Bitcoin Forum
November 25, 2017, 10:09:42 AM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
Author Topic: Master public key is quantum proof?  (Read 845 times)
RealBitcoin
October 18, 2016, 04:24:01 PM
 #1

I am referring to BIP 32 and the deterministic wallets. Is the master public key quantum proof, in the sense that a quantum computer cannot reverse-engineer the child private keys from the master public key?

I am specifically interested if this holds true for Electrum wallet as well. (But I posted in this board, since it is a general question about BTC security).

Quote
Public parent key → private child key

This is not possible.

The BIP documentation says it's impossible, but does it hold true against quantum computers as well?

buhrmi
October 18, 2016, 06:02:59 PM
 #2

With a powerful enough quantum computer, nothing holds true.
achow101
October 18, 2016, 06:09:03 PM
 #3

BIP 32 keys are still ECDSA keys. Therefore they have the same problems that all ECDSA keys have, which is to say they are not quantum resistant.
RealBitcoin
October 18, 2016, 07:08:39 PM
 #4

Quote
BIP 32 keys are still ECDSA keys. Therefore they have the same problems that all ECDSA keys have, which is to say they are not quantum resistant.

Well, I have done some research, and most experts say that in the context of child keys:

Unspent addresses are safe against quantum hackers -> because the public key is not revealed, so unless somebody posts his public key on Facebook, it should hold, because it has another layer of RIPEMD protecting it. That should hold against quantum computers.

However, I want to see what is the context of this theory in the BIP32 wallets, where we are talking about master public keys.


achow101
October 18, 2016, 07:51:27 PM
 #5

Quote
Well, I have done some research, and most experts say that in the context of child keys:

Unspent addresses are safe against quantum hackers -> because the public key is not revealed, so unless somebody posts his public key on Facebook, it should hold, because it has another layer of RIPEMD protecting it. That should hold against quantum computers.

However, I want to see what is the context of this theory in the BIP32 wallets, where we are talking about master public keys.

The extended public keys are not hashed. Otherwise it would not be possible to actually get the public key and derive the non-hardened child addresses. This means that once QCs are viable, you should not hand out your xpub, because then the public key can be gotten and the corresponding private key can be retrieved. Then the attacker can derive all of your addresses' private keys and steal your Bitcoin.
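To make the point in the post above concrete (the xpub carries the parent public key unhashed, non-hardened child public keys follow from it alone, hardened children do not), here is a pure-Python BIP 32 derivation written as an added example for this page; it is not code from the thread, from Bitcoin Core or from Electrum. Only the standard library is used, the seed is the BIP 32 specification's first test-vector seed fed in as constructed input, and the helper names (`watch_only_view`, `xpub_can_derive`) are this example's own.

```python
"""
BIP 32 derivation in pure Python: what an xpub exposes and what it does not.
Added example; not code from the posts, Bitcoin Core or Electrum.
Only hashlib/hmac are used (Python 3.8+ for pow(x, -1, p)).
"""
import hashlib
import hmac

# secp256k1 domain parameters (field prime, group order, generator)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000
XPUB_VERSION = bytes.fromhex("0488B21E")  # mainnet "xpub" prefix

def _add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, point=G):
    """Double-and-add scalar multiplication (not constant time: demo only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result

def ser_p(point):
    """33-byte compressed SEC1 encoding, as BIP 32 serializes public keys."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

def parse_p(data):
    """Inverse of ser_p: recover the full point from the compressed encoding."""
    x = int.from_bytes(data[1:], "big")
    y = pow((x * x * x + 7) % P, (P + 1) // 4, P)  # sqrt works since P % 4 == 3
    return (x, y if (y & 1) == (data[0] & 1) else P - y)

def master_from_seed(seed):
    """BIP 32 master private key and chain code: HMAC-SHA512 keyed 'Bitcoin seed'."""
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(I[:32], "big"), I[32:]

def ckd_priv(k_par, c_par, i):
    """CKDpriv: private parent -> private child, hardened (i >= 2^31) or not."""
    if i >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big") + i.to_bytes(4, "big")
    else:
        data = ser_p(_mul(k_par)) + i.to_bytes(4, "big")
    I = hmac.new(c_par, data, hashlib.sha512).digest()
    return (int.from_bytes(I[:32], "big") + k_par) % N, I[32:]

def ckd_pub(K_par, c_par, i):
    """CKDpub: public parent -> public child. Defined only for non-hardened i."""
    if i >= HARDENED:
        raise ValueError("hardened children cannot be derived from an xpub")
    I = hmac.new(c_par, ser_p(K_par) + i.to_bytes(4, "big"), hashlib.sha512).digest()
    return _add(_mul(int.from_bytes(I[:32], "big")), K_par), I[32:]

def serialize_xpub(K, c, depth=0, fingerprint=b"\0\0\0\0", child=0):
    """78-byte xpub payload. ser_p(K) sits raw at bytes 45..77, not hashed."""
    return XPUB_VERSION + bytes([depth]) + fingerprint + child.to_bytes(4, "big") + c + ser_p(K)

def watch_only_view(xpub_payload, count):
    """Everything a holder of the xpub can compute: the parent public key in
    the clear plus the first `count` non-hardened child public keys."""
    c, K = xpub_payload[13:45], parse_p(xpub_payload[45:78])
    return K, [ckd_pub(K, c, i)[0] for i in range(count)]

def xpub_can_derive(K, c, i):
    """True when CKDpub succeeds for index i; False for hardened indexes."""
    try:
        ckd_pub(K, c, i)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # BIP 32 test vector 1 seed
    k, c = master_from_seed(seed)
    K = _mul(k)
    K_seen, children = watch_only_view(serialize_xpub(K, c), 3)
    print("master pubkey read straight out of the xpub:", ser_p(K_seen).hex())
    for i, child in enumerate(children):
        assert child == _mul(ckd_priv(k, c, i)[0]), "CKDpub/CKDpriv disagree"
        print(f"m/{i} pubkey computed from the xpub alone:", ser_p(child).hex())
    print("m/0' derivable from the xpub:", xpub_can_derive(K, c, HARDENED))
```

Read with the thread in mind: a quantum attacker's job against an xpub is the one step this code does not perform, solving for `k` given the 33 bytes at offset 45 (the discrete log); once `k` is known, `ckd_priv` hands over every child, hardened ones included. Against a plain unspent address only the RIPEMD-160/SHA-256 hash of `ser_p(K)` is public, so there is no point to invert, which is the asymmetry the later posts argue about. Base58Check encoding and the hash160 step are left out to keep the block short.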
RealBitcoin
October 18, 2016, 07:54:07 PM
 #6

Quote
The extended public keys are not hashed. Otherwise it would not be possible to actually get the public key and derive the non-hardened child addresses. This means that once QCs are viable, you should not hand out your xpub, because then the public key can be gotten and the corresponding private key can be retrieved. Then the attacker can derive all of your addresses' private keys and steal your Bitcoin.

This is what I feared, so basically BIP 32 is useless then, and it is better to keep bitcoin in one unspent address.

achow101
October 18, 2016, 08:12:01 PM
 #7

Quote
This is what I feared, so basically BIP 32 is useless then, and it is better to keep bitcoin in one unspent address.

No, it isn't useless. Just don't give out your master public key. It is still useful for deterministic backups.

One thing to remember is that the keys are not derived off of each other. The keys are derived from the master public key, not the child key that came before it. So it is still safe to use BIP 32 wallets; just don't give out your master public key and don't derive child keys based on addresses you already used.
RealBitcoin
October 18, 2016, 08:19:52 PM
 #8

Quote
No, it isn't useless. Just don't give out your master public key. It is still useful for deterministic backups.

One thing to remember is that the keys are not derived off of each other. The keys are derived from the master public key, not the child key that came before it. So it is still safe to use BIP 32 wallets; just don't give out your master public key and don't derive child keys based on addresses you already used.

Yeah, but you cannot use it as watch-only, since the master pub key is exposed. Yeah, it's still good for normal use, but not the "ultimate security" I was expecting.

Any chance BIP32 will be upgraded to quantum resistance and master public keys made hardened?

achow101
October 18, 2016, 08:22:53 PM
 #9

Quote
Yeah, but you cannot use it as watch-only, since the master pub key is exposed. Yeah, it's still good for normal use, but not the "ultimate security" I was expecting.

Any chance BIP32 will be upgraded to quantum resistance and master public keys made hardened?

The only way to get quantum resistance is to move off of ECDSA altogether. In that case, everything would move to a quantum-resistant signing algorithm. Once QCs start becoming more viable, I think that there is a very high chance that there will be a fork to move Bitcoin to a quantum-resistant algo.
RealBitcoin
October 18, 2016, 08:27:08 PM
 #10

Quote
The only way to get quantum resistance is to move off of ECDSA altogether. In that case, everything would move to a quantum-resistant signing algorithm. Once QCs start becoming more viable, I think that there is a very high chance that there will be a fork to move Bitcoin to a quantum-resistant algo.

OK, but I was referring to using a bitcoin address without a public key, unspent, viewing it from a block explorer

VS

using a BIP32 wallet, where you have to expose the master pub key to use it watch-only.

So a BIP32 wallet has inferior security to a single address.

achow101
October 18, 2016, 08:30:15 PM
 #11

Quote
OK, but I was referring to using a bitcoin address without a public key, unspent, viewing it from a block explorer

VS

using a BIP32 wallet, where you have to expose the master pub key to use it watch-only.

So a BIP32 wallet has inferior security to a single address.

In that regard, yes, it is less secure. It would be impossible to hide the public key while still being able to derive all of the addresses for lookup.