Return-Path: <user@petertodd.org>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id BAEA3BA0
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Tue, 13 Aug 2019 14:15:39 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
Received: from outmail148100.authsmtp.co.uk (outmail148100.authsmtp.co.uk
	[62.13.148.100])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 1589D8D
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Tue, 13 Aug 2019 14:15:38 +0000 (UTC)
Received: from mail-c233.authsmtp.com (mail-c233.authsmtp.com [62.13.128.233])
	by punt17.authsmtp.com. (8.15.2/8.15.2) with ESMTP id x7DEFaYJ021600;
	Tue, 13 Aug 2019 15:15:36 +0100 (BST)
	(envelope-from user@petertodd.org)
Received: from petertodd.org (ec2-52-5-185-120.compute-1.amazonaws.com
	[52.5.185.120]) (authenticated bits=0)
	by mail.authsmtp.com (8.15.2/8.15.2) with ESMTPSA id x7DEFY8a022371
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);
	Tue, 13 Aug 2019 15:15:35 +0100 (BST)
	(envelope-from user@petertodd.org)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by petertodd.org (Postfix) with ESMTPSA id DA6B540160;
	Tue, 13 Aug 2019 14:15:33 +0000 (UTC)
Received: by localhost (Postfix, from userid 1000)
	id B45F421A53; Tue, 13 Aug 2019 10:15:32 -0400 (EDT)
Date: Tue, 13 Aug 2019 10:15:32 -0400
From: Peter Todd <pete@petertodd.org>
To: Bryan Bishop <kanzure@gmail.com>
Message-ID: <20190813141532.zv5n5ghii5e44qsf@petertodd.org>
References: <CABaSBawe_oF_zoso2RQBX+7OWDoCwC7T2MeKSX9fYRUQaY_xmg@mail.gmail.com>
	<20190812150110.yf76pq47e5oszx62@petertodd.org>
	<CABaSBawwSEa_dDLEXhWncsqKmsM+rdT2Npo334LEZPvcMzrzFQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="yjxrtbbgvuymbxoa"
Content-Disposition: inline
In-Reply-To: <CABaSBawwSEa_dDLEXhWncsqKmsM+rdT2Npo334LEZPvcMzrzFQ@mail.gmail.com>
User-Agent: NeoMutt/20170113 (1.7.2)
X-Server-Quench: d15f82da-bdd4-11e9-8757-84349711df28
X-AuthReport-Spam: If SPAM / abuse - report it at:
	http://www.authsmtp.com/abuse
X-AuthRoute: OCd2Yg0TA1ZIVwkA IjsJECJaVQIpKltL GxAVKBZePFsRUQkR
	aAdMdwEUGUATAgsB Am8bWlFeUVh7WmY7 bghPaBtcak9QXgdq
	T0pMXVMcXAIcdGpo Dk8eUBtxcAQIfnl0 Ywg2X3UNVEYuJFsv
	FhpQCGwHMG59YGca V11QcwBQeQRLf0sT aFgxNiYHcQ5VPz4z
	GA41ejw8IwAXAiVJ SQYMKxoMSFsPAiV0 WBEeHX0mG1EEAjkz
	IhI6YkQRF0EPP18j dlAlUE0SOhQRaEVb EkpNCSlYPFwaL/// 
X-Authentic-SMTP: 61633532353630.1021:706
X-AuthFastPath: 0 (Was 255)
X-AuthSMTP-Origin: 52.5.185.120/25
X-AuthVirus-Status: No virus detected - but ensure you scan with your own
	anti-virus system.
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW
	autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Bitcoin vaults with anti-theft recovery/clawback
 mechanisms
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Aug 2019 14:15:39 -0000


--yjxrtbbgvuymbxoa
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Aug 12, 2019 at 09:09:43PM -0500, Bryan Bishop wrote:
> > > Multisig gated by ECDSA pubkey recovery for provably-unknown keys
> > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> > >
> > > A group can participate in a multisig scheme with provably-unknown EC=
DSA
> > keys.
> > > Instead of deleting the key, the idea is to agree on a blockheight and
> > then
> > > select the blockhash (or some function of the chosen blockhash like
> > > H(H(H(blockhash)))) as the signature. Next, the group agrees on a
> > transaction
> > > and they recover the public key from the signature using ECDSA pubkey
> > recovery.
> >
> > Could you explain in more detail why you're deriving this from a blockh=
ash?
> >
>=20
> Well you need to pick an entropy source, and I wouldn't want to tell peop=
le
> to just trust the first party to tell you a good sequence of bytes.

But why does this specifically need to be entropy?

If I understand the scheme correctly, the important thing is for the ECDSA
private key to be unknown. Under the standard assumption that hash functions
are random oracles, hashing anything should be sufficient to create a pubkey
whose private key is unknown.

Secondly, there's probably better slightly privacy if a random nonce is cho=
sen
(perhaps by concatenating a nonce from each party) rather than picking pubk=
eys
unique to this use-case.

--=20
https://petertodd.org 'peter'[:-1]@petertodd.org

--yjxrtbbgvuymbxoa
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEFcyURjhyM68BBPYTJIFAPaXwkfsFAl1SxgAACgkQJIFAPaXw
kfsZ8wf9EGAyzVxPI5ywhq2aSQbvuvCXMiZUq17D8z9clqgzKcpaB0CLfRD16Nbc
k/fngjyFQyGbmN4iJRHX1CP3E/Rv34UzL+9ahcqBqnZYiJoo8wAyxUj8sTrKwZUu
syEDMQwSlMXe7+ZegAjkM3jucJvpsrQFjEz3iJ5/yxpjW64wted/Df3dNli4gQGV
jiw2wi9hFjbubIutuk4rOvWfgzOVJt2nwsIgh29FOw94086LuKTkMkxMGtXicJei
CnxQ3QPjRAvwIz4JbG0zT8hPdGp6N/SrX+1Pf1j0FIogl1wDVYdMYLQS7eQ51iuV
9tJ1GaNQnMVOoPSk17YT9cBzRfAX1A==
=gGP1
-----END PGP SIGNATURE-----

--yjxrtbbgvuymbxoa--