Author

Topic: A -failed- solution to a collusion flaw in Deterministic Wallets (Read 1625 times)

ffe
sr. member
Activity: 308
Merit: 250
I'm curious. I've never used the IRC where this was discussed. Is there a reference I can refer to to get on there.

If you don't have an IRC client:

https://webchat.freenode.net/

for your client, if you have one, it's irc.freenode.net

join #bitcoin-dev

Thanks dabura
sr. member
Activity: 475
Merit: 252
I'm curious. I've never used the IRC where this was discussed. Is there a reference I can refer to to get on there.

If you don't have an IRC client:

https://webchat.freenode.net/

for your client, if you have one, it's irc.freenode.net

join #bitcoin-dev
sr. member
Activity: 475
Merit: 252
dabura667, I'm not sure exactly what you're proposing, but adding extra nonces (e.g. these Rn's) will only get you so far. If you have N secret values which are combined linearly to produce keys, then N linearly independent equations (i.e. collusion by N parties) will be able to solve for them all. So your collusion resistance is only linear in your system complexity :/.

I'm not proposing anything. ffe's post spoke of adding more complexity, not mine.
full member
Activity: 179
Merit: 151
-
You can mitigate this somewhat by use of hardened keys (which cannot be derived except by the holder of the private key). These cannot be derived publically, but still have the simplified key management of HD wallets. So if you only derive hardened keys from your master keys, and provide each of the derived keys to auditors, you can limit the damage caused by a single collusion attack (at the expense of needing to give more info to auditors).

dabura667, I'm not sure exactly what you're proposing, but adding extra nonces (e.g. these Rn's) will only get you so far. If you have N secret values which are combined linearly to produce keys, then N linearly independent equations (i.e. collusion by N parties) will be able to solve for them all. So your collusion resistance is only linear in your system complexity :/.

Edit: Ah, ffe beat me to the punch on that last point.
ffe
sr. member
Activity: 308
Merit: 250
You're right. r0 and r1 aren't truly independent random variables.

You would need a separate r for sub key at each level.
Something like rn = H(n,a,1) instead of r=H(a)
Then pass a separate Rn for each sub key to the auditor.      Ugh


never mind

Yeah, at which point... it would be better just to give the Auditor a list of the pubkeys for each department and not just the master pubkey.

it's a rough problem...

No. not quite that bad. You could protect from up to m-collusions by utilizing ri for i from 1 to m and using the equation

                 xn = (sn)a + rn1 + ... + rnm

to protect "a".  Each rni would be calculated from tni and ri

          tni = H(n,Ri)
          rni = (ri)(tni)

The auditor would need R1 thru Rm for his work but he would have to find  m  colluding managers to solve for "a".

With an "m" near 3 or 5 it would be practical I suppose.

sr. member
Activity: 475
Merit: 252
You're right. r0 and r1 aren't truly independent random variables.

You would need a separate r for sub key at each level.
Something like rn = H(n,a,1) instead of r=H(a)
Then pass a separate Rn for each sub key to the auditor.      Ugh


never mind

Yeah, at which point... it would be better just to give the Auditor a list of the pubkeys for each department and not just the master pubkey.

it's a rough problem...
ffe
sr. member
Activity: 308
Merit: 250
You're right. r0 and r1 aren't truly independent random variables.

You would need a separate r for sub key at each level.
Something like rn = H(n,a,1) instead of r=H(a)
Then pass a separate Rn for each sub key to the auditor.      Ugh


never mind
sr. member
Activity: 475
Merit: 252
Wait. If you know the equations for 2 different n, you now have _three_ unknowns: "a", r0, and r1. You still can't solve for "a".  You know Rn but not rn for different n's.

ok, let's say we know x0 and x1 (two derived private keys).... and we know A and R.

to generate s0 and s1 we just take H(0,A) and H(1,A)
to generate t0 and t1 we just take H(0,R) and H(1,R)

now we have x0, x1, s0, s1, t0, t1, A, R

since Rn = tn*R, we can replace it as such:
(Q is the generator point)

x0*Q = s0*a*Q + t0*r*Q
x1*Q = s1*a*Q + t1*r*Q

Remove the points to get:

x0 = s0*a + t0*r
x1 = s1*a + t1*r

a = (x0 - t0*r)/s0
a = (x1 - t1*r)/s1

0 = s1x0 - s1t0*r - s0x1 + s0t1*r
s0x1 - s1x0 = r(s0t1 - s1t0)

r = (s0x1 - s1x0)/(s0t1 - s1t0) (Note: this division should be inverse modulo operation against the order of the curve)

then plug in r to solve easily for a

simple add/sub/mult/div of normal numbers (mod order of the curve) will find you both a and r.

the only unknowns in the two equations are a and r. all other are known.

Remember, the index information in "n" is ONLY contained in tn. so when you say r0 and r1, you are actually saying t0*r and t1*r... which all tn can be derived from the pubkey for R.
ffe
sr. member
Activity: 308
Merit: 250
I'm curious. I've never used the IRC where this was discussed. Is there a reference I can refer to to get on there.
ffe
sr. member
Activity: 308
Merit: 250
From IRC:

Quote
18:28:54 xn = sn*a + tn*r
18:29:14 Xn = sn*A + tn*R
18:31:10 if you know sn and tn and xn for 2 different n, you can solve it
18:31:43 as you now have 2 equations with 2 unknowns (a and r)
18:32:17 and given A and R you can compute sn and tn for any n
18:33:56 so give me A and R and xn1 and xn2, and i can find a and r

So your method would effectively lower the risk from "One Master Public Key and one derived private key" to "One Master Public Key and two derived private keys"

Wait. If you know the equations for 2 different n, you now have _three_ unknowns: "a", r0, and r1. You still can't solve for "a".  You know Rn but not rn for different n's.

I chose the form xn = sn*a + rn carefully to match how Schnorr's signature algorithm for elliptic curves protects the secret key. If this doesn't protect "a" then Schnorr's algorithm is in trouble.
sr. member
Activity: 475
Merit: 252
From IRC:

Quote
18:28:54 xn = sn*a + tn*r
18:29:14 Xn = sn*A + tn*R
18:31:10 if you know sn and tn and xn for 2 different n, you can solve it
18:31:43 as you now have 2 equations with 2 unknowns (a and r)
18:32:17 and given A and R you can compute sn and tn for any n
18:33:56 so give me A and R and xn1 and xn2, and i can find a and r

So your method would effectively lower the risk from "One Master Public Key and one derived private key" to "One Master Public Key and two derived private keys"
sr. member
Activity: 475
Merit: 252
Edit #2: check the second reply in the next post.

Sounds good so far.

Question:

How would the owner of xn (private key) be able to derive a private key in the depth below him in such a way that the owner of "a" would be able to redeem the funds?

Edit: I think I got it.

we could store the compressed pubkey of R in addition to the chain code and A...

Then when you derive the pubkey Xn, you would store the chain code, Xn, and Rn. This would continue down the chain.

This is very interesting... and would remove the need for hardened keys. (although I'm sure someone will still find a use case for them.)
ffe
sr. member
Activity: 308
Merit: 250
edit  Fails as it doesn't adequately protect the secret master key from two collusions. See the comments.



http://bitcoinmagazine.com/8396/deterministic-wallets-advantages-flaw/

As described in the article above (go down to the section “An Understated Problem”), deterministic wallets have a flaw with a solution best described in the following quote:


The idea is that if you give the auditor the watch only wallet, he could conspire with one of the holders of the private keys below it to create the master private key and run away with all the money.

M = master public key
m = master private key

m/ = CEO holds it

M/ = Auditor holds it. With it, they can view all company funds, but not spend.

m/m1 = Department A head holds it, and can generate further chains with it.
m/m2 = Department B head holds it, and can generate further chains with it.
m/m3 = Department C head holds it, and can generate further chains with it.

combining M/ with m/mx would give me m/ ... so an auditor would have to conspire with one corrupt department head to run away with the company's entire finances.


With the solution provided says that the CEO would make

m1/
m2/
m3/

Then

Dept A:
m1/m1
m2/m1
m3/m1

Dept B:
m1/m2
m2/m2
m3/m2

Dept C:
m1/m3
m2/m3
m3/m3

Each dept using the three public keys generated by those chains to generate deterministic 2of3 chains.

The Auditor would ONLY receive:

M1/

Then they could check the blockchain for redeemscripts that included
M1/M1
M1/M2
M1/M3

Then they would know how much money each department SPENT without being able to collude to get 2 private keys.

Downside: They could only find SPENT funds, as the redeemscript is only revealed on the blockchain when funds are spent from the multi-sig address.

imo, the best way to do an audit for business would be to use a dual-key Stealth Address, and give the scan_privkey to the auditor... but this is a topic slightly unrelated to BIP32.

You could set up so your company's stealth addresses are generate on a per-department basis, but that all scan_keypairs are generated by a separate BIP32 chain.

Give that master private key to the auditor, as that keypair is only used to generate shared secrets to discover funds, not to spend it.

I think I have a solution that doesn’t depend on 2 of 3 keys as described above.

The owner of the Master Private Key (call it “a”) generates another secret from that (call it “r”) where r = H(a), a hash of “a”.

He passes the public sides, A = [a]Q and R = [r]Q, to the auditor and combined, they become the Master Public Key.

The owner generates the “n”th private key as follows:

   sn = H(n,A)
   tn = H(n,R)

   rn = (r)(tn)    the product of the two private parts modulo a large prime. Note, this remains secret to the owner by virtue of keeping “r” private.

   xn = (sn)a + (rn)    where xn becomes the “n”th private key.

The idea is that “rn” will not be known to the auditor or to the holder of “xn” as we will see in a second. It therefore “covers” the Master Private Key in case of collusion between the auditor and the holder of “xn”.

The Auditor:

The auditor knows A, R, and n  (Furthermore, he knows “xn” for any and all “n” due to collusion.)

He can generate the “n”th public key as follows:

   sn = H(n,A)
   tn = H(n,R)

   Rn = [tn]R    the public part of the private “rn” which he doesn’t know since he doesn’t know “r”.

   Xn = [sn]A + Rn    where Xn is the public side of “xn”, the “n”th private key.

Knowing “xn” does not give him “a” since “a” is protected by the unknown “rn” in the equation     xn = (sn)a + (rn)


edit  Fails as it doesn't adequately protect the secret master key from two collusions. See the comments.
Jump to: