Hello everyone,

I would like to start a discussion on improving Hardware Wallets.

While I mainly foresee issues/improvements that may affect Revault, I would be really happy to see people joining this thread with any other ideas and remarks that would benefit some parts of Bitcoin that I overlooked. The goal is to spark discussions and hopefully iterate to a more secure and more usable hardware ecosystem for all bitcoiners.

Feel free to reply with your comments or adding suggestions, I am not a hardware wallet expert and would take criticism without being offended.

This email discusses improvements that would benefit everyone, and some that are more suitable for “layer 2” or pre-signed transactions protocols.

The postulate we start from is that Hardware Wallets (HW) are useful to mitigate the compromission of the day-to-day device of a user. If you don’t assume the computer on which the transaction is crafted is compromised, then you don’t need a hardware wallet. If you assume it may be compromised, then the HW needs to be able to defend against those. They mainly prevent private-key extraction today, and aren’t very suitable against an attack on the transaction being signed, as explained further.

Problem: A typical HW today would display the “destination” of a transaction in the form of a bitcoin address. This is weak security and bad user experience. The correct usage would be for a user to verify this address on a third device (mobile phone, for example). Kind of annoying for a signing device.

Proposed improvement: The HW should display the Bitcoin Script itself when possible (including the unlock conditions). The best way to do so would be to lift this Script to a more user-friendly format such as a MiniScript Policy display, but anything would be better than an “address”.

Proposed improvement: The HW could know pubkeys or xpubs it does not hold the private keys for, and display a label (or understand it for logic reasons, such as “expected pubkeys” as the previous example). Going further, the xpubs could be aliased the first time they are entered/verified (as part of, say, an initial setup ceremony) for instance with the previously mentioned Miniscript policy: or(pk(Alice), and(pk(Bob), after(42))). Typically for Revault, the HW could display: “Unvault Transaction, all expected pubkeys present in the script”.

Problem: Most pre-signed transactions protocols are used today as a form of defense mechanism, spending any input would mean incapacitating the entire defense mechanism. Once any input of a (pre-signed) transaction is spent, this transaction isn’t valid anymore. This applies to pre-signed transaction protocols especially well as the template of these transactions could be known and recognized by the HW. While this can be exploited for fee attacks, it is a bigger threat to pre-signed transactions protocols.

Proposed improvement: for protocols that require it, keeping track of inputs already signed once would be extremely helpful. Going further, most of these protocols require following a specific signing order (typically the “clawback” first, then the regular spend path) so adding a way to check that a “clawback” has been signed first, with the same input, would be very helpful.

I understand some of these changes may be very difficult, especially given the low memory and computational power of secure elements. However I truly believe most of these points are a MUST have for any decent security. Vault users will likely hold very large sums and would be happy to pay a high premium for more secure HW. This will hopefully encourage existing players to keep on improving their devices and that will ultimately benefit us all. Revault does not plan on building hardware wallets, we hope existing and upcoming manufacturers will implement a strong security that we could use for the Revault protocol users.
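As an added illustration (not code from this email, from Revault, or from any wallet vendor), a small Python model of the per-input bookkeeping the last two proposals describe: the device records which pre-signed template it has already signed on each outpoint, refuses the regular spend path until the clawback on the same input has been signed, and refuses to sign a conflicting template on an input it has already signed, since that would invalidate the earlier pre-signed transaction. It also checks that every aliased "expected pubkey" appears in the script. Outpoints, template ids and key aliases are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# A constructed stand-in for a Bitcoin outpoint (txid, output index).
@dataclass(frozen=True)
class OutPoint:
    txid: str
    vout: int

@dataclass
class SigningGuard:
    """Per-input state a signing device could keep (illustrative model)."""
    # outpoint -> {role: template id already signed under that role}
    signed: Dict[OutPoint, Dict[str, str]] = field(default_factory=dict)

    def request(self, outpoint: OutPoint, role: str, template_id: str) -> Tuple[bool, str]:
        """Decide whether signing `template_id` on `outpoint` under `role` is allowed."""
        if role not in ("clawback", "spend"):
            return False, f"refuse: unknown transaction role {role!r}"
        history = self.signed.setdefault(outpoint, {})
        # Signing order: the clawback must exist before the regular spend path.
        if role == "spend" and "clawback" not in history:
            return False, "refuse: clawback for this input has not been signed yet"
        # Double-signing: a different template for the same role would let the
        # input be spent in a way that invalidates the already-signed transaction.
        prior = history.get(role)
        if prior is not None and prior != template_id:
            return False, f"refuse: input already signed for {role} template {prior}"
        history[role] = template_id
        return True, "ok"

def expected_keys_present(script_keys: Set[str], aliases: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (all present, missing aliases) for keys the device knows but does not hold."""
    missing = [alias for alias, key in aliases.items() if key not in script_keys]
    return (not missing), missing

if __name__ == "__main__":
    guard = SigningGuard()
    op = OutPoint("00" * 32, 0)  # constructed outpoint
    print(guard.request(op, "spend", "spend-v1"))       # refused: clawback first
    print(guard.request(op, "clawback", "cancel-v1"))   # ok
    print(guard.request(op, "spend", "spend-v1"))       # ok
    print(guard.request(op, "clawback", "cancel-v2"))   # refused: conflicting template
    print(expected_keys_present({"K_alice", "K_bob"}, {"Alice": "K_alice", "Bob": "K_bob"}))
```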