Return-Path: Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id C11C8C013A for ; Fri, 12 Feb 2021 12:31:38 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id B18A9871F1 for ; Fri, 12 Feb 2021 12:31:38 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9Ay6eDB5X+28 for ; Fri, 12 Feb 2021 12:31:37 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from mail-vs1-f46.google.com (mail-vs1-f46.google.com [209.85.217.46]) by whitealder.osuosl.org (Postfix) with ESMTPS id 300BB871DA for ; Fri, 12 Feb 2021 12:31:37 +0000 (UTC) Received: by mail-vs1-f46.google.com with SMTP id u127so4688455vsc.10 for ; Fri, 12 Feb 2021 04:31:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nunchuk-io.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=raIeCFPpSnEELK1rp7QOUf3hRA1iMp5YLK1n0giIoCg=; b=jguLGce7yDoZMjyHy1n/cr2U2Wz6mwUYmqkTWpVNEajXoMTANxw7o631W5rle2EMXn JOA+TQCAmXDUXlu2WLZSUC5IoVdmM8o1+hILErHjeuuaHOtiWh0BAIFKJYtDnJYP7D7y 6GgfyR+69C/JGqSIu8dEkxx5SxHhBtdZyo8KBI35S0GlRLUMRY1+WkCBTwtKnKKR+2ry 1NwJkNaQuKarzz4XlwgFyoVIjT+DbGcBBhkGnk0Xhuy8O+akO2hHhLcdzzBXKMnTHLwq cMQXFilwb39slIWxaNE4OgIWCUbg8ooep0B/3sdpaeTZhAHZm1sV9V1AoduGsV+T7YYL N/HQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=raIeCFPpSnEELK1rp7QOUf3hRA1iMp5YLK1n0giIoCg=; b=Nbz40iH+Ct1zPCcaG+x5fIbysoHjtQ3FgklExmgdCY13Ddo4ZtDyflFEoTrpA8pPee D85WWx6RVhs9I2voxRaJWavlcivYT3HjsVSZQ/EDS0YDcRFHtZMHcqdIUZTtV6YEhwRK Fvk3j//JLDVGMFig9yCq9niJGROTjgK6WwI/37BEdV3gg7muKxmvhcaWKJlrgpqOmAo9 pV3oNXJ5IRj0dGXdQxyOMeJDdse5ZskxznMsojsPrYsYfA0CDwa5yR4xX3iFr6bgCm4i 5JcQ0MpE4QJ8M1ZtvOzKQMYL+hQNK/7gmFWHoXq4VeYIXI0BKsLAvFrSEdX1Q1CO4WBo QwKw== X-Gm-Message-State: AOAM533fLHA3cKatk9zjs5KhnPW242+dGNtOiVOdASSDYt2uEEKxWm7b F6Vox5NIIhqZMs3t6gPNtMpYLTJhtIxifT6qugof90sv+J4pMDmGLdSOlA== X-Google-Smtp-Source: ABdhPJyqo9ZCcf8AxLVnKXoq5qxnRQoIbzV2RcnLIxL3+c5XQ4j71Ezr793mhBDR+wC+XGD+JMN5qPkH2ZsLkgshkOA= X-Received: by 2002:a05:6102:7b1:: with SMTP id x17mr1109844vsg.41.1613133096061; Fri, 12 Feb 2021 04:31:36 -0800 (PST) MIME-Version: 1.0 References: <20210211172910.3b550706@simplexum.com> In-Reply-To: From: Hugo Nguyen Date: Fri, 12 Feb 2021 04:31:24 -0800 Message-ID: To: Christopher Allen , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="0000000000002a9df805bb22d1bc" X-Mailman-Approved-At: Fri, 12 Feb 2021 12:52:48 +0000 Subject: Re: [bitcoin-dev] Proposal: Bitcoin Secure Multisig Setup X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Feb 2021 12:31:38 -0000 --0000000000002a9df805bb22d1bc Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Thu, Feb 11, 2021 at 3:05 PM Christopher Allen via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > What Blockchain Commons (and the Airgapped Wallet Community) call a polic= y > map would be > > ``` > wsh(sortedmulti(1,,,)) > ``` > > A PBKDF of that as would be unique for all 2 of 3 segwig transactions. > With the addition of the addition of the Policy Map creators optional not= e, > it would be truly unique. The Policy Map and/or PBKDF are small and could > easily added to existing APIs. > > So for legacy hardware, we can use existing 48' subtree, but 3' as the > format for this form (2' is segwit), then the desktop can just ask for th= e > /48'/0'/0'/3'/PBKDF' when it requests a new xpub from the hardware token. > More sophisticated Airgapped apps you can send > "wsh(sortedmulti(1,,,))"+label and let the cosigner app do the PBKDF, and > optionally allow it return something different in a full keyset (i.e. > "[90081696/48'/0'/0'/3'/af3948cg=E2=80=A6'/]xpub6DYLEk=E2=80=A6", and the= n the requesting > app, knowing that it is different from the PBKDF can know what to do if i= t > needs to what to ask for in the future. > Thanks Christopher, very interesting ideas... A couple of thoughts: 1/ Generating the path index using the policy is clever. However, I think it has 2 problems. Number #1 is with the above scheme now you have a hard dependency on (policy map + note) - losing (policy map + note) means that you will lose access to PBKDF', and hence the funds permanently. At least with the current soluttions, you can look up what the most common derivation paths and indices are to recover funds in the worst case. 2/ Number #2 is that this wouldn't necessarily prevent XPUB reuse. It seems like the above scheme depends on (a) the Coordinator keeping track accurately of all the existing PBKDF-ed indices and (b) the Signer truthfully gives the XPUB at the path that the Coordinator asks for. In reality, neither of these conditions can be guaranteed. For example, the Signer could lie about the XPUB at /48'/0'/0'/3'/PBKDF' when it just keeps reusing the XPUB at /48'/0'/0'/2' 3/ Preventing XPUB reuse is an interesting problem, but IMHO it is beyond the scope of the current proposal. Maybe worth a separate BIP? Best, Hugo On Thu, Feb 11, 2021 at 3:05 PM Christopher Allen via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > I think the key issue here is avoiding xpub key reuse in multisig. Not > only in the future with Schnorr, but we need it today! > > Current common practice by hardware wallets is the 48'/0'/0'/2' derivatio= n > for segwit multsig ( e.g. > [90081696/48'/0'/0'/2']xpub6DYLEkDfCdHzh5FHGHDJksQvFqu6kYANa1sfo6fA8n5ZWk= SwyCRVVzyq9LY2eNGB6T9BKDeGJp2ZarjRZHd7WB95nSaFEDhFMK6zSV6D49b > ) is the only one used for ALL multisigs offered by that hardware wallet. > > As Pieter said, leveraging a HD path parameters can help, but we need a > better, less reusable path for the index. > > I personally suggest a simpler solution, which is to create an index usin= g > a PBKDF of the Account Policy (a descriptor with all xpubs and keys > removed), plus optional notes. (BTW, I think double sha256 or HMAC is > overkill). > > Example: for the reference bit descriptor that might result in: > > ``` > > wsh(sortedmulti(2,xpub661MyMwAqRbcFW31YEwpkMuc5THy2PSt5bDMsktWQcFF8syAmRU= apSCGu8ED9W6oDMSgv6Zz8idoc4a6mr8BDzTJY47LJhkJ8UB7WEGuduB/1/0/*,xpub69H7F5d8= KSRgmmdJg2KhpAK8SR3DjMwAdkxj3ZuxV27CprR9LgpeyGmXUbC6wb7ERfvrnKZjXoUmmDznezp= bZb7ap6r1D3tgFxHmwMkQTPH/0/0/*)) > ``` > > What Blockchain Commons (and the Airgapped Wallet Community) call a polic= y > map would be > > ``` > wsh(sortedmulti(1,,,)) > ``` > > A PBKDF of that as would be unique for all 2 of 3 segwig transactions. > With the addition of the addition of the Policy Map creators optional not= e, > it would be truly unique. The Policy Map and/or PBKDF are small and could > easily added to existing APIs. > > So for legacy hardware, we can use existing 48' subtree, but 3' as the > format for this form (2' is segwit), then the desktop can just ask for th= e > /48'/0'/0'/3'/PBKDF' when it requests a new xpub from the hardware token. > More sophisticated Airgapped apps you can send > "wsh(sortedmulti(1,,,))"+label and let the cosigner app do the PBKDF, and > optionally allow it return something different in a full keyset (i.e. > "[90081696/48'/0'/0'/3'/af3948cg=E2=80=A6'/]xpub6DYLEk=E2=80=A6", and the= n the requesting > app, knowing that it is different from the PBKDF can know what to do if i= t > needs to what to ask for in the future. > > The other advantage of this technique is that the cosigner app can know > what policy it is participating in, before the descriptor is completed. I= t > may decide it doesn't want to participate in some funky 4:9 with a weird > script, and not return an xpub at all. > > Long term I think a commitment scheme should be used, so that you don't > reveal what xpub you offered until all the parties xpubs are shared, but = as > Pieter said, we can do that at the same time we do the musig. But we need > to prevent xpub reuse NOW, and I think my proposal easy and could the job= . > > -- Christopher Allen, Blockchain Commons > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --0000000000002a9df805bb22d1bc Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Thu, Feb 11, 2021 at 3:05 PM Christoph= er Allen via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
=
What Blockchain Commons (and the Airgapped Wallet Communit= y) call a policy map would be

```
wsh(sortedmulti(1,,,))
```
A PBKDF of that as would be unique for all 2 of 3 segwig transactions= . With the addition of the addition of the Policy Map creators optional not= e, it would be truly unique. The Policy Map and/or PBKDF are small and coul= d easily added to existing APIs.

So for legacy hardware, we can use = existing 48' subtree, but 3' as the format for this form (2' is= segwit), then the desktop can just ask for the /48'/0'/0'/3= 9;/PBKDF' when it requests a new xpub from the hardware token. More sop= histicated Airgapped apps you can send "wsh(sortedmulti(1,,,))"+l= abel and let the cosigner app do the PBKDF, and optionally allow it return = something different in a full keyset (i.e. "[90081696/48'/0'/0= '/3'/af3948cg=E2=80=A6'/]xpub6DYLEk=E2=80=A6", and then th= e requesting app, knowing that it is different from the PBKDF can know what= to do if it needs to what to ask for in the future.
=

Thanks Christopher, very interesting ideas... A couple = of thoughts:
1/ Generating the path index using the policy is clever. Ho= wever, I think it has 2 problems. Number #1 is with the above scheme now yo= u have a hard dependency on (policy map=C2=A0+ note) - losing (policy map += note) means that you will lose access to PBKDF', and hence the funds p= ermanently. At least with the current soluttions, you can look up what the = most common derivation paths and indices are to recover funds in the worst = case.=C2=A0
2/ Number #2 is that this wouldn't necessarily prevent X= PUB reuse. It seems like the above scheme depends on (a) the Coordinator ke= eping track accurately of all the existing PBKDF-ed indices and (b) the Sig= ner truthfully gives the XPUB at the path that the Coordinator asks for. In= reality, neither of these conditions can be guaranteed. For example, the S= igner could lie about the XPUB at=C2=A0/48'/0'/0'/3'/PBKDF&= #39; when it just keeps reusing the XPUB at=C2=A0/48'/0'/0'/2&#= 39;
3/ Preventing XPUB reuse is an interesting problem, but IMHO it is b= eyond the scope of the current proposal. Maybe worth a separate BIP?
Best,
Hugo

=C2=A0

On Thu, Feb 11, 2021 at 3:05 PM Chr= istopher Allen via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
I th= ink the key issue here is avoiding xpub key reuse in multisig. Not only in = the future with Schnorr, but we need it today!

Current common practi= ce by hardware wallets is the 48'/0'/0'/2' derivation for s= egwit multsig ( e.g. [90081696/48'/0'/0'/2']xpub6DYLEkDfCdH= zh5FHGHDJksQvFqu6kYANa1sfo6fA8n5ZWkSwyCRVVzyq9LY2eNGB6T9BKDeGJp2ZarjRZHd7WB= 95nSaFEDhFMK6zSV6D49b ) is the only one used for ALL multisigs offered by t= hat hardware wallet.

As Pieter said, leveraging a HD path parameters= can help, but we need a better, less reusable path for the index.

I= personally suggest a simpler solution, which is to create an index using a= PBKDF of the Account Policy (a descriptor with all xpubs and keys removed)= , plus optional notes. (BTW, I think double sha256 or HMAC is overkill).
Example: for the reference bit descriptor that might result in:
```
wsh(sortedmulti(2,xpub661MyMwAqRbcFW31YEwpkMuc5THy2PSt5bDMsktWQcFF8= syAmRUapSCGu8ED9W6oDMSgv6Zz8idoc4a6mr8BDzTJY47LJhkJ8UB7WEGuduB/1/0/*,xpub69= H7F5d8KSRgmmdJg2KhpAK8SR3DjMwAdkxj3ZuxV27CprR9LgpeyGmXUbC6wb7ERfvrnKZjXoUmm= DznezpbZb7ap6r1D3tgFxHmwMkQTPH/0/0/*))
```

What Blockchain Common= s (and the Airgapped Wallet Community) call a policy map would be

``= `
wsh(sortedmulti(1,,,))
```

A PBKDF of that as would be uniqu= e for all 2 of 3 segwig transactions. With the addition of the addition of = the Policy Map creators optional note, it would be truly unique. The Policy= Map and/or PBKDF are small and could easily added to existing APIs.
So for legacy hardware, we can use existing 48' subtree, but 3' as= the format for this form (2' is segwit), then the desktop can just ask= for the /48'/0'/0'/3'/PBKDF' when it requests a new xp= ub from the hardware token. More sophisticated Airgapped apps you can send = "wsh(sortedmulti(1,,,))"+label and let the cosigner app do the PB= KDF, and optionally allow it return something different in a full keyset (i= .e. "[90081696/48'/0'/0'/3'/af3948cg=E2=80=A6'/]xp= ub6DYLEk=E2=80=A6", and then the requesting app, knowing that it is di= fferent from the PBKDF can know what to do if it needs to what to ask for i= n the future.

The other advantage of this technique is that the cosi= gner app can know what policy it is participating in, before the descriptor= is completed. It may decide it doesn't want to participate in some fun= ky 4:9 with a weird script, and not return an xpub at all.

Long term I think a commitment scheme should be used, so that you don= 9;t reveal what xpub you offered until all the parties xpubs are shared, bu= t as Pieter said, we can do that at the same time we do the musig. But we n= eed to prevent xpub reuse NOW, and I think my proposal easy and could the j= ob.

-- Christopher Allen, Blockchain Commons
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--0000000000002a9df805bb22d1bc--