Jean-Pierre Rupp [ARCHIVE] on Nostr: 📅 Original date posted:2015-10-04 📝 Original message:I have a possible ...
📅 Original date posted:2015-10-04
📝 Original message:I have a possible solution:
Take all public keys encoded in the purpose-specific extended public
keys (m/45') of all cosigners and sort them lexicographically, according
to BIP-45. Serialize this information and calculate its HASH160
(RIPEMD160 ∘ HASH256). Split the output into five 32-bit chunks, setting
the MSB on all of them to 0. Use these 32-bit chunks to build a
derivation path from the purpose-specific extended public keys. Treat
this derivation path as if it were the purpose-specific extended public
key in BIP-45.
This scheme will avoid public key sharing, and as long as you share your
purpose-specific extended public key only with your cosigners, it should
be relatively hard for a passive observer to link activity between
different cosigning accounts.
On 03/10/15 13:42, Jean-Pierre Rupp via bitcoin-dev wrote:
> Hello,
>
> I have been reviewing BIP-45 today. There is a privacy problem with it
> that should at least be mentioned in the document.
>
> When using the same extended public key for all multisig activity, and
> dealing with different cosigners in separate multisig accounts, reuse of
> the same set of public keys means that all cosigners from all accounts
> will be able to monitor multisig activity from every other cosigner, in
> every other account.
>
> Besides privacy considerations, HD wallets' non-reuse of public keys
> provides some defence against wallets that do not implement deterministic
> signing, and use poor entropy for signature nonces.
>
> Unless users are expected to establish a single cosigning account, this
> scheme will result in reuse of public keys, and degradation of privacy.
>
> I understand that for convenience it is useful to have a single extended
> public key that can be handed to every cosigner. This makes setting up
> accounts or recovering from data loss easier.
>
> I suggest that privacy & potential security degradation due to increased
> public key reuse in the case of users with multiple multisig accounts
> should get a mention in the BIP-45 document.
>
> Greetings
Published at 2023-06-07 17:42:21