Bitcoin Forum
Author Topic: Is it possible to guess my seed phrase if I get multiple Master Keys with it?  (Read 202 times)
PaperWallet (OP), Member
September 13, 2022, 05:46:34 PM
Merited by Welsh (1)
#1

Hello,
The question is: If I use the same seed phrase to create Master Public Key (so the one that creates all the addresses), for bitcoin, and also other coins, and I expose all Master Public Keys, is there a way for someone to guess my seed phrase, given all of the Master Public Keys I exposed that are related to the same seed phrase? (I mean possible in the current state of the technology)

As far as I understand how these things and hashes work, I strongly believe no. But asking the question, just in case I'm mistaken!

Thank you! This forum is the best when it comes to technical knowledge about crypto.
Charles-Tim, Legendary
September 13, 2022, 05:51:44 PM
Last edit: September 13, 2022, 06:19:18 PM by Charles-Tim
#2

It is not only your seed phrase that would need to be exposed before your coins could be spent, but also your master private key, or the private key of the funded address. So, it is good to protect your seed phrase, seed, master private key and private keys.

If anyone knows your master public key, that person would be able to know your addresses, know which addresses are funded and the total amount on your addresses, and track your transactions, which would not help privacy. But your master private key or seed phrase cannot be known.

If the child private key has an unhardened derivation path (I mean an unhardened private key), knowing just a child private key and the master public key can let an attacker know the master private key.

hosseinimr93, Legendary
September 13, 2022, 06:01:00 PM
#3

The master public key is derived from your seed phrase through a one-way function. Therefore, there is no way to derive the seed phrase from your master public key.

PaperWallet (OP), Member
September 13, 2022, 06:30:14 PM
#4

> If the child private key has an unhardened derivation path (I mean an unhardened private key), knowing just a single private key and the master public key can let an attacker know the master private key.

This is very interesting. The master private key is the one derived from the seed phrase, by which you create all private keys of the deterministic wallet, if I understand correctly.

So in fact, if you create a watch-only wallet (so exposing your Master Public Key to the internet), and then you decide to expose just one private key to sign a transaction online instead of signing it offline (because you say it's just quicker and you are willing to take the risk for just one key), you expose all of your other private keys? Because if someone knows one private key + Master Public key he will get access to all of the private keys of the deterministic wallet, right? Very interesting to know, I did not know this before.

On the other hand, my question was about what if you expose multiple Master Public Keys, related to different blockchains, and someone knows that all of these Master Public Keys relate to the same seed: is it possible to guess the seed phrase? I know you can't possibly guess the seed phrase with just one Master Public key, but what about if you had many?
Charles-Tim, Legendary
September 13, 2022, 08:35:26 PM
#5

> On the other hand, my question was about what if you expose multiple Master Public Keys, related to different blockchains, and someone knows that all of these Master Public Keys relate to the same seed: is it possible to guess the seed phrase? I know you can't possibly guess the seed phrase with just one Master Public key, but what about if you had many?

hosseinimr93 has already answered that.

Not possible.

You can read about elliptic curve cryptography:

> Public Keys
> The public key is calculated from the private key using elliptic curve multiplication, which is irreversible: K = k * G, where k is the private key, G is a constant point called the generator point, and K is the resulting public key. The reverse operation, known as "finding the discrete logarithm"—calculating k if you know K—is as difficult as trying all possible values of k, i.e., a brute-force search.

For the master private key it is m (instead of k) * G, which means M = m * G, where M is the master public key.

BitMaxz, Legendary
September 13, 2022, 08:48:14 PM
#6

Any public key, like a master public key, cannot be used to guess the right seed phrase of your wallet. What you need to protect are the master private key and seed phrase (both of them must be saved in a safe place), because these keys and phrases are your backup for recovering your wallet.
So if your purpose is to guess the seed phrase of someone's wallet, then you have a 0.01% chance to guess a seed phrase wallet.

This link below might be helpful to learn more about other Bitcoin prefixes.
- https://en.bitcoin.it/wiki/List_of_address_prefixes

hosseinimr93, Legendary
September 13, 2022, 09:04:27 PM
#7

> So if your purpose is to guess the seed phrase of someone's wallet, then you have a 0.01% chance to guess a seed phrase wallet.

I don't understand this. Are you saying that the chance of guessing someone's wallet correctly is 0.01%? Am I getting you correctly? Or am I missing something here?
To avoid any misunderstanding for a newbie reading this thread, it may be worth mentioning that the chance of guessing a seed phrase correctly is zero.
A 12-word BIP39 seed phrase provides 128 bits of entropy and can't be brute-forced or guessed.

NotATether, Legendary
September 14, 2022, 02:25:50 AM
Merited by Pmalek (2)
#8

There's only one (bitcoin) master private/public key for each seed phrase. It's not possible to have two that point to the same seed phrase, or at the very least, it's cryptographically highly unlikely to achieve such a feat.

Altcoin format master private/public keys are not recognized by Bitcoin and cannot be used on the Bitcoin network.

nc50lc, Legendary
September 14, 2022, 06:25:29 AM
Merited by Welsh (2), ABCbits (2), Pmalek (2), hosseinimr93 (1), DdmrDdmr (1), Charles-Tim (1)
#9

> On the other hand, my question was about what if you expose multiple Master Public Keys, related to different blockchains, and someone knows that all of these Master Public Keys relate to the same seed: is it possible to guess the seed phrase? I know you can't possibly guess the seed phrase with just one Master Public key, but what about if you had many?

Forget the seed phrase; all they need is your "master private key", which is derived from the "seed", and the seed is derived from the seed phrase.
From 'seed phrase -> seed -> master private key', there are already two irreversible hash functions to overcome.

Having all extended public keys from Bitcoin/Altcoin derivation paths isn't going to help, since you essentially only have the public keys.
The extended public key is just a public key followed by a chain code; it's the pair of the private key part (first 32 bytes) of the extended private key with the same chain code.
As you know, you cannot derive a private key from a public key.

Additionally, since it's been brought up that it's possible if at least one child private key is exposed:
if you somehow exposed one example_coin extended public key and one example_coin child private key, and a hacker then got his hands on your example_coin extended private key (xprv),
he still won't be able to derive the master private key from it, since it passed through multiple child extended key derivations with different indexes per coin and derivation paths.

Given that someone has access to your extended private key at m/xx'/x'/x'/0:
For the "hardened" child extended key (the numbers with '), it's impossible to get the parent.
For the normal child extended key (without '), to get the parent extended privKey he needs the parent's extended pubKey, but it usually isn't available to the user.

Basically, each of your extended keys has gone through: master private key/purpose'/coin'/account'/internal or external, e.g. m/44'/0'/0'/0
Each / corresponds to a child extended key derivation, which is irreversible.
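The derivation chain that hosseinimr93 (#3), Charles-Tim (#5) and nc50lc (#9) describe, seed phrase -> seed -> master key -> hardened purpose/coin/account levels -> normal child keys, as an added example that is not code from this thread or from any poster. It is a minimal pure-Python BIP39/BIP32 walk-through with a hand-rolled secp256k1 (illustration only, not for real wallets), the constructed all-"abandon" test mnemonic, and hypothetical helper names (`derive`, `parent_from_normal_child`). It also shows the caveat raised in #2 and #9: at a normal (unhardened) index the parent private key is pinned down by one leaked child private key plus the parent xpub, while at a hardened index the needed tweak cannot be computed from public data, which is exactly why m/44'/0'/0' uses hardened steps.

```python
import hashlib
import hmac

# secp256k1 domain parameters (public constants from the curve spec).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000


def _add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, p):
    """Double-and-add scalar multiplication: K = k * G is the one-way step from #5."""
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p = _add(p, p)
        k >>= 1
    return r


def ser_p(point):
    """SEC1 compressed encoding, as BIP32 feeds a public key into HMAC."""
    x, y = point
    return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")


def bip39_seed(mnemonic, passphrase=""):
    """Seed phrase -> 64-byte seed: PBKDF2-HMAC-SHA512, 2048 rounds (first one-way hop)."""
    return hashlib.pbkdf2_hmac("sha512", mnemonic.encode(), ("mnemonic" + passphrase).encode(), 2048)


def master_key(seed):
    """Seed -> master private key and chain code: HMAC-SHA512 keyed with 'Bitcoin seed' (second hop)."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]


def ckd_priv(k, c, index):
    """Private child derivation: hardened indexes hash the PRIVATE key, normal ones the public key."""
    if index >= HARDENED:
        data = b"\x00" + k.to_bytes(32, "big") + index.to_bytes(4, "big")
    else:
        data = ser_p(_mul(k, G)) + index.to_bytes(4, "big")
    i = hmac.new(c, data, hashlib.sha512).digest()
    return (int.from_bytes(i[:32], "big") + k) % N, i[32:]


def ckd_pub(point, c, index):
    """Public child derivation from an xpub (watch-only wallet): normal indexes only."""
    if index >= HARDENED:
        raise ValueError("hardened child cannot be derived from an extended public key")
    i = hmac.new(c, ser_p(point) + index.to_bytes(4, "big"), hashlib.sha512).digest()
    return _add(_mul(int.from_bytes(i[:32], "big"), G), point), i[32:]


def derive(path, k, c):
    """Hypothetical helper: walk a path like m/44'/0'/0'/0; each '/' is one ckd_priv step."""
    for part in path.split("/")[1:]:
        hardened = part[-1] in "'h"
        k, c = ckd_priv(k, c, int(part.rstrip("'h")) + (HARDENED if hardened else 0))
    return k, c


def parent_from_normal_child(child_k, parent_point, parent_c, index):
    """The caveat from #2 and #9, as a check: at a NORMAL index the tweak IL depends only on
    the parent xpub (point + chain code), so child_k - IL mod n is the parent private key.
    At a hardened index IL needs the parent private key, so the relation is unavailable."""
    if index >= HARDENED:
        raise ValueError("hardened index: IL requires the parent private key")
    i = hmac.new(parent_c, ser_p(parent_point) + index.to_bytes(4, "big"), hashlib.sha512).digest()
    return (child_k - int.from_bytes(i[:32], "big")) % N


if __name__ == "__main__":
    # Constructed test mnemonic (the all-'abandon' BIP39 vector), not a real wallet.
    m_k, m_c = master_key(bip39_seed("abandon " * 11 + "about"))
    acct_k, acct_c = derive("m/44'/0'/0'", m_k, m_c)   # three hardened levels
    ext_k, ext_c = ckd_priv(acct_k, acct_c, 0)           # m/44'/0'/0'/0, a normal level
    print("account xpub derives the same external key:", ckd_pub(_mul(acct_k, G), acct_c, 0)[0] == _mul(ext_k, G))
    print("leaked normal child + account xpub pins the account key:", parent_from_normal_child(ext_k, _mul(acct_k, G), acct_c, 0) == acct_k)
    try:
        parent_from_normal_child(acct_k, _mul(m_k, G), m_c, 44 + HARDENED)
    except ValueError as e:
        print("but the hardened step above it holds:", e)
```

The design point is the asymmetry in `ckd_priv`: a hardened step mixes the parent private key into the HMAC, so nothing derivable from the xpub relates parent and child, whereas a normal step mixes only the public key, which is what lets a watch-only wallet (`ckd_pub`) generate addresses and also what creates the linkage in `parent_from_normal_child`. The master key's self-check values come from BIP32 test vector 1.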

PaperWallet (OP), Member
September 14, 2022, 08:47:21 PM
#10

> On the other hand, my question was about what if you expose multiple Master Public Keys, related to different blockchains, and someone knows that all of these Master Public Keys relate to the same seed: is it possible to guess the seed phrase? I know you can't possibly guess the seed phrase with just one Master Public key, but what about if you had many?
>
> Forget the seed phrase; all they need is your "master private key", which is derived from the "seed", and the seed is derived from the seed phrase.
> From 'seed phrase -> seed -> master private key', there are already two irreversible hash functions to overcome.
>
> Having all extended public keys from Bitcoin/Altcoin derivation paths isn't going to help, since you essentially only have the public keys.
> The extended public key is just a public key followed by a chain code; it's the pair of the private key part (first 32 bytes) of the extended private key with the same chain code.
> As you know, you cannot derive a private key from a public key.
>
> Additionally, since it's been brought up that it's possible if at least one child private key is exposed:
> if you somehow exposed one example_coin extended public key and one example_coin child private key, and a hacker then got his hands on your example_coin extended private key (xprv),
> he still won't be able to derive the master private key from it, since it passed through multiple child extended key derivations with different indexes per coin and derivation paths.
>
> Given that someone has access to your extended private key at m/xx'/x'/x'/0:
> For the "hardened" child extended key (the numbers with '), it's impossible to get the parent.
> For the normal child extended key (without '), to get the parent extended privKey he needs the parent's extended pubKey, but it usually isn't available to the user.
>
> Basically, each of your extended keys has gone through: master private key/purpose'/coin'/account'/internal or external, e.g. m/44'/0'/0'/0
> Each / corresponds to a child extended key derivation, which is irreversible.

Thank you very much for these explanations. And thank you also for @hosseinimr93 and @Charles-Tim for meriting this post.