Author: Hugo Nguyen 2021-04-11 16:45:00
Published on: 2021-04-11T16:45:00+00:00
In a conversation between Michael and Hugo regarding multisig in Bitcoin, Michael praises the effort being made to improve it, but raises concerns about two major issues. The first issue is the O(n^2) xpub validation problem which creates a bad user experience and is hard for non-advanced users to understand. The proposed solution, using an output descriptor checksum, has a 40-bit MITM collision attack vulnerability. Michael suggests using a checksum with higher entropy to reduce xpub validation to O(n) and create a better user experience. He also proposes using a child address to encode end-user verification across signers and stresses the importance of creating an unambiguous format for wallet ID. The second issue raised is the risk of stateless hardware wallets such as Trezor having their xpubs swapped out by a compromised coordinator. The current BIP does not improve this issue while adding complexity. Hugo disagrees with going stateless and suggests that signers in a multisig must be stateful. He highlights problems with signing the descriptor record, including the need to store the signature somewhere, the necessity to include a copy of the original descriptor, and sharing every detail of the contract indefinitely, which has massive privacy implications. Michael further explains that a stateless Signer could display a malicious receive address, leading to an attacker gaining control of funds. This is a concern for both self-hosted and hosted multisig services. Additionally, Michael suggests that the use of BIP39 words for session tokens is a big mistake since end-users have learned over time that these words are for private key material. However, Hugo argues that the TOKEN at 6-9 words is kept intentionally small and separate from the seed phrase BIP39 mnemonic. Furthermore, decimal format, not BIP39 mnemonic, is recommended in the spec.
Updated on: 2023-06-14T17:30:31.446226+00:00