summaryrefslogtreecommitdiff
path: root/ab/a5bdd15f56e0ad66bb8a64867dd6e55d5fcca4
blob: 8e01e4af34a6e3c1cde958892e4142524e178d4d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
Return-Path: <peter@coinkite.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id B4EDC38DE
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Fri,  3 May 2019 13:36:47 +0000 (UTC)
X-Greylist: delayed 00:06:58 by SQLgrey-1.7.6
Received: from smtp89.iad3b.emailsrvr.com (smtp89.iad3b.emailsrvr.com
	[146.20.161.89])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id BD4C579
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Fri,  3 May 2019 13:36:45 +0000 (UTC)
Received: from smtp4.relay.iad3b.emailsrvr.com (localhost [127.0.0.1])
	by smtp4.relay.iad3b.emailsrvr.com (SMTP Server) with ESMTP id
	1A66720113; Fri,  3 May 2019 09:29:47 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=g001.emailsrvr.com;
	s=20190322-9u7zjiwi; t=1556890187;
	bh=kET5izGpWVahjQiuKKTOM9ZRToq9gZnFJH7oPdQknek=;
	h=Date:From:To:Subject:From;
	b=UK95znwyJsAm2D+ohrtN04YSsxK9PqAAOLN/ukZvwUQtW+0uSXFdGdBnGDwCNuZf/
	Idv5NKLLUh5cHQJWPM6W1g/Igvw7ya78hz+KQDZWp3PPZC7MsF2a9M/8LlbrPkAyUk
	0rX2Oz2TnD5GV7y7ZDhl2eTaMq59zi0i2qcWb10o=
X-Auth-ID: peter@coinkite.com
Received: by smtp4.relay.iad3b.emailsrvr.com (Authenticated sender:
	peter-AT-coinkite.com) with ESMTPSA id C95BC200F6; 
	Fri,  3 May 2019 09:29:46 -0400 (EDT)
X-Sender-Id: peter@coinkite.com
Received: from coinkite.com ([UNAVAILABLE]. [216.223.129.56])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384)
	by 0.0.0.0:465 (trex/5.7.12); Fri, 03 May 2019 09:29:47 -0400
Date: Fri, 3 May 2019 09:29:45 -0400
From: "Peter D. Gray" <peter@coinkite.com>
To: Stepan Snigirev <snigirev.stepan@gmail.com>
Message-ID: <20190503132945.GR810@coinkite.com>
Reply-To: Peter Gray <peter@coinkite.com>
References: <CACL8y1v9fpZ+gWLVHMx-bGUCaSd0=0ecHU-u4FF=LnhT7s1zTg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CACL8y1v9fpZ+gWLVHMx-bGUCaSd0=0ecHU-u4FF=LnhT7s1zTg@mail.gmail.com>
Organization: Coinkite Cryptobank (www.coinkite.com)
User-Agent: Mutt/1.6.0 (2016-04-01)
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
X-Mailman-Approved-At: Fri, 03 May 2019 15:55:39 +0000
Cc: bitcoin-dev@lists.linuxfoundation.org
Subject: Re: [bitcoin-dev] Adding xpub field to PSBT to make multisig more
 secure
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Fri, 03 May 2019 13:36:47 -0000

On Fri, Apr 26, 2019 at 05:21:06PM +0200, Stepan Snigirev wrote:
...
> Currently in PSBT there is no way to reliably say if the output uses the
> keys derived from the same root keys as the inputs aside from the key owned

Writing the multisig support for Coldcard, I've come to the same conclusion. I've
exchanged some helpful mail with Andrew Chow on this subject.

...
> I suggest to add the following key-value pairs to PSBT:
> Type: BIP 32 public key `PSBT_IN_BIP32_XPUB = 0x10`
...
> Type: BIP 32 public key `PSBT_OUT_BIP32_XPUB = 0x03`

I'd rather see the xpubs shared in the global section of the file,
with the restriction that they must/should only include the hardened
prefix of the path. The existing bip32 derivation path included in
individual inputs and outputs be merged in as needed.

After all in a typical PSBT, we would expect the same master keys
to be used on all inputs, and at least one output, and there might
be as many as 20 co-signers. No need to repeat all that information.

Even with this additions to the PSBT format, I think PSBT-signing
devices still need to store the xpubs of their co-signers. It's not
possible to safely show an incoming address to the user without a
full understanding of the other keys in a "multisig wallet". Also,
it represents data that should not change between PSBT instances
(ie. tomorrow's co-signers should match today's).

Having said that, the xpubs in the PSBT would allow a "trust on first
use" which I think can be a good feature.

---
Peter D. Gray  ||  Founder, Coinkite  ||  Twitter: @dochex  ||  GPG: A3A31BAD 5A2A5B10


> Hi list,
> 
> I was looking at the bip174 PSBT specs, in particular for multisignature
> setup, and I think with current spec there is a way to steal user funds in
> M of N setup with M ≤ N/2.
> 
> I made a small write-up on this:
> https://github.com/stepansnigirev/random_notes/blob/master/psbt_multisig.md
> 
> To compress:
> 
> Currently in PSBT there is no way to reliably say if the output uses the
> keys derived from the same root keys as the inputs aside from the key owned
> by the signer => there is no way to verify that the output is a change
> output in multisig setup.
> 
> Therefore an attacker can replace half of the keys in the change address by
> his own keys and still get the transaction signed.
> 
> I suggest to add an xpub field to the inputs and outputs metadata, then
> signers can verify that the same xpubs are used for public keys in inputs
> and outputs => output is indeed a change.
> 
> Normally change and receiving addresses are derived from the same xpub with
> non-hardened derivation pathes, so providing xpub after the last hardened
> index should be enough to see that public keys of inputs and change output
> are derived from the same xpub.
> 
> I suggest to add the following key-value pairs to PSBT:
> 
> Type: BIP 32 public key `PSBT_IN_BIP32_XPUB = 0x10`
> - Key: derivation path for xpub
>   `{0x10}|{master key fingerprint}|{32-bit int}|...|{32-bit int}`
> - Value: 78-byte xpub value
>   `{xpub}`
> 
> Type: BIP 32 public key `PSBT_OUT_BIP32_XPUB = 0x03`
> - Key: derivation path for xpub
>   `{0x03}|{master key fingerprint}|{32-bit int}|...|{32-bit int}`
> - Value: 78-byte xpub value
>   `{xpub}`
> 
> Derivation paths are in the key of the key-value pair as they are used for
> lookup, and xpub itself is the actual value being looked up.
> 
> I also want to mention that Trezor for example doesn't suffer from this
> problem as they use xpubs to verify change outputs. So it may make sense to
> go through the communication protocols of existing hardware /
> multisignature wallets and see if there is something else we are missing.
> 
> If everyone is happy about the proposal I would prepare a pull request to
> the bip.
> 
> Best regards,
> Stepan Snigirev.