Original date posted: 2019-05-01

Hi Stepan,
I think that this would be a good extension.
Just for clarity, by xpub, do you mean the extended serialization format
defined in BIP 32 or the Base58 check encoded string of that serialization?
Andrew
On 4/26/19 11:21 AM, Stepan Snigirev via bitcoin-dev wrote:
> Hi list,
>
> I was looking at the bip174 PSBT specs, in particular for
> multisignature setup, and I think with current spec there is a way to
> steal user funds in M of N setup with M ≤ N/2.
>
> I made a small write-up on this:
> https://github.com/stepansnigirev/random_notes/blob/master/psbt_multisig.md
>
> To compress:
>
> Currently in PSBT there is no way to reliably say if the output uses
> the keys derived from the same root keys as the inputs aside from the
> key owned by the signer => there is no way to verify that the output
> is a change output in multisig setup.
>
> Therefore an attacker can replace half of the keys in the change
> address by his own keys and still get the transaction signed.
>
> I suggest to add an xpub field to the inputs and outputs metadata,
> then signers can verify that the same xpubs are used for public keys
> in inputs and outputs => output is indeed a change.
>
> Normally change and receiving addresses are derived from the same xpub
> with non-hardened derivation paths, so providing xpub after the last
> hardened index should be enough to see that public keys of inputs and
> change output are derived from the same xpub.
>
> I suggest to add the following key-value pairs to PSBT:
>
> Type: BIP 32 public key `PSBT_IN_BIP32_XPUB = 0x10`
> - Key: derivation path for xpub
> `{0x10}|{master key fingerprint}|{32-bit int}|...|{32-bit int}`
> - Value: 78-byte xpub value
> `{xpub}`
>
> Type: BIP 32 public key `PSBT_OUT_BIP32_XPUB = 0x03`
> - Key: derivation path for xpub
> `{0x03}|{master key fingerprint}|{32-bit int}|...|{32-bit int}`
> - Value: 78-byte xpub value
> `{xpub}`
>
> Derivation paths are in the key of the key-value pair as they are used
> for lookup, and xpub itself is the actual value being looked up.
>
> I also want to mention that Trezor for example doesn't suffer from
> this problem as they use xpubs to verify change outputs. So it may
> make sense to go through the communication protocols of existing
> hardware / multisignature wallets and see if there is something else
> we are missing.
>
> If everyone is happy about the proposal I would prepare a pull request
> to the bip.
>
> Best regards,
> Stepan Snigirev.
>
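The signer-side check Stepan's proposal enables (every key in a candidate change output must derive, via BIP 32 non-hardened derivation, from one of the xpubs attached to the inputs), written out as an added example; this is not code from the thread, from the BIP 174 reference implementation, or from any wallet. It uses the proposed key layout `{type}|{master key fingerprint}|{32-bit LE int}...` with a 78-byte xpub value, and the existing `PSBT_OUT_BIP32_DERIVATION` map (pubkey to fingerprint plus full path) for the output side. The function `is_change_output`, the seeds, the 4-byte fingerprints (used as opaque labels rather than computed as hash160 prefixes) and the account path are all constructed for the example; it also assumes the signer has already matched the input xpubs against the script of the UTXO it is spending, so they can be treated as the trusted set. The secp256k1 arithmetic is a minimal pure-Python version for illustration only.

```python
"""Added example (not from the thread): change-output verification using the
proposed PSBT xpub fields and BIP 32 public derivation. All seeds, fingerprints
and paths are constructed; the EC code is illustrative, not production grade."""
import hmac, hashlib, struct

# secp256k1 curve constants (real values) and minimal point arithmetic
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0: return None
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P      # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P       # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, pt):                   # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = _add(r, pt)
        pt, k = _add(pt, pt), k >> 1
    return r

def _ser(pt):                      # 33-byte compressed SEC encoding
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def _parse(b):                     # decompress; P == 3 mod 4 so sqrt is one pow
    x = int.from_bytes(b[1:], "big")
    y = pow((x ** 3 + 7) % P, (P + 1) // 4, P)
    return (x, y if (y & 1) == (b[0] & 1) else P - y)

def ckd_pub(chain, pub, i):
    """BIP 32 non-hardened child of a public node -> (child_chain, child_pub)."""
    assert i < 0x80000000, "hardened steps cannot be derived from an xpub"
    I = hmac.new(chain, pub + struct.pack(">I", i), hashlib.sha512).digest()
    il = int.from_bytes(I[:32], "big")
    assert 0 < il < N
    return I[32:], _ser(_add(_mul(il, G), _parse(pub)))

def derive_pub(xpub, path):
    """Walk a non-hardened path from a 78-byte serialized xpub (chain code at
    bytes 13..45, compressed key at 45..78); returns the 33-byte child pubkey."""
    chain, pub = xpub[13:45], xpub[45:78]
    for i in path:
        chain, pub = ckd_pub(chain, pub, i)
    return pub

def make_xpub(seed):
    """Constructed account-level xpub: master node built straight from the seed
    (the hardened account steps are skipped so the example stays self-contained)."""
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(I[:32], "big") % N or 1
    return (bytes.fromhex("0488B21E") + b"\x03" + b"\0" * 4
            + struct.pack(">I", 0x80000000) + I[32:] + _ser(_mul(k, G)))

# Proposed PSBT key: {type}|{master key fingerprint}|{32-bit LE int}|...
def xpub_key(type_byte, fingerprint, path):
    return bytes([type_byte]) + fingerprint + b"".join(struct.pack("<I", i) for i in path)

def parse_xpub_key(key):
    fp, rest = key[1:5], key[5:]
    return fp, tuple(struct.unpack("<I", rest[j:j + 4])[0] for j in range(0, len(rest), 4))

def is_change_output(input_xpubs, out_derivs, n_keys):
    """input_xpubs: {proposed PSBT_IN_BIP32_XPUB key: 78-byte xpub}, assumed already
    checked by the signer against the UTXO script being spent.
    out_derivs: {pubkey: (fingerprint, full_path)} from PSBT_OUT_BIP32_DERIVATION.
    True only if all n_keys output keys derive from the input xpubs."""
    trusted = {parse_xpub_key(k): v for k, v in input_xpubs.items()}
    matched = 0
    for pub, (fp, path) in out_derivs.items():
        for (tfp, prefix), xpub in trusted.items():
            if tfp == fp and path[:len(prefix)] == prefix \
                    and derive_pub(xpub, path[len(prefix):]) == pub:
                matched += 1
                break
    return len(out_derivs) == n_keys and matched == n_keys

# Constructed 2-of-4 setup: fingerprints are arbitrary 4-byte labels.
COSIGNERS = {bytes([i] * 4): make_xpub(b"cosigner-%d" % i) for i in range(1, 5)}
ACCOUNT = (0x80000030, 0x80000000, 0x80000002)     # hardened prefix, lookup only

def build_scenario():
    input_xpubs = {xpub_key(0x10, fp, ACCOUNT): xp for fp, xp in COSIGNERS.items()}
    honest = {derive_pub(xp, (1, 7)): (fp, ACCOUNT + (1, 7)) for fp, xp in COSIGNERS.items()}
    # Tampered output: two cosigner keys kept, the other two replaced by keys from
    # unrelated xpubs while keeping the honest fingerprint/path metadata.
    evil = {}
    for j, (pub, meta) in enumerate(honest.items()):
        evil[pub if j < 2 else derive_pub(make_xpub(b"other-%d" % j), (1, 7))] = meta
    return input_xpubs, honest, evil

def demo():
    input_xpubs, honest, evil = build_scenario()
    return is_change_output(input_xpubs, honest, 4), is_change_output(input_xpubs, evil, 4)

if __name__ == "__main__":
    print(demo())   # (True, False): honest change accepted, tampered output rejected
```

The tampered output is exactly the case from the write-up: its `PSBT_OUT_BIP32_DERIVATION` entries still claim the honest fingerprints and paths, and a 2-of-4 script built from it is fully spendable by whoever holds the two substituted keys. Without the xpub the signer can only re-derive its own key and has to take the other three entries on faith; with the input xpubs present, every claimed key is re-derived and the mismatch is caught before signing.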