Comments (6)
Yes, from what i understand, there might be a false sense of privacy.... that if a send is made from the root address, the public key can be found and that can be linked to all other accounts generated by the public key... so if i have 20 accounts on metamask, effectively they can all be linked... this is unnecessary and can be fixed with a small change to this library.
I would love to see that happen.
Would not using the root address at all be enough to avoid this privacy leak? Talking with my buddy Polto, I assume that is how it is done now... the master pub key is just never exposed to the network?
from eth-hd-keyring.
Worth noting that my understanding above was incorrect. You still need a shareable secret from the keyholder to link un-hardened accounts.
from eth-hd-keyring.
Thanks for the clarification, Micah! Although this does not hold anymore, if the group is pairing-friendly. In that case one could easily deduct whether two derived child public keys belong to the same root public key or not (assuming that they were derived in a non-hardened way). Let's assume that we have , a pairing friendly group and a symmetric pairing
. Let
be the generators of the corresponding groups.
Furthermore let's assume that the root public key is and we have two public keys (e.g. obtained from two different transactions)
and
, where
for the sake of brevity. From these two public keys we can also obtain the following auxiliary variables:
using the available group operation in
.
Then we can decide whether the public keys belong to the same root public key WITHOUT knowing the root public key. We need to calculate the following 3 pairings:
If we denote the results of the previous pairings in the target group as A,B and C correspondingly, then we just need to check whether:
Clearly this relation for two randomly chosen addresses would hold with negligible probability.
Do you have any insights @MicahZoltu how this would affect ZCash privacy model, or whether this linkage is relevant for ZCash or not? Do they use non-hardened key derivation?
from eth-hd-keyring.
ZCash's privacy system is not rooted in HD Wallets, it is quite different (uses zkSNARKs IIRC).
If you believe that you have a mechanism for associating two public keys from an HD Wallet without an extended key then you should probably bring that up with some cryptographic experts (certainly above my pay grade). https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#security indicates that such a thing should not be possible and being able to do that would mean having cracked the HD Wallet's security guarantees.
from eth-hd-keyring.
You're certainly right, although this simple trick would allow one to nullify the privacy benefits of zkSNARKs by allowing them to link t- and/or z-addresses, if they were generated using non-hardened key derivation.
I think in the original BIP they did not have in mind a pairing-friendly group. The added capabilities of a pairing changes the picture significantly (if my calculation above was correct).
from eth-hd-keyring.
Sean Bowe (@ebfull) has just clarified to me that "the curve we use for keying material in zcash is not pairing-friendly"
from eth-hd-keyring.
Related Issues (10)
- Action required: Greenkeeper could not be activated 🚨
- Standardize error codes
- Hex prefix addresses
- Add LICENSE file
- Use shared ESLint config
- Question on expected time for browser computation
- Improve unit test coverage HOT 4
- Migrate to TypeScript HOT 1
- How to add native address for some uncommon tokens to MetaMask wallet?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from eth-hd-keyring.