Re: [bitcoin-dev] Proposal: Bitcoin Secure Multisig Setup
After off-list discussion with Hugo, I'm convinced that adding a requirement for signers to derive participant ids is unnecessary complication that only buys slight convenience for coordinator, and this is not a net positive tradeoff. And since the coordinator can choose to generate unique TOKEN per participant without participants even knowing about this, there's probably no reason to mention this possibility in the spec, either. В Sun, 14 Feb 2021 11:37:52 +0100 Dmitry Petukhov wrote: > I think that it is better to issue individual TOKEN for each > participant. Otherwise it will be possible for one participant to > attack another (intercept and replace their xpub sent to the > coordinator). > > It will also be convenient to have a public 'participant id', derived > from the token. It can be derived from the same token, but with > different (but fixed) `Pwd`. With unique token per participant, such > derivation will uniquely identify each participant, so the coordinator > won't need to try all the tokens to decrypt the data. > > It will also be easier to deal with more elaborate setups where the > position of the xpub in the descriptor does matter - for example, with > miniscript-extended descriptors. With a descriptor template such as > > `wsh(or(multi(2, , , ), older(1000, ))` > > The coordinator will be able to store the map between the participant > labels (Alice, Bob, Carol, Dylan) and their participant ids (and the > TOKENs). When the data from Alice comes with participant id attached, > the coordinator will immediately know which TOKEN to use, and which > place in the descriptor the xpub should be put in. > > Of course this is all possible without 'participant id' derived from > token, as long as there's unique TOKEN per participant - the > coordinator can always try all the tokens to decrypt the data from > participant. But implementors will likely invent their own ways to > introduce 'participant id' anyway, as this is more convenient, and it > might make sense to have this standardized, for interoperability. > > В Fri, 12 Feb 2021 09:54:57 -0800 > Hugo Nguyen wrote: > > > On Fri, Feb 12, 2021 at 9:36 AM Dmitry Petukhov > > wrote: > > > > > If HUMAN_READABLE_TITLE is the additional secret, the user would > > > need to enter it on the device in addition to the nonce, wouldn't > > > it defeat the advantage in UX that was gained by using > > > (relatively) short nonce ? > > > > > > Is 64 bit nonce not enough ? > > > > > > > > Good question. If we don't need the extra entropy, we can fix > > the HUMAN_READABLE_TITLE string. > > > > Something like "No SPOF". (No Single Point Of Failure). > > > > > > > > > It seems that to crack this with fixed Pwd and 64 bit nonce, the > > > attacker will need to be about 10^15 more powerful than 80Mhz MCU: > > > (2^64)/(0.3*10^15)/3600 = 17 hours. I don't know if 10^15 is > > > realistic scale. Average desktop cpu seems to be about 10^3 more > > > powerful than the mentioned MCU for this task. > > > > > > Maybe for the UX it would be better to choose the number of rounds > > > to use in PBKDF2, instead of using variable Pwd. Number of rounds > > > will be easier to enter on the device (or just choose it from a > > > set of pre-defined values). The more money is at stake, the higher > > > number of rounds could the coordinator choose (taking into account > > > the characteristics of the participant devices) > > > > > > > > Or simply allow bigger entropy (more than 6 mnemonic words), if > > > the coordinator feels that 64 bit of entropy is not enough. > > > > > > That could work. Allowing variable iteration count is probably > > better UX-wise. > > > > Best, > > Hugo > > > > > > > > > > В Fri, 12 Feb 2021 08:55:55 -0800 > > > Hugo Nguyen wrote: > > > > > > > Thanks everyone who has provided inputs so far! > > > > > > > > This is the new proposal for the encryption aspect of the > > > > scheme, based on all the feedback. > > > > > > > > The key derivation function would be PBKDF2, with PRF = SHA512. > > > > This should be readily available on today's hardware already, as > > > > they are used for BIP39. > > > > > > > > DK = PBKDF2(PRF, Password, Salt, c, dkLen) > > > > PRF = SHA512 > > > > Pwd = HUMAN_READABLE_TITLE > > > > Salt = NONCE > > > > c = 2048 > > > > dkLen = 256 > > > > > > > > HUMAN_READABLE_TITLE is in ASCII format, minimum length = 8, > > > > maximum length = 20. > > > > NONCE is a 64-bit number. > > > > > > > > Reason for going with SHA512 is due to legacy support on some > > > > hardware. c=2048 also mimics BIP39. It takes about ~3 seconds to > > > > derive the encryption key on a 80Mhz MCU. We feel like this is a > > > > good enough tradeoff for this use case. The assumption here is > > > > that the secure session is only needed temporarily for a few > > > > hours, maybe up to one day. > > > > > > > > The Coordinator and Signers agree and exchange these 2 secrets > > > > prior to the setup. The NONCE
Re: [bitcoin-dev] Proposal: Bitcoin Secure Multisig Setup
I think that it is better to issue individual TOKEN for each participant. Otherwise it will be possible for one participant to attack another (intercept and replace their xpub sent to the coordinator). It will also be convenient to have a public 'participant id', derived from the token. It can be derived from the same token, but with different (but fixed) `Pwd`. With unique token per participant, such derivation will uniquely identify each participant, so the coordinator won't need to try all the tokens to decrypt the data. It will also be easier to deal with more elaborate setups where the position of the xpub in the descriptor does matter - for example, with miniscript-extended descriptors. With a descriptor template such as `wsh(or(multi(2, , , ), older(1000, ))` The coordinator will be able to store the map between the participant labels (Alice, Bob, Carol, Dylan) and their participant ids (and the TOKENs). When the data from Alice comes with participant id attached, the coordinator will immediately know which TOKEN to use, and which place in the descriptor the xpub should be put in. Of course this is all possible without 'participant id' derived from token, as long as there's unique TOKEN per participant - the coordinator can always try all the tokens to decrypt the data from participant. But implementors will likely invent their own ways to introduce 'participant id' anyway, as this is more convenient, and it might make sense to have this standardized, for interoperability. В Fri, 12 Feb 2021 09:54:57 -0800 Hugo Nguyen wrote: > On Fri, Feb 12, 2021 at 9:36 AM Dmitry Petukhov > wrote: > > > If HUMAN_READABLE_TITLE is the additional secret, the user would > > need to enter it on the device in addition to the nonce, wouldn't > > it defeat the advantage in UX that was gained by using (relatively) > > short nonce ? > > > > Is 64 bit nonce not enough ? > > > > > Good question. If we don't need the extra entropy, we can fix > the HUMAN_READABLE_TITLE string. > > Something like "No SPOF". (No Single Point Of Failure). > > > > > It seems that to crack this with fixed Pwd and 64 bit nonce, the > > attacker will need to be about 10^15 more powerful than 80Mhz MCU: > > (2^64)/(0.3*10^15)/3600 = 17 hours. I don't know if 10^15 is > > realistic scale. Average desktop cpu seems to be about 10^3 more > > powerful than the mentioned MCU for this task. > > > > Maybe for the UX it would be better to choose the number of rounds > > to use in PBKDF2, instead of using variable Pwd. Number of rounds > > will be easier to enter on the device (or just choose it from a set > > of pre-defined values). The more money is at stake, the higher > > number of rounds could the coordinator choose (taking into account > > the characteristics of the participant devices) > > > > > Or simply allow bigger entropy (more than 6 mnemonic words), if > > the coordinator feels that 64 bit of entropy is not enough. > > > That could work. Allowing variable iteration count is probably better > UX-wise. > > Best, > Hugo > > > > > > В Fri, 12 Feb 2021 08:55:55 -0800 > > Hugo Nguyen wrote: > > > > > Thanks everyone who has provided inputs so far! > > > > > > This is the new proposal for the encryption aspect of the scheme, > > > based on all the feedback. > > > > > > The key derivation function would be PBKDF2, with PRF = SHA512. > > > This should be readily available on today's hardware already, as > > > they are used for BIP39. > > > > > > DK = PBKDF2(PRF, Password, Salt, c, dkLen) > > > PRF = SHA512 > > > Pwd = HUMAN_READABLE_TITLE > > > Salt = NONCE > > > c = 2048 > > > dkLen = 256 > > > > > > HUMAN_READABLE_TITLE is in ASCII format, minimum length = 8, > > > maximum length = 20. > > > NONCE is a 64-bit number. > > > > > > Reason for going with SHA512 is due to legacy support on some > > > hardware. c=2048 also mimics BIP39. It takes about ~3 seconds to > > > derive the encryption key on a 80Mhz MCU. We feel like this is a > > > good enough tradeoff for this use case. The assumption here is > > > that the secure session is only needed temporarily for a few > > > hours, maybe up to one day. > > > > > > The Coordinator and Signers agree and exchange these 2 secrets > > > prior to the setup. The NONCE can be converted to either: > > > (a) a 6-word phrase using BIP39 wordlist > > > (b) a 20-digit decimal number > > > (c) a QR code > > > > > > Depending on the vendor. This flexibility in the data format > > > allows each vendor to customize the UX based on their respective > > > device capabilities. > > > > > > Best, > > > Hugo > > > > > > On Thu, Feb 11, 2021 at 8:25 AM Dmitry Petukhov via bitcoin-dev < > > > bitcoin-dev@lists.linuxfoundation.org> wrote: > > > > > > > В Thu, 11 Feb 2021 05:45:33 -0800 > > > > Hugo Nguyen via bitcoin-dev > > > > wrote: > > > > > > > > > > > ENCRYPTION_KEY = SHA256(SHA256(TOKEN)) > > > > > > > > > > > > This scheme might be vulnerable to rainbow table attack. > > > > > > > > > > >
