Return-Path: <root@haskoin.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 72ACB15A9
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sun,  4 Oct 2015 15:18:24 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
Received: from relay1.ox.registrar-servers.com
	(relay1.ox.registrar-servers.com [199.188.203.171])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 1B6FC2BE
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sun,  4 Oct 2015 15:18:24 +0000 (UTC)
Received: from imap11-3.ox.privateemail.com (imap11-3.ox.privateemail.com
	[198.187.29.245])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by relay.ox.registrar-servers.com (Postfix) with ESMTPS id 15DDFB00B5
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sun,  4 Oct 2015 11:18:23 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
	by imap11.ox.privateemail.com (Postfix) with ESMTP id C4FAB8800D2
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sun,  4 Oct 2015 11:18:19 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at imap11.ox.privateemail.com
Received: from imap11.ox.privateemail.com ([127.0.0.1])
	by localhost (imap11.ox.privateemail.com [127.0.0.1]) (amavisd-new,
	port 10024)
	with LMTP id 0j4DqJKiyo-2 for <bitcoin-dev@lists.linuxfoundation.org>; 
	Sun,  4 Oct 2015 11:18:19 -0400 (EDT)
Received: from [192.168.1.2] (86-41-36-97-dynamic.b-ras2.dbn.dublin.eircom.net
	[86.41.36.97])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by imap11.ox.privateemail.com (Postfix) with ESMTPSA id A52EE880039
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sun,  4 Oct 2015 11:18:16 -0400 (EDT)
To: bitcoin-dev@lists.linuxfoundation.org
References: <CABQSq2Q98K5zbUbQAqSE4OYez2QuOaWTt+9n5iZmSR2boynf_Q@mail.gmail.com>
	<560FCD30.9020902@haskoin.com>
From: Jean-Pierre Rupp <root@haskoin.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <5611432F.5070209@haskoin.com>
Date: Sun, 4 Oct 2015 16:18:07 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
	Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <560FCD30.9020902@haskoin.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham
	version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Subject: Re: [bitcoin-dev] [Bitcoin-development] New BIP32 structure for
 P2SH multisig wallets [BIP-45]
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Development Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Oct 2015 15:18:24 -0000

I have a possible solution:

Take all public keys encoded in the purpose-specific extended public
keys (m/45') of all cosigners and sort them lexicographically, according
to BIP-45.  Serialize this information and calculate its HASH160
(RIPEMD160 ∘ HASH256).  Split the output in five 32-bit chunks, setting
the MSB on all of them to 0. Use these 32-bit chunks to build a
derivation path from the purpose-specific extended public keys.  Treat
this derivation path as if it was the purpose-specific extended public
key in BIP-45.

This scheme will avoid public key sharing, and as long as you share your
purpose-specific extended public key only with your cosigners, it should
be relatively hard for a passive observer to link activity between
different cosigning accounts.

On 03/10/15 13:42, Jean-Pierre Rupp via bitcoin-dev wrote:
> Hello,
> 
> I have been reviewing BIP-45 today.  There is a privacy problem with it
> that should at least be mentioned in the document.
> 
> When using the same extended public key for all multisig activity, and
> dealing with different cosigners in separate multisig accounts, reuse of
> the same set of public keys means that all cosigners from all accounts
> will be able to monitor multisig activity from every other cosigner, in
> every other account.
> 
> Besides privacy considerations, HD wallet's non-reuse of public keys
> provide some defence against wallets that do not implement deterministic
> signing, and use poor entropy for signature nonces.
> 
> Unless users are expected to establish a single cosigning account, this
> scheme will result in reuse of public keys, and degradation of privacy.
> 
> I understand that for convenience it is useful to have a single extended
> public key that can be handed to every cosigner.  This makes setting up
> accounts or recovering from data loss a easier.
> 
> I suggest that privacy & potential security degradation due to increased
> public key reuse in the case of users with multiple multisig accounts
> should get a mention in the BIP-45 document.
> 
> Greetings