Delegate Bitcoin Core's private key management to Eclair

[sstone]

We want to use Eclair to manage private keys for Bitcoin Core to protect our onchain funds.
We would create empty Bitcoin Core wallets and then import descriptors generated by Eclair (this is similar to how hardware wallets are used with Bitcoin Core or Electrum).

To validate transactions without a trusted display and without human interaction, we define a very simple policy:

• we explicitly track all inputs and outputs that belong to our onchain wallet
• we only sign inputs that are tagged as belonging to us
• we verify that we can spend all outputs that are tagged as belonging to us

This works when onchain transactions are created by Eclair (funding, dual-funding, RBF, but also with the trusted swaps that we are currently using).

Bitcoin Core would treat Eclair’s onchain wallet as a watch-only wallet and will not be able to sign transactions: “sendtoaddress” and “walletprocesspsbt” RPC call will fail. To send funds to a specific onchain address, users will need to call Eclair’s “sendonchain” API which requires human validation with a trusted Ledger device.

It would also be possible to initialise a Ledger device with Eclair’s onchain seed and keep it as a backup but using it would interfere with Eclair’s operations (both wallets may try and use the same UTXOs).

Wallet descriptors

Descriptors describe how to generate public keys. Bitcoin Core will use these descriptors to create a wallet, track public keys and utxos, fund transactions and provide information about its wallet inputs and outputs (like amounts being spent and BIP32 paths of the wallet public keys) which Eclair will use internally to validate transactions before signing them.

This is a descriptor for a BIP84 wallet:

wpkh([92aeacc2/84'/1'/0']tpubDCyGWF1tZPqSDq7HqKtM31ZDDFoYybL56RDrfKHFQXTmx1rf5Uh6T5aFTE7wZmxaCQNCzfnu6wMv53k8kZNEtmSpgiCAuvBWmv7zjBxZcAF/0/*)#hdngjcua

It includes an “xpub”, a derivation template (/0/*), and the type of script to generate (wpkh)

Implementation

What we need to do in Eclair is:

• implement a new key manager to manage onchain keys (we’ll follow the BIP84 specs)
• add an API call to return wallet descriptors
• modify our Bitcoin Core client to use our keymanager to sign transactions

Signature Workflow

Whenever we need to fund and sign a transaction we:

• create an non-funded transaction
• ask bitcoin core to add inputs and outputs, with a specified fee rate
• mark all inputs and outputs that were not in the non-funded transaction as belonging to us
• create a PSBT from the funded transaction
• ask bitcoin core to add metadata (spent amounts, BIP derivations paths) to the PSBT
• check that the fees for this PSBT match the target feerate
• for all our inputs, check that we can recompute their pubkey script using the provided BIP32 paths and sign them
• for all our outputs, check that we can recompute their pubkey script using the provided BIP32 paths

This workflow is safe because:

• we only sign inputs that we explicitly tag as belonging to us. Even if a hacker manager to control our Bitcoin Node and used our UTXOs to negotiate a dual-funding channel with us, we would not sign these inputs (because during the interactive tx negotiation Eclair will explicitly tag them as “theirs/remote”)
• we verify that we can actually spend our wallet outputs: Bitcoin Core cannot lie to us about change outputs
• we are protected against overpaying fees because Bitcoin Core cannot lie about the amounts of the wallet inputs that are spend, because they are included in the hash that is signed (see https://github.com/bitcoin/bips/blob/master/bip-0143.mediawiki#specification)

We check that the full transaction that is spent is included in the PSBT’s non-witness utxo field.

Master Seed Management and Compatibility with other BIP32 wallets

We define a new eclair-signer.conf file that includes BIP32 mnemonic words and passphrase. It should be compatible with any BIP32-compliant wallet.
Descriptors generated by Eclair can also be used to create a watch-only wallet on another Bitcoin Node (we could also simply copy Eclair’s wallet since it does not contain private keys).

And a new “getmasterxpub” API call has been added to eclair, which will return an “xpub” that can be used to create an Electrum watch-only wallet.

[codecov-commenter]

Codecov Report

Merging #2613 (d3ac588) into master (148fc67) will decrease coverage by 0.15%.
The diff coverage is 80.73%.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

@@            Coverage Diff             @@
##           master    #2613      +/-   ##
==========================================
- Coverage   85.89%   85.74%   -0.15%     
==========================================
  Files         215      216       +1     
  Lines       17854    18013     +159     
  Branches      756      759       +3     
==========================================
+ Hits        15335    15446     +111     
- Misses       2519     2567      +48     

Files Changed	Coverage Δ
...r-core/src/main/scala/fr/acinq/eclair/Eclair.scala	55.69% <0.00%> (-2.98%)	⬇️
...chain/bitcoind/rpc/BasicBitcoinJsonRPCClient.scala	100.00% <ø> (ø)
...in/bitcoind/rpc/BatchingBitcoinJsonRPCClient.scala	75.00% <0.00%> (-25.00%)	⬇️
...ir/blockchain/bitcoind/rpc/BitcoinCoreClient.scala	88.23% <74.28%> (-10.23%)	⬇️
...q/eclair/channel/publish/ReplaceableTxFunder.scala	85.49% <84.00%> (-3.96%)	⬇️
...air/crypto/keymanager/LocalOnChainKeyManager.scala	87.64% <87.64%> (ø)
...re/src/main/scala/fr/acinq/eclair/NodeParams.scala	93.29% <100.00%> (ø)
...ir-core/src/main/scala/fr/acinq/eclair/Setup.scala	75.14% <100.00%> (+0.29%)	⬆️
...ala/fr/acinq/eclair/blockchain/OnChainWallet.scala	100.00% <100.00%> (ø)
...inq/eclair/channel/fund/InteractiveTxBuilder.scala	91.37% <100.00%> (+0.31%)	⬆️

... and 7 files with indirect coverage changes

[remyers]

So far I have only found minor issues and noted some questions. I'll look at the tests next.

It will help with review to add something to the release notes and perhaps a new guide to docs\ about how to setup and use the watch-only wallet when in external_signer mode.

[remyers]

Changes to remove HWI look great. Especially s/WithExternalSigner/WithEclairSigner - this eliminated a major source of cognitive dissonance for me.

While looking at this some more, I noticed it should be possible to remove params from or possibly even migrated getDescriptors to bitcoin-kmp.

[remyers]

We should always check that the fee returned in FundTransactionResult matches what we requested - as you do in makeFundingTx and sendToPubkeyScript.

Because we must call signPsbt before we have all of the information this check can't be done in one place. This is not ideal because if we add a new call to fundTransaction we are likely to forget to do the check.

Would it make sense to not return the fee result in FundTransactionResult as a way to remove the chance it could be relied on without confirming it matches what we requested?

[remyers]

Just found another issue with fundrawtransaction that looks like we can fix by adding some requires in the bitcoind client.

[t-bast]

Concept ACK, the scope of this PR looks good, and you've been able to reduce it to a somewhat small change (mostly just a move to using the PSBT RPCs and verifying the results bitcoind sends back).

I think it can be simplified further (see comments below), but otherwise this looks good. I think this will deserve some clean-up to remove some kotlin<->scala awkwardness and make some functions more readable, but this is a good start!

[t-bast]

I spent a lot of time staring at the code, playing with it and tweaking it, it looks mostly good to me!
All my comments are addressed by a follow-up PR at #2726, once this is integrated this feel ready 👍

[t-bast]

LGTM 🚀

[t-bast]

LGTM, I'll start working on a follow-up PR to simplify the ReplaceableTxFunder

[pm47]

This looks mostly good, and pretty well contained given the significance of the change. I have only minor comments.

My main remark would be on the structure of the PR: the PSBT change should have been made an independent commit at the beginning. It would have made it much easier to assess the impact of the delegated signature, which is the core of the PR.

I'm not familiar with PSBT and haven't reviewed the related code.

[t-bast]

LGTM, great job I like how small the change ends up being compared to what it accomplishes. The test that randomly fails is unrelated to this PR, it's on my TODO list (it's related to the migration to bitcoind 24.1).

[pm47]

LGTM 🔑

There is some polishing left on the doc, and on namings (there are two many related terms: eclair signer ? managed bitcoin keys? onchain key manager?) but that can be done in a follow up PR.