Re: [bitcoin-dev] PSA: Taproot loss of quantum protections

2021-03-17 Thread Eoin McQuinn via bitcoin-dev 
How do people in other non-English-speaking parts of the world use and
develop Bitcoin Core?

On Wed, Mar 17, 2021 at 1:24 AM Ryan Grant via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> I enjoyed the reindexing using a distinct subject and I appreciate the
> new clarifications by those whose instinct was to put effort into a
> response.  Although I try to keep up, some of the taproot QC
> mitigations that are possible had escaped my attention thus far.
> ___
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] BIP70 is dead. What now?

2021-02-21 Thread Eoin McQuinn via bitcoin-dev 
What is a 'pull request'?

On Fri, Feb 19, 2021 at 1:49 PM Andrew Kozlik via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Hi Thomas,
>
> I am working on an experimental implementation [1] of a new payment
> request format in Trezor T. In some respects it's similar to BIP-70. The
> main differences are:
>
> 1. There is no reliance on X.509, since that seems to have been the main
> reason for BIP-70's downfall. The signature is mandatory, since for us the
> main feature is protection against a man-in-the-middle attack. So in this
> sense it's more similar to BOLT11.
>
> 2. It can be used to solve a similar problem with coin exchange. When you
> are sending BTC to a trusted exchange service and expecting another
> cryptocurrency in return, say LTC, you want to be sure that you not only
> have the correct BTC address, but also that the exchange service has your
> correct LTC address.
>
> 3. It uses an optional nonce for replay protection.
>
> The two interesting parts in [1] are probably the `TxAckPaymentRequest`
> protobuf message [2] and the signature verification [3]. The protobuf
> message is only for communication between Trezor and the host software
> running on the user's computer. It's not intended for interchange between
> wallets. We haven't defined the interchange format yet. I intend to create
> a SLIP documenting all this.
>
> Andrew
>
> [1] https://github.com/trezor/trezor-firmware/compare/andrewkozlik/payreq2
> [2]
> https://github.com/trezor/trezor-firmware/blob/andrewkozlik/payreq2/common/protob/messages-bitcoin.proto#L403-L427
> [3]
> https://github.com/trezor/trezor-firmware/blob/andrewkozlik/payreq2/core/src/apps/bitcoin/sign_tx/payment_request.py
>
> On Fri, Feb 19, 2021 at 1:43 PM Charles Hill via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Hi, Thomas,
>>
>> I developed a URL signing scheme for use with LNURL as a method for
>> authorizing payments on behalf of offline devices /applications. It's
>> not specifically off-chain or on-chain related, but could be repurposed.
>> The gist of the scheme is as follows:
>>
>> Before any signing is done:
>>
>> 0) Generate an API key (ID/reference, secret, encoding) to be shared
>> between a server and an offline device or application.
>>
>> To generate a signature:
>>
>> 1) Generate a random nonce (unique per API key)
>>
>> 2) Build a query string with the `id`, `nonce`, `tag`, "Server
>> parameters" (see [Subprotocols](#subprotocols) above), and any custom
>> parameters. The `id` parameter should be equal to the API key's ID.
>> Example:
>> `id=b6cb8e81e3=d585674cf991dbbab42b=withdrawRequest=5000=7000=example=CUSTOM1_PARAM_VALUE=CUSTOM2_PARAM_VALUE`.
>>
>> Note that both the keys and values for query parameters should be URL
>> encoded. The following characters should be __unescaped__: `A-Z a-z 0-9
>> - _ . ! ~ * ' ( )`. See
>> [encodeURIComponent](
>> https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent#description)
>>
>> for more details.
>>
>> 3) Sort the query parameters by key (alphabetically). This is referred
>> to as the "payload". Example:
>>
>> `custom1=CUSTOM1_PARAM_VALUE=CUSTOM2_PARAM_VALUE=example=b6cb8e81e3=7000=5000=d585674cf991dbbab42b=withdrawRequest`
>>
>> 4) Sign the payload (the sorted query string) using the API key secret.
>> Signatures are generated using HMAC-SHA256, where the API key secret is
>> the key.
>>
>> 5) Append the signature to the payload as follows:
>>
>> `custom1=CUSTOM1_PARAM_VALUE=CUSTOM2_PARAM_VALUE=example=b6cb8e81e3=7000=5000=d585674cf991dbbab42b=withdrawRequest=HMAC_SHA256_SIGNATURE`.
>>
>> You can find more details here:
>>
>> https://github.com/chill117/lnurl-node#how-to-implement-url-signing-scheme
>>
>>
>> I would change a few things with this scheme to fit better with the
>> use-case you describe. For example:
>>
>> * Remove the "tag" and LNURL-specific parameters
>>
>> * Instead of HMAC-SHA256 with a shared secret, it could use pub/priv key
>> signing instead. The lnurl-auth subprotocol has an interesting approach
>> to protecting user privacy while allowing verification of signatures.
>> See for more details on that:
>>
>> https://github.com/fiatjaf/lnurl-rfc/blob/master/lnurl-auth.md
>>
>>
>> - chill
>>
>>
>> On 2/19/21 10:14 AM, Thomas Voegtlin via bitcoin-dev wrote:
>> > I never liked BIP70. It was too complex, had too many features, and when
>> > people discuss it, they do not even agree on what the main feature was.
>> >
>> > Nevertheless, there is ONE feature of BIP70 that I find useful: the fact
>> > that payment requests were signed. I am making this post to discuss
>> this.
>> >
>> > When I send bitcoins to an exchange, I would like to receive a signed
>> > request. I want to have a proof that the exchange asked me to send coins
>> > to that address, in case it has been hijacked by some intern working
>> > there. If that feature was implemented by an exchange, it would guide my
>> > decision to use