1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
|
Return-Path: <vjudeu@gazeta.pl>
Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])
by lists.linuxfoundation.org (Postfix) with ESMTP id 61294C0001
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 22 Mar 2021 07:56:11 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp4.osuosl.org (Postfix) with ESMTP id 3AA50402C9
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 22 Mar 2021 07:56:11 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001]
autolearn=ham autolearn_force=no
Authentication-Results: smtp4.osuosl.org (amavisd-new);
dkim=pass (1024-bit key) header.d=gazeta.pl
Received: from smtp4.osuosl.org ([127.0.0.1])
by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id qry4GmEvLYpJ
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 22 Mar 2021 07:56:09 +0000 (UTC)
X-Greylist: delayed 00:05:01 by SQLgrey-1.8.0
Received: from smtpo102.poczta.onet.pl (smtpo102.poczta.onet.pl
[213.180.149.155])
by smtp4.osuosl.org (Postfix) with ESMTPS id 3E6EF402FA
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 22 Mar 2021 07:56:09 +0000 (UTC)
Received: from pmq7v.m5r2.onet (pmq7v.m5r2.onet [10.174.35.192])
by smtp.poczta.onet.pl (Onet) with ESMTP id 4F3ms038Bkz3jDd;
Mon, 22 Mar 2021 08:51:00 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gazeta.pl; s=2013;
t=1616399460; bh=Dlt7LQV7T6+KKPiiEOk6EukapFdDB0Um3x8oyJEzZg8=;
h=From:To:Date:Subject:From;
b=GD0CE0Bw+WfqBBsp7MfF1rtgmJBoBAOaFVwtpMNamsOLy30lxPea48hzop0q2ggZA
QDX1NwsQq9gqZFhMFoSJt6mGFQjXkcTrb47Xrs6QI6tgTWTjiueYQng3u5eULzj1MH
N4ZDuG+qgLvARkxev89TizjOS5vYD9RBreric0MA=
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Received: from [82.177.167.2] by pmq7v.m5r2.onet via HTTP id
202103220850106108010001; Mon, 22 Mar 2021 08:51:00 +0100
From: vjudeu <vjudeu@gazeta.pl>
X-Priority: 3
To: Tim Ruffing <crypto@timruffing.de>, "bitcoin-dev@lists.linuxfoundation.org"
<bitcoin-dev@lists.linuxfoundation.org>
Date: Mon, 22 Mar 2021 08:51:00 +0100
Message-Id: <126012152-39f82455cdb5fc18203880bbba2d7b06@pmq7v.m5r2.onet>
X-Mailer: onet.poczta
X-Onet-PMQ: <vjudeu@gazeta.pl>;82.177.167.2;PL;2
X-Mailman-Approved-At: Mon, 22 Mar 2021 08:58:37 +0000
Subject: Re: [bitcoin-dev] An alternative to BIP 32?
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2021 07:56:11 -0000
> I can't really answer that question because it's not specified how "nonce=
" is obtained.
Nonce depends directly on your derivation path. By default, you can just st=
art from 256-bit zero value and increment it if you want standard derivatio=
n path. But optionally it can be something else that is unique, for example=
username. So, if you have "0/0/0/0" derivation path, then you have four no=
nces with 256-bit zero each time. But if you have '0/"bitcointalk.org"/5321=
992/"coinlatte"' derivation path (as mentioned by the author of this scheme=
), then your first nonce is 256-bit zero value, your second nonce is SHA-25=
6 of "bitcointalk.org", which is f245bd5620ee79314f48d9e9641a5406bd03745f6a=
c516e2801ef6ccbfe40ced, your third nonce is 0000000000000000000000000000000=
000000000000000000000000000513508 and your fourth nonce is 314870494d3a9136=
ba0a67ceb33534cbd438e982105d20cc076204c6fc99594d. There is an example in me=
ntioned topic here: https://bitcointalk.org/index.php?topic=3D5321992.msg56=
503261#msg56503261
> the master private key is involved in the derivation of "nonce" (then "no=
nce" may be unpredictable)
It is impossible, because having some parent public key should be enough to=
derive child public keys. But even if you know the nonce, you have no idea=
what masterPublicKey was used in SHA-256 (that is the thing you are lookin=
g for if you try to link addresses together).
To see how difficult it is to get some parent key from some child key, you =
can try going up the tree in the mentioned example. SHA-256 empty string is=
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, but if u=
sed directly, that leads us to some key starting with 03 prefix, so we shou=
ld negate it and get 1c4f3bbd6703e3eb65040b37669046da93009b024aad0cef1b3cc5=
7157e388ec. Then, we have our child key 02 a34b99f22c790c4e36b2b3c2c35a36db=
06226e41c692fc82b8b56ac1c540c5bd and to break this scheme and prove that go=
ing to the parent key is possible, we have to find something like this:
masterPublicKey =3D attackerPublicKey + SHA256(attackerPublicKey || nonce)
02 a34b99f22c790c4e36b2b3c2c35a36db06226e41c692fc82b8b56ac1c540c5bd =3D att=
ackerPublicKey + SHA-256(attackerPublicKey || 00000000000000000000000000000=
00000000000000000000000000000000000)
For me, it seems that finding attackerPublicKey here is impossible. Of cour=
se the absence of solution does not mean that it is secure, but I think it =
is a good example to show how strong this scheme is.
On 2021-03-21 22:45:19 user Tim Ruffing <crypto@timruffing.de> wrote:
> On Sat, 2021-03-20 at 21:25 +0100, vjudeu via bitcoin-dev wrote:
> > So, things have to be complicated to be secure?
> =
> Not at all. But we first need to spend some thoughts on what "secure"
> means before we can tell if something is secure.
> =
> > By definition, using some private key, calculating some public key
> > from it and incrementing that key is secure (it is definitely no
> > worse than address reuse).=C2=A0
> =
> If secure means that it does not hurt the unforgeability of ECDSA, then
> I believe you're right.
> =
> > The only problem with using "privKey", "(privKey+1) mod n",
> > "(privKey+2) mod n" and so on is that all of those public keys could
> > be easily linked together. If that is the only problem, then by
> > making offset deterministic but less predictable, it should be secure
> > enough, right? So, instead of simple incrementation, we would have
> > "privKey" (parent), "(privKey+firstOffset) mod n" (first child),
> > "(privKey+secondOffset) mod n" (second child) and so on. And as long
> > as this offset is not guessed by the attacker, it is impossible to
> > link all of those keys together, right?
> =
> I believe this intuition is also a good first approach. So let's have a
> look:=C2=A0 You say that offset =3D SHA256(masterPublicKey || nonce). Is =
this
> predictable by the attacker?=C2=A0
> =
> I can't really answer that question because it's not specified how
> "nonce" is obtained.=C2=A0 Since this is supposed to be a deterministic
> scheme, I see two basic ways: Either the master private key is involved
> in the derivation of "nonce" (then "nonce" may be unpredictable) or
> it's not (then "nonce" is predictable). =
> =
> Another fact that may or not be a problem is that it may be possible to
> compute a parent private key from the a private key. Again, I can't
> tell because I don't know how nonce is obtained. =
> =
> Taking a step back, BIP 32 addresses all of these concerns. I agree it
> could be simpler but I don't see a practical necessity to invent a new
> scheme. In any application where this proposal could potentially be
> used, BIP 32 could also be used and it's just good enough.
> =
> Tim =
> =
> =
> > =
> > > On 2021-03-20 11:08:30 user Tim Ruffing <crypto@timruffing.de>
> > > wrote:
> > > > On Fri, 2021-03-19 at 20:46 +0100, vjudeu via bitcoin-dev wrote:
> > > > > is it safe enough to implement it and use in practice?
> > > > =
> > > > This may be harsh but I can assure you that a HD wallet scheme
> > > > that can
> > > > be specified in 3 lines (without even specifying what the
> > > > security
> > > > goals are) should not be assumed safe to implement.
> > > > =
> > > > Tim =
> > > > =
> > > > =
> > > =
> > =
> > =
> > =
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> =
> =
> =
|