Building a vault using blinded co-signers

Posted by halseth

Dec 3, 2025/12:38 UTC

A prototype for a vault-like scheme that strengthens Bitcoin custody has been introduced, built on blinded co-signers combined with MuSig2, the multi-signature protocol. The approach minimizes what co-signers learn about the transactions they sign while still protecting how funds move on the blockchain. The co-signers are not merely rubber-stamping transactions: before signing, they verify that a transaction satisfies a predetermined policy, specifically that its timelock is correct, using Zero-Knowledge (ZK) proofs rather than seeing the transaction itself.

The system is built around four transaction types: vault_deposit, vault_recovery, unvault, and unvault_recovery. These transactions are pre-signed so that each scenario involving the deposit, recovery, and spending of funds in the vault is covered in advance. The critical property for fund owners is that they, or a watchtower acting on their behalf, can intervene and redirect funds to a recovery address if an unauthorized attempt to unvault is detected. The security of the funds therefore hinges on at least one signer adhering strictly to the protocol.
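The lifecycle just described, as a constructed toy model added here (it is not the prototype's code): an honest co-signer applies the timelock policy before contributing its partial signature, and an unauthorized unvault is swept to the recovery address by the pre-signed unvault_recovery while the watchtower is online. The timelock length, output names and policy rules are assumptions.

```python
# Constructed toy model of the vault flow summarised above. It is not the
# prototype's code: timelock length, output names and policy rules are assumptions.
from dataclasses import dataclass

UNVAULT_TIMELOCK = 6  # assumed: blocks an unvault output must age before a hot-wallet spend

@dataclass
class Tx:
    kind: str          # vault_deposit | vault_recovery | unvault | unvault_recovery | hot_spend
    spends: str        # name of the output this transaction consumes
    timelock: int = 0  # relative timelock an unvault places on its own output

def cosigner_policy(tx: Tx) -> bool:
    """What an honest co-signer verifies before contributing its MuSig2 partial
    signature. The prototype checks this via a ZK proof; here it is in the clear."""
    if tx.kind == "unvault":
        return tx.spends == "vault" and tx.timelock >= UNVAULT_TIMELOCK
    if tx.kind in ("vault_recovery", "unvault_recovery"):
        return tx.spends in ("vault", "unvaulted")
    return tx.kind == "vault_deposit"

class Chain:
    """Minimal chain: output name -> (creation height, timelock on the hot-spend path)."""
    def __init__(self):
        self.height, self.utxos = 0, {"vault": (0, 0)}
    def mine(self, blocks: int):
        self.height += blocks
    def confirm(self, tx: Tx, creates: str) -> bool:
        created, lock = self.utxos[tx.spends]
        # only the hot-spend path is bound by the timelock; recovery spends immediately
        if tx.kind == "hot_spend" and self.height - created < lock:
            return False
        del self.utxos[tx.spends]
        self.height += 1
        self.utxos[creates] = (self.height, tx.timelock)
        return True

def simulate(owner_authorised: bool, watchtower_online: bool,
             blocks_waited: int = UNVAULT_TIMELOCK) -> str:
    """Where the funds sit after an unvault is broadcast and the parties react."""
    chain = Chain()
    unvault = Tx("unvault", "vault", timelock=UNVAULT_TIMELOCK)
    assert cosigner_policy(unvault)  # co-signers refuse non-compliant unvaults
    chain.confirm(unvault, creates="unvaulted")
    if not owner_authorised and watchtower_online:
        # the pre-signed recovery transaction needs no further signing round
        chain.confirm(Tx("unvault_recovery", "unvaulted"), creates="recovery")
        return "recovery"
    chain.mine(blocks_waited)
    return "hot" if chain.confirm(Tx("hot_spend", "unvaulted"), creates="hot") else "unvaulted"
```

The third scenario in the test, an unauthorized unvault with the watchtower offline, is the failure mode the summary warns about: the timelock only buys time for an honest party to react.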

For those interested in exploring the prototype further, detailed documentation and code are available on GitHub (documentation and prototype). It's important to note that this prototype is intended for testing environments such as regtest and signet and should not be used with real funds until fully vetted. A simplified bash script provided in the VAULT_TOOL guide aids users in experimenting with the workflow.

One challenge identified in the current implementation is the proving time required for the ZK proofs, in particular the proof that key and nonce aggregation followed the protocol without revealing sensitive information to the co-signers. This step is currently time-intensive: on an Apple M1 Max it takes approximately 4 minutes per transaction, per signer. Future work aims to reduce this proving time significantly, making the system practical on less powerful devices, and to support policies beyond the initial vault transaction structure. Community feedback is sought to refine and expand the scheme.
