Bitcoin Forum
Author Topic: Is it possible to correlate addresses generated from the same mpk?  (Read 642 times)
bitcoated (OP)
March 14, 2014, 03:17:47 AM
#1

I know there's a relationship between the public keys in an electrum wallet, but I don't understand the math behind it.

Given a bunch of addresses (that have spent coins, so you know their public keys) that you suspect are from the same electrum wallet, is it possible to determine with some degree of certainty that they are indeed from the same wallet?  And if you know they are from the same wallet, and you know the gap, is it possible to enumerate all addresses from that wallet?

If it is possible, what is the procedure, and how many public keys would you need?
btcbot
March 14, 2014, 02:08:15 PM
#2

Quote
I know there's a relationship between the public keys in an electrum wallet, but I don't understand the math behind it.

Given a bunch of addresses (that have spent coins, so you know their public keys) that you suspect are from the same electrum wallet, is it possible to determine with some degree of certainty that they are indeed from the same wallet?  And if you know they are from the same wallet, and you know the gap, is it possible to enumerate all addresses from that wallet?

If it is possible, what is the procedure, and how many public keys would you need?


Short answer: no.

Long answer: because of the deterministic nature of the key generation, it's possible that if you were to share your master public key (as used in watch-only wallets) and one private key, the entire set of keys could be re-created.

Don't tip me... tip the Riseup folks who protect activists around the world.
bitcoated (OP)
March 15, 2014, 07:43:59 PM
#3

Hi btcbot,

thank you for the reply.

Quote
it's possible that if you were to share your master public key (like used in watch-only wallets) and one private key - the entire set of keys could be re-created.

Indeed I'm aware of that specific attack, but my original question is not at all about private keys, nor is it concerned with the scenario where the mpk has been leaked.

To clarify, my question is essentially as follows:

given some public keys that are known or suspected to be generated from one wallet, does any information leak about other public keys in the same wallet?
btcbot
March 16, 2014, 05:55:51 AM
#4

You probably know then that practically every transaction will expose Change Addresses and addresses that were needed to meet the total being sent in the transaction.

Don't tip me... tip the Riseup folks who protect activists around the world.
bitcoated (OP)
March 29, 2014, 03:43:23 AM
#5

In case anyone comes here looking for the answer, I think I finally worked this out for myself.

It seems that it is not possible to correlate addresses that were derived from the same mpk if the mpk itself is not known.

The keys are related, but part of the input that generates the key is some kind of offset which is sha256(sha256(f(mpk, pos))), where pos is the position in the wallet (index and whether or not it's a change address), and f is not particularly important. The point is, the position is combined with the mpk _prior_ to being hashed, so unless the mpk is known or the hash is broken, the keys (and thus addresses) cannot be correlated.