Segregated Witness brings more than just capacity expansion, it also makes hardware wallets more secure

Bitcoin Core released its latest software version 0.13.1 last week, which includes the Segregated Witness soft fork. If the proposal is supported by a majority of miners, Segregated Witness will be activated on the Bitcoin network - perhaps as early as December. This soft fork will bring a number of benefits, including an effective increase in the block size limit and scalability fixes.

However, a lesser-known benefit is that transaction input amounts (the amount of bitcoin being sent) will for the first time be cryptographically signed by the user. It’s a small change, but according to Ledger CTO Nicolas Bacca, ‘this change fixes one of the biggest issues currently facing bitcoin hardware wallets.’

Input

All Bitcoin transactions send bitcoins from 'inputs' to 'outputs', where inputs refer to the addresses bitcoins are sent from and outputs specify the recipient addresses.

Of course, the inputs combined are at least as large as the outputs combined. It is impossible for a sender to create bitcoins out of thin air.

In practice, however, the inputs usually add up to slightly more than the outputs, and this difference is the fee. So if the inputs total 1 BTC, the outputs may total 0.999 BTC, and whoever processes this transaction gets 0.001 BTC as a reward.

But there is one quirk. While the outputs contain explicit amounts, the inputs do not. This isn’t really a problem, because every input refers to a previous transaction, so Bitcoin wallets can check the blockchain to see how much each input is worth.

However, hardware wallets are an exception, as Bacca explained to Bitcoin Magazine:

“Hardware wallets do not store the entire blockchain, nor do they directly access the Bitcoin network. Instead, they collect transaction history by connecting to software. For example, they connect to the network through a wallet running on a computer, or through a web wallet.”

In many cases, this is fine. The hardware wallet generates a transaction to send a certain amount of bitcoin to certain addresses (the outputs). If the user really wants to send bitcoin to these addresses, he signs the transaction. There is no risk of funds being sent to the wrong output.

However, this still leaves the risk of a ‘fee attack,’ Bitcoin Core and Digital Bitbox developer Jonas Schnelli told Bitcoin Magazine.

“For example, if your computer is compromised by a Trojan horse, when sending funds from your hardware wallet, the Trojan horse will increase the input amount, or add additional inputs without informing the user. Through the hardware wallet, the user then confirms and checks the output and signs the transaction. However, the user does not know that the actual amount of input is higher than the transaction requires; even all the bitcoins stored in the hardware wallet may be sent without the user's knowledge and then distributed to the miners as a huge fee.”

While this may be unlikely, the risk severely undermines one of the key uses of hardware wallets. After all, the point of hardware wallets is that these devices cannot be hacked even if they are connected to an insecure computer.

Segregated Witness

Countermeasures against this "fee" attack do exist. Hardware wallets can connect to software to obtain the previous transaction on the blockchain, convert the output amount into a hash, and then compare it with the input amount hash of the new transaction.
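A minimal sketch of this countermeasure, added here as an illustration and not taken from any wallet vendor's code: the device hashes the full previous transaction handed to it by the host, checks that the hash equals the transaction ID the new input spends, and only then trusts the output amount. The sample transactions and all function names are constructed for this example, and only the legacy (non-witness) serialization is parsed.

```python
import hashlib
import struct

def dsha(b):
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def read_varint(buf, pos):
    """Decode a CompactSize integer; return (value, new_pos)."""
    first = buf[pos]
    if first < 0xfd:
        return first, pos + 1
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def output_amounts(raw_tx):
    """Parse a legacy-serialized transaction; return its output values in satoshis."""
    pos = 4                                   # skip version
    n_in, pos = read_varint(raw_tx, pos)
    for _ in range(n_in):
        pos += 36                             # outpoint: txid + output index
        script_len, pos = read_varint(raw_tx, pos)
        pos += script_len + 4                 # scriptSig + sequence
    n_out, pos = read_varint(raw_tx, pos)
    values = []
    for _ in range(n_out):
        values.append(struct.unpack_from("<q", raw_tx, pos)[0])
        script_len, pos = read_varint(raw_tx, pos + 8)
        pos += script_len
    if pos + 4 != len(raw_tx):                # only the 4-byte locktime may remain
        raise ValueError("trailing or missing bytes in previous transaction")
    return values

def verified_input_amount(raw_prev_tx, prev_txid_hex, vout):
    """Return output `vout`'s amount only if raw_prev_tx hashes to the spent txid."""
    if dsha(raw_prev_tx)[::-1].hex() != prev_txid_hex:
        raise ValueError("previous transaction does not match the input being spent")
    return output_amounts(raw_prev_tx)[vout]

def build_prev_tx(amount):
    """Constructed sample: one empty-script input, one 25-byte-script output."""
    txin = b"\x22" * 32 + struct.pack("<I", 0) + b"\x00" + struct.pack("<I", 0xFFFFFFFF)
    txout = struct.pack("<q", amount) + b"\x19\x76\xa9\x14" + bytes(20) + b"\x88\xac"
    return struct.pack("<i", 1) + b"\x01" + txin + b"\x01" + txout + struct.pack("<I", 0)

GENUINE = build_prev_tx(500_000_000)          # what the blockchain really holds
FORGED = build_prev_tx(100_000_000)           # host understates the amount
TXID = dsha(GENUINE)[::-1].hex()              # txid referenced by the new input
```

The device has to receive and hash every previous transaction in full, one per input, which is where the cost described below comes from.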

However, Trezor architect Marek “Slush” Palatinus explained,

“These solutions are extremely complex and slow.”

Due to the limited computing resources of hardware wallets, they may not even be feasible in some cases.

Palatinus said:

“Transactions that include a large number of inputs or outputs, such as mining pool payouts, may take up to an hour to compute.”

Segregated Witness offers a better solution.

Segregated Witness moves cryptographic signatures to a kind of “additional” part of a transaction: the ‘witness’ part. This in itself is not important for hardware wallets. But because moving the signature data changes the way wallets read it, Bitcoin Core developers decided to slightly change the signature generation process as well.

Specifically, the input amounts are signed, though they are still not part of the transaction itself. In a way, these input amounts become 'part' of the cryptographic signature. As a result, a hardware wallet user only signs for the exact amount of bitcoin being sent, without going through a complicated and slow process or risking sending too much money. (If a Trojan tried to change the input amounts after signing, the transaction would be considered invalid by Bitcoin nodes.)
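The signing change described above is specified in BIP143. The following added example (not code from the article or from any wallet) builds the BIP143 SIGHASH_ALL digest for a P2WPKH input and shows that a digest computed from an amount the host lied about differs from the one nodes rebuild from the real UTXO amount, so the resulting signature cannot verify. The transaction data, the dict layout and the function names are constructed for illustration, and digest equality stands in for ECDSA verification.

```python
import hashlib
import struct

def dsha(b):
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def varbytes(b):
    """Length-prefixed bytes; single-byte CompactSize is enough for these scripts."""
    assert len(b) < 0xfd
    return bytes([len(b)]) + b

def bip143_digest(tx, idx, amount, sighash_type=1):
    """SIGHASH_ALL digest for input `idx`, committing to `amount` (satoshis)."""
    ins, outs = tx["inputs"], tx["outputs"]
    hash_prevouts = dsha(b"".join(i["txid"] + struct.pack("<I", i["vout"]) for i in ins))
    hash_sequence = dsha(b"".join(struct.pack("<I", i["sequence"]) for i in ins))
    hash_outputs = dsha(b"".join(struct.pack("<q", v) + varbytes(spk) for v, spk in outs))
    i = ins[idx]
    preimage = (struct.pack("<i", tx["version"]) + hash_prevouts + hash_sequence
                + i["txid"] + struct.pack("<I", i["vout"])
                + varbytes(i["script_code"])
                + struct.pack("<q", amount)      # input amount is part of what gets signed
                + struct.pack("<I", i["sequence"]) + hash_outputs
                + struct.pack("<I", tx["locktime"]) + struct.pack("<I", sighash_type))
    return dsha(preimage)

def fee_shown_on_device(tx, claimed_amounts):
    """Fee the wallet displays, computed from the amounts the host supplied."""
    return sum(claimed_amounts) - sum(v for v, _ in tx["outputs"])

def node_accepts(tx, claimed_amounts, utxo_amounts):
    """The device signs digests built from claimed amounts; nodes rebuild them from
    the real UTXO set. A signature over a different digest does not verify."""
    return all(bip143_digest(tx, n, claimed_amounts[n]) == bip143_digest(tx, n, utxo_amounts[n])
               for n in range(len(tx["inputs"])))

# Constructed sample data: one P2WPKH input really worth 5 BTC, one 0.999 BTC output.
SCRIPT = b"\x76\xa9\x14" + bytes(range(20)) + b"\x88\xac"   # P2WPKH scriptCode form
TX = {"version": 1, "locktime": 0,
      "inputs": [{"txid": b"\x11" * 32, "vout": 0, "sequence": 0xFFFFFFFF,
                  "script_code": SCRIPT}],
      "outputs": [(99_900_000, SCRIPT)]}
REAL, LIE = [500_000_000], [100_000_000]     # true amount vs. what a Trojan reports

if __name__ == "__main__":
    print("fee shown when host lies:", fee_shown_on_device(TX, LIE))
    print("node accepts that signature:", node_accepts(TX, LIE, REAL))
```

With honest amounts the device would display the true fee of 400,100,000 satoshis, and the user can refuse to sign.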

If SegWit is activated, it will be easy to upgrade all existing hardware wallets to take advantage of this option. Ledger has already made upgrades to the Ledger codebase, while Trezor and Digital Bitbox will also be ready to integrate if the SegWit soft fork is activated.

Palatinus stressed:

“SegWit does more than just scale.”

“Bitcoin has other problems, and SegWit opens the door to new potential applications and use cases that are not possible today. This is important for those who think that only a larger block size can save the Bitcoin exchange rate, and for miners who will decide whether SegWit should be adopted, to understand.”

