How do you store your bitcoins? Sure, the coins are registered on the blockchain, but how do you store the private keys that secure your funds? If you don’t have any Bitcoin now, how would you keep your private keys, the small files that have direct monetary value, safe from both loss and hackers? Given that key security is one of the major obstacles to mainstream adoption of cryptocurrencies, and every single coin hacking event is a black eye for the entire cryptocurrency community, a lot rides on the answers to these questions.
Ask any cryptocurrency veteran and they’ll tell you that you need to create the keys using well-written software and true sources of randomness. And they’ll tell you to use multisig to divide up your keys such that hackers need to break into not just one, but multiple machines to gain access to your funds. And such safeguarding is quite difficult. The conventional method to keep private keys safe is to follow 37-step operational security guidelines that involve air-gaps, dedicated laptops, and epoxied ports. But what kind of “Internet currency” needs to be kept on an air-gapped, dedicated laptop, potentially in a pyramid with a false burial chamber? It’s no wonder that mere mortals often opt out of this decision by trusting a large exchange to keep their coins. Of course, that just outsources the problem to that exchange’s security, which faces exactly the same challenges, only with much (much) higher stakes.
The fundamental tradeoff between availability (which requires more replicas) and security (where more replicas mean more risk) means that regular users face a difficult decision. At the extremes, one either stores the keys on multiple devices, where they are vulnerable to theft, or keeps a single encrypted copy in air-gapped secure storage, which the user needs to visit, reconnect to the internet ever so briefly, and recite a full-paragraph password to recover the keys.
As a result, cryptocurrency archives are full of “sorry for your loss” events where coins were lost by mistake, or where hackers stole private keys and got away with substantial sums. This happens to savvy users, too. A colleague, a CS graduate student who was an early Bitcoin miner, lost around 10,000 coins. Another friend chose a very, very good password. It was so good that he could not recall it after a couple of years, even with the help of hypnosis and brute force attacks on his password-choosing strategy.
Overall, our computing infrastructure is nowhere near safe enough for storing high-value assets. Bitcoin has become a universal bounty, where hackers break into machines and immediately reap financial rewards. What we need is a way to lock up coins in a way that is impervious to hackers and thieves.
At the Bitcoin workshop in Barbados, Malte Möser will present our solution to the Bitcoin private key management problem. Specifically, our paper describes a way to create vaults, special accounts whose keys can be neutralized if they fall into the hands of attackers. Vaults are Bitcoin’s decentralized version of you calling your bank to report a stolen credit card -- it renders the attacker’s transactions null and void. And here’s the interesting part: in so doing, vaults demotivate key theft in the first place. An attacker who knows that he will not be able to get away with theft is less likely to attack in the first place, compared to current Bitcoin attackers who are guaranteed that their hacking efforts will be handsomely rewarded.
Operationally, the idea is simple. You send your money to a vault address that you yourself create. Every vault address has a vault key and a recovery key. When spending money from the vault address with the corresponding vault key, you must wait for a predefined amount of time (called the unvaulting period) that you established at the time you created the vault -- say, 24 hours. When all goes well, your vault funds are unlocked after the unvaulting period and you can move them to a standard address and subsequently spend them in the usual way. Now, in case Harry the Hacker gets hold of your vault key, you have 24 hours to revert any transaction issued by Harry, using the recovery key. His theft, essentially, gets undone, and the funds are diverted unilaterally to their rightful owner. It’s like an “undo” facility that the modern banking world relies on, but for Bitcoin.
Now, the astute reader will ask what happens when Harry is really really good, and he lies in wait to steal not just your vault key, but also your recovery key. That is, he has thoroughly pwnd you and, as far as the network is concerned, is indistinguishable from you. Vaults protect you even in this case. The recovery keys have a similar lock period, allowing you to perpetually revert every transaction Harry makes. Unfortunately, at this point, Harry can do the same and revert every transaction you make. To avoid a perpetual standoff, the recovery keys can also burn the funds, so no one gets the money. The upshot is that Harry is not going to be able to collect a dime of proceeds from his theft. And this, in turn, means that Harry is unlikely to target vaults in the first place, because there is no positive outcome where he gets to keep the proceeds.
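To make the two scenarios above concrete, here is a small Python model of the vault state machine (an added illustration, not code from the paper or any Bitcoin implementation). It uses plain strings as stand-in keys, counts time in hours, and assumes a 24-hour unvaulting period fixed at vault creation; unvaulting with the vault key only places coins in a time-locked pending state, the recovery key reverts anything still inside that window, and burning is the last resort when both keys are compromised.

```python
from dataclasses import dataclass, field

# Constructed stand-in keys; a real vault would use Bitcoin keypairs, not strings.
VAULT_KEY, RECOVERY_KEY = "vault-key", "recovery-key"

@dataclass
class Pending:
    dest: str        # address the coins are being moved to
    amount: int
    ready_at: int    # hour at which the unvaulting period ends

@dataclass
class Vault:
    unvault_period: int          # hours, fixed when the vault is created
    balance: int                 # coins still locked in the vault address V
    pending: list = field(default_factory=list)
    burned: bool = False

def unvault(v, key, dest, amount, now):
    """Spend from V with the vault key: coins enter a time-locked pending state."""
    if key != VAULT_KEY or v.burned or amount > v.balance:
        return False
    v.balance -= amount
    v.pending.append(Pending(dest, amount, now + v.unvault_period))
    return True

def settle(v, now):
    """Release pending transfers whose unvaulting period has elapsed."""
    paid, still = {}, []
    for p in v.pending:
        if p.ready_at <= now:
            paid[p.dest] = paid.get(p.dest, 0) + p.amount
        else:
            still.append(p)
    v.pending = still
    return paid

def recover(v, key, now):
    """Recovery key reverts every transfer still inside its unvaulting period."""
    if key != RECOVERY_KEY:
        return 0
    reverted = sum(p.amount for p in v.pending if p.ready_at > now)
    v.pending = [p for p in v.pending if p.ready_at <= now]
    v.balance += reverted          # coins go back to V, under the same protection
    return reverted

def burn(v, key):
    """Last resort when both keys are stolen: nobody, Harry included, gets the coins."""
    if key != RECOVERY_KEY:
        return False
    v.balance, v.pending, v.burned = 0, [], True
    return True
```

The model omits the second lock period on recovery outputs that the text describes; it is enough to show why a thief holding only the vault key walks away with nothing.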
Implementing the vault mechanism in Bitcoin is far from trivial. One could implement a special purpose facility just for vaults -- with special address types for vault addresses, many new opcodes, and the like -- but we believe that architectural changes should be both minimal and general. We therefore propose a simple change to Bitcoin, called Bitcoin Covenants. As in legal covenants, a Bitcoin covenant checks a condition on the spending of a transaction. In essence, a covenant is a restriction placed on the shape of a future transaction. Because covenants can be recursive, they can self-perpetuate, or they can be limited in time, allowing one to implement a range of rich semantics.
The idea to extend the power of the scripting language isn’t new. In fact, we took the name covenants from an old tongue-in-cheek post by Greg Maxwell that suggested an unlikely mechanism and asked for preposterous use cases. It’s a recommended read.
It's critical to note that vaults do not affect coin fungibility or the irreversibility of regular transactions in any way. Vaults are a personal defense mechanism: you take the money that you want to keep safe and put them in a vault address that you create (call it V). In doing so, you give up the ability to spend them quickly in return for theft prevention. When you want to spend the coins, you unvault them from V into your hot wallet (W), and you pay a merchant M from W. Only coins in your possession can be vaulted, and they can only be unvaulted back to your possession. You can't trick someone into accepting a vault payment and then take the coins back. The entire design revolves around personal protection for chosen coins in one's possession, without disturbing any of the rest of Bitcoin's properties.
Overall, our suggestion is a simple yet powerful addition to the scripting language that is easy to reason about, and opens the door to a variety of constructs.
Vaults are one of the first use cases of covenants, a solution to a problem that has perennially plagued every Bitcoin user ever since the first day of the system’s release. We hope that vaults will make it easier for people to safely keep their funds online, knowing that they can always undo a theft, and, more importantly, to deter the thefts in the first place.