Board: Development & Technical Discussion
Re: QC threat on electrum "spawnable" type wallets vs old wallet.dat
by takuma sato on 14/06/2025, 20:35:30 UTC
-snip- Because if you've got someone's public keys, couldn't you use those to try to derive the master private key?
No, a theoretical QC powerful enough for that would need its paired Master Public Key.
And it's not available in watch-only or locked wallets' descriptors, only its child "extended public key" derived at m/84h/0h/0h (e.g. for bech32).

As for your concern that the entire HD wallet's keypool could be compromised if a child private key is successfully calculated by QC:
It'll only work if the hacker also knows its parent extended public key, due to the weakness of unhardened derivation of child keys at 'chain_index' and 'address_index'.
For that, the attacker also needs to get access to the user's machine (like a cold-storage setup's online watch-only wallet) to succeed.

So, I think the more interesting question is: "Would it be better to go back to hardened address derivation like the old HD wallets?"
It will prevent the case I described above, but it'll limit the capabilities of the current version that utilizes those unhardened xpubs, like being able to create HD watch-only wallets for cold-storage setups.
Anyways, if someone can get access to a machine like that, the owner has bigger problems than QC.

Well, from thieves (whether offline, where they enter your house, or online due to hacks in cloud storage where you store encrypted data and potentially wallet files) or state-funded actors, like being stopped in an airport or some border control and having your devices cloned, or somehow being in a situation where they clone your files for some reason like an audit or whatever; in that case they would have access to your files since they had access to them physically. I think anything that hardens your setup is worth it. Who cares about not being able to have HD watch-only wallets if that increases some attack vectors. Just generate a number of receiving addresses and add them as watch-only as needed. If I have an old wallet from 2013 then I'm not sure you should even bother with updating. Will Bitcoin Knots also stop supporting old wallets like Core? I'm migrating to Knots due to the spam issue anyway.
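The trade-off discussed in the quoted reply (unhardened xpubs enable watch-only wallets but mean "xpub + one child private key = parent private key", while hardened derivation blocks that but also blocks watch-only derivation) can be shown directly with the BIP32 derivation rules. The following is an added example written for this thread, not code from either poster or from Electrum/Core/Knots; it implements CKDpriv/CKDpub from the BIP32 spec on a minimal pure-Python secp256k1, and the seed it uses is a constructed demo value, not a real wallet.

```python
# Added example (not from the forum post): BIP32 child-key derivation on secp256k1,
# showing why the quoted caveat holds. With UNHARDENED derivation, whoever holds the
# parent extended public key (parent pubkey + chain code) plus one child private key
# can reconstruct the parent private key; with HARDENED derivation the same inputs
# are not enough, but a watch-only wallet can no longer derive child pubkeys either.
import hashlib
import hmac

# secp256k1 domain parameters (public constants from the curve standard)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000  # indices >= this use the hardened rule (the "h" in m/84h/0h/0h)

def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, point):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result

def _compress(point):
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

def _decompress(pub):
    x = int.from_bytes(pub[1:], "big")
    y = pow((x ** 3 + 7) % P, (P + 1) // 4, P)  # valid sqrt because P % 4 == 3
    if (y & 1) != (pub[0] & 1):
        y = P - y
    return (x, y)

def pubkey(k):
    """33-byte compressed public key for private scalar k."""
    return _compress(_mul(k, G))

def master_from_seed(seed):
    """BIP32 master key: HMAC-SHA512 keyed with "Bitcoin seed"."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]

def ckd_priv(k_par, c_par, index):
    """BIP32 CKDpriv: (k_par, c_par) -> (k_child, c_child)."""
    if index >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big")  # HMAC input needs the PRIVATE key
    else:
        data = pubkey(k_par)                        # HMAC input needs only the PUBLIC key
    i = hmac.new(c_par, data + index.to_bytes(4, "big"), hashlib.sha512).digest()
    return (int.from_bytes(i[:32], "big") + k_par) % N, i[32:]

def ckd_pub(pub_par, c_par, index):
    """BIP32 CKDpub: what a watch-only wallet does with the xpub. Unhardened only."""
    if index >= HARDENED:
        return None
    i = hmac.new(c_par, pub_par + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    return _compress(_add(_mul(il, G), _decompress(pub_par))), i[32:]

def parent_priv_from_xpub_and_child(pub_par, c_par, index, k_child):
    """The caveat from the quoted reply: xpub data + one unhardened child private key
    gives back the parent private key (k_child = k_par + IL, and IL is computable
    from the xpub alone). For a hardened index IL depends on the parent private
    key itself, so the xpub holder cannot compute it; we return None."""
    if index >= HARDENED:
        return None
    i = hmac.new(c_par, pub_par + index.to_bytes(4, "big"), hashlib.sha512).digest()
    return (k_child - int.from_bytes(i[:32], "big")) % N

def demo(seed=b"constructed demo seed, not a real wallet"):
    """Compare unhardened vs hardened derivation from the same (constructed) account key."""
    k_acct, c_acct = master_from_seed(seed)   # stands in for the account-level xprv
    xpub = (pubkey(k_acct), c_acct)           # exactly what a watch-only wallet holds
    k_soft, _ = ckd_priv(k_acct, c_acct, 0)          # .../0  (unhardened)
    k_hard, _ = ckd_priv(k_acct, c_acct, HARDENED)   # .../0h (hardened)
    return {
        "watch_only_matches": ckd_pub(*xpub, 0)[0] == pubkey(k_soft),
        "unhardened_recovers_parent": parent_priv_from_xpub_and_child(*xpub, 0, k_soft) == k_acct,
        "hardened_recovers_parent": parent_priv_from_xpub_and_child(*xpub, HARDENED, k_hard) == k_acct,
    }

if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `watch_only_matches` and `unhardened_recovers_parent` both True and `hardened_recovers_parent` False, which is the whole trade-off in one place: the same property of unhardened derivation that lets the online watch-only wallet compute addresses is what makes the account xpub worth protecting, and hardened derivation removes both at once.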