📅 Original date posted:2019-05-08
📝 Original message:hello,
On 07. 05. 19 15:40, Dmitry Petukhov via bitcoin-dev wrote:
> At the setup phase, hardware wallet can sign a message that consists of
> xpubs of participants, and some auxiliary text. It can use the key
> derived from the master key, with path chosen specifically for this
> purpose.
This seems overly complicated.
What is your threat model?
IIUC, each individual multisig signature also signs the set of signers
(through signing redeem-script (or scriptPubKey in address-based multisig))
So if an attacker gives me bad xpubs, i will sign them, but the
signature won't be valid for the given multisig output - even if the
attacker manages to trick 2 of 3 signers and recombine their signatures.
Therefore, the input==output check is sufficient: if I use the same set
of signers for an input and an output, I can be sure that the change
goes to the same multisig wallet.
Or is there something I'm missing?
The weak spot is the part where you generate receiving address, because
that "creates" the particular multisig wallet. But that's nothing to do
with PSBT.
> This would allow to distinguish the trusted output even if the inputs
> are not all derived from the same set of xpubs, that could happen in
> more complex scenarios (batching, key rotation, etc.), and can possibly
> be used to have several different types of 'trusted' outputs.
This seems to be an attempt at a different, much broader problem. And it
won't help if the attacker can replay a different trusted-xpub package
(e.g., one that contains a revoked previously compromised key).
regards
m.
jan matejek [ARCHIVE] /
npub1e2…85plt
2023-06-07 18:17:53
in reply to nevent1q…as2z
Author Public Key
npub1e2xrx3ldtqhl37ewy3z7pdmq45ekktt54cx4qgy8z0f9z633dszq285pltPublished at
2023-06-07 18:17:53Event JSON
{
"id": "e8e6e02cc69958079fb3612c966439a2bcccf2ba5ed773ca87de2fb9a054b781",
"pubkey": "ca8c3347ed582ff8fb2e2445e0b760ad336b2d74ae0d50208713d2516a316c04",
"created_at": 1686161873,
"kind": 1,
"tags": [
[
"e",
"e8ccb894d086c83c3d0b88d47f67ce9c654e9ff574985390aa744acf7402f91e",
"",
"root"
],
[
"e",
"cf5217d774c71962a7b668cd049f384242da6da74d57a780858e689a593624ed",
"",
"reply"
],
[
"p",
"78f5a82a0b64fb3c18bd33a69c53b1af612b3ac8dd81e12f74ba62f3793dac05"
]
],
"content": "📅 Original date posted:2019-05-08\n📝 Original message:hello,\n\nOn 07. 05. 19 15:40, Dmitry Petukhov via bitcoin-dev wrote:\n\u003e At the setup phase, hardware wallet can sign a message that consists of\n\u003e xpubs of participants, and some auxiliary text. It can use the key\n\u003e derived from the master key, with path chosen specifically for this\n\u003e purpose.\n\nThis seems overly complicated.\n\nWhat is your threat model?\n\nIIUC, each individual multisig signature also signs the set of signers\n(through signing redeem-script (or scriptPubKey in address-based multisig))\nSo if an attacker gives me bad xpubs, i will sign them, but the\nsignature won't be valid for the given multisig output - even if the\nattacker manages to trick 2 of 3 signers and recombine their signatures.\n\nTherefore, the input==output check is sufficient: if I use the same set\nof signers for an input and an output, I can be sure that the change\ngoes to the same multisig wallet.\n\nOr is there something I'm missing?\n\nThe weak spot is the part where you generate receiving address, because\nthat \"creates\" the particular multisig wallet. But that's nothing to do\nwith PSBT.\n\n\u003e This would allow to distinguish the trusted output even if the inputs\n\u003e are not all derived from the same set of xpubs, that could happen in\n\u003e more complex scenarios (batching, key rotation, etc.), and can possibly\n\u003e be used to have several different types of 'trusted' outputs.\n\nThis seems to be an attempt at a different, much broader problem. And it\nwon't help if the attacker can replay a different trusted-xpub package\n(e.g., one that contains a revoked previously compromised key).\n\nregards\nm.",
"sig": "17ffd0b221801d1ef93d72002e0a57147c9bc9f6afcb22f440e1eea987a4530683b8122eeb4061fd79e5914a34f33e193943ce0ce4a24f328a7b5bac3f8e0754"
}