How Segregated Witness Is About to Fix Hardware Wallets
Bitcoin Core launched its latest software release last week, which includes a proposed Segregated Witness soft fork. If a majority of miners signal support for the proposal, Segregated Witness will activate on the Bitcoin network — perhaps as soon as December. This would offer several benefits, including an effective block size limit increase, a malleability fix and more.
A lesser known benefit is that input amounts of transactions — the amount of bitcoins being sent — will for the first time be cryptographically signed by users: a small change, but according to Ledger CTO Nicolas Bacca, “this fixes one of the biggest issues hardware wallets are faced with today.”
All Bitcoin transactions send bitcoins from “inputs” to “outputs,” where inputs specify from which Bitcoin-addresses bitcoins are sent, and outputs refer to receiving addresses.
Naturally, all inputs must contain at least as many bitcoins as all outputs. A sender can’t create bitcoins out of thin air.
In fact, however, inputs typically contain slightly more bitcoins than the outputs. That difference is the mining fee. So if all inputs are worth one BTC, and all outputs are worth 0.999 BTC, whomever mines the transaction can attribute himself the remaining 0.001 BTC.
But currently there’s an odd quirk. While outputs specifically contain explicit amounts, inputs do not. That’s not really a problem, because each input relies on a previous transaction. Bitcoin wallets can therefore look up how much a specific input contains by checking the blockchain.
The exception is hardware wallets, Bacca explained to Bitcoin Magazine:
“Hardware wallets don’t store the entire blockchain, nor do they have access to the Bitcoin network directly. Instead, to collect the transaction history, they connect to software that does. They connect to the Bitcoin network through wallets running on desktop computers, for instance. Or web-wallets.”
In many ways, this is not a problem. The hardware wallet generates a transaction, spending a certain amount of bitcoins to certain addresses. Only if the user really wants to send this amount of bitcoins to these addresses, will he sign the transaction. There is no risk of sending too many funds to the outputs.
But this still leaves open the risk of a “fee attack,” Bitcoin Core and Digital Bitbox developer, Jonas Schnelli, told Bitcoin Magazine:
“As a simple example, let’s say your computer is compromised by a Trojan horse. When sending funds from your hardware wallet, this Trojan horse increases the input amounts, or adds extra inputs, without revealing this to the user. Through the hardware wallet, the user then confirms that the outputs check out, as do the output amounts, and signs the transaction. Little does he know, the inputs contained much more bitcoins than needed for the transactions; perhaps even all bitcoins stored on the hardware wallet. All these bitcoins are then all attributed to the miner, as a huge fee.”
While perhaps unlikely, this risk defeats an important purpose of hardware wallets. After all, the idea is that these devices cannot be hacked into, even if used in combination with an insecure computer.
A countermeasure to this “fee attack” does exist. Hardware wallets can fetch a previous transaction from the blockchain through the software it connects to, hash the output amounts, and compare this with hashes of the input amounts of the new transaction.
But, Trezor architect Marek “Slush” Palatinus explained, “these solutions are crazy complex and slow.” And due to limited computational resources in hardware wallets, in some cases they are not even viable. “Transactions that include lots of inputs or outputs, like payouts from mining pools or faucets, can take up to one hour to calculate,” Palatinus said.
Segregated Witness offers a better solution.
Segregated Witness moves the cryptographic signatures to a sort of “add-on” part of a transaction: the “Witness.” This in itself is not important for hardware wallets. But as the signature data is being moved anyway, changing how wallets read them, Bitcoin Core developers decided to slightly change how the signatures are generated as well.
Specifically, the input amounts — while still not part of the transaction itself — are signed. In a way, these input amounts become “part of” the cryptographic signature. As such, a hardware wallet user will only sign for specific amounts of bitcoins to be sent — with no need to go through a complex and slow process, and with no risk of sending too many funds. (If a Trojan horse would try to change the input amount after it is signed, the transaction would be considered invalid by Bitcoin nodes.)
If Segregated Witness is activated, it would be relatively easy to upgrade all existing hardware wallets to utilize this option. Ledger has already updated Ledger’s code-base, while Trezor and Digital Bitbox integration should be ready if and when the soft fork activates.
“Segregated Witness is not just about scaling,” Palatinus emphasized. “There are other issues with Bitcoin under the hood, and SegWit opens potential for applications and use-cases that are not possible today. For those who think only bigger blocks will save bitcoin’s exchange rate, and for miners who are going to decide on whether or not they should adopt SegWit, this is important to understand.”
For a more detailed technical explanation, see this article by Ledger’s Nicolas Bacca.