
Implement efficient generation of multisig wallet addresses [$2500]

Open woodser opened this issue 3 years ago • 10 comments

Currently a taker must pay a trade fee before initializing the multisig wallet with the maker and arbitrator in order to prevent takers from spamming peers with unpaid work by creating multisig wallets.

As a result, the taker must have 2 outputs available in order to take a trade, one to cover the trade fee and one to deposit to multisig, which complicates the user experience. If the multisig wallet address could be known ahead of time, the taker could use one output to pay both the trade fee and the deposit tx in a single transaction.

Chapter 10 of Zero to Monero describes a way to derive the address of a multisig wallet before initializing the wallet among peers. The first two peers (maker and arbitrator) create a shared secret and publish its public key which the third peer (the taker) can use to derive the multisig address before the wallet is initialized among them.

This issue requests implementing the ability to derive multisig wallet addresses using this method. The implementation should be added to monero-project.

woodser, May 25 '21 14:05
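The derivation the post describes, as an added Python sketch that is not Haveno or monero-project code: textbook Ed25519 arithmetic, SHA-512 standing in for Monero's hash-to-scalar, Diffie-Hellman pair secrets for the 2-of-3 aggregate, and the encoded spend/view key pair standing in for a full Monero address (all assumptions, labelled in the comments). It checks that the taker, holding only the maker/arbitrator pair public key `K_ma` plus the two public key sets, arrives at exactly the keys the fully initialized wallet would hold.

```python
import hashlib, secrets
# Ed25519 (the curve Monero uses); points are affine (x, y) tuples, (0, 1) is the identity.
P, L = 2**255 - 19, 2**252 + 27742317777372353535851937790883648493
D = -121665 * pow(121666, P - 2, P) % P
def _x_from_y(y):                      # even-x recovery as in RFC 8032, used for the base point
    xx = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(xx, (P + 3) // 8, P)
    x = x if (x * x - xx) % P == 0 else x * pow(2, (P - 1) // 4, P) % P
    return x if x % 2 == 0 else P - x
G = (_x_from_y(4 * pow(5, P - 2, P) % P), 4 * pow(5, P - 2, P) % P)   # base point, y = 4/5

def add(a, b):                         # affine twisted-Edwards point addition
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, P - 2, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, P - 2, P) % P)

def mul(k, pt):                        # double-and-add scalar multiplication
    r = (0, 1)
    while k:
        if k & 1:
            r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def encode(pt):                        # standard 32-byte encoding: y with the parity of x in the top bit
    return (pt[1] | ((pt[0] & 1) << 255)).to_bytes(32, "little")
def hash_to_scalar(data):              # assumption: SHA-512 stands in for Monero's Keccak hash-to-scalar
    return int.from_bytes(hashlib.sha512(data).digest(), "little") % L
def pair_secret(my_secret, their_public):
    """Diffie-Hellman scalar shared by two participants; both sides compute the same value."""
    return hash_to_scalar(encode(mul(my_secret, their_public)))

def new_participant():                 # fresh spend (s) and view (v) scalars per trade, never reused
    s, v = secrets.randbelow(L - 1) + 1, secrets.randbelow(L - 1) + 1
    return {"s": s, "v": v, "S": mul(s, G), "V": mul(v, G)}

def reference_keys(maker, arb, taker):
    """Aggregate 2-of-3 keys with every pair secret known (what the finished wallet would hold)."""
    k = sum(pair_secret(a["s"], b["S"]) for a, b in [(maker, arb), (maker, taker), (arb, taker)]) % L
    v = (maker["v"] + arb["v"] + taker["v"]) % L
    return encode(mul(k, G)), encode(mul(v, G))

def taker_derived_keys(taker, maker_pub, arb_pub, K_ma):
    """Taker rebuilds the same keys from K_ma = k_ma*G (published by maker and arbitrator) alone."""
    K = add(K_ma, mul(pair_secret(taker["s"], maker_pub["S"]), G))   # only public parts of the others
    K = add(K, mul(pair_secret(taker["s"], arb_pub["S"]), G))
    V = add(add(maker_pub["V"], arb_pub["V"]), taker["V"])
    return encode(K), encode(V)
```

The taker never learns `k_ma`, only its public key, which is what lets the address be fixed before the multisig wallet is initialized among the three peers.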

There is a bounty on this issue, the amount is in the title. The bounty will be awarded to the first person(s) who resolves this issue. Read the full conditions in the 'bounties.md' file. If you are starting to work on this issue, please write a comment here, so that we can assign the issue to you and avoid duplicated work.

github-actions[bot], May 25 '21 14:05

Until commit-and-reveal is implemented (assuming it does...) (see ZtM2 section 9.3), you will need to make sure makers and takers never re-use keys between orders. Always generate new subaddresses. Even that restriction may not be enough to prevent Wagner attacks (ask a real cryptographer).

UkoeHB, May 29 '21 22:05

I am investigating this issue. Multisig wallet/address generation needs a major overhaul.

UkoeHB, May 31 '21 20:05

MRL is also investigating multisig with triptych.

woodser, May 31 '21 20:05

A good point from tobtoht (I invited them to join the conversation here):

Right now I am waiting on Sarang to get back with details on how multisig will work with Triptych. With Triptych on the horizon it might be a waste of time to build on top of the current ms implementation, as a lot of ms-related code and wallet APIs may need to be changed/rewritten.

erciccione, Jun 01 '21 15:06

I am operating on the assumption that wallet/address generation will be unaffected. AFAIK it is mainly key image construction that requires new code/ideas (see here for example).

UkoeHB, Jun 01 '21 16:06

I have an outline of the address generation workflow, but won't be able to pursue an implementation for a while. If someone else wants to pick this up from my notes, I am happy to collaborate.

UkoeHB, Jul 11 '21 00:07

Note that efficient multisig creation is more an optimization than necessity now for Haveno.

The protocol will lock both traders into multisig with only 1 output with or without efficient multisig.

woodser, Jul 11 '21 15:07

A semi-stable branch to resolve this issue is prepared. It is waiting on this PR.

UkoeHB, Aug 19 '21 14:08

PR: https://github.com/monero-project/monero/pull/8203

erciccione, Mar 04 '22 13:03

@woodser is this still open?

NorrinRadd, Apr 06 '24 12:04

This hasn't been implemented, but closing this as stale and since Haveno no longer requires it for spam, since the traders sign a penalty tx with the arbitrator.

woodser, Apr 06 '24 13:04