{"id":24602,"date":"2016-11-02T18:07:37","date_gmt":"2016-11-02T18:07:37","guid":{"rendered":"http:\/\/ci027cfe7a00072697"},"modified":"2016-11-02T18:07:37","modified_gmt":"2016-11-02T18:07:37","slug":"how-segregated-witness-is-about-to-fix-hardware-wallets-1478110057","status":"publish","type":"post","link":"https:\/\/bitcoinmagazine.com\/technical\/how-segregated-witness-is-about-to-fix-hardware-wallets-1478110057","title":{"rendered":"How Segregated Witness Is About to Fix Hardware Wallets"},"content":{"rendered":"<div id=\"bsf_rt_marker\"><\/div><figure><img decoding=\"async\" src=\"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/how-segregated-witness-is-about-to-fix-hardware-wallets.jpg\" title=\"\"><\/figure>\n<p><a href=\"https:\/\/bitcoincore.org\/\" target=\"_blank\" rel=\"noopener\">Bitcoin Core<\/a> <a href=\"https:\/\/bitcoinmagazine.com\/articles\/segregated-witness-officially-introduced-with-release-of-bitcoin-core-1477611260\">launched<\/a> its latest software release last week, which includes a proposed&nbsp;<a href=\"https:\/\/bitcoinmagazine.com\/articles\/segregated-witness-part-how-a-clever-hack-could-significantly-increase-bitcoin-s-potential-1450553618\">Segregated<\/a> <a href=\"https:\/\/bitcoinmagazine.com\/articles\/segregated-witness-part-why-you-should-care-about-a-nitty-gritty-technical-trick-1450827675\">Witness<\/a> soft fork. If a majority of miners signal support for the proposal, Segregated Witness will activate on the Bitcoin network \u2014 perhaps as soon as December. 
This would offer several benefits, including an effective block size limit increase, a malleability fix and more.<\/p>\n<p>A lesser known benefit is that input amounts of transactions \u2014 the amount of bitcoins being sent \u2014 will for the first time be cryptographically signed by users: a small change, but according to&nbsp;<a href=\"https:\/\/www.ledger.com\/\" target=\"_blank\" rel=\"noopener\">Ledger<\/a> CTO Nicolas Bacca, \u201cthis fixes one of the biggest issues hardware wallets are faced with today.\u201d<\/p>\n<h2><strong>Input amounts<\/strong><\/h2>\n<p>All Bitcoin transactions send bitcoins from \u201cinputs\u201d to \u201coutputs,\u201d where inputs specify from which Bitcoin addresses bitcoins are sent, and outputs refer to receiving addresses.<\/p>\n<p>Naturally, all inputs must contain at least as many bitcoins as all outputs. A sender can\u2019t create bitcoins out of thin air.<\/p>\n<p>In fact, however, inputs typically contain slightly more bitcoins than the outputs. That difference is the mining fee. So if all inputs are worth one BTC, and all outputs are worth 0.999 BTC, whoever mines the transaction can claim the remaining 0.001 BTC.<\/p>\n<p>But currently there\u2019s an odd quirk. While outputs contain explicit amounts, inputs do not. That\u2019s not really a problem, because each input relies on a previous transaction. Bitcoin wallets can therefore look up how much a specific input contains by checking the blockchain.<\/p>\n<p>The exception is hardware wallets, Bacca explained to <em>Bitcoin Magazine<\/em>:<\/p>\n<p>\u201cHardware wallets don\u2019t store the entire blockchain, nor do they have access to the Bitcoin network directly. Instead, to collect the transaction history, they connect to software that does. They connect to the Bitcoin network through wallets running on desktop computers, for instance. Or web-wallets.\u201d<\/p>\n<p>In many ways, this is not a problem. 
The hardware wallet generates a transaction, spending a certain amount of bitcoins to certain addresses. The user will sign the transaction only if he really wants to send this amount of bitcoins to these addresses. There is no risk of sending too many funds to the outputs.<\/p>\n<p>But this still leaves open the risk of a \u201cfee attack,\u201d Bitcoin Core and&nbsp;<a href=\"https:\/\/shiftcrypto.ch\/\" target=\"_blank\" rel=\"noopener\">Digital Bitbox<\/a> developer Jonas Schnelli told <em>Bitcoin Magazine<\/em>:<\/p>\n<p>\u201cAs a simple example, let\u2019s say your computer is compromised by a Trojan horse. When sending funds from your hardware wallet, this Trojan horse increases the input amounts, or adds extra inputs, without revealing this to the user. Through the hardware wallet, the user then confirms that the outputs check out, as do the output amounts, and signs the transaction. Little does he know, the inputs contained much more bitcoins than needed for the transactions; perhaps even all bitcoins stored on the hardware wallet. All these bitcoins are then all attributed to the miner, as a huge fee.\u201d<\/p>\n<p>While perhaps unlikely, this risk defeats an important purpose of hardware wallets. After all, the idea is that these devices cannot be hacked into, even if used in combination with an insecure computer.<\/p>\n<h2><strong>Segregated Witness<\/strong><\/h2>\n<p>A countermeasure to this \u201cfee attack\u201d does exist. Hardware wallets can fetch a previous transaction from the blockchain through the software they connect to, hash the output amounts, and compare this with hashes of the input amounts of the new transaction.<\/p>\n<p>But,&nbsp;<a href=\"http:\/\/bitcointrezor.com\/\" target=\"_blank\" rel=\"noopener\">Trezor<\/a> architect Marek \u201cSlush\u201d Palatinus explained, \u201cthese solutions are crazy complex and slow.\u201d And due to limited computational resources in hardware wallets, in some cases they are not even viable. 
\u201cTransactions that include lots of inputs or outputs, like payouts from <a href=\"https:\/\/bitcoinmagazine.com\/bitcoin-mining\/what-are-bitcoin-mining-pools\">mining pools<\/a> or faucets, can take up to one hour to calculate,\u201d Palatinus said.<\/p>\n<p>Segregated Witness offers a better solution.<\/p>\n<p>Segregated Witness moves the cryptographic signatures to a sort of \u201cadd-on\u201d part of a transaction: the \u201cWitness.\u201d This in itself is not important for hardware wallets. But as the signature data is being moved anyway, changing how wallets read them, Bitcoin Core developers decided to slightly change how the signatures are generated as well.<\/p>\n<p>Specifically, the input amounts \u2014 while still not part of the transaction itself \u2014 are signed. In a way, these input amounts become \u201cpart of\u201d the cryptographic signature. As such, a hardware wallet user will only sign for specific amounts of bitcoins to be sent \u2014 with no need to go through a complex and slow process, and with no risk of sending too many funds. (If a Trojan horse tried to change the input amount after it was signed, the transaction would be considered invalid by Bitcoin nodes.)<\/p>\n<p>If Segregated Witness is activated, it would be relatively easy to upgrade all existing hardware wallets to utilize this option. Ledger has already updated its code base, while Trezor and Digital Bitbox integration should be ready if and when the soft fork activates.<\/p>\n<p>\u201cSegregated Witness is not just about scaling,\u201d Palatinus emphasized. \u201cThere are other issues with Bitcoin under the hood, and SegWit opens potential for applications and use-cases that are not possible today. 
For those who think only bigger blocks will save bitcoin\u2019s exchange rate, and for miners who are going to decide on whether or not they should adopt SegWit, this is important to understand.\u201d<\/p>\n<p><em>For a more detailed technical explanation, see&nbsp;<a href=\"https:\/\/segwit.org\/segregated-witness-and-hardware-wallets-cc88ba532fb3?gi=9ce24f8e3ddd\" target=\"_blank\" rel=\"noopener\">this article<\/a> by Ledger\u2019s Nicolas Bacca.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Bitcoin Core launched its latest software release last week, which includes a proposed&nbsp;Segregated Witness soft fork. If a majority of miners signal support for the proposal, Segregated Witness will activate on the Bitcoin network \u2014 perhaps as soon as December. This would offer several benefits, including an effective block size limit increase, a malleability fix and more. [&hellip;]<\/p>\n","protected":false},"author":2509,"featured_media":24603,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[35],"tags":[410,851,1079,708,163],"class_list":{"0":"post-24602","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technical","8":"tag-addresses","9":"tag-ledger","10":"tag-segwit","11":"tag-transactions","12":"tag-wallets"},"author_data":{"id":2509,"name":"Aaron van 
Wirdum","nicename":"aaron-van-wirdum","avatar_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/12\/aaron-van-wirdum-96x96.jpg"},"featured_image_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/how-segregated-witness-is-about-to-fix-hardware-wallets.jpg","_links":{"self":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/24602","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/users\/2509"}],"replies":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/comments?post=24602"}],"version-history":[{"count":0,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/24602\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media\/24603"}],"wp:attachment":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media?parent=24602"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/categories?post=24602"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/tags?post=24602"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}