1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
|
Return-Path: <nadav@shesek.info>
Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133])
by lists.linuxfoundation.org (Postfix) with ESMTP id CFB73C002D
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 25 Apr 2022 17:27:24 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp2.osuosl.org (Postfix) with ESMTP id BD08D40A5D
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 25 Apr 2022 17:27:24 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -1.697
X-Spam-Level:
X-Spam-Status: No, score=-1.697 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1,
HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
SPF_NONE=0.001] autolearn=no autolearn_force=no
Authentication-Results: smtp2.osuosl.org (amavisd-new); dkim=neutral
reason="invalid (public key: not available)" header.d=shesek.info
Received: from smtp2.osuosl.org ([127.0.0.1])
by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id X956u1ehdKnX
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 25 Apr 2022 17:27:23 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from mail-io1-xd2f.google.com (mail-io1-xd2f.google.com
[IPv6:2607:f8b0:4864:20::d2f])
by smtp2.osuosl.org (Postfix) with ESMTPS id 3A17040503
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 25 Apr 2022 17:27:23 +0000 (UTC)
Received: by mail-io1-xd2f.google.com with SMTP id z19so12021409iof.12
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 25 Apr 2022 10:27:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=shesek.info; s=shesek;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
bh=fST5qO8dAmzj4ewEYpPweycoivZQpEnVlCR4km5TgH0=;
b=lJ4B3Tvzfi8aoC58j46Ku8owKNoQt9rCUUT4GS66Hy7aDYfEHyqi4Fz9/JjtcHdr/L
/s3rTdcRVIQ90AK2TcL1LHepzuD9fJyxzWz/Er6BS3rNMYHJlRkYOUhXMpCwQqiNkaUY
1rpSNVlaHLCRW287pvPNLKjaiini9F9ur1haw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to;
bh=fST5qO8dAmzj4ewEYpPweycoivZQpEnVlCR4km5TgH0=;
b=zteYwzxPLOzSVT9QOQhpUr7M4mS4m5ahdQlyYcDmE+IP+j3rnzmQw1zJZaV+4UPe1u
zflEmM6biXUPLAiSsy0nlxt+I0zkVHHSOjTHfFOdmB1Ofvdhpoaxh9oM34PpdIZyLDC9
TcSuR6fy1dJYjHpClilgsB6QCa8jmyo/V2KSOjKcPJqLQrLgS0O+buYhhhzyHsudeMlg
z7HuKMrr9m/KUkhOYz/GEPsSKYTChjLQLjEvlbw3K14fOhniK9LSg05aWcKqVDuzzC/t
gGknadfHexX0XD4ZLDZYoPUfRVUDLuOPEaEQLMm6Afo798iFmqeVhsoCYtKa0c4M+c+y
uxEA==
X-Gm-Message-State: AOAM532rhdpvKh9MLlQTxGH8jgUYx+LiXDJlkIWDfg3+wYhOaj3AE10J
fm03CMWHMCzwirCm62q9KUtv+a5DmMagfUNtzWhQl7RlbwSs2Pmp
X-Google-Smtp-Source: ABdhPJzn+H2Q5b6u1jKWQ86791R6yTk53KYexCh4rMv/LvIBBarG9I9vaamL6q44oS8bKGfpOxIxPhKIVJFJW2mqqHw=
X-Received: by 2002:a05:6638:c3:b0:32a:f5d0:5d58 with SMTP id
w3-20020a05663800c300b0032af5d05d58mr2049123jao.40.1650907642155; Mon, 25 Apr
2022 10:27:22 -0700 (PDT)
MIME-Version: 1.0
References: <64a34b4d46461da322be51b53ec2eb01@dtrt.org>
<d95eec37-269d-eefb-d191-e8234e4faed3@mattcorallo.com>
<4b252ef6f86bbd494a67683f6113f3fe@dtrt.org>
<c779648c-891d-b920-f85f-c617a0448997@mattcorallo.com>
<CAPfvXfJe6YHViquT8i+Kq2QUjZDZyUq24nKkJd2a6dYKgygxNQ@mail.gmail.com>
<CAMZUoK=GONdGwj34PcqjV5sFJBg+XqiSOHFk4aQoTgy00YFG=Q@mail.gmail.com>
<48a4546c-85b3-e9ff-83b5-60ba4eae2c76@mattcorallo.com>
<CAMZUoKniYvmtYXOOOqpDGyaEyzG5DObwbFQhvaYkndSnJUmvkg@mail.gmail.com>
<CAGpPWDaeKYABkK+StFXoxgWEhVGzqY02KPGOFjOtt9W8UPRr1A@mail.gmail.com>
In-Reply-To: <CAGpPWDaeKYABkK+StFXoxgWEhVGzqY02KPGOFjOtt9W8UPRr1A@mail.gmail.com>
From: Nadav Ivgi <nadav@shesek.info>
Date: Mon, 25 Apr 2022 20:27:11 +0300
Message-ID: <CAGXD5f1EzUh4rUcsvGE5BZi2az0yaXbTSvUrFp=o6DnQXTJLfw@mail.gmail.com>
To: Billy Tetrud <billy.tetrud@gmail.com>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="000000000000916ba405dd7de37d"
X-Mailman-Approved-At: Mon, 25 Apr 2022 17:31:22 +0000
Subject: Re: [bitcoin-dev] Vaulting (Was: Automatically reverting
("transitory") soft forks)
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Apr 2022 17:27:24 -0000
--000000000000916ba405dd7de37d
Content-Type: text/plain; charset="UTF-8"
On Mon, Apr 25, 2022 at 1:36 PM Billy Tetrud via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> If you unvault an output to your hot wallet, the thief could be lying in
wait, ready to steal those funds upon them landing.
One way to mitigate some of the risk is to split up your UTXOs so that your
hot wallet exposure is limited.
> However, if you compare it against a multisig wallet (eg 2 of 3), you can
see that while theft of a single key would never result in any theft in
that setup, it could in a CTV vault.
These are two orthogonal things though. You can have a CTV vault where the
hot key signer is a multisig to get the advantages of both. In this case
the addition of a CTV-based unvaulting procedure is an improvement compared
to not using it.
shesek
On Mon, Apr 25, 2022 at 1:36 PM Billy Tetrud via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> @Matt
> > both of which are somewhat frustrating limitations, but not security
> limitations, only practical ones.
>
> So I think the first limitation you mentioned (that if your hot wallet's
> key gets stolen you need) can be legitimately considered a security
> limitation. Not because you need to rotate your keys, but because you might
> *not know* your hot wallet key has been stolen. If you unvault an output to
> your hot wallet, the thief could be lying in wait, ready to steal those
> funds upon them landing. At that point, you would then know your hot wallet
> key was compromised and could rotate your vault keys in order to prevent
> further theft. However, the fact that there is a clear theft vulnerability
> is something I would say should be considered a "security limitation".
>
> As you mentioned, this is of course also a security limitation of a hot
> wallet, so this setup definitely has a lot of advantages over a simple hot
> wallet. However, if you compare it against a multisig wallet (eg 2 of 3),
> you can see that while theft of a single key would never result in any
> theft in that setup, it could in a CTV vault. The other trade offs there
> are ones of practicality and convenience.
>
> This isn't to say a CTV vault wouldn't be useful. Just that it has
> significant trade offs.
>
> @Russel
> > the original MES vault .. commits to the destination address during
> unvaulting
>
> I see. Looking at the MES16 paper, OP_COV isn't described clearly enough
> for me to understand that it does that. However, I can imagine how it
> *might* do that.
>
> One possibility is that the intended destination is predetermined and
> hardcoded. This wouldn't be very useful, and also wouldn't be different
> than how CTV could do it, so I assume that isn't what you envisioned this
> doing.
>
> I can imagine instead that the definition of the pattern could be
> specified as a number indicating the number of stack items in the pattern,
> followed by that number of stack items. If that's how it is done, I can see
> the user inputting an intended destination script (corresponding to the
> intended destination address) which would then be somehow rotated in to the
> right spot within the pattern, allowing the pattern to specify the coins
> eventually reaching an address with that script. However, this could be
> quite cumbersome, and would require fully specifying the scripts along the
> covenant pathways leading to a fair amount of information duplication
> (since scripts must be specified both in the covenant and in spending the
> subsequent output). Both of these things would seem to make OP_COV in
> practice quite an expensive opcode to spend with. It also means that, since
> the transactor must fully specify the script, its not possible to take
> advantage of taproot's script hiding capabilities (were it to send to a
> taproot address).
>
> However, my assumptions might be incorrect. If you think OP_COV would be a
> useful opcode, I would encourage you to write up a complete specification.
>
> > What ways can we build a secured vault that commits to the destination
> address?
>
> Some kind of passed-through state allows doing this. With OP_COV (if my
> assumptions above are correct), the intended destination can be passed
> through the output script pattern(s). With my own proposed
> op_pushoutputstack
> <https://github.com/fresheneesz/bip-efficient-bitcoin-vaults/blob/main/pos/bip-pushoutputstack.md>,
> state is passed as an attachment on the output more directly. Curious what
> you think about that proposal.
>
> > Are there elegant ways of building secure vaults by using CTV plus
> something else.
>
> Since CTV predefines all the transactions that can happen under its
> control, passed state like this can't help because any dynamic state would
> change the template and render the CTV transaction invalid. I don't see any
> way of solving this problem for CTV.
>
> I'm curious how you think op_cat could enable this with CTV (other than
> the cat+schnorr tricks that don't require CTV at all).
>
>
>
> On Sat, Apr 23, 2022 at 2:31 PM Russell O'Connor via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Okay, Matt explained to me the intended application of CTV vaults off
>> list, so I have a better understanding now.
>>
>> The CTV vault scheme is designed as an improvement over the traditional
>> management of hot-wallets and cold-wallets. The CTV vault is logically on
>> the "cold-side" and lets funds be sent from the "cold" side to *one's own*
>> the hot wallet after the unvaulting delay. In this case, the hot wallet
>> funds are always at risk, so it isn't unexpected that those funds could be
>> stolen. After all, that is how hot wallets are today. The advantage is
>> that funds can be moved from the "cold" side without needing to dig out the
>> cold keys.
>>
>> The MES vault scheme applies to a different scenario. In the MES case it
>> is the hot funds are inside the vault, and it is the hot key that unvaults
>> the funds and sends them to *customer's addresses* after a delay. If the
>> hot-key is used in any unauthorised way, then funds can be sent to the
>> address of the cold key (the MES vault actually does something fancy in
>> case of recovery, but it could be adapted to simply send funds to a cold
>> wallet).
>>
>> The MES vault lie somewhere between "better" and "different" when
>> compared to the CTV vault. If one is unwilling to use the MES vault on the
>> hot side and have every withdrawl vetted, then, while you could use the MES
>> design on the cold side like the CTV vault, it wouldn't really offer you
>> any advantages over a CTV vault. However, if you are interested in
>> managing all your payments through a vault (as I've been imagining) then
>> the CTV vault comes across as ineffective when compared to an MES style
>> vault.
>>
>> On Sat, Apr 23, 2022 at 2:24 PM Matt Corallo <lf-lists@mattcorallo.com>
>> wrote:
>>
>>> Still trying to make sure I understand this concern, let me know if I
>>> get this all wrong.
>>>
>>> On 4/22/22 10:25 AM, Russell O'Connor via bitcoin-dev wrote:
>>> > It's not the attackers *only choice to succeed*. If an attacker
>>> steals the hot key, then they have
>>> > the option to simply wait for the user to unvault their funds of their
>>> own accord and then race /
>>> > outspend the users transaction with their own. Indeed, this is what
>>> we expect would happen in the
>>> > dark forest.
>>>
>>> Right, a key security assumption of the CTV-based vaults would be that
>>> you MUST NOT EVER withdraw
>>> more in one go than your hot wallet risk tolerance, but given that your
>>> attack isn't any worse than
>>> simply stealing the hot wallet key immediately after a withdraw.
>>>
>>> It does have the drawback that if you ever get a hot wallet key stole
>>> you have to rotate all of your
>>> CTV outputs and your CTV outputs must never be any larger than your hot
>>> wallet risk tolerance
>>> amount, both of which are somewhat frustrating limitations, but not
>>> security limitations, only
>>> practical ones.
>>>
>>> > And that's not even mentioning the issues already noted by the
>>> document regarding fee management,
>>> > which would likely also benefit from a less constrained design for
>>> covenants.
>>>
>>> Of course I've always been in favor of a less constrained covenants
>>> design from day one for ten
>>> reasons, but that's a whole other rabbit hole :)
>>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
--000000000000916ba405dd7de37d
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div dir=3D"ltr"><div>On Mon, Apr 25, 2022 at 1:36 PM Bill=
y Tetrud via bitcoin-dev <<a href=3D"mailto:bitcoin-dev@lists.linuxfound=
ation.org">bitcoin-dev@lists.linuxfoundation.org</a>> wrote:</div><div><=
br></div><div>> If you unvault an output to your hot wallet, the thief c=
ould be lying in wait, ready to steal those funds upon them landing.</div><=
div><br></div><div>One way to mitigate some of the risk is to split up your=
UTXOs so that your hot wallet exposure is limited.</div><div><br></div><di=
v>> However, if you compare it against a multisig wallet (eg 2 of 3), yo=
u=20
can see that while theft of a single key would never result in any theft
in that setup, it could in a CTV vault.</div><div><br></div><div>These are=
two orthogonal things though. You can have a CTV vault where the hot key s=
igner is a multisig to get the advantages of both. In this case the additio=
n of a CTV-based unvaulting procedure is an improvement compared to not usi=
ng it.</div><div><br></div><div>shesek<br></div></div><br><div class=3D"gma=
il_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Mon, Apr 25, 2022 at 1:3=
6 PM Billy Tetrud via bitcoin-dev <<a href=3D"mailto:bitcoin-dev@lists.l=
inuxfoundation.org">bitcoin-dev@lists.linuxfoundation.org</a>> wrote:<br=
></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;=
border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><=
div>@Matt<br></div>>=C2=A0
both of which are somewhat frustrating limitations, but not security limita=
tions, only practical ones.<div><br></div><div>So I think the first limitat=
ion you mentioned (that if your hot wallet's key gets stolen you need) =
can be legitimately considered a security limitation. Not because you need =
to rotate=C2=A0your keys, but because you might *not know* your hot wallet =
key has been stolen. If you unvault an output to your hot wallet, the thief=
=C2=A0could be lying in wait, ready to steal those funds upon them landing.=
At that point, you would then know your hot wallet key was compromised and=
could rotate your vault keys in order to prevent further theft. However, t=
he fact that there is a clear theft vulnerability is something I would say =
should be considered a "security limitation".=C2=A0</div><div><br=
></div><div>As you mentioned, this is of course also a security limitation =
of a hot wallet, so this setup definitely has a lot of advantages over a si=
mple hot wallet. However, if you compare it against a multisig wallet (eg 2=
of 3), you can see that while theft of a single key would never result in =
any theft in that setup, it could in a CTV vault. The other trade offs ther=
e are ones of practicality and convenience.</div><div><br></div><div>This i=
sn't to say a CTV vault wouldn't be useful. Just that it has signif=
icant trade offs.=C2=A0</div><div><br></div><div>@Russel<br></div><div>>=
the original MES vault ..=C2=A0commits to the destination address during u=
nvaulting</div><div><br></div><div>I see. Looking at the MES16 paper, OP_CO=
V isn't described clearly enough for me to understand that it does that=
. However, I can imagine how it *might* do that.=C2=A0</div><div><br></div>=
<div>One possibility is that the intended destination is predetermined and =
hardcoded. This wouldn't be very useful, and also wouldn't be diffe=
rent than how CTV could do it, so I assume that isn't what you envision=
ed this doing.</div><div><br></div><div>I can imagine instead that the defi=
nition of the pattern could be specified as a number indicating the number =
of stack items in the pattern, followed by that number of stack items. If t=
hat's how it is done, I can see the user inputting an intended destinat=
ion script (corresponding to the intended destination address) which would =
then be somehow rotated in to the right spot within the pattern, allowing t=
he pattern to specify the coins eventually reaching an address with that sc=
ript. However, this could be quite cumbersome, and would require fully spec=
ifying the scripts along the covenant pathways leading to a fair amount of =
information duplication (since scripts must be specified both in the covena=
nt and in spending the subsequent output). Both of these things would seem =
to make OP_COV in practice quite an expensive opcode to spend with. It also=
means that, since the transactor must fully specify the script, its not po=
ssible to take advantage of taproot's=C2=A0script hiding capabilities (=
were it to send to a taproot address).=C2=A0</div><div><br></div><div>Howev=
er, my assumptions might be incorrect. If you think OP_COV would be a usefu=
l opcode, I would encourage you to write up a complete specification.</div>=
<div><br></div><div>> What ways can we build a secured vault that commit=
s to the destination address?<br></div><div><br></div><div>Some kind of pas=
sed-through state allows doing this. With OP_COV (if my assumptions above a=
re correct), the intended destination can be passed through the output scri=
pt pattern(s). With my own proposed=C2=A0<a href=3D"https://github.com/fres=
heneesz/bip-efficient-bitcoin-vaults/blob/main/pos/bip-pushoutputstack.md" =
target=3D"_blank">op_pushoutputstack</a>, state is passed as an attachment =
on the output more directly. Curious what you think about that proposal.<br=
></div><div><br></div><div>> Are there elegant ways of building secure v=
aults by using CTV plus something else.</div><div><br></div><div>Since CTV =
predefines all the transactions that can happen under its control, passed s=
tate like this can't help because any dynamic state would change the te=
mplate and render the CTV transaction invalid. I don't see any way of s=
olving this problem for CTV.=C2=A0=C2=A0</div><div><br></div><div>I'm c=
urious how you think op_cat could enable this with CTV (other than the cat+=
schnorr tricks that don't require CTV at all).</div><div><br></div><div=
><br></div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"g=
mail_attr">On Sat, Apr 23, 2022 at 2:31 PM Russell O'Connor via bitcoin=
-dev <<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D=
"_blank">bitcoin-dev@lists.linuxfoundation.org</a>> wrote:<br></div><blo=
ckquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left=
:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div>Okay, M=
att explained to me the intended application of CTV vaults off list, so I h=
ave a better understanding now.</div><div><br></div><div>The CTV vault sche=
me is designed as an improvement over the traditional management of hot-wal=
lets and cold-wallets.=C2=A0 The CTV vault is logically on the "cold-s=
ide" and lets funds be sent from the "cold" side to *one'=
;s own* the hot wallet after the unvaulting delay.=C2=A0 In this case, the =
hot wallet funds are always at risk, so it isn't unexpected that those =
funds could be stolen.=C2=A0 After all, that is how hot wallets are today.=
=C2=A0 The advantage is that funds can be moved from the "cold" s=
ide without needing to dig out the cold keys.<br></div><div><br></div><div>=
The MES vault scheme applies to a different scenario.=C2=A0 In the MES case=
it is the hot funds are inside the vault, and it is the hot key that unvau=
lts the funds and sends them to *customer's addresses* after a delay.=
=C2=A0 If the hot-key is used in any unauthorised way, then funds can be se=
nt to the address of the cold key (the MES vault actually does something fa=
ncy in case of recovery, but it could be adapted to simply send funds to a =
cold wallet).</div><div><br></div><div>The MES vault lie somewhere between =
"better" and "different" when compared to the CTV vault=
.=C2=A0 If one is unwilling to use the MES vault on the hot side and have e=
very withdrawl vetted, then, while you could use the MES design on the cold=
side like the CTV vault, it wouldn't really offer you any advantages o=
ver a CTV vault.=C2=A0 However, if you are interested in managing all your =
payments through a vault (as I've been imagining) then the CTV vault co=
mes across as ineffective when compared to an MES style vault.<br></div><br=
><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Sat, A=
pr 23, 2022 at 2:24 PM Matt Corallo <<a href=3D"mailto:lf-lists@mattcora=
llo.com" target=3D"_blank">lf-lists@mattcorallo.com</a>> wrote:<br></div=
><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border=
-left:1px solid rgb(204,204,204);padding-left:1ex">Still trying to make sur=
e I understand this concern, let me know if I get this all wrong.<br>
<br>
On 4/22/22 10:25 AM, Russell O'Connor via bitcoin-dev wrote:<br>
> It's not the attackers *only choice to succeed*.=C2=A0 If an attac=
ker steals the hot key, then they have <br>
> the option to simply wait for the user to unvault their funds of their=
own accord and then race / <br>
> outspend the users transaction with their own.=C2=A0 Indeed, this is w=
hat we expect would happen in the <br>
> dark forest.<br>
<br>
Right, a key security assumption of the CTV-based vaults would be that you =
MUST NOT EVER withdraw <br>
more in one go than your hot wallet risk tolerance, but given that your att=
ack isn't any worse than <br>
simply stealing the hot wallet key immediately after a withdraw.<br>
<br>
It does have the drawback that if you ever get a hot wallet key stole you h=
ave to rotate all of your <br>
CTV outputs and your CTV outputs must never be any larger than your hot wal=
let risk tolerance <br>
amount, both of which are somewhat frustrating limitations, but not securit=
y limitations, only <br>
practical ones.<br>
<br>
> And that's not even mentioning the issues already noted by the doc=
ument regarding fee management, <br>
> which would likely also benefit from a less constrained design for cov=
enants.<br>
<br>
Of course I've always been in favor of a less constrained covenants des=
ign from day one for ten <br>
reasons, but that's a whole other rabbit hole :)<br>
</blockquote></div></div>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div></div>
--000000000000916ba405dd7de37d--
|