sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
thomasan_ has quit [Remote host closed the connection]
ghost43 has quit [Ping timeout: 256 seconds]
ghost43 has joined #bitcoin-wizards
DougieBot5000_ has joined #bitcoin-wizards
DougieBot5000 has quit [Read error: Connection reset by peer]
Cory has quit [Read error: Connection reset by peer]
spinza has quit [Quit: Coyote finally caught up with me...]
rafalcpp has quit [Excess Flood]
rafalcpp has joined #bitcoin-wizards
CubicEarth has quit [Ping timeout: 246 seconds]
DeanGuss has joined #bitcoin-wizards
Belkaar has quit [Ping timeout: 255 seconds]
CubicEarth has joined #bitcoin-wizards
Belkaar has joined #bitcoin-wizards
Belkaar has joined #bitcoin-wizards
Belkaar has quit [Changing host]
Cory has joined #bitcoin-wizards
spinza has joined #bitcoin-wizards
Jackielove4u has quit [Quit: Connection closed for inactivity]
TheoStorm has quit [Ping timeout: 255 seconds]
DougieBot5000_ is now known as DougieBot5000
booyah has quit [Read error: Connection reset by peer]
thomasan_ has quit [Remote host closed the connection]
Aranjedeath has quit [Quit: Three sheets to the wind]
thomasan_ has joined #bitcoin-wizards
thomasan_ has quit [Remote host closed the connection]
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 244 seconds]
pinheadmz has joined #bitcoin-wizards
renlord has quit [Remote host closed the connection]
mryandao has quit [Remote host closed the connection]
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 250 seconds]
booyah has joined #bitcoin-wizards
Jackielove4u has joined #bitcoin-wizards
<NicolasDorier>
is there an easy way to make a hardware wallet auto sign coinjoin transactions? I thought it was easy, but actually because the HW does not have memory and can't know if an input is not his without the keypath, an attacker could just ask to sign a transaction 3 times with 3 inputs owned by the HW but only revealing one of those inputs each time.
ccdle12 has joined #bitcoin-wizards
vtnerd_ has quit [Ping timeout: 250 seconds]
tromp has joined #bitcoin-wizards
<NicolasDorier>
Say you have a transaction where you own all inputs with values (2,4,6) and one output (10) back to you. The attacker can say to the HW you only own input n1, then the wallet would say "cool, I am making money, I agree to sign!". Then the attacker does the same for n2 and n3. The HW would sign all of them.
<NicolasDorier>
now the attacker broadcasts a transaction, but the owner of the wallet actually just lost 2 BTC
<NicolasDorier>
To prevent this, one solution is to encode the sequence of indices that the attacker asks the HW to sign inside the keypath of the output address, and have the HW enforce it.
<NicolasDorier>
Say the attacker asks the HW to sign inputs n1 and n2, the HW would check the output is "1/2". If the attacker then asks to send n3, the HW would check the output is "3".
<NicolasDorier>
Now the attacker would not be able to combine those two signatures into one transaction
<NicolasDorier>
But then we can't easily recover the wallet without remembering all the keypaths of outputs we used (no way to rescan everything)
pinheadmz has quit [Quit: pinheadmz]
_L0ki has joined #bitcoin-wizards
vtnerd has joined #bitcoin-wizards
enemabandit has joined #bitcoin-wizards
<waxwing>
NicolasDorier, i believe instagibbs had thoughts along these lines on the mailing list about a year or two ago, but i will struggle to find it. if he's here perhaps he can comment.
enemabandit has quit [Quit: leaving]
enemabandit has joined #bitcoin-wizards
<NicolasDorier>
ooooh it was instagibbs. Damn, I remembered having this conversation but could not remember who it was with.
ccdle12 has quit [Read error: Connection reset by peer]
ccdle12 has joined #bitcoin-wizards
laptop500 has quit [Ping timeout: 246 seconds]
setpill has joined #bitcoin-wizards
mryandao has joined #bitcoin-wizards
renlord has joined #bitcoin-wizards
renlord has quit [Remote host closed the connection]
mryandao has quit [Remote host closed the connection]
renlord has joined #bitcoin-wizards
mryandao has joined #bitcoin-wizards
ccdle12 has quit [Ping timeout: 245 seconds]
ccdle12 has joined #bitcoin-wizards
mryandao has quit [Remote host closed the connection]
renlord has quit [Remote host closed the connection]
mryandao has joined #bitcoin-wizards
renlord has joined #bitcoin-wizards
laptop500 has joined #bitcoin-wizards
laptop500 has quit [Quit: Leaving]
AaronvanW has joined #bitcoin-wizards
TheoStorm has joined #bitcoin-wizards
ccdle12 has quit [Remote host closed the connection]
enemabandit has quit [Quit: Lost terminal]
enemabandit has joined #bitcoin-wizards
spinza has quit [Quit: Coyote finally caught up with me...]
<waxwing>
ah thanks for link to that thread. very interesting discussion.
harrymm has quit [Ping timeout: 258 seconds]
spinza has joined #bitcoin-wizards
harrymm has joined #bitcoin-wizards
Jeremy_Rand_Talo has quit [Ping timeout: 250 seconds]
hsngrmpf[m] has quit [Ping timeout: 252 seconds]
azdrianz[m] has quit [Ping timeout: 252 seconds]
TheFuzzStone[m] has quit [Ping timeout: 252 seconds]
knuteis[m] has quit [Ping timeout: 250 seconds]
tomtau[m] has quit [Ping timeout: 250 seconds]
devdig[m] has quit [Ping timeout: 252 seconds]
charuto has quit [Ping timeout: 252 seconds]
kewde[m] has quit [Ping timeout: 264 seconds]
catcow has quit [Ping timeout: 268 seconds]
koshii has quit [Ping timeout: 246 seconds]
koshii has joined #bitcoin-wizards
Belkaar has quit [Ping timeout: 255 seconds]
Belkaar has joined #bitcoin-wizards
Belkaar has joined #bitcoin-wizards
Belkaar has quit [Changing host]
TheoStorm has quit [Quit: Leaving]
tromp has quit [Remote host closed the connection]
<waxwing>
instagibbs, wrt https://github.com/trezor/trezor-core/issues/465#issuecomment-480939709 and the following comment by Pavol Rusnak, I don't understand how *either* suggestion could count as a proof of non-ownership. suppose the HW wallet generates such sigs on each input it signs, what's to stop an attacker replacing it with garbage?
<waxwing>
i mean it's pretty clear i haven't understood your mechanism, but i can't figure it out
<waxwing>
oh. it has to be a signature, so it can be verified against the key tied to the utxo. huh, that's interesting.
<waxwing>
yeah i think that works. it's kinda surprising. since the message has fixed format there is no shenanigans to fake it.
Monnik has quit [Remote host closed the connection]
inersha has joined #bitcoin-wizards
inersha has left #bitcoin-wizards [#bitcoin-wizards]
<instagibbs>
waxwing, yeah reads correct.
<instagibbs>
yeah imo the problem itself is really hard to reason about compared to how trivial I think it should be
<instagibbs>
during generation of signature, you need to make sure you control U (host gives derivation path up front), and the amount needs to be verified by the full previous txns, of course
enemabandit has quit [Ping timeout: 255 seconds]
laptop500 has joined #bitcoin-wizards
<achow101>
instagibbs: wouldn't you essentially have to have a script interpreter to know that the proof for a particular input is valid?
<achow101>
otherwise you wouldn't know that the pubkey for the proof for an input actually belongs to that input
<waxwing>
that sounds like a rather good point .. i guess a hardware wallet could restrict this feature to a specific script type? or something?
<achow101>
it also breaks down with weird scripts and/or multisig I think. but those erode your privacy anyways
thomasan_ has joined #bitcoin-wizards
thomasan_ has quit [Remote host closed the connection]
<andytoshi>
miniscript lets you do this with a lot of generality and without a general script interpreter
<andytoshi>
sipa: does writing a C miniscript library designed for hw wallets sound fun to you? ;)
<gmaxwell>
andytoshi: ... that works in 64kb ram + stack.
<achow101>
andytoshi: miniscript doesn't cover p2pkh or p2wpkh though
thomasan_ has joined #bitcoin-wizards
<andytoshi>
ah, yeah, i mean "miniscript embedded in output descriptors"
<sipa>
what is the issue?
<achow101>
sipa: proving that an input for a coinjoin belongs to a hardware wallet
<sipa>
proving to whom?
<achow101>
proving to the hardware device
<sipa>
to another hardware device?
<andytoshi>
(full descriptor+miniscript support is probably overkill here .. but it would give us a clean/general way to extract public keys from a script)
<gmaxwell>
instagibbs: another way to let the hw wallet work, I think would be to have some input/output correspondence map committed to by something signed in the txn, and revealed to the hardware wallet.
<andytoshi>
the goal is to assure the hw device of which outputs it owns, and which outputs it doesn't own (though it doesn't care who owns it beyond "me/not me")
<achow101>
sipa: the issue is that a malicious coinjoin creator can lie to a hardware wallet that some inputs do not belong to the device even though they actually do
<achow101>
the goal is to prove that inputs do or do not belong to the device
tromp has quit [Remote host closed the connection]
<gmaxwell>
I think it's better to prove that any input being signed for is paid back to the device, in a way that prevents double dipping.
<gmaxwell>
so for example if every output was a p2c privately committing to its input.
thomasan_ has quit [Remote host closed the connection]
tromp has joined #bitcoin-wizards
nothingmuch has joined #bitcoin-wizards
thomasan_ has joined #bitcoin-wizards
thomasan_ has quit [Remote host closed the connection]
elichai2 has joined #bitcoin-wizards
DeanGuss has quit [Ping timeout: 256 seconds]
tromp has quit [Remote host closed the connection]
jeremyrubin has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 250 seconds]
cfields_ has quit [Quit: cfields_]
cfields has joined #bitcoin-wizards
<instagibbs>
achow101, non-single-key addresses are left as an exercise, especially considering this mode would require multiple hosts plugged in for a multisig or something...
<achow101>
instagibbs: well it could be something that goes from a multisig to a single key after some time has passed. that's still a single signer and your scheme would still work, it's just a bit harder to verify that the pubkey attached to the proof is correct
<instagibbs>
eh sure, exercise to reader
<instagibbs>
gmaxwell, ah yeah that's related to something I was pontificating on, you could also commit to arbitrary signing policies
<instagibbs>
like "I'll elide change output if the prevouts all come from same paired xpub set"
<instagibbs>
(ledger for example makes no assumption, only assumes for single-key destinations it has derivation path for)
<waxwing>
it might be worth elucidating more carefully the exact security model/threat model we're trying to address here, since it seems we're talking about a significantly different usage model of a hardware wallet.
<waxwing>
usually after all it pays stuff out. then in some coinjoin scenario it might be required not to pay out (lose money), or it might be required to only pay out "a thing" (like in that thread they talked about a wasabi fee and a bitcoin tx fee, which can be another can of worms)
<waxwing>
one could even imagine using such a thing to do coinswaps (sign N different transactions all-or-nothing based on an assessment of total balance change) ... i guess with LN you can't say something similar, but i'm really not sure.
<waxwing>
for coinswaps also read coinjoinxt ideas (sets of connected txs instead of disconnected)
<gmaxwell>
Goal: hardware wallet should be willing to sign transactions that don't make any coins inaccessible to it, but merely shuffle it around. But cannot sign things (without auth) that take coins away.
<gmaxwell>
waxwing: swaps are a little harder because you can lose funds just by timing out.
<waxwing>
yeah cancel all that stuff. that's a bit of a mess.
<waxwing>
i think 'don't take coins away' is a bit too simple though, it seems that "don't pay more than X" is the goal (at least as some people are thinking about it), whether network fees or coinjoin fees.
<gmaxwell>
right, perhaps a dumber and more general way to address it is if the HWW just had a velocity limit.
<gmaxwell>
that could be run without human interaction.
<gmaxwell>
and just keep your join traffic below that.
<gmaxwell>
or even more snazzy, let deposits credit against that limit
<instagibbs>
you also have to do some reasoning about wallet utxo sizes
<waxwing>
instagibbs, "sizes" here being btc amounts or bytes?
<waxwing>
so it seems like the thinking is, we ask for automated signing, we assume the host can be 100% compromised, so may be doing its best to siphon funds, and simplest case we have the HW wallet insist on not paying anything, or relax it with a fee setting (which ofc would not be automated, so 2FA or some such). sorry for blethering i just want to be sure i know what the goal is.
laptop_ has joined #bitcoin-wizards
laptop500 has quit [Ping timeout: 268 seconds]
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 252 seconds]
Guyver2 has quit [Quit: Going offline, see ya! (www.adiirc.com)]
thomasan_ has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
DeanGuss has joined #bitcoin-wizards
thomasan_ has quit [Remote host closed the connection]
thomasanderson has joined #bitcoin-wizards
son0p has joined #bitcoin-wizards
thomasanderson has quit [Remote host closed the connection]
thomasanderson has joined #bitcoin-wizards
laptop_ has quit [Quit: Leaving]
DeanGuss has quit [Remote host closed the connection]
DeanGuss has joined #bitcoin-wizards
spinza has quit [Quit: Coyote finally caught up with me...]
DeanGuss has quit [Ping timeout: 256 seconds]
Logicwax has quit [Read error: Connection reset by peer]
Logicwax has joined #bitcoin-wizards
Zenton has quit [Ping timeout: 246 seconds]
TheoStorm has quit [Ping timeout: 240 seconds]
tromp has quit [Remote host closed the connection]
thomasanderson has quit [Remote host closed the connection]