Sigsafe: A NFC key tag for signing bitcoin transactions

[colinistheman]

I like that second option the best with required phone authentication.

Cool invention and way to make it available for cheap. Hardware and software that helps the broad public easily use bitcoin is a contribution to the growth of bitcoin for all. And of course you will make money doing it too

[1714830741]

1714830741

[1714830741]

1714830741

[1714830741]

1714830741

[1714830741]

1714830741

[1714830741]

1714830741

[RAJSALLIN]

Very interesting. The NFC standard seems to be available for most android phones. What about iphones and laptops?

[hardhouseinc]

This is pretty cool.
PM me if there is some Indiegogo type funding project here and I might be in depending on price.

[Peter R]

Very interesting. The NFC standard seems to be available for most android phones. What about iphones and laptops?

The fact that NFC is not yet ubiquitous beyond Android phones is obviously an obstacle.  However, several laptops and tablets now come equipped with NFC (a lot of people don't realize that their laptop already supports it), and of course it's possible to add a USB NFC reader as well (although that sort of defeats the "low cost" value proposition of Sigsafe).  Regarding Apple, let's hope they finally add NFC to the iPhone 6. 

Beyond bitcoin, NFC is a great technology because it is very short range allowing you to authenticate or "pair" devices by touch (think simplified Bluetooth pairing with no codes to enter) and because it is possible to transmit significant power magnetically (think wireless charging of a device via the NFC antenna). 

[RAJSALLIN]

Very interesting. The NFC standard seems to be available for most android phones. What about iphones and laptops?

The fact that NFC is not yet ubiquitous beyond Android phones is obviously an obstacle.  However, several laptops and tablets now come equipped with NFC (a lot of people don't realize that their laptop already supports it), and of course it's possible to add a USB NFC reader as well (although that sort of defeats the "low cost" value proposition of Sigsafe).  Regarding Apple, let's hope they finally add NFC to the iPhone 6. 

Beyond bitcoin, NFC is a great technology because it is very short range allowing you to authenticate or "pair" devices by touch (think simplified Bluetooth pairing with no codes to enter) and because it is possible to transmit significant power magnetically (think wireless charging of a device via the NFC antenna). 

Agree with all this. I use NFC to pair my bluetooth headphones with my phone and it works great. Think you are definitely on the right track here.

[RAJSALLIN]

Any update on this?

[Peter R]

Any update on this?

Yes, the alpha-models work! 

Last week I believe I performed the first bitcoin multisig transaction signed offline by a passive NFC tag (no battery), transmitted over an air gap, and then broadcast to the bitcoin network in real time.

Here's a video demonstration:

https://vimeo.com/105458967

[RAJSALLIN]

Any update on this?

Yes, the alpha-models work! 

Last week I believe I performed the first bitcoin multisig transaction signed offline by a passive NFC tag (no battery), transmitted over an air gap, and then broadcast to the bitcoin network in real time.

Here's a video demonstration:

https://vimeo.com/105458967

Nice! When can we buy them?

[intron]

Any update on this?

Yes, the alpha-models work!  

Last week I believe I performed the first bitcoin multisig transaction signed offline by a passive NFC tag (no battery), transmitted over an air gap, and then broadcast to the bitcoin network in real time.

Here's a video demonstration:

https://vimeo.com/105458967

Nice! When can I buy one?

[dillpicklechips]

In a phone usage case could 2 of 2 multisig be used where the phone is one key and the NFC tag the other? The tag gives hardware security where the phone key allows me to see the transaction I'm signing? A bonus side effect is I don't have to trust the hardware as much.

[makki]

I would be happy to buy one as well please

[Peter R]

In a phone usage case could 2 of 2 multisig be used where the phone is one key and the NFC tag the other?

Yes, this is my proposal for the first "product" for the sigSafe technology (refer to the pitch in the video).  The phone signs with its private key, and then requests that the user taps his tag against his phone to produce the second signature (which is signed internally within the sigSafe tag and then relayed over NFC back to the phone).  


I need to give credit to DeathAndTaxes who actually suggested something like this to me when he reviewed the sigSafe white paper back in May.  But the simplicity of this solution didn't hit me until recently.  

The tag gives hardware security where the phone key allows me to see the transaction I'm signing?

Yes, this solution provides low-cost/simple hardware security by allowing the tag to piggyback off of the phone's screen.  

A bonus side effect is I don't have to trust the hardware as much.

That was exactly the intent: since the sigSafe only has one of the two required keys, you don't need to trust the hardware as much.  

A multisig solution like this permits something quite interesting: in production, these sigSafe keys could be sold with a random seed already stored in EEPROM and a back-up of that seed printed on archival-quality paper (folded in some tamper-evident packaging).  Although advanced users could upload their own keys, new users could actually just use the one that came with the device (even if the sigSafe manufacturer was malicious, the chances that they are also in cahoots with a malicious wallet provider is slim).  I really don't want to rely on new users actually making a properly-verified backup of their seed, so I'd rather the default behaviour be something like:

 - tap the tag to the phone to initially create your multisig wallet

 - enter the last 6 digits on the front of your paper back-up

I'm assuming here ^^ that the pubkey is printed on the front of the tamper-evident package and the private key is inside.  This would allow the phone to ensure that the sigSafe corresponds with the paper back-up.

- store the paper back-up some place private and secure.  THIS IS THE ONLY WAY TO RECOVER YOUR FUNDS SHOULD YOU LOSE YOUR SIGSAFE.  

As long as the user puts the paper backup somewhere safe, I think this solution should be pretty foolproof even if the user loses or destroys his sigSafe.

 

[LitcoinCollector]

Cool stuf, a simple way to get your coins out of cold storage, or is it not? The sound on the video could be better though.

[Peter R]

Cool stuf, a simple way to get your coins out of cold storage, or is it not?

Yes.  This nice thing is that you can also very easily prove to yourself that your cold storage "works" by sending some coins to an online wallet without ever revealing your private keys to an internet-connected device.  

The sound on the video could be better though.

A lot of things could be better.  Creating this video gave me new respect for talented video producers.  For example, it was a big challenge to even get the lighting decent.  And lol, the "desk" in the video is actually the top of my coffee table balanced across two tower speaker; it was the only way I could get something at the right height that still looked OK.

[Peter R]

Nice! When can we buy them?

Nice! When can I buy one?

I would be happy to buy one as well please

Thanks for the support guys!

My plan, assuming there's demand for such a device, is to be in "open-beta" selling to the bitcoin community this winter and I believe I'm still on schedule.  This device needs significantly more testing, a security audit, accelerated "lifespan" testing at high temperatures, a spec published regarding the NFC communication protocol, etc., etc.  There's also the issue that presently it takes about 2 seconds to sign a transaction [two weeks ago it was over a minute so I've made progress ].  I'd like to reduce this to under 0.5 seconds so it feels more like a "tap."

The critical path now is getting app developers to enable sigSafe connectivity in the popular bitcoin wallets.  I think somehow I need to sweeten the pot. One idea I recently had is that perhaps the sigSafe tags could come "keyed" to particular wallets¹ to enable a profit-sharing model:

  - 25% of profits go to the wallet developer for which the sold sigSafe is "keyed" to.  
  - 25% of the profits go to entity through which the sale was made (for example, if the user purchased the tag through WalletApp-X's site, WalletApp-X would get 25% + 25%  = 50% of the profits).
  - 50% of the profits go the sigSafe manufacturer.  

For developers who are interested, and who could credibly integrate sigSafe connectivity in an Android app (or perhaps with a browser extension, or--if the iPhone 6 has 2-way NFC--in an iOS app), please email or PM me your qualifications and I can probably get you a sigsafe device to play with as soon as I have the USB bootloader working (so that I can send you firmware updates without you requiring a JTAG programmer).  

¹But advanced users could just re-flash their device to "unkey" it.

[molecular]

Any update on this?

Yes, the alpha-models work! 

Last week I believe I performed the first bitcoin multisig transaction signed offline by a passive NFC tag (no battery), transmitted over an air gap, and then broadcast to the bitcoin network in real time.

Here's a video demonstration:

https://vimeo.com/105458967

Cool video, your excitement spills over to the viewer. Well done. (I assume it's you in the video?)

[starsoccer9]

Neat idea, personally I think just adding to the device a small button or way for the user to just approve signings before they happen would be great.

My reasoning for this is that someone who knows you have a sigsafe and dont have a password can just approach you and by accident hit your sigsafe. Having a button or something that needs to be pressed makes it alot safer.
While I do agree having a password is the safest way to make your coins secure I think just a small discreet button to approve transactions would be easier. Something like once a signing request is made you have 3 seconds to press the bottom to approve the transaction signing request.

[Newar]

Neat idea, personally I think just adding to the device a small button or way for the user to just approve signings before they happen would be great.

My reasoning for this is that someone who knows you have a sigsafe and dont have a password can just approach you and by accident hit your sigsafe. Having a button or something that needs to be pressed makes it alot safer.
While I do agree having a password is the safest way to make your coins secure I think just a small discreet button to approve transactions would be easier. Something like once a signing request is made you have 3 seconds to press the bottom to approve the transaction signing request.

If somebody knows you have a SigSafe, they will probably also know that it has a button that needs pressing. Are we talking 5$ wrench attack here?

[Peter R]

Neat idea, personally I think just adding to the device a small button or way for the user to just approve signings before they happen would be great.

Lack of a screen/button is the most common criticism on the sigsafe thread at r/bitcoin, but of course that also increases cost and complicates the user experience (it's now more complex than "tap to sign").  

This is the response I posted there:

It's immune to key-loggers (e.g., when used with your computer).

It's immune to wallet.dat stealers (since your important private keys are offline).

It's resistant to attacks on the sigsafe supply chain or poor random seed selection (since the other seed is generated by an independent party).

It's resistant to man-in-the-middle attacks (see below).

Regarding signing rogue TXs, I avoided too many details in the video (it's described in the white paper), but the device will only sign transactions authorized by its "signing rules." For example, the device can set "per tap" spend limits (or daily spend limits with the optional battery), verify an ECDSA signature (to reduce the threat of a MITM attack), check a PIN, etc.

Consider this scenario: My tag is configured to only sign up to 1 BTC "per tap." In the (IMO very) unlikely event that my wallet app "goes rogue" and remains undetected through several "day-to-day" transactions (even though it could just steal the online funds) until the moment that I'm about to transfer from my sigsafe, then modifies the TX in an undetected way, authenticates successfully with the sigSafe, and then I sign the rogue TX by tapping, the damage is sill limited to the per-tap spend limit. The attack must occur in the brief moment when your tag is in contact with the NFC reader and would be very difficult to execute.

There's no perfect security and there's certainly benefits to having a screen, buttons, etc. But we should also weigh probability of loss versus the cost and complexity of the security solution. I think a device like this is simple to use, low cost, and reduces the attack surface significantly.

That being said, I'd still like to make a more expensive version with a screen and capacitive touch sensor

[starsoccer9]

Neat idea, personally I think just adding to the device a small button or way for the user to just approve signings before they happen would be great.

Lack of a screen/button is the most common criticism on the sigsafe thread at r/bitcoin, but of course that also increases cost and complicates the user experience (it's now more complex than "tap to sign").  

This is the response I posted there:

It's immune to key-loggers (e.g., when used with your computer).

It's immune to wallet.dat stealers (since your important private keys are offline).

It's resistant to attacks on the sigsafe supply chain or poor random seed selection (since the other seed is generated by an independent party).

It's resistant to man-in-the-middle attacks (see below).

Regarding signing rogue TXs, I avoided too many details in the video (it's described in the white paper), but the device will only sign transactions authorized by its "signing rules." For example, the device can set "per tap" spend limits (or daily spend limits with the optional battery), verify an ECDSA signature (to reduce the threat of a MITM attack), check a PIN, etc.

Consider this scenario: My tag is configured to only sign up to 1 BTC "per tap." In the (IMO very) unlikely event that my wallet app "goes rogue" and remains undetected through several "day-to-day" transactions (even tough it could just steal the online funds) until the moment that I'm about to transfer from my sigsafe, then modifies the TX in an undetected way, authenticates successfully with the sigSafe, and then I sign the rogue TX by tapping, the damage is sill limited to the per-tap spend limit. The attack must occur in the brief moment when your tag is in contact with the NFC reader and would be very difficult to execute.

There's no perfect security and there's certainly benefits to having a screen, buttons, etc. But we should also weigh probability of loss versus the cost and complexity of the security solution. I think a device like this is simple to use, low cost, and reduces the attack surface significantly.

That being said, I'd still like to make a more expensive version with a screen and capacitive touch sensor

Well I agree that the signing on  transactions with a key can ensure that this doesnt happen, but for the less tech savvy of us, I think a button of some sort still provides the best protection. I do understand that the button can add a cost, but then it may be cheaper to just make it some sort of a small switch or even lever.