Bitcoin Forum

Hello fellow Trezor developers !

I presume there are a few of us "alts" working on Trezor support at the moment so I would like to have a thread where we can share ideas about implementation.

For instance:


At the moment I am looking at when the user plugs in their Trezor and they want their wallet to appear.
If they have already used that particular Trezor on this machine, I want it to reopen the previous wallet and start syncing from where it was before.

Thus I want a naming convention for the wallet file that's stored on the machine (in their user data area most likely).

I was thinking: "trezor-" + hex(hash(master public key from device)) + ".wallet"

The thinking being:
+ use the 'trezor-" prefix so the user knows what the wallet is. Also this gives some namespace for when other types of hardware wallets come along.
+ you want to have the name of the wallet based on the MPK rather than the serial id of the device as the user can:
    1. Reprogram the device with another seed.
    2. Put the seed on another device.

It's the seed that determines the wallet, not the serial id of the Trezor.

I am thinking you'd want to hash the MPK to make it a bit shorter and for privacy reasons. Not sure what length to hash it to yet. Shorter is "friendlier" but you'll get more collisions (in theory). Then convert the hash into simple hex, lowercase.


It is not really a big deal if other wallets use a different naming convention but we will all most likely be tackling the same problems. I would be interested in what other people think.

Another option would be:

"trezor-" + hex(hash(serial number of the device || master public key from device)) + ".wallet" (where || means concatenation)

I think we have to decide if we want to treat two different devices loaded with the same seed as the same wallet (first option) or not (second one).

There are the following possibilities as you state:

Same seed, different Trezor.

Alice has Trezor #1. She initialises it and write down her mnemonic phrase.   She uses it for a while and then loses the Trezor #1.
She gets hold of Trezor #2 and loads in her previous seed. When she plugs it in, would she expect to:

1) use the same wallet as she had with Trezor #1
2) have a new wallet, which then syncs so she has the same transactions (but she might lose any extra data like labels).

?

edit: or you might have two people with their Trezors programmed with the same seed e.g. husband and wife using the same wallet (?) but they both have their own Trezors.


Same Trezor, different seed.
Bob has Trezor #3. He initialises it with one seed. Uses it for a while with a particular wallet.
Reprograms it. Pretty clearly the new seed needs a new wallet.

(He could then reprogram it back to the first seed and then the old wallet would be used).

This case isn't a problem I don't think.

Is there anything _different_ to one Trezor wallet with a particular seed and _another_ wallet with the same seed ?

Are they distinguishable to the user ?

I guess they may have a different device name and serial id (not sure that is a good enough reason to "split" the wallet) but is there anything else that is different ?

Gary has been writing the trezorj Java library which deals with the Trezor communications.

To make it a bit easier to see what is going on I have started a TrezorEmulatorUI. Once it's done you'll be able to see the messages going to and fro.
Here's what I have so far:

https://multibit.org/postImages/emulatorUI.png


It does not do much for real yet.
In the great tradition of emulators it is pig-ugly. :-)

I am thinking it could either be used for:
1) wrapping the datastreams to and from your trezor (like a port forwarding network sniffer)
or
2) a full emulation (which is why I have added a field for the display and the two soft buttons "Trezor Left Button' and 'Trezor Right Button').

Slush and stick have also created a python emulator but I figure there should be one in the trezorj library. Also I reckon you don't really understand something until you can replicate it.

Yes, there's at least these settings: PIN, language, selected coin (you need to be sure that the device is in "btc" mode, as we discussed over email).

Personally I prefer the option that two devices will act as one, when they have the same master public key.

However what if user connects two devices with the same seed at the same time? :-) What if you'll have the same seed in Trezor and in software walelt? I think client should somehow distinguish between logical wallet (show history, send transaction) and physical device (factory reset, set language, ...).

FYI feel free to use git master at https://github.com/trezor/trezor-emu . There should be always the code which passed all my unit tests, because I'm doing active development in other git branches.

Yeah I think we'll have to distinquish between BOTH different seeds and different physical trezors as you suggest.

Something, somewhere will break if we don't.

For issues such as 'I created a new wallet and all my labels are missing' I expect we will go down the route Electrum has taken and have a label sync system (if not the exact same one so you can sync labels across multibit and electrum HD wallets).

The idea of label syncing is perfect and we like it as well. Having description of all transactions and addresses on every client is very nice. However, as many other things in Electrum, the implementation is far from optimal. I mean that such system can be designed to work transparently, like all data can be encrypted and signed with key derived directly from the seed, so there's no need for handling the API key, email registration, password recovery and other stuff.

Shortly said, lets finalize all current project and then we can prepare new BIP for that :-).

Ha ha yes - one thing at a time !

:-)

Can we go one step back and explain how to set up the thing? For example, my Raspberry + Trezor sandwich has 3 USB ports - which one is the correct one? Do I need an SD card to boot up? I've never used a Raspberry before.

Gary wrote a useful guide on setting up the trezor emulator here:
https://github.com/bitcoin-solutions/trezorj/wiki/Trezor-on-Raspberry-Pi-from-scratch

The operating system is on an SD yes. I must admit I bought a prebuilt one when I bought the RasPi so cannot tell you exactly what the distribution is.

To talk to it you can plug in an an ethernet cable and use SSH.

The little (micro?) USB on the RasPi is power and I think you can use either of the 2 stacked USB for the 'trezor' cable back to your PC.

I also got a HDMI cable to hook up a monitor but I know Gary uses ethernet/ssh for everything so does not bother with a monitor. I also plugged in a little wireless keyboard but again you can do without.

@Andreas

Are you thinking of adding Trezor support into Bitcoin Wallet using USB on-the-go ?

For power you can use either of microUSB connectors. If you want to communicate with TREZOR, use the one on the shield (it will also provide power for the RasPi).

Ok so I take it the only connection I have to make is the USB port on the shield?

Well I wanted to try if communication is possible. For it to be usable, I guess someone should build a "mobile" version of the Trezor.

Right.

What happens to your coin if your trezor device gets broken?

When you initialize your trezor it shows on it's screen a 12 word passphrase (similar to Electrum's mnemonic phrase) that you write down.

If you lose your trezor you can then either:
+ reprogram another trezor with the seed
+ create a new wallet in a HD compatible wallet client with the new seed. (HD compatible wallet clients don't exist yet but Electrum, Armory and MultiBit are all planning to support it).

If you lose both your trezor AND your 12 word passphrase then you have lost access to your bitcoin.

Label syncing isn't the right model IMHO.

The right model is that the same private key seed generated by Trezor/your wallet is both used to control your Bitcoins and encrypt your wallet file (literally the .wallet protobuf generated by bitcoinj or other wallet equivalents). Once encrypted that file can then be uploaded to some cloud service, perhaps a P2P DHT run by the community. The files are only small. The public key (or hash of it) would act as the document name to let you redownload the wallet if you need it.

In the case where the cloud backup fails for some reason, it isn't there any more or whatever, the private key you wrote down can be used to get access to your money even if all the other data is lost.

Remember that in future wallets will hold not only keys and labels, but also things like signed payment requests (receipts), micropayment channel state, info for dispute mediation and so on. Lots of stuff.

Agree with Mike that as wallets contain more information having a secure cloud backup/ sync would work well.

It helps with wallet recovery in case of loss of laptop too.

That's something we'd like to tackle on some of the upcoming BIPs. Basically it is just defining which path(s) in BIP32 tree will be used for various purposes (PGP, SSH, etc.). We can also change "Bitcoin seed" to "Meta seed" (or sth similar) in the HMAC call during initialization of the root to make sure we won't be mixing address tree with meta tree.

You just wrote down my ideas :-).

Although it is mentioned in README.md of trezor-emu, maybe it isn't clear for non-pythonist:

Trezor-emu is using two modules which are not packaged yet - python-ecdsa and python-mnemonic. Please do following steps on fresh install of trezor-emu on RPi:

cd /home/pi/
git clone git@github.com:trezor/python-ecdsa.git
git clone git@github.com:trezor/python-mnemonic.git
cd trezor-emu
ln -s ../python-ecdsa/ecdsa
ln -s ../python-mnemonic/mnemonic

This is just a temporary solution, I'm working on accepting my patches of python-ecdsa into official release.

Mike, do you mean that users would maintain a small P2P filesharing network only for retaining backup copies of each others' encrypted wallets? We were thinking about an idea like that too. What do you think would be best, a tiny blockchain that is just a sticky ball of encrypted keys, or something more like DNS (and presumably keyservers?), with servers telling each other about/propagating new keys?

Well I think the first stage would be to use existing cloud backup services rather than create a new distributed one. For instance uploading to Google Drive if you have a Google account is pretty straightforward and it eliminates any issues with needing to pay to make backups, etc.

A simple DHT could come later.

If wallets are being uploaded to a public network where attackers could get the encrypted data you'll need to make sure your users use a cryptographically strong password - at least 128 bits of entropy. Of course humans are awful at memorizing long passwords, so you'll have to make sure they write it down somewhere and back up the password.

But if they have a 128bit secret backed up, why not just use BIP32 private key derivation directly? That's sufficient to recover users' funds; the only thing such a backup could provide in addition to that would be metadata like notes. Given how important it is to keep your seed/wallet password backed up why complicate the issue with (to the user) confusing discussions of some kind of "cloud backup" service that'll just lead them to think their wallet is effectively backed up when it isn't?

If you've read the whole thread you would have learned that the plan is to use BIP32 - maybe a modified one, so the "metadata" tree would not collide with the main address tree. :)

Ha, fair enough.

So here's my suggestion: don't use the word "backup" anywhere when referring to such a feature. Describe it as something along the lines of "your transactions are being retrieved from the Bitcoin network" so the user never wrongly thinks the wallet itself is somehow being backed up.

Did you actually read the whole thread? The whole point of the scheme we're discussing is exactly so metadata does get backed up. Yes, it's not typically very important today, but it will become more and more so in future. It's not only labels but stored payment requests for receipts, transaction labels, micropayment channel states and so on. The metadata is likely to be important for filling out tax returns if nothing else. We don't want users losing it.

It also reduces the reliance on having big indexes of the block chain to do wallet restores. If somehow you lose your wallet file backups but not your Trezor-generated master seed, you either need a full blown index of the block chain, or to scan the chain which is slow. Ideally that only happens very rarely.

Mea culpa.

I put some thought into doing P2P data storeage awhile ago; if the data is encrypted you'll wind up having created a useful general-purpose data-storage service, so you might as well architect it to be a good one. Rather than thinking about "blockchain vs. DHT"(1) models at this stage, step 1 should be to decide on what you're going to use for spam control: bitcoin days destroyed is the obvious choice and is easy to prove (two merkle paths) and doesn't cost anything extra. Merkle paths are still kinda long, but the proofs can be discarded immediately. (and of course communications between nodes with full transaction indexes need not provide full paths)

1) Note how Freenet's weak anti-spam measure of retaining the most popular data and dropping the least doesn't work for a wallet backup system.

It's easy to define a consistent priority ordering for everyone's data by sorting all data in terms of (value*days destroyed)/size, or (value*days destroyed)/(size*data age) so that older data is eventually expired out. (these equations are all rough sketches obviously) People donating bandwidth and storage capacity to this scheme can now easily do so on a best effort basis and know that there is some rational way to allocate their donation. Because the ordering is consistent its also easy for nodes to advertise what the cut-off minimum priority is for the data they have in their store, thus making it easy to search for someone who might have your old data.

Building on stick's idea of a metadata tree for the encryption keys, I'd also suggest the use of a metadata tag tree whose values can be made public. That tree is then used to derive tags associated with each bit of data stored, so that queries can be later done for the tags in an efficient way to recover a wallet fully. Of course, this invites making those tags be pubkeys and allowing updates, but that means you've got to charge for update bandwidth fairly somehow - leave it for version 2 IMO.

Double-spending your priority is an interesting thing... in a chain-based system it's not possible, but with a strict DHT it might be. I'd suggest just sticking to an "everyone has all the data" model at first. The other thing you can do is commit to the data in the transaction itself, for instance with an OP_RETURN <digest> output or even deriving the nonce in the signature in part from the digest. Doing so publicly with OP_RETURN almost has a nice benefit: you can hold nodes to account for failing to return the data when queried in the "everyone stores the same data set" model; with some signed advertisements, queries and responses you can basically create a short fraud proof.

Except that doesn't work because there's no guarantee the data was ever broadcast... except in the case of the transactions themselves which are guaranteed to be public by virtue of being in the blockchain. So now rather than doing UTXO commitments, a complex and invasive change that may not be implemented anytime soon, you can do UTXO set search query fraud proofs. Basically you're just creating a system where some service claims they'll honestly return queries for all transactions/UTXOs with some H(pushdata) in them, like sipa's searchrawtransactions, and you can hold those services to account if they fail to return transactions that matched. Of course, this also means that system can be later extended to this data storage service if we (merge) mine it, although the lack of actual economic incentives is a bit troubling.

A little update from my side: After realizing that my previous SD card had 32 MB not 32 GB :o , I finally bought a new card and installed Raspbian on it. And yeah, my raspi boots.

Now I wonder how do will Trezor setup be able to put its python software on the shield, given I do not have any network on the raspi.

Anyway... slush, I just read that python-ecdsa has been released. Does that change anything regarding the installation?

Hi guys!

We created a mailinglist trezor-dev for developers on Google Groups which is a better way to discuss technical stuff than forum.

Subscribe at Google groups (https://groups.google.com/forum/#!forum/trezor-dev)

or send a subscribe email to

trezor-dev+subscribe@googlegroups.com

to catch it all!

Jim: would you be so kind and lock this thread so we don't have two dev discussions going in parallel? Thanks!