Bitcoin Forum
Author Topic: Question on public keys  (Read 198 times)
Oshosondy (OP)
September 30, 2020, 01:40:52 PM
Merited by NeuroticFish (1)
 #1

I think I know a little about bitcoin for now. I know it is very important not to reuse addresses for privacy reasons; it is also not good to let anyone know your public key, because it can be used to link all transactions on the addresses that the public key generates. But I want to know one thing: supposing a hacker knows the public key, can he make use of the public key to brute force the private key? Or, assuming the private key is lost, can I use the public key to brute force the private key?

I am not a hacker, but I want to know more about bitcoin.

jackg
September 30, 2020, 01:44:43 PM
 #2

No they can't, not currently.

Bitcoin uses a popular algorithm that's used as a signature algorithm in a lot of other places; if it got hacked, banking operations would probably be interfered with too, afaik.

The private key is like a public key multiplied by a random prime up to 256 bits; it'd be hard to reverse (the prime part is just an example).
o_e_l_e_o
September 30, 2020, 02:57:46 PM
 #3

Firstly, you appear to be mixing up two concepts. There are individual public keys and there are master public keys. Individual public keys only generate a single address (or more specifically, can generate three addresses - a "1", a "3", and a "bc1" - but this is a very uncommon use). Master public keys can generate all the individual public keys in your entire wallet, and therefore, every address in your wallet.

It is not possible at the moment to brute force a private key from a public key. Such an attack may become possible in the coming decades with the ongoing development of quantum computers, but if such an attack was an impending possibility, bitcoin could fork to implement a quantum resistant address type.

There is one special case worth mentioning, and that is the case where you have accidentally revealed any single private key from your wallet. If an attacker knows your master public key and any single private key, they can bruteforce all your private keys.
tranthidung
September 30, 2020, 04:10:54 PM
Last edit: September 30, 2020, 05:17:27 PM by tranthidung
 #4

But, I want to know one thing, if supposing an hacker knows the public key, can he make use of the public key to brute force the private key? Or, assuming if the private key is lost, can I use the public key to brute force the private key?
If people could do it, your bitcoin would not be safe! It is impossible for now, and even with the development of quantum computers it might take a long time. Even when it becomes technically possible, it will still be commercially impossible.

The process from private key -> public key -> bitcoin address is visually expressed below:

Chapter 4 - Key, Addresses, in Mastering Bitcoin 2nd
How Hard Is It to Brute Force a Bitcoin Private Key?
I don't believe Quantum Computing will ever threaten Bitcoin (that topic is a very informative and interesting topic on quantum computing and potential threats on Bitcoin)

The Cryptovator
September 30, 2020, 06:35:24 PM
Merited by o_e_l_e_o (2)
 #5

If an attacker knows your master public key and any single private key, they can bruteforce all your private keys.
I am quite curious about that part. To brute force all my private keys, does an attacker need both the master public key and a private key? Or, if he gains access to one of them, could he brute-force all of my private keys?

For example, I have a wallet with 50 addresses and private keys. If an attacker knows one of my private keys, is there any chance that he could brute-force my other private keys? Although I believe it's not possible, I am curious to know more.

Although it's a noob question, I need to learn.

o_e_l_e_o
September 30, 2020, 07:24:11 PM
Last edit: October 02, 2020, 08:55:27 AM by o_e_l_e_o
Merited by HCP (5), ABCbits (2), pooya87 (1), hosseinimr93 (1), tranthidung (1), The Cryptovator (1)
 #6

To brute force my all private keys an attacker should have both key master public key + a private key?
Correct. An attacker would need access to both.

You should obviously never purposefully share any of your private keys, but people will often export their master public key to either create watch only wallets, or to import in to some services to generate a new receiving address each time. Should you accidentally leak a single private key from this wallet, the combination of one private key and the master public key is enough to derive all the private keys in that wallet.

If an attacker knows one of my private keys there is any chance that he could bruit force my other private keys?
Not without also having your master public key.



A slightly more technical explanation follows. Let:

k = private key
K = public key
c = chain code
i = index
n = order of the secp256k1 curve

The steps for calculating an unhardened child key are:

Calculate HMAC-SHA512(K_parent, c_parent, i)
Take the left 256 bits of the result, and add to k_parent (modulo n)

In simple English, this means to calculate a child private key, you first concatenate (join together) the parent public key, the parent chain code and the address index, hash the result, take the left 256 bits of the result, and add it to the parent private key.

We can simplify that equation to essentially the following:

Child private key = Hash calculation + Parent private key

In this scenario, an attacker knows a child private key, and can work out the "Hash calculation" from the master public key (which includes the parent public key and the parent chain code; the index can be brute forced). The only thing he doesn't know is the parent private key. So he rearranges the equation to:

Parent private key = Child private key - Hash calculation

Once he knows the parent private key, it is trivial to calculate every child private key in your wallet.
Oshosondy (OP)
October 02, 2020, 06:50:11 AM
 #7

You should obviously never purposefully share any of your private keys, but people will often export their master public key to either create watch only wallets, or to import in to some services to generate a new receiving address each time. Should you accidentally leak a single private key from this wallet, the combination of one private key and the master public key is enough to derive all the private keys in that wallet.
Yes, you are right, sharing even a single private key is not good; it is known that it is better for not a single private key to be shared, as it can be linked to other private keys. I even prefer HD wallets, which I believe display the master private key; that is the one displayed by the wallet even if it generates child private keys, but the wallet only displays the master private key. Your post is very useful for me.

pooya87
October 02, 2020, 08:30:59 AM
Merited by o_e_l_e_o (2)
 #8

There is one special case worth mentioning, and that is the case of if you have accidentally revealed any single private key from your wallet. If an attacker knows your master public key and any single private key, they can bruteforce all your private keys.
It is worth adding here that this case is only possible for BIP-32 derivation paths that don't use hardened indices. Even if one index is hardened (e.g. 3 in m/1/2/3'/4/5), the attack can not happen anymore.
Quote
Calculate HMAC-SHA512(K_parent, c_parent, i)
changes to HMAC-SHA512(0, k_parent, c_parent, i) where k_parent is the master private key.

It is also not a brute force; it is a simple computation with one step, as you already outlined in your other comment. But that's just me nitpicking...

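As an added worked example (not code posted in this thread), here is the rearrangement from post #6 together with the hardened-index exception from post #8 in runnable Python. It assumes constructed throwaway keys (a hashed string stands in for the parent key and chain code) and a hand-written secp256k1 point multiplication; the HMAC layout follows BIP32 (key = parent chain code; data = serialised parent public key || 4-byte index for an unhardened child, 0x00 || parent private key || index for a hardened one). The attacker's `find_parent` also brute-forces the unknown child index, which is the only part of the "hash calculation" the master public key does not hand over.

```python
"""BIP32 unhardened child-key recovery (added illustration, stdlib only).

Attacker holds: one child private key k_child plus the parent extended
PUBLIC key (K_par, c_par). For an unhardened child,
    k_child = IL + k_par (mod n),  IL = HMAC-SHA512(c_par, K_par || i)[:32]
and IL depends only on public data, so k_par = k_child - IL (mod n).
For a hardened child IL is computed over 0x00 || k_par || i, so the same
rearrangement needs the very key it is trying to recover.
The secp256k1 arithmetic below is a minimal textbook version, not a
production library, and it is not constant-time.
"""
import hashlib
import hmac

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000


def _point_add(a, b):
    """Affine addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _point_mul(k, point=G):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = _point_add(acc, point)
        point = _point_add(point, point)
        k >>= 1
    return acc


def pubkey(k):
    """33-byte compressed public key k*G, the ser_P form BIP32 hashes."""
    x, y = _point_mul(k)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def ckd_priv(k_par, c_par, i):
    """BIP32 CKDpriv: (k_par, c_par, i) -> (k_i, c_i)."""
    if i >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big")  # hardened: private key goes in
    else:
        data = pubkey(k_par)                         # unhardened: public key goes in
    I = hmac.new(c_par, data + i.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(I[:32], "big")
    if il >= N:  # probability ~2^-128; BIP32 says skip to the next index
        raise ValueError("invalid child, try the next index")
    return (il + k_par) % N, I[32:]


def recover_parent(k_child, K_par, c_par, i):
    """Attacker step for an unhardened index: k_par = k_child - IL (mod n)."""
    I = hmac.new(c_par, K_par + i.to_bytes(4, "big"), hashlib.sha512).digest()
    return (k_child - int.from_bytes(I[:32], "big")) % N


def find_parent(k_child, K_par, c_par, max_index=1000):
    """The child's index is usually unknown; brute-force it and check each
    candidate against the known parent public key."""
    for i in range(max_index):
        cand = recover_parent(k_child, K_par, c_par, i)
        if cand and pubkey(cand) == K_par:
            return i, cand
    return None, None


def demo():
    # Constructed sample material, NOT real wallet keys.
    k_par = int.from_bytes(hashlib.sha256(b"demo parent key").digest(), "big") % N
    c_par = hashlib.sha256(b"demo chain code").digest()
    K_par = pubkey(k_par)                 # what a watch-only xpub export reveals
    k_leaked, _ = ckd_priv(k_par, c_par, 7)            # one leaked unhardened child
    index, recovered = find_parent(k_leaked, K_par, c_par)
    k_hard, _ = ckd_priv(k_par, c_par, HARDENED + 7)   # same leak, hardened child
    wrong = recover_parent(k_hard, K_par, c_par, HARDENED + 7)
    return {"index": index, "unhardened_recovered": recovered == k_par,
            "hardened_recovered": wrong == k_par}


if __name__ == "__main__":
    print(demo())  # {'index': 7, 'unhardened_recovered': True, 'hardened_recovered': False}
```

Once `find_parent` returns the parent private key, every other child under that parent is just `ckd_priv(k_par, c_par, j)` for whatever `j` the wallet used, which is why a single leaked key plus the xpub costs the whole account. The hardened case fails because the IL the attacker can compute from public data is not the IL the wallet actually used.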
o_e_l_e_o
October 02, 2020, 08:53:57 AM
Merited by pooya87 (1)
 #9

I even prefer hd wallets which I believe it display master private key, which is the one displayed by the wallet even if it generates child private keys, but the wallet only display master private key, your post is very useful for me.
So hierarchical deterministic wallets (HD wallets) create a master private key by passing the seed number through an HMAC-SHA512 function, and taking the left 256 bits of the result (with the seed number itself being created by passing your seed phrase plus any additional passphrase through 2048 rounds of HMAC-SHA512). That master private key is the "m" that you see at the beginning of derivation paths such as m/44'/0'/0'/0/0. At each level, that master private key is used to create child private keys to work down the derivation path. In the case of hardened derivation paths, denoted by the symbol ' following the number, the private key is used with the chain code and index, and in the case of unhardened derivation paths, the public key is also used.

In most HD wallets you can extract individual private keys, and you can also extract what is called the extended private key or account private key for that account (which in the example above, would be at path m/44'/0'/0'). Some will let you extract your ultimate master private key (at path m).

-snip-
I was trying to keep things simple :P

Still, in my example above where people are exporting their "master" public key to create a watch only wallet, in reality they aren't - they are actually exporting their account extended public key at path m/x'/0'/0'. Since all the addresses in that account use unhardened derivation, the point holds true that this key plus a child private key will lead to compromise of all their addresses in that wallet. What it won't lead to is compromise of addresses in other wallets using the same seed phrase (for example other address types or altcoins).
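An added example (not from the post) of the path from seed phrase to the "m" at the top of the derivation path and down the hardened levels of m/44'/0'/0', using only the Python standard library. The seed step is PBKDF2 with 2048 iterations of HMAC-SHA512 as BIP39 specifies; the master step is HMAC-SHA512 keyed with the string "Bitcoin seed" as BIP32 specifies. The phrase used is the public all-"abandon" BIP39 test phrase, so nothing derived from it is secret. Only hardened steps are implemented, since they need no curve arithmetic; that same property is why a compromised account-level key cannot be walked back up to m or across to other accounts.

```python
"""From a seed phrase to BIP32 "m" and down the hardened account levels
(added illustration, stdlib only)."""
import hashlib
import hmac
import unicodedata

N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000


def bip39_seed(mnemonic, passphrase=""):
    """BIP39: PBKDF2 with 2048 iterations of HMAC-SHA512 over the NFKD form of
    the phrase, salt "mnemonic" + passphrase, producing a 64-byte seed."""
    pw = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", pw, salt, 2048, dklen=64)


def master_key(seed):
    """BIP32: HMAC-SHA512 keyed with "Bitcoin seed"; left 256 bits are the
    master private key m, right 256 bits the master chain code."""
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(I[:32], "big")
    if k == 0 or k >= N:  # probability ~2^-128; BIP32 declares the seed invalid
        raise ValueError("invalid master key, use a different seed")
    return k, I[32:]


def ckd_priv_hardened(k_par, c_par, i):
    """Hardened CKDpriv only: the HMAC input is 0x00 || k_par || i, so the
    PARENT PRIVATE key is required and no curve arithmetic is involved."""
    if i < HARDENED:
        raise ValueError("unhardened step needs the parent public key; not handled here")
    data = b"\x00" + k_par.to_bytes(32, "big") + i.to_bytes(4, "big")
    I = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(I[:32], "big")
    if il >= N:
        raise ValueError("invalid child, try the next index")
    return (il + k_par) % N, I[32:]


def parse_path(path):
    """'m/44'/0'/0'' -> [44|H, 0|H, 0|H]; both ' and h mark a hardened step."""
    parts = path.split("/")
    if parts[0] != "m":
        raise ValueError("derivation path must start at m")
    out = []
    for p in parts[1:]:
        hardened = p[-1] in "'hH"
        out.append(int(p[:-1] if hardened else p) + (HARDENED if hardened else 0))
    return out


def derive_hardened_path(seed, path):
    """Walk from m through hardened levels only; returns (k, c) at the end."""
    k, c = master_key(seed)
    for i in parse_path(path):
        k, c = ckd_priv_hardened(k, c, i)
    return k, c


def demo(passphrase=""):
    # The well-known all-"abandon" BIP39 test phrase: public, so never fund it.
    mnemonic = "abandon " * 11 + "about"
    seed = bip39_seed(mnemonic, passphrase)
    m, _ = master_key(seed)
    account_k, account_c = derive_hardened_path(seed, "m/44'/0'/0'")
    return {"seed": seed.hex(), "m": hex(m),
            "account_xprv_key": hex(account_k), "account_chain": account_c.hex()}


if __name__ == "__main__":
    print(demo())
```

The (key, chain code) pair at m/44'/0'/0' is the account extended private key; its public half is the "xpub" that wallets export for watch-only use, and everything below it (m/44'/0'/0'/0/i and the change branch) is derived unhardened, which is exactly the region the leaked-child attack covers. Note that the passphrase changes the seed and therefore every key below it, so a different passphrase is effectively a different wallet.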
Oshosondy (OP)
October 02, 2020, 08:55:31 AM
 #10

it is also not a brute force, it is a simple computation and has one step as you already outlined in your other comment. but that's just me nitpicking...
I think I gained from this statement: that means in brute force, the person will have tools to reverse the process used to generate public keys and addresses, but this can not happen for now. So, as long as one private key is known already, it can not be called brute force. Please correct me if I am wrong.

pooya87
October 02, 2020, 09:43:42 AM
Last edit: October 02, 2020, 09:54:17 AM by pooya87
 #11

it is also not a brute force, it is a simple computation and has one step as you already outlined in your other comment. but that's just me nitpicking...
I think I gained from this statement, that means in brute force, the person will have tools to reverse back the process used to generate public keys and addresses, but this can not happen for now. So far one private key is known already, it can not be called brute force. Please, correct if I am wrong.
Generally speaking, brute force means you try a large number of cases to find the correct solution to a problem. For example, if you wanted to solve for x in x+5=23 and started from x=0, incrementing x each time until you found the result (18), that would be brute forcing (0+5!=23, 1+5!=23, 2+5!=23, ..., 18+5==23).
But if you find a mathematical solution to the same problem, that would be breaking the problem (i.e. bringing 5 to the other side of the equation and negating it: x=23-5).

In the case of private key to public key conversion, if you start using different private keys and compute public keys to find the match, that would be brute forcing (even if the process is optimized or simplified).
But if you find a mathematical solution to the ECDLP, that would be breaking the algorithm.
Neither of these two is possible so far: the first because the key size is so huge that brute forcing takes millions of years, and the second because so far there has been no mathematical solution to the ECDLP within a reasonable time (i.e. to reverse a public key into a private key).

From address to private key will always remain impossible, because an address is 2 hashes of the public key, so there are 2 impossible-to-reverse processes added there.

The case with HD wallets and BIP32 is that when non-hardened keys are used, revealing 1 private key + the master public key simply makes the parent private key computable, which reveals all the child keys.

bigvito19
October 15, 2020, 04:15:26 PM
 #12

I think I know a little about bitcoin for now. I know it is very important not to reuse addresses for privacy reasons; it is also not good to let anyone know your public key, because it can be used to link all transactions on the addresses that the public key generates. But I want to know one thing: supposing a hacker knows the public key, can he make use of the public key to brute force the private key? Or, assuming the private key is lost, can I use the public key to brute force the private key?

I am not a hacker, but I want to know more about bitcoin.

I see more and more people posting about this topic. The difficulty of finding a private key from its public key is 2^128, since having the public key will halve the search space of 2^256.

See this topic for more information: https://bitcointalk.org/index.php?topic=5244940.0