summaryrefslogtreecommitdiff
path: root/07/1d99c218674b034e8d949c6f99cdaf26efccb6
blob: eb5a6826c88ab059bfa2abdd1868c7803e797066 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191]
	helo=mx.sourceforge.net)
	by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
	(envelope-from <mh.in.england@gmail.com>) id 1Wdz8s-0006rB-MA
	for bitcoin-development@lists.sourceforge.net;
	Sat, 26 Apr 2014 09:43:30 +0000
Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of gmail.com
	designates 209.85.214.175 as permitted sender)
	client-ip=209.85.214.175; envelope-from=mh.in.england@gmail.com;
	helo=mail-ob0-f175.google.com; 
Received: from mail-ob0-f175.google.com ([209.85.214.175])
	by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
	(Exim 4.76) id 1Wdz8q-0001B7-UW
	for bitcoin-development@lists.sourceforge.net;
	Sat, 26 Apr 2014 09:43:30 +0000
Received: by mail-ob0-f175.google.com with SMTP id wp4so5343665obc.34
	for <bitcoin-development@lists.sourceforge.net>;
	Sat, 26 Apr 2014 02:43:23 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.60.62.34 with SMTP id v2mr11418108oer.37.1398505403570; Sat,
	26 Apr 2014 02:43:23 -0700 (PDT)
Sender: mh.in.england@gmail.com
Received: by 10.76.96.180 with HTTP; Sat, 26 Apr 2014 02:43:23 -0700 (PDT)
In-Reply-To: <CABQSq2Q98K5zbUbQAqSE4OYez2QuOaWTt+9n5iZmSR2boynf_Q@mail.gmail.com>
References: <CABQSq2Q98K5zbUbQAqSE4OYez2QuOaWTt+9n5iZmSR2boynf_Q@mail.gmail.com>
Date: Sat, 26 Apr 2014 11:43:23 +0200
X-Google-Sender-Auth: WiY3Rdgrn015a2zKodeYrxpLvik
Message-ID: <CANEZrP3EGNsOgHm0P6fiU1P7OSgTd=pBYooPBrLQGMKPT9b8Qg@mail.gmail.com>
From: Mike Hearn <mike@plan99.net>
To: Manuel Araoz <manu@bitpay.com>
Content-Type: multipart/alternative; boundary=089e0141a7cacbe04904f7eee9a8
X-Spam-Score: -0.5 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
	See http://spamassassin.org/tag/ for more details.
	-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
	sender-domain
	0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
	(mh.in.england[at]gmail.com)
	-0.0 SPF_PASS               SPF: sender matches SPF record
	1.0 HTML_MESSAGE           BODY: HTML included in message
	0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
	not necessarily valid
	-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1Wdz8q-0001B7-UW
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] New BIP32 structure for P2SH multisig
	wallets
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Sat, 26 Apr 2014 09:43:30 -0000

--089e0141a7cacbe04904f7eee9a8
Content-Type: text/plain; charset=UTF-8

I'm not sure I understand why you need any special structure for this at
all. The way I'd do it is just use regular HD wallets for everyone, of the
regular form, and then swap the watching keys. Why do people need to be
given a cosigner index at all, given that they all have unique root keys
anyway?


On Sat, Apr 26, 2014 at 12:27 AM, Manuel Araoz <manu@bitpay.com> wrote:

> Hi, I'm part of the team building copay <https://github.com/bitpay/copay>,
> a multisignature P2SH HD wallet. We've been following the discussion
> regarding standardizing the structure for branches both on this list and on
> github (1 <https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki>,
> 2 <https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki>, 3<https://github.com/bitcoin/bips/blob/master/bip-0043.mediawiki>,
> 4 <https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki>, 5<https://github.com/bitcoin/bips/pull/52>).
> Soon, we realized the assumptions in the discussions were not true for a
> multisig hd wallet, so we wanted to share our current approach to that, to
> get feedback and see if we can arrive to a new standard (and possibly a new
> BIP)
>
> These are our assumptions:
>  - N parties want to share an m-of-n wallet.
>  - Each party must generate their master private keys independently.
>  - Use multisig P2SH for all addresses.
>  - Use BIP32 to derive public keys, then create a multisig script, and use
> the P2SH address for that.
>  - The address generation process should not require communicating with
> other parties. (Thus, all parties must be able to generate all public keys)
>  - Transaction creation + signing requires communication between parties,
> of course.
>
> -------------------------------------------------
>
> Following BIP43, we're be using:
>
>
> m / purpose' / *
>
> where *purpose* is the hardened derivation scheme based on the new BIP
> number.
> We then define the following levels:
>
>
> m / purpose' / cosigner_index / change / address_index
>
> Each level has a special meaning detailed below:
>
> *cosigner_index* <http://en.wikipedia.org/wiki/Co-signing>: the index of
> the party creating this address. The indices can be determined
> independently by lexicographically sorting the master public keys of each
> cosigner.
>
> *change*: 0 for change, 1 for receive address.
>
> *address_index*: Addresses are numbered from index 0 in sequentially
> increasing manner. We're currently syncing the max used index for each
> branch between all parties when they connect, but we're open to considering
> removing the index sync and doing the more elegant used-address discovery
> via a gap limit, as discussed in BIP44<https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki#address-gap-limit>.
> We feel 20 might be too low though.
>
> *Wallet high-level description:*
> Each party generates their own extended master keypair and shares the
> extended purpose' public key with the others, which is stored encrypted.
> Each party can generate any of the other's derived public keys, but only
> his own private keys.
>
> *General address generation procedure:*
> When generating an address, each party can independently generate the N
> needed public keys. They do this by deriving the public key in each of the
> different trees, but using the same path. They can then generate the
> multisig script and the corresponding p2sh address. In this way, each path
> corresponds to an address, but the public keys for that address come from
> different trees.
>
> *Receive address case:*
> Each cosigner generates addresses only on his own branch. One of the n
> cosigners wants to receive a payment, and the others are offline. He knows
> the last used index in his own branch, because only he generates addresses
> there. Thus, he can generate the public keys for all of the others using
> the next index, and calculate the needed script for the address.
>
> *Example: *Cosigner #2 wants to receive a payment to the shared wallet.
> His last used index on his own branch is 4. Then, the path for the next
> receive address is m/$purpose/2/1/5. He uses this same path in all of the
> cosigners trees to generate a public key for each one, and from that he
> gets the new p2sh address.
>
> *Change address case:*
> Again, each cosigner generates addresses only on his own branch. One of
> the n cosigners wants to create an outgoing payment, for which he'll need a
> change address. He generates a new address using the same procedure as
> above, but using a separate index to track the used change addresses.
>
> *Example: *Cosigner #5 wants to send a payment from the shared wallet,
> for which he'll need a change address. His last used change index on his
> own branch is 11. Then, the path for the next change address is
> m/$purpose/5/0/12. He uses this same path in all of the cosigners trees to
> generate a public key for each one, and from that he gets the new p2sh
> address.
>
>
> *Transaction creation and signing:*
> When creating a transaction, first one of the parties creates a
> Transaction Proposal. This is a transaction that spends some output stored
> in any of the p2sh multisig addresses (corresponding to any of the
> copayers' branches). This proposal is sent to the other parties, who decide
> if they want to sign. If they approve the proposal, they can generate their
> needed private key for that specific address (using the same path that
> generated the public key in that address, but deriving the private key
> instead), and sign it. Once the proposal reaches m signatures, any cosigner
> can broadcast it to the network, becoming final. The specifics of how this
> proposal is structured, and the protocol to accept or reject it, belong to
> another BIP, in my opinion.
>
> *Final comments:*
> - We're currently lexicographically sorting the public keys for each
> address separately. We've read Mike Belshe's comments about sorting the
> master public keys and then using the same order for all derived addresses,
> but we couldn't think of any benefits of doing that (I mean, the benefits
> of knowing whose public key is which).
> - We originally thought we would need a non-hardened version of purpose
> for the path, because we needed every party to be able to generate all the
> public keys of the others. With the proposed path, is it true that the
> cosigners will be able to generate them, by knowing the extended purpose
> public key for each copayer? (m/purpose')
> - The reason for using separate branches for each cosigner is we don't
> want two of them generating the same address and receiving simultaneous
> payments to it. The ideal case is that each address receives at most one
> payment, requested by the corresponding cosigner.
>
>
> Thoughts?
> Manuel
>
>
> ------------------------------------------------------------------------------
> Start Your Social Network Today - Download eXo Platform
> Build your Enterprise Intranet with eXo Platform Software
> Java Based Open Source Intranet - Social, Extensible, Cloud Ready
> Get Started Now And Turn Your Intranet Into A Collaboration Platform
> http://p.sf.net/sfu/ExoPlatform
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>

--089e0141a7cacbe04904f7eee9a8
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">I&#39;m not sure I understand why you need any special str=
ucture for this at all. The way I&#39;d do it is just use regular HD wallet=
s for everyone, of the regular form, and then swap the watching keys. Why d=
o people need to be given a cosigner index at all, given that they all have=
 unique root keys anyway?</div>
<div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">On Sat, Apr 2=
6, 2014 at 12:27 AM, Manuel Araoz <span dir=3D"ltr">&lt;<a href=3D"mailto:m=
anu@bitpay.com" target=3D"_blank">manu@bitpay.com</a>&gt;</span> wrote:<br>=
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">
<div dir=3D"ltr"><div>Hi, I&#39;m part of the team building <a href=3D"http=
s://github.com/bitpay/copay" target=3D"_blank">copay</a>, a multisignature =
P2SH HD wallet.=C2=A0We&#39;ve been following the discussion regarding stan=
dardizing the structure for branches both on this list and on github (<a hr=
ef=3D"https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki" targe=
t=3D"_blank">1</a>, <a href=3D"https://github.com/bitcoin/bips/blob/master/=
bip-0039.mediawiki" target=3D"_blank">2</a>, <a href=3D"https://github.com/=
bitcoin/bips/blob/master/bip-0043.mediawiki" target=3D"_blank">3</a>, <a hr=
ef=3D"https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki" targe=
t=3D"_blank">4</a>, <a href=3D"https://github.com/bitcoin/bips/pull/52" tar=
get=3D"_blank">5</a>). Soon, we realized the assumptions in the discussions=
 were not true for a multisig hd wallet, so we wanted to share our current =
approach to that, to get feedback and see if we can arrive to a new standar=
d (and possibly a new BIP)</div>




<div><br></div><div>These are our assumptions:=C2=A0</div><div>=C2=A0- N pa=
rties want to share an m-of-n wallet.</div><div>=C2=A0- Each party must gen=
erate their master private keys independently.</div><div>=C2=A0- Use multis=
ig P2SH for all addresses.</div>



<div>=C2=A0- Use BIP32 to derive public keys, then create a multisig script=
, and use the P2SH address for that.</div><div>=C2=A0- The address generati=
on process should not require communicating with other parties. (Thus, all =
parties must be able to generate all public keys)</div>



<div>=C2=A0- Transaction creation + signing requires communication between =
parties, of course.</div><div><br></div><div>------------------------------=
-------------------</div><div><br></div><div>Following BIP43, we&#39;re be =
using:</div>



<div><pre style=3D"font-family:Consolas,&#39;Liberation Mono&#39;,Courier,m=
onospace;font-size:13px;margin-top:15px;margin-bottom:15px;background-color=
:rgb(248,248,248);border:1px solid rgb(221,221,221);line-height:19px;overfl=
ow:auto;padding:6px 10px;border-top-left-radius:3px;border-top-right-radius=
:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;word-wrap=
:normal;color:rgb(51,51,51)">

m / purpose&#39; / *</pre></div>where <i>purpose</i> is the hardened deriva=
tion scheme based on the new BIP number.<br><div>We then define the followi=
ng levels:</div><div><pre style=3D"font-family:Consolas,&#39;Liberation Mon=
o&#39;,Courier,monospace;font-size:13px;margin-top:15px;margin-bottom:15px;=
background-color:rgb(248,248,248);border:1px solid rgb(221,221,221);line-he=
ight:19px;overflow:auto;padding:6px 10px;border-top-left-radius:3px;border-=
top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radi=
us:3px;word-wrap:normal;color:rgb(51,51,51)">

m / purpose&#39; / cosigner_index / change / address_index</pre></div><div>=
Each level has a special meaning detailed below:</div><div><br></div><div><=
a href=3D"http://en.wikipedia.org/wiki/Co-signing" target=3D"_blank"><i>cos=
igner_index</i></a>: the index of the party creating this address. The indi=
ces can be determined independently by lexicographically sorting the master=
 public keys of each cosigner.</div>



<div><br></div><div><i>change</i>: 0 for change, 1 for receive address.</di=
v><div><br></div><div><i>address_index</i>:=C2=A0Addresses are numbered fro=
m index 0 in sequentially increasing manner. We&#39;re currently syncing th=
e max used index for each branch between all parties when they connect, but=
 we&#39;re open to considering removing the index sync and doing the more e=
legant used-address discovery via a gap limit, <a href=3D"https://github.co=
m/bitcoin/bips/blob/master/bip-0044.mediawiki#address-gap-limit" target=3D"=
_blank">as discussed in BIP44</a>. We feel 20 might be too low though.=C2=
=A0</div>



<div><br></div><div><b>Wallet high-level description:</b></div><div>Each pa=
rty generates their own extended master keypair and shares the extended pur=
pose&#39; public key with the others, which is stored encrypted. Each party=
 can generate any of the other&#39;s derived public keys, but only his own =
private keys.=C2=A0</div>



<div><br><div><b>General address generation procedure:</b></div><div>When g=
enerating an address, each party can independently generate the N needed pu=
blic keys. They do this by deriving the public key in each of the different=
 trees, but using the same path. They can then generate the multisig script=
 and the corresponding p2sh address. In this way, each path corresponds to =
an address, but the public keys for that address come from different trees.=
</div>



<div><br></div><div><b>Receive address case:</b></div><div>Each cosigner ge=
nerates addresses only on his own branch. One of the n cosigners wants to r=
eceive a payment, and the others are offline. He knows the last used index =
in his own branch, because only he generates addresses there. Thus, he can =
generate the public keys for all of the others using the next index, and ca=
lculate the needed script for the address.=C2=A0</div>



<div><br></div><div><i>Example: </i>Cosigner #2 wants to receive a payment =
to the shared wallet. His last used index on his own branch is 4. Then, the=
 path for the next receive address is m/$purpose/2/1/5. He uses this same p=
ath in all of the cosigners trees to generate a public key for each one, an=
d from that he gets the new p2sh address.</div>



<div><br></div><div><b>Change address case:</b></div><div>Again, each cosig=
ner generates addresses only on his own branch. One of the n cosigners want=
s to create an outgoing payment, for which he&#39;ll need a change address.=
 He generates a new address using the same procedure as above, but using a =
separate index to track the used change addresses.=C2=A0</div>



<div><i><br>Example:=C2=A0</i>Cosigner #5 wants to send a payment from the =
shared wallet, for which he&#39;ll need a change address. His last used cha=
nge index on his own branch is 11. Then, the path for the next change addre=
ss is m/$purpose/5/0/12. He uses this same path in all of the cosigners tre=
es to generate a public key for each one, and from that he gets the new p2s=
h address.</div>



<div><br></div><div><br></div><div><b>Transaction creation and signing:</b>=
</div><div>When creating a transaction, first one of the parties creates a =
Transaction Proposal. This is a transaction that spends some output stored =
in any of the p2sh multisig addresses (corresponding to any of the copayers=
&#39; branches). This proposal is sent to the other parties, who decide if =
they want to sign. If they approve the proposal, they can generate their ne=
eded private key for that specific address (using the same path that genera=
ted the public key in that address, but deriving the private key instead), =
and sign it. Once the proposal reaches m signatures, any cosigner can broad=
cast it to the network, becoming final. The specifics of how this proposal =
is structured, and the protocol to accept or reject it, belong to another B=
IP, in my opinion.=C2=A0</div>



<div><br></div><div><b>Final comments:</b></div><div>- We&#39;re currently =
lexicographically sorting the public keys for each address separately. We&#=
39;ve read Mike Belshe&#39;s comments about sorting the master public keys =
and then using the same order for all derived addresses, but we couldn&#39;=
t think of any benefits of doing that (I mean, the benefits of knowing whos=
e public key is which).</div>


<div>- We originally thought we would need a non-hardened version of purpos=
e for the path, because we needed every party to be able to generate all th=
e public keys of the others. With the proposed path, is it true that the co=
signers will be able to generate them, by knowing the extended purpose publ=
ic key for each copayer? (m/purpose&#39;)</div>



</div><div>- The reason for using separate branches for each cosigner is we=
 don&#39;t want two of them generating the same address and receiving simul=
taneous payments to it. The ideal case is that each address receives at mos=
t one payment, requested by the corresponding cosigner.=C2=A0</div>


<div><br></div><div><br></div><div>Thoughts?<span class=3D"HOEnZb"><font co=
lor=3D"#888888"><br>Manuel</font></span></div></div>
<br>-----------------------------------------------------------------------=
-------<br>
Start Your Social Network Today - Download eXo Platform<br>
Build your Enterprise Intranet with eXo Platform Software<br>
Java Based Open Source Intranet - Social, Extensible, Cloud Ready<br>
Get Started Now And Turn Your Intranet Into A Collaboration Platform<br>
<a href=3D"http://p.sf.net/sfu/ExoPlatform" target=3D"_blank">http://p.sf.n=
et/sfu/ExoPlatform</a><br>_______________________________________________<b=
r>
Bitcoin-development mailing list<br>
<a href=3D"mailto:Bitcoin-development@lists.sourceforge.net">Bitcoin-develo=
pment@lists.sourceforge.net</a><br>
<a href=3D"https://lists.sourceforge.net/lists/listinfo/bitcoin-development=
" target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/bitcoin-de=
velopment</a><br>
<br></blockquote></div><br></div>

--089e0141a7cacbe04904f7eee9a8--