2023-06-07 18:18:48

Jonathan Underwood [ARCHIVE] on Nostr:

📅 Original date posted: 2019-06-27
📝 Original message:

Hi Peter,

tl;dr The problem this solves is "How can a signer verify an address with
HD changing the address every time?"

As an aside: (This is sort of explaining the current PR for the 0x01 global
field (separate from mine))
The problem is more easily understood with change addresses: If someone can
alter my PSBT before signing, they could replace my change address with
their address, and my signer would not know unless the signer just guesses
all the path sets it knows, then derives thousands of change addresses and
searches (most likely a signer is offline, so gap limit doesn't work since
we can't tell which change addresses have tx history). So the 0x01 global
tag will tell the signer "here's how you get from your master private key
to the xpub used in the change output's output BIP32_DERIVATION tag... you
can then derive the same key and check it is yours before signing."

Back to my proposal, this problem extends across wallets, since,
for example, if I want to send from my cold wallet to my warm wallet, I
don't want to give my cold signer my warm master key just so it can derive
and check the key. That's what signatures are for. So this proposal says "A
signer can be built to only sign if it sees a signature that itself has
signed, then from that signed xpub(s) derives the BIP32_DERIVATION in the
outputs, and if the output doesn't match it will reject and not sign"

This creates a sort of "chain of trust" for the wallet.

Currently the best way to prevent this (hacker swapping the send to
address) without using signatures is to reuse the same address every time
you want to send to the warm wallet, since after a few times, the signers
(people) will be able to remember the address.

This is a huge HD drawback for high security requirement environments.
Having this data in the PSBT standard will allow Trezor etc. to create an
enforceable whitelist feature.

Let me know if you have feedback on the details.

Thanks,
Jon

Fri, 28 Jun 2019 0:07 Peter D. Gray <peter at coinkite.com>:

> I haven't studied the new proposal in depth, but my first impression is:
>
> Wouldn't it just be easier and better to just sign the entire "outputs"
> section of the PSBT?
>
> The signature would cover every byte, and therefore would cover any
> future BIP additions to the outputs area, and also help non-multisig
> cases today.
>
> ---
> Peter D. Gray || Founder, Coinkite || Twitter: @dochex || GPG:
> A3A31BAD 5A2A5B10
>
>

--
-----------------
Jonathan Underwood
Bitbank Inc., Chief Bitcoin Officer
-----------------

If you are sending an encrypted message, please use the public key below.

Fingerprint: 0xCE5EA9476DE7D3E45EBC3FDAD998682F3590FEA3
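The signer-side check Jon describes above (re-derive the key named by an output's BIP32_DERIVATION from your own master key and refuse to sign if the pubkey differs), as an added example that is not code from the original post or from any wallet project. It implements plain BIP32 CKDpriv in pure Python; the function names (`derive_pubkey`, `output_is_mine`) are assumptions, the master-fingerprint and signed-xpub parts of the proposal are left out, and the seed used is the public BIP32 test vector 1 seed, not a real key.

```python
# Added example: minimal BIP32 derivation so an offline signer can verify that an
# output's claimed (pubkey, path) really derives from a seed it owns (constructed).
import hmac
import hashlib

# secp256k1 curve parameters
_P = 2**256 - 2**32 - 977
_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
_G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
      0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _point_add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None: return q
    if q is None: return p
    if p[0] == q[0] and (p[1] + q[1]) % _P == 0: return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, _P) % _P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, _P) % _P
    x = (lam * lam - p[0] - q[0]) % _P
    return (x, (lam * (p[0] - x) - p[1]) % _P)

def _point_mul(k, pt=_G):
    acc = None
    while k:                       # double-and-add scalar multiplication
        if k & 1: acc = _point_add(acc, pt)
        pt = _point_add(pt, pt)
        k >>= 1
    return acc

def _compressed(pt):
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def master_from_seed(seed):
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(I[:32], "big"), I[32:]       # (k_master, chain code)

def ckd_priv(k, c, i):
    """BIP32 CKDpriv: hardened when i >= 2**31 (written 0' or 0h in a path)."""
    data = (b"\x00" + k.to_bytes(32, "big")) if i >= 2**31 else _compressed(_point_mul(k))
    I = hmac.new(c, data + i.to_bytes(4, "big"), hashlib.sha512).digest()
    return (int.from_bytes(I[:32], "big") + k) % _N, I[32:]

def derive_pubkey(seed, path):
    """Compressed pubkey at a path such as "m/84'/0'/0'/1/7" (assumed helper name)."""
    k, c = master_from_seed(seed)
    for comp in path.split("/")[1:]:
        hardened = comp[-1] in "'h"
        k, c = ckd_priv(k, c, int(comp.rstrip("'h")) + (2**31 if hardened else 0))
    return _compressed(_point_mul(k))

def output_is_mine(seed, bip32_derivation):
    """Refuse to sign unless the output's (pubkey, path) re-derives from our seed;
    a swapped address fails because the attacker's pubkey won't match."""
    pubkey, path = bip32_derivation
    return derive_pubkey(seed, path) == pubkey
```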