-
Notifications
You must be signed in to change notification settings - Fork 385
BIP38 Security Unraveled
In multiply mode BIP-38 defines three new artifacts:
intermediate code
confirmation code
encrypted private key
It also makes use of existing standard artifacts:
private key
public key
payment address
The multiply mode scenario envisions two actors, an owner
and a printer
:
- The owner creates an
intermediate code
using a secret passphrase (on a trusted platform). - The owner provides the
intermediate code
to the printer. - The printer generates an
encrypted private key
from theintermediate code
. - The printer provides the
encrypted private key
and aconfirmation code
to the owner. - The printer has access to the
public key
andpayment address
and may provide these to the owner as well. - The printer has no ability to obtain the corresponding
private key
without the original passphrase. - The owner validates information obtained from the printer using the passphrase (more below).
From a privacy standpoint the only material issue is that the owner has given the printer knowledge of the public key
of an owner private key
. This means that any payment to a payment address
derived from that public key
can be associated with the owner's person (i.e. tainted). The printer is therefore trusted to not disclose this association.
The owner must validate information returned from the printer. Otherwise there are several ways the printer can steal (i.e. intentionally) or lose (i.e. through negligence) the owner's money. Validation must be done on a trusted platform, such as the one first used to generate the intermediate code
. Otherwise the private key
of the encrypted private key
may have been compromised.
The printer could just generate an encrypted private key
without using the owner's intermediate code
. In this case any money spent to the public key
of the encrypted private key
would be spendable by the printer and not by the owner. The owner can prevent this by validating the confirmation code
against the originating intermediate code
.
The printer could return a payment address
(or public key
) that is unrelated to the intermediate code
. If the intermediate code
is valid but does not represent the corresponding payment address
any money sent to the payment address
will be spendable by the printer and not the owner. Therefore the validation step must accept the payment address
as a parameter.
The printer could generate a valid confirmation code
using the owner's intermediate code
and return an unrelated encrypted private key
. If the owner validates the confirmation code
against the intermediate code
the owner will know that the printer cannot spend money sent to the related payment address
. However this offers no assurance whatsoever that the owner can spend from the validated payment address
.
In all respects the confirmation code
is actually a public analog to the encrypted private key
. In other words it retains the encrypted public key
of the private key
that is encrypted within the encrypted private key
. As such, using the original passphrase, only the owner can decrypt the confirmation code
. However the printer has access to its public key
as well, so this offers no protection against the printer.
The confirmation code
cannot be used to validate the encrypted private key
. Protecting against denial of money by the printer requires the owner
to validate the encrypted private key
provided by the printer against the payment address
using the original passphrase. This is the only way the owner protects against both theft and denial of money.
...if the
payment address
can be recreated by decrypting itsencrypted private key
with a passphrase, and it's a strong passphrase one can be certain only he knows himself, then he can safely conclude that nobody could know theprivate key
to thatpayment address
.
In other words, the confirmation code
is NOT used to validate the owner's ability to spend from the payment address
using the encrypted private key
.
The party generating the
payment address
has the option to return aconfirmation code
back to owner which allows owner to independently verify that he has been given apayment address
that actually depends on his passphrase, and to confirm the lot and sequence numbers (if applicable). This protects owner from being given apayment address
by the second party that is unrelated to the key derivation and possibly spendable by the second party. If apayment address
given to owner can be successfully regenerated through the confirmation process, owner can be reasonably assured that any spending without the passphrase is infeasible.
The "confirmation process" refers to use of the confirmation code
by the owner to validate that the payment address
is associated to the owner-generated intermediate code
. Note however that the guarantee provided is only against theft of money, not against denial: "any spending without the passphrase is infeasible".
The name confirmation code
is misleading from a security standpoint and complicates an understanding of multiply mode. The value is actually a public key
derived from the private key
of the encrypted private key
and encrypted for the owner. For this reason libbitcoin refers to this artifact as the encrypted public key
.
In the name intermediate code
the term "intermediate" is vague, as there are several steps and artifacts in the scenario. The term "code" does not refine "intermediate" as all of the artifacts are codes of some sort. In the interest of clarity and brevity libbitcoin refers to the intermediate code
as a token
.
Given that the multiply mode scenario rests on the presumption that the owner cannot trust the printer, we conclude that there is no valid use case for the confirmation code
. We strongly recommend against use of the confirmation code
and that BIP-38 be modified to remove the Confirmation Code section altogether.
The scenario should be:
- The owner creates a
intermediate code
using a secret passphrase. - The owner provides the
intermediate code
to the printer. - The printer generates an
encrypted private key
from theintermediate code
. - The printer provides the
encrypted private key
to the owner. - The owner extracts the
payment address
from theencrypted private key
using the passphrase.
- Steps 1 and 5 must be carried out on a trusted platform by the owner.
- The printer will have knowledge of the
public key
(andpayment address
). - Lot and sequence validation (as applicable) must use the
encrypted private key
.
Bitcoin Explorer key encryption commands
Users | Developers | License | Copyright © 2011-2024 libbitcoin developers
- Home
- manifesto
- libbitcoin.info
- Libbitcoin Institute
- Freenode (IRC)
- Mailing List
- Slack Channel
- Build Libbitcoin
- Comprehensive Overview
- Developer Documentation
- Tutorials (aaronjaramillo)
- Bitcoin Unraveled
-
Cryptoeconomics
- Foreword by Amir Taaki
- Value Proposition
- Axiom of Resistance
- Money Taxonomy
- Pure Bank
- Production and Consumption
- Labor and Leisure
- Custodial Risk Principle
- Dedicated Cost Principle
- Depreciation Principle
- Expression Principle
- Inflation Principle
- Other Means Principle
- Patent Resistance Principle
- Risk Sharing Principle
- Reservation Principle
- Scalability Principle
- Subjective Inflation Principle
- Consolidation Principle
- Fragmentation Principle
- Permissionless Principle
- Public Data Principle
- Social Network Principle
- State Banking Principle
- Substitution Principle
- Cryptodynamic Principles
- Censorship Resistance Property
- Consensus Property
- Stability Property
- Utility Threshold Property
- Zero Sum Property
- Threat Level Paradox
- Miner Business Model
- Qualitative Security Model
- Proximity Premium Flaw
- Variance Discount Flaw
- Centralization Risk
- Pooling Pressure Risk
- ASIC Monopoly Fallacy
- Auditability Fallacy
- Balance of Power Fallacy
- Blockchain Fallacy
- Byproduct Mining Fallacy
- Causation Fallacy
- Cockroach Fallacy
- Credit Expansion Fallacy
- Debt Loop Fallacy
- Decoupled Mining Fallacy
- Dumping Fallacy
- Empty Block Fallacy
- Energy Exhaustion Fallacy
- Energy Store Fallacy
- Energy Waste Fallacy
- Fee Recovery Fallacy
- Genetic Purity Fallacy
- Full Reserve Fallacy
- Halving Fallacy
- Hoarding Fallacy
- Hybrid Mining Fallacy
- Ideal Money Fallacy
- Impotent Mining Fallacy
- Inflation Fallacy
- Inflationary Quality Fallacy
- Jurisdictional Arbitrage Fallacy
- Lunar Fallacy
- Network Effect Fallacy
- Prisoner's Dilemma Fallacy
- Private Key Fallacy
- Proof of Cost Fallacy
- Proof of Memory Façade
- Proof of Stake Fallacy
- Proof of Work Fallacy
- Regression Fallacy
- Relay Fallacy
- Replay Protection Fallacy
- Reserve Currency Fallacy
- Risk Free Return Fallacy
- Scarcity Fallacy
- Selfish Mining Fallacy
- Side Fee Fallacy
- Split Credit Expansion Fallacy
- Stock to Flow Fallacy
- Thin Air Fallacy
- Time Preference Fallacy
- Unlendable Money Fallacy
- Fedcoin Objectives
- Hearn Error
- Collectible Tautology
- Price Estimation
- Savings Relation
- Speculative Consumption
- Spam Misnomer
- Efficiency Paradox
- Split Speculator Dilemma
- Bitcoin Labels
- Brand Arrogation
- Reserve Definition
- Maximalism Definition
- Shitcoin Definition
- Glossary
- Console Applications
- Development Libraries
- Maintainer Information
- Miscellaneous Articles