Keeping the addresses generated from deterministic wallet PubKey seed secret.

[No_2]

I have the following use case: I want to generate a series of public keys from which to create Bitcoin addresses from a deterministic wallet, but I do not want anyone to know or be able to predict what my sequence of addresses will be.

So my question is: can I keep the public key seed on a cold storage machine and generate public keys on an as needed basis without revealing what the next public key or address in the sequence is likely to be?

[achow101]

Yes. There is no need for anyone to know what your master public key is.

[No_2]

I should be clearer: I don't want anyone to be able to work out what the next address in the sequence will be, e.g. if I've generated 100 addresses in sequence and used them publicly will anyone be able to guess what address 101 would be without the pubkey seed?

[shorena]

I should be clearer: I don't want anyone to be able to work out what the next address in the sequence will be, e.g. if I've generated 100 addresses in sequence and used them publicly will anyone be able to guess what address 101 would be without the pubkey seed?

isnt this given with hardened keys?

-> https://bitcoin.org/en/developer-guide#hardened-keys

Assuming you also keep the xpub key secret as knightdk suggested.

[hhanh00]

You don't need hardened keys for this scenario. If you only publish the addresses, no-one can figure out the next in sequence.

[shorena]

You don't need hardened keys for this scenario. If you only publish the addresses, no-one can figure out the next in sequence.

So you can never spend the coins because this would expose the public key which would allow to derive further addresses?

[Carlton Banks]

You don't need hardened keys for this scenario. If you only publish the addresses, no-one can figure out the next in sequence.

So you can never spend the coins because this would expose the public key which would allow to derive further addresses?

But surely the public key of a single address cannot be used to infer the value of the xpub that generated it? The link to hardened keys suggests that the public key and the corresponding chaincode need to be exposed for that to be possible, so what am I missing?

[hhanh00]

You don't need hardened keys for this scenario. If you only publish the addresses, no-one can figure out the next in sequence.

So you can never spend the coins because this would expose the public key which would allow to derive further addresses?

Well, you can also use the public key as long as you don't show the chain code.

[shorena]

For now thanks for the answers even though it was not my thread. I feel I need more time reading and thinking about it.

[fbueller]

If you return only a public key, it's impossible to derive anything else in sequence.

A key is derived as Px + H(Chaincode || Keydata). It's impossible to guess the input to this second part, so you're all good.

You probably don't need to leak more than the public key - don't reveal any extended public keys.