quick question: deterministic wallets like electrum that have a master public key from which the public addresses may be (re-)generated subsequently. does one really need the master public key in order to generate those addresses or would it be possible to generate the subsequent addresses from e.g. the first public key (address)?
Yes you do need the master key.
An address is just a hash, and even if you knew the public keys
of specific addresses, you would not be able to determine
the other elliptic curve points of other addresses without the
master key.
Ah, alright, thanks! But you would be able to do that with the master
public key, even though thats also just a
public key!?
The master public key can generate addresses but not the private keys of those addresses.
that's clear, I was just making sure that indeed the master public key is needed in order to generate subsequent addresses even though it's just a public key (is it still a hash, though? what is it compromised of?)
I can only tell you how it works in Electrum:
The master public key is not a hash. It's simply a hex-encoded
public key to the master private key, which is an elliptic curve
key based on the deterministic seed.
New addresses are generated from the master key by
generating new ECDSA coordinates, basically by
combining new sequence numbers with that master key
to create a new point.
As with a normal Bitcoin address, you can calculate
the public key from the private key, but not the
other way around. This is no different.
One consequence of the master key scheme,
is that if a single address in your wallet is compromised
(the private key becomes known), and the
attacker knows the master public key,
they can crack the entire wallet, because
they could use the one private key together
with the master public key to discover the
master private key.
For that reason, the master public key should be
kept secret. Its purpose (at least in Electrum)
is to create a watching-only wallet.