2023-06-07 18:04:51

Jochen Hoenicke [ARCHIVE] on Nostr:

📅 Original date posted: 2017-08-21
📝 Original message:

On 21.08.2017 20:12, Greg Sanders via bitcoin-dev wrote:
> To fix this I consulted with andytoshi and got something we think works
> for both cases:
>
> 1) When a signing device receives a partially signed transaction, all
> inputs must come with an ownership proof:
> - For the input at address A, a signature over H(A || x) using the key
> for A. 'x' is some private fixed key that only the signing device
> knows (most likely some privkey along some unique bip32 path).
> - For each input ownership proof, the HW wallet validates each signature
> over the hashed message, then attempts to "decode" the hash by applying
> its own 'x'. If the hash doesn't match, it cannot be its own input.
> - Sign for every input that is yours

Interesting, basically a proof of non-ownership :), a proof that the
hardware wallet doesn't own the address.

But shouldn't x be public, so that the device can verify the signature?
Can you expand on this, what is exactly signed with which key and how is
it checked?

One also has to make sure that it's not possible to reuse signatures as
ownership proof that were made for a different purpose.

Jochen
Author Public Key
npub1tue9u2scw5pe77vn4fz0464zz0387gm0zwy2zjhqg2yap36zhj2s4dca6f