1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
|
Return-Path: <junderwood@bitcoinbank.co.jp>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id B4DD4E63
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 27 Jun 2019 09:52:42 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-yb1-f179.google.com (mail-yb1-f179.google.com
[209.85.219.179])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 19333832
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 27 Jun 2019 09:52:41 +0000 (UTC)
Received: by mail-yb1-f179.google.com with SMTP id l22so404286ybf.4
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 27 Jun 2019 02:52:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=bitcoinbank.co.jp; s=google;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=JOGIkKE/IAUgD/IROWNxwrNHEI+CpitKHc9R3/1XfN8=;
b=OBFlWXb8HM4E7xJa0GxGq909a6wCZRF3Z5gEgapw5FpA4wdTbbrH6rD/2nYdLaxTiD
zadQ17nhj1xQ9tEl9/5vQrK25NJ637epEibPdwIuWz50t9IQ/SI0uLC9Iso/kEMp5v79
v1jUxd9yVx0mEe8N5w3Lfvy/mSCZ6kJmi+3Fq/0rCgbR38EeLrj7UhN1TVI1PbjACbww
f+sqKT7YiKrdaqsq2hfuagoJJ4B76aG0+E/q2u4KDzT2UubMYKkaOQBeeMKdcFTgPJjF
wbeMUrKLIsaC3xwqtTy/FAeYvoVidXnXme9QwujlGC3dBPDzKGg+qDGl9c6xIQJ4kIuM
5ZfA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=JOGIkKE/IAUgD/IROWNxwrNHEI+CpitKHc9R3/1XfN8=;
b=aDnX5tGiaUdFqH7UQDur06fDZzGMkq0KbReVbqYTdv8aHJAeP20XHX5z74tlZCRnmS
5kQSLCMY6wbQ+ho1zq+NBKKuM5CcLbUfcB7jUv2bkKS52xERLvvhGMT1mKyyo5lQsA5m
Un3P7QDlaDBkTwhObzBc0UnQ356U3zyY24kWXI0ZjXYGLnA0ABTBMXmyLTsdoN69S2Ih
97K3Xrf/lDVHSBUXpmuZdymbUBTj7ZFC2kv33anAEsFtpfnHUFVY3mEFvlXpUA300ycH
bMuUWsftvQaL3hxYKpjc0kXwzp69UBJLzAgSr77HLRPzhSLleT+ypXyBl45nEhIvtqUr
9n4g==
X-Gm-Message-State: APjAAAVwgo589voy2zFikB+7h4kJCr3CnP9PK1lkhqSv7BKLi5mGeQ1Q
ELBZFyQpgHr6k5AP9i0vQHMws1mMJM9CHRiWqJmF
X-Google-Smtp-Source: APXvYqxhwbfuQ7wdh7De7BkXmCpN4Hq7NCK71cL7hnb5JQ03tCc8c0EpcopN4iP1F07FInOuWxPLY65UXLOgb19X3cQ=
X-Received: by 2002:a25:8252:: with SMTP id d18mr1976884ybn.486.1561629159951;
Thu, 27 Jun 2019 02:52:39 -0700 (PDT)
MIME-Version: 1.0
References: <CAMpN3mLvY+kuUGqzMW6SAMZ=h46_g=XLhDPhSY=X6xhLxvi15Q@mail.gmail.com>
<20190627095031.4d5817b8@simplexum.com>
<CAMpN3mKPkCPtYkN-JVku1r217-aBK=Rh3UEhvRPS_Y6DixJ9Dw@mail.gmail.com>
<20190627122916.3b6c2c32@simplexum.com>
<CAMpN3mL8tyP-6-nwn6dorcq7-dad6wYz8_pXinqHhgzUnrr_tg@mail.gmail.com>
<20190627144852.52c6d9e1@simplexum.com>
In-Reply-To: <20190627144852.52c6d9e1@simplexum.com>
From: Jonathan Underwood <junderwood@bitcoinbank.co.jp>
Date: Thu, 27 Jun 2019 18:52:28 +0900
Message-ID: <CAMpN3mLffLPFvuuLtd1=UuDSwStuk7g9WvLCrXe8SRDdc6fUHg@mail.gmail.com>
To: Dmitry Petukhov <dp@simplexum.com>
Content-Type: multipart/alternative; boundary="00000000000059a096058c4b1f1d"
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, HTML_MESSAGE,
RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Thu, 27 Jun 2019 14:26:10 +0000
Cc: Bitcoin development mailing list <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] BIP174 extension proposal (Global Type:
PSBT_GLOBAL_XPUB_SIGNATURE)
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jun 2019 09:52:42 -0000
--00000000000059a096058c4b1f1d
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
> By the way, why is this particular path ?
The signing key path used in the spec is just randomly chosen 31 x 4 bits
shown as numbers with hardened paths. Just wanted to make sure it wasn't a
key that people are likely to use for something else.
> It is not clear to me what public key this refers to
I just used the same sentence from the other proposal for 0x01 global tag.
It is kind of confusing, but "can be derived" implies that it is referring
to an xpub, since normal public keys can not "derive children"...
But I could change it if it would be clearer.
2019=E5=B9=B46=E6=9C=8827=E6=97=A5(=E6=9C=A8) 18:47 Dmitry Petukhov <dp@sim=
plexum.com>:
> " It should be the public key at the highest hardened derivation index
> so that the unhardened child keys used in the transaction can be
> derived."
>
> It is not clear to me what public key this refers to - does this
> refer to 'signing pubkey' ? - then the exact derivation indexes for that
> are given in the value section:
>
> m/2042083607'/959190427'/1400854130'/990526201'
>
> By the way, why is this particular path ?
>
> =D0=92 Thu, 27 Jun 2019 17:16:14 +0900
> Jonathan Underwood <junderwood@bitcoinbank.co.jp> wrote:
>
> > I see what you mean.
> >
> > What about this?
> >
> https://github.com/junderw/bips/commit/57a57b4fae1ae14b77a2eebd99cd719148=
e3027e?short_path=3D82656c8#diff-82656c833e31e6751a412ce5e5c70920
> >
> > Plus side: for single sig case, the key only increases by one byte
> > (0x00 for the {m} value)
> >
> > This way if it was 2 of 3 like before, you sign the whole "packet" so
> > each key only signs the packet once. Way better than n!
> >
> > Anywho. Please send your feedback. Thanks.
> > Jonathan
> >
> > 2019=E5=B9=B46=E6=9C=8827=E6=97=A5(=E6=9C=A8) 16:27 Dmitry Petukhov <dp=
@simplexum.com>:
> >
> > > How would signer know that there _should_ be at least 3 signatures
> > > signed by the key owned by this signer ?
> > >
> > > If it does not know that it should enforce 2of3 multisig, for
> > > example, the attacker that control only one key A can fool signer B
> > > by sending to 1of1 single-sig that is derived from A's xpub, and
> > > providing only sBxA in PSBT.
> > >
> > > If the signer does not have a hardcoded configuration that
> > > will mandate a particular multisig scheme, it will allow sending to
> > > any scheme.
> > >
> > > If the signer has a rich enough state to store updatable
> > > configuration, it can just store the trusted xpubs directly.
> > >
> > > Alternatively, signer can sign not individual xpubs, but whole xpub
> > > packages that correspond to particular multisig configuration, and
> > > enforce that destination addresses correspond to this configuration.
> > >
> > > But this would not be possible with your PSBT scheme that uses
> > > individual key-xpub pairs.
> > >
> > > =D0=92 Thu, 27 Jun 2019 14:07:47 +0900
> > > Jonathan Underwood <junderwood@bitcoinbank.co.jp> wrote:
> > >
> > > > Thanks for the reply.
> > > >
> > > > The way we would do it is:
> > > >
> > > > Let's say we have 3 cold keys for multisig: A B and C
> > > >
> > > > Whose xpubs are: xA xB and xC
> > > >
> > > > We all sign each other's xpubs, whose signatures are:
> > > > sAxB
> > > > sAxC
> > > > sBxA
> > > > sBxC
> > > > sCxA
> > > > sCxB
> > > >
> > > > We can then create a wallet that says "when verifying change with
> > > > 0x01 global type proposed by Andrew Chow, if the change is
> > > > multisig, we MUST require the other pubkeys to have signatures
> > > > via my 0x02 proposal"
> > > >
> > > > This way, all my PSBTs for my cold will have:
> > > > 1. an 0x01 entry to tell me how to get my change.
> > > > 2. All 6 of the signatures above.
> > > >
> > > > And the signer will then look at the change, check my pubkey by
> > > > deriving the xpub and checking equality to the BIP_DERIVATION of
> > > > the output... it will then check the OTHER pubkeys via
> > > > BIP32_DERIVATION to master fingerprint, then link that
> > > > fingerprint to a 0x02 sig from MY key, verifying all pubkeys.
> > > >
> > > > So this proposal of mine would not only fix the "send to address
> > > > verification" problem for HD, but also the multisig change problem
> > > > with 0x01.
> > > >
> > > > Cool.
> > > >
> > > > Only thing that is kind of sad is having to include n! (of m-of-n)
> > > > signatures in every PSBT... but tbh, the PSBT size is not of much
> > > > concern.
> > > >
> > > > Thanks for the reply.
> > > > - Jonathan
> > > >
> > > >
> > > > 2019=E5=B9=B46=E6=9C=8827=E6=97=A5(=E6=9C=A8) 13:49 Dmitry Petukhov=
<dp@simplexum.com>:
> > > >
> > > > > Hi!
> > > > >
> > > > > I wonder how your scheme handles multisig ?
> > > > >
> > > > > As I understand, you sign individual xpubs with cold keys, so
> > > > > that cold keys can check destination addresses are trusted.
> > > > >
> > > > > I seems to me that if you sign individual xpubs of a multisig
> > > > > warm wallet, and one key from that multisig is compromized,
> > > > > attackers can then create a single-sig destination address that
> > > > > they control, and move the coins in a chain of two
> > > > > transactions, first to this single-sig address, and then to an
> > > > > address that they independently control.
> > > > >
> > > > > My idea to prevent this [1] is to sign the whole 'xpub package'
> > > > > of the multisig wallet, but there is also an issue of 'partial
> > > > > compromize', where some of the keys in a multisig warm wallet is
> > > > > compromized, and you do not want to regard a particular 'xpub
> > > > > package' as trusted. My idea was [2] to use an auxiliary message
> > > > > that would be signed along with the 'xpub package', and that
> > > > > message can include specific 'epoch' word that hardware wallet
> > > > > can show prominently before signing, or have 'serial number'
> > > > > for xpub packages (but that will require to store last known
> > > > > serial inside hw wallet, making it stateful).
> > > > >
> > > > > I like the idea to extend PSBT to accomodate these schemes, but
> > > > > given that the huge number of possible schemes that each may
> > > > > probably require its own PSBT field type, I think that this is
> > > > > better dealt with outside of PSBT, as 'PSBT metainformation', or
> > > > > using some form of 'vendor-specific', or
> > > > > 'metainformation-specific' PSBT field. This way each usecase
> > > > > can be independently described in its own documentation, that
> > > > > would include the particulars of the format for the
> > > > > metainformation. This would also make it easier to implement
> > > > > PSBT for simple cases, because the 'core specification' would
> > > > > not grow that big.
> > > > >
> > > > > [1]
> > > > >
> > > > >
> > >
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-May/016917.h=
tml
>
> > > > >
> > > > > [2]
> > > > >
> > > > >
> > >
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-May/016926.h=
tml
>
> > > > >
> > > > >
> > > > > =D0=92 Thu, 27 Jun 2019 11:11:23 +0900 Jonathan Underwood via
> > > > > bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> > > > >
> > > > > > Hello all,
> > > > > >
> > > > > > Just wanted to pick your brains about an idea for PSBT
> > > > > > extension.
> > > > > >
> > > > > > One problem we try to solve with cold -> warm and warm -> hot
> > > > > > sends for our exchange wallet is "How do I know that the
> > > > > > address I am sending to is not a hacker's address that was
> > > > > > swapped in between unsigned tx creation and first signature?"
> > > > > >
> > > > > > We have a proprietary JSON based encoding system which we are
> > > > > > looking to move towards PSBT, but PSBT is missing this key
> > > > > > functionality.
> > > > > >
> > > > > > BIP32_DERIVATION does allow us to verify the address is from a
> > > > > > certain XPUB, but, for example, it can not allow us to verify
> > > > > > a signature of that xpub.
> > > > > >
> > > > > > I have made a rough draft of the proposed key value
> > > > > > specification.
> > > > >
> > >
> https://github.com/junderw/bips/blob/addXpubSig/bip-0174.mediawiki#specif=
ication
> > >
> > > > > >
> > > > > > The signing key path used in the spec is just randomly chosen
> > > > > > 31 x 4 bits shown as numbers with hardened paths.
> > > > > >
> > > > > > Since this issue seems similar to the change address issue, I
> > > > > > started from that as a base. With the HW wallet case, I can
> > > > > > verify the xpub by just deriving it locally and comparing
> > > > > > equality, however, in our case, we need to verify an xpub
> > > > > > that we do not have access to via derivation from our cold
> > > > > > key(s) (since we don't want to import our warm private key
> > > > > > into our cold signer)
> > > > > >
> > > > > > So the flow would be:
> > > > > > 1. Securely verify the xpub of the warm / hot wallet.
> > > > > > 2. Using the airgap signing tool, sign the xpub with all cold
> > > > > > keys. 3. Upload the signature/xpub pairs to the online
> > > > > > unsigned transaction generator.
> > > > > > 4. Include one keyval pair per coldkey/xpub pairing.
> > > > > > 5. When offline signing, if the wallet detects there is a
> > > > > > global keyval XPUB_SIGNATURE with its pubkey in the key, it
> > > > > > must verify that all outputs have BIP32_DERIVATION and that
> > > > > > it can verify the outputs through the derivation, to the
> > > > > > xpub, and to the signature.
> > > > > >
> > > > > > In my attempt to fitting this into PSBT, I am slightly
> > > > > > altering our current system, so don't take this as an
> > > > > > indication 100% of how we work in the backend.
> > > > > >
> > > > > > However, I would like to hear any feedback on this proposal.
> > > > > >
> > > > > > Thanks,
> > > > > > Jonathan
> > > > > >
> > > > >
> > > > >
> > > >
> > >
> > >
> >
>
>
--=20
-----------------
Jonathan Underwood
=E3=83=93=E3=83=83=E3=83=88=E3=83=90=E3=83=B3=E3=82=AF=E7=A4=BE =E3=83=81=
=E3=83=BC=E3=83=95=E3=83=93=E3=83=83=E3=83=88=E3=82=B3=E3=82=A4=E3=83=B3=E3=
=82=AA=E3=83=95=E3=82=A3=E3=82=B5=E3=83=BC
-----------------
=E6=9A=97=E5=8F=B7=E5=8C=96=E3=81=97=E3=81=9F=E3=83=A1=E3=83=83=E3=82=BB=E3=
=83=BC=E3=82=B8=E3=82=92=E3=81=8A=E9=80=81=E3=82=8A=E3=81=AE=E6=96=B9=E3=81=
=AF=E4=B8=8B=E8=A8=98=E3=81=AE=E5=85=AC=E9=96=8B=E9=8D=B5=E3=82=92=E3=81=94=
=E5=88=A9=E7=94=A8=E4=B8=8B=E3=81=95=E3=81=84=E3=80=82
=E6=8C=87=E7=B4=8B: 0xCE5EA9476DE7D3E45EBC3FDAD998682F3590FEA3
--00000000000059a096058c4b1f1d
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div>> By the way, why is this particular path ?</div><=
div><br></div>The signing key path used in the spec is just randomly chosen=
31 x 4 bits shown as numbers with hardened paths. Just wanted to make sure=
it wasn't a key that people are likely to use for something else.<br><=
div><br></div><div>> It is not clear to me what public key this refers t=
o</div><div><br></div><div>I just used the same sentence from the other pro=
posal for 0x01 global tag. It is kind of confusing, but "can be derive=
d" implies that it is referring to an xpub, since normal public keys c=
an not "derive children"...</div><div><br></div><div>But I could =
change it if it would be clearer.</div></div><br><div class=3D"gmail_quote"=
><div dir=3D"ltr" class=3D"gmail_attr">2019=E5=B9=B46=E6=9C=8827=E6=97=A5(=
=E6=9C=A8) 18:47 Dmitry Petukhov <<a href=3D"mailto:dp@simplexum.com">dp=
@simplexum.com</a>>:<br></div><blockquote class=3D"gmail_quote" style=3D=
"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-le=
ft:1ex">" It should be the public key at the highest hardened derivati=
on index<br>
so that the unhardened child keys used in the transaction can be<br>
derived."<br>
<br>
It is not clear to me what public key this refers to - does this<br>
refer to 'signing pubkey' ? - then the exact derivation indexes for=
that<br>
are given in the value section:<br>
<br>
=C2=A0 =C2=A0m/2042083607'/959190427'/1400854130'/990526201'=
;<br>
<br>
By the way, why is this particular path ?<br>
<br>
=D0=92 Thu, 27 Jun 2019 17:16:14 +0900<br>
Jonathan Underwood <<a href=3D"mailto:junderwood@bitcoinbank.co.jp" targ=
et=3D"_blank">junderwood@bitcoinbank.co.jp</a>> wrote:<br>
<br>
> I see what you mean.<br>
> <br>
> What about this?<br>
> <a href=3D"https://github.com/junderw/bips/commit/57a57b4fae1ae14b77a2=
eebd99cd719148e3027e?short_path=3D82656c8#diff-82656c833e31e6751a412ce5e5c7=
0920" rel=3D"noreferrer" target=3D"_blank">https://github.com/junderw/bips/=
commit/57a57b4fae1ae14b77a2eebd99cd719148e3027e?short_path=3D82656c8#diff-8=
2656c833e31e6751a412ce5e5c70920</a><br>
> <br>
> Plus side: for single sig case, the key only increases by one byte<br>
> (0x00 for the {m} value)<br>
> <br>
> This way if it was 2 of 3 like before, you sign the whole "packet=
" so<br>
> each key only signs the packet once. Way better than n!<br>
> <br>
> Anywho. Please send your feedback. Thanks.<br>
> Jonathan<br>
> <br>
> 2019=E5=B9=B46=E6=9C=8827=E6=97=A5(=E6=9C=A8) 16:27 Dmitry Petukhov &l=
t;<a href=3D"mailto:dp@simplexum.com" target=3D"_blank">dp@simplexum.com</a=
>>:<br>
> <br>
> > How would signer know that there _should_ be at least 3 signature=
s<br>
> > signed by the key owned by this signer ?<br>
> ><br>
> > If it does not know that it should enforce 2of3 multisig, for<br>
> > example, the attacker that control only one key A can fool signer=
B<br>
> > by sending to 1of1 single-sig that is derived from A's xpub, =
and<br>
> > providing only sBxA in PSBT.<br>
> ><br>
> > If the signer does not have a hardcoded configuration that<br>
> > will mandate a particular multisig scheme, it will allow sending =
to<br>
> > any scheme.<br>
> ><br>
> > If the signer has a rich enough state to store updatable<br>
> > configuration, it can just store the trusted xpubs directly.<br>
> ><br>
> > Alternatively, signer can sign not individual xpubs, but whole xp=
ub<br>
> > packages that correspond to particular multisig configuration, an=
d<br>
> > enforce that destination addresses correspond to this configurati=
on.<br>
> ><br>
> > But this would not be possible with your PSBT scheme that uses<br=
>
> > individual key-xpub pairs.<br>
> ><br>
> > =D0=92 Thu, 27 Jun 2019 14:07:47 +0900<br>
> > Jonathan Underwood <<a href=3D"mailto:junderwood@bitcoinbank.c=
o.jp" target=3D"_blank">junderwood@bitcoinbank.co.jp</a>> wrote:<br>
> >=C2=A0 <br>
> > > Thanks for the reply.<br>
> > ><br>
> > > The way we would do it is:<br>
> > ><br>
> > > Let's say we have 3 cold keys for multisig: A B and C<br=
>
> > ><br>
> > > Whose xpubs are: xA xB and xC<br>
> > ><br>
> > > We all sign each other's xpubs, whose signatures are:<br=
>
> > > sAxB<br>
> > > sAxC<br>
> > > sBxA<br>
> > > sBxC<br>
> > > sCxA<br>
> > > sCxB<br>
> > ><br>
> > > We can then create a wallet that says "when verifying c=
hange with<br>
> > > 0x01 global type proposed by Andrew Chow, if the change is<b=
r>
> > > multisig, we MUST require the other pubkeys to have signatur=
es<br>
> > > via my 0x02 proposal"<br>
> > ><br>
> > > This way, all my PSBTs for my cold will have:<br>
> > > 1. an 0x01 entry to tell me how to get my change.<br>
> > > 2. All 6 of the signatures above.<br>
> > ><br>
> > > And the signer will then look at the change, check my pubkey=
by<br>
> > > deriving the xpub and checking equality to the BIP_DERIVATIO=
N of<br>
> > > the output... it will then check the OTHER pubkeys via<br>
> > > BIP32_DERIVATION to master fingerprint, then link that<br>
> > > fingerprint to a 0x02 sig from MY key, verifying all pubkeys=
.<br>
> > ><br>
> > > So this proposal of mine would not only fix the "send t=
o address<br>
> > > verification" problem for HD, but also the multisig cha=
nge problem<br>
> > > with 0x01.<br>
> > ><br>
> > > Cool.<br>
> > ><br>
> > > Only thing that is kind of sad is having to include n! (of m=
-of-n)<br>
> > > signatures in every PSBT... but tbh, the PSBT size is not of=
much<br>
> > > concern.<br>
> > ><br>
> > > Thanks for the reply.<br>
> > > - Jonathan<br>
> > ><br>
> > ><br>
> > > 2019=E5=B9=B46=E6=9C=8827=E6=97=A5(=E6=9C=A8) 13:49 Dmitry P=
etukhov <<a href=3D"mailto:dp@simplexum.com" target=3D"_blank">dp@simple=
xum.com</a>>:<br>
> > >=C2=A0 <br>
> > > > Hi!<br>
> > > ><br>
> > > > I wonder how your scheme handles multisig ?<br>
> > > ><br>
> > > > As I understand, you sign individual xpubs with cold ke=
ys, so<br>
> > > > that cold keys can check destination addresses are trus=
ted.<br>
> > > ><br>
> > > > I seems to me that if you sign individual xpubs of a mu=
ltisig<br>
> > > > warm wallet, and one key from that multisig is compromi=
zed,<br>
> > > > attackers can then create a single-sig destination addr=
ess that<br>
> > > > they control, and move the coins in a chain of two<br>
> > > > transactions, first to this single-sig address, and the=
n to an<br>
> > > > address that they independently control.<br>
> > > ><br>
> > > > My idea to prevent this [1] is to sign the whole 'x=
pub package'<br>
> > > > of the multisig wallet, but there is also an issue of &=
#39;partial<br>
> > > > compromize', where some of the keys in a multisig w=
arm wallet is<br>
> > > > compromized, and you do not want to regard a particular=
'xpub<br>
> > > > package' as trusted. My idea was [2] to use an auxi=
liary message<br>
> > > > that would be signed along with the 'xpub package&#=
39;, and that<br>
> > > > message can include specific 'epoch' word that =
hardware wallet<br>
> > > > can show prominently before signing, or have 'seria=
l number'<br>
> > > > for xpub packages (but that will require to store last =
known<br>
> > > > serial inside hw wallet, making it stateful).<br>
> > > ><br>
> > > > I like the idea to extend PSBT to accomodate these sche=
mes, but<br>
> > > > given that the huge number of possible schemes that eac=
h may<br>
> > > > probably require its own PSBT field type, I think that =
this is<br>
> > > > better dealt with outside of PSBT, as 'PSBT metainf=
ormation', or<br>
> > > > using some form of 'vendor-specific', or<br>
> > > > 'metainformation-specific' PSBT field. This way=
each usecase<br>
> > > > can be independently described in its own documentation=
, that<br>
> > > > would include the particulars of the format for the<br>
> > > > metainformation. This would also make it easier to impl=
ement<br>
> > > > PSBT for simple cases, because the 'core specificat=
ion' would<br>
> > > > not grow that big.<br>
> > > ><br>
> > > > [1]<br>
> > > ><br>
> > > >=C2=A0 <br>
> > <a href=3D"https://lists.linuxfoundation.org/pipermail/bitcoin-de=
v/2019-May/016917.html" rel=3D"noreferrer" target=3D"_blank">https://lists.=
linuxfoundation.org/pipermail/bitcoin-dev/2019-May/016917.html</a>=C2=A0 <b=
r>
> > > ><br>
> > > > [2]<br>
> > > ><br>
> > > >=C2=A0 <br>
> > <a href=3D"https://lists.linuxfoundation.org/pipermail/bitcoin-de=
v/2019-May/016926.html" rel=3D"noreferrer" target=3D"_blank">https://lists.=
linuxfoundation.org/pipermail/bitcoin-dev/2019-May/016926.html</a>=C2=A0 <b=
r>
> > > ><br>
> > > ><br>
> > > > =D0=92 Thu, 27 Jun 2019 11:11:23 +0900 Jonathan Underwo=
od via<br>
> > > > bitcoin-dev <<a href=3D"mailto:bitcoin-dev@lists.lin=
uxfoundation.org" target=3D"_blank">bitcoin-dev@lists.linuxfoundation.org</=
a>> wrote:<br>
> > > >=C2=A0 <br>
> > > > > Hello all,<br>
> > > > ><br>
> > > > > Just wanted to pick your brains about an idea for =
PSBT<br>
> > > > > extension.<br>
> > > > ><br>
> > > > > One problem we try to solve with cold -> warm a=
nd warm -> hot<br>
> > > > > sends for our exchange wallet is "How do I kn=
ow that the<br>
> > > > > address I am sending to is not a hacker's addr=
ess that was<br>
> > > > > swapped in between unsigned tx creation and first =
signature?"<br>
> > > > ><br>
> > > > > We have a proprietary JSON based encoding system w=
hich we are<br>
> > > > > looking to move towards PSBT, but PSBT is missing =
this key<br>
> > > > > functionality.<br>
> > > > ><br>
> > > > > BIP32_DERIVATION does allow us to verify the addre=
ss is from a<br>
> > > > > certain XPUB, but, for example, it can not allow u=
s to verify<br>
> > > > > a signature of that xpub.<br>
> > > > ><br>
> > > > > I have made a rough draft of the proposed key valu=
e<br>
> > > > > specification. <br>
> > > >=C2=A0 <br>
> > <a href=3D"https://github.com/junderw/bips/blob/addXpubSig/bip-01=
74.mediawiki#specification" rel=3D"noreferrer" target=3D"_blank">https://gi=
thub.com/junderw/bips/blob/addXpubSig/bip-0174.mediawiki#specification</a><=
br>
> >=C2=A0 <br>
> > > > ><br>
> > > > > The signing key path used in the spec is just rand=
omly chosen<br>
> > > > > 31 x 4 bits shown as numbers with hardened paths.<=
br>
> > > > ><br>
> > > > > Since this issue seems similar to the change addre=
ss issue, I<br>
> > > > > started from that as a base. With the HW wallet ca=
se, I can<br>
> > > > > verify the xpub by just deriving it locally and co=
mparing<br>
> > > > > equality, however, in our case, we need to verify =
an xpub<br>
> > > > > that we do not have access to via derivation from =
our cold<br>
> > > > > key(s) (since we don't want to import our warm=
private key<br>
> > > > > into our cold signer)<br>
> > > > ><br>
> > > > > So the flow would be:<br>
> > > > > 1. Securely verify the xpub of the warm / hot wall=
et.<br>
> > > > > 2. Using the airgap signing tool, sign the xpub wi=
th all cold<br>
> > > > > keys. 3. Upload the signature/xpub pairs to the on=
line<br>
> > > > > unsigned transaction generator.<br>
> > > > > 4. Include one keyval pair per coldkey/xpub pairin=
g.<br>
> > > > > 5. When offline signing, if the wallet detects the=
re is a<br>
> > > > > global keyval XPUB_SIGNATURE with its pubkey in th=
e key, it<br>
> > > > > must verify that all outputs have BIP32_DERIVATION=
and that<br>
> > > > > it can verify the outputs through the derivation, =
to the<br>
> > > > > xpub, and to the signature.<br>
> > > > ><br>
> > > > > In my attempt to fitting this into PSBT, I am slig=
htly<br>
> > > > > altering our current system, so don't take thi=
s as an<br>
> > > > > indication 100% of how we work in the backend.<br>
> > > > ><br>
> > > > > However, I would like to hear any feedback on this=
proposal.<br>
> > > > ><br>
> > > > > Thanks,<br>
> > > > > Jonathan<br>
> > > > >=C2=A0 <br>
> > > ><br>
> > > >=C2=A0 <br>
> > >=C2=A0 <br>
> ><br>
> >=C2=A0 <br>
> <br>
<br>
</blockquote></div><br clear=3D"all"><div><br></div>-- <br><div dir=3D"ltr"=
class=3D"gmail_signature"><div dir=3D"ltr"><div><div dir=3D"ltr"><div dir=
=3D"ltr"><div>-----------------<br></div><div>Jonathan Underwood</div><div>=
=E3=83=93=E3=83=83=E3=83=88=E3=83=90=E3=83=B3=E3=82=AF=E7=A4=BE=E3=80=80=E3=
=83=81=E3=83=BC=E3=83=95=E3=83=93=E3=83=83=E3=83=88=E3=82=B3=E3=82=A4=E3=83=
=B3=E3=82=AA=E3=83=95=E3=82=A3=E3=82=B5=E3=83=BC</div><div>----------------=
-</div><div><br></div><div>=E6=9A=97=E5=8F=B7=E5=8C=96=E3=81=97=E3=81=9F=E3=
=83=A1=E3=83=83=E3=82=BB=E3=83=BC=E3=82=B8=E3=82=92=E3=81=8A=E9=80=81=E3=82=
=8A=E3=81=AE=E6=96=B9=E3=81=AF=E4=B8=8B=E8=A8=98=E3=81=AE=E5=85=AC=E9=96=8B=
=E9=8D=B5=E3=82=92=E3=81=94=E5=88=A9=E7=94=A8=E4=B8=8B=E3=81=95=E3=81=84=E3=
=80=82</div><div><br></div><div>=E6=8C=87=E7=B4=8B: 0xCE5EA9476DE7D3E45EBC3=
FDAD998682F3590FEA3</div></div></div></div></div></div>
--00000000000059a096058c4b1f1d--
|
