0
I'm wondering if its possible to design a hardware wallet such that it can be used for a Lightning node that routes payments for their channel partners such that their funds can never be stolen even if their main machine has been kernel hacked.
I'm thinking that this is how it might work:
- The hardware wallet would receive a signed transaction originating from its source channel-partner AND an unsigned transaction (to sign) sending to its destination channel-partner.
- The hardware wallet verifies that the sum of the amounts of both transactions sum to greater than 0 (ie verifying that the node isn't losing funds by signing this transaction), verifies that the inputs are valid (using SPV), verifies that both transactions requires the same hash-secret to unlock, and verifies that its only sending to a multi-sig address that requires its private key to unlock
- The hardware wallet then signs the unsigned requested transaction and gives it back to the Lightning Client to send
It seems like if a hardware wallet did this kind of verification, it would be safe to have a routing Lightning node that interacted with an always-connected hardware wallet with the level of security that a normal hardware wallet has. Is something along these lines possible?
Yes of course there's always risk of exploits in protocol or hardware - that's not what I'm talking about. I'm wondering if its theoretically possible to eliminate the threat of theft via kernel hack for an active LN node that routes payments automatically. – B T – 2018-01-11T08:06:33.047
It's the "eliminate the threat" part that I take issue with. That's not how security works. I would never give anyone that promise about any level of the stack. Threats can be mitigated, not eliminated. – Jestin – 2018-01-11T13:32:04.880
Ok how would you phrase my question? I'd rather you try to understand what I'm trying to communicate rather than taking issue with my phrasing. – B T – 2018-01-11T19:48:30.580
I don't think the phrasing is bad, I just think the answer is "no". You cannot eliminate threats. – Jestin – 2018-01-11T20:45:59.450
You're not understanding my question. I've updated my title to address pedantic concerns. – B T – 2018-01-13T21:18:51.350