1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
Return-Path: <root@haskoin.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 72ACB15A9
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 4 Oct 2015 15:18:24 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
Received: from relay1.ox.registrar-servers.com
(relay1.ox.registrar-servers.com [199.188.203.171])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 1B6FC2BE
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 4 Oct 2015 15:18:24 +0000 (UTC)
Received: from imap11-3.ox.privateemail.com (imap11-3.ox.privateemail.com
[198.187.29.245])
(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by relay.ox.registrar-servers.com (Postfix) with ESMTPS id 15DDFB00B5
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 4 Oct 2015 11:18:23 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
by imap11.ox.privateemail.com (Postfix) with ESMTP id C4FAB8800D2
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 4 Oct 2015 11:18:19 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at imap11.ox.privateemail.com
Received: from imap11.ox.privateemail.com ([127.0.0.1])
by localhost (imap11.ox.privateemail.com [127.0.0.1]) (amavisd-new,
port 10024)
with LMTP id 0j4DqJKiyo-2 for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 4 Oct 2015 11:18:19 -0400 (EDT)
Received: from [192.168.1.2] (86-41-36-97-dynamic.b-ras2.dbn.dublin.eircom.net
[86.41.36.97])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by imap11.ox.privateemail.com (Postfix) with ESMTPSA id A52EE880039
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 4 Oct 2015 11:18:16 -0400 (EDT)
To: bitcoin-dev@lists.linuxfoundation.org
References: <CABQSq2Q98K5zbUbQAqSE4OYez2QuOaWTt+9n5iZmSR2boynf_Q@mail.gmail.com>
<560FCD30.9020902@haskoin.com>
From: Jean-Pierre Rupp <root@haskoin.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <5611432F.5070209@haskoin.com>
Date: Sun, 4 Oct 2015 16:18:07 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <560FCD30.9020902@haskoin.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham
version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
Subject: Re: [bitcoin-dev] [Bitcoin-development] New BIP32 structure for
P2SH multisig wallets [BIP-45]
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Development Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Oct 2015 15:18:24 -0000
I have a possible solution:
Take all public keys encoded in the purpose-specific extended public
keys (m/45') of all cosigners and sort them lexicographically, according
to BIP-45. Serialize this information and calculate its HASH160
(RIPEMD160 ∘ HASH256). Split the output in five 32-bit chunks, setting
the MSB on all of them to 0. Use these 32-bit chunks to build a
derivation path from the purpose-specific extended public keys. Treat
this derivation path as if it was the purpose-specific extended public
key in BIP-45.
This scheme will avoid public key sharing, and as long as you share your
purpose-specific extended public key only with your cosigners, it should
be relatively hard for a passive observer to link activity between
different cosigning accounts.
On 03/10/15 13:42, Jean-Pierre Rupp via bitcoin-dev wrote:
> Hello,
>
> I have been reviewing BIP-45 today. There is a privacy problem with it
> that should at least be mentioned in the document.
>
> When using the same extended public key for all multisig activity, and
> dealing with different cosigners in separate multisig accounts, reuse of
> the same set of public keys means that all cosigners from all accounts
> will be able to monitor multisig activity from every other cosigner, in
> every other account.
>
> Besides privacy considerations, HD wallet's non-reuse of public keys
> provide some defence against wallets that do not implement deterministic
> signing, and use poor entropy for signature nonces.
>
> Unless users are expected to establish a single cosigning account, this
> scheme will result in reuse of public keys, and degradation of privacy.
>
> I understand that for convenience it is useful to have a single extended
> public key that can be handed to every cosigner. This makes setting up
> accounts or recovering from data loss a easier.
>
> I suggest that privacy & potential security degradation due to increased
> public key reuse in the case of users with multiple multisig accounts
> should get a mention in the BIP-45 document.
>
> Greetings
|