A custody architecture based on Revault but with cosigners instead of watchtowers #121
Comments
|
Spend:
Ok, The change output is going back to warm wallet. Stakeholders: Emergency: Can we imagine a way for a team to switch from this warm/cold wallet to a revault setup with only the creation of the unvault descriptor ? (No new ceremony for the stakeholders multisig) |
Yeah, in this model what is delegated stays delegated. The delegation and spending policies are separated one from another. The former is done manually (without the caveats and cost of using pre-signed txs) and the latter automatically from the "warm" wallet.
What do you mean? In this model the delegation is way more granular: you delegate exactly the amount you expect. With Revault you have thresholds by which you may delegate, it is either coarse grained (and you don't decide the thresholds) or expensive and complex (with a consolidation-split transaction created beforehand).
Oh, right, thanks!
I believe the answer is yes to both. |
|
Maybe this idea can be part of the revault setup:
Emergency txs are signed for both delegation kinds It can give way more flexibility: |
|
I really like the proposal! I think Revault should offer both products, and then let the clients choose what's best for them.
YAAAAAY looks at #82 impatiently
Agreed, since you have anyways the NofN spend path in the delegation tx, you should just go with a "delegation emergency" tx. Also, notice that in the watchtower model you could have watchtowers enforcing different policies, and the "global policy" will be a sum of the strictest ones. In this case, if you have just a thresh of the cosig servers needed for spending, the actual policy applied is not necessarily a sum of the strictest ones. For example (supposing no server is dead):
In this case, you can only spend on Mondays, max 10 BTC a day
In this case, if the thresh is 1 cosigner, you might decide to spend 10 BTC on a Tuesday, or 11 BTC on a Monday. This makes it a bit harder to reason on the various constraints you have on the spends. |
|
Thanks everyone for the feedback!
I'm not sure. The entire point of today Revault was to make things easier for stakeholders. Our insight was that making a larger multisig more usable would make people actually use it, thereby increasing SeCuRiTy ™️.
I don't think it's that simple. The incentive of the managers here is for the software to not get in their way. I can't think of any situation where they would bother themselves with several more transactions, and timelocks, and the uncertainty of the payment making it through, and give away the change output, when they can just make a regular payment immediately.
Yes. It not necessarily is, but it can. It's just more flexible. I find it very interesting to think about all the possible combinations in different Taproot leaves with or without Musig, available at a very small cost. |
I've been discussing this a lot privately, mainly as a point of comparison when considering tradeoffs in Revault's architecture and/or deployment. Especially with regard to watchtowers, which bring a lot of tradeoffs.
Here i describe how a custody protocol with the same feature set as Revault but with different tradeoffs could be concretely designed.
Conceptual description
We keep the stakeholders / managers types of participants. The purpose is to keep the restrictive delegation of Revault without the burden of managing watchtowers, the cost of using them, and the unpredictability of their enforcement of the policy.
Starting from today's Revault, instead of pre-signing Cancel transaction and giving out an authorization by the form of the signature of an Unvault transaction, coins are locked to both the managers and a set of Cosigning Servers managed by stakeholders. The automated cosigning servers enforce any kind of policy: for instance, "notify the stakeholders and authorize by default after a hour if not told otherwise", or "don't accept any transaction with outputs that don't pay to one of these addresses or any deposit address (whitelist)".
You can still, optionally, have the Emergency.
Concrete modifications to practical-revault
Scripts and transactions
The deposit policy is still a multisig between all the stakeholders.
We introduce a new "Delegation" transaction that spend any number of deposit UTxOs and creates one "delegated" UTxO.
The "delegated" policy has two branches:
There is no Unvault, Cancel and UnvaultEmergency transaction anymore. The Spend transaction directly spends from "delegated" UTxOs. The Emergency descriptor and transaction may be kept as well as introducing a "DelegatedEmergency" transaction spending from a "delegated" UTxO.
Coordinator
We don't need the coordinator to synchronize the exchange of presigned transactions' signatures anymore (apart if keeping the Emergency), or to announce a Spend. It may still be used to coordinate the creation of a Spend or a "Delegation" transaction.
Watchtower
Removed, or rather "merged" with the Cosigning Servers in terms of functionality (not messages).
Cosigning server
In place of the single
signmessage we have today, we have 2 of them to allow the cosigning servers to enforce a timeout without the need to maintain a connection for a long period of time.We use the first one to "register" a Spend. The second one is used to poll fpr Spend signature by txid (the Cosigning Server may return "ack", "nack", "pending".
Discussion
This design is conceptually much simpler, it's essentially a cold -> warm design with integrated policy enforcement. The protocol is greatly simplified, too. The implementation would very likely be too.
The User Experience would obviously be way neater and intuitive:
The cost would be much lower:
It also presents some advantages compared to Today's Revault:
Also note that it shares an advantage of "Revault-with-cosigning-servers-for-spending-policies":
The obvious disadvantage (heh, there needs to be one, at least!) compared to Revault is in the "securing by decentralizing". Watchtowers are (supposed to be) easy-and-inexpensive-to-spin-up servers that can directly enforce the delegation policies and can be replicated any number of time to reduce some liveness risks. Replacing them with cosigning servers involves introducing a limited number of "participants" which are identified and pre-committed to in the Script.
I think that it is a big deal in theory, but not so much in practice. You can scale the number of Cosigning Servers up by a lot before being in any way remotely close to the cost of using Revault. In addition, you can add more Cosigning Servers with Musig so you can decentralize a lot at very little cost (with additional assumptions wrt the session state, but mutlisig security is additive).
The same goes with the manual broadcast of the Cancel transaction. In today's Revault you assume you can reach the Bitcoin network (or rather, a decent % of the hashrate) with a decent fee (if miners are still incentivized by those and not some out-of-band mechanism). In this version, you are trusting that not all of your cosigning servers were not compromised. It's hard to compare as the former is pretty fuzzy.
Another obvious disadvantage is the increased potential for downtimes. It is inherent to refusing the "authorized by default" mechanism". However, i don't think it's a valid con. To the contrary. Take the same situations for both architectures: a cosigning server down VS a watchtower down. In the former situation, the transaction is stuck. In the latter, the transaction does go through but the policy enforced by this watchtower aren't enforced. I think the best tradeoff in this situation is to prime "security" (as in policy enforcement) over availability.
[0] If that's not obvious: if the deposit multisig in Today's Revault is not an N-of-N then N-1 parties can sign an Unvault transaction without giving you the Cancel transaction as much as they can spend directly from the deposit ("bypass") without you.
The text was updated successfully, but these errors were encountered: