Re: [Bitcoin-development] BIP32 Index Randomisation

public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed

From: Gregory Maxwell <gmaxwell@gmail•com>
To: Matias Alejo Garcia <matias@bitpay•com>
Cc: Bitcoin Dev <bitcoin-development@lists•sourceforge.net>
Subject: Re: [Bitcoin-development] BIP32 Index Randomisation
Date: Fri, 13 Mar 2015 04:01:45 +0000	[thread overview]
Message-ID: <CAAS2fgSXR-njGtJgnvFpC8aT2L8Ch8D=_B8Rk-p0LG4JF0-ZyA@mail.gmail.com> (raw)
In-Reply-To: <CA+vKqYfG=SoNAgTeD0C_Q7F2p6MWdWE90u7728g9s3=nkmNi4w@mail.gmail.com>

This seems overly complicated to me, unless I'm missing something.

Instead, I think you should just give the server the master pubkey P
only without the chaincode.


Then when you transact you generate the address in whatever manner you
like and tell the server the scalar value iL which the user computes
as

iL = HMAC-SHA512(Key = cpar, Data = serP(Kpar) || ser32(i))[first 32
byes],  (per BIP 32).

and the server computes P + iL*G  and checks agreement with the address.

It would be inaccurate to call this private, as the server still
learns this particular relation. (and really users should _not_ be
using the same chaincode with different parties... as it exacerbates
the private key leak risk), but its certainly more private than giving
people the chain code.

The approach I suggest is also not gratuitously incompatible with
hardened derivation, which is what parties should be doing when they
don't actually need a third party to generate future addresses for
them without their cooperation (as appears to be the case here).










On Fri, Mar 13, 2015 at 3:48 AM, Matias Alejo Garcia <matias@bitpay•com> wrote:
>
> Hello everyone,
>
> We are working on bitcore-wallet-server (BWS), a HD multisig wallet
> 'facilitator'. We have a couple of questions regarding BIP32 path usage, and
> we would love to have feedback from you before moving forward.
>
> Currently the BWS instances hold the set of extended public keys of the
> wallet's peers to be able to derive  addresses.
>
> Since this is a problem from the privacy point of view, we thought using
> pseudo-random  BIP32 paths, with a seed only known be the peers, so the
> server will be able to verify that addresses  submitted by peers belong to
> the wallet, but will not be able to derive future wallet addresses.
>
> The workflow would be something like:
>
> ```
> Peer >   getCurrentIndex
>
> < Server [index]
>
> Peer:
>   pathSeed = PRNG(seed, index);
>
> Peer > createAddress(index, pathSeed);
>
> Server:
>   derives the address and add it to the wallet.
>
> < Server  new address
>
> Peer: Verifies the address and inform it the user.
> ```
>
> This way, accessing server data won't reveal future wallet addresses. The
> seed (only known by the peers) could
> be derived from hashes of their xprivs, so wallet funds can still be recover
> with:
>   1) The complete set of xprivs
>   2) The quorum of xprivs + the complete set of xpubs + the address seed.
>
> Thanks a lot in advance for any comment on this schema.
>
> matías
>
> --
> BitPay.com
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website,
> sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for
> all
> things parallel software development, from weekly thought leadership blogs
> to
> news, videos, case studies, tutorials and more. Take a look and join the
> conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists•sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>

next prev parent reply	other threads:[~2015-03-13  4:01 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-03-13  3:48 Matias Alejo Garcia
2015-03-13  4:01 ` Gregory Maxwell [this message]
2015-03-13 16:40 ` Mike Hearn
2015-03-13 18:01   ` Matias Alejo Garcia
2015-03-13 18:04     ` Mike Hearn
2015-03-13 20:26       ` Matias Alejo Garcia
2015-03-13 21:34         ` Mike Hearn

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAAS2fgSXR-njGtJgnvFpC8aT2L8Ch8D=_B8Rk-p0LG4JF0-ZyA@mail.gmail.com' \
    --to=gmaxwell@gmail$(echo .)com \
    --cc=bitcoin-development@lists$(echo .)sourceforge.net \
    --cc=matias@bitpay$(echo .)com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox