Author Topic: any spend = only ecda to crack  (Read 1921 times)
jubalix (OP)
September 28, 2013, 11:25:25 AM
 #1

This came up

"I'm guessing D&T was talking about reusing an address once outputs have been spent. The public key is then revealed. Only ECDSA has to be cracked then.
If an address has no spent outputs the public key is unknown because it is hashed twice. SHA256 then RIPEMD160.  All three RIPEMD160, SHA256 and ECDSA have to be cracked to get private key then, making it more secure.

Most vanity addresses I assume are reused, thus weaker."



If you used Electrum, would any spend from any address leave the whole thing compromised, as crack that and you should/may be able to work out the deterministic bit?

Admitted Practicing Lawyer::BTC/Crypto Specialist. B.Engineering/B.Laws

https://www.binance.com/?ref=10062065
jubalix (OP)
September 30, 2013, 08:37:22 PM
 #2

bump....help anyone

EagleTM
October 01, 2013, 10:39:06 PM
 #3

The way I understand is as follows:

There is no way to determine (all) other public keys of a deterministic wallet from knowing a number of public keys belonging to it. You need the so called "master public key" (MPK) to do so (also known as wallet without a seed). If this becomes known and the rest of the assumption holds true then only ECDSA needs to be cracked, right.

However if the MPK and just ONE private key is leaked the other private keys can be derived.

So spending in electrum is no risk for the deterministic wallet. Leaking the MPK can become a problem - for your privacy and because only one private key is needed to break the rest.

TL;DR: using electrum to spend is no security risk for the vectors mentioned by the OP
ThomasV
October 10, 2013, 09:42:36 AM
 #4

Quote from: EagleTM on October 01, 2013, 10:39:06 PM
The way I understand is as follows:

There is no way to determine (all) other public keys of a deterministic wallet from knowing a number of public keys belonging to it. You need the so called "master public key" (MPK) to do so (also known as wallet without a seed). If this becomes known and the rest of the assumption holds true then only ECDSA needs to be cracked, right.

However if the MPK and just ONE private key is leaked the other private keys can be derived.

So spending in electrum is no risk for the deterministic wallet. Leaking the MPK can become a problem - for your privacy and because only one private key is needed to break the rest.

TL;DR: using electrum to spend is no security risk for the vectors mentioned by the OP

This is correct. If you leak the MPK and a single private key from Electrum (or from any BIP32-compatible wallet), then all the private keys that correspond to this BIP32 branch can be derived.
This is best described here: https://en.bitcoin.it/wiki/BIP_0032#Security

The statement that "only ECDSA needs to be cracked" does suggest that cracking ECDSA is easy; I would not put it that way, especially in a thread title...

Electrum: the convenience of a web wallet, without the risks
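
The point made in post #4, worked through as an added example (not code from the thread, from Electrum or from any wallet): with BIP32 non-hardened derivation, each child private key is the parent key plus a tweak that anyone holding the master public key and chain code can compute, so one leaked child key gives back the parent and every sibling. The helper names and the `PARENT`/`CHAIN` values are constructed for this illustration.

```python
import hashlib, hmac

P = 2**256 - 2**32 - 977  # secp256k1 field prime; N is the group order, G the base point
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt=G):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def tweak(mpk, chain_code, i):  # BIP32 non-hardened IL: built from public data only
    data = bytes([2 + (mpk[1] & 1)]) + mpk[0].to_bytes(32, "big") + i.to_bytes(4, "big")
    il = hmac.new(chain_code, data, hashlib.sha512).digest()[:32]
    return int.from_bytes(il, "big")  # BIP32's IL >= n edge case is ignored here

def child_priv(parent_priv, chain_code, i):
    return (parent_priv + tweak(ec_mul(parent_priv), chain_code, i)) % N

def child_pub(mpk, chain_code, i):  # what a watch-only wallet computes
    return ec_add(mpk, ec_mul(tweak(mpk, chain_code, i)))

def parent_from_leak(mpk, chain_code, i, leaked_child_priv):
    return (leaked_child_priv - tweak(mpk, chain_code, i)) % N

# Constructed demo values, not real wallet material.
PARENT = int.from_bytes(hashlib.sha256(b"constructed parent key").digest(), "big") % N
CHAIN = hashlib.sha256(b"constructed chain code").digest()
MPK = ec_mul(PARENT)

def demo():
    recovered = parent_from_leak(MPK, CHAIN, 3, child_priv(PARENT, CHAIN, 3))
    return (recovered == PARENT, child_priv(recovered, CHAIN, 7) == child_priv(PARENT, CHAIN, 7))
```

Knowing only child public keys, without the MPK and chain code, gives no tweak to subtract. BIP32's hardened derivation feeds the parent private key into the HMAC instead, so the tweak cannot be computed from public data.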
jubalix (OP)
October 10, 2013, 10:00:40 AM
 #5

so a qt-wallet/multibit, has 3 sets of codes to crack to get through if unspent (1 being ECDSA)?

is this correct?

If I don't leak my MPK and they crack ECDSA, then can this be used against unspent addresses?


ThomasV
October 10, 2013, 01:21:38 PM
 #6

Quote from: jubalix on October 10, 2013, 10:00:40 AM
so a qt-wallet/multibit, has 3 sets of codes to crack to get through if unspent (1 being ECDSA)?

is this correct?

what do you mean by "sets of codes" ?


Quote
If I don't leak my MPK and they crack ECDSA, then can this be used against unspent addresses?

not to my knowledge.
both the master public key and a leaked private key are needed.


Electrum: the convenience of a web wallet, without the risks
jubalix (OP)
October 21, 2013, 07:44:45 AM
 #7

Quote from: ThomasV on October 10, 2013, 01:21:38 PM
so a qt-wallet/multibit, has 3 sets of codes to crack to get through if unspent (1 being ECDSA)?

is this correct?

what do you mean by "sets of codes" ?


Quote
If I don't leak my MPK and they crack ECDSA, then can this be used against unspent addresses?

not to my knowledge.
both the master public key and a leaked private key are needed.



what I mean is

"Quote from: anti-scam on September 05, 2013, 09:48:25 PM
The NSA created Bitcoin and used ECDSA in it because they already had it broken.

This risk is already mitigated for any bitcoin address that has not been used for spending (i.e. its public key is not yet known).

Even if ECDSA is broken wide open, it doesn't really matter with respect to bitcoins that have been received at addresses that have never been used for spending, because the corresponding ECDSA public key is not known and cannot be determined without also breaking both RIPEMD160 and SHA256 simultaneously."


So it appears that RIPEMD160 and SHA256 need to be cracked simultaneously if the address has not been spent from.



Boussac
October 27, 2013, 08:59:39 AM
 #8

This is crazy. If ECDSA was broken, then bitcoin would be broken and deterministic wallets would be worthless anyway because nobody would care anymore.
By definition a public key can be made public without causing damage.
The point of using electrum is precisely to be able to sign transactions offline.

If one starts from the assumption that a private key has been leaked then yes the wallet is compromised.

Releasing the public key provides a very significant security feature: the ability for the sender to verify the ownership of the destination address.
Since the public key can be posted on many different key servers and social networks, the verifier can check all the sources and raise an alert in case it detects some inconsistency.

jubalix (OP)
October 28, 2013, 10:26:56 AM
 #9

Quote from: Boussac on October 27, 2013, 08:59:39 AM
This is crazy. If ECDSA was broken, then bitcoin would be broken and deterministic wallets would be worthless anyway because nobody would care anymore.
By definition a public key can be made public without causing damage.
The point of using electrum is precisely to be able to sign transactions offline.

If one starts from the assumption that a private key has been leaked then yes the wallet is compromised.

Releasing the public key provides a very significant security feature: the ability for the sender to verify the ownership of the destination address.
Since the public key can be posted on many different key servers and social networks, the verifier can check all the sources and raise an alert in case it detects some inconsistency.

Well no, that's why the whole change address thing is in BTC. If ECDSA is cracked and you have always used new addresses, then your coins are ok, and GAV and co can do an emergency patch, life continues, except for those of you that had not used change addresses and possibly electrum/deterministic with and spent.
