Implement efficient generation of multisig wallet addresses [$2500] #86
Currently a taker must pay a trade fee before initializing the multisig wallet with the maker and arbitrator in order to prevent takers from spamming peers with unpaid work by creating multisig wallets.
As a result, the taker must have 2 outputs available in order to take a trade, one to cover the trade fee and one to deposit to multisig, which complicates the user experience. If the multisig wallet address could be known ahead of time, the taker could use one output to pay both the trade fee and the deposit tx in a single transaction.
Chapter 10 of Zero to Monero describes a way to derive the address of a multisig wallet before initializing the wallet among peers. The first two peers (maker and arbitrator) create a shared secret and publish its public key which the third peer (the taker) can use to derive the multisig address before the wallet is initialized among them.
This issue requests implementing the ability to derive multisig wallet addresses using this method. The implementation should be added to monero-project.
Comments
There is a bounty on this issue, the amount is in the title. The bounty will be awarded to the first person(s) who resolves this issue. Read the full conditions in the 'bounties.md' file. If you are starting to work on this issue, please write a comment here, so that we can assign the issue to you and avoid duplicated work.
Until commit-and-reveal is implemented (assuming it does...) (see ZtM2 section 9.3), you will need to make sure makers and takers never re-use keys between orders. Always generate new subaddresses. Even that restriction may not be enough to prevent Wagner attacks (ask a real cryptographer).
I am investigating this issue. Multisig wallet/address generation needs a major overhaul.
MRL is also investigating multisig with triptych.
A good point from tobtoht (I invited them to join the conversation here):
I am operating on the assumption that wallet/address generation will be unaffected. AFAIK it is mainly key image construction that requires new code/ideas (see here for example).
I have an outline of the address generation workflow, but won't be able to pursue an implementation for a while. If someone else wants to pick this up from my notes, I am happy to collaborate.
Note that efficient multisig creation is more an optimization than necessity now for Haveno. The protocol will lock both traders into multisig with only 1 output with or without efficient multisig.
A semi-stable branch to resolve this issue is prepared. It is waiting on this PR.
@woodser is this still open?
This hasn't been implemented, but closing this as stale and since Haveno no longer requires it for spam, since the traders sign a penalty tx with the arbitrator.
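The derivation the issue proposes (maker and arbitrator publish the public key of their shared secret, and the taker combines it with its own pairwise secrets to obtain the multisig spend key before any wallet is initialized) can be modelled end to end in a few dozen lines. The example below is added here and is not Haveno or monero-project code. It assumes the Zero to Monero style M-of-N construction in which the aggregate spend key is the sum of hashed pairwise Diffie-Hellman secrets, uses SHA3-256 as a stand-in for Monero's Keccak hash-to-scalar with simplified domain separation, treats the shared view key as the plain sum of view-key shares, and omits base58 address encoding; the names `Participant`, `maker_arbitrator_publish`, `taker_derive` and `full_aggregate` are hypothetical. The point is the check at the end: the taker, knowing only the published `S_MA` and the peers' public keys, arrives at exactly the keys that a full three-party setup would produce, without ever learning the maker/arbitrator secret.

```python
"""Model of pre-deriving a 2-of-3 multisig spend key from a published
shared-secret public key (added example; not Haveno or Monero code).

Assumptions: ZtM2-style M-of-N aggregation (sum of hashed pairwise secrets),
SHA3-256 standing in for Keccak, simplified domain separation, view key as a
plain sum of shares, no base58 address encoding."""
import hashlib
import secrets

# --- minimal Ed25519 group arithmetic (affine twisted Edwards, following the
# reference ed25519.py); dependency-free and slow, fine for a demonstration ---
q = 2**255 - 19
l = 2**252 + 27742317777372353535851937790883648493  # order of the base point
d = (-121665 * pow(121666, q - 2, q)) % q
I = pow(2, (q - 1) // 4, q)


def _inv(x):
    return pow(x, q - 2, q)


def _xrecover(y):
    xx = (y * y - 1) * _inv(d * y * y + 1)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q != 0:
        x = (x * I) % q
    if x % 2 != 0:
        x = q - x
    return x


By = (4 * _inv(5)) % q
B = (_xrecover(By), By)  # the standard Ed25519 base point


def point_add(P, Q):
    x1, y1 = P
    x2, y2 = Q
    x3 = (x1 * y2 + x2 * y1) * _inv(1 + d * x1 * x2 * y1 * y2)
    y3 = (y1 * y2 + x1 * x2) * _inv(1 - d * x1 * x2 * y1 * y2)
    return (x3 % q, y3 % q)


def scalar_mult(e, P):
    R = (0, 1)  # identity element
    while e:
        if e & 1:
            R = point_add(R, P)
        P = point_add(P, P)
        e >>= 1
    return R


def encode_point(P):
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def hash_to_scalar(*parts):
    # SHA3-256 stands in for Monero's Keccak-based hash-to-scalar (assumption).
    h = hashlib.sha3_256()
    for part in parts:
        h.update(part)
    return int.from_bytes(h.digest(), "little") % l


def random_scalar():
    return secrets.randbelow(l - 1) + 1


def pairwise_secret(my_priv, their_pub):
    # s_ij = H(k_i * K_j) = H(k_j * K_i): a Diffie-Hellman secret known to both
    return hash_to_scalar(b"pairwise", encode_point(scalar_mult(my_priv, their_pub)))


class Participant:
    """One trader or arbitrator: a private spend share and a view-key share."""

    def __init__(self):
        self.spend_priv = random_scalar()
        self.spend_pub = scalar_mult(self.spend_priv, B)
        self.view_priv = random_scalar()


def full_aggregate(maker, arb, taker):
    """Reference: all three secrets at hand, K^s = (s_MA + s_MT + s_AT) * B."""
    s_ma = pairwise_secret(maker.spend_priv, arb.spend_pub)
    s_mt = pairwise_secret(maker.spend_priv, taker.spend_pub)
    s_at = pairwise_secret(arb.spend_priv, taker.spend_pub)
    ks = scalar_mult((s_ma + s_mt + s_at) % l, B)
    kv = (maker.view_priv + arb.view_priv + taker.view_priv) % l
    return encode_point(ks), encode_point(scalar_mult(kv, B))


def maker_arbitrator_publish(maker, arb):
    """Step 1: maker and arbitrator agree s_MA and publish only S_MA = s_MA * B,
    their public spend keys, and their combined view-key share."""
    s_ma = pairwise_secret(maker.spend_priv, arb.spend_pub)
    assert s_ma == pairwise_secret(arb.spend_priv, maker.spend_pub)
    return {
        "S_MA": scalar_mult(s_ma, B),
        "K_M": maker.spend_pub,
        "K_A": arb.spend_pub,
        "view_partial": (maker.view_priv + arb.view_priv) % l,
    }


def taker_derive(taker, published):
    """Step 2: the taker derives the multisig keys before the wallet exists,
    without ever learning s_MA itself."""
    s_mt = pairwise_secret(taker.spend_priv, published["K_M"])
    s_at = pairwise_secret(taker.spend_priv, published["K_A"])
    ks = point_add(published["S_MA"], scalar_mult((s_mt + s_at) % l, B))
    kv = (published["view_partial"] + taker.view_priv) % l
    return encode_point(ks), encode_point(scalar_mult(kv, B))


def demo():
    """Returns True when the taker's pre-derived keys match the full setup."""
    maker, arb, taker = Participant(), Participant(), Participant()
    published = maker_arbitrator_publish(maker, arb)
    return taker_derive(taker, published) == full_aggregate(maker, arb, taker)


if __name__ == "__main__":
    print("taker pre-derivation matches full multisig setup:", demo())
```

Because `S_MA` is a public key, publishing it reveals nothing about `s_MA`, which is why the taker can do this before any wallet exchange; the earlier comment about never re-using keys across orders still applies, since reusing `spend_priv` across trades would make the pairwise secrets (and hence the aggregate key) predictable to anyone who has seen one of them.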