Huuuuge Bitcoin Security Threat! - WARNING

in #bitcoin, 7 years ago (edited)


There is a big Bitcoin security threat that affects deterministic wallets and that people don't want to talk about. I have known about it for more than a year and have arranged my Bitcoin security accordingly, as have most tech experts, yet many newbies and laymen haven't, so let me enlighten you.

I thought this threat was obvious, but apparently it's not, since people are only now talking about it on Reddit, and I bet most people don't look into the cryptography that secures their Bitcoins, which is a big problem, so let me explain it in layman's terms.


  • It only affects hierarchical deterministic wallets based on BIP32, like Electrum, MultiBit and others, and only the keys they derive with normal (non-hardened) derivation; hardened child keys are not affected.
  • A deterministic wallet means that when you create a wallet you get a seed, usually 12-24 words, and every key and address in the wallet is generated from that seed.

If your wallet generates individual addresses that each have a separate, unrelated private key, then you are not at risk, but most popular wallet software is already deterministic, so make sure you check how your wallet software works!


The problem is this, and it's a big one (the warning below is quoted from the BIP32 specification itself):

One weakness that may not be immediately obvious, is that knowledge of a parent extended public key plus any non-hardened private key descending from it is equivalent to knowing the parent extended private key (and thus every private and public key descending from it). This means that extended public keys must be treated more carefully than regular public keys.

So this means that if you expose your xpub (master public key) and just one non-hardened child private key, an attacker can derive every other private key under that xpub and steal all the money in that part of the wallet!!!


  • You operate a Bitcoin business and keep all your funds in a deterministic wallet. Incoming and outgoing transactions follow your business, and everything is neatly organized into different addresses for different purposes.
  • Your wallet seed is: barrel faint exclude skin ribbon pattern melt roof answer feed tip square absent. If someone obtains this, they can steal all your money: TOTAL LOSS OF SECURITY.
  • You give out your xpub key xpub661MyMwAqRbcGmnzJDQP1iFbuAY8yHAWZdCV7GdTrLh41XNHSqZ9doKs8XuQpJvbaKZqt6jSFGLEfpoLD5FzLucpCna5jE36QaXCVQAh3BC to your boss, your private contractors or regulators, to prove that you have the money and are transparent. With the xpub alone they can only view your transactions, so on its own it is "only" a TOTAL LOSS OF PRIVACY!
  • Your wallet has the following 2 addresses: A: 16tN1Kx45sC1nuckwBPMRV5HPDu9GKvjnS and B: 16JxQgg41fcH6ZW2XUZJuBxBkEFFvyXTz9. Let's imagine that address A holds 500 BTC and address B is empty.
  • You give out the private key of address B to prove that you own this address, which is visibly part of the wallet that can be observed with the xpub. You think you risk nothing by giving out key B because the address is empty.
  • The private key of B is: L5B5KNX6az4NsE8VScJ5nJNakFmbfJLXoQwk6WvU4T1Utcz13HVK, and you give it to somebody who already has the xpub and will verify your ownership of the wallet.
  • And there is the catch: anyone holding both the xpub and one non-hardened child private key can subtract the derivation offset and recover the xpub's extended private key (not the seed words themselves, but enough to derive every private key under that xpub), including the private key of A.
  • He will quickly calculate the private key of A, which is L3r13DAvCPvmACEPSqVfMDvRRnHcM8a8XgkgBWgKV5kns8bjJMaZ, and steal the 500 hypothetical Bitcoin on that address.

Yes, it is this easy to steal all your money, and not just on address A but on every other non-hardened address derived under that xpub!
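The arithmetic behind the scenario above, as an added example that is not part of the original post: a pure-Python BIP32 derivation (secp256k1 point math and HMAC-SHA512 only, no external libraries) that derives two non-hardened children from a constructed seed, then recovers the parent private key from the xpub's public key and chain code plus one child private key, exactly as an attacker holding your xpub and key B would. The seed bytes, the wallet layout and the index choices are constructed for this demo and are not derived from the seed phrase in the post; the base58 xpub and WIF strings from the post are not parsed here, since the recovery works on the raw key material they encode. The hardened case at the end goes beyond the post's scenario and shows why hardened derivation is immune.

```python
import hashlib
import hmac

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 1 << 31  # BIP32: indices >= 2^31 are hardened children


def _add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def ser_p(point):
    """33-byte compressed public key, the form BIP32 feeds into HMAC."""
    x, y = point
    return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")


def master_key(seed):
    """BIP32 master node: HMAC-SHA512(key=b'Bitcoin seed', data=seed) -> (k, chain code)."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]


def ckd_priv(k_par, c_par, index):
    """BIP32 CKDpriv. Non-hardened: HMAC data is the parent PUBLIC key (an xpub holder
    has it). Hardened: HMAC data is the parent PRIVATE key (an xpub holder does not)."""
    if index >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big")
    else:
        data = ser_p(_mul(k_par, G))
    i = hmac.new(c_par, data + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    # BIP32 says to skip this index if il >= N or the child key is 0 (probability ~2^-127).
    return (il + k_par) % N, i[32:]


def recover_parent_priv(K_par, c_par, index, k_child):
    """The attack: xpub material (K_par, c_par) plus one non-hardened child private key
    yields the parent private key, because k_child = IL + k_par (mod N) and IL is
    computable from public data alone."""
    if index >= HARDENED:
        raise ValueError("hardened child: IL depends on the parent private key")
    i = hmac.new(c_par, ser_p(K_par) + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    return (k_child - il) % N


def demo():
    """Replays the post's scenario on constructed keys; returns three booleans."""
    # Constructed demo seed; NOT derived from the seed phrase in the post.
    seed = hashlib.sha256(b"constructed demo seed for the xpub + child key attack").digest()
    k_m, c_m = master_key(seed)
    K_m = _mul(k_m, G)  # the xpub you handed out encodes exactly K_m and c_m

    k_a, _ = ckd_priv(k_m, c_m, 0)  # funded address A at m/0
    k_b, _ = ckd_priv(k_m, c_m, 1)  # empty address B at m/1, whose key you gave away

    # Attacker: xpub + k_b -> parent private key -> private key of A
    k_m_recovered = recover_parent_priv(K_m, c_m, 1, k_b)
    k_a_recovered, _ = ckd_priv(k_m_recovered, c_m, 0)

    # The same leak for a hardened child (m/0') gives the attacker nothing
    k_h, _ = ckd_priv(k_m, c_m, HARDENED)
    try:
        recover_parent_priv(K_m, c_m, HARDENED, k_h)
        hardened_blocked = False
    except ValueError:
        hardened_blocked = True

    return k_m_recovered == k_m, k_a_recovered == k_a, hardened_blocked


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The recovery is a single modular subtraction because non-hardened CKD only adds a public-data offset to the parent key; that is the whole reason BIP32 tells you to treat an xpub more carefully than an ordinary public key, and why wallets derive account levels with hardened indices.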


  • Don't give out both the master public key and a child private key of the same wallet. In fact, never give out private keys at all: you can always sign a message or a transaction to prove ownership of funds without exposing the key.
  • Giving out the master public key is also not recommended. Share individual Bitcoin addresses to show your peers your transactions instead; the extended public key is far more sensitive, because it reveals every address in the wallet and, combined with one leaked child key, every private key.

So let me rank each piece of information by importance / risk:

  • Master Public Key (xpub) = ELEVATED SECURITY REQUIRED (it reveals every address in the wallet, turns one leaked child private key into a total compromise, and as a raw public key it is not quantum computer resistant), LOSS OF WALLET PRIVACY
  • Child Public Key = ELEVATED SECURITY REQUIRED (a raw public key is not quantum computer resistant), LOSS OF ADDRESS PRIVACY
  • Bitcoin Address = NO SECURITY REQUIRED (quantum computer resistant for as long as it has never spent, because the address is only a hash of the public key and the key itself stays hidden), LOSS OF ADDRESS PRIVACY

ALSO, DON'T REUSE A BITCOIN ADDRESS: spending from an address puts its public key into the transaction, so the child public key is revealed!



This is good to know, thanks for sharing. I would never give out my private keys in the first place, though. Anybody asking you to do that for "verification purposes" is probably up to no good. The easiest way to verify you own an address is just to send a small dust amount of Bitcoin from that address (although with transaction fees getting higher these days maybe that method will become cost prohibitive eventually).

You can sign an address, but that will also reveal the public key, so that won't be quantum proof.

So if you have big amounts in one address, you should always send the change back to another address of yours that was not used before, if you are worried about quantum stuff.

But as far as I know, quantum computers are just an abstract theoretical concept, right? I don't think there's any working ones outside of very limited laboratory tests. Certainly nothing practical in the sense of being able to do ordinary everyday computing tasks. So I'm not overly worried about that for the time being.

I admit it is a concern in the long-term. Probably the entire field of cryptography (and by extension cryptocurrencies) will have to change in some fundamental way if / when the quantum revolution finally comes.

There are some baby quantum computers with very small processing power that have been constructed in labs, but nothing that is better than a classical supercomputer.

Yes, the internet will be affected, and many online services, but Bitcoin will not be if you follow the advice in this article and the next one:

  • Bitcoin Mining is Quantum Proof
  • Unspent Addresses are Quantum Proof
  • Spent Addresses are not Quantum proof, but ECDSA can be soft-forked and replaced with something better later on, after the Segregated Witness package goes online in Bitcoin.

I shouldn't give out my private keys? slaps forehead

I'm so stupid!

And not the public keys either, since a quantum computer can reverse-engineer the private key from the public one.

So it is not recommended to reuse a bitcoin address.

Does this mean we need to create a quantum-resistant bitcoin copy? :P

No, bitcoin is pretty much quantum resistant if you don't reuse the address.

So if you have a big stash of coins, when you send out money from that address, send all the change back to another address of yours that was unused.

So your address where the big money is stored should not have an outgoing transaction.

Keep it as private as your privates!

Except don't show your private key to your significant other either. :P

Great post. Clear explanation, easy to read and understand.

Wow, aren't public keys revealed in their coinbase transaction? Can I borrow a quantum computer?

Public keys are revealed when an outgoing transaction happens from an address.

If you receive money into an address, then it's safe, and when you spend from it you should send the change back to another address; that way the public keys are not exposed.
