Hi Pavol,

On Thu, Feb 11, 2021 at 5:25 AM Pavol Rusnak <stick@satoshilabs.com> wrote:
> ENCRYPTION_KEY = SHA256(SHA256(TOKEN))
>
> This scheme might be vulnerable to rainbow table attack.

Thank you for pointing this out! Incidentally, Dmitry Petukhov also told me the same privately.

> The following scheme might be more secure:
>
> DESCRIPTION = ASCII description provided by user
> NONCE = 256-bit random number
> ENCRYPTION_KEY = hmac-sha256(key=NONCE, msg=DESCRIPTION)
>
> Coordinator distributes DESCRIPTION (fka TOKEN) together with NONCE to the signers.

This does seem to add a lot more entropy. The challenge is to balance the security requirement with UX. In the absence of some handshake protocol to exchange the shared secrets (DESCRIPTION / NONCE), the user will have to enter these manually on the devices. I'll think about this some more.

> Also, is there any reason why you'd want to disable encryption? Why not keep that as mandatory?

Making it mandatory would be nice, but IMHO not all use cases might require encryption. For example, if you are setting up the multisig locally under a safe environment you control, encryption might be overkill.

Best,
Hugo

> On Tue, 9 Feb 2021 at 12:39, Hugo Nguyen via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> On Tue, Feb 9, 2021 at 2:19 AM Christopher Allen <ChristopherA@lifewithalacrity.com> wrote:
>>
>>> On Tue, Feb 9, 2021 at 2:06 AM Hugo Nguyen <hugo@nunchuk.io> wrote:
>>>
>>>> I don't think reusing XPUBs inside different multisig wallets is a good idea... For starters, loss of privacy in one wallet will immediately affect privacy of other wallets. I think multisig wallets should be completely firewalled from each other. That means one unique XPUB per wallet. This is what we have been doing with the Nunchuk wallet.
>>>
>>> To be clear, I have stated repeatedly that xpub reuse into multisig is a poor practice. However, finding a trustless solution when a wallet is airgapped with no network, or is stateless like Trezor, is quite hard.
>>>
>>> The challenge also includes how does an airgapped or stateless wallet know that it is talking to the same process on the other side that it gave the xpub to in the first place. Without state to allow for a commitment, or at least a TOFU, a cosigner who thought he was part of a 3 of 5 could discover that he instead is in a 2 of 3, or in a script with an OR, as some form of scam.
>>
>> The shared secret approach that I mentioned in the proposal actually can help you here. The TOKEN doubles as a session ID - thereby establishing a common state on both sides.
>>
>> Best,
>> Hugo
>>
>>> — Christopher Allen
>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
> --
> Best Regards / S pozdravom,
>
> Pavol "stick" Rusnak
> CTO, SatoshiLabs
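An added illustration of the two derivations quoted in this thread (example code written for this page; it is not code from the proposal, from Nunchuk, or from SatoshiLabs). It implements ENCRYPTION_KEY = SHA256(SHA256(TOKEN)) and ENCRYPTION_KEY = HMAC-SHA256(key=NONCE, msg=DESCRIPTION) with the standard library, then runs the precomputation attack Pavol alludes to against both. The candidate token list is constructed for the demo; the function names are this example's own.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def legacy_key(token: str) -> bytes:
    """ENCRYPTION_KEY = SHA256(SHA256(TOKEN)), the scheme Pavol flagged.

    TOKEN is the only input, so the TOKEN -> key mapping is identical for
    every wallet and can be tabulated once, offline, ahead of time.
    """
    return hashlib.sha256(hashlib.sha256(token.encode("ascii")).digest()).digest()


def proposed_key(description: str, nonce: bytes) -> bytes:
    """ENCRYPTION_KEY = HMAC-SHA256(key=NONCE, msg=DESCRIPTION).

    NONCE is 256 bits of fresh randomness chosen by the coordinator and
    handed to the signers together with DESCRIPTION. A table built without
    it is empty, and a table built for one NONCE covers only that wallet.
    """
    if len(nonce) != 32:
        raise ValueError("NONCE must be 256 bits (32 bytes)")
    return hmac.new(nonce, description.encode("ascii"), hashlib.sha256).digest()


def new_nonce() -> bytes:
    """Coordinator side: draw NONCE from the OS CSPRNG."""
    return secrets.token_bytes(32)


# Constructed attacker dictionary: short, guessable strings a user might
# type as TOKEN / DESCRIPTION. Not taken from any real wallet.
CANDIDATE_TOKENS = ["test", "multisig", "wallet1", "my-2-of-3", "nunchuk", "vault"]


def precompute_legacy_table(candidates) -> dict:
    """Attacker's offline step against the legacy scheme: key -> TOKEN.

    Built once and reused against every wallet that used a listed token.
    """
    return {legacy_key(t): t for t in candidates}


def recover_legacy_token(table: dict, observed_key: bytes):
    """Online step: one dictionary lookup per captured key."""
    return table.get(observed_key)


def precompute_proposed_table(candidates, nonce: Optional[bytes] = None) -> dict:
    """The same attack against the HMAC scheme.

    With no NONCE there is nothing to tabulate (empty table). With a NONCE
    the table only matches wallets that used that exact NONCE, so a leaked
    NONCE plus a guessable DESCRIPTION is still a per-wallet dictionary attack.
    """
    if nonce is None:
        return {}
    return {proposed_key(d, nonce): d for d in candidates}


def demo() -> dict:
    """Run both attacks and report what each one recovers."""
    table = precompute_legacy_table(CANDIDATE_TOKENS)
    victim_key = legacy_key("my-2-of-3")  # what a wallet on the legacy scheme derives

    n1, n2 = new_nonce(), new_nonce()
    k1 = proposed_key("my-2-of-3", n1)  # what a wallet on the HMAC scheme derives

    return {
        "legacy_recovered": recover_legacy_token(table, victim_key),
        "proposed_without_nonce": precompute_proposed_table(CANDIDATE_TOKENS).get(k1),
        "proposed_other_nonce": precompute_proposed_table(CANDIDATE_TOKENS, n2).get(k1),
        "proposed_same_nonce": precompute_proposed_table(CANDIDATE_TOKENS, n1).get(k1),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` recovers "my-2-of-3" from the legacy key with a single lookup, gets nothing against the HMAC scheme without the NONCE or with a different one, and recovers it again when the attacker holds the exact NONCE. That last case is the practical caveat: the 256 random bits are what carry the secrecy, so the channel the coordinator uses to hand NONCE to the signers matters as much as the derivation itself.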