Bitcoin Forum
Author Topic: Possible? vanity AND deterministic seeds!  (Read 1839 times)
flatfly (OP)
March 25, 2013, 10:34:53 PM  #1

I just had a little idea, and I think it could be implemented without too much work (perhaps as a script, or plugin) by someone more skilled than myself...

Consider this:
 
Many people like having a vanity address, but using it within electrum means having to import it, which is not cool as it somewhat defeats the purpose of a deterministic wallet. So how about writing a function that takes the vanity privkey as input and derives a regular electrum seed which has this vanity key as the first 'receive' key of the deterministic sequence?

Seems to me this would combine the benefits of both vanity and deterministic addresses and wouldn't compromise the security/randomness of the seed in a significant way at all. But I could be wrong. Thoughts?
casascius (Mike Caldwell)
March 25, 2013, 10:36:53 PM  #2

Quote from: flatfly (OP)
I just had a little idea, and I think it could be implemented without too much work (perhaps as a script, or plugin) by someone more skilled than myself...

Consider this:

Many people like having a vanity address, but using it within electrum means having to import it, which is not cool as it somewhat defeats the purpose of a deterministic wallet. So how about writing a function that takes the vanity privkey as input and derives a regular electrum seed which has this vanity key as the first 'receive' key of the deterministic sequence?

Seems to me this would combine the benefits of both vanity and deterministic addresses and wouldn't compromise the security/randomness of the seed in a significant way at all. But I could be wrong. Thoughts?

It would work but would run so slowly as to be impractical for generating anything but short vanities.

I'll rephrase this: you actually can't take an arbitrary privkey that wasn't derived from a seed, and come up with a seed that can be used to derive it.  Since that's impossible, I have assumed you're simply asking about the broader case, "can I come up with a seed that generates, among other keys, an address with the prefix of my choice".

Current vanity generators depend on being able to exploit the speed gain derived from using an EC add rather than EC multiply.  Anything that takes away that improvement is going to throw performance back to the stone age.  Anything that includes derivation from a seed must be followed by an EC multiply to become a bitcoin address and therefore is an example of it.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
flatfly (OP)
March 25, 2013, 10:41:49 PM  #3

Really? Well perhaps I wasn't clear enough, but I wasn't suggesting generating a vanity address using an electrum plugin (vanitygen is just perfect for that, of course), but using such an address to build a seed around it. Is that process also resource-intensive? I'm not familiar enough with the inner workings of deterministic wallets to answer that...
flatfly (OP)
March 25, 2013, 10:56:45 PM  #4

Quote from: casascius
I'll rephrase this: you actually can't take an arbitrary privkey that wasn't derived from a seed, and come up with a seed that can be used to derive it.  Since that's impossible...

I was actually asking about this :)
Sorry to challenge you, as you definitely understand these things much better than I do, but are you sure it's impossible/close to impossible? Then why the warnings in Electrum not to disclose/redeem any private key that is part of a deterministic wallet, as this "compromises the entire wallet"?

casascius (Mike Caldwell)
March 26, 2013, 12:30:26 AM  #5

Quote from: flatfly (OP)
    Quote from: casascius
    I'll rephrase this: you actually can't take an arbitrary privkey that wasn't derived from a seed, and come up with a seed that can be used to derive it.  Since that's impossible...

I was actually asking about this :)
Sorry to challenge you, as you definitely understand these things much better than I do, but are you sure it's impossible/close to impossible? Then why the warnings in Electrum not to disclose/redeem any private key that is part of a deterministic wallet, as this "compromises the entire wallet"?


Someone with private keys from the wallet presumably might be able to calculate other private keys from the same wallet, but they would not be able to calculate the original seed.

A quick check shows that an Electrum seed is 128 bits.  A private key is 256 bits.  If any private key could be turned into a 128 bit seed, that would also mean that any 256-bit number can be compressed into a 128-bit one with no loss.  That's not really possible, and neither is reversing whatever derivation algorithm converts it into a series of private keys.

BkkCoins
April 09, 2013, 02:58:59 AM  #6

You could run through index values and generate addresses from the MPK, but in order for Electrum to use the address (since it stores addresses in an array where the ordinal position is the index value), you would end up having to generate the matching key and import that anyway. Which brings you right back to square one again.

If Electrum stored an index with each address then you could generate addresses until you found one you liked and then just import the index, allowing address and key to be generated any time.

In order to make it fast you would have to code a CUDA module to do the generation. I have no idea if that is fast or slow. It involves hashing a string and multiplying with a point and adding to another point. So presumably that's slower than the current vanitygen method if that just needs to add.
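The arithmetic that casascius (#5) and BkkCoins (#6) are reasoning about, as an added example that is not code from this thread or from the Electrum project: a small pure-Python model of the Electrum 1.x "classic" deterministic scheme. The derivation formulas used here (a 100000-round SHA-256 stretch of the hex seed into a master secret exponent `secexp`, MPK = `secexp`*G, per-index offset `z = SHA256d("n:change:" + mpk)`, private key `k_n = secexp + z`, public key `P_n = MPK + z*G`) are stated from memory as an assumption about that old scheme, not copied from its source. The seed, the `fingerprint` stand-in for an address, and all function names are constructed for the example. It shows three things at once: a vanity search can run from the MPK alone but costs a full EC multiply per index, the owner can then derive the matching private key from the seed, and one leaked private key recovers `secexp` (every other key) but not the 128-bit seed.

```python
"""Added example: toy model of the Electrum 1.x deterministic key scheme.
Not the project's code; the derivation formulas are an assumption."""
import hashlib

# secp256k1 parameters: field prime, group order, generator.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition on secp256k1; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None                      # a == -b
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication: the full EC multiply casascius says
    vanitygen avoids (vanitygen steps k -> k+1, one EC add of G per candidate)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def stretch_seed(seed_hex, rounds=100000):
    """128-bit hex seed -> 256-bit master secret exponent (assumed stretch:
    repeated SHA-256 over previous digest + seed)."""
    seed = seed_hex.encode()
    digest = seed
    for _ in range(rounds):
        digest = hashlib.sha256(digest + seed).digest()
    return int.from_bytes(digest, "big")


def master_public_key(secexp):
    """MPK as shared with watching-only wallets: 64-byte uncompressed point, no 0x04."""
    x, y = ec_mul(secexp, G)
    return x.to_bytes(32, "big") + y.to_bytes(32, "big")


def sequence(mpk, n, for_change=0):
    """Per-index offset z = SHA256d("n:change:" + mpk). Needs only the MPK."""
    return int.from_bytes(sha256d(f"{n}:{for_change}:".encode() + mpk), "big")


def pubkey_at(mpk, n, for_change=0):
    """Public derivation P_n = MPK + z*G: one hash, one EC multiply, one EC add
    per index (the cost BkkCoins describes), with no secret involved."""
    mpk_point = (int.from_bytes(mpk[:32], "big"), int.from_bytes(mpk[32:], "big"))
    return ec_add(mpk_point, ec_mul(sequence(mpk, n, for_change), G))


def privkey_at(secexp, mpk, n, for_change=0):
    """Private derivation k_n = (secexp + z) mod N: only the seed holder can do this."""
    return (secexp + sequence(mpk, n, for_change)) % N


def fingerprint(point):
    """Stand-in for the address being pattern-matched: hex SHA-256 of the
    uncompressed key. A real address RIPEMD-160s this and Base58Check-encodes
    it; omitted so the example runs on a stock hashlib without ripemd160."""
    x, y = point
    return hashlib.sha256(b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")).hexdigest()


def vanity_index(mpk, prefix, for_change=0, max_index=100000):
    """Scan the receive chain from the MPK alone for the first index whose
    fingerprint starts with prefix. z is a fresh hash per index, so each step
    is a full ec_mul; there is no k+1 shortcut as in vanitygen."""
    for n in range(max_index):
        if fingerprint(pubkey_at(mpk, n, for_change)).startswith(prefix):
            return n
    return None


def secexp_from_leaked_key(leaked_priv, mpk, n, for_change=0):
    """One leaked private key + its index + the MPK gives back secexp and so
    every key in the wallet; the 128-bit seed behind secexp is not recovered."""
    return (leaked_priv - sequence(mpk, n, for_change)) % N


if __name__ == "__main__":
    seed = "0123456789abcdef0123456789abcdef"        # constructed example seed
    secexp = stretch_seed(seed)
    mpk = master_public_key(secexp)
    n = vanity_index(mpk, "ab")                       # search with the MPK only
    k = privkey_at(secexp, mpk, n)                    # owner derives the key
    assert ec_mul(k, G) == pubkey_at(mpk, n)
    print(f"index {n} has fingerprint {fingerprint(pubkey_at(mpk, n))[:12]}...")
    recovered = secexp_from_leaked_key(k, mpk, n)    # attacker with one key
    print("secexp recovered from one leaked key:", recovered == secexp)
```

Two things fall out of the arithmetic. First, why an externally generated vanity key cannot be "built a seed around": the index-0 key is `secexp + SHA256d("0:0:" + mpk)` where `mpk` is itself `secexp*G`, so choosing the key first means solving for `secexp` through its own hash, and even then only the 2^128 values reachable by stretching a 12-word seed are allowed. Second, `vanity_index` followed by `privkey_at` is exactly BkkCoins's "store the index" suggestion: the wallet only needs to remember `n` to regenerate both address and key from the seed. The leak behaviour modelled by `secexp_from_leaked_key` is specific to this kind of public (non-hardened) derivation; BIP32 hardened derivation, used by later wallets, removes that arithmetic shortcut.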
