2
Deterministic wallets generate a key space following established standards, using a random passphrase as seed. I have a couple of questions:
2
How many keys can be generated by a deterministic wallet?
Effectively infinitely many. The same as a non-deterministic wallet which just keeps generating random private keys. There is a limit, 2^256, but you are never going to reach that. It is effectively infinite.
Is it possible to list all keys (public keys, to avoid leaking critical information) in such a wallet?
It depends. If you are using hardened derivation, then no.
Also, because there are effectively infinitely many addresses, this would be impossible to do. You could reasonably generate enough addresses that you would ever use in your lifetime though.
1
Andrew answered well, but let me add a few details.
You can generate so many private keys that you will die before you exhaust the pool available to you.
The popular android wallet has made a handy tool that will generate all the private keys from a word seed and display them. You can keep generating keys, hundreds at a time until your browser crashes.
You can save this online tool to your computer and run it locally, which is recommended if you're going to use a real word seed. Here's directions on how to use it.
Ok, I start to get this. My understandig now is: BIP44 wallets generate the whole address space, but depending on passphrase follow a different path. I can use any BIP44 wallet (or even a manual algorithm according to BIP44), and I will always follow the same path in the address space. This is important, because I would not want to manually select an address in a deterministic wallet that can not be easily (that is, fast) reached on another deterministic wallet using the same seed. – dangonfast – 2017-11-29T10:31:44.273
@dangonfast Yes. When I write seed words, I also write the wallet software, version number, and BIP number too. This will allow you to backtrack if they're doing something different in 5 years. – 4276 – 2017-11-29T10:34:19.693
Infinitely many? Surely not, since the whole address space is 2^256. The whole address space? I thought the point of deterministic wallets was that they generate a subset of the address space, and that a given deterministic wallet can not collide with another deterministic wallet (they partition the address space) – dangonfast – 2017-11-29T07:07:15.253
1No, there is no such guarantee that a deterministic wallet will not generate addresses that collide with other deterministic wallets. The collision resistance is the same as with random generation. – Andrew Chow – 2017-11-29T07:11:58.430
Something does not seem right: say I have this shiny deterministic wallet, and I have used a trillion addresses already. Now I lose it but I have properly stored my passphrase, and I am able to regenerate it using another deterministic wallet (say a hardware wallet). How does the new wallet know my balance? Goes through all keys (including the trillion keys I have already used)? If what you say is true ("a deterministic wallet generates the whole address space"), then all deterministic wallets would have the same balance, namely the full bitcoin balance. – dangonfast – 2017-11-29T07:48:11.083
a theoretical approach... infinite in the sense, that you cannot spend enough computing power, to generte the addresses. There is a link where the actual implementation is discussed: https://bitcoin.stackexchange.com/questions/50538/how-does-the-client-know-the-number-of-keys-and-coins-when-recovering-from-a-see, so looks like BIP44 has a 20 address limit. On infinity: another limitation comes from the int64_t specification for the maximum addresses in a wallet - only 2^(64-1)-1 adddresses :-)
– pebwindkraft – 2017-11-29T08:17:52.683@dangonfast Because there are effectively infinite keys, your wallet cannot generate them all in a reasonable amount of time. The wallet just generates a lot of keys, and those are the keys that you use. When you restore a wallet, it just generates a lot of keys until it sees several that do not have any transactions associated with them. Because of the improbability of collisions, it is safe to assume that the coins it does find belongs to you and it is unlikely to generate private keys that belong to someone else. – Andrew Chow – 2017-11-29T15:32:08.197