multisig: force update option for key exchange [master]

[UkoeHB]

Motivation

In the default multisig key exchange (account setup) ceremony, every key exchange round requires a message from every signer. That requirement may not be strictly necessary in some real-world use-cases (where it may be safe to assume some or all signers are trustworthy during account setup), so this PR adds an option to 'force-update' key exchange.

Changes

• Adds a force_update_use_with_caution flag to the multisig_account::kex_update() method (it defaults to false). That interface change is propagated up the call stack to the exchange_multisig_keys() method in wallet2 and the RPC.
  • When force-updating an intermediate key exchange round, you need at least num_signers - current_round_num messages from other signers (this is the bare minimum to actually make progress).
  • When force-updating the post-kex verification round, you only need to pass in the local account's post-kex verification message (which was the local account's output from the previous round).
• Adds a unit test demoing the new method.
• Miscellaneous cleanup related to multisig (gen_multisig.cpp, unit tests, etc.).

Future Work

• Currently, simplewallet and the MMS don't have an interface for the force update flag (I just defaulted it to false). A future PR can update the interface there if it's desired (@rbrunner7 ).

Dangers

The new flag is a foot-gun that can enable the following problems.

• A signer's account created through force-updating may be unable to participate in signing (i.e. the final multisig address they obtain is malformed if there is a malicious player during account setup).
• If a signer force-updates the post-kex verification round, they may believe their account is complete and the multisig group is able to create signatures. In reality, there may not be a threshold of honest signers that completed their accounts. Any funds sent to the multisig address obtained by the force-updater might be lost forever.
• If honest multisig signers force-update any intermediate key exchange round, a malicious player could execute an 'address hostage' attack where the final address produced can only make signatures if that malicious player participates (although he wouldn't be able to make signatures on his own).

[UkoeHB]

Resolved merge conflicts. Updated wallet2::exchange_multisig_keys() method so if your account has completed the main kex rounds you can call this with NO kex messages to extract the account's final post-kex verification message (a kludge to avoid adding a whole new RPC endpoint). To migrate pre-v0.18 multisig accounts to v0.18, the following two workflows should be sufficient (assuming you have a multisig account that was completed before v0.18).

Workflow 1 (recommended)

1. Let all multisig group members call exchange_multisig_keys() with NO key exchange messages. Save the output strings as R1, R2, ..., Rn.
2. Each multisig group member calls exchange_multisig_keys(R1, R2, ..., Rn) again. Their accounts should be complete and usable after that.

Workflow 2 (fastest, less robust in general if there is a malicious group member)

1. Call exchange_multisig_keys() with NO key exchange messages locally. Save the output string as R_local.
2. Call exchange_multisig_keys(R_local, force_update_use_with_caution = true) (using the force update flag). The user's account should be complete and usable after that.

[UkoeHB]

I removed checks from exchange_multisig_keys() that would throw an error if calling it when your multisig account is already complete. This way you can always call it with no kex messages to extract the post-kex verification message.

If wallets can enter a state where the post-kex verification message can't be extracted, then malicious users could plausibly claim 'I can't get my post-kex verification message'.

[vtnerd]

Nothing critical, just a few questions (that may or may not require changes).

[vtnerd]

Pinging @moneromooo-monero some whitespace changes ... allow ?

[vtnerd]

Here again.

[vtnerd]

Was CHECK_MULTISIG_ENABLED() intentionally removed? Its not used in mms_next.

[UkoeHB]

No, this was a rebase mistake, will fix.

[vtnerd]

Why was the !ready check removed? Seems like that should be done, even with the new if statement below.

[UkoeHB]

Existing multisig wallets (which have ready == true) have no way to recover the post-kex verification message, which may be needed by other signers even after the local signer has done their post-kex verification round.

[vtnerd]

Is this just to retrieve the post-kex message multiple times or something? Otherwise I don't see why this was added.

[UkoeHB]

Yes, because existing multisig wallets are stuck, unable to complete the post-kex verification round that was added in v0.18 (an oversight in testing the multisig changes).

[vtnerd]

They aren't guaranteed to be stuck though, right? Seems like this would only happen if other signers lost someone's post-kex message? If that could happen, couldn't any of the steps get stuck? I guess that's why the force option was added?

[UkoeHB]

The post-kex round did not exist before v0.18, and the only way to get a post-kex message right now is from exchange_multisig_keys() as the output of a kex round (but existing accounts already completed their last kex round without getting a post-kex message).

I guess I am overloading this PR a little so we can fix multisig faster, the post-kex stuff isn't directly related to the force update option. However, you need force updating to get your account past the post-kex step if you aren't able to get post-kex messages from all other group members (which may be the case for old accounts).

[vtnerd]

Why remove this check?

[UkoeHB]

Existing multisig wallets (which have ready == true) have no way to recover the post-kex verification message, which may be needed by other signers even after the local signer has done their post-kex verification round.

[vtnerd]

Ok, so the hold up has been me confused by the naming scheme with the post-kex messaging. multisig_kex_rounds_required(...) appears to be the number of kex messages, not including the "post-round" message to verify that all participants are active. multisig_is_ready() only returns true after this additional message has been verified.

wallet2::multisig(...) check calls the first function, which was the source of my confusion in my prior comments. I kept transposing that function call to the latter function. It's also confusing, because there's a sense in which the local wallet truly is ready - this particular wallet can immediately sign valid messages - but it is not certain about the status of the remaining wallets. Ouch, kind of a mess, but I think you've done the a decent job correcting all this.

[UkoeHB]

Squashed commits

[UkoeHB]

@tmoravec do you want to test this PR? It should fix #8541

[tmoravec]

@tmoravec do you want to test this PR? It should fix #8541

I'd love to but I'd need to implement the simplewallet parts first. I can do that, but not today or tomorrow unfortunately :( .

[selsta]

@tmoravec I would like to include this in the next release, it would be great if you could test this in the next days :)

[tmoravec]

Thanks for the reminder, selsta :) .

I've added the new parameter to simplewallet to facilitate testing: UkoeHB#4

Trying to follow the Workflow 2, I'm getting an error: Error: Failed to perform multisig keys exchange: Multisig post-kex round messages from other signers did not all contain two pubkeys.

It looks like the check CHECK_AND_ASSERT_THROW_MES(pubkey_origins_map.size() == 2 in src/multisig/multisig_account_kex_impl.cpp is not taking incomplete_signer_set into account but I might be missing something.

EDIT: Here are the commands (on stagenet):

[wallet 51sehD (no daemon)]: exchange_multisig_keys force-update
Wallet password:
Another step is needed
MultisigxV2Rn1WBRa6XZrJ3A1kmifR2yXjDcbPGmrKfk6fknJiY9p4xf9AXnwJ8Gijm23iV9U3Vj8zHB8haMVVgsaMSkhBtksPzHfn1QuGXja3Hhifv9HSDNfsNQ7icCYh2oX6GAuKBc3uvj3bdGt9jyGyNWxxih4t88sT8XzrqUrU8guMkgXnoWDymd1gCttzgd2toGzVV3XUtPEGTfmWV6ETou95fNboLMuSaF2Ds
Send this multisig info to all other participants, then use exchange_multisig_keys <info1> [<info2>...] with others' multisig info
[wallet 51sehD (no daemon)]: exchange_multisig_keys force-update MultisigxV2Rn1WBRa6XZrJ3A1kmifR2yXjDcbPGmrKfk6fknJiY9p4xf9AXnwJ8Gijm23iV9U3Vj8zHB8haMVVgsaMSkhBtksPzHfn1QuGXja3Hhifv9HSDNfsNQ7icCYh2oX6GAuKBc3uvj3bdGt9jyGyNWxxih4t88sT8XzrqUrU8guMkgXnoWDymd1gCttzgd2toGzVV3XUtPEGTfmWV6ETou95fNboLMuSaF2Ds
Wallet password:
Error: Failed to perform multisig keys exchange: Multisig post-kex round messages from other signers did not all contain two pubkeys.

[UkoeHB]

Moved this so expanded_msgs is defined right before its use.

[UkoeHB]

@tmoravec ok updated to hopefully fix that issue (also added your changes for simplewallet - note that I use the longer force-update-use-with-caution flag because it REALLY needs to be used with caution).

I am wondering if removing PRINT_USAGE(USAGE_EXCHANGE_MULTISIG_KEYS); will cause problems... is there another way to get the usage?

[tmoravec]

I am wondering if removing PRINT_USAGE(USAGE_EXCHANGE_MULTISIG_KEYS); will cause problems... is there another way to get the usage?

Now it supports zero arguments and any number of arguments. I can't think of wrong usage that would trigger this generic error. Happy to put it back if we can make up the condition.

FWIW There's always help exchange_multisig_keys. Plus more specific error messages, for example:

[wallet 51sehD (no daemon)]: exchange_multisig_keys test
Wallet password:
Error: Failed to perform multisig keys exchange: basic_string::substr: __pos (which is 13) > this->size() (which is 4)

[tmoravec]

ok updated to hopefully fix that issue

I've tested this and it works 👍 . What I did:

• Open two parts of a 2/3 multisig wallet created with v0.17.2.0.
• Finish the multisig setup with Workflow 2 above using exchange_multisig_keys force-update-use-with-caution ...
• Verify that the addresses match the previous address (as seen in v0.17.2.0 software).
• Refresh, exchange multisig info, receive transfer, send transfer.

Thank you, @UkoeHB !

[UkoeHB]

squashed commits