summaryrefslogtreecommitdiff
path: root/67/372fa11b773c14d0467cb7e9a3403a4a78c9da
blob: e1dd7cf0bf82d3924e4a80c42ea465440dedf720 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
Return-Path: <miron@hyper.to>
Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 8DF8BC013A
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Sun, 17 Jan 2021 02:47:10 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by fraxinus.osuosl.org (Postfix) with ESMTP id 7579F86108
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Sun, 17 Jan 2021 02:47:10 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from fraxinus.osuosl.org ([127.0.0.1])
 by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id Xc4WZiT02GUA
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Sun, 17 Jan 2021 02:47:08 +0000 (UTC)
X-Greylist: delayed 00:06:09 by SQLgrey-1.7.6
Received: from mail-ej1-f52.google.com (mail-ej1-f52.google.com
 [209.85.218.52])
 by fraxinus.osuosl.org (Postfix) with ESMTPS id CE4B9860AD
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Sun, 17 Jan 2021 02:47:07 +0000 (UTC)
Received: by mail-ej1-f52.google.com with SMTP id a10so2253059ejg.10
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Sat, 16 Jan 2021 18:47:07 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=x8rbOfTi3iu04pyxE7RTx9rLXesHsg8Kvl4EKRXGEug=;
 b=LyOg1479OSUDBW9lgpfzW3dm9chnufGB24b51qPGRT2vPUoDKAXZbIzEKLt8/IyyST
 x7DaAtaenRBlPt3zkBT/JFXMOsRpUcfKRpX9jcT679Gvr3ch3wKW0KJ7eu4E+p2Aj+Lz
 WIqvJKiQVabsrNzJF5rYXaqQFad04XwYJtuq/1Y3f1/ONt7D4XM5pjo2mYeK4Wcn+MYl
 CS03kC0gXrhy27g7+eoVx3wTKYcFHA7/u9ch6znH9At4roOvvVoXgzV9FlzXq9z6Ltem
 Ikl8rcE7WvSCFP/qldNNcPR54v0B+dH06ipoZpbHI6kqJzJ001s/HggXScZq+1nqo1Qr
 SOSw==
X-Gm-Message-State: AOAM531XICzc1Fv3Evvf36STlXueb4K/ATOZg9YsjUOTz7LxEsRw4b62
 hi0Gd3U73Iu0Z5fd+6hS1tEku1nfhZJf09ItFZyw/a8GT/TFUTSH580=
X-Google-Smtp-Source: ABdhPJwY9fE1dQ4AAhfrcv/mH5/ZOSwkEUdHqi+uM5E3C/GfQ4GdKFVY3jQBJxOzDsEAbJgh7sRqaFUjlVS1Iqyna8k=
X-Received: by 2002:a17:906:cf81:: with SMTP id
 um1mr13771386ejb.122.1610851256160; 
 Sat, 16 Jan 2021 18:40:56 -0800 (PST)
MIME-Version: 1.0
References: <da42f7e09cabcaa935bce4036340ef14f4bf454c.camel@revault.dev>
 <IUjfIb-kgkDrL-Lq2aezCk5sjSoICBCUEZbchHqLDFStputPn0Y8xmPHdIwg6tEwZIMI-075CMO1jwy4FgIhhTgDclpdJXwRYlrESFDqfSc=@protonmail.com>
In-Reply-To: <IUjfIb-kgkDrL-Lq2aezCk5sjSoICBCUEZbchHqLDFStputPn0Y8xmPHdIwg6tEwZIMI-075CMO1jwy4FgIhhTgDclpdJXwRYlrESFDqfSc=@protonmail.com>
From: Devrandom <c1.bitcoin@niftybox.net>
Date: Sat, 16 Jan 2021 18:40:44 -0800
Message-ID: <CAB0O3SWvARDpdPt562SY-p+FE63rhEYg_DGEVJsBnmG-pdkw5Q@mail.gmail.com>
To: ZmnSCPxj <ZmnSCPxj@protonmail.com>, 
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="000000000000e8e9e605b90f8888"
X-Mailman-Approved-At: Sun, 17 Jan 2021 02:50:30 +0000
Subject: Re: [bitcoin-dev] Hardware wallets and "advanced" Bitcoin features
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Jan 2021 02:47:10 -0000

--000000000000e8e9e605b90f8888
Content-Type: text/plain; charset="UTF-8"

Dear ZmnSCPxj,

On Thu, Jan 14, 2021 at 4:28 PM ZmnSCPxj via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> The primary issue here is that we have a base assumption that the hardware
> wallet cannot be sophisticated enough to have Internet access; "do not
> enter seed words on an online device", as the typical advice goes.
> Most clawback transactions are time-based, and *must* be broadcast at a
> particular blockheight.
> Yet if the hardware wallet cannot be an online device, then it cannot know
> the current blockheight is now at a time when the clawback transaction
> *must* be broadcast.
>
> Thus, the hardware must always tr\*st the software to actually perform the
> clawback in that case.
>

I believe it is possible to achieve much of the desired "liveness"
requirements without compromising too much on the air-gap.  The solution
requires the following:

- a set of UTXO oracles which attest to the UTXO set
- optionally, a set of clock oracles which attest to the current time (e.g.
using the roughtime protocol)
- an air-gap connection between the node software and the signer, e.g.
using a narrow optical or serial protocol
- a set of operators that can react to lack of liveness

The Signer performs the following steps periodically:

- if the funding UTXO has not been spent (per oracle attestation), proceed
normally with any channel commitment signing
- if the funding UTXO has been spent, ensure that the node provided the
spending tx, and check if there is any reaction needed (e.g. a justice tx
is needed)
- if a reaction is needed, ensure that there is a further spend within a
certain deadline (shorter than the CSV/CLTV deadline)
- if there is no deadline violation, sign a heartbeat message with the
current time (either from a local clock or from oracle clock)

The node software then relays the signed heartbeat message to the
operators, e.g. through Tor.  If a heartbeat is not seen by the operators,
they manually intervene (e.g. by standing up a clean node).

Of course, we will never have Lightning paper wallets, by definition, since
you can't participate in the network without being online.  But the above
setup seems to be at least as secure as USB hardware wallets attached to
online machines.  You could even have intermittently connected signers for
slow-moving channels, or signers behind Tor, etc. .

--
devrandom

--000000000000e8e9e605b90f8888
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Dear ZmnSCPxj,</div><br><div class=3D"gmail_quote"><d=
iv dir=3D"ltr" class=3D"gmail_attr">On Thu, Jan 14, 2021 at 4:28 PM ZmnSCPx=
j via bitcoin-dev &lt;<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.o=
rg">bitcoin-dev@lists.linuxfoundation.org</a>&gt; wrote:<br></div><blockquo=
te class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px =
solid rgb(204,204,204);padding-left:1ex">The primary issue here is that we =
have a base assumption that the hardware wallet cannot be sophisticated eno=
ugh to have Internet access; &quot;do not enter seed words on an online dev=
ice&quot;, as the typical advice goes.<br>
Most clawback transactions are time-based, and *must* be broadcast at a par=
ticular blockheight.<br>
Yet if the hardware wallet cannot be an online device, then it cannot know =
the current blockheight is now at a time when the clawback transaction *mus=
t* be broadcast.<br>
<br>
Thus, the hardware must always tr\*st the software to actually perform the =
clawback in that case.<br></blockquote><div><br></div><div>I believe it is =
possible to achieve much of the desired &quot;liveness&quot; requirements w=
ithout compromising too much on the air-gap.=C2=A0 The solution requires th=
e following:</div><div><br></div><div><div>- a set of UTXO oracles which at=
test to the UTXO set</div>- optionally, a set of clock oracles which attest=
 to the current time (e.g. using the roughtime protocol)<br></div><div>- an=
 air-gap connection between the node software and the signer, e.g. using a =
narrow optical or serial protocol</div><div>- a set of operators that can r=
eact to lack of liveness<br></div><div><br></div><div>The Signer performs t=
he following steps periodically:</div><div><br></div><div>- if the funding =
UTXO has not been spent (per oracle attestation), proceed normally with any=
 channel commitment signing<br></div><div>- if the funding UTXO has been sp=
ent, ensure that the node provided the spending tx, and check if there is a=
ny reaction needed (e.g. a justice tx is needed)<br></div><div>- if a react=
ion is needed, ensure that there is a further spend within a certain deadli=
ne (shorter than the CSV/CLTV deadline)</div><div>- if there is no deadline=
 violation, sign a heartbeat message with the current time (either from a l=
ocal clock or from oracle clock)</div><div><br></div><div>The node software=
 then relays the signed heartbeat message to the operators, e.g. through To=
r.=C2=A0 If a heartbeat is not seen by the operators, they manually interve=
ne (e.g. by standing up a clean node).</div><div><br></div><div>Of course, =
we will never have Lightning paper wallets, by definition, since you can&#3=
9;t participate in the network without being online.=C2=A0 But the above se=
tup seems to be at least as secure as USB hardware wallets attached to onli=
ne machines.=C2=A0 You could even have intermittently connected signers for=
 slow-moving channels, or signers behind Tor, etc. .</div><div><br></div><d=
iv>--</div><div>devrandom</div><div><br></div></div></div>

--000000000000e8e9e605b90f8888--