From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id BAEA3BA0 for ; Tue, 13 Aug 2019 14:15:39 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from outmail148100.authsmtp.co.uk (outmail148100.authsmtp.co.uk [62.13.148.100]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 1589D8D for ; Tue, 13 Aug 2019 14:15:38 +0000 (UTC) Received: from mail-c233.authsmtp.com (mail-c233.authsmtp.com [62.13.128.233]) by punt17.authsmtp.com. (8.15.2/8.15.2) with ESMTP id x7DEFaYJ021600; Tue, 13 Aug 2019 15:15:36 +0100 (BST) (envelope-from user@petertodd.org) Received: from petertodd.org (ec2-52-5-185-120.compute-1.amazonaws.com [52.5.185.120]) (authenticated bits=0) by mail.authsmtp.com (8.15.2/8.15.2) with ESMTPSA id x7DEFY8a022371 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 13 Aug 2019 15:15:35 +0100 (BST) (envelope-from user@petertodd.org) Received: from [127.0.0.1] (localhost [127.0.0.1]) by petertodd.org (Postfix) with ESMTPSA id DA6B540160; Tue, 13 Aug 2019 14:15:33 +0000 (UTC) Received: by localhost (Postfix, from userid 1000) id B45F421A53; Tue, 13 Aug 2019 10:15:32 -0400 (EDT) Date: Tue, 13 Aug 2019 10:15:32 -0400 From: Peter Todd To: Bryan Bishop Message-ID: <20190813141532.zv5n5ghii5e44qsf@petertodd.org> References: <20190812150110.yf76pq47e5oszx62@petertodd.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="yjxrtbbgvuymbxoa" Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20170113 (1.7.2) X-Server-Quench: d15f82da-bdd4-11e9-8757-84349711df28 X-AuthReport-Spam: If SPAM / abuse - report it at: http://www.authsmtp.com/abuse X-AuthRoute: OCd2Yg0TA1ZIVwkA IjsJECJaVQIpKltL GxAVKBZePFsRUQkR aAdMdwEUGUATAgsB Am8bWlFeUVh7WmY7 bghPaBtcak9QXgdq T0pMXVMcXAIcdGpo Dk8eUBtxcAQIfnl0 Ywg2X3UNVEYuJFsv FhpQCGwHMG59YGca V11QcwBQeQRLf0sT aFgxNiYHcQ5VPz4z GA41ejw8IwAXAiVJ SQYMKxoMSFsPAiV0 WBEeHX0mG1EEAjkz IhI6YkQRF0EPP18j dlAlUE0SOhQRaEVb EkpNCSlYPFwaL/// X-Authentic-SMTP: 61633532353630.1021:706 X-AuthFastPath: 0 (Was 255) X-AuthSMTP-Origin: 52.5.185.120/25 X-AuthVirus-Status: No virus detected - but ensure you scan with your own anti-virus system. X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] Bitcoin vaults with anti-theft recovery/clawback mechanisms X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Aug 2019 14:15:39 -0000 --yjxrtbbgvuymbxoa Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Aug 12, 2019 at 09:09:43PM -0500, Bryan Bishop wrote: > > > Multisig gated by ECDSA pubkey recovery for provably-unknown keys > > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > > > > > > A group can participate in a multisig scheme with provably-unknown EC= DSA > > keys. > > > Instead of deleting the key, the idea is to agree on a blockheight and > > then > > > select the blockhash (or some function of the chosen blockhash like > > > H(H(H(blockhash)))) as the signature. Next, the group agrees on a > > transaction > > > and they recover the public key from the signature using ECDSA pubkey > > recovery. > > > > Could you explain in more detail why you're deriving this from a blockh= ash? > > >=20 > Well you need to pick an entropy source, and I wouldn't want to tell peop= le > to just trust the first party to tell you a good sequence of bytes. But why does this specifically need to be entropy? If I understand the scheme correctly, the important thing is for the ECDSA private key to be unknown. Under the standard assumption that hash functions are random oracles, hashing anything should be sufficient to create a pubkey whose private key is unknown. Secondly, there's probably better slightly privacy if a random nonce is cho= sen (perhaps by concatenating a nonce from each party) rather than picking pubk= eys unique to this use-case. --=20 https://petertodd.org 'peter'[:-1]@petertodd.org --yjxrtbbgvuymbxoa Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEFcyURjhyM68BBPYTJIFAPaXwkfsFAl1SxgAACgkQJIFAPaXw kfsZ8wf9EGAyzVxPI5ywhq2aSQbvuvCXMiZUq17D8z9clqgzKcpaB0CLfRD16Nbc k/fngjyFQyGbmN4iJRHX1CP3E/Rv34UzL+9ahcqBqnZYiJoo8wAyxUj8sTrKwZUu syEDMQwSlMXe7+ZegAjkM3jucJvpsrQFjEz3iJ5/yxpjW64wted/Df3dNli4gQGV jiw2wi9hFjbubIutuk4rOvWfgzOVJt2nwsIgh29FOw94086LuKTkMkxMGtXicJei CnxQ3QPjRAvwIz4JbG0zT8hPdGp6N/SrX+1Pf1j0FIogl1wDVYdMYLQS7eQ51iuV 9tJ1GaNQnMVOoPSk17YT9cBzRfAX1A== =gGP1 -----END PGP SIGNATURE----- --yjxrtbbgvuymbxoa--