From: Jochen Hoenicke
To: Greg Sanders, Bitcoin Protocol Discussion
Date: Mon, 21 Aug 2017 23:36:24 +0200
Message-ID: <5f67d70d-a432-7826-22df-4207580aa1d2@gmail.com>
Subject: Re: [bitcoin-dev] [BIP Proposal] Partially Signed Bitcoin Transaction (PSBT) format
List-Id: Bitcoin Protocol Discussion

On 21.08.2017 20:12, Greg Sanders via bitcoin-dev wrote:
> To fix this I consulted with andytoshi and got something we think works
> for both cases:
>
> 1) When a signing device receives a partially signed transaction, all
> inputs must come with an ownership proof:
> - For the input at address A, a signature over H(A || x) using the key
> for A. 'x' is some private fixed key that only the signing device
> knows (most likely some privkey along some unique bip32 path).
> - For each input ownership proof, the HW wallet validates each signature
> over the hashed message, then attempts to "decode" the hash by applying
> its own 'x'. If the hash doesn't match, it cannot be its own input.
> - Sign for every input that is yours

Interesting, basically a proof of non-ownership :), a proof that the
hardware wallet doesn't own the address.

But shouldn't x be public, so that the device can verify the signature?
Can you expand on this, what is exactly signed with which key and how is
it checked?

One also has to make sure that it's not possible to reuse signatures as
ownership proof that were made for a different purpose.

Jochen
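One reading of the quoted scheme, as an added example in Go that is not code from the thread or from any PSBT implementation: the prover attaches h = H(A || x) to the proof together with the signature over h, so the checking device verifies the signature against the carried h without knowing the prover's x (one possible answer to the question above), then compares h with H(A || x_own). Ed25519 from the Go standard library stands in for Bitcoin's secp256k1 ECDSA, a public key stands in for the address, and all keys and secrets are constructed values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)
// OwnershipProof travels with one PSBT input: h = H(A || x) plus a signature
// over h by the key for A. Carrying h (an assumption) lets any device verify it.
type OwnershipProof struct {
	Addr []byte // A: the input's public key, standing in for an address
	Hash []byte // h = H(A || x)
	Sig  []byte // signature over Hash by the key for A
}
// proofHash returns SHA-256(A || x).
func proofHash(addr, x []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, addr...), x...))
	return h[:]
}
// MakeProof runs on the device that holds the key for A and its own secret x.
func MakeProof(priv ed25519.PrivateKey, x []byte) OwnershipProof {
	addr := []byte(priv.Public().(ed25519.PublicKey))
	h := proofHash(addr, x)
	return OwnershipProof{Addr: addr, Hash: h, Sig: ed25519.Sign(priv, h)}
}
// CheckProof runs on a signing device holding xOwn: the signature must verify
// under A, then the hash is "decoded" by recomputing it with xOwn.
func CheckProof(p OwnershipProof, xOwn []byte) (valid, mine bool) {
	if len(p.Addr) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(p.Addr), p.Hash, p.Sig) {
		return false, false
	}
	return true, bytes.Equal(p.Hash, proofHash(p.Addr, xOwn))
}
// Scenario: device D checks its own proof, device E's proof, and a proof built
// for D's address without D's key. Returns {ownValid, ownMine, otherValid, otherMine, forgedValid}.
func Scenario() [5]bool {
	gen := func() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
	dKey, eKey, aKey := gen(), gen(), gen()
	xD, xE := []byte("constructed-secret-D"), []byte("constructed-secret-E")
	own, other := MakeProof(dKey, xD), MakeProof(eKey, xE)
	forged := MakeProof(aKey, []byte("constructed-attacker-x"))
	forged.Addr = own.Addr // relabelled as D's address: the signature no longer verifies
	v0, m0 := CheckProof(own, xD)
	v1, m1 := CheckProof(other, xD)
	v2, _ := CheckProof(forged, xD)
	return [5]bool{v0, m0, v1, m1, v2}
}
```

The reuse concern raised in the reply is not handled here; a deployed scheme would need the signed message to be domain-separated so that a transaction or message signature cannot double as an ownership proof.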