Proposing new feature in Bitcoin protocol to reduce the number of thefts

[blackarrow]

Dear Bitcoin Developers,

We would like to propose a feature in Bitcoin protocol in order to reduce the number of Bitcoin thefts.

Real world scenario: attacker installs a trojan into your computer, downloads the Bitcoin wallet and keylogs your computer to get the password. The attacker can and will spend all your money and there's nothing you can do about it.

So, we would like to propose this feature to be added to Bitcoin protocol:

A "Time Lock" command for Bitcoin addresses.

    This will function in the same way as a safe does: The owner of the address will announce the network that he/she wishes to lock this address and will require X amount of minutes/days to be unlocked.
     This would mean that the Bitcoin network will require the user to issue the unlock command and wait for the timer to expire before allowing him/her to spend the money from that address. The GUI client must announce the owner that his address has been unlocked and display a countdown timer so he has a chance to take action.

     There's a problem with the above scenario: as the hacker has access to the keys, the owner still cannot stop spending because he/she can lock the money again but the attacker can unlock them, triggering a race that leads only to a draw (permanent lock of the funds) or the attacker to win (as the hackers are dedicated to make software that will trigger their transaction faster or will spend higher commissions to get the transaction processed quicker etc).

Here is the solution to this problem:

    Lock command will also require an emergency backup address. A 2nd lock command issued will not allow to change the emergency backup address. If the attacker triggers the unlock command and the real owner wants the money back, he/she can issue an emergency recover command and the network will send the money to the emergency address (that was set-up when the first lock command was issued).  It is important that transfer will be completed only after the lock timeout expires and the new address will be locked again for the original timeout. This is required in order to give a chance to the real owner to issue the last and final command (if the hacker had managed to get access to the 2nd address as well).
    The last and final command that can be issued by the real owner of the new address will be to destroy the funds. The funds will be destroyed, not sent to the miners. This is important in order to deter the hackers to develop any other techniques to steal the money (for example few days ago I read that they hacked 6 ISPs and redirected the whole hashing power towards themselves). If we do not destroy the funds, we are inviting them to hack our hashing power.


To summarize:

   lock(address, delay, emergency address)
      note: a new lock command, issued while the lock is active, will not accept to change the emergency address or the delay.
   unlock(address, where_to_spend);
      note: a new unlock command will refresh the timer to the original lock command. If a previous unlock command was issued with no address to spend, there will not be accepted any new addresses
   issue_emergency(address);
       will cancel any unlock commands and send the money to the emergency address set with original lock(). emergency address will be locked for the same amount of time as issued by original lock(). No further unlock commands are accepted.
   destroy(emergency_address);
       can be issued only on emergency addresses that are locked. it is important that this transaction to be signed by emergency_address only as we do not want the hacker that has access to our original address to be able to destroy our saved funds.

   

Regards!

[vancsj]

A 2-of-2 multisignature address would cover your needs, I think.

[vancsj]

I've considered that, it is not the same.

Can you explain the difference?

[confirmation120]

You lock the funds. The thief cannot access them and you will become aware if your funds are in danger. You can postpone the transfer as much as you want until the police can locate the thief. If you cannot locate the thief, you can destroy the funds.

Why destroy the funds? It is the same as death penalty in real life: will deter other people to repeat the crime.

IMO, most bitcoin related thefts are done behind TOR and VPNs that do not keep logs, therefore most thefts are not traceable.

Another issue is that this would lead to additional "transactions" needing to be done by the miners without compensation. In order for this to work properly, both "lock" and "unlock" transactions would need to be confirmed by the miners otherwise the network would not know for sure which one is "correct".

This would also make it much easier to launch what would essentially be double spend attacks against merchants that accept 0/unconfirmed TXs. The attack would work like this: You send a TX to a node that a merchant is connected to, and send a "lock" command to a well connected node a few seconds later. If the "lock" command would have a higher priority then a TX (it would have to in order to be effective) then the "lock" command would take precedent over the TX and the merchant would never receive their funds (having the same effect as a double spend). You would then issue an "unlock" command after the 0/unconfirmed TX is "forgotten" by the nodes

Another issue is that this would make it very easy to attack the network. Someone could easily create thousands of BTC addresses, send a very small amount BTC to each of these addresses and then send "lock" and "unlock" commands for each of these addresses. This would likely overwhelm both the miners and the nodes, making it difficult to even get a TX propagated, or if it is propagated to get it confirmed. 

[Cubic Earth]

I proposed almost the exact same thing in this thread: https://bitcointalk.org/index.php?topic=511881.0;all
At first I titled the thread Transaction reversability would be a good thing, but I some point I realized people were not even reading the original post, and they were just attacking the idea on the title.  That's when I changed it to Transaction reversability would be a BAD thing.

[justusranvier]

So, we would like to propose this feature to be added to Bitcoin protocol:

A "Time Lock" command for Bitcoin addresses.

Are you aware that Bitcoin addresses do not exist on the blockchain or in the protocol?

[DannyHamilton]

So, we would like to propose this feature to be added to Bitcoin protocol:

A "Time Lock" command for Bitcoin addresses.

Are you aware that Bitcoin addresses do not exist on the blockchain or in the protocol?

And that "addresses" are not spent, "outputs" are.

And that transactions don't have timestamps?

And that the timestamp on a block is unreliable as an indication of current real-world calendar time?

And that the change you are proposing would require so much modification to the way the protocol works that it would likely destroy the consensus system and the fungible nature of bitcoins?

[cr1776]

If flood is a problem, lock and unlock can be charged as any other transaction.

Just go ahead and implement it and do a pull request. That will give everyone time to evaluate the proposal in reality and determine whether this hard fork is justified. 

[inBitweTrust]

One problem with depending upon "lock_time" for security is that it will tie up the funds from the owner when for his own security he may need to access his funds sooner than anticipated.

This service could also be handled off the block with mutisig with a service like copay where the other party or oracle locks the transaction for a certain time period.

[Cubic Earth]

One problem with depending upon "lock_time" for security is that it will tie up the funds from the owner when for his own security he may need to access his funds sooner than anticipated.

Tying up, or encumbering one's own funds is and would always be a personal choice.  With freedom comes the freedom to make bad decisions.  It would be up the owner to weigh the pros and cons of trying up the funds.  It sounds to me like you are saying the 'problem' would be people making a choice, and then later regretting it.  Or am I missing something?

[inBitweTrust]

It sounds to me like you are saying the 'problem' would be people making a choice, and then later regretting it.  Or am I missing something?

No, I want people to have the freedom to make bad decisions. They can already use nTimeLock right now to make this decision so that isn't the issue.
blackarrow is definitely correct there are very specific use case benefits for doing this for either security (akin to how banks have timers on their vaults),
 preventing an interference from immediately being used,  or for green addresses.

The original recommendation wouldn't be feasible without a serious overhaul of the way the bitcoin protocol functions but lets assume that we are just talking about
adding a button on Bitcoin core that performed the timelock for the user. Additionally, lets ignore the ability to do this with Oracles- https://github.com/orisi/wiki/wiki/Performing-a-Timelock-transaction
What we are discussing is a UI implementation to ease the use of this feature that already exists in the protocol.

A few concerns:
1) Should we go out of our way implementing a feature that has a very specific use case that can be so easily accidentally misused?
2) Under "blackarrow's" scenario :

For example, imagine that you are at home and a theif bust in. They will get your 2 keys or 100 keys if they are located at home.
However, if you have a timelock they cannot override it. This feature give enough time to the police to take action.

When a physical attacker has a person hostage, ntimelock is a good way of getting this hostage killed either out of the thief's frustration or the thief needs more time until the timelock is released and killing the hostage would grant him that time.

3) There are other concerns with timelock with heavy use either being purposely or accidentally DDoS'ing the network.

[vancsj]

I think that the advantages of timelock are:
 - ease of use
 - more secure

For example, imagine that you are at home and a theif bust in. They will get your 2 keys or 100 keys if they are located at home.
However, if you have a timelock they cannot override it. This feature give enough time to the police to take action.

I agree it may be easier to use when your private key is not stolen, but I don't think it's more secure.

For the 2-of-2 strategy, the hacker can do nothing with just 1 key; but with your proposal, the hacker still have chance to succeed, if the hostage doesn't response quickly.

[dabura667]

How would you plan to implement this securely without exposing the pubkey?

The entire reason for not reusing addresses and using two types of hash on the pubkey is so you wouldn't have to expose it, protecting you from a theoretical breaking of ECDSA.

Obviously this would require a digital signature to prove ownership to the lock function, and thus expose the pubkey.

How would you mitigate this problem?

[DannyHamilton]

- snip -

- snip -

- snip -

Are you aware that 10% of the bitcoins in circulation are currently stolen? Are we going to do anything about it?

Are you including bitcoins that were willingly given to the thief or situations where large quantities of bitcoins weren't stored in cold storage at all (such as inputs.io, MtGox, pirateat40, SilkRoad, etc) in your calculation of "10%"?

If so, please explain how your proposal would have helped in any of those situations?

If not, then please explain where you come up with a number like 10%?

[inBitweTrust]

If you gave them the BTC willingly, I assure you that we did not.

183k already. If they reach 1M, I can only guess what will happen to BTC value ...

Grifters will always be able to game the credulous if you allow people to make dumb decisions. With freedom comes responsibility.

The lesson to be learned with all these "hacked" exchanges and hot wallets is that by exchanging your private keys for IOU tokens
you are defeating one of the main purposes of Bitcoin being p2p and not needing a middleman.  Bitcoin's purpose is not just to become a
cheaper paypal.

Exchanges should be decentralized and these are many ways to accomplish this task.

[CIYAM]

The lesson to be learned with all these "hacked" exchanges and hot wallets is that by exchanging your private keys for IOU tokens
you are defeating one of the main purposes of Bitcoin being p2p and not needing a middleman.  

Agreed - services will always be created "above Bitcoin" and numerous of those will "turn out to be scams".

Not everyone is *ready* to take *responsibility for their own money* (so if banks ever decide to allow "Bitcoin accounts" I am sure they'll be very popular).

[inBitweTrust]

Not everyone is *ready* to take *responsibility for their own money* (so if banks ever decide to allow "Bitcoin accounts" I am sure they'll be very popular).

Correct, and with Bitcoin it doesn't have to be an either or proposition. People can benefit by storing some of their BTC in insured and regulated hot wallets like circle and coinbase
and than keep most of their savings offline in multisig paper wallets or hardware wallets.

Our task and goal is to make the above task easy and user friendly. The OP intentions are in the right place but the details are what we have concerns about.

[CIYAM]

Correct, and with Bitcoin it doesn't have to be an either or proposition.

Agreed 100% - if one of the banks I use decided to offer a BTC account I think I'd probably put some BTC there.

[OgNasty]

What makes you say that these coins are stolen?

We've chased our stolen coins here.

Maybe you should ask KunaBTC why they ended up with your supposedly stolen coins?

https://twitter.com/kunabtc

EDIT:  Anyone know who runs KunaBTC?  Are they a forum member here?  I would love to have their explanation of how they ended up with "stolen coins" from Black Arrow. 

[silversurfer1958]

Whatever scenario you envisage that requires a solution, I'm sure someone else can come up with a scenario that will require anotrher solution.
at the end of the day, the tools are available for us to protect our assets.
If someone chooses to holds a gun to our heads, or to our children's they can possibly defeat any means of protection employed by most people.