Author Topic: Bitcoin HD Wallet and Privacy  (Read 280 times)
butka (OP)
April 21, 2018, 10:52:30 AM
Merited by bones261 (1)
 #1

If I use a hierarchical deterministic (HD) wallet, like Electrum, I get a huge number of addresses.

Obviously each address has to correspond to a public key, and also each public key has to correspond to a private key.

I understand that there is a well ordered sequence of private keys and similar well ordered sequence of public keys. The child key in this sequence is derived from the previous, parent key.

They all lead back to just one original public key and just one original private key.

Now the question:

Say I pick up a random address from the pool of addresses that my wallet has generated. I use it to pay something.

Say I choose another address and use it to pay for something else.

Is there a direct way to correlate these two addresses?
Is there a way to tell that they are from the same wallet?
Is there an indirect way to do the same?
What's the best practice as far as privacy is concerned when using your HD Wallet generated addresses?
Is it enough to pick a new address every time?

Thank you in advance!


AdolfinWolf
April 21, 2018, 11:58:46 AM
Merited by butka (1)
 #2

If there is no connection between the two addresses (no linked inputs) then no, it shouldn't be possible to connect the two to each other.

If, however, for example, the change of address A goes to address B, it could indeed prove a correlation. (Which is unlikely since change -> change address.) (Or if the change from A and B both go to change address C.)

Quote
Is there a way to tell that they are from the same wallet?

Without any shared inputs or outputs, I don't think so.

See https://bitcoin.stackexchange.com/questions/7447/is-it-possible-to-figure-out-whether-two-addresses-are-in-the-same-wallet?noredirect=1&lq=1

Quote
What's the best practice as far as privacy is concerned when using your HD Wallet generated addresses?

Make sure that you don't combine inputs, and use a new change address for every transaction that you make from another "Receive" address.


Also:

Quote
Obviously each address has to correspond to a public key, and also each public key has to correspond to a private key.

I understand that there is a well ordered sequence of private keys and similar well ordered sequence of public keys. The child key in this sequence is derived from the previous, parent key.

They all lead back to just one original public key and just one original private key.

What do you mean by all? The addresses?

From my understanding, they don't "lead" back, but are rather just generated from one keypair. I don't think it is a two way function, so there's no way to get the MPK with just a child private key.

BitProNews
April 21, 2018, 12:06:21 PM
 #3

The question can be further extended to whether we can move funds from one address to another address in the same wallet (matching the same parent key). When searching, I found this thread, which may not be that helpful for what you ask, nor for me.
DannyHamilton explained it in an awesome way in this typical post extracted from the same thread I mentioned.
Thirdspace
April 21, 2018, 12:08:10 PM
 #4

Quote
If I use a hierarchical deterministic (HD) wallet, like Electrum, I get a huge number of addresses.
---snip---
Say I pick up a random address from the pool of addresses that my wallet has generated. I use it to pay something.

Say I choose another address and use it to pay for something else.

1. Is there a direct way to correlate these two addresses?
2. Is there a way to tell that they are from the same wallet?
3. Is there an indirect way to do the same?
4. What's the best practice as far as privacy is concerned when using your HD Wallet generated addresses?
5. Is it enough to pick a new address every time?

1. No, there is no way to correlate those two addresses if you used them completely separately (different txid each).
2. No, no one can deduce that those two addresses are from the same wallet as long as you don't use them in one single transaction or use the change with another address.
3. Indirect way? You can use a mixer service to 'somewhat' cover your coin trail.
4 & 5. Yes, I think using a new address for receiving every new payment is good enough. Also use a new change address for each transaction, and never reuse the same address. Always use up all UTXOs from an address and spend them in one payment transaction (+ change), and try to make payments from a single address to avoid a coin analyzer grouping your addresses.
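
The linking rule the replies above rely on (addresses become connected once they are co-spent or their change is merged) can be checked against your own transaction history. The following is an added example, not part of any post in this thread; the transaction dictionaries and address labels are constructed, and it assumes the observer has correctly identified each change output.

```python
from collections import defaultdict

def clusters(transactions):
    """Group addresses an on-chain observer would attribute to one owner.

    Links all inputs of a transaction (common-input-ownership heuristic) and,
    when a change output is assumed to be identified, links that as well.
    """
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in transactions:
        members = list(tx["inputs"]) + ([tx["change"]] if tx.get("change") else [])
        for addr in members:
            parent[find(addr)] = find(members[0])
    groups = defaultdict(set)
    for addr in parent:
        groups[find(addr)].add(addr)
    return list(groups.values())

def linked(transactions, a, b):
    """True if the heuristics place both addresses in the same cluster."""
    return any(a in g and b in g for g in clusters(transactions))

# Constructed sample: two receive addresses spent in separate transactions,
# then a third payment that co-spends both change outputs.
SEPARATE = [
    {"txid": "tx1", "inputs": ["recv_A"], "change": "chg_1"},
    {"txid": "tx2", "inputs": ["recv_B"], "change": "chg_2"},
]
MERGED = SEPARATE + [{"txid": "tx3", "inputs": ["chg_1", "chg_2"], "change": "chg_3"}]
```

With `SEPARATE`, `recv_A` and `recv_B` stay in different clusters; adding `tx3` in `MERGED` collapses all five addresses into one cluster, even though the two receive addresses never appear in the same transaction.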

gentlemand
April 21, 2018, 12:30:05 PM
 #5

Quote
2. No, no one can deduce those two addresses are from the same wallet
as long as you don't use them in one single transaction or use the change with another address

I believe that if someone obtains one private key it is possible for them to figure out the seed in which case they can link you to other addresses.

The only likely instance of that is when you're entering a private key in third party software to get a Bitcoin fork, but if you're doing that you should be abandoning all addresses linked to that seed anyway.
ranochigo
April 21, 2018, 12:34:46 PM
 #6

Quote
I believe that if someone obtains one private key it is possible for them to figure out the seed in which case they can link you to other addresses.

The only likely instance of that is when you're entering a private key in third party software to get a Bitcoin fork, but if you're doing that you should be abandoning all addresses linked to that seed anyway.

Not possible. The addresses are generated from the master private key but it probably can't be reversed using only the private key. However, the implementation of BIP32 could indeed allow someone to calculate the master private key using both the master public key and the private key. This would only be applicable for unhardened key derivations, i.e. those with master public key AND master private key.

It's an irrelevant argument since the privacy would be compromised anyways if the master public key is leaked. You've got bigger problems to worry when someone has both your child private key and master public key.

butka (OP)
April 21, 2018, 01:14:53 PM
 #7

Quote
It's an irrelevant argument since the privacy would be compromised anyways if the master public key is leaked. You've got bigger problems to worry when someone has both your child private key and master public key.

I was under the impression that the safety of the Master Public Key is not so essential. After all, it is used to create a watch-only wallet.
I get it that all child private keys should be kept safe, the same way one should keep safe the master private key.
What if just the Master Public Key is leaked without a child private key?
butka (OP)
April 21, 2018, 01:19:10 PM
 #8


Quote
What do you mean by all? The addresses?

From my understanding, they don't "lead" back, but are rather just generated from one keypair. I don't think it is a two way function, so there's no way to get the MPK with just a child private key.


Thanks for the correction. I didn't mean that one could guess the parent keypair from their child pairs, however, my wording was misleading.
ranochigo
April 21, 2018, 01:26:04 PM
Merited by ABCbits (1), butka (1)
 #9

Quote
I was under the impression that the safety of the Master Public Key is not so essential. After all, it is used to create a watch-only wallet.
I get it that all child private keys should be kept safe, the same way one should keep safe the master private key.
What if just the Master Public Key is leaked without a child private key?

Master Public Key is definitely pretty safe to give out. The only thing that you could potentially lose is privacy since everyone can essentially know how much you own and which transaction belongs to you.

Without the child key, you can't do anything with the master public key that could give you your master private key. The theory is stated here: https://bitcointalk.org/index.php?topic=657205.msg7385160#msg7385160 and the derivation is in this BIP: https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#Child_key_derivation_CKD_functions.

Abdussamad
April 22, 2018, 01:20:34 PM
Merited by bones261 (1)
 #10

Child key is not derived from the previous key in the sequence of child keys. It's derived from the parent extended key.

You should definitely be cautious about sharing your master public key with other people. It can still be shared as long as you understand the consequences which are a) if any child private key is revealed the entire chain will be compromised and b) you lose privacy by sharing the MPK because the other person can generate all your addresses and see all your transactions.