1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
Return-Path: <achow101-lists@achow101.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 027122907
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 1 May 2019 16:57:49 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
Received: from mail4.protonmail.ch (mail4.protonmail.ch [185.70.40.27])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 293D1889
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 1 May 2019 16:57:48 +0000 (UTC)
Date: Wed, 01 May 2019 16:57:38 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=achow101.com;
s=protonmail; t=1556729866;
bh=zc9OMmheGPh6jjsmceSwiDlFgv+8QhK+RSNxpKOR5uk=;
h=Date:To:From:Reply-To:Subject:In-Reply-To:References:Feedback-ID:
From;
b=Nv7Hbo0jagEjkJZEvpp01n4lWGd17IDLnje+R08OFfX6QKAVKLW1rHE6Fnyl9mVNP
9cq54nsUyyeMxILggubT1LcORDc3mqnM/nCCxKFibLblGUOSiYHfQqfGzcgf80xYTC
ViQxXs7uawy8IWGJYATHWyFKeLYpEy0V7Sr0zP8I=
To: bitcoin-dev@lists.linuxfoundation.org
From: Andrew Chow <achow101-lists@achow101.com>
Reply-To: Andrew Chow <achow101-lists@achow101.com>
Message-ID: <-9vv_PTO55EHqObZe3e3wBo_sNF34p0IWbK-rkrcW4q31pQwahpqy4xJw9dq_CB2UCo1FvOz6I3EMcQM_9u5Ht3y9VFYAB2uJGkZjds84nI=@achow101.com>
In-Reply-To: <CACL8y1v9fpZ+gWLVHMx-bGUCaSd0=0ecHU-u4FF=LnhT7s1zTg@mail.gmail.com>
References: <CACL8y1v9fpZ+gWLVHMx-bGUCaSd0=0ecHU-u4FF=LnhT7s1zTg@mail.gmail.com>
Feedback-ID: VjS95yl5HLFwBfNLRqi61OdL1ERZPmvMbZRH2ZcBR7SKVUVYPgv7VJsV9uoyC4vIfjYnW8hPXGuLTycZbh49Zw==:Ext:ProtonMail
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Thu, 02 May 2019 23:20:41 +0000
Subject: Re: [bitcoin-dev] Adding xpub field to PSBT to make multisig more
secure
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 01 May 2019 16:57:49 -0000
Hi Stepan,
I think that this would be a good extension.
Just for clairty, by xpub, do you mean the extended serialization format=20
defined in BIP 32 or the Base58 check encoded string of that serialization?
Andrew
On 4/26/19 11:21 AM, Stepan Snigirev via bitcoin-dev wrote:
> Hi list,
>
> I was looking at the bip174 PSBT specs, in particular for=20
> multisignature setup, and I think with current spec there is a way to=20
> steal user funds in M of N setup with M =E2=89=A4 N/2.
>
> I made a small write-up on this:=20
> https://github.com/stepansnigirev/random_notes/blob/master/psbt_multisig.=
md
>
> To compress:
>
> Currently in PSBT there is no way to reliably say if the output uses=20
> the keys derived from the same root keys as the inputs aside from the=20
> key owned by the signer =3D> there is no way to verify that the output=20
> is a change output in multisig setup.
>
> Therefore an attacker can replace half of the keys in the change=20
> address by his own keys and still get the transaction signed.
>
> I suggest to add an xpub field to the inputs and outputs metadata,=20
> then signers can verify that the same xpubs are used for public keys=20
> in inputs and outputs =3D> output is indeed a change.
>
> Normally change and receiving addresses are derived from the same xpub=20
> with non-hardened derivation pathes, so providing xpub after the last=20
> hardened index should be enough to see that public keys of inputs and=20
> change output are derived from the same xpub.
>
> I suggest to add the following key-value pairs to PSBT:
>
> Type: BIP 32 public key `PSBT_IN_BIP32_XPUB =3D 0x10`
> - Key: derivation path for xpub
> =C2=A0 `{0x10}|{master key fingerprint}|{32-bit int}|...|{32-bit int}`
> - Value: 78-byte xpub value
> =C2=A0 `{xpub}`
>
> Type: BIP 32 public key `PSBT_OUT_BIP32_XPUB =3D 0x03`
> - Key: derivation path for xpub
> =C2=A0 `{0x03}|{master key fingerprint}|{32-bit int}|...|{32-bit int}`
> - Value: 78-byte xpub value
> =C2=A0 `{xpub}`
>
> Derivation paths are in the key of the key-value pair as they are used=20
> for lookup, and xpub itself is the actual value being looked up.
>
> I also want to mention that Trezor for example doesn't suffer from=20
> this problem as they use xpubs to verify change outputs. So it may=20
> make sense to go through the communication protocols of existing=20
> hardware / multisignature wallets and see if there is something else=20
> we are missing.
>
> If everyone is happy about the proposal I would prepare a pull request=20
> to the bip.
>
> Best regards,
> Stepan Snigirev.
>
|
