From: Greg Sanders <gsanders87@gmail.com>
Date: Tue, 22 Aug 2017 12:26:30 -0700
To: Jochen Hoenicke <hoenicke@gmail.com>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] [BIP Proposal] Partially Signed Bitcoin Transaction (PSBT) format

If 'x' is public, that makes it identifiable and privacy-losing across inputs.

To avoid "re-use" I suppose you'd want to sign some message like `HMAC("ownership proof", H(A || x) )` instead. Otherwise any signature you make using `A` ends up being used as a proof you don't know the input (this seems like just details but to be more clear)...

To reiterate:

Sign `HMAC("ownership proof", H(A || x) )` using `A`. Public verifiers see `HMAC("ownership proof", some_random_hash_connected_to_A )` and the HWW that owns that input can recreate `some_random_hash_connected_to_A` by `H(A || x)`.

On Mon, Aug 21, 2017 at 2:36 PM, Jochen Hoenicke <hoenicke@gmail.com> wrote:
> On 21.08.2017 20:12, Greg Sanders via bitcoin-dev wrote:
> > To fix this I consulted with andytoshi and got something we think works
> > for both cases:
> >
> > 1) When a signing device receives a partially signed transaction, all
> > inputs must come with an ownership proof:
> > - For the input at address A, a signature over H(A || x) using the key
> > for A. 'x' is some private fixed key that only the signing device
> > knows (most likely some privkey along some unique bip32 path).
> > - For each input ownership proof, the HW wallet validates each signature
> > over the hashed message, then attempts to "decode" the hash by applying
> > its own 'x'. If the hash doesn't match, it cannot be its own input.
> > - Sign for every input that is yours
>
> Interesting, basically a proof of non-ownership :), a proof that the
> hardware wallet doesn't own the address.
>
> But shouldn't x be public, so that the device can verify the signature?
> Can you expand on this, what is exactly signed with which key and how is
> it checked?
>
> One also has to make sure that it's not possible to reuse signatures as
> ownership proof that were made for a different purpose.
>
>   Jochen
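The scheme Greg sketches above (sign `HMAC("ownership proof", H(A || x))` with the key for A; public verifiers check the signature against an opaque hash; only the device holding `x` recomputes `H(A || x)` to recognise its own inputs) worked through as an added Python example, not code from the thread or from any wallet project. The secp256k1 arithmetic and Schnorr-style signature are a minimal toy (no RFC 6979 nonce, no constant-time code), the 64-byte encoded pubkey stands in for the address A, and all function names are assumptions of this example.

```python
import hashlib, hmac  # added example: toy secp256k1 Schnorr, not code from the thread
P = 2**256 - 2**32 - 977  # secp256k1 field prime, group order and generator
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p, q):  # affine point addition; None is the point at infinity
    if p is None or q is None:
        return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, P - 2, P) if p == q
           else (y2 - y1) * pow(x2 - x1, P - 2, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt, r=None):  # double-and-add scalar multiplication, r starts at infinity
    while k:
        r, pt, k = (_add(r, pt) if k & 1 else r), _add(pt, pt), k >> 1
    return r

def _enc(pt):  # 64-byte x||y encoding; the encoded pubkey stands in for A
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
def _dec(b):
    return int.from_bytes(b[:32], "big"), int.from_bytes(b[32:64], "big")
def _h(b):  # hash to scalar
    return int.from_bytes(hashlib.sha256(b).digest(), "big") % N

def sign(d, A, msg):  # Schnorr-style s = k + e*d with a simplified deterministic k
    k = _h(d.to_bytes(32, "big") + msg) or 1
    R = _enc(_mul(k, G))
    return R + ((k + _h(R + A + msg) * d) % N).to_bytes(32, "big")
def verify(A, msg, sig):  # accept iff s*G == R + e*A
    s, e = int.from_bytes(sig[64:], "big"), _h(sig[:64] + A + msg)
    return _mul(s, G) == _add(_dec(sig), _mul(e, _dec(A)))

def tagged(h):  # HMAC("ownership proof", h): the signed bytes are never a tx digest
    return hmac.new(b"ownership proof", h, hashlib.sha256).digest()
def make_proof(d, x):  # device: publish h = H(A||x) and a signature over HMAC(tag, h)
    A = _enc(_mul(d, G))
    h = hashlib.sha256(A + x).digest()
    return A, h, sign(d, A, tagged(h))
def check_proof(A, h, sig, x=None):  # x=None models a public verifier without 'x'
    if not verify(A, tagged(h), sig):
        return "invalid"
    if x is None:  # sees only an opaque hash tied to A and learns nothing about ownership
        return "valid"
    return "mine" if hmac.compare_digest(h, hashlib.sha256(A + x).digest()) else "not-mine"
```

The last assertion in use is the reuse concern from the thread: because the signed bytes are always an HMAC output, a valid ownership proof never verifies as a signature over anything else, and vice versa.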