Bitcoin Forum
April 18, 2021, 03:07:48 AM *
News: Latest Bitcoin Core release: 0.21.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Relationship between seed and xpriv  (Read 176 times)
Teubwel
Newbie
*
Offline Offline

Activity: 13
Merit: 12


View Profile
August 26, 2018, 02:57:33 PM
 #1

Hi,

can anyone describe to me, what the relationship between the 12 word seed in Electrum and the extended private key is?

If someone were to get the master private key, or the master public key PLUS one or more private keys, should I go for

Option A: simply add one word to the seed as a password, thus totally changing the master private key and have a secure wallet once again.

Or could an attacker calculate the seed from the master public key and thus trivially brute force the one additional word? Which would mean I should opt for

Option B: make a completely new seed.

Thanks in advance.
1618715268
Hero Member
*
Offline Offline

Posts: 1618715268

View Profile Personal Message (Offline)

Ignore
1618715268
Reply with quote  #2

1618715268
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1618715268
Hero Member
*
Offline Offline

Posts: 1618715268

View Profile Personal Message (Offline)

Ignore
1618715268
Reply with quote  #2

1618715268
Report to moderator
1618715268
Hero Member
*
Offline Offline

Posts: 1618715268

View Profile Personal Message (Offline)

Ignore
1618715268
Reply with quote  #2

1618715268
Report to moderator
1618715268
Hero Member
*
Offline Offline

Posts: 1618715268

View Profile Personal Message (Offline)

Ignore
1618715268
Reply with quote  #2

1618715268
Report to moderator
Abdussamad
Legendary
*
Offline Offline

Activity: 2786
Merit: 1308



View Profile
August 27, 2018, 12:04:24 AM
Merited by escrow.ms (1)
 #2

This is similar to the question here:  https://bitcointalk.org/index.php?topic=4952844.msg44677337#msg44677337

The conversion of mnemonic > seed > xprv involves hashing at each step so you can't go from xprv to mnemonic. An attacker would still have to repeat the hashing process for each seed and compare the resulting xprv. Also why would an attacker do this? It's not likely any user is going to reuse the same mnemonic.

Regarding option A do you intend to use a custom word aka seed extension or just add a word to the end of the seed? You can't do the latter because the seed's checksum will not validate. If you do the former then the seed extension gets used as salt in the mnemonic > seed hash function.

I would just go with option b just because it's guaranteed to be safe.
Teubwel
Newbie
*
Offline Offline

Activity: 13
Merit: 12


View Profile
August 27, 2018, 12:07:50 PM
 #3

Yes, I would have used a seed extension.

What makes me question the one-way'ness of mnemonic > seed > xpriv are the functions mnemonic_encode and mnemonic_decode in https://github.com/spesmilo/electrum/blob/master/electrum/mnemonic.py.

If it's one-way, why can you freely en- and decode between the two?

But yea, mnemonic_to_seed does salt and hash the mnemonic.

The thing is, that with all the shitcoin-hardforks of bitcoin, you always have to handle individual private keys. And while I'm super caution to never let a private key and the master public key touch the same physical machine, I'm still paranoid. Especially about shitcoin clients, which may unannounced to me, leak the private key to a 3rd party, that then just waits for the corresponding xpub to emerge one day and cleans out my wallet.

I went for option B, and created a new seed.

Thanks Smiley
Abdussamad
Legendary
*
Offline Offline

Activity: 2786
Merit: 1308



View Profile
August 27, 2018, 12:18:08 PM
 #4

mnemonic_encode/decode are just used as a sanity check in the make_seed function: https://github.com/spesmilo/electrum/blob/master/electrum/mnemonic.py#L159

It is better if you move your bitcoins first before you go claiming shitcoins with the same private keys. This way your bitcoins are not at risk.
Teubwel
Newbie
*
Offline Offline

Activity: 13
Merit: 12


View Profile
August 27, 2018, 01:35:06 PM
 #5

Quote
It is better if you move your bitcoins first before you go claiming shitcoins with the same private keys. This way your bitcoins are not at risk.

Of course. I always move them first. But they're still within the same xpriv.

Maybe in the future, I just create a new xpriv using the seed extension.

What do you think about this:

Using the example mnemonic: marine annual label breeze dice organ tunnel burst mad hand success author, which produces the xpriv

xprv9s21ZrQH143K2Hene3ragUxFzuqm84Juqy5HWqa7q9MHeKXDanZ74kTuA1h8voKgCPaimDAwhtN 6zSLrEMXwAVDZrCYjK9HJSMiYtonWKtc.

Then when the time comes, I use WarpWallet [1], using as input

marine annual label breeze dice organ tunnel burst mad hand success author-1

and the resulting private key 5KSE1...C7Zv7ts as seed extension, giving me the xpriv

xprv9s21ZrQH143K3uAeNvnfBTXpeaXj9VJ7UPSr5jnfEkB9KMhiFQmUtzPRPn3mqVLmzgjyDvJCtbW hFhyEm5D6MkgjaXRYRGHn5JEqF4Ss6Vc.

Then send everything over to the new wallet, claim the fork-coins, and repeat with appended -2 the next time I do something risky involving the xpriv.



[1] https://keybase.io/warp/warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html
Abdussamad
Legendary
*
Offline Offline

Activity: 2786
Merit: 1308



View Profile
August 27, 2018, 03:36:01 PM
 #6

Creating different wallets from the same seed is actually the reason why seed extension support was added to electrum in the first place. However, you have to keep the seed secure. Don't expose it to some website or altcoin wallet. The seed extension can be as simple as 1,2,3 etc. I don't recommend an over complicated seed extension because you are likely to forget that and lose funds that way. So keep it simple and it'll be fine for the usecase you mentioned before:

The thing is, that with all the shitcoin-hardforks of bitcoin, you always have to handle individual private keys. And while I'm super caution to never let a private key and the master public key touch the same physical machine, I'm still paranoid. Especially about shitcoin clients, which may unannounced to me, leak the private key to a 3rd party, that then just waits for the corresponding xpub to emerge one day and cleans out my wallet.

Teubwel
Newbie
*
Offline Offline

Activity: 13
Merit: 12


View Profile
August 27, 2018, 03:41:43 PM
 #7

Yes, definitely, I would have done the WarpWallet thing on an airgapped machine.

The thing is, every time I create a new seed, I also have to recreate and re-test all my backups. One of those backups is memorizing the seed. If this one is the last seed I have to memorize, that's great.

Thanks so much. This really calms my mind.
HCP
Legendary
*
Offline Offline

Activity: 1666
Merit: 3419

<insert witty quote here>


View Profile
August 28, 2018, 01:10:08 AM
 #8

Quote
It is better if you move your bitcoins first before you go claiming shitcoins with the same private keys. This way your bitcoins are not at risk.

Of course. I always move them first. But they're still within the same xpriv.
Then you haven't "moved" them to a new seed/wallet... you've simply sent them to a new address.

The recommended process is to create a completely new seed, and then move the coins to an address on that new seed. The easiest way to achieve the new seed in Electrum is to simply create a new wallet and write down the new mnemonic.

However, your idea of "restoring" a new wallet with your current mnemonic and then adding the extension will work just as well to create a new seed (which gives a new xpriv)... not sure that's the most secure option tho, as you're effectively reducing your security down to however many characters in your extension, should a shitcoin wallet leak your mnemonic (like that "Electrum Plus" scam wallet was doing) Undecided Huh (assuming the attacker knows you are using mnemonic extensions of course Tongue)

Abdussamad
Legendary
*
Offline Offline

Activity: 2786
Merit: 1308



View Profile
August 28, 2018, 06:24:33 PM
 #9

Yes as long as he moves his bitcoin to a new seed/extended seed and does not use the mnemonic in altcoin wallets he'll be fine. He says above that he'll use individual address private keys to claim altcoins.

Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!