Sequence "s" (and mod by the curve order) to get d_n... with this, we can sign for the address at P_n

......

Ok, now that we understand what's going on, how are we vulnerable?

First, what does the attacker need?

1. Your Master Public Key.
2. Any one of the private keys from an individual address derived from your Master Public(/private) Key.

How do they attack you?

I know 100% that your MPK is correct, I know 100% that the private key I obtained is from that MPK's address. Normally people don't use a lot of addresses on Electrum, so even if we don't know the sequence number, we could try about 100 times and most likely find the right sequence.

Here's what I do:
1. I calculate the Bitcoin address from your private key, public key is X.
2. I attempt to guess, let's say I get it right that your number was Hash( 0:0:MPK ). Because I know your MPK and I guessed the index of your private key, I now have the sequence secret.
3. I created the public key for the sequence secret, and add it to your Master Public Key. If the end result is X, I have correctly found the sequence secret. If not, just keep guessing, its fast.
4. As we said before, private key derivation is d₀ = mpk + s... so we change it around to mpk = s - d₀
5. We know the sequence secret now, and the Bitcoin address private key. we subtract the private key from the sequence secret, modding by the curve order, we get the master private key.
6. Just in case, check if MPK = mpk * G. If it does, now you can solve any sequence address's private key.


So everyone, please treat every single individual private key on your seed's wallet as carefully as you would treat your seed.


BIP32 has the same problem, however, it also has something called "hardened keys." Which are supposed to break the chain (so you can only derive it one way) but at the expense of utility. (You won't be able to derive deeper chains from that child)


That being said. Electrum's offline signing ability and its lightweight client make it my favorite Bitcoin client to date. Just be sure to educate yourself. The same can be said with anything in life, especially Bitcoin related things, but it always helps to learn.


I hope this helps prevent theft. Please take care of your private keys.

Thank you.

Thanks Debura.

Btw, 10,000 or 100,000?

Thanks for the explanation.

I've seen you mention this topic many times around here lately, so it's great to finally be able to be able to quantify why this occurs.

I feel like keys simply should never be exported because of this, why would anyone ever want to take this risk?

The only valid reason I can think of, would be to do an off chain transaction.  But in that case, it should be the only coins in the electrum wallet, and therefore, why not simply give someone the seed?

https://github.com/spesmilo/electrum/blob/master/lib/account.py#L148

Nice catch. Fixed the OP.

http://bitcoinmagazine.com/8396/deterministic-wallets-advantages-flaw/

What do you guys think of this solution? How feasible is this?

Solution to what?  Trying to combine deterministic wallets with multisig?  Why would you even need to do that?

The solution to a more secure internal control structure, so you can leverage the utility of the master public key.

There's nothing wrong with how electrum does it.  He's talking about some convoluted scenario that doesn't have any real life application as far as I'm concerned.

Actually, the "solution" that JonCD was talking about was more geared towards BIP32.

Electrum (in its current 1.9.8 version) would not be able to generate the 3 separate key chains for a deterministic 2of3 P2SH chain wallet.


However, the method JonCD describes is actually what ThomasV is implementing into Electrum 2.0 right as we speak. (in fact current git HEAD already has 2 of 3 and 2 of 2 BIP32 deterministic chains already.)

The idea is that since your bitcoins are not attributed to any 1 specific master public key and master private key, even if you exported one of the private keys and someone calculated your master private key, they would still need one more master private key, AND they would need all three master public keys (so that they could create the redeemscripts)...

It adds a level of obfuscation that protects the user. Not to mention that if your wallet is 2 of 3, you probably won't be exporting keys anyways.

In general, if you want to have exportable private keys in BIP32, you must use hardened keys. The downside to this is that you will not be able to generate those public keys from a Master Public Key. (hardened keys do not have a master public key, which is how they are hardened) But they will still be attached to your chain, so recoverable from seed.

I was referring to the quote from Vitalik. I don't see the point to implement a complex scheme like that just to allow an auditor to search the blockchain when you could set up a watch only wallet.  Doesn't make sense, maybe I'm missing something.

The idea is that if you give the auditor the watch only wallet, he could conspire with one of the holders of the private keys below it to create the master private key and run away with all the money.

M = master public key
m = master private key

m/ = CEO holds it

M/ = Auditor holds it. With it, they can view all company funds, but not spend.

m/m₁ = Department A head holds it, and can generate further chains with it.
m/m₂ = Department B head holds it, and can generate further chains with it.
m/m₃ = Department C head holds it, and can generate further chains with it.

combining M/ with m/m_x would give me m/ ... so an auditor would have to conspire with one corrupt department head to run away with the company's entire finances.


With the solution provided says that the CEO would make

m₁/
m₂/
m₃/

Then

Dept A:
m₁/m₁
m₂/m₁
m₃/m₁

Dept B:
m₁/m₂
m₂/m₂
m₃/m₂

Dept C:
m₁/m₃
m₂/m₃
m₃/m₃

Each dept using the three public keys generated by those chains to generate deterministic 2of3 chains.

The Auditor would ONLY receive:

M₁/

Then they could check the blockchain for redeemscripts that included
M₁/M₁
M₁/M₂
M₁/M₃

Then they would know how much money each department SPENT without being able to collude to get 2 private keys.

Downside: They could only find SPENT funds, as the redeemscript is only revealed on the blockchain when funds are spent from the multi-sig address.

imo, the best way to do an audit for business would be to use a dual-key Stealth Address, and give the scan_privkey to the auditor... but this is a topic slightly unrelated to BIP32.

You could set up so your company's stealth addresses are generate on a per-department basis, but that all scan_keypairs are generated by a separate BIP32 chain.

Give that master private key to the auditor, as that keypair is only used to generate shared secrets to discover funds, not to spend it.

What about create 1000 receive and change addresses and not give public key to auditor ?

Right so there is a weakness in the internal control structure if a department head, who controls a single private key related to the funds of his department, colludes with the auditor, who holds the master public key.





Great explanation. Finding what was spent is useful for transaction reconciliations, although a lot of what auditors do is reconciliation of balances as well, so not having that ability is definitely a pretty big downside.

I am not too familiar with stealth addresses yet, I am reading up on this.

I suppose you could do this. As long as the accounts all balanced with the keys provided.

The problem with this is the current structure of the client. You can easily obtain the Master Public Key from it without having to input your encryption password. The MPK is required in order to create a watch-only wallet. So the level of safety a watch-only wallet could provide would be completely eliminated, as any wallet you created would become a hot wallet.

In the scenario provided, where single private keys are given to department heads, it would require the Master Public Key be treated with the same level of attention and security as you would a private key. And it's not.. it's a public key. I feel like it is intended to be made public, so you can leverage it for services like watch-only service providers and POS systems. So having to treat it like a private key would mitigate it's usefulness.

I'm in a sort of a crisis.

What's the best way to obtain the private keys of a "Receiving" address that appears in Electrum after creating a seedless/watch-only wallet with a Master Public Key.
In addition to knowing that address I also know the following data generated in an Armory wallet with the same MPK:

 a) Root chain
 b) public key/address
 c) and its private key

 I have a bit of BTC that I had sent to that receiving address and can't take it out  :(

Please advise!

Thanks,

can you just create an offline transaction and sign it to move the funds out of that address?

better than to be exporting private keys, as private key+ MPK can expose your whole wallet.  not sure why you're mixing electrum and armory???sounds like a mess.

Thanks for the feedback.
I did attempt to do that first but Armory simply doesn't understand the transaction format created by Electrum in their latest version and if you ask why Armory, it's  because it has excellent security measures that I absolutely love. Why not Armory in my online wallet, too? I don't like to download a never-ending file that needs my PC to be online all the time. So it was absolute the perfect combination.

Anyway...that was just a dummy account so I don't mind importing the private key to my online wallet as long as I quickly move the btc out of it. However, if I try to import the Armory private key (which belongs to a different address than the one I have my coins at), Electrum shows an import error regardless of whether I provide it in Base58 or the other format. Now why would that happen when I'm using exactly the same MPK (I concatenated Armory's PublicX and PublicY and entered them into Electrum) ?

Is importing any private key of my offline wallet into Electrum the only solution?

Is there any way I could add the Electrum "receiving" address into Armory without asking me its private key? At least I could connect it online to get the blockchain and move out the btc quickly.

You're really mixing 2 different systems, (which sounds like it doesn't really work)
but, it sounds like you really want to be using Armory but still want that
one address out of your electrum wallet.

If so, then I assume you can import the address into Armory.

Go to your offline electrum wallet and you can export the private
key from the address.

Does that work for you?

Sigh. A few clarifications:

- Armory and electrum are two different wallets. They're deterministic wallet implementations are mutually incompatible. You cannot combine an armory offline wallet with an electrum watch only online one.

- Watch only wallets don't have private keys

- MPK stands for master public key. You can't derive a private key from a public key not even if it is a master public key.

So now can you tell us what you are trying to do again?

 I'll definitely stop mixing the 2 systems as soon as I get my btc back. In the meantime....
 
(BTW, I don't have any offline Electurm wallet, just an offline Armory and an online, seedless Electrum one, which by nature can't do private key exports)..

Really? Is there not any process to convert/translate those two wallets at all??

 I read somewhere that with a Master Public key and a private key associated to a public key derived from it would allow me to obtain the Master Private Key. And that that Master Private key would help me get the private key I'm looking for. Is there such formula?
 
Ok, I'm tipping 0.15 BTC to whoever provides me with a method that actually allows me to recover my BTC. If it exists... ;D

see this:

https://bitcointalk.org/index.php?topic=19137.msg7894811#msg7894811

I'll gladly take that that .15 and put it toward bit coin adoption rewards.

Thanks. Unfortunately I'm not a developer.  I have a very general idea of what that means but I'm not that advanced to any material degree to make any practical use of those concepts ...  

 Is there any "priv key generator" webpage that allows me to plug in those values? (the last formula seems to imply that I'd need to try thousands of times until I get lucky and get the priv key that I'm looking?) I tried brainwallet but that doesn't seem to provide that functionality.

This is sadly still very low level info for me to break it down   :(

i'll see if i can write a script for you later tonight.

I think you have a fundamental misunderstanding of how Electrum and Armory work.

Right now, you are not making any sense.

I can most likely help you, but tell me exactly what you have, and separate it by Electrum and Armory:

ie.

I believe I can help you. What operating system are you using? Are you comfortable using the command line?

EDIT:

To others that will vouch for my executable:
https://github.com/dabura667/help_arorts
Here's the source.

I will upload an exe file to make things easier.
https://github.com/dabura667/help_arorts/releases/download/0.1/arms.exe

Although, if you take this exe and just run it on an offline computer you can keep your armory wallet safe.
but either way there's the source and instructions on how to recreate the build.

(To anyone who checks my source: fyi including the ripemd160 library in there was a workaround for the website I linked below. They didn't support ripemd160 hashing for some reason.)

^^^^^^^^^^^^^^^^^^^^^^^^

There are two ways you can go about this:

1. You can do this all online. But this will cause you do type your backup phrase on an online computer. As you must go to a website that can not be downloaded locally.

Go to http://www.compileonline.com/execute_python_online.php (http://www.compileonline.com/execute_python_online.php)

In the left hand side of the window (Where it says "print "Hello World"" etc.) delete all the stuff written there, then paste in the code at the following site.

http://0bin.net/paste/+JXKiGgA1dJdBLaI#yXV7WhIlhpCpIcGieW0ibIThcYczSF7u-UxUF8dYC5P (http://0bin.net/paste/+JXKiGgA1dJdBLaI#yXV7WhIlhpCpIcGieW0ibIThcYczSF7u-UxUF8dYC5P)
(There's a button at the top of the page to "Copy whole text to Clipboard". It will make it easier)

Once you pasted into the left side of the first site... scroll down to the bottom of the code. You will see lots of green # symbols and an explanation.


Follow the instructions and replace the backup phrase that is in there with your backup Armory phrase (should be 9 words x 2 lines) and separate the two lines with <>

Then go into Electrum. The one that you accidentally made the watch-only wallet with your bitcoins.

Click "Wallet" > "Master Public Key" and copy the long number there. paste it in the second area in place of the '5a09...0c87' stuff (remember to keep the ' ' around it tho.)

Once you've entered these two things. Click the "Execute Script" button on the upper left corner.


2. If you don't want to do this online. You must have an offline computer with python 2.7 or later installed.

Copy the text from http://0bin.net/paste/+JXKiGgA1dJdBLaI#yXV7WhIlhpCpIcGieW0ibIThcYczSF7u-UxUF8dYC5P (http://0bin.net/paste/+JXKiGgA1dJdBLaI#yXV7WhIlhpCpIcGieW0ibIThcYczSF7u-UxUF8dYC5P)

Paste it into a new text file, Change the two items near the bottom like in option 1, save the text file as "All Files" type and in the filename box, call it "arms.py" (remember to put in the .py )

Open the terminal or Python console to the folder in which you have arms.py saved.

Run arms.py


---------------------

If you do either of these, and you actually used the Armory MPK correctly in Electrum (stripping the 04 at the beginning and removing the chain code if any) then you should see the 5 receiving and 3 change addresses that are in your electrum watch-only wallet, along with their respective WIF private keys.

Find the address that you accidentally sent to and copy down its WIF private key.

Then you can import that to whatever client you wish to restore your bitcoins.


Possible errors:

1. If it says "Your MPK doesn't match..." and doesn't show you any addresses... sorry... your bitcoins are gone.

2. If it says "Checksum error" then you mis-typed in your Armory backup phrase.

3. If it says anything else, or the addresses don't match what you accidentally sent to, then let me know.

<bump> Because I edited my post with an exe file I would like people to build and verify to vouch for it.

I would publish the hash signed by my pgp key, but I am not sure whether py2exe will create a deterministically identical exe...

If anyone knows a lot about py2exe I would appreciate advice on a way to guarantee the same hash.

arorts hasn't replied but if anyone else is in this situation it's actually pretty simple to get the address specific private keys.


So if the "master private key" corresponding to the "master public key" used to create the watch only wallet is f45xxxx...xe3c and you want the private key for the first address in the wallet:


If you need to convert between hex encoded private keys and WIF ones just use encode_privkey. So again:


You can then import that into whatever wallet you like.

arorts had PMed me and I figured out his exact situation.

1. in armory, there is an ability to export the Master Public Key of the deterministic wallet.

2. He exported armory's MPK and used it to generate a watch-only wallet on Electrum.

3. He sent bitcoins to his watch-only wallet, and since there is no methodology in Electrum that directly allows use of the stretched Master Private Key... I basically slapped a script together that converts the Armory paper backup into the Master Private Key and does exactly what you said, except without any dependencies. (I had originally planned for him to copy/paste into an online python compiler or something... so I didn't want dependencies that weren't default contained in Python.)

Anywho, there is an example case within arms.py (it's commented out, the Armory backup seed is on two lines, one without spaces just to make it easier to copy. and the MPK that corresponds.)

Try compiling it, or just running the script in python directly. Any errors should show the error and pause (using raw_input() to wait for Enter to be pressed before closing)... also pressing enter after address gen closes as well.

Hello everyone,

I had to take some time off so I haven't recovered my coins yet. Just to make sure I follow the right process here are some clarifications:

- My offline Armory wallet is a Windows one
- My online Electrum wallet is in a Mac computer (latest OS X version)
- The MPK I entered as the seedless Electrum wallet was exactly a concatenation of the 2 publicX and PublicY keys listed in Armory, NOT a decoded version of the paper backup/root key
-  I didn't remove any initial or ending characters before entering it in Electrum

Having said that, what should be the right process that can be safely run offline? Seems like dabura667's last post?

Thanks

Yes.

I would recommend running the exe on your offline Windows machine, though. If you run the script on your online Mac, then your offline Armory wallet's private keys have touched the internet.

From the sounds of it, you will restore all of your bitcoins. You only sent to one of the first addresses that was shown, correct?

Right now the script only generates 5 receiving addresses and 3 change addresses. This is the default number of keys shown for a new Electrum wallet.

I have explained how to run the script in Windows here, and on Mac via PM. Either way you choose, you should have the WIF private keys you need to recover your funds.

Let me know how it goes :-D

Unfortunately, I got a "Your MPK and the backup phrase MPK don't match"

BTW, what I entered as the Master Public Key in Electrum was NOT a decoded version of Armory's root key/paper backup but a concatenation of PublicX and PublicY entries shown in Armory so I never saw any "04" prefix to even think to remove it.

Any thoughts?

Are the PublicX and PublicY values in hex format?

Are each of them a 64 character string consisting only of 0-9a-f?
Concatenated it should be a 128 character string consisting only of hex digits.

Is that what you placed into electrum? Is that also what shows up in your Master Public Key area in Electrum?

Electrum's MPK is just the Public x value and the Public Y value in 32 byte hex format concatenated.

What exactly did you input into Electrum when creating the watch-only wallet? Perhaps could you PM me what you inputted and also what your Electrum is saying is the MPK?

Yes to all your questions above. I just checked again and Armory's MPK is the same exact string as the MPK in Electrum.

In armory:

- Double click on the wallet
- Click on 'backup this wallet'
- Select 'export key lists' radio button, click on button 'export key list'
- In the next window check 'public key(be)'
- Find the public key you entered into electrum and note down the corresponding private key (hex or wif).

The private key in armory is broken up by spaces. Remove the spaces and combine it into one long string and follow the instructions above:

https://bitcointalk.org/index.php?topic=657205.msg8258543#msg8258543

Alternatively, if you are willing to trust me, you could PM me the private key and I'll send the btc to an address you control.

He did that essentially with my script. But the Public X and the Public Y he used as his MPK in Electrum were NOT from his master seed.

I am currently working with him to figure out where his Public X and Public Y came from.

Perhaps a different wallet? (Maybe he has multiple and is mixing them up?)

The instructions I gave have nothing to do with his master seed. They are for dumping address specific priv keys.

Edit: To clarify he is using the public key of an ordinary bitcoin address in his armory wallet. Not the armory MPK or anything like that. Just the pub key of an ordinary address. The instructions above are for getting the corresponding priv key and going from there.

Oh ok, I just downloaded Armory and I see what you mean now.


> arorts

I updated all the scripts and the exe to do what Abdussamad mentioned.

Please follow his instructions to find the "PublicX" and "PublicY" that you used in Electrum... then just above it you will see "PrivHexBE"

The new script will ask you for PrivHexBE and NOT the paper backup phrase.

You will get your bitcoins back! yay!

Here's the exe
https://github.com/dabura667/help_arorts/releases/download/0.1/arms.exe

Here's the scripts (use arms_mac.py if you're doing it on your mac)
https://github.com/dabura667/help_arorts/archive/master.zip

Thanks all.

So the publicX and publicY  I used correspond to a **regular receiving address I created in Armory**  , for which I do have its private key as well.

 I'm getting the feeling that I should have used Armory's root key/paper backup (2 text lines) when I created my Electrum wallet (after necessarily removing the "04" and using only the next 128 chars), is that correct?

Will go ahead and use the updated scripts above...not before crossing my fingers. :-)

NO

That is NOT correct!

Armory and Electrum use fundamentally different algorithms to generate keys, so using the SAME MPK and SAME root seed will generate DIFFERENT addresses.

If you would like to use Electrum, install Electrum on your offline computer and create a new wallet.

Electrum and Armory are NOT compatible.

I am 100% certain your bitcoins will be recovered this time, but next time you might not be so lucky.

Success!!!!   :D
Thanks a lot!!

Ok, so to summarize. I know that those two wallets are currently not compatible. However, if I do again exactly what I did before but derive the private key using the script you provided in an offline computer BEFORE I send any coins to its public address, I should be in good shape.

I had requested Armory to create a light client but I believe they indicated some time ago that that goes against their security principles (someone might impersonate/hack the torrent/servers holding the blockchain , like the model Electrum does).

Alternatively, I can create a watch-only wallet with Blockchain.info offline, dump the transaction history from sending address from bitcoinexplorer, run a local copy of Brainwallet HTML code in an offline computer to create and sign the transaction offline. And finally, I'll just broadcast it in blockchain.info. In this case, there would be no need to use Electrum at all.
In the offline computer I can have Armory import the private key and back up all using paper backup method. This is the most secure and still light wallet model I can think of.  Bye Bye Electrum...

Why are you using armory to begin with? If you want an offline cold wallet with watch-only compononet, Electrum is just as secure as Armory. Armory is only more secure on the online component, as it has the blockchain locally. But you seem to be wanting a light client. So Electrum sounds good for you, if you'd just use it normally.

First of all, my script is not cryptographically secure. I slapped it together so that hopefully it would generate your address. However, there is NO GUARANTEE that every private key listed will definitely correspond to the address listed. Be warned.

Also, the addresses being generated, even if you use Armory's paper backup seed, will NOT be the same as Armory. ALSO, if you decode the paper backup into hex and input it as a restore seed for electrum, you will get COMPLETELY DIFFERENT ADDRESSES from my script AND Armory.

So in summary, either switch to Electrum and send your bitcoins there, or just download the blockchain in Armory. Don't mix the two systems.


I am very glad to have helped!

You can pay the bounty to my tipping address in my sig or the address I pasted in my post a little while back.

Stay safe!

Yes, I'm definitely going to stick with a single Client wallet because you are right: otherwise I'd have to test sending out some mBTC to see if the private key is really working for that address but that'd be messy and tedious and dangerous.

Is the blockchain.info wallet I was referring before also incompatible with Armory? If yes, then I'd do all in Electrum. But if it's compatible, I'd like to learn from you if that's viable alternative or I should forget about that, too.

The only reason I'm leaning towards Armory is that in the unlikely event my offline PC crashes, I still can have a paper backup, which can be further split into 2 out of 3 paper sheets or electronic fragments required with a SecurePrint code, which is not even printed in the backup sheets to recover the seed. Electrum only has a phrase-based recovery method but that's about it.

Thanks for your suggestions!

blockchain.info is not compatible with armory. For your purposes the only thing compatible with armory is armory, only thing compatible with electrum is electrum and so on.

Choose:

a) Offline armory + online armory

Or

b) offline electrum + online electrum

Don't mix and match wallets.