Cornell IC3 Researchers Propose Solution to Bitcoin’s Multisig “Paralysis” Problem
Owning cryptocurrency comes with its own set of challenges. One of the biggest of those challenges is managing the private keys that enable you to spend funds. Lose your private keys, and your money is gone.
In a business environment, a common way to manage funds owned by multiple people is via what’s called a multisignature (multisig) address, a type of smart contract requiring two or more parties to sign off on a transaction to move the funds.
This can be problematic, however. Let’s say you have a three-of-three multisig that requires you and two business partners to sign off on a transaction. If one person dies, disappears or becomes incapacitated, those assets become frozen — a risk some might feel uncomfortable with when dealing with tens of thousands of dollars or more.
One way to ameliorate that risk might be to opt for a two-of-three multisig, where only two instead of all three individuals need to sign off on a transaction. But that’s not a complete solution either. Two players could conspire against the other one and run off with the money.
What now? If your funds are on the Ethereum blockchain, you could write a smart contract that would allow you to free the funds if one person in your trio disappeared.
However, Bitcoin with its limited scripting language makes things more difficult. “This seems like an unsolvable problem if you think about the traditional tools,” said Ari Juels, a professor at Cornell Tech and co-director of the Cornell Initiative for Cryptocurrencies and Contracts (IC3).
In a paper titled “Paralysis Proofs: How to Prevent Your Bitcoin from Vanishing,” researchers Fan Zhang, Phil Daian, Iddo Bentov and Ari Juels from the IC3 outline how to deal with what happens when a party is unable, or unwilling, to sign off on a multisig transaction in Bitcoin. The solution involves a combination of blockchain technology and trusted hardware — Intel SGX, in this case.
Trusted hardware allows you to run code inside a protected enclave. Even a computer’s own operating system is unable to access data inside an enclave, so if your computer were to be hacked, the code in the enclave would remain secure.
IC3’s solution proposes replacing a trusted third party, such as a lawyer or a bank, who would put money in an escrow, with a trusted hardware solution that retains control of a master key to the funds.
If one of the three people in the contract dies, the other two initiate a “paralysis proof.” That proof is based on a challenge sent to the missing third person. If the missing person responds to the challenge, the money stays put. If the missing person does not respond, the trusted hardware releases the funds to the remaining two players.
Trusted hardware is only part of the solution, however. If the third person were to try and respond to the challenge request with an indication she is still alive, conceivably, the other players could intercept that message. To ensure that does not happen, the second half of IC3’s solution involves sending the message via the blockchain, which provides a tamper-proof and censorship-resistant medium.
“By combining these two [methods], we can achieve the exact properties we’re after,” Juels explained to Bitcoin Magazine. “We can enable trusted hardware to determine whether or not somebody is alive, and there is no way to prevent a relevant message from getting transmitted if it is coming through the blockchain.”
How It Works
Put simply, this is how to achieve a paralysis proof as outlined by the IC3 researchers:
- Two players suspect a third is dead, so they post a challenge on the blockchain. The challenge consists of a tiny “dust” UTXO that the third person must spend within a certain period of time, say 24 hours, to prove she is alive.
- The two players also get a “seize” transaction they may post to the blockchain later to collect the funds, if the third person does not respond to the challenge.
- If the third person sends back a response by spending the UTXO, the game is over; the two others are not able to take control of the funds.
- Alternatively, if the third person does not return an “alive” signal by spending the UTXO before the time-out, then the two others can use the “seize” transaction to take control of the funds.
This not the only use case for a paralysis-proof system. Juels thinks the solution would work well in any situation that called for a controlled access to private keys that could not otherwise be maintained on a blockchain. “It is actually a very general scheme you could use for lots of other purposes,” he said.
For instance, a paralysis-proof system could be used as a dead man’s switch for control over the release (or decryption) of leaked information or a journalist’s raw materials. It could also be used in numerous ways to control daily spending limits from a common pool of money or as a conditioned expenditure based on an outside event (as reported by an oracle), like a student getting good grades or a salesperson meeting a sales quota.
“Basically, you can a rich set of conditions around the expenditure of money using the fact that a trusted hardware kind of acts like a trusted third party,” said Juels.