Bitcoin Forum
November 12, 2024, 11:50:39 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: Feedback on P2SH web wallets  (Read 3818 times)
mbelshe (OP)
Newbie
*
Offline Offline

Activity: 36
Merit: 0



View Profile WWW
November 07, 2013, 07:06:57 PM
 #1

Hey guys -

Recently I've been toying with how to better utilize multi-signature addresses (P2SH) as a mechanism for safer web wallets.  Basically, I think we should all be utilizing P2SH instead of single-key bitcoin addresses.  That led me to writeup the following idea.  So far, it has gotten pretty good feedback, but I wanted to share it here to see what you guys think.

The full whitepaper is available at this link (https://bitgo.com/p2sh_safe_address), but I've also included the text here.

Any feedback would be super.

Hope you find this interesting.

Mike







P2SH Safe Address
mike belshe
mike@bitgo.com

This paper describes a mechanism for using Bitcoin’s P2SH functionality to build a stronger, more secure web wallet.

Background
Bitcoin addresses are secured today using public key cryptography and the Elliptic Curve Digital Signature Algorithm (ECDSA). This offers very strong security. But the secret keys used within ECDSA are lengthy 256 numbers which humans can’t remember, and the security of your bitcoin hinges on how safely you can protect this key from others. To help us protect and manage our keys, users employ bitcoin wallets. There are many wallets available to choose from, and each offers its unique benefits for ease of use, security, and features. But wallets can be divided into two basic categories:
Client-side Wallets
These wallets, such as the original Satoshi Client, run using software installed locally on the user’s computer.
Web Wallets
These wallets are hosted on a web site and require no custom software installation from the user.


Client-side wallets
The advantage of a client side wallet is that your bitcoin keys are entirely your own. No intermediaries are required to help you transact. The disadvantage of the client side wallet is that the security is entirely your own. In effect you are the guard of your own bank. As such you need to: prevent malware and viruses from stealing your keys maintain and update proper backups of your keys enforce physical security of the computer(s) containing the keys (e.g. locked with an encrypted hard disk). Accessing your bitcoins from multiple computers can be difficult, as it requires you to transfer the keys safely between multiple computers. Further, because most users take extra precautions with their passwords for their bitcoin cash, forgetting or losing unusually ‘strong’ passwords becomes a real threat of loss.

Web Wallets
Web Wallets have the advantage that they are accessible through the web, from anywhere. The web site hosting your wallet needs to be a trusted party, as they often require direct access to your keys, or they may hold your keys while you don’t have them at all. Assuming that the website does a good job managing the security of your keys, this can be an advantage, as you don’t need to do it yourself.
But the disadvantages are obvious. A web site holding many keys for millions of users is a very obvious target for attackers. If the web site is hacked, you will lose your bitcoin. Similarly, if the website is shutdown due to failure to meet regulatory compliance, you will lose your bitcoin as well.

Pay To Script Hash (a.k.a. P2SH)
P2SH is a new type of bitcoin address which was introduced as part of Bitcoin Improvement Proposal 16 (BIP 16) in early 2012. P2SH addresses can be secured by more complex algorithms than traditional bitcoin addresses. In this paper, we evaluate using a 2-of-3 signature address, which we’ll call a “2-of-3 address”.
Unlike traditional bitcoin addresses, which are secured with a single ECDSA key, 2-of-3 addresses are secured with three ECDSA keys. Depositing funds into the 2-of-3 address is the same as depositing funds into a standard bitcoin address. However, withdrawing funds from the 2-of-3 address requires at least 2 of the 3 keys to sign.

Using a 2-of-3 address offers several advantages:

  • you can give a trusted party a single key for final approval on transactions without enabling them to initiate transactions on your funds alone.
  • you can lose a key but not lose access to your funds.
  • you can share a key with multiple, trusted parties who individually cannot access your funds, but can if they work together.

A Proposal for a 2-of-3 Address Web Wallet Implementation
In this section, we propose an implementation of a web wallet using the 2-of-3 address. It provides the following features
Safety
  • The service cannot initiate a transaction by itself
  • Stealing the user’s online password is not sufficient to steal funds
  • Stealing the user’s online private key is not sufficient to steal funds
  • Malware on the user’s computer cannot steal funds
Convenience
  • The user can access his funds from any computer
  • The user does not need to remember his private key and can access funds with a password and two-factor authentication.
Recovery
    The user can recover funds even if the service is shutdown due to regulatory reasons[/li]
  • The user can lose his website password and not lose his funds
  • The user can lose his private key and not lose his funds
Privacy
  • Privacy must be maintained for the user’s funds

This implementation will rely upon:
  • A service (e.g. a website) with all communications over TLS.
  • Coordination between a browser and that service
  • Use of 2-factor authentication
  • Use of strong passwords
  • 2-of-3 Address Creation
The mechanics of creating the 2-of-3 address is very important. In this proposal, it will be done both on the user’s computer and on the website. Critically, the user will generate 2 keys while the server will generate one. Address creation time is the only time when two or more of the keys are on the same computer concurrently.
The process starts with the user’s browser (or client-side key creator) generating 2 ECDSA keys:

The user’s key-pair
A backup key-pair

The backup private key-pair will be printed out and stored completely offline. It is only for fund recovery. The backup public key will be stored with the service. The service never sees the backup private key and cannot use it to unlock funds.
The user’s private key will be encrypted on the user’s machine with a strong password of the user’s choice. The encrypted private key and the public key will be stored in the service. Because the private key is encrypted with a password the service has never seen, the service cannot use this key to unlock funds.

The server will then create a 3rd key. The private key will be encrypted with a strong password known to the service and stored on the server. The server will use the 2 public keys from the user as well as the service key to create the 2-of-3 address. The server will notify the user of the server’s public key, as this will be critical for recovering funds from the address if the service ever goes down. The user will print out a copy of all 3 public keys and store them securely.

With this system, we now have an address where the user has 1 key, the service has 1 key, and the 3rd key has been saved for later use.

Withdrawing Funds from the 2-of-3 Address
To withdraw funds from the 2-of-3 address, the following steps will need to take place.
First, the user will login or authenticate to the service, and inform the service that she will make a withdrawal. The service will require the user to further authenticate with a 2-factor authentication challenge to a smartphone or mobile device. Note: 2-factor authentication is required because even strong passwords can be stolen with a keylogger.

Upon validation of the 2-factor authentication, the service sends the user’s encrypted private key to the user’s browser. The browser will prompt the user for the user’s password to unlock the encrypted private key.

Executing within the user’s browser, the application creates the bitcoin transaction for the withdrawal, unlocks the encrypted private key, and signs the transaction with a single signature.

Finally, the signed transaction is then sent to the service. The service validates the transaction, and if suitable, applies the 2nd signature using its private key. Note that the service will likely implement transaction limits. If, for some reason, the user's account was compromised, the service can refuse to sign large transactions unless further authentication or the backup key signature is presented.

Maintaining Privacy
To maintain maximal privacy, it is important to not re-use bitcoin addresses. However, re-generating such keys repeatedly with each transaction would make many of the backup benefits that come with this system difficult. Users of bitcoin standard addresses already face this problem today and use a variety of deterministic wallet mechanisms to generate multiple keys from a single source.
The same techniques can be applied to the 2-of-3 address. Any key used as a signature should be rotated to a new address based on the next sequence in the deterministic key.

As a compromise solution, the 2-of-3 address offers one more option: only rotating the server's key. Since the 2-of-3 key is generated from 3 keys, one of which is managed by the service, we can rotate the user's funds to a new address by only rotating the server’s key. The resulting address cannot be correlated to the original 2-of-3 address. However, upon spending of the outputs, the public keys will again be revealed and a correlation could be made at that time. To maintain the ability for the user to extract funds without the service, the service will need to send the newly minted service public key to the user for safekeeping. This can be done via email. But again for maximal privacy, use of deterministic key rotation is recommended.

Other Advantages
Using multi-signature wallets provides flexibility for the user to share keys with trusted family without exposing all funds. For example, a user may decide to give one key to his sister, and another to his lawyer, with instructions to get the bitcoin when the user dies. With a traditional bitcoin address, the lawyer and sister would both have full access to the user’s funds. With a 2-of-3 wallet, they would need to collude against the user. But overall, the 2-of-3 address offers a lot of flexibility.
Weaknesses
No security mechanism is perfect. One potential weakness with the 2-of-3 address is that it does have 2 of the 3 keys online in the user’s browser at the time of address creation. Malware that specifically targeted an application using 2-of-3 wallets could lie-in-wait of an address to be created, steal the keys, and then extract the funds later. However, any wallet, client or server suffers from this problem. With a 2-of-3 address, the exposure to malware is mostly limited to address creation time, whereas traditional addresses are exposed to this weakness any time you transact. Hardware wallets may be the best mitigator against this particular attack.
waxwing
Sr. Member
****
Offline Offline

Activity: 469
Merit: 253


View Profile
November 07, 2013, 07:27:04 PM
 #2

Nicely thought out. The gains over a traditional approach using 2FA are only incremental, but then 2FA properly implemented ought already to be highly fraud resistant, even under malware conditions.
The real gains are in the nature of the backup, I guess.

Wrt to the address creation vulnerability: why is it necessary to have the user and the backup privkey on the machine concurrently? What about creating the backup privkey on an airgapped machine and then transferring the pubkey for address creation?

PGP fingerprint 2B6FC204D9BF332D062B 461A141001A1AF77F20B (use email to contact)
mbelshe (OP)
Newbie
*
Offline Offline

Activity: 36
Merit: 0



View Profile WWW
November 07, 2013, 07:35:00 PM
 #3

Nicely thought out. The gains over a traditional approach using 2FA are only incremental, but then 2FA properly implemented ought already to be highly fraud resistant, even under malware conditions.
The real gains are in the nature of the backup, I guess.

Wrt to the address creation vulnerability: why is it necessary to have the user and the backup privkey on the machine concurrently? What about creating the backup privkey on an airgapped machine and then transferring the pubkey for address creation?

Thanks for reading!

Regarding 2FA: I think the biggest security measure here is that there are two machines involved in signing.  2FA is a nice add on to anything, but if you only need one signature, then you just have to break one machine.  This can be mitigated with strong passwords, but users seem to just love terrible passwords.  And then, if you ask them to create a strong password, they forget it!  Forgetting your passwords is probably a source of lost bitcoin as theft...  So, that's why this proposal uses the 2-of-3 instead of just 2-of-2.  You get the extra backup key.

Regarding creation of keys:  You're absolutely right - it is not necessary to create the keys in the browser.  Importing just the public key (you need the full public key, not the address hash) would be more secure for sure.  The only trouble is making that super easy to use....

Mike
waxwing
Sr. Member
****
Offline Offline

Activity: 469
Merit: 253


View Profile
November 07, 2013, 07:45:12 PM
 #4

Nicely thought out. The gains over a traditional approach using 2FA are only incremental, but then 2FA properly implemented ought already to be highly fraud resistant, even under malware conditions.
The real gains are in the nature of the backup, I guess.

Wrt to the address creation vulnerability: why is it necessary to have the user and the backup privkey on the machine concurrently? What about creating the backup privkey on an airgapped machine and then transferring the pubkey for address creation?

Thanks for reading!

Regarding 2FA: I think the biggest security measure here is that there are two machines involved in signing.  2FA is a nice add on to anything, but if you only need one signature, then you just have to break one machine.
It's true that your model is secure against server compromise, but any model where a single key is kept user-side has that feature too. You don't need to break two machines in your architecture, you (edit: without 2FA) only have to take control user side. Edit: that's why I say properly implemented 2FA is what counts.

PGP fingerprint 2B6FC204D9BF332D062B 461A141001A1AF77F20B (use email to contact)
mbelshe (OP)
Newbie
*
Offline Offline

Activity: 36
Merit: 0



View Profile WWW
November 07, 2013, 07:54:01 PM
 #5

Nicely thought out. The gains over a traditional approach using 2FA are only incremental, but then 2FA properly implemented ought already to be highly fraud resistant, even under malware conditions.
The real gains are in the nature of the backup, I guess.

Wrt to the address creation vulnerability: why is it necessary to have the user and the backup privkey on the machine concurrently? What about creating the backup privkey on an airgapped machine and then transferring the pubkey for address creation?

Thanks for reading!

Regarding 2FA: I think the biggest security measure here is that there are two machines involved in signing.  2FA is a nice add on to anything, but if you only need one signature, then you just have to break one machine. 
It's true that your model is secure against server compromise, but any model where a single key is kept user-side has that feature too. You don't need to break two machines in your architecture, you only have to take control user side.

Sort of; it all depends on how you create and store the keys.  The idea is that you need 3 keys.  Put one straight into cold storage as a backup, keep one on your client, and keep the 3rd on a server.  Now, hacking a single machine won't steal the keys.  The problem for the user is in how to cleanly create those 3 keys without ever having 2 keys on the same computer at the same time.

I've helped a number of people with cold storage.  I am very certain that a lot of people using user-side only solutions will be losing their passwords or keys either due to forgetfulness, accidental deletion, hardware failure, or other user error.  So this solution emerged as much to help with the "lost key" problem as the security/malware problem.

I wonder if there is any data on whether people lose more coins to losing their own keys or theft?  Most people probably won't admit! :-)

Mike



waxwing
Sr. Member
****
Offline Offline

Activity: 469
Merit: 253


View Profile
November 07, 2013, 08:03:49 PM
 #6

Sort of; it all depends on how you create and store the keys.  The idea is that you need 3 keys.  Put one straight into cold storage as a backup, keep one on your client, and keep the 3rd on a server.  Now, hacking a single machine won't steal the keys.  The problem for the user is in how to cleanly create those 3 keys without ever having 2 keys on the same computer at the same time.

I've helped a number of people with cold storage.  I am very certain that a lot of people using user-side only solutions will be losing their passwords or keys either due to forgetfulness, accidental deletion, hardware failure, or other user error.  So this solution emerged as much to help with the "lost key" problem as the security/malware problem.

I wonder if there is any data on whether people lose more coins to losing their own keys or theft?  Most people probably won't admit! :-)
Mike

Not disagreeing at all. That's why I was saying "the real advantage is in the backup". I'd still argue that in terms of defending against attacks, it's the 2FA that matters.

Quote from: gweedo
Safe and web wallet don't go together! STOP WITH WEB WALLETS, they are not safe, they don't help the community. Local wallets help the community.
I think that's too simplistic a criticism. This kind of model does not delegate spending power to the server, so that takes one huge risk out of the equation.
Another interesting attack vector is where the malware on the machine changes the payee BTC address under the hood. In this case, a "web wallet" which has to interact with a server is actually an advantage over a local client wallet, because the server can confirm the payee address to the user before spend confirmation, defending against that attack.

PGP fingerprint 2B6FC204D9BF332D062B 461A141001A1AF77F20B (use email to contact)
dserrano5
Legendary
*
Offline Offline

Activity: 1974
Merit: 1029



View Profile
November 07, 2013, 08:06:58 PM
 #7

On a compromised client's computer, the attacker only has to wait for the user to start any transaction. The attack consists in replacing the transaction (generated client-side) into one that sends all funds to the attacker. User doesn't know this, she enters 2FA and encryption key believing everything's ok.

Right, then I'll create the transaction server-side so the user validates it before entering the 2FA and/or her encryption key!

No, because then the attacker will target the server and present a bogus transaction to the user, who will happily agree with it without knowing that it's fake and provide the key.
mbelshe (OP)
Newbie
*
Offline Offline

Activity: 36
Merit: 0



View Profile WWW
November 07, 2013, 08:10:43 PM
 #8

Safe and web wallet don't go together! STOP WITH WEB WALLETS, they are not safe, they don't help the community. Local wallets help the community.

You might be over-reacting to the word "web wallet", which does have some very insecure forms.  But I'm not referring to the same-old thing here.  I suspect you didn't read what I wrote :-)

I think we absolutely do need to figure out how to build a secure web wallet.  The fact is that most people can't keep malware off their machines today.  This has nothing to do with bitcoin.  If you can't securely administer a machine, how could you possibly securely manage a local wallet?  Further, you need to backup your keys, but most people can't administer proper backups either.  Is it really a requirement that you need to be both a security and IT expert before you can use bitcoin?  If so, you're making Bitcoin much smaller than it could be.

The proposal uses a combination of keys, one local and one server side to secure your keys, with a 3rd available to help as a backup.

You're right, it doesn't "help the community" (I assume you're referring to joining as a peer in the network); I'd love to figure out better ways to solve that part of the problem.

Mike
waxwing
Sr. Member
****
Offline Offline

Activity: 469
Merit: 253


View Profile
November 07, 2013, 08:12:47 PM
 #9

On a compromised client's computer, the attacker only has to wait for the user to start any transaction. The attack consists in replacing the transaction (generated client-side) into one that sends all funds to the attacker. User doesn't know this, she enters 2FA and encryption key believing everything's ok.

Right, then I'll create the transaction server-side so the user validates it before entering the 2FA and/or her encryption key!

No, because then the attacker will target the server and present a bogus transaction to the user, who will happily agree with it without knowing that it's fake and provide the key.

Only the scenario where both the server and the user are compromised does the attack succeed. This is why mbelshe is proposing the P2SH approach, because two signatures are needed, and they must of course be signing the exact same transaction.

PGP fingerprint 2B6FC204D9BF332D062B 461A141001A1AF77F20B (use email to contact)
mbelshe (OP)
Newbie
*
Offline Offline

Activity: 36
Merit: 0



View Profile WWW
November 07, 2013, 08:18:26 PM
 #10

On a compromised client's computer, the attacker only has to wait for the user to start any transaction. The attack consists in replacing the transaction (generated client-side) into one that sends all funds to the attacker. User doesn't know this, she enters 2FA and encryption key believing everything's ok.

Right, then I'll create the transaction server-side so the user validates it before entering the 2FA and/or her encryption key!

No, because then the attacker will target the server and present a bogus transaction to the user, who will happily agree with it without knowing that it's fake and provide the key.

Fair points.  Note that all wallets have this exact problem too :-)

But the p2sh wallet offers some real hope.  The user can specify on the server spending limits or authorized accounts that he/she is willing to transact to.  After the client coins the transaction, the server can validate that everything looks okay, before applying its signature.

Nothing is perfect, but you can't do this at all with a standard bitcoin address.

The payment protocol (with authenticated recipients) would help with users not noticing that funds are being siphoned to an attacker's address.

Mike
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1013



View Profile
November 07, 2013, 08:23:06 PM
 #11

The fact is that most people can't keep malware off their machines today.  This has nothing to do with bitcoin.  If you can't securely administer a machine, how could you possibly securely manage a local wallet?  Further, you need to backup your keys, but most people can't administer proper backups either.  Is it really a requirement that you need to be both a security and IT expert before you can use bitcoin?
It's a hard problem because even experts can't guarantee security, and as their services become more popular the incentives for thieves to spend a lot of resources breaking their systems only increases.
mbelshe (OP)
Newbie
*
Offline Offline

Activity: 36
Merit: 0



View Profile WWW
November 07, 2013, 08:26:41 PM
 #12

On a compromised client's computer, the attacker only has to wait for the user to start any transaction. The attack consists in replacing the transaction (generated client-side) into one that sends all funds to the attacker. User doesn't know this, she enters 2FA and encryption key believing everything's ok.

Right, then I'll create the transaction server-side so the user validates it before entering the 2FA and/or her encryption key!

No, because then the attacker will target the server and present a bogus transaction to the user, who will happily agree with it without knowing that it's fake and provide the key.

Only the scenario where both the server and the user are compromised does the attack succeed. This is why mbelshe is proposing the P2SH approach, because two signatures are needed, and they must of course be signing the exact same transaction.

dserrano is right - there are some types of attacks you can't catch.  He suggests a real-time attack, where you wait for the user to transact, and then change the contents of the transaction (depending on the API this could be a client-side or server-side attack).  For example, you may be able to change the destination address without the user noticing.  Of course, all wallets, even local ones, are susceptible to this attack today.  But with the client/server hybrid, the server can act as your co-signer and make sure it at least fits the right parameters.  In the future, I believe you could use this same mechanism to send to a human co-signer (like a business partner) for a human verification.

But, I think the P2SH address, used either web-based or locally is fundamentally stronger than a single-key address.

Mike
mbelshe (OP)
Newbie
*
Offline Offline

Activity: 36
Merit: 0



View Profile WWW
November 07, 2013, 08:30:59 PM
 #13

The fact is that most people can't keep malware off their machines today.  This has nothing to do with bitcoin.  If you can't securely administer a machine, how could you possibly securely manage a local wallet?  Further, you need to backup your keys, but most people can't administer proper backups either.  Is it really a requirement that you need to be both a security and IT expert before you can use bitcoin?
It's a hard problem because even experts can't guarantee security, and as their services become more popular the incentives for thieves to spend a lot of resources breaking their systems only increases.

I agree with you on that!!!

In this system, even if the server is hacked, the attacker can't get your coins.  The server only has one key, but you need two to access the funds.  So although you lost one key, you've still got the same level of protection as you would have had with a client-side single key address.

Mike
waxwing
Sr. Member
****
Offline Offline

Activity: 469
Merit: 253


View Profile
November 07, 2013, 08:44:38 PM
 #14

On a compromised client's computer, the attacker only has to wait for the user to start any transaction. The attack consists in replacing the transaction (generated client-side) into one that sends all funds to the attacker. User doesn't know this, she enters 2FA and encryption key believing everything's ok.

Right, then I'll create the transaction server-side so the user validates it before entering the 2FA and/or her encryption key!

No, because then the attacker will target the server and present a bogus transaction to the user, who will happily agree with it without knowing that it's fake and provide the key.

Only the scenario where both the server and the user are compromised does the attack succeed. This is why mbelshe is proposing the P2SH approach, because two signatures are needed, and they must of course be signing the exact same transaction.

dserrano is right - there are some types of attacks you can't catch.  He suggests a real-time attack, where you wait for the user to transact, and then change the contents of the transaction (depending on the API this could be a client-side or server-side attack).  For example, you may be able to change the destination address without the user noticing.  Of course, all wallets, even local ones, are susceptible to this attack today.  But with the client/server hybrid, the server can act as your co-signer and make sure it at least fits the right parameters.  In the future, I believe you could use this same mechanism to send to a human co-signer (like a business partner) for a human verification.

But, I think the P2SH address, used either web-based or locally is fundamentally stronger than a single-key address.

Mike

But if the malware changes the payee address under the hood, the partially signed transaction can be pinged off the server and feedback the contents via another route - an email address, or other, so that the user can verify what it is they're sending over the wire, no? If the malware allows this step, and only changes the tx contents on the "real" send, then the test and the real won't match, and the server will reject. This kind of confirmation mechanism is used a lot today, e.g. my online brokerage sends me an email with a pin number to confirm a withdrawal.

The attacker can compromise the way the server's response appears, in principle, but it gets incredibly difficult to compromise if there is this kind of alternative messaging route (email, SMS).

PGP fingerprint 2B6FC204D9BF332D062B 461A141001A1AF77F20B (use email to contact)
Phinnaeus Gage
Legendary
*
Offline Offline

Activity: 1918
Merit: 1570


Bitcoin: An Idea Worth Spending


View Profile WWW
November 08, 2013, 02:54:04 AM
 #15

We have one girl here at BitGo... actually it's me, the author of our bitcointalk posts - and I use BTC  Smiley

What's BitGo?

BitGo is a startup that hasn't launched yet: http://www.bitgo.com/

I must say that is the funnest coming soon web page I've ever visited.

It also sparked my interest as to what exactly the start up's services are, so I will stay tuned.

PS: I'm not just saying that because you're a girl. About half of my previous post in this thread was just me joking around.. I am not looking for an online girlfriend rofl.  Grin

Thanks, yeah the landing page is fun Smiley

Haha, well, I am single and looking Wink this is me:



We have one girl here at BitGo... actually it's me, the author of our bitcointalk posts - and I use BTC  Smiley

Hey, Mike. Who's Tiffney and are you affiliated with bitgo.co/bitgo.ca/bitgo.x (x = other TLD)?

~TMIBTCITW
Phinnaeus Gage
Legendary
*
Offline Offline

Activity: 1918
Merit: 1570


Bitcoin: An Idea Worth Spending


View Profile WWW
November 08, 2013, 03:01:55 AM
 #16

Maybe full disclosure is overrated.

Which alternative unicode BitCoin symbol do you like the best?

Ƀ


B⃦



฿



Someone needs to create the unicode symbol for the typical BTC… with the two vertical lines penetrating the center of the B.

I like option b.
Undecidable
Newbie
*
Offline Offline

Activity: 16
Merit: 0


View Profile
November 08, 2013, 05:10:12 AM
 #17

Maintaining Privacy
To maintain maximal privacy, it is important to not re-use bitcoin addresses. However, re-generating such keys repeatedly with each transaction would make many of the backup benefits that come with this system difficult. Users of bitcoin standard addresses already face this problem today and use a variety of deterministic wallet mechanisms to generate multiple keys from a single source.
The same techniques can be applied to the 2-of-3 address. Any key used as a signature should be rotated to a new address based on the next sequence in the deterministic key.

As a compromise solution, the 2-of-3 address offers one more option: only rotating the server's key. Since the 2-of-3 key is generated from 3 keys, one of which is managed by the service, we can rotate the user's funds to a new address by only rotating the server’s key. The resulting address cannot be correlated to the original 2-of-3 address. However, upon spending of the outputs, the public keys will again be revealed and a correlation could be made at that time. To maintain the ability for the user to extract funds without the service, the service will need to send the newly minted service public key to the user for safekeeping. This can be done via email. But again for maximal privacy, use of deterministic key rotation is recommended.

I'm totally with you on multisig for wallet security.  That said, I'm unconvinced these privacy measures are worth the inconvenience they incur vs the benefits of having a stable address.  It will be painfully obvious which TX output is change because it's overwhelming likely to be the only P2SH output ... there are other signals one could incorporate as well but this one alone would likely be sufficient 99% of the time.
mbelshe (OP)
Newbie
*
Offline Offline

Activity: 36
Merit: 0



View Profile WWW
November 08, 2013, 06:09:10 AM
 #18

Phinneas -

That's Tiffney, and she works with me at bitgo!  I'll have to talk with her about your request.

Bitgo.com is the one true BitGo, I think.  But it does appear to be a popular name, with similar sounding names popping up in canada and israel that are unrelated.
mbelshe (OP)
Newbie
*
Offline Offline

Activity: 36
Merit: 0



View Profile WWW
November 08, 2013, 06:20:01 AM
 #19

Maintaining Privacy
To maintain maximal privacy, it is important to not re-use bitcoin addresses. However, re-generating such keys repeatedly with each transaction would make many of the backup benefits that come with this system difficult. Users of bitcoin standard addresses already face this problem today and use a variety of deterministic wallet mechanisms to generate multiple keys from a single source.
The same techniques can be applied to the 2-of-3 address. Any key used as a signature should be rotated to a new address based on the next sequence in the deterministic key.

As a compromise solution, the 2-of-3 address offers one more option: only rotating the server's key. Since the 2-of-3 key is generated from 3 keys, one of which is managed by the service, we can rotate the user's funds to a new address by only rotating the server’s key. The resulting address cannot be correlated to the original 2-of-3 address. However, upon spending of the outputs, the public keys will again be revealed and a correlation could be made at that time. To maintain the ability for the user to extract funds without the service, the service will need to send the newly minted service public key to the user for safekeeping. This can be done via email. But again for maximal privacy, use of deterministic key rotation is recommended.

I'm totally with you on multisig for wallet security.  That said, I'm unconvinced these privacy measures are worth the inconvenience they incur vs the benefits of having a stable address.  It will be painfully obvious which TX output is change because it's overwhelming likely to be the only P2SH output ... there are other signals one could incorporate as well but this one alone would likely be sufficient 99% of the time.

Cool.  Good to know.  You're right that for now the P2SH keys kinda stand out :-)

Right now I'm working on a scheme which uses deterministic wallets to auto-rotate your address in a way that you never have to worry about.  A 2-of-3 P2SH address is simply a set of 3 keys; we can independently rotate them on the client & server predictably such that your addresses change with every transaction in an uncorrelated way without revealing the private keys to the other machine.  It turns out that I need this more for maintaining sane key management than for privacy.  Users do need multiple addresses - and if you've got 2 keys to manage for each address, it's just too much work.

Hopefully P2SH will not be so standout 6 months from now!

If you want to try it out, this is live on bitgo.com now and has been in use for some time.  Send me (or tiffney if you prefer!) an email for an invite.  mike@bitgo.com.

mike
dserrano5
Legendary
*
Offline Offline

Activity: 1974
Merit: 1029



View Profile
November 08, 2013, 08:46:00 AM
 #20

Fair points.  Note that all wallets have this exact problem too :-)

Which is another way to say that p2sh web wallets have the same problem as anything else Smiley (barring offline ones).
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!