SegWit and hardware wallets

Today's newsletter continues chapter 3 from Bitcoin: A Work in Progress.

Next week is the second edition of the BitDevs Amsterdam Socratic Seminar. If you find this content interesting, you should enjoy this meetup. RSVP here if you’re in the neighbourhood.

SegWit and Hardware Wallets

In addition to all the aforementioned benefits — fixing malleability, increasing block size, versioning, etc. — SegWit introduces a commitment to the inputs, which primarily benefits hardware wallets.

A hardware wallet is an external device that holds your private keys and can sign Bitcoin transactions. Because the device is purpose built and otherwise very simple, it’s less likely than your regular computer to have malware on it. It usually shows you a summary, based on its understanding of a transaction, and then asks you to approve the transaction before it actually signs.

Before signing a transaction, the device shows you the destination address and amount. That way you can verify that an attacker didn’t swap out the address for one they control.

The device also checks that the input amounts add up to the output plus the fee. This protects you against a scenario where an attacker makes you pay an absurd amount of fees (perhaps colluding with a miner).

However, transactions don’t actually specify their input amounts. The only way for the device to learn those is if you give it the input transactions. It can then inspect their output amounts. But having to send all the input transactions to the hardware wallet can be problematic, especially when they’re big, because these devices tend to be slow and have very limited memory resources.

To be clear, any wallet should perform these checks — not just hardware wallets. You always have inputs, which are coins you own. And then you have the outputs, which are coins you’re sending, usually including a change output to yourself. The difference between them is the fee the miner keeps, and the fee isn’t mentioned in the transaction, so the wallet calculates it for you.

This works for a regular wallet, because it knows how much all of the inputs are worth. But a hardware wallet is disconnected from the internet, so it doesn’t necessarily know how much all the inputs are worth. Without that information, it can’t be sure how much money it’s about to send.

Therefore, a hardware wallet runs the risk of sending 10 million coins as a fee without realizing it. And if somebody colludes with the miner or just wants to take your coins hostage in some weird way, that’s not good. SegWit addresses this by committing to those inputs. (Unfortunately, the approach used by SegWit still left some potential attacks open, but these have been addressed by Taproot.)

With SegWit, before a signature is created, the amount of the output being spent (the input amount) is added to the data that’s signed. The device now receives these amounts along with the transaction it needs to sign, and it uses them to inform the user and to create the signature. If your computer lied to the device about the amount, then the resulting signature is invalid. So the device no longer needs to look at the actual previous transaction.

Note that nothing is stopping your computer from crafting a fake transaction with fake inputs and any output amount it wants — the hardware wallet will happily sign it. But when your computer then broadcasts it to the network to get it included in the blockchain, it’s just not going to be valid. So it’s pointless for an attacker to try this.
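The amount commitment described above, as an added example that is not from the book: a Python computation of the BIP143 signature digest used by SegWit v0 inputs, limited to SIGHASH_ALL. The transaction, the amounts, and the names bip143_digest and implied_fee are constructed for illustration.

```python
import hashlib
import struct

def dsha(b):
    """Double SHA-256, as used for Bitcoin signature hashes."""
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def varbytes(b):
    """Length-prefixed bytes (a single-byte length is enough for this example)."""
    assert len(b) < 0xfd
    return bytes([len(b)]) + b

def outpoint(txin):
    # txid is stored here in serialized (internal) byte order
    return txin["txid"] + struct.pack("<I", txin["vout"])

def bip143_digest(tx, idx, script_code, amount):
    """SIGHASH_ALL digest for input idx; amount = satoshis in the output it spends."""
    ins, outs = tx["ins"], tx["outs"]
    hash_prevouts = dsha(b"".join(outpoint(i) for i in ins))
    hash_sequence = dsha(b"".join(struct.pack("<I", i["seq"]) for i in ins))
    hash_outputs = dsha(b"".join(struct.pack("<q", v) + varbytes(s) for v, s in outs))
    return dsha(struct.pack("<i", tx["version"]) + hash_prevouts + hash_sequence
                + outpoint(ins[idx]) + varbytes(script_code)
                + struct.pack("<q", amount)              # the committed input amount
                + struct.pack("<I", ins[idx]["seq"]) + hash_outputs
                + struct.pack("<I", tx["locktime"])
                + struct.pack("<I", 1))                  # 1 = SIGHASH_ALL

def implied_fee(tx, input_amounts):
    """Fee a wallet displays: sum of inputs minus sum of outputs."""
    return sum(input_amounts) - sum(v for v, _ in tx["outs"])

# Constructed sample data (not a real transaction)
SCRIPT_CODE = bytes.fromhex("76a914" + "22" * 20 + "88ac")  # P2WPKH scriptCode
TX = {"version": 2, "locktime": 0,
      "ins": [{"txid": bytes.fromhex("11" * 32), "vout": 0, "seq": 0xFFFFFFFD}],
      "outs": [(90_000, bytes.fromhex("0014" + "33" * 20))]}
REAL_AMOUNT = 1_000_000   # what the spent output actually holds
CLAIMED_AMOUNT = 100_000  # what a lying host tells the device

def demo():
    shown_fee = implied_fee(TX, [CLAIMED_AMOUNT])   # fee the device displays
    real_fee = implied_fee(TX, [REAL_AMOUNT])       # fee the network would see
    device = bip143_digest(TX, 0, SCRIPT_CODE, CLAIMED_AMOUNT)  # device signs this
    node = bip143_digest(TX, 0, SCRIPT_CODE, REAL_AMOUNT)       # nodes verify this
    return shown_fee, real_fee, device == node

if __name__ == "__main__":
    print(demo())
```

Because the signature covers this digest, a signature made over the claimed amount fails verification against the amount recorded on the blockchain.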

SegWit Recap

The main benefit of SegWit is that it fixes malleability, which enables things like the Lightning network, resulting in a pretty big increase in potential transaction throughput.

The second benefit is an increase in block size, even though this is dwarfed by the capacity increase Lightning could achieve. The third is versioning, which makes it easier to deploy future upgrades. And the fourth is improved hardware wallet support.

Block Size War

If the above sounds great and uncontroversial, it’s because, in my opinion, it is. There was, however, a lot of drama in the years surrounding this soft fork. One account of this is provided in Jonathan Bier’s The Blocksize War.