If the attacker a single private key and the same key's chaincode, m/i/j/k, he can only determine m/i/j/k/X. You can't reverse the chain or get to other chains, or even determine "brothers" in the same chain. You can only traverse down a separate chain specific to that key (which is not ever used in BIP 32 wallets, by default)
So what is this about? Conclusion: In a scenario where derived secret keys are handed over to subbranches, the derived public keys MUST not be generated on the fly on "hot" machines. Instead, even Kpar must be stored "cold". To some extend this contradicts the original idea of hierarchical deterministic wallets.
Thanks for noticing this. I must admit that I never considered this scenario. I understood this to mean if the attacker knows the extended public key (which includes the chain code) of a node, and any one of the associated private keys, then the attacker can also recover all the sibling private keys. Is this not correct?
|
|
|
I'm still not sure about the answer to my original question. As BIP34 is currently written, if an attacker knows the chain code associated with m/0/0 and knows one of the private keys in the series m/0/0/0...k series can also he recover the private key of any other branch in the tree, or does m/1, m/2, etc use a different chain code that can't be derived from the m/0 chain code alone?
|
|
|
Part 4 added to OP.
He's being unusually productive with regards to the podcasts recently.
|
|
|
It seems like it should be possible to compartmentalize the risk. Accidentally revealing one private key will compromise the entire branch but it should be possible to limit the damage to that branch without affecting others.
|
|
|
I'm trying to understand the full implications of accidentally revealing a individual private key. Suppose I gave Mt Gox the extended public key m/0/0. They would then be able to generate m/0/0/0...k themselves in order to send each future BTC withdrawal to a unique address without further interaction from me. If I accidentally reveal private key m/0/1/42 this means they can generate all private keys in the m/0/1/0...k series as well. What does that mean for other branches like m/1, m/2, etc?
|
|
|
OP updated to include part 3.
|
|
|
If I were in your position I'd choose whatever program allowed me to borrow as much money as possible, and use that money to load up on Bitcoins. I'd also learn a second or third language, get at least one passport and to my best to develop skills which are marketable internationally. Then I'd try to spend at least one semester studying abroad for networking. Then upon graduation, appearance of a great job opportunity, or the breakdown of civil order in the US (whichever comes first) I'd exit the country and being a new career somewhere else using bitcoin-based savings to help with the transition.
|
|
|
So a business which is willing to mine for free because their entire business depends on the success of bitcoin will CHOOSE to include massive quantities of spam which would damage the very network their are mining for free to protect? We don't know. In 10 years Walmart might be operating their business via Bitcoin, and the transaction volume they will deal with might make any spam a regular person could generate look like a rounding error. A lot can change in 10 years.
|
|
|
Fast forward 10 years 10 years from now we have no idea who is going to be mining and for what motivation. It's possible that all mining will be done by businesses that depend on bitcoin instead of by pools of individuals. They might not even charge fees because operating the mining rigs is just rolled into the cost of doing business.
|
|
|
I would never maintain a large balance on a hosted wallet, no matter how nice, but for small purchases or for a first time user I think blockchain.info is perfect. It's very easy to use and has a lot of polish.
However people who move on to managing larger sums should learn how to use cold storage and offline transactions for security, which means a standalone client.
|
|
|
I created a new wallet and then imported a single private key into it without sweeping funds.
After rescanning the blockchain the Balance shown in the "Available Wallets" area is correct, but on the Transactions tab every transaction is shown twice, and the "Spendable Funds" displays double the value it should.
Closing and restarting Armory fixes the problem.
|
|
|
I'm having a hard time wrapping my brain around that growth rate. I had no idea that many new wallets are being created there each day. Hopefully it represents entirely new Bitcoin users and not conversions from stand alone clients to web wallets.
|
|
|
It would also be good if you would use git's tag signing feature so those who compile Armory would also have the ability to use your public PGP key to verify the sources.
|
|
|
There's no reason that an underground business needs to be a scam. Hypothetically speaking one could start a business which had the effect of lowering its customers' tax liabilities in a way that was lawful (or at least in which any unlawful effect was plausibly deniable). A business like that would do well to be circumspect in its structure and operation.
|
|
|
Start it using your reputation, build it up to be viable, then give it to an anonymous entity when you start to feel the heat? Start it in an anonymous way and get someone well known to vouch for you? The best way is to build a business model in which minimal or no trust is required and stay anonymous the entire time.
|
|
|
This is how an intelligent adversary would destroy Bitcoin: https://bitcointalk.org/index.php?topic=128900.msg1374756#msg1374756The process works like this: First, use a deceptive narrative to create the illusion of a crisis then use the false crisis as an excuse to push a protocol change which reverses Bitcoin's fundamental nature. In this case the narrative is that blockchain bloat is a problem that can't be solved without a protocol change, and that a reference client implementation detail like anti-spam rules are impossible to change. The proposed solution is to change the protocol to allow outputs to be spent without a signed transaction. If that ever happens Bitcoin as we know it is dead. Miners would the means and the economic incentive to claim unspent output for their own use without the consent of their owners (otherwise known as stealing). A smart adversary would combine this tactic with the appropriate carrot and stick incentives applied to key individuals to either neuter or destroy Bitcoin.
|
|
|
"THOU ART VIOLATING THE TENETS OF OUR GOOD LORD SATOSHI, PRAISED BE HIS NAME! THOU SHALT BE PUT UPON THE WALL TO RECEIVE THE BLESSING OF COLD METAL ROUNDS! LET THIS BE A LESSON TO ALL HERETICS! DO NOT CHANGE THE WORD OF THE HOLY PAPER LEST YE BE CHANGED TO BREATHE NO MORE!" It's less pleasant to step off of some straight and narrow paths than others.
|
|
|
If this is going to change, the next day we will probably NOT be able to connect to any websites that has Bitcoin/Satoshi on URL. Would they block github for hosting the source code for the reference client?
|
|
|
And I know that people can put their location if they want. However, I think most people just never get to that. Including you, apparently.
|
|
|
A 51% hardware-based attack would cost 10000x more than a simple network-based or data-based attack.
...which is why the US government would go that route. The middle and upper level management in the government aren't particularly competent, but the contractors who sell them things are (at getting them to spend money). Atruk accurately described how it would play out.
|
|
|
|