Bitcoin Forum
November 15, 2018, 07:43:56 AM *
News: Latest Bitcoin Core release: 0.17.0 [Torrent].
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Hierarchical deterministic wallets question?  (Read 612 times)
lukaexpl
Full Member
***
Offline Offline

Activity: 148
Merit: 100


View Profile
August 18, 2017, 08:30:27 PM
 #1

One question concerns privacy:
Can someone who knows that a particular addresss belongs to you deduce other addresses (up or down the tree) that also belong to you?

Second question concerns security:
If the private key of any address in the tree of deterministic addresses is compromised are your other private keys in the tree in danger if the perpertrator does not know your masterseed?

Thanks!
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1542267836
Hero Member
*
Offline Offline

Posts: 1542267836

View Profile Personal Message (Offline)

Ignore
1542267836
Reply with quote  #2

1542267836
Report to moderator
Swagtoshi
Full Member
***
Offline Offline

Activity: 259
Merit: 100


View Profile
August 18, 2017, 11:01:53 PM
 #2

One question concerns privacy:
Can someone who knows that a particular addresss belongs to you deduce other addresses (up or down the tree) that also belong to you?
If you check the balance of your addresses with the same ip, it is possible to infer with some confidence that the addresses come from the same person unless you are using a public wifi. Also, if you send coins between each addresses (like with change addresses), it's possible to deduce that the addresses are from the same wallet.

Second question concerns security:
If the private key of any address in the tree of deterministic addresses is compromised are your other private keys in the tree in danger if the perpertrator does not know your masterseed?
No, the other addresses are safe.
ranochigo
Legendary
*
Offline Offline

Activity: 1568
Merit: 1094

Somewhat inactive.


View Profile WWW
August 19, 2017, 06:34:14 AM
 #3

Can someone who knows that a particular addresss belongs to you deduce other addresses (up or down the tree) that also belong to you?
There is no risk with outsiders that see the two addresses being generated from the same master key/seed. It looks completely normal from other addresses.
Second question concerns security:
If the private key of any address in the tree of deterministic addresses is compromised are your other private keys in the tree in danger if the perpertrator does not know your masterseed?

Thanks!

No. However, if you leak your master public key for unhardened seed, Electrum (as far as I remember) uses unhardened seed and it is relatively easy for people to derive your master private key as long as they have one of your private key and the master public key.

cdb1690
Full Member
***
Offline Offline

Activity: 266
Merit: 100


View Profile
August 20, 2017, 07:52:38 AM
 #4

Second question concerns security:
If the private key of any address in the tree of deterministic addresses is compromised are your other private keys in the tree in danger if the perpertrator does not know your masterseed?

Knowledge of the private key alone does not make it possible to find neither siblings, nor parent (nor other ancestors), nor children of that private key. The reason being that child key derivation function actually combines three values: private/public key, index number and key chain code. Without the knowledge of the chain code, you can't find children of compromised private key.

Though, I have one (probably trivial) question about master key/master chain code generation algorithm. BIP0032 defines this process as follows:
• generate a seed byte sequence S of a chosen length (between 128 and 512 bits; 256 bits is advised) from a (P)RNG.
• calculate I = HMAC-SHA512(Key = "Bitcoin seed", Data = S) => QUESTION: What's the difference between Bitcoin seed and S?
• split I into two 32-byte sequences, IL and IR.
• use parse256(IL) as master secret key, and IR as master chain code

★ ★ ★ ★ ★   DeepOnion    Anonymous and Untraceable Cryptocurrency    TOR INTEGRATED & SECURED   ★ ★ ★ ★ ★
› › › › ›  JOIN THE NEW AIRDROP ✈️        VERIFIED WITH DEEPVAULT  ‹ ‹ ‹ ‹ ‹
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬   ANN  WHITEPAPER  FACEBOOK  TWITTER  YOUTUBE  FORUM   ▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
achow101
Moderator
Legendary
*
expert
Offline Offline

Activity: 1582
Merit: 1739


bc1qshxkrpe4arppq89fpzm6c0tpdvx5cfkve2c8kl


View Profile WWW
August 20, 2017, 03:05:30 PM
 #5

Knowledge of the private key alone does not make it possible to find neither siblings, nor parent (nor other ancestors), nor children of that private key. The reason being that child key derivation function actually combines three values: private/public key, index number and key chain code. Without the knowledge of the chain code, you can't find children of compromised private key.
Knowing the master public key along with a child private key makes it possible to find the corresponding master private key. That then makes it possible for someone to figure out all of your private keys and thus steal your funds. So if you leak a child private key, you had better keep the master public key secret. This only applies to keys generated without hardening.

• calculate I = HMAC-SHA512(Key = "Bitcoin seed", Data = S) => QUESTION: What's the difference between Bitcoin seed and S?
The Key is literally the string "Bitcoin Seed". S is the actual random number you just generated.

cdb1690
Full Member
***
Offline Offline

Activity: 266
Merit: 100


View Profile
August 20, 2017, 04:09:49 PM
 #6

Knowing the master public key along with a child private key makes it possible to find the corresponding master private key. That then makes it possible for someone to figure out all of your private keys and thus steal your funds. So if you leak a child private key, you had better keep the master public key secret. This only applies to keys generated without hardening.
When you say master public key do you mean extended master public key or "simple" master public key without a chain code?

The Key is literally the string "Bitcoin Seed". S is the actual random number you just generated.
Thanks.

★ ★ ★ ★ ★   DeepOnion    Anonymous and Untraceable Cryptocurrency    TOR INTEGRATED & SECURED   ★ ★ ★ ★ ★
› › › › ›  JOIN THE NEW AIRDROP ✈️        VERIFIED WITH DEEPVAULT  ‹ ‹ ‹ ‹ ‹
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬   ANN  WHITEPAPER  FACEBOOK  TWITTER  YOUTUBE  FORUM   ▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
achow101
Moderator
Legendary
*
expert
Offline Offline

Activity: 1582
Merit: 1739


bc1qshxkrpe4arppq89fpzm6c0tpdvx5cfkve2c8kl


View Profile WWW
August 20, 2017, 04:12:42 PM
 #7

When you say master public key do you mean extended master public key or "simple" master public key without a chain code?
The extended master public key.

Coin-Keeper
Hero Member
*****
Offline Offline

Activity: 575
Merit: 502



View Profile
August 20, 2017, 08:08:54 PM
 #8

One question concerns privacy:
Can someone who knows that a particular addresss belongs to you deduce other addresses (up or down the tree) that also belong to you?

Second question concerns security:
If the private key of any address in the tree of deterministic addresses is compromised are your other private keys in the tree in danger if the perpertrator does not know your masterseed?

Thanks!




I understand your second question clearly.  The answers above are helpful and accurate, but in what case would you leak a private key?  Your general OPSec should mean using an online computer in a fashion where NO private keys, master or single address, are ever exposed to the computer.  A cold wallet or hardware wallet approach eliminates such concerns.  Just encouraging you to make your questions theoretical and not real world experience.  Trying to help nothing more.

BTC: 1PYSBbuKM3kW19xe9TXJQfq64rPhd8XorF
Staked and Verified: https://bitcointalk.org/index.php?topic=996318.msg17102755#msg17102755
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!