From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 027122907 for ; Wed, 1 May 2019 16:57:49 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from mail4.protonmail.ch (mail4.protonmail.ch [185.70.40.27]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 293D1889 for ; Wed, 1 May 2019 16:57:48 +0000 (UTC) Date: Wed, 01 May 2019 16:57:38 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=achow101.com; s=protonmail; t=1556729866; bh=zc9OMmheGPh6jjsmceSwiDlFgv+8QhK+RSNxpKOR5uk=; h=Date:To:From:Reply-To:Subject:In-Reply-To:References:Feedback-ID: From; b=Nv7Hbo0jagEjkJZEvpp01n4lWGd17IDLnje+R08OFfX6QKAVKLW1rHE6Fnyl9mVNP 9cq54nsUyyeMxILggubT1LcORDc3mqnM/nCCxKFibLblGUOSiYHfQqfGzcgf80xYTC ViQxXs7uawy8IWGJYATHWyFKeLYpEy0V7Sr0zP8I= To: bitcoin-dev@lists.linuxfoundation.org From: Andrew Chow Reply-To: Andrew Chow Message-ID: <-9vv_PTO55EHqObZe3e3wBo_sNF34p0IWbK-rkrcW4q31pQwahpqy4xJw9dq_CB2UCo1FvOz6I3EMcQM_9u5Ht3y9VFYAB2uJGkZjds84nI=@achow101.com> In-Reply-To: References: Feedback-ID: VjS95yl5HLFwBfNLRqi61OdL1ERZPmvMbZRH2ZcBR7SKVUVYPgv7VJsV9uoyC4vIfjYnW8hPXGuLTycZbh49Zw==:Ext:ProtonMail MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Thu, 02 May 2019 23:20:41 +0000 Subject: Re: [bitcoin-dev] Adding xpub field to PSBT to make multisig more secure X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 May 2019 16:57:49 -0000 Hi Stepan, I think that this would be a good extension. Just for clairty, by xpub, do you mean the extended serialization format=20 defined in BIP 32 or the Base58 check encoded string of that serialization? Andrew On 4/26/19 11:21 AM, Stepan Snigirev via bitcoin-dev wrote: > Hi list, > > I was looking at the bip174 PSBT specs, in particular for=20 > multisignature setup, and I think with current spec there is a way to=20 > steal user funds in M of N setup with M =E2=89=A4 N/2. > > I made a small write-up on this:=20 > https://github.com/stepansnigirev/random_notes/blob/master/psbt_multisig.= md > > To compress: > > Currently in PSBT there is no way to reliably say if the output uses=20 > the keys derived from the same root keys as the inputs aside from the=20 > key owned by the signer =3D> there is no way to verify that the output=20 > is a change output in multisig setup. > > Therefore an attacker can replace half of the keys in the change=20 > address by his own keys and still get the transaction signed. > > I suggest to add an xpub field to the inputs and outputs metadata,=20 > then signers can verify that the same xpubs are used for public keys=20 > in inputs and outputs =3D> output is indeed a change. > > Normally change and receiving addresses are derived from the same xpub=20 > with non-hardened derivation pathes, so providing xpub after the last=20 > hardened index should be enough to see that public keys of inputs and=20 > change output are derived from the same xpub. > > I suggest to add the following key-value pairs to PSBT: > > Type: BIP 32 public key `PSBT_IN_BIP32_XPUB =3D 0x10` > - Key: derivation path for xpub > =C2=A0 `{0x10}|{master key fingerprint}|{32-bit int}|...|{32-bit int}` > - Value: 78-byte xpub value > =C2=A0 `{xpub}` > > Type: BIP 32 public key `PSBT_OUT_BIP32_XPUB =3D 0x03` > - Key: derivation path for xpub > =C2=A0 `{0x03}|{master key fingerprint}|{32-bit int}|...|{32-bit int}` > - Value: 78-byte xpub value > =C2=A0 `{xpub}` > > Derivation paths are in the key of the key-value pair as they are used=20 > for lookup, and xpub itself is the actual value being looked up. > > I also want to mention that Trezor for example doesn't suffer from=20 > this problem as they use xpubs to verify change outputs. So it may=20 > make sense to go through the communication protocols of existing=20 > hardware / multisignature wallets and see if there is something else=20 > we are missing. > > If everyone is happy about the proposal I would prepare a pull request=20 > to the bip. > > Best regards, > Stepan Snigirev. >