From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 72ACB15A9 for ; Sun, 4 Oct 2015 15:18:24 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from relay1.ox.registrar-servers.com (relay1.ox.registrar-servers.com [199.188.203.171]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 1B6FC2BE for ; Sun, 4 Oct 2015 15:18:24 +0000 (UTC) Received: from imap11-3.ox.privateemail.com (imap11-3.ox.privateemail.com [198.187.29.245]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by relay.ox.registrar-servers.com (Postfix) with ESMTPS id 15DDFB00B5 for ; Sun, 4 Oct 2015 11:18:23 -0400 (EDT) Received: from localhost (localhost [127.0.0.1]) by imap11.ox.privateemail.com (Postfix) with ESMTP id C4FAB8800D2 for ; Sun, 4 Oct 2015 11:18:19 -0400 (EDT) X-Virus-Scanned: Debian amavisd-new at imap11.ox.privateemail.com Received: from imap11.ox.privateemail.com ([127.0.0.1]) by localhost (imap11.ox.privateemail.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 0j4DqJKiyo-2 for ; Sun, 4 Oct 2015 11:18:19 -0400 (EDT) Received: from [192.168.1.2] (86-41-36-97-dynamic.b-ras2.dbn.dublin.eircom.net [86.41.36.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by imap11.ox.privateemail.com (Postfix) with ESMTPSA id A52EE880039 for ; Sun, 4 Oct 2015 11:18:16 -0400 (EDT) To: bitcoin-dev@lists.linuxfoundation.org References: <560FCD30.9020902@haskoin.com> From: Jean-Pierre Rupp X-Enigmail-Draft-Status: N1110 Message-ID: <5611432F.5070209@haskoin.com> Date: Sun, 4 Oct 2015 16:18:07 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 MIME-Version: 1.0 In-Reply-To: <560FCD30.9020902@haskoin.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: Re: [bitcoin-dev] [Bitcoin-development] New BIP32 structure for P2SH multisig wallets [BIP-45] X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Development Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 04 Oct 2015 15:18:24 -0000 I have a possible solution: Take all public keys encoded in the purpose-specific extended public keys (m/45') of all cosigners and sort them lexicographically, according to BIP-45. Serialize this information and calculate its HASH160 (RIPEMD160 ∘ HASH256). Split the output in five 32-bit chunks, setting the MSB on all of them to 0. Use these 32-bit chunks to build a derivation path from the purpose-specific extended public keys. Treat this derivation path as if it was the purpose-specific extended public key in BIP-45. This scheme will avoid public key sharing, and as long as you share your purpose-specific extended public key only with your cosigners, it should be relatively hard for a passive observer to link activity between different cosigning accounts. On 03/10/15 13:42, Jean-Pierre Rupp via bitcoin-dev wrote: > Hello, > > I have been reviewing BIP-45 today. There is a privacy problem with it > that should at least be mentioned in the document. > > When using the same extended public key for all multisig activity, and > dealing with different cosigners in separate multisig accounts, reuse of > the same set of public keys means that all cosigners from all accounts > will be able to monitor multisig activity from every other cosigner, in > every other account. > > Besides privacy considerations, HD wallet's non-reuse of public keys > provide some defence against wallets that do not implement deterministic > signing, and use poor entropy for signature nonces. > > Unless users are expected to establish a single cosigning account, this > scheme will result in reuse of public keys, and degradation of privacy. > > I understand that for convenience it is useful to have a single extended > public key that can be handed to every cosigner. This makes setting up > accounts or recovering from data loss a easier. > > I suggest that privacy & potential security degradation due to increased > public key reuse in the case of users with multiple multisig accounts > should get a mention in the BIP-45 document. > > Greetings