Jean-Pierre Rupp [ARCHIVE] on Nostr
📅 Original date posted: 2015-10-05
📝 Original message:

When I talk about multisig account I mean an arrangement among a set of
cosigners to be signatories of multi-signature transactions requiring a
set number of signatures, as specified in BIP-45.

Example:

Juan: xpub123...
Pedro: xpub456...
José: xpub789...

They all agree to create a 2-of-3 multisig “account” following BIP-45.
Their extended public keys are all path m/45' from their wallet’s master
private key, as per the standard.

Perhaps Pedro wants to also participate in a 2-of-2 cosigning
arrangement with a merchant that will deliver a laptop to him, so Pedro
provides this merchant with the same extended public key derived from
path m/45', and the merchant provides Pedro with his own:

Pedro: xpub456...
ElCheapoPC: xpub987...

Now, suppose that the first cosigner[1] in each of the accounts
generates a set of public keys for a multisig redeem script to obtain a
P2SH address from. The derivation path m/45'/0/0/1 is used as per
BIP-45. Pedro’s public key for that address in each account will be the
same.

Every cosigner’s address public key is obtained following the same
derivation path from the cosigner’s master key, therefore, it is easy to
know what public keys Pedro is likely to use in both 2-of-3 account
{Juan, Pedro, José} and 2-of-2 account {Pedro, ElCheapoPC}, by only
knowing Pedro’s m/45' purpose-specific extended public key. By scanning
the blockchain for Pedro’s public keys, José can see that Pedro had a
2-of-2 multi-signature arrangement with somebody else (ElCheapoPC),
although he does not necessarily know its identity, and how much money
was transacted in that arrangement, without having to know the extended
public key from ElCheapoPC.

By adopting the scheme I proposed earlier as an improvement, cosigners
with Pedro would have to know ElCheapoPC’s extended public key in order
to eavesdrop on any transaction between Pedro and ElCheapoPC.

[1] According to lexicographic order of serialized public keys contained
in each of the xpubs, as per BIP-45 specification.

On 05/10/15 07:57, Matias Alejo Garcia wrote:
>
> Hi,
>
> Sorry for the late response. Going back to the original message:
>
> > On 03/10/15 13:42, Jean-Pierre Rupp via bitcoin-dev wrote:
> >> I have been reviewing BIP-45 today. There is a privacy problem with it
> >> that should at least be mentioned in the document.
> >>
> >> When using the same extended public key for all multisig activity, and
> >> dealing with different cosigners in separate multisig accounts, reuse of
> >> the same set of public keys means that all cosigners from all accounts
> >> will be able to monitor multisig activity from every other cosigner, in
> >> every other account.
>
> I am not completely sure what you mean by 'account' and 'multisig
> activity'. You seem to imply
> that the same set of extended public keys will be used in more than one
> wallet, which is
> not required (and certainly not recommended) by BIP45.
>
> According to BIP45, a signing party, in order to generate a wallet
> address, needs the extended public keys of all the other parties, so
> each party will be able to see the transaction history of the wallet
> they are sharing, but if the party has other wallets with other copayers
> the xpub should be completely different.
>
> matías
>
> --
> BitPay.com
Published at 2023-06-07 17:42:22