public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Greg Sanders <gsanders87@gmail•com>
To: Jochen Hoenicke <hoenicke@gmail•com>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] [BIP Proposal] Partially Signed Bitcoin Transaction (PSBT) format
Date: Tue, 22 Aug 2017 12:26:30 -0700	[thread overview]
Message-ID: <CAB3F3Dt6zo_SHAUL72czPZTkh6T9sA3G93wC52Agfd1e3+kKXQ@mail.gmail.com> (raw)
In-Reply-To: <5f67d70d-a432-7826-22df-4207580aa1d2@gmail.com>

[-- Attachment #1: Type: text/plain, Size: 1856 bytes --]

If 'x' is public, that makes it identifiable and privacy-losing across
inputs.

To avoid "re-use" I suppose you'd want to sign some message like
`HMAC("ownership proof", H(A || x) )` instead. Otherwise any signature you
make using `A` ends up being used as a proof you don't know the input(this
seems like just details but to be more clear)...

To reiterate:

Sign `HMAC("ownership proof", H(A || x) )` using `A`. Public verifiers see
`HMAC("ownership proof", some_random_hash_connected_to_A )` and the HWW
that owns that input can recreate `some_random_hash_connected_to_A` by `H(A
|| x) )`

On Mon, Aug 21, 2017 at 2:36 PM, Jochen Hoenicke <hoenicke@gmail•com> wrote:

> On 21.08.2017 20:12, Greg Sanders via bitcoin-dev wrote:
> > To fix this I consulted with andytoshi and got something we think works
> > for both cases:
> >
> > 1) When a signing device receives a partially signed transaction, all
> > inputs must come with a ownership proof:
> > - For the input at address A, a signature over H(A || x) using the key
> > for A. 'x' is some private fixed key that only the signing device
> > knows(most likely some privkey along some unique bip32 path).
> > - For each input ownership proof, the HW wallet validates each signature
> > over the hashed message, then attempts to "decode" the hash by applying
> > its own 'x'. If the hash doesn't match, it cannot be its own input.
> > - Sign for every input that is yours
>
> Interesting, basically a proof of non-ownership :), a proof that the
> hardware wallet doesn't own the address.
>
> But shouldn't x be public, so that the device can verify the signature?
> Can you expand on this, what is exactly signed with which key and how is
> it checked?
>
> One also has to make sure that it's not possible to reuse signatures as
> ownership proof that were made for a different purpose.
>
>   Jochen
>

[-- Attachment #2: Type: text/html, Size: 2578 bytes --]

      reply	other threads:[~2017-08-22 19:26 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-08-18 22:11 Andrew Chow
2017-08-21  0:00 ` Bryan Bishop
2017-08-21 18:12   ` Greg Sanders
2017-08-21 21:36     ` Jochen Hoenicke
2017-08-22 19:26       ` Greg Sanders [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAB3F3Dt6zo_SHAUL72czPZTkh6T9sA3G93wC52Agfd1e3+kKXQ@mail.gmail.com \
    --to=gsanders87@gmail$(echo .)com \
    --cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
    --cc=hoenicke@gmail$(echo .)com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox