public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: jan matejek <jan.matejek@satoshilabs.com>
To: bitcoin-dev@lists.linuxfoundation.org
Subject: Re: [bitcoin-dev] Adding xpub field to PSBT to make multisig more secure
Date: Wed, 8 May 2019 09:54:53 +0200	[thread overview]
Message-ID: <9e85b47c-6ba9-ab85-03f1-eb0ddf3022de@satoshilabs.com> (raw)
In-Reply-To: <20190507184034.0a72a9c7@simplexum.com>

hello,

On 07. 05. 19 15:40, Dmitry Petukhov via bitcoin-dev wrote:
> At the setup phase, hardware wallet can sign a message that consists of
> xpubs of participants, and some auxiliary text. It can use the key
> derived from the master key, with path chosen specifically for this
> purpose.

This seems overly complicated.

What is your threat model?

IIUC, each individual multisig signature also signs the set of signers
(through signing redeem-script (or scriptPubKey in address-based multisig))
So if an attacker gives me bad xpubs, i will sign them, but the
signature won't be valid for the given multisig output - even if the
attacker manages to trick 2 of 3 signers and recombine their signatures.

Therefore, the input==output check is sufficient: if I use the same set
of signers for an input and an output, I can be sure that the change
goes to the same multisig wallet.

Or is there something I'm missing?

The weak spot is the part where you generate receiving address, because
that "creates" the particular multisig wallet. But that's nothing to do
with PSBT.

> This would allow to distinguish the trusted output even if the inputs
> are not all derived from the same set of xpubs, that could happen in
> more complex scenarios (batching, key rotation, etc.), and can possibly
> be used to have several different types of 'trusted' outputs.

This seems to be an attempt at a different, much broader problem. And it
won't help if the attacker can replay a different trusted-xpub package
(e.g., one that contains a revoked previously compromised key).

regards
m.


  reply	other threads:[~2019-05-08  7:54 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-04-26 15:21 [bitcoin-dev] Adding xpub field to PSBT to make multisig more secure Stepan Snigirev
2019-05-01 16:57 ` Andrew Chow
2019-05-03 13:29 ` Peter D. Gray
2019-05-07  9:23   ` Stepan Snigirev
2019-05-07 13:40     ` Dmitry Petukhov
2019-05-08  7:54       ` jan matejek [this message]
2019-05-09 17:08         ` Dmitry Petukhov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=9e85b47c-6ba9-ab85-03f1-eb0ddf3022de@satoshilabs.com \
    --to=jan.matejek@satoshilabs.com \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox