public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: "Peter D. Gray" <peter@coinkite.com>
To: Christopher Allen <ChristopherA@lifewithalacrity.com>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Proposal: Bitcoin Secure Multisig Setup
Date: Fri, 12 Feb 2021 08:48:16 -0500	[thread overview]
Message-ID: <20210212134816.GM47135@coinkite.com> (raw)
In-Reply-To: <CACrqygAMG67dajktTcq9hgyhfu2u1NRSHzkM345=jc6NLDUsbg@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 3534 bytes --]

Hard no to this idea:

On Thu, Feb 11, 2021 at 02:29:46PM -0800, Christopher Allen proposed:
...
> /48'/0'/0'/3'/PBKDF(complex string)'

As someone who has helped people find UTXO at key paths they didn't
know/want, this is a terrible idea. Key derivation paths should be
small, sequential integers, so they can be searched in reasonable time.

Of course when things are working it doesn't matter, but the stakes
can be very high when they stop working.

This is true for multisig and single signer.

---
Peter D. Gray  ||  Founder, Coinkite  ||  Twitter: @dochex  ||  GPG: A3A31BAD 5A2A5B10

On Thu, Feb 11, 2021 at 02:29:46PM -0800, Christopher Allen wrote:
> I think the key issue here is avoiding xpub key reuse in multisig. Not only
> in the future with Schnorr, but we need it today!
> 
> Current common practice by hardware wallets is the 48'/0'/0'/2' derivation
> for segwit multsig ( e.g.
> [90081696/48'/0'/0'/2']xpub6DYLEkDfCdHzh5FHGHDJksQvFqu6kYANa1sfo6fA8n5ZWkSwyCRVVzyq9LY2eNGB6T9BKDeGJp2ZarjRZHd7WB95nSaFEDhFMK6zSV6D49b
> ) is the only one used for ALL multisigs offered by that hardware wallet.
> 
> As Pieter said, leveraging a HD path parameters can help, but we need a
> better, less reusable path for the index.
> 
> I personally suggest a simpler solution, which is to create an index using
> a PBKDF of the Account Policy (a descriptor with all xpubs and keys
> removed), plus optional notes. (BTW, I think double sha256 or HMAC is
> overkill).
> 
> Example: for the reference bit descriptor that might result in:
> 
> ```
> wsh(sortedmulti(2,xpub661MyMwAqRbcFW31YEwpkMuc5THy2PSt5bDMsktWQcFF8syAmRUapSCGu8ED9W6oDMSgv6Zz8idoc4a6mr8BDzTJY47LJhkJ8UB7WEGuduB/1/0/*,xpub69H7F5d8KSRgmmdJg2KhpAK8SR3DjMwAdkxj3ZuxV27CprR9LgpeyGmXUbC6wb7ERfvrnKZjXoUmmDznezpbZb7ap6r1D3tgFxHmwMkQTPH/0/0/*))
> ```
> 
> What Blockchain Commons (and the Airgapped Wallet Community) call a policy
> map would be
> 
> ```
> wsh(sortedmulti(1,,,))
> ```
> 
> A PBKDF of that as would be unique for all 2 of 3 segwig transactions. With
> the addition of the addition of the Policy Map creators optional note, it
> would be truly unique. The Policy Map and/or PBKDF are small and could
> easily added to existing APIs.
> 
> So for legacy hardware, we can use existing 48' subtree, but 3' as the
> format for this form (2' is segwit), then the desktop can just ask for the
> /48'/0'/0'/3'/PBKDF' when it requests a new xpub from the hardware token.
> More sophisticated Airgapped apps you can send
> "wsh(sortedmulti(1,,,))"+label and let the cosigner app do the PBKDF, and
> optionally allow it return something different in a full keyset (i.e.
> "[90081696/48'/0'/0'/3'/af3948cg…'/]xpub6DYLEk…", and then the requesting
> app, knowing that it is different from the PBKDF can know what to do if it
> needs to what to ask for in the future.
> 
> The other advantage of this technique is that the cosigner app can know
> what policy it is participating in, before the descriptor is completed. It
> may decide it doesn't want to participate in some funky 4:9 with a weird
> script, and not return an xpub at all.
> 
> Long term I think a commitment scheme should be used, so that you don't
> reveal what xpub you offered until all the parties xpubs are shared, but as
> Pieter said, we can do that at the same time we do the musig. But we need
> to prevent xpub reuse NOW, and I think my proposal easy and could the job.
> 
> -- Christopher Allen, Blockchain Commons



[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

  parent reply	other threads:[~2021-02-12 13:56 UTC|newest]

Thread overview: 37+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-08 23:14 [bitcoin-dev] Proposal: Bitcoin Secure Multisig Setup Hugo Nguyen
2021-02-09  9:33 ` Craig Raw
     [not found] ` <CACrqygA1JRA293joYOxxpSepiuFD=uVvQQy3wpuosYyLQHff-A@mail.gmail.com>
2021-02-09  9:38   ` Christopher Allen
2021-02-09 10:05   ` Hugo Nguyen
     [not found]     ` <CACrqygDhuateDtJMBSWd9sGRu1yzrZBw2yZ75OyKD1Xmzix3Cw@mail.gmail.com>
2021-02-09 10:58       ` Hugo Nguyen
2021-02-11 13:25         ` Pavol Rusnak
2021-02-11 13:45           ` Hugo Nguyen
2021-02-11 16:29             ` Dmitry Petukhov
2021-02-11 19:11               ` Hugo Nguyen
2021-02-11 19:11                 ` Hugo Nguyen
2021-02-11 22:29                   ` Christopher Allen
2021-02-12 12:31                     ` Hugo Nguyen
2021-02-12 13:48                     ` Peter D. Gray [this message]
2021-02-12 16:55               ` Hugo Nguyen
2021-02-12 17:42                 ` Dmitry Petukhov
2021-02-12 17:48                   ` Dmitry Petukhov
2021-02-12 17:54                   ` Hugo Nguyen
2021-02-14 10:37                     ` Dmitry Petukhov
2021-02-14 11:28                       ` Dmitry Petukhov
     [not found] ` <CAPR5oBNWGLcnw97yPJBCgrj=EwoNdxz_RS9HM6EMpuX2-90JnQ@mail.gmail.com>
2021-02-09  9:45   ` Hugo Nguyen
2021-02-15  8:44 ` Hugo Nguyen
2021-02-15 13:53   ` Craig Raw
2021-02-15 14:19     ` Hugo Nguyen
2021-02-15 16:45       ` Hugo Nguyen
2021-04-05  7:02 ` Hugo Nguyen
2021-04-09 12:07   ` Sjors Provoost
2021-04-09 14:09     ` Hugo Nguyen
2021-04-09 14:54     ` Hugo Nguyen
2021-04-09 15:33       ` Sjors Provoost
2021-04-10 19:32         ` Robert Spigler
2021-04-11  2:34   ` Michael.flaxman
2021-04-11 16:45     ` Hugo Nguyen
2021-04-12 15:03       ` Salvatore Ingala
2021-04-12 17:55         ` Hugo Nguyen
2021-04-12 18:45         ` Christopher Allen
2021-04-12 20:43           ` Robert Spigler
2021-04-10 13:53 ` Erik Aronesty

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210212134816.GM47135@coinkite.com \
    --to=peter@coinkite.com \
    --cc=ChristopherA@lifewithalacrity.com \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox