From: Peter Todd
To: Bitcoin Dev
Date: Sat, 27 Jul 2013 21:20:08 -0400
Subject: Re: [Bitcoin-development] Two factor wallet with one-time-passwords
Message-ID: <20130728012008.GA19958@savin>
In-Reply-To: <20130727234918.GA11635@savin>

On Sat, Jul 27, 2013 at 07:49:18PM -0400, Peter Todd wrote:
> Implementation
> ==============
> 
> Savings use P2SH outputs matching the following scriptPubKey form:
> 
>     HASH160 EQUALVERIFY CHECKSIG
> 
> spent with:
> 

FWIW with some minor scripting language additions such as access to txin
and txout contents, along with merklized abstract syntax tree (MAST)
support, we can even implement a version where scriptPubKeys can be
reused:

    CHECKSIGVERIFY

    // Verify we aren't spending more than the maximum spend amount
    0 GET-TXIN-VALUE  // relative indexing
    0 GET-TXOUT-VALUE
    SUB
    LESSTHAN VERIFY

    // If the txout is greater than the maximum spend amount force it to
    // also follow these same rules.
    0 GET-TXOUT-VALUE
    LESSTHAN
    IFNOT
        GET-THIS-SCRIPT MAST-HASH
        CAT
        GET-TXOUT-SCRIPT
        EQUALVERIFY
    ENDIF

    // Hash the provided oracle nonce, saving original for later.
    DUP HASH160

    // Use the txid:vout nonce as an index to a table, embedded with MAST
    // script compression.
    0 GET-TXIN-TXID
    0 GET-TXIN-VOUT
    CAT
    HASH160

    // The table, n=64 levels deep, not all levels shown for brevity.
    DUP 1 AND
    IF
    1 RSHIFT
    DUP 1 AND
    IF
    1 RSHIFT
    DUP 1 AND
    IF
    ELSE
    1 RSHIFT
    DUP 1 AND
    IF
    // Lowest level contains the following pushdata,
    // with 0 <= i < 2^64
    ELSE
    ENDIF
    ELSE
    ENDIF
    ELSE
    ENDIF

    // Drop the txid:vout nonce
    SWAP DROP

    // Verify that the hash of the nonce and the pre-committed value in
    // the H(nonce) table match.
    EQUALVERIFY

    // Stack now only contains the nonce preceded by a merkle path linking
    // that nonce to the tip of a merkle tree over all nonces.
    //
    // Verify that path.
    SWAP  // Move direction flag to the top
    IF
        SWAP
    ENDIF
    HASH160

    (repeat above five lines 63 more times)

    EQUAL

The scriptPubKey is spent by the following scriptSig:

    ...

(note that I've left off a number of possible optimizations for clarity)

Now when the user wishes to spend a txout greater than their spending
limit their wallet software will first give them a short 6 word string
calculated from the last 64-bits of H(txid:vout). They simply enter this
string into their phone, ideally via convenient qr-code or voice/thought
recognition, and their phone provides a second short 6 word string to
enter into the wallet software on their computer, authorizing the
payment. If they opt for a paper-based one-time-password table they
simply use the 6 word string as an index to their pre-printed OTP
encyclopedia set.

Like the previously described version the security level is still a
healthy 2^64 - again the attacker needs to find a 64-bit pre-image,
considered to be a highly difficult task for any attacker unable to
count from 0 to 2^64 or store a table containing 2^64 values.

There is the disadvantage of the large storage requirements for both
wallets; however, because of the double hashed construction,
H(H(nonce-secret+i)), neither table needs to be kept secret. Thus
without loss of security both tables can be easily stored in a
distributed hash table in the cloud and queried as needed.

-- 
'peter'[:-1]@petertodd.org
0000000000000012199fe3f1f54921e8e11c0b0d318ed6245dee22a4ad55bc65
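As an added illustration (my own toy model, not code from Peter Todd's post): the phone-side OTP H(nonce-secret+i), the publishable table H(H(nonce-secret+i)) with its merkle root, the txid:vout-derived index, and the two checks the script performs (EQUALVERIFY against the committed entry, then the merkle path to the tip). Assumptions: SHA-256 stands in for HASH160, the table is 2^4 entries instead of 2^64, and the nonce-secret, txid and the byte encodings of i and vout are constructed sample values.

```python
import hashlib

DEPTH = 4                                  # toy table of 2^4 nonces; the post uses n=64
NONCE_SECRET = b"constructed nonce-secret"  # constructed sample; only the phone holds it

def h(data: bytes) -> bytes:
    """Stand-in for the script's HASH160 (SHA-256 used for portability; assumption)."""
    return hashlib.sha256(data).digest()

def otp(secret: bytes, i: int) -> bytes:
    """Phone side: the one-time password for index i is H(nonce-secret + i)."""
    return h(secret + i.to_bytes(8, "big"))

def public_table(secret: bytes, depth: int) -> list:
    """H(H(nonce-secret + i)) for every i: committed in the script, safe to publish."""
    return [h(otp(secret, i)) for i in range(1 << depth)]

def _parent_level(level: list) -> list:
    return [h(level[j] + level[j + 1]) for j in range(0, len(level), 2)]

def merkle_root(leaves: list) -> bytes:
    while len(leaves) > 1:
        leaves = _parent_level(leaves)
    return leaves[0]

def merkle_path(leaves: list, i: int) -> list:
    """Wallet side: (sibling, flag) pairs for the scriptSig; flag=1 means our node is the right child."""
    path, level = [], leaves
    while len(level) > 1:
        path.append((level[i ^ 1], i & 1))
        level, i = _parent_level(level), i >> 1
    return path

def nonce_index(txid: bytes, vout: int, depth: int) -> int:
    """0 GET-TXIN-TXID 0 GET-TXIN-VOUT CAT HASH160, then the low bits pick the table entry."""
    digest = h(txid + vout.to_bytes(4, "little"))
    return int.from_bytes(digest[-8:], "little") & ((1 << depth) - 1)

def script_verify(root: bytes, table_entry: bytes, password: bytes, path: list) -> bool:
    """What the scriptPubKey checks: H(password) == committed entry, then the path hashes to the tip."""
    if h(password) != table_entry:              # EQUALVERIFY against the MAST-embedded entry
        return False
    node = table_entry
    for sibling, is_right in path:              # one SWAP / IF SWAP ENDIF / HASH160 round per level
        node = h(sibling + node) if is_right else h(node + sibling)
    return node == root

def spend(table: list, txid: bytes, vout: int, password: bytes) -> bool:
    i = nonce_index(txid, vout, DEPTH)          # wallet derives the index from the input being spent
    return script_verify(merkle_root(table), table[i], password, merkle_path(table, i))
```

The wallet only ever needs the public table (which the post notes can live in a DHT), while the password for one index comes from the phone or the printed OTP set.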