Hi Pavol, On Thu, Feb 11, 2021 at 5:25 AM Pavol Rusnak wrote: > > ENCRYPTION_KEY = SHA256(SHA256(TOKEN)) > > This scheme might be vulnerable to rainbow table attack. > Thank you for pointing this out! Incidentally, Dmitry Petukhov also told me the same privately. > > The following scheme might be more secure: > > DESCRIPTION = ASCII description provided by user > NONCE = 256-bit random number > ENCRYPTION_KEY = hmac-sha256(key=NONCE, msg=DESCRIPTION) > > Coordinator distributes DESCRIPTION (fka TOKEN) together with NONCE to > the signers. > This does seem to add a lot more entropy. The challenge is to balance the security requirement with UX. In the absence of some handshake protocol to exchange the shared secrets (DESCRIPTION / NONCE) , the user will have to enter these manually on the devices. I'll think about this some more. > > Also, is there any reason why you'd want to disable encryption? Why not > keep that as mandatory? > Making it mandatory would be nice, but IMHO not all use cases might require encryption. For example, if you are setting up the multisig locally under a safe environment you control, encryption might be an overkill. Best, Hugo > > > On Tue, 9 Feb 2021 at 12:39, Hugo Nguyen via bitcoin-dev < > bitcoin-dev@lists.linuxfoundation.org> wrote: > >> >> >> On Tue, Feb 9, 2021 at 2:19 AM Christopher Allen < >> ChristopherA@lifewithalacrity.com> wrote: >> >>> >>> >>> On Tue, Feb 9, 2021 at 2:06 AM Hugo Nguyen wrote: >>> >>>> >>>> I don't think reusing XPUBs inside different multisig wallets is a good >>>> idea... For starters, loss of privacy in one wallet will immediately affect >>>> privacy of other wallets. I think multisig wallets should be completely >>>> firewalled from each other. That means one unique XPUB per wallet. This is >>>> what we have been doing with the Nunchuk wallet. >>>> >>> >>> To be clear, I have stated repeatedly that xpub reuse into multisig is a >>> poor practice. However, finding a trustless solution when a wallet is >>> airgapped with no network, or is stateless like Trezor, is quite hard. >>> >>> The challenge also includes how does an airgapped or stateless wallet >>> know that it is talking to the same process on the other side that that it >>> gave the xpub to in the first place. Without state to allow for a >>> commitment, or at least a TOFU, a cosigner who thought he was part of a 3 >>> of 5 could discover that he instead is in a 2 of 3, or in a script with an >>> OR, as some form of scam. >>> >> >> The shared secret approach that I mentioned in the proposal actually can >> help you here. The TOKEN doubles as a session ID - thereby establishing a >> common state on both sides. >> >> Best, >> Hugo >> >> >>> >>> — Christopher Allen >>> >>>> _______________________________________________ >> bitcoin-dev mailing list >> bitcoin-dev@lists.linuxfoundation.org >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >> > > > -- > Best Regards / S pozdravom, > > Pavol "stick" Rusnak > CTO, SatoshiLabs > >