Why one would need *extended* public keys for auditing a bip32 wallet?

3

1

(I am reading the bip32 for an altcoin development.)

In the bip32 specification, it is written that listing all incoming and outgoing payments of a hierarchical deterministic wallet would required the extended public keys.

In case an auditor needs full access to the list of incoming and outgoing payments, one can share all account public extended keys. This will allow the auditor to see all transactions from and to the wallet, in all accounts, but not a single secret key.

Wouldn't the (non-extended) elliptic curve encryption's public keys work too ?

Furthermore, if I understand the spec properly, sharing an extended public key isn't really safe since knowing a descending non-hardened private key would then expose all the keys descending from this first extended public key...and sharing a non-extended public key would avoid the problem.

idkwptc

Posted 2014-11-30T18:31:25.023

Reputation: 33

Answers

1

Why one would need extended public keys for the auditing a bip32 wallet?

You don't need them. You could also just make a list of all of the addresses that have a balance, and send that to your auditor.

Auditing a Bitcoin wallet is not a very good example of what this is capable of. Here are some other uses of BIP32:

  • You could have a script on a server with an extended public key generate addresses for people to donate to, without having that same server be able to spend money sent to those addresses. Without BIP32, you'd have to make a long list of addresses, put them on your server, and replenish them whenever they ran out.
  • You could have an e-commerce app generate addresses like the above, and detect payments to those addresses without, again, having the ability to spend them.

Wouldn't the (non-extended) elliptic curve encryption's public keys work too?

No. You also need the chain code to calculate the subkeys. Collectively, these two things make up an extended public key.

Furthermore, if I understand the spec properly, sharing an extended public key isn't really safe since knowing a descending non-hardened private key would then expose all the keys descending from this first extended public key.

It's... debatably safe. I don't think there's a real-word situation where someone would compromise one of your non-hardened private keys without having access to all of them.

Nick ODell

Posted 2014-11-30T18:31:25.023

Reputation: 26 536

In my mind, you didn't need to calculate subkeys since you give all the (used) public keys (N(M/*)). But in this case you would need to store all the public keys.idkwptc 2014-11-30T19:56:54.680

you didn't need to calculate subkeys since you give all the public keys (N(M/*)) I don't understand. Could you clarify?Nick ODell 2014-11-30T20:00:05.570

Well (I'm no expert at all so I may say something totally wong) each transaction related to the wallet use a public key (point on ec) so storing the used points should be enough to perform an audit without sharing the chaincodes, isn't it ?idkwptc 2014-11-30T20:03:21.407

@idkwptc You could store the used points or the addresses. Either would work, for an audit.Nick ODell 2014-11-30T20:05:07.507

Ok, I wanted to be sure I understood the principle. Sharing the extended public keys as advised in the specs looked "debatably safe" to me given the way the keys were generated. Thank you for your time ! :)idkwptc 2014-11-30T20:08:13.587

Btw, I said something (partially) wrong earlier. The way the key are generated, the owner of the wallet "knows" the used key by the indexes (M/x/y/z) of the keys so no need to store explicitly the points/addresses sharing non-extended public keys...a great secure way to use hd wallets !idkwptc 2014-11-30T20:18:24.263

I have downloaded bitcoin core, do you happen to know where can I find the bip32 extended key for this wallet ?coding_idiot 2016-12-12T07:45:36.177

Asked: 2014-11-30T18:31:25.023

Viewed: 1 415 times

Active: 2015-08-02T01:19:04.140