Return-Path: Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 2E5DEC000A for ; Mon, 12 Apr 2021 15:03:28 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id 29E4460A95 for ; Mon, 12 Apr 2021 15:03:28 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: 0.602 X-Spam-Level: X-Spam-Status: No, score=0.602 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: smtp3.osuosl.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7RRjju402p7f for ; Mon, 12 Apr 2021 15:03:26 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) by smtp3.osuosl.org (Postfix) with ESMTPS id 3F51760658 for ; Mon, 12 Apr 2021 15:03:26 +0000 (UTC) Received: by mail-lf1-x12c.google.com with SMTP id e14so9162244lfn.11 for ; Mon, 12 Apr 2021 08:03:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Jxry+R0k+MVOP+oZIaJt86UH+o24vqYV3czQ/btshOs=; b=gBAtKMJbjjudNrf9FIZzfKy+Ey5VQ66+Armr9cbAXYhKFrbI9LIZbMyYNDwNAnOeVo tUr0vfWTb7itzxt6TAti4a03EWOH3Fi7e4f8uThUk9o0YFnMmyZurATA/Q8MnktrSJBc R/mV82vO66ublcWLhp0yWpWwG+wX3c0lNhepjT7RIO089WNlOcP9RL9gL4/9UGICi2X4 8C6wi65wQQzjU5BK2SdIRyfpY1pDDgNLeVuyzUCBSCD056zFehAaUTNZKIIRM4aFL+JZ Buj0RRDJUic4J2cdrYj8FYtNBR+/QmQhhqtEH1cveISxz/JlTECgy0ZHTekOImNPeBNq lbNQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Jxry+R0k+MVOP+oZIaJt86UH+o24vqYV3czQ/btshOs=; b=eGoQnbQw49rrmsx7EFTFUKAj4RLGo2ZPNG3MPfU1SqFJ2uV/hKvX8T4PY9ioY528m8 IpksRD9u4wEWw/E8RyUWJcHKhGmQt+kwRBhBYuEs8H8XBpBKSrTxren//Y/uJFC+SnZq SDXcDgnuQ6WFQ12irHeV0B5QznJOWLaD9ncauLLge1vw575bvLElIVBOcuFrjl9P4/VP jbCyJbfM4y8zV22adfjViH/ufpAsZzgaQgIFSCC/kJiR6K4yqzmYoRPmfasI0ou3Qzqo 3AOMZ2HKK2PTXoojvGf7qK7FHCYHamYOTJn0unkXcynckghddbQaD2yQed5DhT1jFoJW NeFw== X-Gm-Message-State: AOAM533BDoLbkMIXriTNWBGmFoRFnfP2P2CYbhVLsJB8xO+VDdp43tzq T0NiovLVibIXl8kM5NqIw9TWepybFFNfYC259kc= X-Google-Smtp-Source: ABdhPJw2gg3rf3D9IglV2DddrH04fZKXZ1WIQOdqOIoXsRAMD3j02/gMuoxy6S8/FLXJKTkIRfPXSFgibvBJBd5daPI= X-Received: by 2002:a19:b94:: with SMTP id 142mr12051989lfl.309.1618239804090; Mon, 12 Apr 2021 08:03:24 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Salvatore Ingala Date: Mon, 12 Apr 2021 17:03:12 +0200 Message-ID: To: Hugo Nguyen , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="000000000000af2c2705bfc7d014" X-Mailman-Approved-At: Mon, 12 Apr 2021 15:45:31 +0000 Subject: Re: [bitcoin-dev] Proposal: Bitcoin Secure Multisig Setup X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Apr 2021 15:03:28 -0000 --000000000000af2c2705bfc7d014 Content-Type: text/plain; charset="UTF-8" Hi Hugo, First of all, thank you for the impressive work on leading the standardization efforts! I believe one ought to more clearly distinguish the "Signer" (as in: one of the parties in the multisig setup), from the "*Signing device*" (which is likely a hardware wallet). BSMS defines a "Signer" as "a participating member in the multisig", therefore a person/entity who is likely using both a hardware wallet and some BSMS-friendly software wallet (e.g. the next version of Specter Desktop). It is therefore relevant to discuss which parts of the BSMS mechanism are implemented in the Signer's software wallet, and which should be in the Signer's hardware wallet. From the discussion, it appears to me that different people might have different expectations on what the signing device/HWW should do, so I would like to comment on this point specifically (while I reckon that it mostly falls within the realm of concerns #4 and #5 of the motivation paragraph, which are explicitly left out of scope). I fully agree that a *Signer* must persist the full wallet's description, and should also create physical backups which include the full descriptor and the cosigner's information. I would disagree, however, if any standards were to force *hardware wallets* to persist any substantial amount of state other than the seed, as I believe that it gives no substantial advantage over externally stored signed data for many use cases. The following is the *wallet registration flow* I am currently working on (in the context of adding support to multisig wallets at Ledger). The goal is to allow a *Signer* (the person) to persist a multisig setup in its storage, while achieving a similar level of security you would have if you were storing it on the hardware wallet itself (note that the following flow would happen as part of Round 2): 1) The desktop wallet of the requests the HWW to register a new multisig wallet. The request includes the full multisig wallet description, and some extra metadata (e.g.: a name to be associated to this multisig wallet). 2) The HWW validates the wallet and verifies it with the user with the trusted screen (as per BSMS Round 2); on confirmation, it returns a wallet id (which is a vendor-specific hash of all the wallet description + metadata) and signature 3) The desktop wallet stores the full wallet description/id/signature. (Optionally, a backup could be stored elsewhere). Whenever an operation related to the multisig wallet is required (verifying a receiving address, or signing a spending transaction), the HWW first receives and verifies all the data stored at step 3 above (without any user interaction). Then it proceeds exactly the same way as if it had always stored the multisig wallet in their own storage. I think this is basically the same flow Michael Flaxman is suggesting here: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-April/018775.html (Note that none of this is flow specific to Multisig wallet, as the same flow would be unchanged for any arbitrary supported script that needs to be "registered" on a stateless device, and can be generalized for MPC protocols) The only caveat I can think of is that the script registration is never revocable if a signing key derived from the seed is used in step (2), which might or might not be desirable. One could instead prefer to use a different signing key that is destroyed if the device is wiped, which would therefore need to be stored on the device. Note that the only thing that is lost is the on-device multisig wallet registration, which could easily be repeated from a backup. On Sun, 11 Apr 2021 at 19:11, Hugo Nguyen via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > I reiterate that I strongly disagree that going stateless is the direction > we want to pursue when it comes to multisig. > > In a multisig or any type of MPC smart contract, any Signer in the > contract must know who the other co-Signers are at all times. You can > choose to do this verification once at setup and persist this info on the > Signer, or you'd have to re-do the verification for every single > transaction. There is no other choice. > > Signing the descriptor record is insufficient, while also introducing a > great deal of complexity. Here are the problems: > 1) The signature needs to be stored somewhere. Who stores it if it's not > the Signer itself? What if it gets lost? (If the Signer stores its own > signature, then the scheme is no longer stateless. You might as well store > the full descriptor). > In the flow I describe above, the desktop wallet would indeed store the signed descriptor record and wallet metadata. So yes, the *Signer* as in *the party in the protocol* stores it, but not the signing device*. *The same method could be used to store state temporarily between round 1 and 2, where the only *state* on the hardware wallet would be the TOKEN, while everything else is stored (encrypted and signed) on the Signer's desktop. > 2) When the signature is "played back" to the Signer, a copy of the > original descriptor must be included. Who stores the descriptor? What if it > gets lost? This is an under-appreciated aspect of the stateful approach: > every participant in the multisig has a full copy of the original contract, > which adds resilience to the wallet backup / recovery process. > "Playing back" the signature and wallet's setup data to the hardware wallet would indeed happen transparently from the Signer's wallet software. If the Signer lost this data due to malware, faulty hardware, etc., the user would indeed have to recover from backup, which seems ok to me. > 3) Because the full descriptor must be "played back" for every single > transaction, this means every detail of the contract must be shared again > and again, indefinitely. Not only does this add overhead (engineering and > cognitive) to the spending process, it has massive privacy implications, > since the descriptor contains everything you need to know about the wallets > and its participants. > I agree with some of these concerns, but I observe: - The engineering overhead in handling externally-stored-signed-data is paid once, and would mostly fall on the hardware wallet vendor. External software only cares about storing certain data and sending it back later. - Storing xpubs/descriptors in the desktop software that interacts with the HWW is already common practice, and necessary for using any watch-only wallet. Summarizing, I argue that the stateful/stateless characteristic of a hardware wallet does not really affect (modulo some extra work) the ability to participate in the BSMS ceremony, whose *Signers* should indeed be stateful. Some more clarifications on the trust assumptions might help at clarifying the best possible software/hardware implementation tradeoffs, either in this or a follow-up BIP. Best, Salvatore Ingala --000000000000af2c2705bfc7d014 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi Hugo,

First of all, thank= =C2=A0you for the impressive work on leading the standardization efforts!

I believe one ought to more clearly disti= nguish the "Signer" (as in: one of the parties in the multisig se= tup), from the "Signing device" (which is likely a hardwar= e wallet). BSMS defines a "Signer" as "a participating membe= r in the multisig",=C2=A0 therefore a person/entity who is likely usin= g both a hardware wallet and some BSMS-friendly software wallet (e.g. the n= ext version of Specter Desktop). It is therefore relevant to discuss which = parts of the BSMS mechanism are implemented in the Signer's software wa= llet, and which should be in the Signer's hardware wallet.
Fr= om the discussion, it appears to me that different people might have differ= ent expectations on what the signing device/HWW should do, so I would like = to comment on this point specifically (while I reckon that it mostly falls = within the realm of concerns #4 and #5 of the motivation paragraph, which a= re explicitly left out of scope).

I fully agree th= at a Signer=C2=A0must persist the full wallet's description, and= should also create physical backups which include the full descriptor and = the cosigner's information. I would disagree, however, if any standards= were to force hardware wallets to persist any substantial amount of= state other than the seed, as I believe that it gives no substantial advan= tage over externally stored signed data for many use cases.

The following is the wallet registration=C2=A0flow I= am currently working on (in the context of adding support to multisig wall= ets at Ledger). The goal is to allow a=C2=A0Signer=C2=A0(the person)= to persist a multisig setup in its storage, while achieving a similar=C2= =A0level of security you would have if you were storing it on the hardware = wallet itself (note that the following flow would happen as part of Round 2= ):

1) The desktop wallet of the requests the HWW t= o register a new multisig wallet. The request includes the full multisig wa= llet description, and some extra metadata (e.g.: a name to be associated to= this multisig wallet).
2) The HWW validates the wallet and verif= ies it with the user with the trusted screen (as per BSMS Round 2); on conf= irmation, it returns a wallet id (which is a vendor-specific hash of all th= e wallet description=C2=A0+ metadata) and signature
3) The deskto= p wallet stores the full wallet description/id/signature. (Optionally, a ba= ckup could be stored elsewhere).

Whenever an opera= tion related to the multisig wallet is required (verifying a receiving addr= ess, or signing a spending transaction), the HWW first receives and verifie= s all the data stored at step 3 above (without any user interaction). Then = it proceeds exactly the same way as if it had always stored the multisig wa= llet in their own storage. I think this is basically the same flow Michael = Flaxman is suggesting here:=C2=A0https://lists.linuxfoundat= ion.org/pipermail/bitcoin-dev/2021-April/018775.html

(Note that none of this is flow specific to Multisig wallet, as the = same flow would be unchanged for any arbitrary supported script that needs = to be "registered" on a stateless device, and can be generalized = for MPC protocols)

The only caveat I can think of = is that the script registration is never revocable if a signing key derived= from the seed is used in step=C2=A0(2), which might or might not be desira= ble. One could instead prefer to use a different=C2=A0signing key that=C2= =A0is destroyed if the device is wiped, which would therefore need to be st= ored on the device. Note that the only thing that is lost is the on-device = multisig wallet registration, which could easily be repeated=C2=A0from a ba= ckup.


Signing the=C2=A0descriptor record is insufficient, while al= so=C2=A0introducing a great deal of complexity. Here are the problems:
1= ) The signature needs to be stored somewhere. Who stores it if it's not= the Signer itself? What if it gets lost? (If the Signer stores its own sig= nature, then the scheme is no longer stateless. You might as well store the= =C2=A0full descriptor).

In the flow I describe above, the desktop wallet would indeed store the = signed descriptor record and wallet metadata. So yes, the Signer=C2= =A0as in the party in=C2=A0the protocol=C2=A0stores it,=C2=A0but not= the signing device. The same method could be used to store state te= mporarily between round 1 and 2, where the only state=C2=A0on the ha= rdware wallet would be the TOKEN, while everything else is stored (encrypte= d and signed) on the Signer's desktop.
2) When the signature is "played back" to the S= igner, a copy of the original descriptor must be included. Who stores the d= escriptor? What if it gets lost? This is an under-appreciated aspect of the= stateful approach: every participant in the multisig has a full copy of th= e original contract, which adds resilience to the wallet backup / recovery = process.

"Playin= g back" the signature and wallet's setup data to the hardware wall= et would indeed happen transparently from the Signer's wallet software.= If the Signer lost this data due to malware, faulty hardware, etc., the=C2= =A0user would indeed have to recover from backup, which seems ok to me.
=C2=A0
3) Because the full descriptor m= ust be "played back" for every single transaction, this means eve= ry detail of the contract must be shared again and again,=C2=A0indefinitely= . Not only does this add overhead (engineering and cognitive) to the spendi= ng process, it has massive privacy implications, since the descriptor conta= ins everything you need to know about the wallets and its participants.
=

I agree with some of the= se concerns, but I observe:
- The engineering overhead in handlin= g externally-stored-signed-data is paid once, and would mostly fall on the = hardware wallet vendor. External software only cares about storing certain = data and sending it back later.
- Storing xpubs/descriptors in th= e desktop software that interacts with the=C2=A0HWW is already common pract= ice,=C2=A0and necessary for using any watch-only wallet.

Summarizing, I argue that the stateful/stateless characteristic of a= hardware wallet does not really affect (modulo some extra work) the abilit= y to participate in the BSMS ceremony, whose Signers=C2=A0should ind= eed be stateful.
Some more clarifications on the trust assumption= s might help at clarifying the best possible software/hardware implementati= on tradeoffs, either in this or a follow-up BIP.

B= est,
Salvatore Ingala
--000000000000af2c2705bfc7d014--