Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193] helo=mx.sourceforge.net) by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1We9jO-0000LG-L4 for bitcoin-development@lists.sourceforge.net; Sat, 26 Apr 2014 21:01:54 +0000 Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.192.54 as permitted sender) client-ip=209.85.192.54; envelope-from=etotheipi@gmail.com; helo=mail-qg0-f54.google.com; Received: from mail-qg0-f54.google.com ([209.85.192.54]) by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1We9jN-0006AZ-Nt for bitcoin-development@lists.sourceforge.net; Sat, 26 Apr 2014 21:01:54 +0000 Received: by mail-qg0-f54.google.com with SMTP id q107so4796678qgd.13 for ; Sat, 26 Apr 2014 14:01:48 -0700 (PDT) X-Received: by 10.229.58.68 with SMTP id f4mr21931748qch.18.1398546108275; Sat, 26 Apr 2014 14:01:48 -0700 (PDT) Received: from [192.168.1.85] (c-76-111-96-126.hsd1.md.comcast.net. [76.111.96.126]) by mx.google.com with ESMTPSA id n105sm15128265qgd.7.2014.04.26.14.01.47 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 26 Apr 2014 14:01:47 -0700 (PDT) Message-ID: <535C1EBB.5070402@gmail.com> Date: Sat, 26 Apr 2014 17:01:47 -0400 From: Alan Reiner User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: bitcoin-development@lists.sourceforge.net References: In-Reply-To: X-Enigmail-Version: 1.6 Content-Type: multipart/alternative; boundary="------------050104090905060704030801" X-Spam-Score: -0.6 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (etotheipi[at]gmail.com) -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [209.85.192.54 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 1.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1We9jN-0006AZ-Nt Subject: Re: [Bitcoin-development] New BIP32 structure for P2SH multisig wallets X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Apr 2014 21:01:54 -0000 This is a multi-part message in MIME format. --------------050104090905060704030801 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit On 04/26/2014 04:33 PM, Mike Hearn wrote: > > Let's assume we use one shared branch for everyone. Then two > cosigners could need a new receiving address at the same time, and > get the next unused address on that branch. > > This is the part I struggle to understand. There is no shared branch > because each user/cosigner has their own unique seed and thus unique > key hierarchy, right? What you described above could be an issue if > all co-signers shared the same seed but then the scheme wouldn't work. > Consider two people with phones, using 2-of-2, using private seeds k1 and k2. Every address generated by either party is: 2-of-2(K1/a'/b/c, K2/a'/b/c) So for any a, b and c you end up with a 2-of-2 address. The seeds/branches will not be used for single-sig receiving... it's always a multisig 2-of-2. In fact it behaves much like a regular wallet, you give an a, b, and c value, and you get an address -- it's just that this wallet always gives you a P2SH multisig address. The problem is that if you follow BIP32 in the the most obvious way, both devices will generate receiving addresses along the last index, i.e. K/a'/b/0, K/a'/b/1, K/a'/b/2,... If I am at one store and my wife at another, we might both give out 2-of-2(K1/a'/b/382, K2/a'/b/382) at the same time not realizing the other one has distributed that address. There's not a good way to coordinate the devices well enough to avoid it. But we don't have to. The solution is to use two separate branches -- both phones will follow/watch both branches, but each only only distributes payment addresses from one such branch. The original proposal here suggested adding a level to the tree using the "cosigner index" as a branch point for doing this... I recommended simply having 2*N values for "b", so that each participant has a receiving line and change line, that won't conflict with other devices. However, all devices will still watch all 2*N branches to know the total balance of the wallet, and will use UTXOs from those branches when constructing spending transactions/proposals. --------------050104090905060704030801 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit
On 04/26/2014 04:33 PM, Mike Hearn wrote:

Let's assume we use one shared branch for everyone. Then two cosigners could need a new receiving address at the same time, and get the next unused address on that branch.

This is the part I struggle to understand. There is no shared branch because each user/cosigner has their own unique seed and thus unique key hierarchy, right? What you described above could be an issue if all co-signers shared the same seed but then the scheme wouldn't work.

Consider two people with phones, using 2-of-2,  using private seeds k1 and k2.  Every address generated by either party is:

2-of-2(K1/a'/b/c, K2/a'/b/c) 

So for any a, b and c you end up with a 2-of-2 address.  The seeds/branches will not be used for single-sig receiving... it's always a multisig 2-of-2.  In fact it behaves much like a regular wallet, you give an a, b, and c value, and you get an address -- it's just that this wallet always gives you a P2SH multisig address.

The problem is that if you follow BIP32 in the the most obvious way, both devices will generate receiving addresses along the last index,  i.e.   K/a'/b/0, K/a'/b/1, K/a'/b/2,...  If I am at one store and my wife at another, we might both give out 2-of-2(K1/a'/b/382, K2/a'/b/382) at the same time not realizing the other one has distributed that address.  There's not a good way to coordinate the devices well enough to avoid it.  But we don't have to.

The solution is to use two separate branches -- both phones will follow/watch both branches, but each only only distributes payment addresses from one such branch.

The original proposal here suggested adding a level to the tree using the "cosigner index" as a branch point for doing this...  I recommended simply having 2*N values for "b", so that each participant has a receiving line and change line, that won't conflict with other devices.  However, all devices will still watch all 2*N branches to know the total balance of the wallet, and will use UTXOs from those branches when constructing spending transactions/proposals.
--------------050104090905060704030801--