Return-Path: <dev@jonasschnelli.ch>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 7D639AF0
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed,  9 Aug 2017 19:41:55 +0000 (UTC)
X-Greylist: delayed 00:06:21 by SQLgrey-1.7.6
Received: from bitcoin.jonasschnelli.ch (bitcoinsrv.jonasschnelli.ch
	[138.201.55.219])
	by smtp1.linuxfoundation.org (Postfix) with ESMTP id 22F8B458
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed,  9 Aug 2017 19:41:55 +0000 (UTC)
Received: from [192.168.0.2] (cable-static-238-67.teleport.ch [213.188.238.67])
	by bitcoin.jonasschnelli.ch (Postfix) with ESMTPSA id 465FA15E4209;
	Wed,  9 Aug 2017 21:35:33 +0200 (CEST)
From: Jonas Schnelli <dev@jonasschnelli.ch>
Content-Type: multipart/signed;
	boundary="Apple-Mail=_986A2EB1-ACA0-4ABE-B314-96DB8B64B688";
	protocol="application/pgp-signature"; micalg=pgp-sha256
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Wed, 9 Aug 2017 21:35:26 +0200
References: <CAJJsNHsiAH3Wc_Fp-8f=5EBg8-jNH8rtEW5+u+PEC7JU+SdCGQ@mail.gmail.com>
	<CAJJsNHv_iPNnGgqqogoxGEk+5ipoELfPAnMM0obWUpTjWRZJRQ@mail.gmail.com>
	<CAJJsNHvKR+ieYaFYw_KeCmJjWTzBYH9mSSFwtOdoyYB-kA+fLQ@mail.gmail.com>
	<CAJJsNHuz17GQkKWsKc0sOJfueEyyJkPM0ErbSNB_A=9Qq9tgTQ@mail.gmail.com>
	<CAJJsNHsdcYc7WiLuBSYPfoOvjG-v10zFL1d7_ROxx1HYx-nzHA@mail.gmail.com>
	<CAJJsNHuMa9WoWm0_MZ+dDVRM6UxhOA7eNWqNX=NAVw6V7Nb0jg@mail.gmail.com>
	<CAJJsNHsn=x-EzAWvRH171uM_8hmX9=_zYrn6yyn_mMP3DQGbbw@mail.gmail.com>
	<CAJJsNHvXpeMgxLZZ6JDFX859xnYC30Xvs24=G8-pmE+GUk9prw@mail.gmail.com>
	<CAJJsNHu+Rg7-mHY7mBVL6trKAbTfyq_44KjiQjRkU99_DUyCiQ@mail.gmail.com>
	<CAJJsNHueWeocmYN7tQZ111wi6GyAf81OBpR0gaqJaq6N0RokSQ@mail.gmail.com>
	<CAJJsNHvaeOdhia9bd1b-FTobUvYPsdryRo1U7fPdf=J6Xng1Rw@mail.gmail.com>
	<CAJJsNHuWf42Pzz39oH1F+NHxPoeMdoXqT8-5F8B5OLye1o8sFQ@mail.gmail.com>
	<CAJJsNHum5CVA7HOL26__WjFAQV09mAxfvDJ3o1Yu3BYNydzdvw@mail.gmail.com>
	<CAJJsNHs_aDmuqKpetceM+t_+jQLs8m0hFgtvhCJVvNLBrn3VjQ@mail.gmail.com>
	<CAJJsNHsT0VBufwkr4Lk-yRndeKDhchrp5g-UDv-vhcyjpi3-LA@mail.gmail.com>
	<CAJJsNHt46qBoihBBojt4Fu7S7Ryrqi-1HpXGiX4_nVMDQBq1oQ@mail.gmail.com>
	<CAJJsNHtCDCaW3ZtnNutL9q-PY4b5+eS-zcyfgT1B23gKH+127A@mail.gmail.com>
	<CAJJsNHuU3NXGjZ+afUQ_Ct_3y5V7JgZQzemc9SQUGmGjrm8wfQ@mail.gmail.com>
	<CAJJsNHt08PbYvtcVbCPw383-93r-NuCV_UPjGZ+moHime4dzFw@mail.gmail.com>
	<CAJJsNHvtJ3eUNgpe8apLDoC_UOmk+0ezLiTXkhdG2tndTx=WBA@mail.gmail.com>
	<CAJJsNHu+8+42R0jMfLbNZ7K8c0kQR3Tex+xiPH6WE+w_f+ORPQ@mail.gmail.com>
	<CAJJsNHubV--c5xJQrrF6F5K5gQ2gexy3x-7pL_Gn7Oe6TpiMbw@mail.gmail.com>
	<CAJJsNHvEPWSdquKrOt5kGRFFmLJ3yq2YfxEuQUC9upmKYV4oeg@mail.gmail.com>
	<CAJJsNHsMBz06oo-miAkqUC4VenYq1+o08pi=fgDsnaq9B_+KSA@mail.gmail.com>
	<CAJJsNHun0bf-TKxOr-WVJ1Tj3zt40OZOZAtzxRhD_+ise_+7=g@mail.gmail.com>
	<CAJJsNHvurUUkysWzjbxcXhdaUbL-CRPiBBABFd2HuFD14wZLkQ@mail.gmail.com>
	<CAJJsNHsib5VRs4R1N6C6ZhynAGhJ+QxW3d2LbzojEFnwddyyhw@mail.gmail.com>
	<CAJJsNHt01LuXqD+V=++6fp_VyW7TZ_1OzrsxZ7brBiqUKHcdng@mail.gmail.com>
	<CAJJsNHuZ_iMdeV0jZ618jO7osvUk97uV9Wae9NA_dgRQT=E5uQ@mail.gmail.com>
	<CAJJsNHtZ8bEZ-5zfpjzhoxfzaOM1RuZvRx6J+Pcr=r0=zZd=Kg@mail.gmail.com>
	<CAJJsNHspUanL7Y1E9RB_4G54Fs3RUy1uqUw8aUq3XYY6os_5ww@mail.gmail.com>
	<CAJJsNHtumDA8js_kaagwDHxLy9iF7UXwb5n9yX5cLvwNDDEMaw@mail.gmail.com>
	<CAJJsNHss2bW0DqYkvf5W4CMG3gaWFcT4oqXyzT4y93FveR6k4A@mail.gmail.com>
	<CAJJsNHuHA_rksFEip9r=hKuHoM9Bag2AmFYr=2miJKzOWJC5dQ@mail.gmail.com>
	<CAJJsNHv1QtpDvw_CZKhqryCxD21jtL+MQbZgqG-0HxzBbsnvPw@mail.gmail.com>
	<CAJJsNHtNMQGiJwarobHKBau7o_hEnSMKSznKkbfa8y4e4BUA8Q@mail.gmail.com>
	<CAJJsNHsX9Za=+8LYTK8mnq8XtuMrL03U2LAXHy15qv+XEKupZA@mail.gmail.com>
	<CAJJsNHuyty=i6Mxu_sreVBkqmgDKtp3050=Hh1qy8Hfs8yV2sw@mail.gmail.com>
	<CAJJsNHvNRzd0ZCv3QX9cR=JV8eUHF0z2QWdx9CK1v42iz2fOyA@mail.gmail.com>
	<CAJJsNHsYjFj-g1RBoRMoTrfjLStCQ8SQrE7ZcM569yW0mxb1qQ@mail.gmail.com>
	<CAJJsNHvVEydafdqx7ZwG9XmdNLZzbewVpAMfnvS=ZXNzV1fQYQ@mail.gmail.com>
	<CAJJsNHtEqzEg83k_s4Kg0YiJ3tWfCPOTPmnH0D-YiKZ6K5oGGg@mail.gmail.com>
	<CAJJsNHt2WydZewhrH5XZ-mpUMGBYvfke1H6F2cORpORv=LxShQ@mail.gmail.com>
	<CAJJsNHsCQXkp2uDTMTRJ=2ZVTcUXEPCPNusncACFtGoov5cOzw@mail.gmail.com>
	<CAJJsNHusmafTVS3xTyT5hR3ZjLkQ99A9qQK33e05BRdTF7+xhQ@mail.gmail.com>
	<CAJJsNHsp8oW=C-yzO5qiF9imZf-5EO+pYUJU6yHZz1wF=nevUA@mail.gmail.com>
	<CAJJsNHvOMxE2sBa4TKaazMsRH4OJaN=eS0JDRO81=J1OzGLkcg@mail.gmail.com>
	<CAJJsNHu3EZx9c2x99gwSEUNBCEa3SirteUx8+MqWcU_ShjLDRA@mail.gmail.com>
	<CAJJsNHsBYgmTmGeqUnvjnomO10m_TXjgt5xS8rROcV2aF=PPsQ@mail.gmail.com>
	<CAJJsNHsKSE9ftorgZ4J7YLwz5rMpYq-7WpEtk61JEtxJfneKVQ@mail.gmail.com>
	<CAJJsNHuTY+ckfvujru2K4vsOkfHyp1kYMJQAF0rmSeHhv3HdaA@mail.gmail.com>
	<CAJJsNHuYfMWGjkw1_RPA5-a6p_EVsv3b4gussi9y9Mb8+WsR_A@mail.gmail.com>
	<CAJJsNHv=cEnxg=yTCiDjWRedpBLuXmAyk-mGgQbHMDxFqoiiBw@mail.gmail.com>
	<CAJJsNHs90da2u+ufLcVoqyYQ_pkAr55=gL_ZY0mAGCoDmyqMbQ@mail.gmail.com>
	<CAJJsNHtni20bBUjLd_KOLnVxnZ4_AdDumLCkWbiU4v-cgXfJcA@mail.gmail.com>
	<CAJJsNHtVQ_hSQho2yd_4n8g+sQ5mCZjrG-SALcm1Vrbb3_1oVw@mail.gmail.com>
	<CAJJsNHus+SGAfh6SR9uY_VjgSiSsqtsH0=V-ecM8pm=whwSp0g@mail.gmail.com>
	<CAJJsNHvruYORGrd--nQayYW28k=F-A9PiP9O25w_1pvR2ABvcw@mail.gmail.com>
	<CAJJsNHsTYta-e0S_VZNMHNrEYnfy57U1W_bbzvkS3gQ=qVt75g@mail.gmail.com>
	<CAJJsNHv+TyGj=Mg3t2DS5YAW5WMdjckjFZA5KTO=JDtHB9iNCg@mail.gmail.com>
	<CAJJsNHukqjvTv-2G0jM8D6c2Bmt0o_uW6cd=GXvJHOzmSRg+BA@mail.gmail.com>
	<CAJJsNHv8mnT_GUcHmZy=6=_k1PxBSpfMSTtrz9UbERzhVwSbgw@mail.gmail.com>
	<CAJJsNHtb8Zed+5jZKx3oBNP7EMV-OPbuJD9mPjryRuroM=2bnA@mail.gmail.com>
	<CAJJsNHsWjUeCUp9jHwzEMMuN9jT2CNocpLyJRJKzDvY5Q_VAaQ@mail.gmail.com>
	<CAJJsNHuLfeB_oP+98jteLyr_q=_pdWkJP1+h4fgUBoeG3shBXQ@mail.gmail.com>
	<CAJJsNHuM-k1-MKHw-TcP5RFJz7bwg=YuLvjXKzunYcUK7wYhjg@mail.gmail.com>
	<CAJJsNHvEttaWfk9FQXA34WskxqU5sTyzvK_a56voWVOb7vtbcQ@mail.gmail.com>
	<CAJJsNHukHECFiMj2PFKOMSQmkT1f8Y=N20_9bx2p_3n0ahJKmQ@mail.gmail.com>
	<CAJJsNHtZWH4Cy-kpCRrbLeA339uoC3mL0Be2MBNdbW8PqjboJg@mail.gmail.com>
	<CAJJsNHvDbPpo+31bN0eYtgARnZe_ZeoVz7=bm9HuAjUM0ztKBA@mail.gmail.com>
To: Colin Lacina <notdatoneguy@gmail.com>,
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
In-Reply-To: <CAJJsNHvDbPpo+31bN0eYtgARnZe_ZeoVz7=bm9HuAjUM0ztKBA@mail.gmail.com>
Message-Id: <5C198808-A3BB-413D-A793-0107095EFBE9@jonasschnelli.ch>
X-Mailer: Apple Mail (2.3273)
X-Virus-Scanned: clamav-milter 0.99.2 at bitcoinsrv.jonasschnelli.ch
X-Virus-Status: Clean
Subject: Re: [bitcoin-dev] Structure for Trustless Hybrid Bitcoin Wallets
 Using P2SH for Recovery Options
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Aug 2017 19:41:55 -0000


Hi Colin

> In case the server goes rogue and starts refusing to sign, the user can use their userRecoveryPrivKey to send the funds anywhere they choose. Because of this, the userRecoveryPrivKey is best suited to cold wallet storage.

Would you then assume that userWalletPubKey is a hot key (stored on the user's computer, eventually in a browser-based local storage container)?
In case of an attack on the server responsible for serverWalletPubKey (where also the personal information of the user is stored [including the xpub == amount of funds held by the user]), wouldn't this increase the user's risk of being a possible target (false sense of multisig security, compared to cold storage / HWW keys)?

> In the more likely event that the user forgets their password and/or loses access to their userWalletPrivKey as well as loses their recovery key, they rely on the serverRecoveryPrivKey.
> 
> When the user first sets up their wallet, they answer some basic identity information, set up a recovery password, and/or set up recovery questions and answers. This information is explicitly NOT sent to the server with the exception of recovery questions (although the answers remain with the user, never seeing the server). What is sent to the server is its 256-bit hash used to identify the recovery wallet. The server then creates a 1025-bit nonce, encrypts it, stores it, and transmits it to the user's client.

I guess this will result in protecting the funds stored in this transaction entirely on the user's identity information and eventually the optional recovery password, though I guess you are adding additional security by protecting via the server nonce from brute-forcing.

Why 1025 bit for the nonce?
Why SHA512 instead of SHA256 (I guess you need 256-bit symmetric key material for the key encryption)?
Considered using a (H)KDF for deriving the symmetric key (even if the server-based nonce reduces the possibility of brute-forcing)?

Your model probably has the TORS (trust on recovery setup) weakness (compared to a HWW where you [should] be protected on compromised systems during private key creation).

</jonas>
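Added example (editor's code, not from either correspondent and not the scheme under discussion): what the "(H)KDF for deriving the symmetric key" suggestion above looks like in practice. It implements RFC 5869 HKDF on top of the Python standard library so the extract/expand steps are visible, then derives exactly 32 bytes of key material from the user-held recovery secrets, stretched with PBKDF2 and salted with a server-issued nonce, rather than truncating a SHA-512 digest. The function `derive_recovery_key`, the `info` label `wallet-recovery-key-v1`, the iteration count, and the sample password, answers and nonce are all assumptions made for the illustration.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5869 extract step: PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        # RFC 5869: an absent salt is a string of HashLen zero bytes.
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5869 expand step: OKM = T(1) || T(2) || ... truncated to `length` bytes,
    where T(i) = HMAC-Hash(PRK, T(i-1) || info || i) and T(0) is empty."""
    digest_size = hashlib.new(hash_name).digest_size
    if length > 255 * digest_size:
        raise ValueError("HKDF output length exceeds 255 * HashLen")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """Full HKDF: extract a PRK from the input keying material, then expand it."""
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)


def derive_recovery_key(password: str, answers: list, server_nonce: bytes) -> bytes:
    """Derive exactly 32 bytes (a 256-bit symmetric key) for encrypting a recovery blob.

    Hypothetical construction for illustration only:
      1. Canonicalize the user-held secrets (recovery password and question answers),
         which never leave the client.
      2. Stretch them with PBKDF2-HMAC-SHA256, salted with the server-issued nonce,
         so that even someone holding the nonce faces a slow brute force.
      3. Run the stretched secret through HKDF-SHA256 with the nonce as salt and a
         fixed context label as `info`, asking for the key size actually needed
         instead of truncating a wider digest.
    """
    canonical_answers = b"\x00".join(a.strip().lower().encode("utf-8") for a in answers)
    ikm_source = password.encode("utf-8") + b"\x00" + canonical_answers
    # Constructed parameter: 200k iterations is illustrative; tune for the target client.
    stretched = hashlib.pbkdf2_hmac("sha256", ikm_source, server_nonce, 200_000, dklen=32)
    # Assumed context label; change it for every distinct key purpose.
    return hkdf(salt=server_nonce, ikm=stretched, info=b"wallet-recovery-key-v1", length=32)


if __name__ == "__main__":
    # Constructed sample inputs; a real nonce would come from the server's CSPRNG.
    nonce = bytes(range(32))
    key = derive_recovery_key("correct horse battery staple", ["Fido", "Zurich"], nonce)
    print(key.hex())
```

The answer normalization (trim, lower-case) is what keeps the client-side answers usable across devices; a different server nonce or a different `info` label yields an unrelated key, which is the property that makes the nonce worth keeping encrypted on the server side.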

