📅 Original date posted:2019-05-07
📝 Original message:> > Even with this additions to the PSBT format, I think PSBT-signing
> > devices still need to store the xpubs of their co-signers. It's not
> > possible to safely show an incoming address to the user without a
> > full understanding of the other keys in a "multisig wallet". Also,
> > it represents data that should not change between PSBT instances
> > (ie. tomorrow's co-signers should match today's).
>
> I would like to keep hardware wallets state-less, otherwise wiping and
> recovering them would be problematic.
> At the setup phase the user can verify a multisignature address (or
> xpub) on the screens of all devices,
> after that we just need to verify that xpubs in the inputs and in the
> change output are the same.
At the setup phase, hardware wallet can sign a message that consists of
xpubs of participants, and some auxiliary text. It can use the key
derived from the master key, with path chosen specifically for this
purpose.
Hardware wallet then gives out this signature to the software.
The software will store the message and the signature (or maybe it can
take xpubs from PSBT), and will send this 'trusted-xpub-package' to
hardware wallet along with the transaction.
Hardware wallet can then verify that the message is indeed signed by
the key for that purpose, and then can mark the ouputs that use the
pubkeys derived from 'verified' xpubs as 'trusted' outputs. It can also
display the auxiliary text along with the information about the
'trusted' output.
This way, hardware wallet does not need to store anything extra besides
the master key.
This would allow to distinguish the trusted output even if the inputs
are not all derived from the same set of xpubs, that could happen in
more complex scenarios (batching, key rotation, etc.), and can possibly
be used to have several different types of 'trusted' outputs.
If the user loses the signature for trusted-xpub-package, the signature
can be re-created again - but maybe the procedure should be more
involved than ordinary signing, because creating creating such
'trusted-xpub-package' with malicious keys can enable attackers to
bypass these checks.
Dmitry Petukhov [ARCHIVE] /
npub10r…9afdw
2023-06-07 18:17:53
in reply to nevent1q…c38n
Author Public Key
npub10r66s2stvnancx9axwnfc5a34asjkwkgmkq7ztm5hf30x7fa4szsv9afdwPublished at
2023-06-07 18:17:53Event JSON
{
"id": "cf5217d774c71962a7b668cd049f384242da6da74d57a780858e689a593624ed",
"pubkey": "78f5a82a0b64fb3c18bd33a69c53b1af612b3ac8dd81e12f74ba62f3793dac05",
"created_at": 1686161873,
"kind": 1,
"tags": [
[
"e",
"e8ccb894d086c83c3d0b88d47f67ce9c654e9ff574985390aa744acf7402f91e",
"",
"root"
],
[
"e",
"6b04b81b58f02b8c75db57e7f8ed75459cd242a497f2e29a8f66ab4103e0415f",
"",
"reply"
],
[
"p",
"30beaf829947399fbeeb7348a86be391039f59a4ce9970d65a7afc54ec6b9f68"
]
],
"content": "📅 Original date posted:2019-05-07\n📝 Original message:\u003e \u003e Even with this additions to the PSBT format, I think PSBT-signing\n\u003e \u003e devices still need to store the xpubs of their co-signers. It's not\n\u003e \u003e possible to safely show an incoming address to the user without a\n\u003e \u003e full understanding of the other keys in a \"multisig wallet\". Also,\n\u003e \u003e it represents data that should not change between PSBT instances\n\u003e \u003e (ie. tomorrow's co-signers should match today's).\n\u003e \n\u003e I would like to keep hardware wallets state-less, otherwise wiping and\n\u003e recovering them would be problematic.\n\u003e At the setup phase the user can verify a multisignature address (or\n\u003e xpub) on the screens of all devices,\n\u003e after that we just need to verify that xpubs in the inputs and in the\n\u003e change output are the same.\n\nAt the setup phase, hardware wallet can sign a message that consists of\nxpubs of participants, and some auxiliary text. It can use the key\nderived from the master key, with path chosen specifically for this\npurpose.\n\nHardware wallet then gives out this signature to the software.\n\nThe software will store the message and the signature (or maybe it can\ntake xpubs from PSBT), and will send this 'trusted-xpub-package' to\nhardware wallet along with the transaction.\n\nHardware wallet can then verify that the message is indeed signed by\nthe key for that purpose, and then can mark the ouputs that use the\npubkeys derived from 'verified' xpubs as 'trusted' outputs. It can also\ndisplay the auxiliary text along with the information about the\n'trusted' output.\n\nThis way, hardware wallet does not need to store anything extra besides\nthe master key.\n\nThis would allow to distinguish the trusted output even if the inputs\nare not all derived from the same set of xpubs, that could happen in\nmore complex scenarios (batching, key rotation, etc.), and can possibly\nbe used to have several different types of 'trusted' outputs.\n\nIf the user loses the signature for trusted-xpub-package, the signature\ncan be re-created again - but maybe the procedure should be more\ninvolved than ordinary signing, because creating creating such\n'trusted-xpub-package' with malicious keys can enable attackers to\nbypass these checks.",
"sig": "ebe769c8548a85af6ab8a46fa90b1e326460667e76d32a17502a08cceb89897acb03e2e2ac5ebda2331282bf96961761c6f6cb5f08d6614a18c93ee1f53f52dd"
}