📅 Original date posted:2015-10-03
📝 Original message:Hello,
I have been reviewing BIP-45 today. There is a privacy problem with it
that should at least be mentioned in the document.
When using the same extended public key for all multisig activity, and
dealing with different cosigners in separate multisig accounts, reuse of
the same set of public keys means that all cosigners from all accounts
will be able to monitor multisig activity from every other cosigner, in
every other account.
Besides privacy considerations, HD wallet's non-reuse of public keys
provide some defence against wallets that do not implement deterministic
signing, and use poor entropy for signature nonces.
Unless users are expected to establish a single cosigning account, this
scheme will result in reuse of public keys, and degradation of privacy.
I understand that for convenience it is useful to have a single extended
public key that can be handed to every cosigner. This makes setting up
accounts or recovering from data loss a easier.
I suggest that privacy & potential security degradation due to increased
public key reuse in the case of users with multiple multisig accounts
should get a mention in the BIP-45 document.
Greetings
On 25/04/14 23:27, Manuel Araoz wrote:
> Hi, I'm part of the team building copay
> <https://github.com/bitpay/copay>;, a multisignature P2SH HD
> wallet. We've been following the discussion regarding standardizing the
> structure for branches both on this list and on github (1
> <https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki>;, 2
> <https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki>;, 3
> <https://github.com/bitcoin/bips/blob/master/bip-0043.mediawiki>;, 4
> <https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki>;, 5
> <https://github.com/bitcoin/bips/pull/52>;). Soon, we realized the
> assumptions in the discussions were not true for a multisig hd wallet,
> so we wanted to share our current approach to that, to get feedback and
> see if we can arrive to a new standard (and possibly a new BIP)
>
> These are our assumptions:
> - N parties want to share an m-of-n wallet.
> - Each party must generate their master private keys independently.
> - Use multisig P2SH for all addresses.
> - Use BIP32 to derive public keys, then create a multisig script, and
> use the P2SH address for that.
> - The address generation process should not require communicating with
> other parties. (Thus, all parties must be able to generate all public keys)
> - Transaction creation + signing requires communication between
> parties, of course.
>
> -------------------------------------------------
>
> Following BIP43, we're be using:
>
>
> m / purpose' / *
>
> where /purpose/ is the hardened derivation scheme based on the new BIP
> number.
> We then define the following levels:
>
>
> m / purpose' / cosigner_index / change / address_index
>
> Each level has a special meaning detailed below:
>
> /cosigner_index/ <http://en.wikipedia.org/wiki/Co-signing>;: the index of
> the party creating this address. The indices can be determined
> independently by lexicographically sorting the master public keys of
> each cosigner.
>
> /change/: 0 for change, 1 for receive address.
>
> /address_index/: Addresses are numbered from index 0 in sequentially
> increasing manner. We're currently syncing the max used index for each
> branch between all parties when they connect, but we're open to
> considering removing the index sync and doing the more elegant
> used-address discovery via a gap limit, as discussed in BIP44
> <https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki#address-gap-limit>;.
> We feel 20 might be too low though.
>
> *Wallet high-level description:*
> Each party generates their own extended master keypair and shares the
> extended purpose' public key with the others, which is stored encrypted.
> Each party can generate any of the other's derived public keys, but only
> his own private keys.
>
> *General address generation procedure:*
> When generating an address, each party can independently generate the N
> needed public keys. They do this by deriving the public key in each of
> the different trees, but using the same path. They can then generate the
> multisig script and the corresponding p2sh address. In this way, each
> path corresponds to an address, but the public keys for that address
> come from different trees.
>
> *Receive address case:*
> Each cosigner generates addresses only on his own branch. One of the n
> cosigners wants to receive a payment, and the others are offline. He
> knows the last used index in his own branch, because only he generates
> addresses there. Thus, he can generate the public keys for all of the
> others using the next index, and calculate the needed script for the
> address.
>
> /Example: /Cosigner #2 wants to receive a payment to the shared wallet.
> His last used index on his own branch is 4. Then, the path for the next
> receive address is m/$purpose/2/1/5. He uses this same path in all of
> the cosigners trees to generate a public key for each one, and from that
> he gets the new p2sh address.
>
> *Change address case:*
> Again, each cosigner generates addresses only on his own branch. One of
> the n cosigners wants to create an outgoing payment, for which he'll
> need a change address. He generates a new address using the same
> procedure as above, but using a separate index to track the used change
> addresses.
> /
> Example: /Cosigner #5 wants to send a payment from the shared wallet,
> for which he'll need a change address. His last used change index on his
> own branch is 11. Then, the path for the next change address is
> m/$purpose/5/0/12. He uses this same path in all of the cosigners trees
> to generate a public key for each one, and from that he gets the new
> p2sh address.
>
>
> *Transaction creation and signing:*
> When creating a transaction, first one of the parties creates a
> Transaction Proposal. This is a transaction that spends some output
> stored in any of the p2sh multisig addresses (corresponding to any of
> the copayers' branches). This proposal is sent to the other parties, who
> decide if they want to sign. If they approve the proposal, they can
> generate their needed private key for that specific address (using the
> same path that generated the public key in that address, but deriving
> the private key instead), and sign it. Once the proposal reaches m
> signatures, any cosigner can broadcast it to the network, becoming
> final. The specifics of how this proposal is structured, and the
> protocol to accept or reject it, belong to another BIP, in my opinion.
>
> *Final comments:*
> - We're currently lexicographically sorting the public keys for each
> address separately. We've read Mike Belshe's comments about sorting the
> master public keys and then using the same order for all derived
> addresses, but we couldn't think of any benefits of doing that (I mean,
> the benefits of knowing whose public key is which).
> - We originally thought we would need a non-hardened version of purpose
> for the path, because we needed every party to be able to generate all
> the public keys of the others. With the proposed path, is it true that
> the cosigners will be able to generate them, by knowing the extended
> purpose public key for each copayer? (m/purpose')
> - The reason for using separate branches for each cosigner is we don't
> want two of them generating the same address and receiving simultaneous
> payments to it. The ideal case is that each address receives at most one
> payment, requested by the corresponding cosigner.
>
>
> Thoughts?
> Manuel
>
>
> ------------------------------------------------------------------------------
> Start Your Social Network Today - Download eXo Platform
> Build your Enterprise Intranet with eXo Platform Software
> Java Based Open Source Intranet - Social, Extensible, Cloud Ready
> Get Started Now And Turn Your Intranet Into A Collaboration Platform
> http://p.sf.net/sfu/ExoPlatform
>
>
>
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
Jean-Pierre Rupp [ARCHIVE] /
npub1ym…v30qh
2023-06-07 17:42:20
in reply to nevent1q…0e2y
Author Public Key
npub1ymm7v2axmjgetkqvh6l7900qnk5za089fcu7snzsw6f5wzy55e5s3v30qhSeen on
wss://relay.noswhere.comPublished at
2023-06-07 17:42:20Event JSON
{
"id": "e129884fce88c8fe7374cc6dd9533747941b877b7931fe2a4cc7a2f3f680d05d",
"pubkey": "26f7e62ba6dc9195d80cbebfe2bde09da82ebce54e39e84c507693470894a669",
"created_at": 1686159740,
"kind": 1,
"tags": [
[
"e",
"3e46f2c62587acdbda9b227056f9de6eaf13013e7c73db7dc59fc81adea6f4b6",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "📅 Original date posted:2015-10-03\n📝 Original message:Hello,\n\nI have been reviewing BIP-45 today. There is a privacy problem with it\nthat should at least be mentioned in the document.\n\nWhen using the same extended public key for all multisig activity, and\ndealing with different cosigners in separate multisig accounts, reuse of\nthe same set of public keys means that all cosigners from all accounts\nwill be able to monitor multisig activity from every other cosigner, in\nevery other account.\n\nBesides privacy considerations, HD wallet's non-reuse of public keys\nprovide some defence against wallets that do not implement deterministic\nsigning, and use poor entropy for signature nonces.\n\nUnless users are expected to establish a single cosigning account, this\nscheme will result in reuse of public keys, and degradation of privacy.\n\nI understand that for convenience it is useful to have a single extended\npublic key that can be handed to every cosigner. This makes setting up\naccounts or recovering from data loss a easier.\n\nI suggest that privacy \u0026 potential security degradation due to increased\npublic key reuse in the case of users with multiple multisig accounts\nshould get a mention in the BIP-45 document.\n\nGreetings\n\n\nOn 25/04/14 23:27, Manuel Araoz wrote:\n\u003e Hi, I'm part of the team building copay\n\u003e \u003chttps://github.com/bitpay/copay\u003e, a multisignature P2SH HD\n\u003e wallet. We've been following the discussion regarding standardizing the\n\u003e structure for branches both on this list and on github (1\n\u003e \u003chttps://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki\u003e, 2\n\u003e \u003chttps://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki\u003e, 3\n\u003e \u003chttps://github.com/bitcoin/bips/blob/master/bip-0043.mediawiki\u003e, 4\n\u003e \u003chttps://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki\u003e, 5\n\u003e \u003chttps://github.com/bitcoin/bips/pull/52\u003e). Soon, we realized the\n\u003e assumptions in the discussions were not true for a multisig hd wallet,\n\u003e so we wanted to share our current approach to that, to get feedback and\n\u003e see if we can arrive to a new standard (and possibly a new BIP)\n\u003e \n\u003e These are our assumptions: \n\u003e - N parties want to share an m-of-n wallet.\n\u003e - Each party must generate their master private keys independently.\n\u003e - Use multisig P2SH for all addresses.\n\u003e - Use BIP32 to derive public keys, then create a multisig script, and\n\u003e use the P2SH address for that.\n\u003e - The address generation process should not require communicating with\n\u003e other parties. (Thus, all parties must be able to generate all public keys)\n\u003e - Transaction creation + signing requires communication between\n\u003e parties, of course.\n\u003e \n\u003e -------------------------------------------------\n\u003e \n\u003e Following BIP43, we're be using:\n\u003e \n\u003e \n\u003e m / purpose' / *\n\u003e \n\u003e where /purpose/ is the hardened derivation scheme based on the new BIP\n\u003e number.\n\u003e We then define the following levels:\n\u003e \n\u003e \n\u003e m / purpose' / cosigner_index / change / address_index\n\u003e \n\u003e Each level has a special meaning detailed below:\n\u003e \n\u003e /cosigner_index/ \u003chttp://en.wikipedia.org/wiki/Co-signing\u003e: the index of\n\u003e the party creating this address. The indices can be determined\n\u003e independently by lexicographically sorting the master public keys of\n\u003e each cosigner.\n\u003e \n\u003e /change/: 0 for change, 1 for receive address.\n\u003e \n\u003e /address_index/: Addresses are numbered from index 0 in sequentially\n\u003e increasing manner. We're currently syncing the max used index for each\n\u003e branch between all parties when they connect, but we're open to\n\u003e considering removing the index sync and doing the more elegant\n\u003e used-address discovery via a gap limit, as discussed in BIP44\n\u003e \u003chttps://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki#address-gap-limit\u003e.\n\u003e We feel 20 might be too low though. \n\u003e \n\u003e *Wallet high-level description:*\n\u003e Each party generates their own extended master keypair and shares the\n\u003e extended purpose' public key with the others, which is stored encrypted.\n\u003e Each party can generate any of the other's derived public keys, but only\n\u003e his own private keys. \n\u003e \n\u003e *General address generation procedure:*\n\u003e When generating an address, each party can independently generate the N\n\u003e needed public keys. They do this by deriving the public key in each of\n\u003e the different trees, but using the same path. They can then generate the\n\u003e multisig script and the corresponding p2sh address. In this way, each\n\u003e path corresponds to an address, but the public keys for that address\n\u003e come from different trees.\n\u003e \n\u003e *Receive address case:*\n\u003e Each cosigner generates addresses only on his own branch. One of the n\n\u003e cosigners wants to receive a payment, and the others are offline. He\n\u003e knows the last used index in his own branch, because only he generates\n\u003e addresses there. Thus, he can generate the public keys for all of the\n\u003e others using the next index, and calculate the needed script for the\n\u003e address. \n\u003e \n\u003e /Example: /Cosigner #2 wants to receive a payment to the shared wallet.\n\u003e His last used index on his own branch is 4. Then, the path for the next\n\u003e receive address is m/$purpose/2/1/5. He uses this same path in all of\n\u003e the cosigners trees to generate a public key for each one, and from that\n\u003e he gets the new p2sh address.\n\u003e \n\u003e *Change address case:*\n\u003e Again, each cosigner generates addresses only on his own branch. One of\n\u003e the n cosigners wants to create an outgoing payment, for which he'll\n\u003e need a change address. He generates a new address using the same\n\u003e procedure as above, but using a separate index to track the used change\n\u003e addresses. \n\u003e /\n\u003e Example: /Cosigner #5 wants to send a payment from the shared wallet,\n\u003e for which he'll need a change address. His last used change index on his\n\u003e own branch is 11. Then, the path for the next change address is\n\u003e m/$purpose/5/0/12. He uses this same path in all of the cosigners trees\n\u003e to generate a public key for each one, and from that he gets the new\n\u003e p2sh address.\n\u003e \n\u003e \n\u003e *Transaction creation and signing:*\n\u003e When creating a transaction, first one of the parties creates a\n\u003e Transaction Proposal. This is a transaction that spends some output\n\u003e stored in any of the p2sh multisig addresses (corresponding to any of\n\u003e the copayers' branches). This proposal is sent to the other parties, who\n\u003e decide if they want to sign. If they approve the proposal, they can\n\u003e generate their needed private key for that specific address (using the\n\u003e same path that generated the public key in that address, but deriving\n\u003e the private key instead), and sign it. Once the proposal reaches m\n\u003e signatures, any cosigner can broadcast it to the network, becoming\n\u003e final. The specifics of how this proposal is structured, and the\n\u003e protocol to accept or reject it, belong to another BIP, in my opinion. \n\u003e \n\u003e *Final comments:*\n\u003e - We're currently lexicographically sorting the public keys for each\n\u003e address separately. We've read Mike Belshe's comments about sorting the\n\u003e master public keys and then using the same order for all derived\n\u003e addresses, but we couldn't think of any benefits of doing that (I mean,\n\u003e the benefits of knowing whose public key is which).\n\u003e - We originally thought we would need a non-hardened version of purpose\n\u003e for the path, because we needed every party to be able to generate all\n\u003e the public keys of the others. With the proposed path, is it true that\n\u003e the cosigners will be able to generate them, by knowing the extended\n\u003e purpose public key for each copayer? (m/purpose')\n\u003e - The reason for using separate branches for each cosigner is we don't\n\u003e want two of them generating the same address and receiving simultaneous\n\u003e payments to it. The ideal case is that each address receives at most one\n\u003e payment, requested by the corresponding cosigner. \n\u003e \n\u003e \n\u003e Thoughts?\n\u003e Manuel\n\u003e \n\u003e \n\u003e ------------------------------------------------------------------------------\n\u003e Start Your Social Network Today - Download eXo Platform\n\u003e Build your Enterprise Intranet with eXo Platform Software\n\u003e Java Based Open Source Intranet - Social, Extensible, Cloud Ready\n\u003e Get Started Now And Turn Your Intranet Into A Collaboration Platform\n\u003e http://p.sf.net/sfu/ExoPlatform\n\u003e \n\u003e \n\u003e \n\u003e _______________________________________________\n\u003e Bitcoin-development mailing list\n\u003e Bitcoin-development at lists.sourceforge.net\n\u003e https://lists.sourceforge.net/lists/listinfo/bitcoin-development\n\u003e",
"sig": "a3bd722ac454aead009591255aece26641577581b6b7b4652333f526250740b0ef6693ae89d02898502e9d2865ca82ba4dd9fa8f1e3330a843628d7fe2657e47"
}