Zcash 'Sapling' standalone hardware wallet

[flathashedtree]

At this time of writing, Bitcoin gains more widespread use for day-to-day payment. We can buy clothes, we can pay electricity bills, we can visit the nearby coffee shop and pay with it. However, as Bitcoin is the gold standard; it is also like gold: heavy to use. Most shops accept Bitcoin through payment processors with bad user experience, increased transaction costs and online wallet providers are not really in the spirit of decentralized blockchains.

Existing hardware devices like Trezor or Ledger are more kind of a vault. And because Bitcoin or almost all other coins are not private; Zcash comes into play. Especially shielded transactions.

The 'Sapling protocol', would make it possible to build a lowpower device wich can leverage shielded transactions.

That is why I propose a little creditcard-sized device for OverTheCounter, day to day, standalone payments.

Features:

• Has its own display(e-ink) and a easy to use 4-way navigational pad.
• Standalone; in the sense of: can create, verify and transmit shielded sapling transactions on its own.
• ~~wireless communication would be over low proximity sound (you name it; loudspeaker,microphone) because every computer, smartphone, or other personal computing devices nowadays has it.~~
• Communication with ambient light (RGB LED) and maybe QR codes.
• Low power, no need to recharge everyday; More like recharge once a week.
• And maybe more

Besides the hardware, this project will also contain a companion webapp to manage and sync the device with the network. The companion webapp can be seen as a software wallet with the big exception that nothing is stored on the device and its only purpose is to view/create transactions and synchronize the hardware wallet via low proximity sound ambient light.

User experience:

It would make sense to sell those in packs of three. One for daily usage, another for backup and the third could be stored in a secure place. The companion webapp would do all the onboarding/introduction and can be used on almost all devices with a loudspeaker, microphone camera and a recent webbrowser.

This is still a draft and open for discussion. Feedback greatly appreciated

Concept page https://arcula.bitbucket.io

[Voluntary-zcash]

What price range do you anticipate? How long will it take to perform a shielded transaction? What if there are multiple UXTOs that have to be gathered into the payment - won't that take significantly longer? Is this device supposed with-hold private key data like existing hardware wallets?

[flathashedtree]

Low volume price would be about ~120 Euros, but will drop almost 50% if we do manufacturing batches in 10k quantities. That means low volume pure hardware cost without case etc is 60 Euro. So I aim to produce quality hardware with real leather as enclosure. This has a whole better feeling than let's say; 80 Euro for a plastic 'thing' or 120 Euro with a leather enclosure.

My guess for proof generation is 2-3 seconds. About the same time as with debit card terminals on average. I am optimistic that we can get to ~1 second maybe for simple 1-in-1out transactions.

We will know more once the specifications for sapling are complete ;)

All data will be stored on the device (private keys, commitments etc, everyting belonging to the spending key). I will also design tamper/theft protection for the flash storage.

The onboarding/setup experience should include a way to secure the spending key on paper or maybe a little seperate eeprom tag included with every device.

[acityinohio]

This is really cool to see @flathashedtree, thanks for the early submission and solicitation of feedback.

I'm having trouble walking through the concept page—do you think you could do a video/screen share walking through a typical flow via https://arcula.bitbucket.io ? No worries if not; I may be alone here, but knowing what you intend for the flow (and in particular for switching cards) would help me understand it a bit more.

[flathashedtree]

@acityinohio Nice to hear that.

I will extend the concept page to be more interactive.

The stack of cards may be confusing at first, but is really easy once you get the 'aha' effect. At the moment, if you have stack of 9 cards (more or less; depending on screen 'real estate') you just swap the position of the current active card and the card you selected.

If you have more; say 50, the stack begins to work like these rotating business card holders. For example: Array of cards = [0, 1, 2, ......., 49] Active card = 1 If you select the third card from the stack (ActiveCard, firstStackCard, secondStackCard....) which would be number 1 + 3 = 4; 4 is now the active card and 3 new cards will be appended to the bottom (in order of that array).

That whole design is also just an experiment. I have no problems to change it to whatever we see fit.

[flathashedtree]

@acityinohio I updated the page a bit. Regarding the mention of 'scan/codes', they will be like 'streaming barcodes' on the hardwallet, and the companion app does communicate to the device via rapid changing colors to be implemented later in the interface.

Let's say we have a 'transmission card' with a rapid changing color field in the companion app, the hardwallet will have an ambient light sensor on its back. You would put the hardwallet on the smartphones screen and voila, data transmission from phone to hardwallet via the phones display.

That way of data transmission is just for metadata though; the effective datarate would be ~100 bytes per second.

For anything else; streaming barcodes(for image sensors(camera), optical scanners) and self aligning(magnets) metal pads on the hardwallet for high speed serial communication(hardwallet to hardwallet, USB cable) - something like the MagSafe adapter.

[acityinohio]

Thanks for the update and UX explanation @flathashedtree, that makes more sense to me now.

Did you see this open issue regarding Sapling hardware wallet best practices from the Zcash Co? Might want to check it out and make sure your eventual design is capable of the list of features mentioned there: https://github.com/zcash/zcash/issues/3038

[flathashedtree]

The hardware wallet will fully support sapling, incl. proving/verifying. And also thermal and light random sources. However, a privacy issue is that the hardware wallet has to transmit the viewing key/keys to the app; which in turn has to query a service for new transactions with the key(s). That means we disclose sapling notes .

A good tradeoff might be the following:

• let the user choose between to 'sync' options in the companion app
  1. Fast sync; will transmit viewing key to the service and therefore disclose the notes; service takes care of scavenging and decryption.
  2. Slow sync; will query the service for all sapling notes since merkle anchor N. And detection happens on user device. (Bandwidth and computational heavy)

(Oh, I recall); the project also includes infrastructure development ;).

[flathashedtree]

Ops, the silicon has 24 free running oscillators which seems to be phase shifted; instead of thermal random properties

[mineZcash]

I think this is a very cool idea, I would be interested in seeing a working protoype.

[flathashedtree]

@mineZcash Me too ;)

At the moment I play with the sapling-crypto/bellman repo and ported a great amount to ECMAScript (bellman/Groth16 still to go) and just started to evaluate performance improvements in my spare time.

I also want to experiment with circuit-on-paper (EcoFriendly!) via CNC laser engraving, ideally for this project.

Because prototyping is time intensive, I need at least 3 weeks full-time; which I do not have at the moment.

Design question for navigation pops up:

• tactile buttons beneath the display to interact with the device (click on edges 4 edges) or
• a nice rotary wheel with detent?

[flathashedtree]

FYI, I plan to use: https://octavosystems.com/octavo_products/osd335x-sm/

; which is a good fit. But if someone has a better inside tip, let me know.

[mineZcash]

I'm a bit of a computer geek so small electronics are interesting me. As far as prototyping goes: for the circuit layout it's much easier/cheaper to etch a PCB than Laser CNC. https://youtu.be/IXKwkcgimZI

(Note: my opinions about the electronics of this project are independent of how/if the project fits within the scope of the Zcash Foundations Grant program)

[flathashedtree]

Yep. But with a pitch of 1.27mm and a pad landing size of 0.5mm, superior etching is required and is still a bit of a hassle; at least last time I checked, and that was ages ago ;).

Normally, if I want to prototype a specific design, I design a bigger breakout board and let it produce. Turnaround times are fast and price for double sided boards is not expensive these days. But also that was different 3 years ago.

It is nice to read that you are interested in these things, if you want to experiment with simpler circuits/or circuits on paper: http://gmwgroup.harvard.edu/pubs/pdf/1075.pdf

That paper has some good information.

[autotunafish]

This is a cool idea and I hope the recent EU mandatory KYC actions regarding cryptocurrencies dont stifle this plan too much (seriously, really cool) Has it affected your planning?

[flathashedtree]

@autotunafish

I don't know why KYC rules could affect this project at all. Do I miss something?

[autotunafish]

No, that's good news, wasnt sure so I asked

[flathashedtree]

Revision: 1

Zcash 'Sapling' standalone hardware wallet.

Open hardware & software reference design.

Why

At this time of writing, Bitcoin gains more widespread use for day-to-day payment. We can buy clothes, we can pay electricity bills, we can visit the nearby coffee shop and pay with it. However, as Bitcoin is the gold standard; it is also like gold: heavy to use. Most shops accept Bitcoin through payment processors with bad user experience, increased transaction costs and online wallet providers are not really in the spirit of decentralized blockchains.

Existing hardware devices like Trezor or Ledger are more kind of a vault, not a nice experience for day-to-day or shopping journeys ;). And because Bitcoin or almost all other coins are not private; Zcash comes into play. Especially shielded transactions.

The 'Sapling protocol', makes it possible to build a lowpower device wich can leverage shielded transactions.

That is why I propose a little (smaller than)creditcard-sized device for OverTheCounter, day to day, standalone payments.

Besides the hardware, this project will also contain a companion webapp and a service backend to manage and sync the device with the network. The companion webapp can be seen as a software wallet with the big exception that nothing is stored on the device and its only purpose is to view/create transactions, synchronize the hardware wallet and other supportive actions.

Feedback greatly appreciated.

Concept page https://arcula.bitbucket.io

How

Hardware

42x73mm-sized device with leather as enclosure, dimensions are not final.

Visible parts:

• 1.2 or 1.3-inch sharp memory display.
• Rotary wheel with center button or a 4-way navigational pad for user input.
• Ambient light sensor for 'wireless' metadata transmission from the companion app to the hardware wallet.
• Magnetic snap-on connectors on both sides for high-speed serial communication and for charging.
• Eyelet

Horsepower: https://octavosystems.com/octavo_products/osd335x-sm/

Additionally to the hardware wallet:

• Magnetic snap-on connector to USB adapter.
• A little 'backup tag' to store the encrypted private key, generated in the setup/onboarding flow.

Software

• Hardware wallet firmware.
• Companion (web)app.
• Service-API backend for the companion app. As a caching/convenience layer on top of zcashd.

Side goal: I also have a app for merchants on my mind, to make it easier for them to accept Zcash with the hardware wallet.

User experience

Onboarding: By opening the companion app, the user can start the onboarding flow which walks them through these steps:

• Either connect the hardware wallet with the USB adaptor or put/hold the wallet on a specific screen area to load the firmware to the device.
• Interaction goes to the hardware wallet which asks to enter (2 times) a variable-length PIN for encryption and unlocking of the hardware wallet.
• After that is done, the hardware wallet generates a random key from two sources and asks the user to attach the 'backup tag' to the device, which stores the encrypted key for backup purposes. That 'backup tag' should be stored in a secure place. Additionally the user has the option to display the encrypted key in human-readable form on the display.
• Ready to use.

Payment(s): Payment 'requests' can be made from the companion app. (Seller) The buyer has to unlock his/her hardwallet wallet and can either 'scan' the request with the ambient light sensor (hold/put) on the sellers display - or if the seller has the USB adapter connected, buyer connects his/her wallet to the self-aligning(magnetic) USB adapter. Payment request pops up on the hardware wallet which has to be confirmed by the buyer. After confirmation wallet computes the transaction and transmit it over to the seller; the companion app validates and broadcast it to the network and additionally displays a guess when the transaction will be confirmed or displays an error if something is wrong.

Payment requests/payments can also work from hardware wallet to hardware wallet. The transaction will be broadcasted from either party on next synchronisation with the companion app.

Emergency situations: The companion app should include a flow to walk the owner through best practices if the wallet is lost, or move/recover funds from the backup tag or from the written down encrypted spending key. (Actions from the onboarding flow)

The hardware wallet could also display statistics of spending habits. For example, 'You spent 0.47 ZEC in the last 24 hours. Equivalent to x EUR. Keep going ;)'.

Also, the hardware wallet should be able to consolidate transaction inputs to avoid congestion, manually by the user or automatically.

Security

• Coated and shielded circuit board against water and interference.
• Variable-length PIN which a exponantially increasing locktime on failed unlock attempts.
• Storage of the encrypted spending key in EEPROM is inside a system in package on the circuit board. Storage address/location of the key depends also on the PIN. In case a bad actor disassembles the device, it will destroy the EEPROM/contents both with software and hardware techniques.
• 24 free-running oscillators as random oracle. The ambient light sensor could also be used as semi-random source/extra seed for the random pool.
• Bootloader multi-signature support for firmware verification.

Stages

• Start development of firmware and companion app. Play with different user experience flows. Preorder parts to make sure they arrive on time for the second stage.

• Bootstrap initial design, play with different parts to decide what fit is best. Parallel development of hardware firmware and user experience flows.

• Enclosure design. Play with different coatings, leather types and folding/assembly techniques. Parallel development of firmware and companion app. Start development of service backend.

• Final design decisions for hardware and software. Do a development sprint.

• Last stage. Polishing and hunt all remaining bugs - time.

Workpower

I have almost 12 years of experience with all kinds of digital, analog and software - development. My primary specialty is embedded hardware and software design.

Along the way, I also would work together with friends/collegues/maybe other contractors on this project for enclosure and design-/user experience.

As I have a habit for switching pseudonyms, information about my identity and the persons involved are available via selective disclosure for the commitee/foundation.

Budget

• I estimate 5 to 6 months full-time. Round about 1200 - 1500 hours ; ~110k USD.

• Contractors/enclosure design round about 24k USD.

• Access to makerspace with all kinds of tooling. 700 * 5(months) USD

• Parts and materials for development. 1800 USD

• Security buffer for everything 6k USD

A rounded down sum of 145k USD total. It is possible to disburse the sum in parts, according to progression.

Other things

• Weekly progression report.
• Every bit & piece will be open-source.

[flathashedtree]

FYI; After some chatting with friends, it may be possible eradicate the 24k contractor budget, because I know one who is good at that and available if I plan it at least 7-9 weeks in advance. The security buffer would be adequate for that option.

[tromer]

Is there any meaningful work that can be done on a significantly smaller budget, that can be a first step towards full hardware production by you (or others)?

[flathashedtree]

Yes, we can develop the reference firmware and companion app only, for a open reference platform with hardware/interface guidelines.

This will cut 300-400 hours (about 30k) and the external contractors- and parts budget.

We can cut this proposal also into chunks. Let me know what is most important for you.

[tromer]

The Zcash Foundation Grant Review committee has reviewed your pre-proposal, including the above discussion, to evaluate its potential and competitiveness relative to other proposals. Every pre-proposal was evaluated by at least 4 committee members .

The committee's opinion is that your pre-proposal is not a leading candidate for funding in this round, and the committee therefore does not invite you to submit a full proposal. This decision is advisory, and you can still choose to submit a full proposal by June 15th, following the detailed structure described in the Call for Proposals. Note that if the full proposal is substantially the same as discussion so far reflects, then it's unlikely to be chosen for funding; and if it isn't, then we encourage you to post a draft (or at least answer any open questions) as early as possible, to allow for community feedback. Regardless of your choice, we thank you for participation thus far.

[flathashedtree]

One possibility for a meaningful project on the lowest budget I can think of is the implementation of the open firmware.

Goals:

• Establish reference standards for security, user experience & overall implementation correctness.
• Full sapling circuit support.
• Easy to use user interface / establish best practices.
• Low effort entry for hardware producers.

I think it is feasible to do in round about ~320 hours; 27k USD.

[flathashedtree]

^Ping;

Any feedback on that matter?

I have to re-arrange my time and like to hear some final recommendations.

In any case, for questions or other things, contact me at protonmail.com

Thanks.

[sonyamann]

We're wrapping up this round of the Grants Program, and no further discussion is expected on this issue, so I'm closing it. Thank you!