📅 Original date posted:2022-05-09
📝 Original message:
( a formatted version of this message is here:
https://gitlab.com/lightning-signer/docs/-/wikis/Blind%20Signing%20Considered%20Harmful
)
# Introduction
This post discusses blind signers. Blind signers do not put the user in
control of their funds and are subject to a long list of exploits.
This post also (re-)introduces the open-source [Validating Lightning
Signer](https://gitlab.com/lightning-signer/docs/-/blob/master/README.md)
Project.
# Background
A **Signer** is a component that performs cryptographic operations,
separately from a wallet. A Bitcoin hardware wallet is an example of a
Signer, where private keys are controlled on a hardened device. There is
currently no complete solution for a hardware signer for the Lightning
network.
A **Blind Signer** is a signer that does not perform validation. There are
several Lightning wallets and node implementations that as of today support
only blind signing. I believe these configurations are insecure.
A **Validating Signer** performs a comprehensive set of policy checks to
ensure that the keys are not misused. For example, a validating Bitcoin
hardware wallet checks the destination, amount and change outputs in
collaboration with the user.
A layer-2 validating signer is significantly more complex, because of the
complexity of the Lightning protocol.
**While a Blind Signer is a technical step on the road to the higher
security of a Validating Signer, by itself it actually reduces security if
deployed in production. This is because it presents two points of attack -
at the node and at the signer.**
# The VLS Project
The [Validating Lightning Signer](
https://gitlab.com/lightning-signer/docs/-/blob/master/README.md) project
aims to close the gap for securing the Lightning ecosystem. It is an
open-source Rust library and reference implementation. The project is
approaching Beta, which is the point where the main goal will be met: funds
are safe even if the node is completely compromised.
The task is relatively complex because of the complexity of the Lightning
protocol. There are more than [50 policies](
https://gitlab.com/lightning-signer/docs/-/blob/master/policy-controls.md)
that must be enforced, and many of them require stateful inspection of the
protocol.
Both servers and consumer devices are targeted, the latter via a Rust
`no_std` compilation mode.
# Signing Configurations
Here are some of the potential configurations of a Lightning node:
* Monolithic node
* Node with a separate Blind Signer
* Node with a separate Validating Signer - the signer ensures that the
Lightning state machine ran correctly and funds are not at risk
# The (In)security of Blind Signing
* The monolithic case has one point of attack - at the node.
* The blind signing case has **two points of attack** - at the node and at
the Signer. A blind signer will perform any signing operation the node
requests, so **a compromised node will still result in loss of funds**. And
obviously, a compromised signer will also result in loss of funds. This is
worse than a monolithic node because funds can be lost if **either** is
compromised.
* The validated signing case has just one point of attack with a small
attack surface
# Wallets with Blind Signers Must Trust the Node Operator
Blind signing wallets where the node is run by an LSP (Lightning Service
Provider) are not self-custodial because the LSP can unilaterally control
the funds. The LSP merely has to provide the Signer with a transaction that
sends the funds to the LSP or another destination.
# Examples of Blind Signing Exploits
A compromised node can unilaterally submit transactions to be signed by the
blind Signer. The following can result in the funds being stolen:
* The node submits a mutual closing transaction which sends funds to the
attacker's address
* The node asks the blind signer to sign a revoked transaction which will
cause loss of all funds when published
* And many more ...
A compromised node can also lose funds when it doesn't follow the Lightning
protocol. Some potential exploits include:
* The node fails to validate the counter-party's revocation, and the
counter-party broadcasts an old commitment transaction that sends most of
the funds to the counter-party
* The node fails to claim input HTLCs when routing payments, leading to the
gradual loss of all funds
* And many more ...
# Validating Signers
In the Validating Signer case, a compromise of the Lightning node will not
result in the loss of funds. The security of such a setup is only dependent
on the security of the Signer. The Signer can be hardened as needed for the
specific use case.
Some of the validation rules that a validated Signer can implement include:
- Don't sign a revoked commitment transaction
- Don't revoke a signed commitment transaction
- Don't close a channel to an unapproved destination
- Routed payments must have at least as much input as output value
- Payments must claim at least as much from the input as was claimed from
us on the output
- And many more ...
# Conclusion
Blind signers reduce the security of Lightning nodes and are subject to
[many exploits](
https://gitlab.com/lightning-signer/docs/-/wikis/Potential-Exploits).
Validating signers improve security by reducing the attack surface. The VLS
project aims to provide a library and reference implementation for
enterprise servers and consumer devices.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20220509/95d3c85d/attachment.html>;
Devrandom [ARCHIVE] /
npub1j0…w9k8n
2023-06-09 13:06:00
in reply to nevent1q…pujk
Author Public Key
npub1j0js72tmnxzmrtd6j0j5wcvfuhsqwgqxdwkpmw28rmmuy22y3wzsdw9k8nPublished at
2023-06-09 13:06:00Event JSON
{
"id": "617e47cc42f38e9507af360ca98b0511797568fb4bad58e5cf91636488b84995",
"pubkey": "93e50f297b9985b1adba93e5476189e5e00720066bac1db9471ef7c229448b85",
"created_at": 1686315960,
"kind": 1,
"tags": [
[
"e",
"fd83037e8858fe6f85919295f43f2d74d0a06761fc47673d956b45c2da9be3de",
"",
"reply"
],
[
"p",
"9456f7acb763eaab2e02bd8e60cf17df74f352c2ae579dce1f1dd25c95dd611c"
]
],
"content": "📅 Original date posted:2022-05-09\n📝 Original message:\n( a formatted version of this message is here:\nhttps://gitlab.com/lightning-signer/docs/-/wikis/Blind%20Signing%20Considered%20Harmful\n)\n\n# Introduction\n\nThis post discusses blind signers. Blind signers do not put the user in\ncontrol of their funds and are subject to a long list of exploits.\n\nThis post also (re-)introduces the open-source [Validating Lightning\nSigner](https://gitlab.com/lightning-signer/docs/-/blob/master/README.md)\nProject.\n\n# Background\n\nA **Signer** is a component that performs cryptographic operations,\nseparately from a wallet. A Bitcoin hardware wallet is an example of a\nSigner, where private keys are controlled on a hardened device. There is\ncurrently no complete solution for a hardware signer for the Lightning\nnetwork.\n\nA **Blind Signer** is a signer that does not perform validation. There are\nseveral Lightning wallets and node implementations that as of today support\nonly blind signing. I believe these configurations are insecure.\n\nA **Validating Signer** performs a comprehensive set of policy checks to\nensure that the keys are not misused. For example, a validating Bitcoin\nhardware wallet checks the destination, amount and change outputs in\ncollaboration with the user.\n\nA layer-2 validating signer is significantly more complex, because of the\ncomplexity of the Lightning protocol.\n\n**While a Blind Signer is a technical step on the road to the higher\nsecurity of a Validating Signer, by itself it actually reduces security if\ndeployed in production. This is because it presents two points of attack -\nat the node and at the signer.**\n\n# The VLS Project\n\nThe [Validating Lightning Signer](\nhttps://gitlab.com/lightning-signer/docs/-/blob/master/README.md) project\naims to close the gap for securing the Lightning ecosystem. It is an\nopen-source Rust library and reference implementation. The project is\napproaching Beta, which is the point where the main goal will be met: funds\nare safe even if the node is completely compromised.\n\nThe task is relatively complex because of the complexity of the Lightning\nprotocol. There are more than [50 policies](\nhttps://gitlab.com/lightning-signer/docs/-/blob/master/policy-controls.md)\nthat must be enforced, and many of them require stateful inspection of the\nprotocol.\n\nBoth servers and consumer devices are targeted, the latter via a Rust\n`no_std` compilation mode.\n\n# Signing Configurations\n\nHere are some of the potential configurations of a Lightning node:\n\n* Monolithic node\n* Node with a separate Blind Signer\n* Node with a separate Validating Signer - the signer ensures that the\nLightning state machine ran correctly and funds are not at risk\n\n# The (In)security of Blind Signing\n\n\n\n* The monolithic case has one point of attack - at the node.\n* The blind signing case has **two points of attack** - at the node and at\nthe Signer. A blind signer will perform any signing operation the node\nrequests, so **a compromised node will still result in loss of funds**. And\nobviously, a compromised signer will also result in loss of funds. This is\nworse than a monolithic node because funds can be lost if **either** is\ncompromised.\n* The validated signing case has just one point of attack with a small\nattack surface\n\n# Wallets with Blind Signers Must Trust the Node Operator\n\nBlind signing wallets where the node is run by an LSP (Lightning Service\nProvider) are not self-custodial because the LSP can unilaterally control\nthe funds. The LSP merely has to provide the Signer with a transaction that\nsends the funds to the LSP or another destination.\n\n# Examples of Blind Signing Exploits\n\nA compromised node can unilaterally submit transactions to be signed by the\nblind Signer. The following can result in the funds being stolen:\n\n* The node submits a mutual closing transaction which sends funds to the\nattacker's address\n* The node asks the blind signer to sign a revoked transaction which will\ncause loss of all funds when published\n* And many more ...\n\nA compromised node can also lose funds when it doesn't follow the Lightning\nprotocol. Some potential exploits include:\n\n* The node fails to validate the counter-party's revocation, and the\ncounter-party broadcasts an old commitment transaction that sends most of\nthe funds to the counter-party\n* The node fails to claim input HTLCs when routing payments, leading to the\ngradual loss of all funds\n* And many more ...\n\n# Validating Signers\n\nIn the Validating Signer case, a compromise of the Lightning node will not\nresult in the loss of funds. The security of such a setup is only dependent\non the security of the Signer. The Signer can be hardened as needed for the\nspecific use case.\n\nSome of the validation rules that a validated Signer can implement include:\n\n- Don't sign a revoked commitment transaction\n- Don't revoke a signed commitment transaction\n- Don't close a channel to an unapproved destination\n- Routed payments must have at least as much input as output value\n- Payments must claim at least as much from the input as was claimed from\nus on the output\n- And many more ...\n\n# Conclusion\n\nBlind signers reduce the security of Lightning nodes and are subject to\n[many exploits](\nhttps://gitlab.com/lightning-signer/docs/-/wikis/Potential-Exploits).\n\nValidating signers improve security by reducing the attack surface. The VLS\nproject aims to provide a library and reference implementation for\nenterprise servers and consumer devices.\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20220509/95d3c85d/attachment.html\u003e",
"sig": "acdbc05d1a59ee84805e1ce7e280c63b7e3947196d2d0616e6ee1c39b5522019c5300e28362d400439162e78bda706941bd3cee71bddbd26abab78f6b68b7d25"
}