From: "'Sean Carlin' via Bitcoin Development Mailing List"
To: Bitcoin Development Mailing List
Date: Thu, 26 Mar 2026 09:19:42 -0700 (PDT)
Subject: Re: [bitcoindev] [BIP Draft] Blind Relay: Stateless Encrypted WebSocket Coordination for PSBTs

Hi Pyth,

That is a fair point regarding Bitcoin Core's existing dependencies. I chose AES-GCM-256 specifically because this BIP targets Application Layer coordination, with a focus on cross-platform ubiquity (Web PWAs, Mobile, and Desktop).

For these environments, AES-GCM is a core primitive of the Web Crypto API, meaning it is implemented natively and audited by browser/OS vendors. Standardizing on ChaCha20-Poly1305 would force web and mobile developers to bundle external, unoptimized JavaScript cryptographic libraries. In the context of a browser-based or mobile coordinator, I believe relying on native, hardware-accelerated OS primitives provides a smaller and more secure attack surface than importing third-party JS dependencies.

If the protocol were strictly node-to-node (Transport Layer), I would agree on ChaCha20. But for client-to-relay coordination, the Web Crypto API support makes AES-GCM the safer choice for the average user's device in my opinion.

Happy to discuss further if you see a reason why supporting ChaCha20 is a benefit other than ecosystem alignment.
I updated the BIP's rationale section with this earlier today.

All the best,
Sean Carlin

On Thursday, 26 March 2026 at 14:21:27 UTC pyth wrote:

> Hi Sean, this is interesting, but note that bitcoin core doesn't have
> dependencies for AES-GCM-256, while it has dependencies for
> CHACHA20-POLY1305.
>
> Best,
> Pyth
>
> On Wed, 2026-03-25 at 05:00 -0700, 'Sean Carlin' via Bitcoin
> Development Mailing List wrote:
> > Hi everyone,
> >
> > I'd like to propose a new BIP for real-time, trust-minimized
> > coordination of multi-signature PSBTs.
> >
> > The Problem
> > Coordinating N-of-M Bitcoin transactions currently forces users into
> > a binary choice:
> > - Manual out-of-band transfers (USB drives, secure messengers) that
> >   preserve privacy but introduce high friction and error risk, or
> > - Stateful coordination servers that offer good UX but act as privacy
> >   honeypots, logging metadata, signer relationships, and often storing
> >   PSBTs on disk.
> >
> > The Proposal: Blind Relay
> > This BIP introduces a "Blind Relay" - an ephemeral, stateless,
> > zero-knowledge WebSocket relay. All payloads are encrypted client-side
> > with AES-GCM-256, with decryption keys held exclusively in
> > client-side URL fragments (never sent to the server). The relay operates
> > entirely in RAM with a strict 24-hour TTL and self-destructs upon
> > completion, providing real-time coordination without persistent
> > metadata or disk storage.
> >
> > A reference implementation has been running in production for three
> > months, successfully facilitating real multisig ceremonies.
> >
> > Links
> > - BIP Draft:
> >   https://github.com/scarlin90/bip-stateless-psbt-coordination/blob/main/bip-draft.md
> > - Source Code: https://github.com/scarlin90/signingroom
> > - Live Client: https://signingroom.io
> > - Related Research Paper: https://arxiv.org/abs/2601.17875
> >
> > I look forward to your technical feedback - especially on the
> > specification, security model, edge cases, and any suggested
> > improvements.
> >
> > Best regards,
> > Sean Carlin
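
The client-side scheme discussed in this thread (AES-GCM-256 through the Web Crypto API, with the key kept only in the URL fragment), as an added example that is not part of the original messages or of the BIP's reference implementation. The relay URL, the envelope layout (base64url IV plus ciphertext) and all function names are assumptions; it runs under Node, which exposes the same `crypto.subtle` interface as browsers.

```javascript
// Web Crypto handle: global in browsers and recent Node; require() fallback for older Node.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;

// base64url helpers (Buffer is Node-specific; a browser build would use btoa/atob).
const b64u = {
  enc: (buf) => Buffer.from(buf).toString("base64url"),
  dec: (str) => new Uint8Array(Buffer.from(str, "base64url")),
};

// Room creator: generate a 256-bit key and place it after '#'. The fragment is
// not part of the HTTP request target, so the relay never receives the key.
async function createRoomLink(base) {
  const key = await wc.subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);
  return `${base}#${b64u.enc(await wc.subtle.exportKey("raw", key))}`;
}

// Joining signer: recover a non-extractable key from the shared link.
async function keyFromLink(link) {
  const raw = b64u.dec(new URL(link).hash.slice(1));
  if (raw.length !== 32) throw new Error("fragment is not a 256-bit key");
  return wc.subtle.importKey("raw", raw, "AES-GCM", false, ["encrypt", "decrypt"]);
}

// Envelope the relay forwards: a fresh random 96-bit IV per message, then ciphertext||tag.
async function seal(key, plaintext) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, new TextEncoder().encode(plaintext));
  return { iv: b64u.enc(iv), ct: b64u.enc(ct) };
}

// Rejects (throws) if the IV, ciphertext or tag was altered in transit.
async function unseal(key, env) {
  const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv: b64u.dec(env.iv) }, key, b64u.dec(env.ct));
  return new TextDecoder().decode(pt);
}

async function demo() {
  const link = await createRoomLink("https://relay.example/room/r1"); // hypothetical relay URL
  const key = await keyFromLink(link);
  const psbt = "cHNidP8BAH-constructed-sample"; // constructed placeholder, not a real PSBT
  const env = await seal(key, psbt);
  const roundTrip = await unseal(key, env);
  // Simulate a relay flipping one ciphertext bit: the GCM tag check must fail.
  const bad = b64u.dec(env.ct);
  bad[0] ^= 1;
  const tamperDetected = await unseal(key, { iv: env.iv, ct: b64u.enc(bad) }).then(() => false, () => true);
  const u = new URL(link);
  return { psbt, roundTrip, tamperDetected, requestTarget: u.pathname + u.search, env };
}
```

The relay only ever handles `env`; reusing an IV under the same key breaks GCM, which is why `seal` draws a new one for every message.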
