Bitcoin Forum
Author Topic: Deterministic private keys AND public keys weaknesses  (Read 2044 times)
GreenStox (OP), Sr. Member
February 22, 2015, 05:05:40 PM, #1

1) In a deterministic wallet can somebody guess all the private keys from the wallet if one of them is compromised (if the one compromised is not the seed key but let's say the 2nd one)?

2) In a deterministic wallet can somebody guess the public keys of all the addresses, if one public key is compromised, that is not the seed public key?

3) What if 2 private keys are compromised, can they look at the math relations between them and guess the rest of it?

4) What if 2 public keys are compromised, can they look at the math relations between them and guess the rest of it?

The first 2 questions refer to security problems, while the other 2 to privacy problems. How does Armory resolve these problems?

Blazr, Hero Member
February 22, 2015, 05:39:01 PM, #2

> 1) In a deterministic wallet can somebody guess all the private keys from the wallet if one of them is compromised (if the one compromised is not the seed key but let's say the 2nd one)?

No, however, if the MPK and one private key are compromised, then all of the private keys can be computed.

> 2) In a deterministic wallet can somebody guess the public keys of all the addresses, if one public key is compromised, that is not the seed public key?

Possibly, but this isn't unique to HD wallets.

Sometimes when you make a transaction, inputs from different Bitcoin addresses may be used in the same transaction, which indicates that both addresses came from the same wallet. There are also more advanced techniques like trying to fingerprint your Bitcoin client, or directly connecting to your Bitcoin node and trying to determine which transactions you relay first. You should probably assume that all Bitcoin addresses in your wallet can be linked together.

> 3) What if 2 private keys are compromised, can they look at the math relations between them and guess the rest of it?
>
> 4) What if 2 public keys are compromised, can they look at the math relations between them and guess the rest of it?

No.

GreenStox (OP), Sr. Member
February 23, 2015, 04:40:33 PM, #3

>> 1) In a deterministic wallet can somebody guess all the private keys from the wallet if one of them is compromised (if the one compromised is not the seed key but let's say the 2nd one)?
>
> No, however, if the MPK and one private key are compromised, then all of the private keys can be computed.

The master key can only be compromised if somebody hacks into your wallet physically.

However, a random private key could be guessed if the signing process is flawed, so I wasn't concerned about the master key, but rather about the individual keys of addresses.

>> 2) In a deterministic wallet can somebody guess the public keys of all the addresses, if one public key is compromised, that is not the seed public key?
>
> Possibly, but this isn't unique to HD wallets.
>
> Sometimes when you make a transaction, inputs from different Bitcoin addresses may be used in the same transaction, which indicates that both addresses came from the same wallet. There are also more advanced techniques like trying to fingerprint your Bitcoin client, or directly connecting to your Bitcoin node and trying to determine which transactions you relay first. You should probably assume that all Bitcoin addresses in your wallet can be linked together.

Yes, I see, it's called address taint I believe, when they use different addresses that received payments from 1 address to correlate and check which address belongs to the original sender; however, this one is only speculation and cannot prove beyond doubt that one user owns an address, so I guess privacy is not destroyed here.

What if none of my addresses in 1 wallet have cross-transactions between them, and they are all receiving payments from different sources, then is it possible to reveal privacy & identity here or link together those addresses (they are all deterministic of course)?

What is an HD wallet?

TimS, Sr. Member
February 23, 2015, 05:16:53 PM, #4

>>> 1) In a deterministic wallet can somebody guess all the private keys from the wallet if one of them is compromised (if the one compromised is not the seed key but let's say the 2nd one)?
>>
>> No, however, if the MPK and one private key are compromised, then all of the private keys can be computed.
>
> The master key can only be compromised if somebody hacks into your wallet physically.
>
> However, a random private key could be guessed if the signing process is flawed, so I wasn't concerned about the master key, but rather about the individual keys of addresses.

A deterministic wallet is not necessarily a physical device, like a Trezor, so your first statement can't possibly be correct.

If one of those "random private keys" is guessed/leaked, and the attacker also has your master public key (i.e. the thing to generate the list of addresses, but not spend from them), then he has something just as good as (if not equal to) your master key: the ability to know your private keys.

> What if none of my addresses in 1 wallet have cross-transactions between them, and they are all receiving payments from different sources, then is it possible to reveal privacy & identity here or link together those addresses (they are all deterministic of course)?

No, privacy should be secure here (at least until you spend, and combine inputs): there's nothing obvious that links one address to another, just because they come from the same deterministic wallet.

> What is an HD wallet?

HD = Hierarchical Deterministic. https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki has details on it, but basically it means that you can have one master key create more deterministic wallets. Not all deterministic wallets are HD wallets, but I think the terms are sometimes used interchangeably anyway.
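The rule Blazr and TimS both state (master public key plus one leaked child private key equals the master private key) follows directly from the BIP32 child key derivation formulas, and so does the mitigation: hardened derivation. The following is an added worked example, not code from this thread, from Armory or from any wallet project. It implements the BIP32 CKDpriv/CKDpub functions on secp256k1 in plain Python (the curve constants are the standard ones; the pure-Python point arithmetic is for illustration only and is not constant-time), uses constructed parent key material rather than a real wallet, and shows that a non-hardened child private key together with the "MPK" (parent public key and chain code) gives back the parent private key and therefore every sibling, while a hardened child does not.

```python
import hashlib
import hmac

# secp256k1 domain parameters (standard values, not from the thread)
P = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_FFFFFC2F
N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141
G = (0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798,
     0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8)
HARDENED = 1 << 31  # BIP32: indices >= 2^31 are hardened


def _add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                       # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # chord
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point(k):
    """Scalar multiplication k*G by double-and-add (illustrative, not constant-time)."""
    result, addend = None, G
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def ser_p(pt):
    """BIP32 serP: 33-byte compressed SEC encoding of a public point."""
    x, y = pt
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def _hmac_il_ir(c_par, data):
    I = hmac.new(c_par, data, hashlib.sha512).digest()
    return int.from_bytes(I[:32], "big"), I[32:]


def ckd_priv(k_par, c_par, i):
    """BIP32 CKDpriv: child private key and chain code at index i."""
    if i >= HARDENED:   # hardened: the parent PRIVATE key feeds the HMAC
        data = b"\x00" + k_par.to_bytes(32, "big") + i.to_bytes(4, "big")
    else:               # non-hardened: only the parent PUBLIC key feeds the HMAC
        data = ser_p(point(k_par)) + i.to_bytes(4, "big")
    il, c_child = _hmac_il_ir(c_par, data)
    return (il + k_par) % N, c_child


def ckd_pub(K_par, c_par, i):
    """BIP32 CKDpub: child public key from the parent public key (non-hardened only)."""
    if i >= HARDENED:
        raise ValueError("hardened children cannot be derived from a public key")
    il, c_child = _hmac_il_ir(c_par, ser_p(K_par) + i.to_bytes(4, "big"))
    return _add(point(il), K_par), c_child


def recover_parent_priv(K_par, c_par, i, k_child):
    """Parent private key from the MPK (K_par, c_par) plus one leaked non-hardened
    child private key: since k_child = IL + k_par (mod n) and IL is computable from
    public data, k_par = k_child - IL. Returns None for hardened indices, where IL
    depends on k_par itself and cannot be computed from the MPK."""
    if i >= HARDENED:
        return None
    il, _ = _hmac_il_ir(c_par, ser_p(K_par) + i.to_bytes(4, "big"))
    return (k_child - il) % N


def demo():
    """Constructed parent key material (hypothetical, not from any real wallet)."""
    k_par = int.from_bytes(hashlib.sha256(b"constructed example seed").digest(), "big") % N
    c_par = hashlib.sha256(b"constructed example chain code").digest()
    K_par = point(k_par)                 # (K_par, c_par) is the MPK / xpub
    results = {}
    # The wallet's 2nd non-hardened key (index 1) leaks, as in the original question.
    k_leak, _ = ckd_priv(k_par, c_par, 1)
    K_leak, _ = ckd_pub(K_par, c_par, 1)
    results["pub_matches_priv"] = point(k_leak) == K_leak
    recovered = recover_parent_priv(K_par, c_par, 1, k_leak)
    results["parent_recovered"] = recovered == k_par
    # With the parent recovered, every sibling follows (index 7 as an example).
    results["sibling_recovered"] = ckd_priv(recovered, c_par, 7)[0] == ckd_priv(k_par, c_par, 7)[0]
    # A leaked hardened child gives the attacker nothing about the parent.
    k_leak_h, _ = ckd_priv(k_par, c_par, HARDENED + 1)
    results["hardened_blocked"] = recover_parent_priv(K_par, c_par, HARDENED + 1, k_leak_h) is None
    return results


if __name__ == "__main__":
    print(demo())
```

The practical consequences for a wallet design are the two things the replies above hint at: treat the MPK/xpub as sensitive whenever non-hardened children exist below it (a watch-only server holding it turns any single key leak into a total loss), and derive account-level keys with hardened indices so that a compromised branch cannot be walked back up to the master key.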