UNSUBSCRIBE On Wed, Feb 11, 2015 at 2:25 AM, < bitcoin-development-request@lists.sourceforge.net> wrote: > Send Bitcoin-development mailing list submissions to > bitcoin-development@lists.sourceforge.net > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.sourceforge.net/lists/listinfo/bitcoin-development > or, via email, send a message with subject or body 'help' to > bitcoin-development-request@lists.sourceforge.net > > You can reach the person managing the list at > bitcoin-development-owner@lists.sourceforge.net > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Bitcoin-development digest..." > > > Today's Topics: > > 1. Re: Proposal for P2P Wireless (Bluetooth LE) transfer of > Payment URI (Eric Voskuil) > 2. Proposal: Requiring a miner's signature in the block header > (Hector Chu) > 3. Re: Proposal: Requiring a miner's signature in the block > header (Natanael) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Tue, 10 Feb 2015 09:56:39 -0800 > From: Eric Voskuil > Subject: Re: [Bitcoin-development] Proposal for P2P Wireless > (Bluetooth LE) transfer of Payment URI > To: M?rtin H?bo??tiak > Cc: Bitcoin Dev , Paul Puey > > Message-ID: <54DA4657.5080604@voskuil.org> > Content-Type: text/plain; charset="utf-8" > > On 02/10/2015 09:16 AM, M?rtin H?bo??tiak wrote: > > I'm not sure if I was clear enough. Handshake should be used to > > establish authenticated AND encrypted communication using ECDH (or > > just DH, but I think it's easier to use ECDH, since required functions > > are already used in Bitcoin protocol), like RedPhone does. BTW > > knowledge of verification string is useless to the attacker. > > Yes, I think this was clear from your description. > > > Yes, the customer must verify it verbally and the merchant shouldn't > > send the transaction before verification. Other possibility is that in > > case of differing verification strings new address is generated, so > > attacker doesn't know the address. But in this case, amount is leaked > > and there is quite high probability it can be found in the Blockchain. > > Yes, for each handshake the payment request would need to contain a > different address, mitigating some of the privacy loss. > > > Anyway, I don't believe the transaction can be made securely without > > such interaction except with white-listing public keys, so I see no > > reason why interaction should be problematic. > > It can be done securely and privately by transfer of a shared secret > through a private channel. > > > We don't have such strict regulations but I agree that security is > > important. Currently I think that verbal verification and manual > > confirmation is the best way to achieve high security and reasonable > > user-friendliness. > > I think for a broadcast model (e.g. Bluetooth only) that is the only > want to ensure integrity and privacy. A narrow cast can use proximity to > establish trust. > > > 2015-02-10 17:55 GMT+01:00 Eric Voskuil : > >> Martin, > >> > >> I like your idea for the commit protocol in that it resolves the > >> vandalous address substitution attack. However, I don't see a way to > >> prevent privacy loss without adverse impact to the scenario. > >> > >> Anyone could perform the handshake and thereby obtain the payment > >> request. Therefore to prevent inadvertent disclosure the customer must > >> visually confirm the "phrase" and then verbally tell the merchant to > >> proceed by sending the payment request. > >> > >> One might argue that it's sufficient to preserve the integrity of the > >> transaction while suffering the privacy loss, especially given that a > >> hijacked handshake should never result in a completed transaction - > >> unless of course the hijacker pays. > >> > >> But imagine someone purchasing their meds. HIPAA requires the checkout > >> queue to form behind a yellow line. That speaks directly to this > question. > >> > >> e > >> > >> On 02/06/2015 01:07 AM, M?rtin H?bo??tiak wrote: > >>> 2015-02-06 2:29 GMT+01:00 Eric Voskuil : > >>>> On 02/05/2015 04:36 PM, Martin Habov?tiak wrote: > >>>>> I believe, we are still talking about transactions of physical > >>>>> people in physical world. So yes, it's proximity based - people > >>>>> tell the words by mouth. :) > >>>> > >>>> Notice from my original comment: > >>>> > >>>>>>>> A MITM can substitute the key. If you don't have verifiable > >>>>>>>> identity associated with the public key (PKI/WoT), you need > >>>>>>>> a shared secret (such as a secret phrase). > >>>> > >>>> I said this could only be accomplished using a shared secret or a > >>>> trusted public key. Exchanging a value that is derived from a pair of > >>>> public keys is a distinction without a difference. The problem remains > >>>> that the parties must have a secure/out-of-band channel for > >>>> communicating this value. > >>>> > >>>> The fact that they are face-to-face establishes this channel, but that > >>>> brings us back to the original problem, as it requires manual > >>>> verification - as in visual/audible scanning of the two values for > >>>> comparison. At that point the visual comparison of the address, or > some > >>>> value derived from it, is simpler. > >>> > >>> I have never been against manual verification. What I'm trying to say > >>> is let's just make manual verification easier and more secure. > >>> Comparison of address is simpler for the coder but also simpler to > >>> attack. It has these problems: > >>> - Addresses broadcasted in plaintext (privacy issue) > >>> - Amounts broadcasted in plaintext (privacy issue) > >>> - Address is long - takes lot of time to verify (user experience issue) > >>> - Address prefix can be brute-forced, if too short or used to make > >>> "black hole" address if longer (vandalism issue) > >>> > >>> Commit protocol can be used for both the encryption and the > >>> authentication while user experience is not bad and everything is > >>> still secure. > >>> > >>>> > >>>>> In case of RedPhone, you read those words verbally over not-yet- > >>>>> verified channel relying on difficulty of spoofing your voice. Also > >>>>> the app remembers the public keys, so you don't need to verify > >>>>> second time. > >>>> > >>>> This is reasonable, but wouldn't help in the case of an ad-hoc > >>>> connection between parties who don't know each other well. > >>>> > >>>>> I suggest you to try RedPhone (called Signal on iPhone) yourself. > >>>>> It's free/open source, Internet-based and end-to-end encrypted. You > >>>>> may find it useful some day. Also I'm willing to help you with > >>>>> trying it after I wake up. (~8 hours: Send me private e-mail if > >>>>> you want to.) > >>>> > >>>> I appreciate the offer. I really don't trust *any* smartphone as a > >>>> platform for secure communication/data. But encrypting on the wire > does > >>>> of course shrink the attack surface and increase the attacker's cost. > >>>> > >>>> e > >>>> > >>>>> D?a 6. febru?ra 2015 1:22:23 CET pou??vate? Eric Voskuil > >>>> nap?sal: > >>>> > >>>>>> On 02/05/2015 04:04 PM, M?rtin H?bo??tiak wrote: > >>>>>>> That's exactly what I though when seeing the RedPhone code, but > after > >>>>>>> I studied the commit protocol I realized it's actually secure and > >>>>>>> convenient way to do it. You should do that too. :) > >>>>> > >>>>>> I was analyzing the model as you described it to me. A formal > analysis > >>>>>> of the security model of a particular implementation, based on > >>>>>> inference > >>>>> >from source code, is a bit beyond what I signed up for. But I'm > >>>>>> perfectly willing to comment on your description of the model if you > >>>>>> are > >>>>>> willing to indulge me. > >>>>> > >>>>>>> Shortly, how it works: > >>>>>>> The initiator of the connection sends commit message containing the > >>>>>>> hash of his temporary public ECDH part, second party sends back > their > >>>>>>> public ECDH part and then initiator sends his public ECDH part in > >>>>>>> open. All three messages are hashed together and the first two > bytes > >>>>>>> are used to select two words from a shared dictionary which are > >>>>>>> displayed on the screen of both the initiator and the second party. > >>>>> > >>>>>>> The parties communicate those two words and verify they match. > >>>>> > >>>>>> How do they compare words if they haven't yet established a secure > >>>>>> channel? > >>>>> > >>>>>>> If an attacker wants to do MITM, he has a chance of choosing right > >>>>>>> public parts 1:65536. There is no way to brute-force it, since that > >>>>>>> would be noticed immediately. If instead of two words based on the > >>>>>>> first two bytes, four words from BIP39 wordlist were chosen, it > would > >>>>>>> provide entropy of 44 bits which I believe should be enough even > for > >>>>>>> paranoid people. > >>>>>>> > >>>>>>> How this would work in Bitcoin payment scenario: user's phone > >>>>>>> broadcasts his name, merchant inputs amount and selects the name > from > >>>>>>> the list, commit message is sent (and then the remaining two > >>>>>>> messages), merchant spells four words he sees on the screen and > buyer > >>>>>>> confirms transaction after verifying that words match. > >>>>> > >>>>>> So the assumption is that there exists a secure (as in > proximity-based) > >>>>>> communication channel? > >>>>> > >>>>>> e > >>>>> > >>>>>>> 2015-02-06 0:46 GMT+01:00 Eric Voskuil : > >>>>>>>> On 02/05/2015 03:36 PM, M?rtin H?bo??tiak wrote: > >>>>>>>>>> A BIP-70 signed payment request in the initial broadcast can > >>>>>> resolve the > >>>>>>>>>> integrity issues, but because of the public nature of the > >>>>>> broadcast > >>>>>>>>>> coupled with strong public identity, the privacy compromise is > >>>>>> much > >>>>>>>>>> worse. Now transactions are cryptographically tainted. > >>>>>>>>>> > >>>>>>>>>> This is also the problem with BIP-70 over the web. TLS and other > >>>>>>>>>> security precautions aside, an interloper on the communication, > >>>>>> desktop, > >>>>>>>>>> datacenter, etc., can capture payment requests and strongly > >>>>>> correlate > >>>>>>>>>> transactions to identities in an automated manner. The payment > >>>>>> request > >>>>>>>>>> must be kept private between the parties, and that's hard to do. > >>>>>>>>> > >>>>>>>>> What about using encryption with forward secrecy? Merchant would > >>>>>>>>> generate signed request containing public ECDH part, buyer would > >>>>>> send > >>>>>>>>> back transaction encrypted with ECDH and his public ECDH part. If > >>>>>>>>> receiving address/amount is meant to be private, use commit > >>>>>> protocol > >>>>>>>>> (see ZRTP/RedPhone) and short authentication phrase (which is > hard > >>>>>> to > >>>>>>>>> spoof thanks to commit protocol - see RedPhone)? > >>>>>>>> > >>>>>>>> Hi Martin, > >>>>>>>> > >>>>>>>> The problem is that you need to verify the ownership of the public > >>>>>> key. > >>>>>>>> A MITM can substitute the key. If you don't have verifiable > identity > >>>>>>>> associated with the public key (PKI/WoT), you need a shared secret > >>>>>> (such > >>>>>>>> as a secret phrase). But the problem is then establishing that > >>>>>> secret > >>>>>>>> over a public channel. > >>>>>>>> > >>>>>>>> You can bootstrap a private session over the untrusted network > using > >>>>>> a > >>>>>>>> trusted public key (PKI/WoT). But the presumption is that you are > >>>>>>>> already doing this over the web (using TLS). That process is > subject > >>>>>> to > >>>>>>>> attack at the CA. WoT is not subject to a CA attack, because it's > >>>>>>>> decentralized. But it's also not sufficiently deployed for some > >>>>>> scenarios. > >>>>>>>> > >>>>>>>> e > >>>>>>>> > >>>>> > >>>>> > >>>> > >> > > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: signature.asc > Type: application/pgp-signature > Size: 473 bytes > Desc: OpenPGP digital signature > > ------------------------------ > > Message: 2 > Date: Wed, 11 Feb 2015 08:54:15 +0000 > From: Hector Chu > Subject: [Bitcoin-development] Proposal: Requiring a miner's signature > in the block header > To: bitcoin-development@lists.sourceforge.net > Message-ID: > < > CAAO2FKEFxC_byt4xVJb0S-7yy0M7M-Av7MHUH-RBDuri_GAFtw@mail.gmail.com> > Content-Type: text/plain; charset="utf-8" > > A proposal for stemming the tide of mining centralisation -- Requiring a > miner's signature in the block header (the whole of which is hashed), and > paying out coinbase to the miner's public key. > > Please comment on whether this idea is feasible, has been thought of > before, > etc., etc. Thank you. > > Motivation > ---------- > > Mining is centralising to a handful of pool operators. This is bad for a > number of political reasons, which we won't go into right now. But I have > always believed that some years down the line, they could hold the users > hostage and change the rules to suit themselves. For instance by > eliminating > the halving of the block reward. > > Solution > -------- > > Currently the block header is formed by the pool operator and distributed > for > hashing by the pooled miners. It is possible to divide the work among the > miners as the only thing that is used to search the hash space is by > changing > a nonce or two. > > I propose that we require each miner to sign the block header prior to > hashing. The signature will be included in the data that is hashed. > Further, > the coinbase for the block must only pay out to the public key counterpart > of > the private key used to sign the block header. > > A valid block will therefore have a signature in the block header that is > verified by the public key being paid by the coinbase transaction. > > Ramifications > ------------- > > Work can no longer be divided among the pooled miners as before, without > sharing the pool's private key amongst all of them. If the pool does try to > take this route, then any of the miners may redeem the coinbase when it > matures. Therefore, all miners will use their own key pair. > > This will make it difficult to form a cooperating pool of miners who may > not > trust each other, as the block rewards will be controlled by disparate > parties > and not by the pool operator. Only a tight clique of trusted miners would > be > able to form their own private pool in such an environment. > > Attacks > ------- > > Pooled hashpower, instead of earning bitcoins legitimately may try to break > the system instead. They may try a double-spending attack, but in order to > leverage the pool to its full potential the pool operator would again have > to > share their private key with the whole pool. Due to the increased > cooperation > and coordination required for an attack, the probability of a 51% attack is > much reduced. > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 3 > Date: Wed, 11 Feb 2015 10:25:27 +0100 > From: Natanael > Subject: Re: [Bitcoin-development] Proposal: Requiring a miner's > signature in the block header > To: Hector Chu > Cc: bitcoin-development@lists.sourceforge.net > Message-ID: > Ref9mN7bJLg-odep3m5teZ7JWDLC+zknQdQQ@mail.gmail.com> > Content-Type: text/plain; charset="utf-8" > > Den 11 feb 2015 09:55 skrev "Hector Chu" : > > > > A proposal for stemming the tide of mining centralisation -- Requiring a > > miner's signature in the block header (the whole of which is hashed), and > > paying out coinbase to the miner's public key. > > > > Please comment on whether this idea is feasible, has been thought of > before, > > etc., etc. Thank you. > > > > Motivation > > ---------- > > > > Mining is centralising to a handful of pool operators. This is bad for a > > number of political reasons, which we won't go into right now. But I have > > always believed that some years down the line, they could hold the users > > hostage and change the rules to suit themselves. For instance by > eliminating > > the halving of the block reward. > > [...] > > > I propose that we require each miner to sign the block header prior to > > hashing. The signature will be included in the data that is hashed. > Further, > > the coinbase for the block must only pay out to the public key > counterpart of > > the private key used to sign the block header. > > [...] > > > This will make it difficult to form a cooperating pool of miners who may > not > > trust each other, as the block rewards will be controlled by disparate > parties > > and not by the pool operator. Only a tight clique of trusted miners would > be > > able to form their own private pool in such an environment. > > People already trust things like cloud mining, so your solution with > increasing technical trust requirements won't help. But you will however > break P2Pool instead. > > Also, note that threshold signatures (group signatures) could probably be > used by an actual distrusting pool's miners. There are already a proof of > concept for this implemented with secp256k1 that works with Bitcoin clients > silently. This wouldn't prevent such a pool from working. > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > > ------------------------------------------------------------------------------ > Dive into the World of Parallel Programming. The Go Parallel Website, > sponsored by Intel and developed in partnership with Slashdot Media, is > your > hub for all things parallel software development, from weekly thought > leadership blogs to news, videos, case studies, tutorials and more. Take a > look and join the conversation now. http://goparallel.sourceforge.net/ > > ------------------------------ > > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development > > > End of Bitcoin-development Digest, Vol 45, Issue 37 > *************************************************** >