Sealed Wallet is a hardware device that enables transferring control of Bitcoin by exchanging a physical object. It is a USB device that can do the following:
1. Generate a private key on the device
2. Sign transactions using the private key
3. Refuse to double-spend outputs
4. Prevent the private key from ever leaving the device
5. Show a list of transactions it has signed
How it’s used:
- Alice has Sealed Wallet loaded with 100 mBTC and wishes to give 50 mBTC to Bob.
- Alice plugs her Sealed Wallet into her phone and asks it to sign a transaction tx1 spending 50 mBTC to an address controlled by Alice.
- Alice hands the Sealed Wallet to Bob.
- Later, Alice broadcasts tx1 to the network.
- Alice now has 50 mBTC and Bob has a Sealed Wallet containing 50 mBTC.
What ensures this outcome?
Attack: Alice attempts to make Bob believe that she has given him the Sealed Wallet when in fact she has not; for example, she hands Bob a dummy device.
Defense: An authentic Sealed Wallet device is signed with the manufacturer key. Bob can plug the Sealed Wallet into his computer and verify that the device is authentic.
Attack: Alice gives Bob a Sealed Wallet that was loaded with less than 100 mBTC.
Defense: Bob has a copy of the blockchain and can verify that the Sealed Wallet was loaded with 100 mBTC.
Attack: Alice gives Bob a Sealed Wallet that was loaded with 100 mBTC, but she used it to sign transactions spending more than 50 mBTC, so that less than 50 mBTC is available for Bob.
Defense: Bob can query the Sealed Wallet, asking it “what transactions have you signed?” Sealed Wallet responds with a list of signed transactions. Bob can combine this information with the state of the blockchain and calculate how much BTC the wallet retains control over.
Attack: After Alice gives Bob the Sealed Wallet, Alice stops cooperating and does not broadcast the transaction spending 50 mBTC to Alice and 50 mBTC to the Sealed Wallet.
Defense: Bob can query the Sealed Wallet, asking it “what transactions have you signed?” Sealed Wallet responds with a list of signed transactions. Bob can broadcast the transaction sending 50 mBTC to Alice and 50 mBTC to the Sealed Wallet.
Attack: Alice behaves honestly, but Bob tries to stop her from getting the 50 mBTC that the Sealed Wallet has sent to her.
Defense: Alice obtained a copy of the signed transaction prior to giving the Sealed Wallet to Bob, so Bob cannot prevent Alice from broadcasting this transaction. Bob cannot double-spend the 100 mBTC to different outputs because Bob cannot learn the private key from the Sealed Wallet. Bob cannot command the Sealed Wallet to form a different transaction spending the 100 mBTC, because the device remembers that it has already spent this output and refuses to double spend it.
Attack: Alice did not use enough fee in her spend transaction.
Defense: Bob can refuse to accept the Sealed Wallet unless a certain mining fee is paid. If the mining fee is too low and a transaction has already been signed, a child-pays-for-parent transaction could unstick it.
Attack: Evil software on Alice’s computer causes Alice to unwittingly send 50 mBTC to Mallory.
Defense: Possibly, Sealed Wallet could have a display that shows the destination address. Alternatively, Sealed Wallet could plug into another unit that has additional hardware such as a display, buttons, etc. In any case, Sealed Wallet should have a physical button that must be pressed before it will sign a transaction.
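The two device properties the defenses above rely on (the device refuses to sign a second spend of an outpoint it has already spent, and Bob combines the device's list of signed transactions with the blockchain to compute what the wallet still controls) can be sketched as a small simulation. This is an added illustration, not the Sealed Wallet design or any real firmware; the transaction format, addresses ("SW", "ALICE") and amounts are constructed, fees and signature verification are omitted.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Outpoint:
    txid: str
    vout: int


@dataclass
class Tx:
    txid: str
    inputs: List[Outpoint]             # outpoints this tx consumes
    outputs: List[Tuple[str, int]]     # (address, amount in mBTC), constructed


class SealedWallet:
    """Simulated device: one address, remembers every outpoint it has signed
    away and refuses to sign a second spend of it; keeps a log Bob can query."""

    def __init__(self, address: str):
        self.address = address
        self.spent = set()
        self.signed = []

    def sign(self, tx: Tx) -> Tx:
        for op in tx.inputs:
            if op in self.spent:
                raise ValueError(f"refusing to double-spend {op.txid}:{op.vout}")
        self.spent.update(tx.inputs)
        self.signed.append(tx)
        return tx

    def signed_transactions(self) -> List[Tx]:
        return list(self.signed)


def controlled_balance(address: str, chain_txs: List[Tx], signed_txs: List[Tx]) -> int:
    """Bob's check: sum of outputs paying `address` that are consumed neither
    by a confirmed tx nor by a tx the device admits to having signed.
    A signed tx that Alice already broadcast appears in both lists; dedupe by txid."""
    txs = {tx.txid: tx for tx in chain_txs + signed_txs}.values()
    utxos = {Outpoint(tx.txid, i): amt
             for tx in txs for i, (addr, amt) in enumerate(tx.outputs) if addr == address}
    spent = {op for tx in txs for op in tx.inputs}
    return sum(amt for op, amt in utxos.items() if op not in spent)


if __name__ == "__main__":
    wallet = SealedWallet("SW")
    funding = Tx("fund", [Outpoint("coinbase", 0)], [("SW", 100)])       # on-chain load
    wallet.sign(Tx("tx1", [Outpoint("fund", 0)], [("ALICE", 50), ("SW", 50)]))
    print(controlled_balance("SW", [funding], wallet.signed_transactions()))  # 50
```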
Could this be used with the lightning network?
Would it help or would it hurt to have the option to reset the device, causing it to forget everything and start over with a new address?
Since Sealed Wallets would not be free, Bob and Alice could exchange Sealed Wallets as part of the transaction.