Amsterdam Bitcoin 2014, payment protocol, stealth addresses, coinjoin and merge avoidance

Bitcoin-2014-Conference-LogoWe are getting closer and closer to what I believe to be the most important Bitcoin conference of 2014. We are really  excited to be part of it and can’t wait to meet everyone, especially the devs but also startups and ultimately what makes Bitcoin really great and
unique – the community and the people!

At this point it looks like most of the schedule is final and we are definitely looking forward to hear the keynote speech and all the feature presentations.  These presentations now have a title, but are  not ultra detailed yet:  we are guessing to hear all sorts of things, ranging from legacy-banking bridges, insurance, regulation but also more robust storage and payment solutions with ease of use, security and privacy in mind as one main focus.

Especially regarding the security and privacy we hope to hear talks about the payment protocol (for which we just finished the implementation of the client component,  currently in a test-phase  on our testnet environment) but also stealth addresses, coinjoin and merge avoidance.

Dark-Wallet-Application-Aims-To-Provide-Better-Bitcoin-PrivacyWe would also like to congratulate with the  DarkWallet team for pulling off the first wallet that implements innovative privacy features such as coinjoin and stealth addresses. There has been a lot of discussion about all these features in the recent past, especially stealth addresses and the so called waste of disk/memory capacity due to  blockchain overbloat.

For those unfamiliar with the argument behind stealth addresses I’m going to quote an excellent comment on reddit by Chris Patia:

BIP32 allows for the creation of a Master key pair. Using the master public key you can derive an unlimited number of child public keys, the private keys for which can be derived from the master private key.

You could theoretically put your master public key on a server and dynamically generate a new address for each new payee. This way you don’t have to keep your private keys on the server.

The problem is that doesn’t work in some use cases. For example, I have a basic WordPress blog with a static tip address. I cant dynamically generate a new address for each tipper because I don’t control wordpress’s server.

I could put my master public key on my blog, but then anyone can use that to derive all my addresses and see the balance of my wallet.

The reason stealth was created was to allow me to put up a single address and receive payments to a new address each time without other people seeing my balance.

mikehearnNow, you can still have stealth addresses without using the blockchain as a mean to store the secret. But it requires communication with the party you intend to transact with, which as Mike suggests, could be easily
done with the payment protocol.

It’s really hard to say, yet, what is waste and what isn’t, especially thinking about multisig  addresses. In fact, they take additional space too – as Peter Todd said in the bitcoin-dev mailing list – and we certainly don’t consider that a waste so it will be interesting to see what happens. It seems clear the community wants and needs an peter-toddoffline way to generate addresses for third parties and using the blockchain means you don’t need to backup additional data each time (which would be required if the system used was exclusively the payment protocol without a fall back measure on the blockchain).

On the other hand, using stealth addresses this way has privacy and scalability consequences, especially for light clients.  This can be, in theory,  at least partially tackled with SPV improvements or trusted third parties. The discussion about boom filters changes and SPV seems a compromise between how many clients will know about your transactions  and how much.  Additionally,  I’m not too convinced on adding Tor to SPV to improve the privacy of thin clients. As according to the wiki it would make wallets more vulnerable to the sybil attack:

Low-latency encryption/anonymization of Bitcoin’s transmissions (With Tor, JAP, etc.) can be defeated relatively easy with a timing attack if you’re connected to several of the attacker’s nodes and the attacker is watching your transmissions at your ISP.

Regarding online creation of new addresses,  there can also be third parties providing new addresses as needed. This has obviously its weaknesses as you rely on this third party being available which is certainly not always a  given but also it could provide non-user addresses if malicious.  We have this feature but we also have stealth
addresses in the road map, especially as the original specification supported multisignature (although it is my understanding that Darkwallet doesn’t current implement it).
greenaddress-donate-greenTo see in action our dynamic address  click the green link donate  button on the left hand side
or see it in action on ZealDocs.

What about coinjoin?  People have been speaking about improving the current interoperability between wallets, as all coinjoin implementation currently rely on a single centralized server,   correction, the guys at Darkwallet already have gateway channels available. One such improvement is creating a ‘federation’ of coinjoin servers but it won’t mean that the system will be really decentralized. At least in a federation system it should be easier to increase the number of parties and, because of how coinjoin works, I presume this should mean improved privacy.

What I’m actually looking forward for is a system that is fully decentralized.  I am not yet entirely sure how a system like this would work, but I wouldn’t be surprised if someone is not far from envisioning one or if one is already available and I did not have a chance to find it yet. It was pointed out to me that something is in the works.   At GreenAddress we have coinjoin or something similar in our roadmap although – obviously – if something betters becomes available we’d skip directly to that 🙂 bitcoin-payment-protocol

Last but not least, a word on merge avoidance. Generally, I think it is a great idea and a great way of improving privacy. I think wallets could be smart enough to have the right mix of efficiency and privacy
with regards to how they would split amounts by knowing what amounts you spend most often and optimize for that, so that you can have your privacy and avoid splitting bitcoin to too many (or too few) addresses.

Reusing addresses is bad, M’kay?

tl;dr Reusing bitcoin addresses has both security and privacy consequences and should be avoided, especially since services and tools that don’t reuse addresses are available and even easy to use.

 

locked-wallet-1First what do we mean by “address re-use”?

In general we mean sending, ever, more than one transaction to any specific bitcoin address.

Specifically what you want to do is to prevent having funds sent  to an address after any bitcoin has been spent that were addressed to that same address. Technically receiving two transaction on an address and then spending is OK but receiving, spending and receiving from an address in this order is not. The easiest thing to do is not reuse, especially since you can’t easily synchronize with parties which may pay you after you spend from an address.

Yet, a lot of people are reusing addresses over and over and over, mostly because they don’t know better and, most importantly, reusing addresses is the default option in the tool or service of their choice.

From a privacy standpoint it should be clear why this is really bad: people that have your address can see your past and future transactions and track you and also, by making yourself more identifiable you’re making it harder for everyone else to use Bitcoin privately.  Poor privacy is infectious.

One-Time1

If you ever pay someone that also uses a public address, like a gambling site, everyone that knows that you control that address will also be able to know you gamble, when you gamble and who you gamble with which may not be something you want people to find out or even phantom as a possibility, yet is trivial to do, as the bitcoin public ledger, the blockchain, is, duh, public.

From a security standpoint it’s not obvious why it is better to not reuse addresses but there are two/three components:

  1. Not reusing addresses can protect you from a weak random number generator or buggy ECDSA implementation (see what happened on Android with their RNG)
  2. Not reusing addresses protects you from quantum computing
  3. Not reusing addresses may prevent you to be exposed from undiscovered holes in ECDSA theory

 

A reasonable question/answer  about this topic is on bitcoin.stackexchange.

Historically reusing addresses has also been practiced for two main reasons:

  1. Simpler to reuse, both from user and developer implementation perspective (and most people don’t know yet about bitcoin, that this is even an issue or how to track you)
  2. Every time you ‘create’ a new address you must also create a new private key and with that comes responsibilities such as making backups of the new private keys each time a new one is created. This is no longer an issue if you use a deterministic wallet

How to solve the issue? People should be made aware of the problems associated more clearly and services and tools like Mycelium and Blockchain.info or even Bitgo, which are relatively famous tools/services that do at least some address reuse by default , should really avoid reusing addresses before more users are harmed.

hacking-bitcoin-with-goUsers that don’t want to wait for these service or tool providers to catch up and update can use services like GreenAddress which never reuses addresses, uses a deterministic approach and provides true per-transaction two factor authentication via multisig.

 

Feedback is welcome!

When you can and can’t rely on 0 confirmations

The Bitcoin community has been hit with a wide range of security related news lately: first CVE-2014-0160 aka ‘Heartbleed’ , a serious vulnerability in the popular OpenSSL cryptographic software library. The Bitcoin core team has issued an update of the Bitcoin software and an alert  . We have tweeted about the vulnerability, just after we upgraded and checked our services (we recommend Saltstack to manage your servers, great especially in these situations ).

Then user espringe on Reddit announced BitUndo, a service that “can help you to revert mistaken payments” effectively allowing users to double spend their transaction back to themselves for a 10% fee to BitUndo.

One immediate community reactions was to suggest that this service could also be used to defraud merchant or bitcoin payment processors such as Bitpay  and Coinbase.

So far the service doesn’t seem to have any sufficient hashrate to be successful in double spend attempts often to be a problem however this may change as the BitUndo mining pool seems to have better incentives for miners and the situation will become worse as the block reward halves. There seems little that the network can do from a decentralized perspective to stop this from happening.

The situation appears to be much worse: Peter Todd, one of the core Bitcoin developers has submitted on reddit a post titled “Double-spending unconfirmed transactions is a lot easier than most people realise”  which shows and proves how he and anyone that tries can easily double spend with around a 50% chance. He continues, “Fact is, unconfirmed transactions aren’t safe.”  This is caused principally by the difference in how some miners perceive a low fee as dust and won’t include it (nor check for double spends) while others will happily include it. Submitting first a transaction with one of the new lower fees is what causes the problem.

This will improve as more miners move to the latest version and Peter has also proposed some patches that will allow to somewhat counterbalance this attack but ultimately any difference in the transaction that miners accept will allow some percentage of double spends and as mentioned above the incentives will change further as the block reward halves.

Solutions to this problem are various:

  • accept risk and perhaps use one of the new counterbalancing measures or wait for a number of confirmations in relation to the amount and risk in the local area/product category
  • require users to pre deposit their Bitcoins well in advance

One more thing worth mentioning is about localbitcoins , a market place for trading bitcoins locally and over the internet. User don4of4 submitted a post on Reddit  in which he advise users to empty their accounts.

There seems to be an issue with stolen bitcoins. While it is not clear yet whether the hack was on the user credentials externally to localbitcoins or whether it was on localbitcoins service itself, one thing that is clear is that a multisignature system would have prevented funds to be moved without access to the user private key.

This could be implemented directly by localbitcoins.com, or should they prefer, it could be provided with the help of a specialized third party such as greenaddress.it that could help them concentrate on their core business and at the same time allow user funds to be locked only while in escrow and not require predepositing with localbitcoins.com.

Greenaddress user’s funds are in a multisignature 2of2 P2SH between them and the server and as such both the keys from the user and GreenAddress are required to move funds. This allows us to prevent user double spend, effectively guaranteeing to receivers instant payment, even under the 0-confirmation scenario, as long as the merchant trusts us. At the same time, should we disappear for _any_ reasons, users can sleep feeling safe as we provide in advance transaction unlocking their funds in the future.

GreenAddress.it could help in sending the user funds to localbitcoins.com upon user signature and two factor authentication directly in the escrow system. This would provide localbitcoins.com a signed instant confirmation proving the users funds came from a wallet in multisignature with GreenAddress.it

This would mean that users and merchants don’t have to wait to trust that funds will be received!

This mechanism could also allow exchanges to provide a competitive advantage to users both in terms of inter-exchange transfer for arbitration but also in terms of security as user funds would only be compromisable when in order or instant book, reducing the extent to which MtGoxing like scenarios can happen in the first place.

For more info on the design, see the white paper here.

UPDATE:

Allegedly the localbitcoins issue was caused by the user reusing data across services of which some have been recently compromised and information thereof leaked. See their initial response here . Ultimately we think it doesn’t really matter who is at fault, using multisignature can help prevent this class of issues entirely and services should evolve to take advantage of improved standards.

iOS, Bitcoin and qr codes

At GreenAddress, to support the Android platform (and soon more) we use Cordova ,  a framework that allows to target multiple platforms with one code base and in theory (and in our case I believe in practice too) increase reuse and reduce rewrites.

Unfortunately, even though this would allow us to easily support iOS via an app, because of Apple policies and their history in regards to Bitcoin, it is the case that we can really only support jail broken phones on alternative markets or we can attempt to submit a version of the app to the Apple store with the send functionality removed which would really cripple its utility and it still does not guarantee our app would make it.

Qrcode scanning is almost at the core of Bitcoin payments, especially on the go.  While so far we offered support for it on Android  we did not provide any support or any other platform which we feel that especially on iOS devices limits the use of the wallet.

With some inspiration from Coinpunk QR support on iOS and the great work from the guys at http://webqr.com/,  I’m happy to announce that we now support qrcode scanning on any HTML5 enabled browser via both camera or local file ‘upload’!

Note that this functionality is also available to login into a wallet and that it includes support for all Android devices we have tested, Chrome and Safari on iOS devices 🙂

Happy scanning!

‘White paper’ and other updates

First post on our simple blog. 🙂 My name is Lawrence Nahum, I’m the founder of GreenAddress. Here’s my LinkedIn profile: I have only been interested first and then involved in Bitcoin for a bit more than the last two years, but it feels like much more than that, and the last few months, and especially the last few weeks have been so packed but great with lots of new users and amazing feedback and obviously a lot of hard work.

We started with the first deterministic Multisig 2of2 Wallet with time unlocking functionality: a wallet that at the same time sports a large array of features improving privacy, security and convenience.

We have open sourced both our clients for both Android and Desktop as well as Gentle, we then added a bunch of languages (more coming), and today have published a document that describes our design and implementation, sometimes called a ‘white paper’, at least in B2B .

If you want to read it have a look here  and please do say what you think,  we’d love to hear your feedback. If instead you want to see a quick and superficial video infographics  about GreenAddress you can find one here.

We will soon publish more information on our short-term roadmap which includes an API (check out the preview) coinjoin integration, payment protocol and more. 🙂

UPDATE: Post on Reddit with comments.

Cheers!

Lawrence