-
Notifications
You must be signed in to change notification settings - Fork 73
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sign transactions not fitting the wallet policy approach #210
Comments
@bigspider first of all, thanks for this issue, really waiting for this possibility to be opened |
In wallet policies, the restriction of having ranged xpubs (with distinct derivations) is explicitly kept even across leaves. Generating pubkeys is cheap, so an external co-signer that is able to provide a fixed pubkey can easily be generalized to instead provide an xpub, which solves the key-reuse problem. Of course, this is not an issue if instead of a "wallet account" (that can receive/send many transactions), you have a single UTXO, that you will spend entirely without a change address; but that's not the scope of wallet policies.
Not sure I understand what you mean by "other methods like unsafe confirmations". |
@bigspider thanks a lot for your reply, now it's clear P.s. in this case we don't care about revealing this Internal pubkey to anyone since it is not being used, but we really bother about not having a real internal public key which could've spent everything from the multisig wallet. |
In theory, using the syntax for the
and replace it with:
where Instead, if you want the public key path to really be unspendable, it is not difficult to produce an xpub such that there is (provably) no private key. Then you can use This has security implications, though: the fact the the aggregate/unspendable xpub is produced in a certain way is not verifiable from the device, so additional measures should be in place in the software wallet to guarantee that the xpub is not replaced with some attacker's xpub (for example, by malware on the user's machine). The appropriate fix would be to define a key expression for the descriptor language that describes an unspendable key. Then you could do something like:
Once such a standard exists, the UX could be simplified somewhat, as the fact that the key generated by |
@bigspider thanks so much for such a detailed explanation! |
@bigspider another point to consider |
@fess-v could you describe the kind of descriptors and/or signing flow that such extension wallets are using? I'm not familiar so it's hard to give an informed reply. |
@bigspider these wallets do not have a similar thing to the wallet policy.
Btw this flow is the same for all bitcoin applications, not only our multisig, like marketplaces, ordinals and brc20s related projects, etc. |
Not sure I understand; if you're not willing to reveal the descriptor, likewise you're not willing to reveal the wallet policy. If the limitation is because some systems are designed around address reuse, unfortunately wallet policies specifically want to not allow that, or at least not incentivize it. |
@bigspider got it. In this case, I think the only option to integrate Ledger to such Bitcoin apps mixed with other wallets would be to prepare something outside of Wallet Policies as you described in the issue. |
@bigspider when we develop a wallet, we encounter an issue that we could only got psbt from other app, but it seems it is impossible to get enough info from psbt to generate related wallet policy which will cause ledger device could not sign psbt. I think a interface that could blind sign taproot transaction is needed. |
Thank you for raising this important issue. We strongly agree that there's a pressing need to expand Ledger's signing capabilities beyond the current wallet policy model, particularly to support the growing Bitcoin DeFi ecosystem. While the wallet policy model provides robust security for standard transactions, it creates significant limitations for more complex operations like multi-signature setups, which are fundamental to many DeFi protocols. This restriction effectively creates a divide between Ledger users and those using hot wallets, hindering the growth of a unified, permissionless DeFi ecosystem on Bitcoin. We appreciate the security considerations you've outlined, especially regarding account segregation and user awareness. Your suggestions for handling transactions outside the wallet policy model, such as prominent warnings or opt-in settings, are valuable starting points. However, we believe a more comprehensive solution is needed. Perhaps a system similar to Ethereum's signing plugins could be implemented, allowing for greater flexibility while maintaining user awareness and security. This approach could potentially bridge the gap between Ledger's security model and the needs of complex DeFi applications. We'd like to emphasize that addressing this issue is crucial not just for individual use cases, but for the broader adoption and development of Bitcoin-based DeFi. A solution that allows Ledger users to participate fully in these protocols while maintaining strong security would significantly contribute to the growth of the ecosystem. We're eager to collaborate on finding a solution that balances security with the flexibility required for advanced Bitcoin applications. This could potentially involve developing new standards for representing complex transactions or exploring ways to extend the wallet policy model to encompass a wider range of use cases. |
I support the comment of ropl-btc. |
A number of issues were opened to request signing in cases that don't fit the wallet policy model:
This issue tries to generalize the problem. How do we safely sign transactions outside of the model of wallet policies?
Wallet policies
Wallet policies build on top of Output Script Descriptors to model in a sound way what software wallets typically call an account.
Whether single-sig, multisig, musig, miniscript, etc, for most software wallets, an account is exactly: a list of receiving addresses, plus a list of change addresses.
Wallet policies in hardware signers
Wallet policies are a first class citizen in the Ledger bitcoin app (and similar specs have now been implemented in the BitBox02, and in Blockstream Jade via the Wally library).
The signing API is currently similar to
sign(psbt, wallet_policy)
(plus thewallet_policy_hmac
, not relevant for this discussion), which means that the "wallet policy" is additional information on top of just the transaction being signed, represented in the psbt. (in principle, the wallet policy itself could be added to the psbt; however, there is no standard for it).Having precise knowledge of "what account" you are receiving to, or spending from, allows to strengthen the security model quite substantially, as malware in the in the software wallet can't tamper with that information. In practice, the expectation is that people will have multiple accounts, and many of them will involve multiple keys (other co-signers). Wallet policies allow you to know exactly from which account you're spending. That's important: if you have a 2-of-2 with your wife, and another 2-of-2 with your colleague at work, it's not enough to know that you're "spending 0.1 btc and sending it to bc1pxxx..", you want to know that you're "spending 0.1 from your work account and sending it to bc1pxxx". Without that, if your co-worker gets access to your computer, it's trivial for them to install malware to trick you to spend your wife's money when you think you're using the company account. Of course, this inherently requires full knowledge of the script on the hardware signer's end, including all of the cosigner's xpuOne would also have to think abs.
With wallet policies, the device can inform you that you're spending from the account named
Cold storage
(for example):The hardware signer can use the information in the psbt, plus the knowledge of the wallet policy, to:
In other words: wallet policies allow strict account segregation: the hardware device can guarantee that you're not touching any other account (as long as you take care to register different policies under different names, of course).
[*] In principle, before taproot, this doesn't strictly require wallet policies, as the descriptor could be "decompiled" from the witnessScript; this is no longer true in taproot trees, however, as the [PSBT](https://github.com/bitcoin/bips/blob/master/bip-0174.mediawiki) does not contain enough information (knowledge of how to generate the entire taptree, for any address index, is necessary).Safe signing outside of wallet policies
While wallet policies themselves could possibly be generalized to cover some use cases that are not currently represented by the BIP proposal, it's clear that there are other situations that just don't fit in this model of signing for an account: not all UTXOs are meaningfully part of an account as it can be represented in wallet policies.
UX considerations
Allowing signing behaviors that go outside the model of wallet policies would likely break the strong account segregation guarantee above.
That might be fine, as long as it doesn't happen seamlessly: the user must know that they are stepping somewhat outside of the safe zone. Possible options:
Another option that could be worth investigating is to attach the "unsafe signing behavior" to specific keys. That is, one could register a special kind of "wallet policy" (to be defined) that means "for these internal xpubs, allow unsafe signing". That would allow to keep the strong account segregation guarantees for any other xpubs, as long as the user is diligent in not reusing xpubs for different purposes. The downside is, of course, that software walltes would need to be aware and explicitly opt-in to this approach, which makes integrations somewhat harder.
What's safe to sign, if you don't have wallet policies?
This is to be defined, and knowing the desired use cases would help. (Note that this is about finding general approaches to signing that work for many use cases; nothing works for all use cases, and for specific applications, a separated customized app would be a better approach)
For transactions signed with SIGHASH_ALL, one case that would generally be safe (apart from not having the strong account segregation property mentioned above) is if:
The text was updated successfully, but these errors were encountered: