olalonde / proof-of-solvency

Proof of Solvency (PoS) is a scheme designed to let users verify the solvency of online websites which accept Bitcoin (or other similar currency) deposits (e.g. exchange websites, online wallets, gambling websites, etc.) in a way that doesn't compromise the privacy of users.
MIT License

Asset proof: support HD wallet master key signatures #3

Closed olalonde closed 10 years ago

olalonde commented 10 years ago

We should support HD wallets so that only one signature and the master public key are required.

jaekwon commented 10 years ago

I like this. Not having to create a new signature for the cold wallet every time adds to exchange security.

My use-case is probably different than others' with HD wallets. HD wallets are typically used as a flat array of addresses, and with the "gap" parameter one could figure out all the addresses generated. I use BIP0032 to create a full tree of addresses (e.g. each user on my exchange gets their own subtree), so it isn't clear to somebody with just my master public key which addresses I've generated.

What I want to do is publish the master public key, the signature, and a list of chainPath -> amounts. e.g.

```js
[{
    MPK: "0271b114194fd037a410366b693b338ef7d190c8c2a20ce6164f0c9bc40df417d9",
    Chain: "8b8e225c197e9606e04ae9f0a7582e43177934b7383efbc452055abfbf3a5d0e",
    Message: "Hot Wallet for My Exchange",
    Addresses: [
        {address: "1xyz1", chainPath: "1/1/1", amount: 123 },
        {address: "1xyz2", chainPath: "1/1/2", amount: 234 },
        {address: "1xyz3", chainPath: "3/1", amount: 345 },
        {address: "1xyz4", chainPath: "3/2", amount: 456 },
    ]
},
{
    // And another for the cold wallet
}]
```

thallium205 commented 10 years ago

Why would you ever want to post your master public key? You realize that if any single one of those child private keys gets exposed, the child private + the public master will give an attacker the ability to derive the master private key...

olalonde commented 10 years ago

Seems unlikely an attacker would get access to a private child key but not the master private/public key though.

thallium205 commented 10 years ago

They would gain access to the master public key because the site would be publishing it. All it would take is a single child private key (of any depth) to be compromised to wipe out the entire exchange.

If proof of assets is to work with HD wallets, I don't think it is wise to build it in such a way where the master public key is used. Instead, every sub-pubkey that is used to generate addresses should be published with the addresses they generated.
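
As an added worked example for the two points argued in this thread (jaekwon's scheme of publishing the master public key plus chain code and per-address chain paths, and thallium205's objection that one leaked non-hardened child private key lets an attacker recover the parent private key), here is a self-contained Python sketch. It is not code from proof-of-solvency or from either commenter; the seed and the chain path are constructed for the demo. It implements BIP32 private and public derivation over secp256k1 in pure Python (not constant-time, illustration only), checks that a verifier holding only the master public key and chain code reproduces the public key behind a published chain path, then runs the recovery step by step up the tree, and finally shows that a hardened step is not derivable from public data at all.

```python
import hashlib
import hmac

# secp256k1 domain parameters (field prime, group order, generator)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 2 ** 31


def _add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)


def _mul(k, point):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def ser_p(point):
    """33-byte compressed SEC encoding, as BIP32's serP()."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def master_from_seed(seed):
    """BIP32 master key: I = HMAC-SHA512(key="Bitcoin seed", data=seed)."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]


def ckd_priv(k_par, c_par, idx):
    """CKDpriv: (k_par, c_par, idx) -> (k_i, c_i). idx >= 2**31 is hardened."""
    if idx >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big") + idx.to_bytes(4, "big")
    else:
        data = ser_p(_mul(k_par, G)) + idx.to_bytes(4, "big")
    i = hmac.new(c_par, data, hashlib.sha512).digest()
    return (int.from_bytes(i[:32], "big") + k_par) % N, i[32:]


def ckd_pub(K_par, c_par, idx):
    """CKDpub: public-only derivation. Only defined for non-hardened idx."""
    if idx >= HARDENED:
        raise ValueError("hardened child cannot be derived from a public key")
    i = hmac.new(c_par, ser_p(K_par) + idx.to_bytes(4, "big"), hashlib.sha512).digest()
    return _add(_mul(int.from_bytes(i[:32], "big"), G), K_par), i[32:]


def recover_parent_priv(K_par, c_par, idx, k_child):
    """The attack from the thread: k_i = (IL + k_par) mod n, and for a
    non-hardened child IL depends only on the parent xpub, so k_par = k_i - IL."""
    i = hmac.new(c_par, ser_p(K_par) + idx.to_bytes(4, "big"), hashlib.sha512).digest()
    return (k_child - int.from_bytes(i[:32], "big")) % N


def demo(seed=b"proof-of-solvency issue 3 demo seed"):  # constructed seed, not a real wallet
    k_m, c_m = master_from_seed(seed)
    K_m = _mul(k_m, G)                      # the published master public key + c_m
    path = [3, 2]                           # the chain path "3/2" from the example above
    k_leaf = k_m
    c = c_m
    for idx in path:                        # exchange side: private derivation
        k_leaf, c = ckd_priv(k_leaf, c, idx)
    K_leaf, c = K_m, c_m
    for idx in path:                        # verifier side: public-only derivation
        K_leaf, c = ckd_pub(K_leaf, c, idx)
    verifier_ok = _mul(k_leaf, G) == K_leaf
    # attacker side: leaked k_leaf + published xpub, walk the recovery up the tree
    K_3, c_3 = ckd_pub(K_m, c_m, 3)         # intermediate xpub is derivable from the master xpub
    k_3 = recover_parent_priv(K_3, c_3, 2, k_leaf)
    k_root = recover_parent_priv(K_m, c_m, 3, k_3)
    return verifier_ok and k_root == k_m


def hardened_blocks_public_derivation(seed=b"proof-of-solvency issue 3 demo seed"):
    """A hardened index keys the HMAC on the parent private key, so neither a
    verifier nor an attacker can compute IL from the xpub; ckd_pub must refuse."""
    k_m, c_m = master_from_seed(seed)
    try:
        ckd_pub(_mul(k_m, G), c_m, 3 + HARDENED)
    except ValueError:
        return True
    return False
```

The recovery works at every level, not only at the root: a published xpub for a subtree, combined with one leaked non-hardened private key under it, yields that subtree's private key and therefore every sibling key. So publishing sub-pubkeys instead of the master key shrinks the blast radius to the subtree but does not remove the issue; what removes it is a hardened step between what is published and what is spent from, or publishing only the leaf public keys.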