1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
|
Return-Path: <junderwood@bitcoinbank.co.jp>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 5B667C9E
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 29 Jun 2019 00:19:57 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-yw1-f50.google.com (mail-yw1-f50.google.com
[209.85.161.50])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 1820A2C6
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 29 Jun 2019 00:19:54 +0000 (UTC)
Received: by mail-yw1-f50.google.com with SMTP id t2so5224896ywe.10
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 28 Jun 2019 17:19:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=bitcoinbank.co.jp; s=google;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=+re3TxeDp7i1F0HCXHRWt3lZ7IJvPnfj6CYdCm5G6xQ=;
b=UVsY+GUIykFOi2CEOdABRz4ksvK5LsD1cRlB6gtQ+i44fH/eldlb/ZofcOFhWrkNq6
7A+Bgfj0ChMBkUgbbWhqDH1oDpY3Aql9TKudH1KSV2qS1S4cGWZdhSq88L/zF6cv3rG+
gISeZ6m9TVy2jsk7Ko8SMwoMMp2mT2aK79p3Bhv+ksctP5LJUHp0p9FjJBt1wSixOolT
7IXWofd6j53vb8i2vaun5jfnAOU1KI2WhNa7kObKsIG7+cqrXAgaCwiWkLk6U94OoPdj
AZK/YZs9WemnTxMR6rIovWIHHD/TjDIzfNpOQDH0sFL6URI2ZACexLnx63KzIg4QAhZh
GgHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=+re3TxeDp7i1F0HCXHRWt3lZ7IJvPnfj6CYdCm5G6xQ=;
b=iuv/MzoH6dCpWR+z/E4qpuvXN+zPjRjvcHC2cYivTPhvwKxXWeOCt1cdBi+QyTgx+V
PBUhHUIPbVCk9vOhfOWKNMPCYWrKNBqLIkNwe80l6SOMa2sGAk8K0fz0C/F+Zn859W73
3qR9OG4zRwdiJVIrkO25LpV/Go0V1eCqEG+oIbFtE0zjjLVpydGkPIFGppMb6/F6AVGU
iFHcOkNPZNBwnfwMu+rsXJLGxynDPc5fVNJ/2Rfi50MXouNPTlx4j8CI79CVyuWZ3s9x
DNsENcUs3WnB1XUCCgXLe9Frv7497ssGJfQsWL3OWv3KTXSTn5gVrcRIB8hhBBJnWuHm
Z2EA==
X-Gm-Message-State: APjAAAWqWNMjgMv7n6RdPeDOs2G76pC4YS4ilb5LyYrctanQxZyaZLOy
H3RGZLEcpwJACUBZw4aqmc4/tCss+FAQatAIy5V8
X-Google-Smtp-Source: APXvYqycxJ3qOsPTVcndpsaNd7cLgP51AYpAp0qdCo0eUBXcmxY8374G2Jnq7LSGU6LZ2JcIXK1xaV+rdWXGuWTQt+A=
X-Received: by 2002:a81:23d6:: with SMTP id j205mr8215310ywj.333.1561767593959;
Fri, 28 Jun 2019 17:19:53 -0700 (PDT)
MIME-Version: 1.0
References: <CAMpN3mLvY+kuUGqzMW6SAMZ=h46_g=XLhDPhSY=X6xhLxvi15Q@mail.gmail.com>
<20190627095031.4d5817b8@simplexum.com>
<CAMpN3mKPkCPtYkN-JVku1r217-aBK=Rh3UEhvRPS_Y6DixJ9Dw@mail.gmail.com>
<20190627122916.3b6c2c32@simplexum.com>
<CAMpN3mL8tyP-6-nwn6dorcq7-dad6wYz8_pXinqHhgzUnrr_tg@mail.gmail.com>
<20190627181429.15dda570@simplexum.com>
<20190627202932.1cb4d727@simplexum.com>
<20190629024816.2193363e@simplexum.com>
In-Reply-To: <20190629024816.2193363e@simplexum.com>
From: Jonathan Underwood <junderwood@bitcoinbank.co.jp>
Date: Sat, 29 Jun 2019 09:19:41 +0900
Message-ID: <CAMpN3m+Oa6oPzAmhoioOkuf8__NSPPNoSEMHJwo9PhjXosMwhg@mail.gmail.com>
To: Dmitry Petukhov <dp@simplexum.com>
Content-Type: multipart/alternative; boundary="000000000000a90c50058c6b5af1"
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, HTML_MESSAGE,
RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Sat, 29 Jun 2019 06:20:23 +0000
Cc: Bitcoin development mailing list <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] BIP174 extension proposal (Global Type:
PSBT_GLOBAL_XPUB_SIGNATURE)
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Jun 2019 00:19:57 -0000
--000000000000a90c50058c6b5af1
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
replies in-line. Thanks!
2019=E5=B9=B46=E6=9C=8829=E6=97=A5(=E5=9C=9F) 6:46 Dmitry Petukhov <dp@simp=
lexum.com>:
> In your proposed field key format,
>
> {0x02}|{signing_pubkey}|{m}|{xpub}|...|{xpub}
>
> I think you can replace the signing pubkey with just a fingerprint of
> the master key, that would save 29 bytes per 0x02 field.
>
Good point.
> If the only entity that is concerned about the validity of the
> signature is those that possess the signing_privkey, it will check the
> signature when it sees the 0x02 field starting with its own key
> fingerprint, and will ignore the field if the signature does not match.
>
> If someone other than the signer needs to check that this xpub-package
> was signed by certain cold key, it will need to know signing_pubkey
> anyway, before it parses PSBT, as it won't have the means to check if
> certain pubkey found in 0x02 field in PSBT is related to certain
> signer, without knowing anything about the pubkey beforehand.
>
> I'm not sure if the ability of unrelated parties to verify that
> xpub-package matches its signature is useful in practice. 29 bytes per
> 0x02 field is not a big saving of space, and if this ability is actually
> useful, the saving may not be worh loosing this ability.
>
All good points, I think we'll just use the first 4 bytes of the hash160 of
the pubkey, aka fingerprint.
> Other note: you have 'unused' value of 1 for `m` in your scheme, why
> not require m=3D1 for single-sig case, and use 0 as indicator that there
> are a serlal number following it?
>
0x00 is single sig, aka, OP_CHECKSIG
0x01 is multisig, aka, 1-of-3, 1-of-2 OP_CHECKMULTISIG
> The key for the field would be encoded as
>
> {0x02}|{signing_pubkey}|{m}|{xpub}|...|{xpub}
>
> for usual case, and
>
> {0x02}|{signing_pubkey}|0x00|{serial}|{m}|{xpub}|...|{xpub}
>
> for the case when the signing scheme actually cares about different
> versions of xpub packages signed by certain cold key
>
since OP_CHECKMULTISIG only supports at most 15-of-15 due to stack item
size limitations, we could make 0xff into this serial marker.
> Going back to the idea of moving 'complex' usecases outside of BIP174:
> maybe we could have a 'BIP-specific' field, that would have the key as
>
> {0x0?}|{BIP-number}|{bip-specific-suffix-data}
>
> so that the different usecases that are not general enough to be
> included in BIP174 itself, may have their own BIPs. Vendor-specific
> fields may also be done as a separate BIP.
>
Definitely sounds good, but the currently proposed 0x01 global type is
being added to BIP174 directly under the assumption that it is useful for
all users of PSBT, and I would argue that 0x01 being an HD change verifying
method, it only seems logical to add a similar method of "verifying"
non-self keys, aka whitelisting for security purposes, and such a feature
would require this data be included into the PSBT sent into the device.
If the consensus is that this data is unneeded, 0x01 should probably also
be a separate BIP.
Though outside the scope of this BIP, one difficulty of a whitelist feature
would be revocation of signatures. If we pre-sign a revocation cert and
somehow make the wallet blacklist if seen... then the question is "if your
signer has a trustworthy store of state, why not store the whitelist
pubkeys?"
But that feature itself should be a separate BIP.
Also, POR_COMMITMENT being in BIP174 kind of set a precedent... :-/
> =D0=92 Thu, 27 Jun 2019 20:29:32 +0500
> Dmitry Petukhov <dp@simplexum.com> wrote:
>
> > Oh, I saw that you covered it in another mail:
> >
> > > The expire / revoke problem is a larger problem than this feature
> > > can handle.
> >
> > > In general, if one of the cold keys is stolen, there is rarely a
> > > situation where you are completely sure the other cold keys haven't
> > > been compromised... so the best practice would be all signers
> > > generate new keys and all funds are moved to a completely new
> > > multisig wallet (no common xpubs).
> >
> > The setup might not be 'all cold keys', but the keys with different
> > levels of exposure to possible theft. In this config, compromise of
> > one of the 'warm' keys might not necessary require changing the
> > 'cold' key.
> >
> > I'm not sure whether this usecase warrants adding extra 'serial'
> > field, but on the other hand it is rather simple change, and those who
> > does not care can always set 0.
> >
> > =D0=92 Thu, 27 Jun 2019 18:14:29 +0500
> > Dmitry Petukhov <dp@simplexum.com> wrote:
> >
> > > What do you think about adding serial number to the xpub package ?
> > >
> > > The key would be
> > >
> > > {0x02}|{signing_pubkey}|{serial}|{m}|{xpub}|...|{xpub}
> > >
> > > and if the signer have the ability to store a counter, it can reject
> > > 'outdated' xpub packages, and only accept those that was signed
> > > using the serial number that it deems recent. This would allow a
> > > limited mechanism to 'revoke' previously signed packages that have
> > > compromized keys in them.
> > >
> > > =D0=92 Thu, 27 Jun 2019 17:16:14 +0900
> > > Jonathan Underwood <junderwood@bitcoinbank.co.jp> wrote:
> > >
> > > > I see what you mean.
> > > >
> > > > What about this?
> > > >
> https://github.com/junderw/bips/commit/57a57b4fae1ae14b77a2eebd99cd719148=
e3027e?short_path=3D82656c8#diff-82656c833e31e6751a412ce5e5c70920
> > > >
> > > > Plus side: for single sig case, the key only increases by one byte
> > > > (0x00 for the {m} value)
> > > >
> > > > This way if it was 2 of 3 like before, you sign the whole "packet"
> > > > so each key only signs the packet once. Way better than n!
> > > >
> > > > Anywho. Please send your feedback. Thanks.
> > > > Jonathan
> > > >
> > > > 2019=E5=B9=B46=E6=9C=8827=E6=97=A5(=E6=9C=A8) 16:27 Dmitry Petukhov=
<dp@simplexum.com>:
> > > >
> > > > > How would signer know that there _should_ be at least 3
> > > > > signatures signed by the key owned by this signer ?
> > > > >
> > > > > If it does not know that it should enforce 2of3 multisig, for
> > > > > example, the attacker that control only one key A can fool
> > > > > signer B by sending to 1of1 single-sig that is derived from A's
> > > > > xpub, and providing only sBxA in PSBT.
> > > > >
> > > > > If the signer does not have a hardcoded configuration that
> > > > > will mandate a particular multisig scheme, it will allow sending
> > > > > to any scheme.
> > > > >
> > > > > If the signer has a rich enough state to store updatable
> > > > > configuration, it can just store the trusted xpubs directly.
> > > > >
> > > > > Alternatively, signer can sign not individual xpubs, but whole
> > > > > xpub packages that correspond to particular multisig
> > > > > configuration, and enforce that destination addresses correspond
> > > > > to this configuration.
> > > > >
> > > > > But this would not be possible with your PSBT scheme that uses
> > > > > individual key-xpub pairs.
> > > > >
> > > > > =D0=92 Thu, 27 Jun 2019 14:07:47 +0900
> > > > > Jonathan Underwood <junderwood@bitcoinbank.co.jp> wrote:
> > > > >
> > > > > > Thanks for the reply.
> > > > > >
> > > > > > The way we would do it is:
> > > > > >
> > > > > > Let's say we have 3 cold keys for multisig: A B and C
> > > > > >
> > > > > > Whose xpubs are: xA xB and xC
> > > > > >
> > > > > > We all sign each other's xpubs, whose signatures are:
> > > > > > sAxB
> > > > > > sAxC
> > > > > > sBxA
> > > > > > sBxC
> > > > > > sCxA
> > > > > > sCxB
> > > > > >
> > > > > > We can then create a wallet that says "when verifying change
> > > > > > with 0x01 global type proposed by Andrew Chow, if the change
> > > > > > is multisig, we MUST require the other pubkeys to have
> > > > > > signatures via my 0x02 proposal"
> > > > > >
> > > > > > This way, all my PSBTs for my cold will have:
> > > > > > 1. an 0x01 entry to tell me how to get my change.
> > > > > > 2. All 6 of the signatures above.
> > > > > >
> > > > > > And the signer will then look at the change, check my pubkey
> > > > > > by deriving the xpub and checking equality to the
> > > > > > BIP_DERIVATION of the output... it will then check the OTHER
> > > > > > pubkeys via BIP32_DERIVATION to master fingerprint, then link
> > > > > > that fingerprint to a 0x02 sig from MY key, verifying all
> > > > > > pubkeys.
> > > > > >
> > > > > > So this proposal of mine would not only fix the "send to
> > > > > > address verification" problem for HD, but also the multisig
> > > > > > change problem with 0x01.
> > > > > >
> > > > > > Cool.
> > > > > >
> > > > > > Only thing that is kind of sad is having to include n! (of
> > > > > > m-of-n) signatures in every PSBT... but tbh, the PSBT size is
> > > > > > not of much concern.
> > > > > >
> > > > > > Thanks for the reply.
> > > > > > - Jonathan
> > > > > >
> > > > > >
> > > > > > 2019=E5=B9=B46=E6=9C=8827=E6=97=A5(=E6=9C=A8) 13:49 Dmitry Petu=
khov <dp@simplexum.com>:
> > > > > >
> > > > > > > Hi!
> > > > > > >
> > > > > > > I wonder how your scheme handles multisig ?
> > > > > > >
> > > > > > > As I understand, you sign individual xpubs with cold keys,
> > > > > > > so that cold keys can check destination addresses are
> > > > > > > trusted.
> > > > > > >
> > > > > > > I seems to me that if you sign individual xpubs of a
> > > > > > > multisig warm wallet, and one key from that multisig is
> > > > > > > compromized, attackers can then create a single-sig
> > > > > > > destination address that they control, and move the coins
> > > > > > > in a chain of two transactions, first to this single-sig
> > > > > > > address, and then to an address that they independently
> > > > > > > control.
> > > > > > >
> > > > > > > My idea to prevent this [1] is to sign the whole 'xpub
> > > > > > > package' of the multisig wallet, but there is also an issue
> > > > > > > of 'partial compromize', where some of the keys in a
> > > > > > > multisig warm wallet is compromized, and you do not want to
> > > > > > > regard a particular 'xpub package' as trusted. My idea was
> > > > > > > [2] to use an auxiliary message that would be signed along
> > > > > > > with the 'xpub package', and that message can include
> > > > > > > specific 'epoch' word that hardware wallet can show
> > > > > > > prominently before signing, or have 'serial number' for
> > > > > > > xpub packages (but that will require to store last known
> > > > > > > serial inside hw wallet, making it stateful).
> > > > > > >
> > > > > > > I like the idea to extend PSBT to accomodate these schemes,
> > > > > > > but given that the huge number of possible schemes that each
> > > > > > > may probably require its own PSBT field type, I think that
> > > > > > > this is better dealt with outside of PSBT, as 'PSBT
> > > > > > > metainformation', or using some form of 'vendor-specific',
> > > > > > > or 'metainformation-specific' PSBT field. This way each
> > > > > > > usecase can be independently described in its own
> > > > > > > documentation, that would include the particulars of the
> > > > > > > format for the metainformation. This would also make it
> > > > > > > easier to implement PSBT for simple cases, because the
> > > > > > > 'core specification' would not grow that big.
> > > > > > >
> > > > > > > [1]
> > > > > > >
> > > > > > >
> > > > >
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-May/016917.h=
tml
>
> > > > > > >
> > > > > > > [2]
> > > > > > >
> > > > > > >
> > > > >
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-May/016926.h=
tml
>
> > > > > > >
> > > > > > >
> > > > > > > =D0=92 Thu, 27 Jun 2019 11:11:23 +0900 Jonathan Underwood via
> > > > > > > bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> > > > > > >
> > > > > > > > Hello all,
> > > > > > > >
> > > > > > > > Just wanted to pick your brains about an idea for PSBT
> > > > > > > > extension.
> > > > > > > >
> > > > > > > > One problem we try to solve with cold -> warm and warm ->
> > > > > > > > hot sends for our exchange wallet is "How do I know that
> > > > > > > > the address I am sending to is not a hacker's address
> > > > > > > > that was swapped in between unsigned tx creation and first
> > > > > > > > signature?"
> > > > > > > >
> > > > > > > > We have a proprietary JSON based encoding system which we
> > > > > > > > are looking to move towards PSBT, but PSBT is missing this
> > > > > > > > key functionality.
> > > > > > > >
> > > > > > > > BIP32_DERIVATION does allow us to verify the address is
> > > > > > > > from a certain XPUB, but, for example, it can not allow us
> > > > > > > > to verify a signature of that xpub.
> > > > > > > >
> > > > > > > > I have made a rough draft of the proposed key value
> > > > > > > > specification.
> > > > > > >
> > > > >
> https://github.com/junderw/bips/blob/addXpubSig/bip-0174.mediawiki#specif=
ication
> > > > >
> > > > > > > >
> > > > > > > > The signing key path used in the spec is just randomly
> > > > > > > > chosen 31 x 4 bits shown as numbers with hardened paths.
> > > > > > > >
> > > > > > > > Since this issue seems similar to the change address
> > > > > > > > issue, I started from that as a base. With the HW wallet
> > > > > > > > case, I can verify the xpub by just deriving it locally
> > > > > > > > and comparing equality, however, in our case, we need to
> > > > > > > > verify an xpub that we do not have access to via
> > > > > > > > derivation from our cold key(s) (since we don't want to
> > > > > > > > import our warm private key into our cold signer)
> > > > > > > >
> > > > > > > > So the flow would be:
> > > > > > > > 1. Securely verify the xpub of the warm / hot wallet.
> > > > > > > > 2. Using the airgap signing tool, sign the xpub with all
> > > > > > > > cold keys. 3. Upload the signature/xpub pairs to the
> > > > > > > > online unsigned transaction generator.
> > > > > > > > 4. Include one keyval pair per coldkey/xpub pairing.
> > > > > > > > 5. When offline signing, if the wallet detects there is a
> > > > > > > > global keyval XPUB_SIGNATURE with its pubkey in the key,
> > > > > > > > it must verify that all outputs have BIP32_DERIVATION and
> > > > > > > > that it can verify the outputs through the derivation, to
> > > > > > > > the xpub, and to the signature.
> > > > > > > >
> > > > > > > > In my attempt to fitting this into PSBT, I am slightly
> > > > > > > > altering our current system, so don't take this as an
> > > > > > > > indication 100% of how we work in the backend.
> > > > > > > >
> > > > > > > > However, I would like to hear any feedback on this
> > > > > > > > proposal.
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > Jonathan
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > >
> >
>
>
--000000000000a90c50058c6b5af1
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"auto"><div>replies in-line. Thanks!<br><br><div class=3D"gmail_=
quote"><div dir=3D"ltr" class=3D"gmail_attr">2019=E5=B9=B46=E6=9C=8829=E6=
=97=A5(=E5=9C=9F) 6:46 Dmitry Petukhov <<a href=3D"mailto:dp@simplexum.c=
om">dp@simplexum.com</a>>:<br></div><blockquote class=3D"gmail_quote" st=
yle=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">In yo=
ur proposed field key format,<br>
<br>
{0x02}|{signing_pubkey}|{m}|{xpub}|...|{xpub}<br>
<br>
I think you can replace the signing pubkey with just a fingerprint of<br>
the master key, that would save 29 bytes per 0x02 field.<br></blockquote></=
div></div><div dir=3D"auto"><br></div><div dir=3D"auto">Good point.</div><d=
iv dir=3D"auto"><br></div><div dir=3D"auto"><div class=3D"gmail_quote"><blo=
ckquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #c=
cc solid;padding-left:1ex"><br></blockquote><blockquote class=3D"gmail_quot=
e" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
If the only entity that is concerned about the validity of the<br>
signature is those that possess the signing_privkey, it will check the<br>
signature when it sees the 0x02 field starting with its own key<br>
fingerprint, and will ignore the field if the signature does not match.<br>
<br>
If someone other than the signer needs to check that this xpub-package<br>
was signed by certain cold key, it will need to know signing_pubkey<br>
anyway, before it parses PSBT, as it won't have the means to check if<b=
r>
certain pubkey found in 0x02 field in PSBT is related to certain<br>
signer, without knowing anything about the pubkey beforehand.<br>
<br>
I'm not sure if the ability of unrelated parties to verify that<br>
xpub-package matches its signature is useful in practice. 29 bytes per<br>
0x02 field is not a big saving of space, and if this ability is actually<br=
>
useful, the saving may not be worh loosing this ability.<br></blockquote></=
div></div><div dir=3D"auto"><br></div><div dir=3D"auto">All good points, I =
think we'll just use the first 4 bytes of the hash160 of the pubkey, ak=
a fingerprint.</div><div dir=3D"auto"><br></div><div dir=3D"auto"><div clas=
s=3D"gmail_quote"><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .=
8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Other note: you have 'unused' value of 1 for `m` in your scheme, wh=
y<br>
not require m=3D1 for single-sig case, and use 0 as indicator that there<br=
>
are a serlal number following it?<br></blockquote></div></div><div dir=3D"a=
uto"><br></div><div dir=3D"auto">0x00 is single sig, aka, OP_CHECKSIG</div>=
<div dir=3D"auto"><br></div><div dir=3D"auto">0x01 is multisig, aka, 1-of-3=
, 1-of-2 OP_CHECKMULTISIG</div><div dir=3D"auto"><br></div><div dir=3D"auto=
"><div class=3D"gmail_quote"><blockquote class=3D"gmail_quote" style=3D"mar=
gin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
The key for the field would be encoded as<br>
<br>
{0x02}|{signing_pubkey}|{m}|{xpub}|...|{xpub}<br>
<br>
for usual case, and<br>
<br>
{0x02}|{signing_pubkey}|0x00|{serial}|{m}|{xpub}|...|{xpub}<br>
<br>
for the case when the signing scheme actually cares about different<br>
versions of xpub packages signed by certain cold key<br></blockquote></div>=
</div><div dir=3D"auto"><br></div><div dir=3D"auto">since OP_CHECKMULTISIG =
only supports at most 15-of-15 due to stack item size limitations, we could=
make 0xff into this serial marker.</div><div dir=3D"auto"><br></div><div d=
ir=3D"auto"><div class=3D"gmail_quote"><blockquote class=3D"gmail_quote" st=
yle=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Going back to the idea of moving 'complex' usecases outside of BIP1=
74:<br>
maybe we could have a 'BIP-specific' field, that would have the key=
as<br>
<br>
{0x0?}|{BIP-number}|{bip-specific-suffix-data}<br>
<br>
so that the different usecases that are not general enough to be<br>
included in BIP174 itself, may have their own BIPs. Vendor-specific<br>
fields may also be done as a separate BIP.<br></blockquote></div></div><div=
dir=3D"auto"><br></div><div dir=3D"auto">Definitely sounds good, but the c=
urrently proposed 0x01 global type is being added to BIP174 directly under =
the assumption that it is useful for all users of PSBT, and I would argue t=
hat 0x01 being an HD change verifying method, it only seems logical to add =
a similar method of "verifying" non-self keys, aka whitelisting f=
or security purposes, and such a feature would require this data be include=
d into the PSBT sent into the device.</div><div dir=3D"auto"><br></div><div=
dir=3D"auto">If the consensus is that this data is unneeded, 0x01 should p=
robably also be a separate BIP.</div><div dir=3D"auto"><br></div><div dir=
=3D"auto">Though outside the scope of this BIP, one difficulty of a whiteli=
st feature would be revocation of signatures. If we pre-sign a revocation c=
ert and somehow make the wallet blacklist if seen... then the question is &=
quot;if your signer has a trustworthy store of state, why not store the whi=
telist pubkeys?"</div><div dir=3D"auto"><br></div><div dir=3D"auto">Bu=
t that feature itself should be a separate BIP.</div><div dir=3D"auto"><br>=
</div><div dir=3D"auto">Also, POR_COMMITMENT being in BIP174 kind of set a =
precedent... :-/</div><div dir=3D"auto"><br></div><div dir=3D"auto"><div cl=
ass=3D"gmail_quote"><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0=
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
=D0=92 Thu, 27 Jun 2019 20:29:32 +0500<br>
Dmitry Petukhov <<a href=3D"mailto:dp@simplexum.com" target=3D"_blank" r=
el=3D"noreferrer">dp@simplexum.com</a>> wrote:<br>
<br>
> Oh, I saw that you covered it in another mail:<br>
> <br>
> > The expire / revoke problem is a larger problem than this feature=
<br>
> > can handle.=C2=A0 <br>
> <br>
> > In general, if one of the cold keys is stolen, there is rarely a<=
br>
> > situation where you are completely sure the other cold keys haven=
't<br>
> > been compromised... so the best practice would be all signers<br>
> > generate new keys and all funds are moved to a completely new<br>
> > multisig wallet (no common xpubs).=C2=A0 <br>
> <br>
> The setup might not be 'all cold keys', but the keys with diff=
erent<br>
> levels of exposure to possible theft. In this config, compromise of<br=
>
> one of the 'warm' keys might not necessary require changing th=
e<br>
> 'cold' key.<br>
> <br>
> I'm not sure whether this usecase warrants adding extra 'seria=
l'<br>
> field, but on the other hand it is rather simple change, and those who=
<br>
> does not care can always set 0. <br>
> <br>
> =D0=92 Thu, 27 Jun 2019 18:14:29 +0500<br>
> Dmitry Petukhov <<a href=3D"mailto:dp@simplexum.com" target=3D"_bla=
nk" rel=3D"noreferrer">dp@simplexum.com</a>> wrote:<br>
> <br>
> > What do you think about adding serial number to the xpub package =
?<br>
> > <br>
> > The key would be <br>
> > <br>
> > {0x02}|{signing_pubkey}|{serial}|{m}|{xpub}|...|{xpub}<br>
> > <br>
> > and if the signer have the ability to store a counter, it can rej=
ect<br>
> > 'outdated' xpub packages, and only accept those that was =
signed<br>
> > using the serial number that it deems recent. This would allow a<=
br>
> > limited mechanism to 'revoke' previously signed packages =
that have<br>
> > compromized keys in them.<br>
> > <br>
> > =D0=92 Thu, 27 Jun 2019 17:16:14 +0900<br>
> > Jonathan Underwood <<a href=3D"mailto:junderwood@bitcoinbank.c=
o.jp" target=3D"_blank" rel=3D"noreferrer">junderwood@bitcoinbank.co.jp</a>=
> wrote:<br>
> >=C2=A0 =C2=A0<br>
> > > I see what you mean.<br>
> > > <br>
> > > What about this?<br>
> > > <a href=3D"https://github.com/junderw/bips/commit/57a57b4fae=
1ae14b77a2eebd99cd719148e3027e?short_path=3D82656c8#diff-82656c833e31e6751a=
412ce5e5c70920" rel=3D"noreferrer noreferrer" target=3D"_blank">https://git=
hub.com/junderw/bips/commit/57a57b4fae1ae14b77a2eebd99cd719148e3027e?short_=
path=3D82656c8#diff-82656c833e31e6751a412ce5e5c70920</a><br>
> > > <br>
> > > Plus side: for single sig case, the key only increases by on=
e byte<br>
> > > (0x00 for the {m} value)<br>
> > > <br>
> > > This way if it was 2 of 3 like before, you sign the whole &q=
uot;packet"<br>
> > > so each key only signs the packet once. Way better than n!<b=
r>
> > > <br>
> > > Anywho. Please send your feedback. Thanks.<br>
> > > Jonathan<br>
> > > <br>
> > > 2019=E5=B9=B46=E6=9C=8827=E6=97=A5(=E6=9C=A8) 16:27 Dmitry P=
etukhov <<a href=3D"mailto:dp@simplexum.com" target=3D"_blank" rel=3D"no=
referrer">dp@simplexum.com</a>>:<br>
> > >=C2=A0 =C2=A0 =C2=A0<br>
> > > > How would signer know that there _should_ be at least 3=
<br>
> > > > signatures signed by the key owned by this signer ?<br>
> > > ><br>
> > > > If it does not know that it should enforce 2of3 multisi=
g, for<br>
> > > > example, the attacker that control only one key A can f=
ool<br>
> > > > signer B by sending to 1of1 single-sig that is derived =
from A's<br>
> > > > xpub, and providing only sBxA in PSBT.<br>
> > > ><br>
> > > > If the signer does not have a hardcoded configuration t=
hat<br>
> > > > will mandate a particular multisig scheme, it will allo=
w sending<br>
> > > > to any scheme.<br>
> > > ><br>
> > > > If the signer has a rich enough state to store updatabl=
e<br>
> > > > configuration, it can just store the trusted xpubs dire=
ctly.<br>
> > > ><br>
> > > > Alternatively, signer can sign not individual xpubs, bu=
t whole<br>
> > > > xpub packages that correspond to particular multisig<br=
>
> > > > configuration, and enforce that destination addresses c=
orrespond<br>
> > > > to this configuration.<br>
> > > ><br>
> > > > But this would not be possible with your PSBT scheme th=
at uses<br>
> > > > individual key-xpub pairs.<br>
> > > ><br>
> > > > =D0=92 Thu, 27 Jun 2019 14:07:47 +0900<br>
> > > > Jonathan Underwood <<a href=3D"mailto:junderwood@bit=
coinbank.co.jp" target=3D"_blank" rel=3D"noreferrer">junderwood@bitcoinbank=
.co.jp</a>> wrote:<br>
> > > >=C2=A0 =C2=A0 =C2=A0 <br>
> > > > > Thanks for the reply.<br>
> > > > ><br>
> > > > > The way we would do it is:<br>
> > > > ><br>
> > > > > Let's say we have 3 cold keys for multisig: A =
B and C<br>
> > > > ><br>
> > > > > Whose xpubs are: xA xB and xC<br>
> > > > ><br>
> > > > > We all sign each other's xpubs, whose signatur=
es are:<br>
> > > > > sAxB<br>
> > > > > sAxC<br>
> > > > > sBxA<br>
> > > > > sBxC<br>
> > > > > sCxA<br>
> > > > > sCxB<br>
> > > > ><br>
> > > > > We can then create a wallet that says "when v=
erifying change<br>
> > > > > with 0x01 global type proposed by Andrew Chow, if =
the change<br>
> > > > > is multisig, we MUST require the other pubkeys to =
have<br>
> > > > > signatures via my 0x02 proposal"<br>
> > > > ><br>
> > > > > This way, all my PSBTs for my cold will have:<br>
> > > > > 1. an 0x01 entry to tell me how to get my change.<=
br>
> > > > > 2. All 6 of the signatures above.<br>
> > > > ><br>
> > > > > And the signer will then look at the change, check=
my pubkey<br>
> > > > > by deriving the xpub and checking equality to the<=
br>
> > > > > BIP_DERIVATION of the output... it will then check=
the OTHER<br>
> > > > > pubkeys via BIP32_DERIVATION to master fingerprint=
, then link<br>
> > > > > that fingerprint to a 0x02 sig from MY key, verify=
ing all<br>
> > > > > pubkeys.<br>
> > > > ><br>
> > > > > So this proposal of mine would not only fix the &q=
uot;send to<br>
> > > > > address verification" problem for HD, but als=
o the multisig<br>
> > > > > change problem with 0x01.<br>
> > > > ><br>
> > > > > Cool.<br>
> > > > ><br>
> > > > > Only thing that is kind of sad is having to includ=
e n! (of<br>
> > > > > m-of-n) signatures in every PSBT... but tbh, the P=
SBT size is<br>
> > > > > not of much concern.<br>
> > > > ><br>
> > > > > Thanks for the reply.<br>
> > > > > - Jonathan<br>
> > > > ><br>
> > > > ><br>
> > > > > 2019=E5=B9=B46=E6=9C=8827=E6=97=A5(=E6=9C=A8) 13:4=
9 Dmitry Petukhov <<a href=3D"mailto:dp@simplexum.com" target=3D"_blank"=
rel=3D"noreferrer">dp@simplexum.com</a>>:<br>
> > > > >=C2=A0 =C2=A0 =C2=A0 <br>
> > > > > > Hi!<br>
> > > > > ><br>
> > > > > > I wonder how your scheme handles multisig ?<b=
r>
> > > > > ><br>
> > > > > > As I understand, you sign individual xpubs wi=
th cold keys,<br>
> > > > > > so that cold keys can check destination addre=
sses are<br>
> > > > > > trusted.<br>
> > > > > ><br>
> > > > > > I seems to me that if you sign individual xpu=
bs of a<br>
> > > > > > multisig warm wallet, and one key from that m=
ultisig is<br>
> > > > > > compromized, attackers can then create a sing=
le-sig<br>
> > > > > > destination address that they control, and mo=
ve the coins<br>
> > > > > > in a chain of two transactions, first to this=
single-sig<br>
> > > > > > address, and then to an address that they ind=
ependently<br>
> > > > > > control.<br>
> > > > > ><br>
> > > > > > My idea to prevent this [1] is to sign the wh=
ole 'xpub<br>
> > > > > > package' of the multisig wallet, but ther=
e is also an issue<br>
> > > > > > of 'partial compromize', where some o=
f the keys in a<br>
> > > > > > multisig warm wallet is compromized, and you =
do not want to<br>
> > > > > > regard a particular 'xpub package' as=
trusted. My idea was<br>
> > > > > > [2] to use an auxiliary message that would be=
signed along<br>
> > > > > > with the 'xpub package', and that mes=
sage can include<br>
> > > > > > specific 'epoch' word that hardware w=
allet can show<br>
> > > > > > prominently before signing, or have 'seri=
al number' for<br>
> > > > > > xpub packages (but that will require to store=
last known<br>
> > > > > > serial inside hw wallet, making it stateful).=
<br>
> > > > > ><br>
> > > > > > I like the idea to extend PSBT to accomodate =
these schemes,<br>
> > > > > > but given that the huge number of possible sc=
hemes that each<br>
> > > > > > may probably require its own PSBT field type,=
I think that<br>
> > > > > > this is better dealt with outside of PSBT, as=
'PSBT<br>
> > > > > > metainformation', or using some form of &=
#39;vendor-specific',<br>
> > > > > > or 'metainformation-specific' PSBT fi=
eld. This way each<br>
> > > > > > usecase can be independently described in its=
own<br>
> > > > > > documentation, that would include the particu=
lars of the<br>
> > > > > > format for the metainformation. This would al=
so make it<br>
> > > > > > easier to implement PSBT for simple cases, be=
cause the<br>
> > > > > > 'core specification' would not grow t=
hat big.<br>
> > > > > ><br>
> > > > > > [1]<br>
> > > > > ><br>
> > > > > >=C2=A0 =C2=A0 =C2=A0 <br>
> > > > <a href=3D"https://lists.linuxfoundation.org/pipermail/=
bitcoin-dev/2019-May/016917.html" rel=3D"noreferrer noreferrer" target=3D"_=
blank">https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-May/016=
917.html</a>=C2=A0 =C2=A0 =C2=A0 <br>
> > > > > ><br>
> > > > > > [2]<br>
> > > > > ><br>
> > > > > >=C2=A0 =C2=A0 =C2=A0 <br>
> > > > <a href=3D"https://lists.linuxfoundation.org/pipermail/=
bitcoin-dev/2019-May/016926.html" rel=3D"noreferrer noreferrer" target=3D"_=
blank">https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-May/016=
926.html</a>=C2=A0 =C2=A0 =C2=A0 <br>
> > > > > ><br>
> > > > > ><br>
> > > > > > =D0=92 Thu, 27 Jun 2019 11:11:23 +0900 Jonath=
an Underwood via<br>
> > > > > > bitcoin-dev <<a href=3D"mailto:bitcoin-dev=
@lists.linuxfoundation.org" target=3D"_blank" rel=3D"noreferrer">bitcoin-de=
v@lists.linuxfoundation.org</a>> wrote:<br>
> > > > > >=C2=A0 =C2=A0 =C2=A0 <br>
> > > > > > > Hello all,<br>
> > > > > > ><br>
> > > > > > > Just wanted to pick your brains about an=
idea for PSBT<br>
> > > > > > > extension.<br>
> > > > > > ><br>
> > > > > > > One problem we try to solve with cold -&=
gt; warm and warm -><br>
> > > > > > > hot sends for our exchange wallet is &qu=
ot;How do I know that<br>
> > > > > > > the address I am sending to is not a hac=
ker's address<br>
> > > > > > > that was swapped in between unsigned tx =
creation and first<br>
> > > > > > > signature?"<br>
> > > > > > ><br>
> > > > > > > We have a proprietary JSON based encodin=
g system which we<br>
> > > > > > > are looking to move towards PSBT, but PS=
BT is missing this<br>
> > > > > > > key functionality.<br>
> > > > > > ><br>
> > > > > > > BIP32_DERIVATION does allow us to verify=
the address is<br>
> > > > > > > from a certain XPUB, but, for example, i=
t can not allow us<br>
> > > > > > > to verify a signature of that xpub.<br>
> > > > > > ><br>
> > > > > > > I have made a rough draft of the propose=
d key value<br>
> > > > > > > specification.=C2=A0 =C2=A0 =C2=A0<br>
> > > > > >=C2=A0 =C2=A0 =C2=A0 <br>
> > > > <a href=3D"https://github.com/junderw/bips/blob/addXpub=
Sig/bip-0174.mediawiki#specification" rel=3D"noreferrer noreferrer" target=
=3D"_blank">https://github.com/junderw/bips/blob/addXpubSig/bip-0174.mediaw=
iki#specification</a><br>
> > > >=C2=A0 =C2=A0 =C2=A0 <br>
> > > > > > ><br>
> > > > > > > The signing key path used in the spec is=
just randomly<br>
> > > > > > > chosen 31 x 4 bits shown as numbers with=
hardened paths.<br>
> > > > > > ><br>
> > > > > > > Since this issue seems similar to the ch=
ange address<br>
> > > > > > > issue, I started from that as a base. Wi=
th the HW wallet<br>
> > > > > > > case, I can verify the xpub by just deri=
ving it locally<br>
> > > > > > > and comparing equality, however, in our =
case, we need to<br>
> > > > > > > verify an xpub that we do not have acces=
s to via<br>
> > > > > > > derivation from our cold key(s) (since w=
e don't want to<br>
> > > > > > > import our warm private key into our col=
d signer)<br>
> > > > > > ><br>
> > > > > > > So the flow would be:<br>
> > > > > > > 1. Securely verify the xpub of the warm =
/ hot wallet.<br>
> > > > > > > 2. Using the airgap signing tool, sign t=
he xpub with all<br>
> > > > > > > cold keys. 3. Upload the signature/xpub =
pairs to the<br>
> > > > > > > online unsigned transaction generator.<b=
r>
> > > > > > > 4. Include one keyval pair per coldkey/x=
pub pairing.<br>
> > > > > > > 5. When offline signing, if the wallet d=
etects there is a<br>
> > > > > > > global keyval XPUB_SIGNATURE with its pu=
bkey in the key,<br>
> > > > > > > it must verify that all outputs have BIP=
32_DERIVATION and<br>
> > > > > > > that it can verify the outputs through t=
he derivation, to<br>
> > > > > > > the xpub, and to the signature.<br>
> > > > > > ><br>
> > > > > > > In my attempt to fitting this into PSBT,=
I am slightly<br>
> > > > > > > altering our current system, so don'=
t take this as an<br>
> > > > > > > indication 100% of how we work in the ba=
ckend.<br>
> > > > > > ><br>
> > > > > > > However, I would like to hear any feedba=
ck on this<br>
> > > > > > > proposal.<br>
> > > > > > ><br>
> > > > > > > Thanks,<br>
> > > > > > > Jonathan<br>
> > > > > > >=C2=A0 =C2=A0 =C2=A0 <br>
> > > > > ><br>
> > > > > >=C2=A0 =C2=A0 =C2=A0 <br>
> > > > >=C2=A0 =C2=A0 =C2=A0 <br>
> > > ><br>
> > > >=C2=A0 =C2=A0 =C2=A0 <br>
> > >=C2=A0 =C2=A0 =C2=A0<br>
> >=C2=A0 =C2=A0<br>
> <br>
<br>
</blockquote></div></div></div>
--000000000000a90c50058c6b5af1--
|
