From: jan matejek
To: bitcoin-dev@lists.linuxfoundation.org
Subject: Re: [bitcoin-dev] Adding xpub field to PSBT to make multisig more secure
Date: Wed, 8 May 2019 09:54:53 +0200
Message-ID: <9e85b47c-6ba9-ab85-03f1-eb0ddf3022de@satoshilabs.com>
In-Reply-To: <20190507184034.0a72a9c7@simplexum.com>
References: <20190503132945.GR810@coinkite.com> <20190507184034.0a72a9c7@simplexum.com>

hello,

On 07. 05. 19 15:40, Dmitry Petukhov via bitcoin-dev wrote:
> At the setup phase, hardware wallet can sign a message that consists of
> xpubs of participants, and some auxiliary text. It can use the key
> derived from the master key, with path chosen specifically for this
> purpose.

This seems overly complicated. What is your threat model?

IIUC, each individual multisig signature also signs the set of signers
(through signing the redeem-script (or scriptPubKey in address-based
multisig)).

So if an attacker gives me bad xpubs, I will sign them, but the signature
won't be valid for the given multisig output - even if the attacker manages
to trick 2 of 3 signers and recombine their signatures.

Therefore, the input==output check is sufficient: if I use the same set of
signers for an input and an output, I can be sure that the change goes to
the same multisig wallet.

Or is there something I'm missing?

The weak spot is the part where you generate the receiving address, because
that "creates" the particular multisig wallet. But that's nothing to do with
PSBT.
> This would allow to distinguish the trusted output even if the inputs
> are not all derived from the same set of xpubs, that could happen in
> more complex scenarios (batching, key rotation, etc.), and can possibly
> be used to have several different types of 'trusted' outputs.

This seems to be an attempt at a different, much broader problem. And it
won't help if the attacker can replay a different trusted-xpub package
(e.g., one that contains a revoked previously compromised key).

regards
m.
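The input==output check discussed in this thread, as an added example that is not part of the original mails or of any wallet firmware: it models the PSBT key-origin data (master fingerprint plus BIP32 path) a signer sees for each multisig input and output, and accepts an output as change only if its quorum and full cosigner set match those shared by every input. The `KeyOrigin`/`MultisigSlot` types, the BIP48-style paths and all fingerprints are constructed for the example; it also rejects the mixed-input case Dmitry mentions, since the simple check cannot decide there.

```python
from dataclasses import dataclass

HARDENED = 0x80000000

@dataclass(frozen=True)
class KeyOrigin:
    """PSBT-style BIP32 key origin: master-key fingerprint plus derivation path."""
    fingerprint: str  # 4-byte fingerprint as hex; all values below are constructed
    path: tuple

@dataclass(frozen=True)
class MultisigSlot:
    """One PSBT input or output: quorum from its redeem script plus the key origins."""
    threshold: int
    origins: tuple

def parse_path(text):
    """Turn "m/48'/0'/0'/2'/1/5" into integers with the hardened bit set."""
    parts = text.split("/")[1:]
    return tuple((int(p[:-1]) | HARDENED) if p.endswith("'") else int(p) for p in parts)

def wallet_key(origin, account_depth=4):
    """Identity of one cosigner's account xpub: fingerprint plus the account-level
    prefix. The trailing change/index components differ per address, so drop them."""
    return (origin.fingerprint, origin.path[:account_depth])

def signer_set(slot):
    """The set of cosigner accounts behind a slot; order in the script is irrelevant."""
    return frozenset(wallet_key(o) for o in slot.origins)

def is_change_to_same_wallet(inputs, output):
    """The input==output check from the thread: treat an output as our change only
    if its quorum and its whole cosigner set equal those shared by every input."""
    if not inputs:
        return False
    quorum, expected = inputs[0].threshold, signer_set(inputs[0])
    if any(i.threshold != quorum or signer_set(i) != expected for i in inputs):
        return False  # inputs from mixed wallets: this simple check cannot decide
    return output.threshold == quorum and signer_set(output) == expected

def make_slot(threshold, fingerprints, path):
    """Build a slot where every cosigner uses the same relative path (BIP48 style)."""
    return MultisigSlot(threshold, tuple(KeyOrigin(fp, parse_path(path)) for fp in fingerprints))

COSIGNERS = ("deadbeef", "01234567", "89abcdef")  # constructed 2-of-3 wallet
SPENT_INPUT = make_slot(2, COSIGNERS, "m/48'/0'/0'/2'/0/3")
HONEST_CHANGE = make_slot(2, COSIGNERS, "m/48'/0'/0'/2'/1/0")
# An attacker swaps one cosigner's xpub for their own: the set no longer matches.
SWAPPED_CHANGE = make_slot(2, ("deadbeef", "badc0ffe", "89abcdef"), "m/48'/0'/0'/2'/1/0")
```

A real signer would take the fingerprints and paths from the PSBT_IN_BIP32_DERIVATION / PSBT_OUT_BIP32_DERIVATION fields and the quorum from the parsed redeem or witness script; the comparison logic stays the same.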