Slides are up!
tldr: Payjoins / Coinjoins on hardware wallets are no bueno.
* Quick intro to payjoin and coinjoin cooperative spend transactions
* All the things current hwws / signing devices get wrong when displaying these txs to users (yes, nostr:npub17tyke9lkgxd98ruyeul6wt3pj3s9uxzgp9hxu5tsenjmweue6sqq4y3mgl blows it, too)
* Work-in-progress R&D on some better approaches.

Presented and discussed last night at #chibitdevs
TONIGHT at #chibitdevs I'll be presenting the UI/UX challenges that #payjoin and #coinjoin transactions impose on signing devices.
* What do retail hwws currently display?
* What SHOULD they?
Obv this all stems from what I've learned during my recent nostr:npub17tyke9lkgxd98ruyeul6wt3pj3s9uxzgp9hxu5tsenjmweue6sqq4y3mgl R&D.

txid is just some kind of hash of the transaction itself. Slightly change the tx and you get a different txid.
The end of the OP_RETURN has a random hexadecimal string. Randomize that, sign & finalize the tx, check the resulting txid. If no match, generate a new random hex string and repeat...
Have to grind / brute force for every part. I can't remember how long the mnemonic took to get one that yielded a c0ffee fingerprint, but it wasn't too bad. A 6-char hexadecimal match is over 16^6 possibilities so not too bad, but the bip39 calcs make each iteration slow. Probably did ~50 million over a few hours?
The 3Coffee address was the killer. Nested segwit addrs use base58 so a 6-char target is 58^6 possibilities. Had about 10 threads running for 2-3 days grinding address indices. About 10.2 billion attempts.
(everything would've been probably 1000x faster if I did this in rust instead of python, but taking on rust would've been too ambitious)
Then the c0ffee txid was probably the easiest part. The end of the OP_RETURN has a random hexadecimal string; that causes the transaction to hash to a different txid each time. That only took about 2hrs of grinding while I made lunch today (an easy 4.4 million tries)!
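The txid-grinding loop described in these posts, as an added example (not the author's code): a constructed, unsigned legacy-format transaction with one dummy input and one OP_RETURN output is re-serialized with a fresh random hex tail until the displayed txid (sha256d of the serialization, byte-reversed) starts with the wanted prefix. The message, prefix and dummy outpoint are made-up values.

```python
# Added example (not the author's code): grind the trailing hex of an
# OP_RETURN until the displayed txid starts with a chosen prefix.
# The "transaction" is a constructed, unsigned legacy-format tx with one
# dummy input and one OP_RETURN output; its txid is sha256d of this
# serialization, shown byte-reversed, exactly as explorers display it.
import hashlib
import os
import struct

def sha256d(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def varint(n: int) -> bytes:
    # Bitcoin CompactSize; only the single-byte case is needed here
    assert n < 0xFD
    return bytes([n])

def serialize_tx(op_return_payload: bytes) -> bytes:
    """Legacy (non-witness) serialization: version, inputs, outputs, locktime.
    BIP141 txids never include witness data, so a segwit spender can grind
    this serialization before signing; the signature does not move the txid."""
    prevout = bytes(32) + struct.pack("<I", 0)        # constructed dummy outpoint
    script_sig = b""                                   # empty for a native segwit input
    txin = prevout + varint(len(script_sig)) + script_sig + struct.pack("<I", 0xFFFFFFFF)
    script = b"\x6a" + varint(len(op_return_payload)) + op_return_payload  # OP_RETURN <push>
    txout = struct.pack("<q", 0) + varint(len(script)) + script
    return struct.pack("<i", 2) + varint(1) + txin + varint(1) + txout + struct.pack("<I", 0)

def txid_hex(raw_tx: bytes) -> str:
    # Explorers show the hash little-endian, i.e. byte-reversed
    return sha256d(raw_tx)[::-1].hex()

def grind_txid(message: bytes, prefix: str, max_tries: int = 10_000_000):
    """Append a random hex nonce to the message and rehash until the txid
    starts with prefix. Returns (txid, payload, tries); expected tries ~ 16**len(prefix)."""
    for tries in range(1, max_tries + 1):
        nonce = os.urandom(4).hex().encode()           # 8 random hex chars, like the author's tail
        payload = message + b" " + nonce
        txid = txid_hex(serialize_tx(payload))
        if txid.startswith(prefix):
            return txid, payload, tries
    raise RuntimeError("prefix not found within max_tries")

if __name__ == "__main__":
    txid, payload, n = grind_txid(b"c0ffee inception!", "c0f")
    print(f"{txid} after {n} tries (expected ~{16**3}); payload={payload!r}")
```

Each extra target character multiplies the expected work by 16, which is why the 6-char prefix in the post took millions of tries while a 3-char one finishes in a second.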
Dayum, 2012. That's some OG tinkering right there!
Yo, where my nerds at?!!

I created a bitcoin mnemonic that starts with "coffee".
Its fingerprint is c0ffee4b
It has a receive address that starts with 3Coffee
That address wrote an OP_RETURN that says "c0ffee inception!"
And the txid of that transaction starts with... c0ffee!!!
https://mempool.space/tx/c0ffeebcb6682294ebe29f06e0afb790f23f551d5c592b59bce1ccaffe128049
BIP39 experts: where is the rest of the input coming from, if I only supply very limited entropy? E.g. why aren't the rest of the bits 0?

This is from https://www.reddit.com/r/coldcard/comments/17epqk8/comment/k69u1og
Coldcard runs the dice input through sha256.
If you set iancoleman to Base10 or Hex, it will also hash the input to yield a matching result.
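How the "rest of the bits" get filled in when a wallet hashes dice input first, as an added example (not Coldcard's or iancoleman's code): the roll string is run through SHA-256 to get 256 bits of entropy, BIP39 appends ENT/32 checksum bits, and the result is cut into 11-bit word indices. Mapping indices to words needs the 2048-word English list, which is not embedded here; the roll string "123456" is a constructed input.

```python
# Added example (not Coldcard's or iancoleman's code): how a dice string
# becomes BIP39 entropy when the wallet hashes the input first. The "missing"
# bits are the SHA-256 digest of the rolls, not zeros; BIP39 then appends
# ENT/32 checksum bits and cuts the result into 11-bit word indices.
import hashlib

def dice_to_entropy(rolls: str) -> bytes:
    """Coldcard-style: the raw dice digits (ASCII) are hashed with SHA-256 to
    yield 256 bits of entropy, however many rolls were entered."""
    if not rolls or any(c not in "123456" for c in rolls):
        raise ValueError("rolls must be a non-empty string of digits 1-6")
    return hashlib.sha256(rolls.encode()).digest()

def bip39_word_indices(entropy: bytes) -> list[int]:
    """BIP39: checksum = first ENT/32 bits of sha256(entropy); the
    concatenation splits into 11-bit groups, each indexing the 2048-word list."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16-32 bytes in 4-byte steps")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()
    bits = int.from_bytes(entropy, "big") << cs_bits
    bits |= int.from_bytes(checksum, "big") >> (256 - cs_bits)
    total = ent_bits + cs_bits
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]

def compare_hashed_vs_raw(rolls: str) -> dict:
    """Constructed illustration of the question above: reading a short roll
    string directly as a number leaves the high bits zero; hashing fills them."""
    raw = int(rolls).to_bytes(32, "big")           # digits as a base-10 number, zero-padded
    hashed = dice_to_entropy(rolls)
    return {
        "raw_leading_zero_bytes": len(raw) - len(raw.lstrip(b"\x00")),
        "hashed_leading_zero_bytes": len(hashed) - len(hashed.lstrip(b"\x00")),
        "indices": bip39_word_indices(hashed),
    }

if __name__ == "__main__":
    print(compare_hashed_vs_raw("123456"))
```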
Favorite new nostr:npub17tyke9lkgxd98ruyeul6wt3pj3s9uxzgp9hxu5tsenjmweue6sqq4y3mgl test seed!
Just had to brute force ~6mil random mnemonics to get here!

No. For a lot of the annoying controversies you'll still get people I want to hear (e.g. nostr:npub1ej493cmun8y9h3082spg5uvt63jgtewneve526g7e2urca2afrxqm3ndrm ) providing useful context, clarifications, etc. So a blanket keyword mute feels like too blunt a tool.
Though have been thinking about muting some of the bigger geopolitical stuff that doesn't have any ties to tech/bitcoin.
I've been trying an admittedly hopeless experiment on twitter: blocking every crypto BS airdrop/nft/etc ad it shows me.
I know, there's an inexhaustible supply of them. Fool's errand.
But maybe I'm getting some results! It just started showing me this Oreo cookie ad!
(tho I'm mostly keto and have never had a sweet tooth, so good luck with that. Def funny to see the algo just throwing random darts)

So I made sure to click on the ad and even watch the video; I want to encourage it to think that these are the best ads to show me.
Innocuous-enough Oreos are so much better than ads for incredibly dumb nft shit.
Watched Chapter 3 last night.
It WAS pretty good. You almost have to pull yourself out of the movie to really appreciate it though; it's almost more about showing off moviemaking technical feats ("wait, that whole sequence was one continuous take?!") and obv fight choreography than anything else.
The "Guns, lots of guns" callback to The Matrix was awesome and completely ridiculous and just a tiny bit cringe but totally the right call.
Oh man, Wally had to do so much editing around my inarticulate Spanish!
But we got to hang out, have breakfast, take in the view from the top of a volcano, and, of course, talk nostr:npub17tyke9lkgxd98ruyeul6wt3pj3s9uxzgp9hxu5tsenjmweue6sqq4y3mgl!
My 80IQ understanding of it is that it's basically Schnorr-like musig (many keys acting onchain as if they were one) but way more complicated because of not-Schnorr math and it seems like every few months some academic paper finds a new maybe-vulnerability. But useful for them because the same approach can secure every shitcoin they custody (including bitcoin) w/the same technique.
Strikes me as a weird place in the Venn diagram where very few players are doing it (and so there's all the usual risks of novel cryptography and limited eyes reviewing/improving the code) BUT the people who are using it are the biggest behemoths out there.
Seems kinda unsettling but also thus far has been totally fine...?
Ser, Robert's Rules requires that someone "second" a motion before a call to a vote can occur.
That being said, 🙋"second!"
I think all the massive b2b custodians are doing MPC. So it's effectively multisig, but not implemented via bitcoin scripting.
Okay, finally saw John Wick.
Fun enough, interesting-ish world. Keanu is Keanu but no one's expecting amazing acting here.
Then watched John Wick Chapter 2. Bit more "meh". Still more enjoyable than not.
Do I continue to Chapters 3 and 4?
