Relationship between seed and xpriv

[Teubwel]

Hi,

can anyone describe to me, what the relationship between the 12 word seed in Electrum and the extended private key is?

If someone were to get the master private key, or the master public key PLUS one or more private keys, should I go for

Option A: simply add one word to the seed as a password, thus totally changing the master private key and have a secure wallet once again.

Or could an attacker calculate the seed from the master public key and thus trivially brute force the one additional word? Which would mean I should opt for

Option B: make a completely new seed.

Thanks in advance.

[1714505300]

1714505300

[1714505300]

1714505300

[1714505300]

1714505300

[Abdussamad]

This is similar to the question here:  https://bitcointalk.org/index.php?topic=4952844.msg44677337#msg44677337

The conversion of mnemonic > seed > xprv involves hashing at each step so you can't go from xprv to mnemonic. An attacker would still have to repeat the hashing process for each seed and compare the resulting xprv. Also why would an attacker do this? It's not likely any user is going to reuse the same mnemonic.

Regarding option A do you intend to use a custom word aka seed extension or just add a word to the end of the seed? You can't do the latter because the seed's checksum will not validate. If you do the former then the seed extension gets used as salt in the mnemonic > seed hash function.

I would just go with option b just because it's guaranteed to be safe.

[Teubwel]

Yes, I would have used a seed extension.

What makes me question the one-way'ness of mnemonic > seed > xpriv are the functions mnemonic_encode and mnemonic_decode in https://github.com/spesmilo/electrum/blob/master/electrum/mnemonic.py.

If it's one-way, why can you freely en- and decode between the two?

But yea, mnemonic_to_seed does salt and hash the mnemonic.

The thing is, that with all the shitcoin-hardforks of bitcoin, you always have to handle individual private keys. And while I'm super caution to never let a private key and the master public key touch the same physical machine, I'm still paranoid. Especially about shitcoin clients, which may unannounced to me, leak the private key to a 3rd party, that then just waits for the corresponding xpub to emerge one day and cleans out my wallet.

I went for option B, and created a new seed.

Thanks

[Abdussamad]

mnemonic_encode/decode are just used as a sanity check in the make_seed function: https://github.com/spesmilo/electrum/blob/master/electrum/mnemonic.py#L159

It is better if you move your bitcoins first before you go claiming shitcoins with the same private keys. This way your bitcoins are not at risk.

[Teubwel]

It is better if you move your bitcoins first before you go claiming shitcoins with the same private keys. This way your bitcoins are not at risk.

Of course. I always move them first. But they're still within the same xpriv.

Maybe in the future, I just create a new xpriv using the seed extension.

What do you think about this:

Using the example mnemonic: marine annual label breeze dice organ tunnel burst mad hand success author, which produces the xpriv

xprv9s21ZrQH143K2Hene3ragUxFzuqm84Juqy5HWqa7q9MHeKXDanZ74kTuA1h8voKgCPaimDAwhtN 6zSLrEMXwAVDZrCYjK9HJSMiYtonWKtc.

Then when the time comes, I use WarpWallet [1], using as input

marine annual label breeze dice organ tunnel burst mad hand success author-1

and the resulting private key 5KSE1...C7Zv7ts as seed extension, giving me the xpriv

xprv9s21ZrQH143K3uAeNvnfBTXpeaXj9VJ7UPSr5jnfEkB9KMhiFQmUtzPRPn3mqVLmzgjyDvJCtbW hFhyEm5D6MkgjaXRYRGHn5JEqF4Ss6Vc.

Then send everything over to the new wallet, claim the fork-coins, and repeat with appended -2 the next time I do something risky involving the xpriv.



[1] https://keybase.io/warp/warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html

[Abdussamad]

Creating different wallets from the same seed is actually the reason why seed extension support was added to electrum in the first place. However, you have to keep the seed secure. Don't expose it to some website or altcoin wallet. The seed extension can be as simple as 1,2,3 etc. I don't recommend an over complicated seed extension because you are likely to forget that and lose funds that way. So keep it simple and it'll be fine for the usecase you mentioned before:

The thing is, that with all the shitcoin-hardforks of bitcoin, you always have to handle individual private keys. And while I'm super caution to never let a private key and the master public key touch the same physical machine, I'm still paranoid. Especially about shitcoin clients, which may unannounced to me, leak the private key to a 3rd party, that then just waits for the corresponding xpub to emerge one day and cleans out my wallet.

[Teubwel]

Yes, definitely, I would have done the WarpWallet thing on an airgapped machine.

The thing is, every time I create a new seed, I also have to recreate and re-test all my backups. One of those backups is memorizing the seed. If this one is the last seed I have to memorize, that's great.

Thanks so much. This really calms my mind.

[HCP]

It is better if you move your bitcoins first before you go claiming shitcoins with the same private keys. This way your bitcoins are not at risk.

Of course. I always move them first. But they're still within the same xpriv.

Then you haven't "moved" them to a new seed/wallet... you've simply sent them to a new address.

The recommended process is to create a completely new seed, and then move the coins to an address on that new seed. The easiest way to achieve the new seed in Electrum is to simply create a new wallet and write down the new mnemonic.

However, your idea of "restoring" a new wallet with your current mnemonic and then adding the extension will work just as well to create a new seed (which gives a new xpriv)... not sure that's the most secure option tho, as you're effectively reducing your security down to however many characters in your extension, should a shitcoin wallet leak your mnemonic (like that "Electrum Plus" scam wallet was doing) (assuming the attacker knows you are using mnemonic extensions of course )

[Abdussamad]

Yes as long as he moves his bitcoin to a new seed/extended seed and does not use the mnemonic in altcoin wallets he'll be fine. He says above that he'll use individual address private keys to claim altcoins.