What about create 1000 receive and change addresses and not give public key to auditor ?

I was referring to the quote from Vitalik. I don't see the point to implement a complex scheme like that just to allow an auditor to search the blockchain when you could set up a watch only wallet.  Doesn't make sense, maybe I'm missing something.

The idea is that if you give the auditor the watch only wallet, he could conspire with one of the holders of the private keys below it to create the master private key and run away with all the money.

M = master public key
m = master private key

m/ = CEO holds it

M/ = Auditor holds it. With it, they can view all company funds, but not spend.

m/m₁ = Department A head holds it, and can generate further chains with it.
m/m₂ = Department B head holds it, and can generate further chains with it.
m/m₃ = Department C head holds it, and can generate further chains with it.

combining M/ with m/m_x would give me m/ ... so an auditor would have to conspire with one corrupt department head to run away with the company's entire finances.


With the solution provided says that the CEO would make

m₁/
m₂/
m₃/

Then

Dept A:
m₁/m₁
m₂/m₁
m₃/m₁

Dept B:
m₁/m₂
m₂/m₂
m₃/m₂

Dept C:
m₁/m₃
m₂/m₃
m₃/m₃

Each dept using the three public keys generated by those chains to generate deterministic 2of3 chains.

The Auditor would ONLY receive:

M₁/

Then they could check the blockchain for redeemscripts that included
M₁/M₁
M₁/M₂
M₁/M₃

Then they would know how much money each department SPENT without being able to collude to get 2 private keys.

Downside: They could only find SPENT funds, as the redeemscript is only revealed on the blockchain when funds are spent from the multi-sig address.

imo, the best way to do an audit for business would be to use a dual-key Stealth Address, and give the scan_privkey to the auditor... but this is a topic slightly unrelated to BIP32.

You could set up so your company's stealth addresses are generate on a per-department basis, but that all scan_keypairs are generated by a separate BIP32 chain.

Give that master private key to the auditor, as that keypair is only used to generate shared secrets to discover funds, not to spend it.

There is one clever way in which this might be bypassed: making three hierarchical BIP32 wallets, with every address being a 2-of-3 multisignature address between the three wallets down some particular child key derivation path. Then, an auditor can have one of the three master public keys, and search the blockchain for transactions whose script contains public keys generated from that master public key. The solution is complex, not supported by any existing client, and far from perfect, but something like it seems to be the only way to get around the issue.
-Vitalik Buterin

Thanks!

Actually, electrum isn't dependent on the servers for that.

The server are used to broadcast transactions and check your
balances.  You can still generate addresses and keys using electrum
while you are offline without any of the servers.

I wrote this script as sort of a due dilligence to fully understand
what it does and in the (hopefully unlikely) scenario where
electrum developers disregard backward compatibility.  

For me, it is peace of mind knowing I have one simple script I
can use to recover my coins from seed regardless of what happens
to the Electrum code.