Hardware wallets and "advanced" Bitcoin features [combined summary]



Individual post summaries: see the original discussion on the bitcoin-dev mailing list.

Published on: 2021-01-17T10:02:32+00:00


Summary:

Hardware wallets (HW) are an essential tool for protecting private keys against compromise of the user's other devices. The purpose of the email is to start a discussion on improving hardware wallets for all bitcoiners, beginning with the concerns that arose during the development of Revault, a vault protocol. The proposed improvements cover several areas: displaying the Bitcoin Script itself, recognizing pubkeys or xpubs that do not correspond to the device's own private keys, broader compatibility with Bitcoin features, tracking which inputs have already been signed, and a mechanism to verify that a "clawback" has been signed before the same input is used again. These enhancements matter most when the computer crafting the transaction may itself be compromised. Revault does not intend to manufacture hardware wallets; it hopes that existing and future manufacturers will implement strong security measures for their users.

The primary obstacle is that hardware wallets have no internet access. This becomes a problem when a clawback transaction must be broadcast at a specific block height: without connectivity, the hardware wallet cannot learn the current block height and must trust the software to execute the clawback. devrandom believes, however, that the required "liveness" can be achieved without compromising the air-gap too much: UTXO oracles attest to the UTXO set, a narrow optical or serial protocol carries messages across the air-gap between the node software and the signer, and operators are able to respond to liveness issues. Optionally, clock oracles using the roughtime protocol attest to the current time.
The signer periodically checks whether the funding UTXO has been spent, verifies that the spending transaction has been provided by the node, and signs a heartbeat message containing the current time where a reaction is required. The node software relays the signed heartbeat to the operators, who intervene manually if no heartbeat is detected. This setup is considered as secure as a USB hardware wallet connected to an online machine, and it accommodates intermittently connected signers in slow-moving channels or behind Tor. Lightning paper wallets, however, are not viable, because the network requires online participation.

The email emphasizes that the proposed improvements would benefit all bitcoin users while also catering to "layer 2" and pre-signed-transaction protocols; the aim is to start a discussion and iterate towards a more secure and user-friendly hardware ecosystem for the whole bitcoin community. The suggested enhancements are: displaying the Bitcoin Script itself, including its unlock conditions, whenever possible; recognizing pubkeys or xpubs for which the device holds no private key and labeling them accordingly; compatibility with advanced Bitcoin features; tracking previously signed inputs for protocols that require it; and a means of verifying that a "clawback" has been signed before the same input is used. Revault clarifies that its focus is vault protocol development rather than hardware wallet production, and it hopes manufacturers will adopt stronger security measures that benefit Revault users as well.

A significant concern raised in the email is the risk of poisoned inputs in hardware wallets and pre-signed-transaction protocols.
Spending any input of a (pre-signed) transaction renders the entire transaction invalid, which defeats the whole defense mechanism. To address this, the hardware wallet should keep track of inputs it has already signed once. Since most protocols require a specific signing order, a check that a "clawback" has been signed first with the same input would be highly beneficial. Maintaining state inside the hardware device, however, calls for a Merklized persistent data structure, with the bulk of the storage kept in trust-minimized software. The primary challenge remains the assumption that hardware wallets cannot have internet access, because clawback transactions often depend on specific block heights for broadcasting: a wallet that cannot go online does not know the current block height and so cannot broadcast the clawback on time. A delayed clawback gives the counterparty an advantage and can enable theft. Going online increases the attack surface, yet the blockchain is what proves that time has passed, so an active connection is needed to obtain that proof by looking up the block tip.

In summary, the email starts a discussion on improving hardware wallets for bitcoin users, beginning with the requirements of the Revault vault protocol. It highlights the importance of hardware wallets in mitigating device compromises and links to previous work on related issues. The proposed improvements cover output script parsing, pubkey interpretation, Bitcoin compatibility, tracking signed inputs, and verifying "clawback" signatures. While acknowledging the limited memory and computational power of secure elements, the author argues that these enhancements are crucial for decent security.
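To make the signed-input tracking and the clawback-first check concrete, here is an added Python sketch (my own illustration, not code from the email, from Revault or from any hardware wallet vendor). It assumes a constructed deposit outpoint, a simple "clawback" vs "spend" labelling of signing requests, and a plain hash commitment standing in for a real Merklized structure: the host keeps the signing history and the device stores only its digest.

```python
import hashlib
from dataclasses import dataclass

class PolicyError(Exception):
    """Raised when the simulated signer refuses to sign."""

@dataclass(frozen=True, order=True)
class Outpoint:
    txid: str
    vout: int

def commit(state):
    """Digest of the host-held signing history {Outpoint: kind}; the device keeps
    only this root (a stand-in for the Merklized structure discussed above)."""
    h = hashlib.sha256()
    for op, kind in sorted(state.items()):
        h.update(f"{op.txid}:{op.vout}:{kind}\n".encode())
    return h.hexdigest()

class Signer:
    def __init__(self):
        self.root = commit({})  # the only persistent state on the device

    def sign(self, host_state, inputs, kind):
        """kind is 'clawback' (pre-signed cancel) or 'spend'; returns the new state."""
        if commit(host_state) != self.root:
            raise PolicyError("host state does not match the committed root")
        for op in inputs:
            prev = host_state.get(op)
            if prev == "spend":
                raise PolicyError(f"{op} already signed in a spend: poisoned input")
            if kind == "spend" and prev != "clawback":
                raise PolicyError(f"{op}: a clawback must be signed before a spend")
        new_state = dict(host_state)
        for op in inputs:
            new_state[op] = kind  # 'spend' supersedes the 'clawback' marker
        self.root = commit(new_state)  # host persists new_state, device the root
        return new_state

def scenario():
    """Drive one constructed deposit outpoint through the signing order."""
    out, signer, state = [], Signer(), {}
    deposit = Outpoint("ab" * 32, 0)
    steps = [("spend", None), ("clawback", None), ("spend", None),
             ("spend", None), ("clawback", {})]  # last: host presents rolled-back state
    for kind, forged in steps:
        try:
            state = signer.sign(state if forged is None else forged, [deposit], kind)
            out.append(f"{kind}: signed")
        except PolicyError as e:
            out.append(f"{kind}: refused ({e})")
    return out
```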
The email concludes by reiterating that Revault does not plan to manufacture hardware wallets but hopes that manufacturers will adopt stronger security measures to benefit all bitcoin users.
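The heartbeat scheme described above (UTXO oracle, signer check, node relay, operator alarm), as an added Python sketch that is not code from the email or from any oracle or signer implementation. It assumes a constructed oracle attestation, HMAC-based stand-ins for the oracle's and the signer's signatures, and a `now` value supplied by a clock oracle or the node.

```python
import hashlib
import hmac
import json

# Constructed stand-in keys: a real deployment would use public-key signatures.
ORACLE_KEY = b"utxo-oracle-key"
SIGNER_KEY = b"signer-key"

def mac(key, body):
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def txid(raw_tx):
    return hashlib.sha256(raw_tx).hexdigest()  # stand-in for the real double-SHA256 txid

def oracle_attest(unspent, height):
    """UTXO oracle: attests which watched outpoints are unspent at a block height."""
    body = {"height": height, "unspent": sorted(unspent)}
    return {"body": body, "sig": mac(ORACLE_KEY, body)}

class Signer:
    def __init__(self, funding, expected_spends):
        self.funding = funding                  # watched outpoint, "txid:vout"
        self.expected_spends = expected_spends  # txids of spends the signer itself produced

    def heartbeat(self, attestation, spending_tx, now):
        """Periodic check; 'now' comes from a clock oracle or the node."""
        if not hmac.compare_digest(attestation["sig"], mac(ORACLE_KEY, attestation["body"])):
            raise ValueError("bad oracle attestation")
        body = attestation["body"]
        if self.funding in body["unspent"]:
            status = "unspent"
        elif spending_tx is None:
            raise ValueError("funding spent but node provided no spending transaction")
        elif txid(spending_tx) in self.expected_spends:
            status = "spent-expected"
        else:
            status = "spent-unexpected"  # the case in which the signer must react
        hb = {"time": now, "height": body["height"], "funding": self.funding, "status": status}
        return {"body": hb, "sig": mac(SIGNER_KEY, hb)}

def operator_check(heartbeat, now, max_age):
    """Operator side: alarm on a missing, forged, stale or alarming heartbeat."""
    if heartbeat is None:
        return "ALARM: no heartbeat"
    if not hmac.compare_digest(heartbeat["sig"], mac(SIGNER_KEY, heartbeat["body"])):
        return "ALARM: forged heartbeat"
    if now - heartbeat["body"]["time"] > max_age:
        return "ALARM: stale heartbeat"
    if heartbeat["body"]["status"] == "spent-unexpected":
        return "ALARM: unexpected spend of funding UTXO"
    return "ok"
```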


Updated on: 2023-08-02T03:02:18.094108+00:00