Code Monkey home page Code Monkey logo

Comments (6)

GriffGreen avatar GriffGreen commented on July 29, 2024

Yes, from what i understand, there might be a false sense of privacy.... that if a send is made from the root address, the public key can be found and that can be linked to all other accounts generated by the public key... so if i have 20 accounts on metamask, effectively they can all be linked... this is unnecessary and can be fixed with a small change to this library.

I would love to see that happen.

Would not using the root address at all be enough to avoid this privacy leak? Talking with my buddy Polto, I assume that is how it is done now... the master pub key is just never exposed to the network?

from eth-hd-keyring.

MicahZoltu avatar MicahZoltu commented on July 29, 2024

Worth noting that my understanding above was incorrect. You still need a shareable secret from the keyholder to link un-hardened accounts.

from eth-hd-keyring.

seresistvanandras avatar seresistvanandras commented on July 29, 2024

Thanks for the clarification, Micah! Although this does not hold anymore, if the group is pairing-friendly. In that case one could easily deduct whether two derived child public keys belong to the same root public key or not (assuming that they were derived in a non-hardened way). Let's assume that we have , a pairing friendly group and a symmetric pairing . Let g \land g_T be the generators of the corresponding groups.

Furthermore let's assume that the root public key is Q=g^{sk} and we have two public keys (e.g. obtained from two different transactions) Q_1=g^{sk+h_{1}} and Q_2=g^{sk+h_{2}}, where h_{i}=hash(i,Q) for the sake of brevity. From these two public keys we can also obtain the following auxiliary variables: g^{h_1-h_2},g^{h_2-h_1} using the available group operation in .

Then we can decide whether the public keys belong to the same root public key WITHOUT knowing the root public key. We need to calculate the following 3 pairings:
e(g^{sk+h_1},g^{h_2-h_1})=g_{T}^{sk\cdot h_2+h_1 \cdot h_2 -h^{2}_1-sk\cdot h_1}

e(g^{sk+h_2},g^{h_1-h_2})=g_{T}^{sk\cdot h_1+h_1 \cdot h_2 -h^{2}_2-sk\cdot h_2}

e(g^{h_1-h_2},g^{h_2-h_1})=g_{T}^{2\cdot h_1\cdot h_2-h^{2}_2-h^{2}_1 }

If we denote the results of the previous pairings in the target group as A,B and C correspondingly, then we just need to check whether: A\cdot B\cdot C^{-1}=1_{T}

Clearly this relation for two randomly chosen addresses would hold with negligible probability.

Do you have any insights @MicahZoltu how this would affect ZCash privacy model, or whether this linkage is relevant for ZCash or not? Do they use non-hardened key derivation?

from eth-hd-keyring.

MicahZoltu avatar MicahZoltu commented on July 29, 2024

ZCash's privacy system is not rooted in HD Wallets, it is quite different (uses zkSNARKs IIRC).

If you believe that you have a mechanism for associating two public keys from an HD Wallet without an extended key then you should probably bring that up with some cryptographic experts (certainly above my pay grade). https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#security indicates that such a thing should not be possible and being able to do that would mean having cracked the HD Wallet's security guarantees.

from eth-hd-keyring.

seresistvanandras avatar seresistvanandras commented on July 29, 2024

You're certainly right, although this simple trick would allow one to nullify the privacy benefits of zkSNARKs by allowing them to link t- and/or z-addresses, if they were generated using non-hardened key derivation.

I think in the original BIP they did not have in mind a pairing-friendly group. The added capabilities of a pairing changes the picture significantly (if my calculation above was correct).

from eth-hd-keyring.

seresistvanandras avatar seresistvanandras commented on July 29, 2024

Sean Bowe (@ebfull) has just clarified to me that "the curve we use for keying material in zcash is not pairing-friendly"

from eth-hd-keyring.

Related Issues (10)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.