Topic: A -failed- solution to a collusion flaw in Deterministic Wallets (Read 1618 times)

If you don't have an IRC client:

https://webchat.freenode.net/

for your client, if you have one, it's irc.freenode.net

join #bitcoin-dev

I'm curious. I've never used the IRC where this was discussed. Is there a reference I can refer to to get on there.

dabura667, I'm not sure exactly what you're proposing, but adding extra nonces (e.g. these Rn's) will only get you so far. If you have N secret values which are combined linearly to produce keys, then N linearly independent equations (i.e. collusion by N parties) will be able to solve for them all. So your collusion resistance is only linear in your system complexity :/.

Yeah, at which point... it would be better just to give the Auditor a list of the pubkeys for each department and not just the master pubkey.

it's a rough problem...

You're right. r0 and r1 aren't truly independent random variables.

You would need a separate r for sub key at each level.
Something like r_n = H(n,a,1) instead of r=H(a)
Then pass a separate R_n for each sub key to the auditor.      Ugh


_{never mind}

Wait. If you know the equations for 2 different n, you now have _three_ unknowns: "a", r0, and r1. You still can't solve for "a".  You know Rn but not rn for different n's.

From IRC:


So your method would effectively lower the risk from "One Master Public Key and one derived private key" to "One Master Public Key and two derived private keys"

18:28:54 xn = sn*a + tn*r
18:29:14 Xn = sn*A + tn*R
18:31:10 if you know sn and tn and xn for 2 different n, you can solve it
18:31:43 as you now have 2 equations with 2 unknowns (a and r)
18:32:17 and given A and R you can compute sn and tn for any n
18:33:56 so give me A and R and xn1 and xn2, and i can find a and r

The idea is that if you give the auditor the watch only wallet, he could conspire with one of the holders of the private keys below it to create the master private key and run away with all the money.

M = master public key
m = master private key

m/ = CEO holds it

M/ = Auditor holds it. With it, they can view all company funds, but not spend.

m/m₁ = Department A head holds it, and can generate further chains with it.
m/m₂ = Department B head holds it, and can generate further chains with it.
m/m₃ = Department C head holds it, and can generate further chains with it.

combining M/ with m/m_x would give me m/ ... so an auditor would have to conspire with one corrupt department head to run away with the company's entire finances.


With the solution provided says that the CEO would make

m₁/
m₂/
m₃/

Then

Dept A:
m₁/m₁
m₂/m₁
m₃/m₁

Dept B:
m₁/m₂
m₂/m₂
m₃/m₂

Dept C:
m₁/m₃
m₂/m₃
m₃/m₃

Each dept using the three public keys generated by those chains to generate deterministic 2of3 chains.

The Auditor would ONLY receive:

M₁/

Then they could check the blockchain for redeemscripts that included
M₁/M₁
M₁/M₂
M₁/M₃

Then they would know how much money each department SPENT without being able to collude to get 2 private keys.

Downside: They could only find SPENT funds, as the redeemscript is only revealed on the blockchain when funds are spent from the multi-sig address.

imo, the best way to do an audit for business would be to use a dual-key Stealth Address, and give the scan_privkey to the auditor... but this is a topic slightly unrelated to BIP32.

You could set up so your company's stealth addresses are generate on a per-department basis, but that all scan_keypairs are generated by a separate BIP32 chain.

Give that master private key to the auditor, as that keypair is only used to generate shared secrets to discover funds, not to spend it.