Bitcoin Forum
November 14, 2024, 09:04:12 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: [ANN] ms-brainwallet.org - Multisignature P2SH in the browser  (Read 4637 times)
Sarchar (OP)
Member
**
Offline Offline

Activity: 88
Merit: 10


View Profile
November 05, 2013, 03:21:45 PM
Last edit: January 09, 2014, 07:48:59 AM by Sarchar
 #1

Admittedly, this proposal comes at the cost of a bit of convenience. I understand that...  I also want to say that I did some searching to see if anyone has documented this process before but I couldn't find much.

Brain wallets are tricky to get right, as we've seen in the past with practically a new story every week of how someone lost their brain wallet coins. After thinking today that I really wanted to move my coins to a brain wallet and also concluding that I just didn't want to have to remember yet another long password, I came up with the idea to combine the use of multi-signature transactions and pay-to-script-hash outputs.

The idea is simple.  You send your coins to a 2-of-3 multi-signature output. One of the keys will be generated as before with your brain wallet software. Another one of the keys will be generated for you using bitcoin software (you can use brainwallet.org's random key generator, for example) and you save it in a text file encrypted with strong GPG.  The third key can be generated from anything else you wish, but ideally you give this third key away to your spouse, store it in a bank safe, store in the cloud, or wherever.

So this 2-of-3 transaction output is really defined only by the output script. This script can be hashed and turned into something that looks just like a bitcoin address except the address starts with a `3...'.  You can then send your coins to this address like you would any other address.  These are called Pay-to-script-hash transactions (P2SH).  But of course, most of you know this already.

The benefits for the P2SH output is that an attacker trying to steal your coins doesn't know how many keys there are or how many keys are required to spend the output, nor the order of the keys required to produce the proper transaction. In fact, he doesn't even know if it's a multi-signature transaction at all.

Here's an example of how I might use this system:

1. I generate key1 using offline brainwallet.org software by hitting the 'random' button a few times and copying the "Private Key" (starts with a 5...) to a text file, encrypting it with my GPG key and storing it on my local machine and a remote backup. I may even print it and store it in a safe, like you would with a paper wallet.

2. I then come up with a strong brain wallet passphrase and enter it into the passphrase box. This produces key2 (it is never written down or saved, like a normal brain wallet).

3. (Don't use this step if you want to use 2-of-2 multisignature transactions) I ask my wife to type in a semi-strong password into the passphrase box.  This produces key3.  This key is never written down, as it is a brain wallet only in her head. I don't know it.

Using the public keys for each of the 3 private keys generated above, I produce a 2 of 3 multi-signature transaction.  The output script is then hashed, and a P2SH address is generated from that. Coins are sent to the corresponding address.

Normally, if I need to spend these coins I know how to access key1 and key2 and can produce the necessary signatures.  Use of the third key should be rare and only for emergencies. An attacker doesn't know how many keys there are nor how many are required.  In the event that I lose all hard copies of key1 or I forget my brain wallet passphrase for key2, I can ask my wife for access to the third key.  You never need to store the output script, either, because you can always reconstruct it as long as you know the public keys.

This strategy should provide the same security as a brain wallet, yet also eliminate any possibility of brain wallet scrapers from ever stealing your coins. A nice benefit is that your brain wallet passphrase doesn't have to be as strong.  Should a scraper ever figure out your passphrase, they would never know it because the Bitcoin address associated with your brain wallet never had coins sent to it (only the hash of the multi-signature script is public) and a scraper would pass right over it.  This doesn't mean you can pick weak passphrases, because if either of your other keys were compromised then a weak brain wallet is a liability.

So that's it.  Here are a few more extension ideas:

1. use 2-of-4 multi-signature, and have the fourth key be generated by your mother or someone else close to you.  This way, if anything happens to you, they can access to your coins.  You'd need to pick two people for keys 3 and 4 that you trust would never conspire against you, of course... (I think this may be a problem if only n-of-3 transactions are standard right now)

2. decoy coins.  Take each of your keys and send a small, but modest amount of bitcoins to them (say, 0.5 or 1) and add those addresses as 'watch-only' to your Bitcoin software.  If your hard copy of key1 is ever compromised and an attacker moves those coins you can be alerted immediately, indicating that you need to move all of your other multi-signature P2SH transactions to new ones.

OK, tear me up! If this gets enough positive feedback, I'd be happy write up some python scripts to generate and spend transactions like these.

Implementation (BETA, Use At Your Own Risk!!):

mbelshe
Newbie
*
Offline Offline

Activity: 36
Merit: 0



View Profile WWW
November 07, 2013, 11:07:59 PM
 #2

Hey Sarchar -

I think you and I have been thinking the same thing :-)

I have an online version of this implemented at bitgo.  https://bitgo.com.  It probably doesn't offer all the combinations of key creation that you're looking for yet, but send me an email (mike@bitgo.com) and I'll send you an invite.  Would love to get more feedback.

mike

Sarchar (OP)
Member
**
Offline Offline

Activity: 88
Merit: 10


View Profile
November 09, 2013, 01:55:49 PM
 #3

Hey Sarchar -

I think you and I have been thinking the same thing :-)

I have an online version of this implemented at bitgo.  https://bitgo.com.  It probably doesn't offer all the combinations of key creation that you're looking for yet, but send me an email (mike@bitgo.com) and I'll send you an invite.  Would love to get more feedback.

mike

Cool, I'm glad someone else has been thinking about this.  I actually have developed two scripts (a create and a spend) in Python that will produce the proper transactions to accomplish this.  I could publish them if anyone's interested.

What kind key combinations does your implementation allow?  Does it work offline?
Sarchar (OP)
Member
**
Offline Offline

Activity: 88
Merit: 10


View Profile
November 09, 2013, 07:48:30 PM
Last edit: January 09, 2014, 07:47:44 AM by Sarchar
 #4

I decided that in order to get people to test the idea out it would be convenient if I just implemented it in JavaScript.  So tonight, I've added the ability to generate and spend P2SH multisgs using the Brainwallet.org codebase as a starting point.  

The implementation is here, but be warned: it hasn't been tested thoroughly!


I'd love to hear some feedback.
Sarchar (OP)
Member
**
Offline Offline

Activity: 88
Merit: 10


View Profile
November 29, 2013, 10:42:40 AM
 #5

Just a quick update:

This codebase now supports BIP32 keys (3 at a time!) and also correctly sorts public keys in the redemption script before using them.  You can also now enter private keys in any order and they'll be signed correctly.

If anyone ends up using this, I'd be happy to hear how it works out for your - but definitely only test with small amounts, as this is still alpha!
Natanael
Newbie
*
Offline Offline

Activity: 27
Merit: 0


View Profile WWW
November 30, 2013, 10:15:40 PM
 #6

You should add Shamir's Secure Sharing Scheme support for additional security AND loss/destruction prevention.
Sarchar (OP)
Member
**
Offline Offline

Activity: 88
Merit: 10


View Profile
December 08, 2013, 10:24:20 AM
 #7

I have considered Shamir's secret sharing and while I think it'd be complementary to this brain wallet strategy, I think it's better implemented in a separate project.  It seems like using secret sharing for your brain passphrase (key2 in the OP) could yield added security.
Sarchar (OP)
Member
**
Offline Offline

Activity: 88
Merit: 10


View Profile
December 16, 2013, 03:04:40 AM
 #8

Code Review Bounty - 2 slots at 0.25 BTC each.

I need someone to review my bip32 code.  It's in JavaScript and freely accessible. 

This is the pull request I made to brainwallet that includes bip32 master key generation:

https://github.com/brainwallet/brainwallet.github.com/pull/35

It looks like the brainwallet guy is going to take his time in processing this, so in the meantime I'd really like it if someone could review the changeset and post feedback. In particular, I'm looking for people with good community standing (you're a well-known and respected programmer on the forums) and that your response is actually meaningful.  I want to have some respected people here give a thumbs up or thumbs down on the security and correctness of this bip32 javascript implementation.

Any takers?
xeroc
Sr. Member
****
Offline Offline

Activity: 345
Merit: 250



View Profile
December 16, 2013, 08:23:14 AM
 #9

This is a great project ..

(also bitgo.com)
Sarchar (OP)
Member
**
Offline Offline

Activity: 88
Merit: 10


View Profile
December 17, 2013, 05:39:17 AM
 #10

This is a great project ..

(also bitgo.com)

I checked out bitgo - their Bitcoin Gift protocol is actually this exact thing, indeed.  They don't use BIP32, but that's fine. My BIP32 stuff is still experimental.  Good on Bitgo! Nice to see more multisignature stuff around.
virtualmaster
Hero Member
*****
Offline Offline

Activity: 504
Merit: 500



View Profile
December 17, 2013, 08:42:19 PM
 #11

Good work. Thanks.

Calendars for free to print: 2014 Calendar in JPG | 2014 Calendar in PDF Protect the Environment with Namecoin: 2014 Calendar in JPG | 2014 Calendar in PDF
Namecoinia.org  -  take the planet in your hands
BTC: 15KXVQv7UGtUoTe5VNWXT1bMz46MXuePba   |  NMC: NABFA31b3x7CvhKMxcipUqA3TnKsNfCC7S
CharlesSafety
Newbie
*
Offline Offline

Activity: 5
Merit: 0


View Profile
December 18, 2013, 12:57:45 AM
 #12

I love your work it is brilliant. Exactly something I was looking to play with.

So this is different than the sx implementation of multi signature brain wallets, they don't seem to be compatible.
Sarchar (OP)
Member
**
Offline Offline

Activity: 88
Merit: 10


View Profile
December 19, 2013, 08:38:04 AM
 #13

I love your work it is brilliant. Exactly something I was looking to play with.

So this is different than the sx implementation of multi signature brain wallets, they don't seem to be compatible.

Well, thank you! I'm working on a few new improvements that I think are really cool. 

Speaking of sx, do you know in which way the multisignature transactions are incompatible? I'll check it out myself later, as well.
CharlesSafety
Newbie
*
Offline Offline

Activity: 5
Merit: 0


View Profile
December 19, 2013, 09:34:39 PM
 #14

I love your work it is brilliant. Exactly something I was looking to play with.

So this is different than the sx implementation of multi signature brain wallets, they don't seem to be compatible.

Well, thank you! I'm working on a few new improvements that I think are really cool.  

Speaking of sx, do you know in which way the multisignature transactions are incompatible? I'll check it out myself later, as well.

I am a bit of a novice just tinkering,  I made an sx multi Sig brainwallet 'password1' 2 and 3, and it comes up with a different address than when I put the same passphrases in your tool.

As a side note, it appears that multi Sig brain wallets are not being brute forced, as nobody has stolen the small amount I sent to that address.

Your tool is much easier to work with than the sx tool (which is why that value is still stuck in the above mentioned brainwallet)
Sarchar (OP)
Member
**
Offline Offline

Activity: 88
Merit: 10


View Profile
December 20, 2013, 01:28:35 AM
 #15

I love your work it is brilliant. Exactly something I was looking to play with.

So this is different than the sx implementation of multi signature brain wallets, they don't seem to be compatible.

Well, thank you! I'm working on a few new improvements that I think are really cool.  

Speaking of sx, do you know in which way the multisignature transactions are incompatible? I'll check it out myself later, as well.

I am a bit of a novice just tinkering,  I made an sx multi Sig brainwallet 'password1' 2 and 3, and it comes up with a different address than when I put the same passphrases in your tool.

As a side note, it appears that multi Sig brain wallets are not being brute forced, as nobody has stolen the small amount I sent to that address.

Your tool is much easier to work with than the sx tool (which is why that value is still stuck in the above mentioned brainwallet)

How are you generating the public keys for those passwords? Typically I would use the standard brainwallet.org site and copy the public key into my site. sx may use a different hashing method than the default brainwallet site, too.

Also, did you check all 6 orderings?
Sarchar (OP)
Member
**
Offline Offline

Activity: 88
Merit: 10


View Profile
January 09, 2014, 07:48:12 AM
 #16

I configured a domain name for this project: http://ms-brainwallet.org/
chriswilmer
Legendary
*
Offline Offline

Activity: 1008
Merit: 1000


View Profile WWW
March 19, 2014, 06:23:44 AM
 #17

This is awesome!!

Are you still maintaining this? (i.e., should I be donating to you Wink )
Sarchar (OP)
Member
**
Offline Offline

Activity: 88
Merit: 10


View Profile
March 19, 2014, 12:15:32 PM
 #18

This is awesome!!

Are you still maintaining this? (i.e., should I be donating to you Wink )

Yes, although I haven't written new code for the site in a while, I still consider myself responsible for its operation.

If you want to contribute, write some code Smiley
Sarchar (OP)
Member
**
Offline Offline

Activity: 88
Merit: 10


View Profile
September 08, 2014, 06:00:00 AM
 #19

Small update - I've added a few new features.

  • Allow any m-of-n (not just m-of-3) transactions
  • Support for partially signing transactions
  • Support for adding signatures to raw transactions


With the above, ms-brainwallet should work well for doing things like escrow and without to share private keys or have all the private keys in one place.

Hope people find it useful!
abstream
Member
**
Offline Offline

Activity: 81
Merit: 10


View Profile
December 10, 2014, 01:30:58 AM
 #20

Hey,

you have done something great! I will have a look at the code within the next 10-12 days and get back to you with some feedback!

cheers.

Small update - I've added a few new features.

  • Allow any m-of-n (not just m-of-3) transactions
  • Support for partially signing transactions
  • Support for adding signatures to raw transactions


With the above, ms-brainwallet should work well for doing things like escrow and without to share private keys or have all the private keys in one place.

Hope people find it useful!

Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!