MIME-Version: 1.0
References: <CAPKmR9uyY70MhmVCh=C9DeyF2Tyxibux1E_bLPo00aW_h+OjLw@mail.gmail.com>
 <CAPKmR9v=RK7byF0z0hKiLiA=Zm3ZZKbu3vEiuBuzQSXFwa+izw@mail.gmail.com>
 <DDAD27D6-57F5-4B39-AADB-B28E04E36D29@sprovoost.nl>
In-Reply-To: <DDAD27D6-57F5-4B39-AADB-B28E04E36D29@sprovoost.nl>
From: Hugo Nguyen <hugo@nunchuk.io>
Date: Fri, 9 Apr 2021 07:09:51 -0700
Message-ID: <CAPKmR9u+Ron1AyLjPVsqNx6bWvkJMKzcF67JgP0TEEdysj78tw@mail.gmail.com>
To: Sjors Provoost <sjors@sprovoost.nl>
Content-Type: multipart/alternative; boundary="000000000000586ed905bf8ab844"
Cc: marko <marko@shiftcrypto.ch>,
 Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>, aarondongchen@gmail.com,
 Peter Gray <peter@coinkite.com>
Subject: Re: [bitcoin-dev] Proposal: Bitcoin Secure Multisig Setup
Precedence: list

--000000000000586ed905bf8ab844
Content-Type: text/plain; charset="UTF-8"

Hi Sjors
Thanks for the feedback!

The first step is for the Coordinator to generate a TOKEN, presumably using
> its own entropy. But IIUC anyone who intercepts that token can decrypt any
> future step in the setup process. This suggests a chicken-egg problem where
> you need some pre-existing secure communications channel.
>

The exchange of the TOKEN is frequently mistaken as the chicken-and-egg
problem, but it is not so.

To understand why this isn't chicken-and-egg, and why the TOKEN actually
adds value, consider *the scale of the communication operation needed to
exchange the TOKEN*, and *the scale of the communication operation needed
to gather data for the creation of the multisig wallet *(with or without
the TOKEN):

1) The TOKEN itself is a single piece of data that is 64- or 96-bit. It is
small enough to be easily exchanged (even memorized) and entered into
various devices. It requires only a single round of communication, but can
protect as many rounds of communication as needed.

2) The data needed to create the multisig wallet, on the other hand, are
quite involving:
(a) Each Signer needs to share its XPUB, which cannot be memorized
(b) The XPUBs also come with their own metadata
(c) The creation of the wallet requires at least two rounds of
communications since the Signers need to voluntarily share their XPUBs
first, only then can a Coordinator combine the XPUBs into a single multisig
script and pass back the configuration to the Signers. (Note that without a
Coordinator, you'll need O(N^2) rounds of communication).
(d) Because Signers are typically off-line cold storage, the paths between
the Signers / the Signers <> Coordinator likely involve multiple hops
through various media, such as unsecure USB connection. This is the way
most multisig solutions are currently being implemented. It means the XPUBs
and the multisig configuration are vulnerable to leaking and/or
modifications.

Note that (d) is especially problematic for remote multisig setups. The
more remote, the more potential hops along the way, the more problematic.

So you can see that *the TOKEN ultimately reduces the problem of sharing a
large amount of sensitive data back and forth, to the sharing of a single,
small piece of data upfront.* An added advantage of this approach is that
if the parties fail to establish a shared TOKEN, the scheme fails with no
harm done.

The Coordinator, on the other hand, adds value by solving the O(n^2)
communication problem. Some minimal amount of trust is needed for the
Coordinator, but this can be greatly mitigated by a number of ways that we
have defined in the spec, such as:
* Signers must check that their XPUBs are included in the final descriptor
* Signers must display to the user the multisig configuration: M/N,
relative position(s) of XPUBs, etc.
* Signers must display the full descriptor upon user request for manual
inspection - this one is important because it means that the new scheme
cannot be worse than the status quo.
* Signers are recommended to display a preview of the first receive
address(es).

All in all, the Coordinator's role helps ease the setup process, while its
ability to pull off any shenanigans is greatly limited.

Best,
Hugo

--000000000000586ed905bf8ab844
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_quote"><div>Hi Sjors</div><div>Thanks =
for the feedback! <br><div><br></div></div><blockquote class=3D"gmail_quote=
" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);=
padding-left:1ex">The first step is for the Coordinator to generate a TOKEN=
, presumably using its own entropy. But IIUC anyone who intercepts that tok=
en can decrypt any future step in the setup process. This suggests a chicke=
n-egg problem where you need some pre-existing secure communications channe=
l.<br></blockquote><div><br>The exchange of the TOKEN is frequently mistake=
n as the chicken-and-egg problem, but it is not so.</div><div><div><br>To u=
nderstand why this isn&#39;t chicken-and-egg, and why the TOKEN actually ad=
ds value, consider <b>the scale of the communication operation needed to ex=
change the TOKEN</b>, and <b>the scale of the communication operation neede=
d to gather data for the creation of the multisig wallet </b>(with or witho=
ut the TOKEN):<br><br>1) The TOKEN itself is a single piece of data that is=
 64- or 96-bit. It is small enough to be easily exchanged (even memorized) =
and entered into various devices. It requires only a single round of commun=
ication,=C2=A0but can protect as many rounds of communication as needed.<br=
><br>2) The data needed to create the multisig wallet, on the other hand, a=
re quite involving:</div><div>(a) Each Signer needs to share its XPUB, whic=
h cannot be memorized<br>(b) The XPUBs also come with their own metadata<br=
>(c) The creation of the wallet requires at least two rounds of communicati=
ons since the Signers need to voluntarily share their XPUBs first, only the=
n can a Coordinator combine the XPUBs into a single multisig script and pas=
s back the configuration to the Signers. (Note that without a Coordinator, =
you&#39;ll need O(N^2) rounds of communication).=C2=A0<br>(d) Because Signe=
rs are typically off-line cold storage, the paths between the=C2=A0Signers =
/ the=C2=A0Signers &lt;&gt; Coordinator likely involve multiple hops throug=
h various media, such as unsecure USB connection. This is the way most mult=
isig solutions are currently being implemented. It means the XPUBs and the =
multisig configuration are vulnerable to leaking and/or modifications.<br><=
br>Note that (d) is especially problematic for remote multisig setups. The =
more remote, the more potential hops along the way, the more problematic.<b=
r><br>So you can see that <b>the TOKEN ultimately=C2=A0reduces the problem =
of sharing a large amount of sensitive data back and forth, to the sharing =
of a single, small piece of data upfront.</b> An added advantage of this ap=
proach is that if the parties fail to establish a shared TOKEN, the scheme =
fails with no harm done.<br><br>The Coordinator, on the other hand, adds va=
lue by solving the O(n^2) communication problem. Some minimal amount of tru=
st is needed for the Coordinator, but this can be greatly mitigated by a nu=
mber of ways that we have defined in the spec, such as:<br>* Signers must c=
heck that their XPUBs are included in the final descriptor<br>* Signers mus=
t display to the user the multisig configuration: M/N, relative position(s)=
 of XPUBs, etc.<br>* Signers must display the full descriptor upon user req=
uest for manual inspection - this one is important because it means that th=
e new scheme cannot be worse than the status quo.<br>* Signers are recommen=
ded to display a preview of the first receive address(es).</div><div><br>Al=
l in all, the Coordinator&#39;s role helps ease the setup process, while it=
s ability to pull off any shenanigans is greatly limited.<br><br></div></di=
v><div>Best,<br>Hugo=C2=A0</div></div></div>

--000000000000586ed905bf8ab844--