Re: [bitcoin-dev] Enc: Bitcoin cold hardwallet with (proof of creation)

[ZmnSCPxj via bitcoin-dev]

Good morning trilemabtc,

> Hash: SHA256
>
> In search of more freedom, I thought of a hardwallet that makes the funds 
> unseizable, using proof of creation (another step with key file), only the 
> creator can reveal the private keys, more details about the idea can be found 
> in the directory: https://github.com/trilemabtc/safedime I'm not a dev, but 
> the concept is well defined and I believe that the elements to execute the 
> project already exist. Hugs!


Comparing it to OpenDime is somewhat confusing, especially when you insist that 
creator is the only one who can reveal the privkey.
It seems to be more of the old saw of "what you have + what you know" i.e. "the 
correct way to 2-factor", where the device itself is the "what you have" and 
your "key file" is "what you know".

In particular: "Dime" is a kind of physical coin, and the point of physical 
coins is to transfer ownership of the coin to other people in exchange for 
goods and services; the device you describe sacrifices this transfer of 
ownership due to the key file.

>From what I can see, the basic idea is to generate a simple 2-of-2, possibly 
>by "just" combining the private key on the device plus a private key generated 
>from the key file.
They can be simply added or multiplied together, I believe.
Then the device stores the key generated from the entropy you provide and 
exposes a public key to the software.
Then the software generates a private key from the key file the user provides 
and tweaks the device pubkey to generate the Bitcoin address.
In order to spend from that address, both the key file and the device have to 
be put together.
I believe that with multiplication of two privkeys, you can use 2p-ECDSA to 
even have the device provide a signature share that the software can combine 
with a signature share with the privkey from the keyfile, creating a singlesig 
ECDSA signature.
This allows spending without having to enter revealed state.

The above allows the device to be configured with random entropy *separately* 
from the keyfile: when leaving "new unit" state it does *not* require the key 
file to be given.
This is good since it reduces the possibility of malware getting access to both 
the entropy you feed to the device, and the key file, which would be able to 
reconstruct the final privkey and steal funds.
That is: have the entropy-giving stage ***not*** require the key file (and in 
particular, strongly recommend to do it on a computer that has never touched 
the key file).
This would be required anyway if you want to have "backups", i.e. separate 
device units with the same device privkey.

I also would not recommend or even mention the use of brainwallets, at all, 
even for keyfiles.
Unless you generated it with sufficient entropy (e.g. dice) and chant it every 
day to yourself (to keep it fresh in your memory, assuming the user is human, 
anyway) the risk of loss with any kind of brainwallet is too high, even in a 
2-of-2 with a hardware device.

Regards,
ZmnSCPxj
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

[bitcoin-dev] Enc: Bitcoin cold hardwallet with (proof of creation)

[trilemabtc via bitcoin-dev]

-BEGIN PGP SIGNED MESSAGE-

Hash: SHA256

In search of more freedom, I thought of a hardwallet that makes the funds 
unseizable, using proof of creation (another step with key file), only the 
creator can reveal the private keys, more details about the idea can be found 
in the directory: https://github.com/trilemabtc/safedime I'm not a dev, but the 
concept is well defined and I believe that the elements to execute the project 
already exist. Hugs!

-BEGIN PGP SIGNATURE-

iQIzBAEBCAAdFiEExdl2BaappAJ3lpcJRT5Yw3Ri1V0FAmFUnXgACgkQRT5Yw3Ri

1V1KHw//Z6TOk4YATwsvdLYcZ+6xUmruETzKUZ27kYp/Fvy6wYo8de6I1+fzRH4M

gcMp+Jz4oD6hmY+Kcpg1bDo7fOKWnFFf+HgxzRhxRTh39I35EYXKEYboLzqeXm43

jEViRFSBnJHZNx4YV5UlTIFMczQ17Ew60N7n3Av9OWykOgDcafgbOTMKlBsePRsI

SQnUkqnh//1GFw8w9q0VS/7lD4dCHbPlASpd9LemVlKJGyCAvPGhXSwC6ay4vK6j

iWdRkEFGXbjuhVzhLbte0Pg9W/psKW7wg1JttG1EkxBep49o9preNHrFNe4KgQ3S

ggn9qm9KOaYSxh9ZMFKMx4Pif3vIcMROtm/OJk1U0E+WCBb3ymEZBWf6E2bRlwmN

uZ7/EbCCk7jiM+l4LYZO26OzSABR8aodo7HSsFYVwOq3zVWQx5ixy8Y0BjLhK9C0

XySSpU0aBzr39Szap8UBDgYarmuusu3m0o7ASvA6YSg1rifv2mIYAQ2ad/Cxwqxg

RC8c3JhW+WLNJKl6DXAv6LhAkBfUZNW6cESe8Uo1JDPs0I5XXDS0mIRi5x3Clz5N

QffEHupuQQjVtICJZl7zNvLFPUdn9EaRC6ZAGyuVU+7vNvpQOCBH2bdxLM1Zie6D

HoN+Q8kGvlqyWxWuXsWY5nbRWQEoi09Z94zKLdYRdLOW9NtsShM=

=3H+p

-END PGP SIGNATURE-___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] Proposal: Package Mempool Accept and Package RBF

[Antoine Riard via bitcoin-dev]

Hi Bastien

> In the case of LN, an attacker can game this and heavily restrict
your RBF attempts if you're only allowed to use confirmed inputs
and have many channels (and a limited number of confirmed inputs).
Otherwise you'll need node operators to pre-emptively split their
utxos into many small utxos just for fee bumping, which is inefficient...

I share the concern about splitting utxos into smaller ones.
IIRC, the carve-out tolerance is only 2txn/10_000 vb. If one of your
counterparties attach a junk branch on her own anchor output, are you
allowed to chain your self-owned unconfirmed CPFP ?
I'm thinking about the topology "Chained CPFPs" exposed here :
https://github.com/rust-bitcoin/rust-lightning/issues/989.
Or if you have another L2 broadcast topology which could be safe w.r.t our
current mempool logic :) ?


Le lun. 27 sept. 2021 à 03:15, Bastien TEINTURIER  a
écrit :

> I think we could restrain package acceptance to only confirmed inputs for
>> now and revisit later this point ? For LN-anchor, you can assume that the
>> fee-bumping UTXO feeding the CPFP is already
>> confirmed. Or are there currently-deployed use-cases which would benefit
>> from your proposed Rule #2 ?
>>
>
> I think constraining package acceptance to only confirmed inputs
> is very limiting and quite dangerous for L2 protocols.
>
> In the case of LN, an attacker can game this and heavily restrict
> your RBF attempts if you're only allowed to use confirmed inputs
> and have many channels (and a limited number of confirmed inputs).
> Otherwise you'll need node operators to pre-emptively split their
> utxos into many small utxos just for fee bumping, which is inefficient...
>
> Bastien
>
> Le lun. 27 sept. 2021 à 00:27, Antoine Riard via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> a écrit :
>
>> Hi Gloria,
>>
>> Thanks for your answers,
>>
>> > In summary, it seems that the decisions that might still need
>> > attention/input from devs on this mailing list are:
>> > 1. Whether we should start with multiple-parent-1-child or
>> 1-parent-1-child.
>> > 2. Whether it's ok to require that the child not have conflicts with
>> > mempool transactions.
>>
>> Yes 1) it would be good to have inputs of more potential users of package
>> acceptance . And 2) I think it's more a matter of clearer wording of the
>> proposal.
>>
>> However, see my final point on the relaxation around "unconfirmed inputs"
>> which might in fact alter our current block construction strategy.
>>
>> > Right, the fact that we essentially always choose the first-seen
>> witness is
>> > an unfortunate limitation that exists already. Adding package mempool
>> > accept doesn't worsen this, but the procedure in the future is to
>> replace
>> > the witness when it makes sense economically. We can also add logic to
>> > allow package feerate to pay for witness replacements as well. This is
>> > pretty far into the future, though.
>>
>> Yes I agree package mempool doesn't worsen this. And it's not an issue
>> for current LN as you can't significantly inflate a spending witness for
>> the 2-of-2 funding output.
>> However, it might be an issue for multi-party protocol where the spending
>> script has alternative branches with asymmetric valid witness weights.
>> Taproot should ease that kind of script so hopefully we would deploy
>> wtxid-replacement not too far in the future.
>>
>> > I could be misunderstanding, but an attacker wouldn't be able to
>> > batch-attack like this. Alice's package only conflicts with A' + D',
>> not A'
>> > + B' + C' + D'. She only needs to pay for evicting 2 transactions.
>>
>> Yeah I can be clearer, I think you have 2 pinning attacks scenarios to
>> consider.
>>
>> In LN, if you're trying to confirm a commitment transaction to time-out
>> or claim on-chain a HTLC and the timelock is near-expiration, you should be
>> ready to pay in commitment+2nd-stage HTLC transaction fees as much as the
>> value offered by the HTLC.
>>
>> Following this security assumption, an attacker can exploit it by
>> targeting together commitment transactions from different channels by
>> blocking them under a high-fee child, of which the fee value
>> is equal to the top-value HTLC + 1. Victims's fee-bumping logics won't
>> overbid as it's not worthy to offer fees beyond their competed HTLCs. Apart
>> from observing mempools state, victims can't learn they're targeted by the
>> same attacker.
>>
>> To draw from the aforementioned topology, Mallory broadcasts A' + B' + C'
>> + D', where A' conflicts with Alice's P1, B' conflicts with Bob's P2, C'
>> conflicts with Caroll's P3. Let's assume P1 is confirming the top-value
>> HTLC of the set. If D' fees is higher than P1 + 1, it won't be rational for
>> Alice or Bob or Caroll to keep offering competing feerates. Mallory will be
>> at loss on stealing P1, as she has paid more in fees but will realize a
>> gain on P2+P3.
>>
>> In this model, Alice is allowed to evict those 2 transactions (A' + D')
>> but as she is