Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Proposal: Integrating Validating Remote Signer (VLS) in RGB Lightning Node #43

Open
gofman8 opened this issue Dec 11, 2024 · 2 comments
Open

Proposal: Integrating Validating Remote Signer (VLS) in RGB Lightning Node #43

gofman8 opened this issue Dec 11, 2024 · 2 comments

Comments

@gofman8
Copy link

gofman8 commented Dec 11, 2024
edited
Loading

Proposal: Integrating Validating Remote Signer (VLS) in RGB Lightning Node

At ThunderStack, we aim to provide the best possible service and security for our clients, developers, and users. To achieve this, we propose integrating the Validating Remote Signer (VLS) into the RGB Lightning Node.

Motivation

During the implementation of a cloud solution for the RGB Lightning Node (RLN), one of the primary concerns raised by users was the need for higher standards of security. Users emphasized the importance of separating the signer from the node to minimize attack surfaces and enhance key protection. To address these needs, we propose providing several deployment options for the signer, each offering different trade-offs in terms of security, usability, and control. See the use cases below for details.

Use Cases

1. Secure Remote Signer Deployment

By default, deploy the remote signer to AWS Nitro Enclaves, ensuring:

  • Isolation of the signer in a hardware-secured environment.
  • Protection against unauthorized access and external threats.

Reference: AWS Nitro Enclaves

2. User-Hosted Non-Custodial Signers

Provide users with:

  • Scripts and documentation for hosting signers locally, ensuring full key ownership.
  • Optional MPC-based signing for enterprise-grade security in cloud environments, inspired by Fireblocks custody solutions.

Reference: Fireblocks MPC API, AWS Nitro MPC

3. Mobile Wallet Integration

Enable signers to operate on mobile wallets by:

  • Supporting a non-custodial architecture suitable for mobile aligning with the Greenlight framework, to keep secret keys on user's device for signing operations.
  • Leveraging notification systems to wake the device for signing operations.

Reference: Breez SDK Notifications, Greenlight Key Manager

Reference Implementation

LDK VLS Implementation

The LDK VLS Implementation demonstrates the use of Lightning Development Kit (LDK) with VLS

Design Goals

  • Ensure compatibility with Greenlight.
  • Enhance security for both cloud-hosted and user-hosted setups.
  • Introduce enterprise-level security via MPC mechanisms.

References

  1. AWS Nitro Enclaves
  2. Fireblocks MPC
  3. Breez SDK Notifications
  4. Greenlight Key Manager
  5. VLS Overview
  6. VLS Transaction Diagrams
@nicbus
Copy link
Contributor

nicbus commented Dec 16, 2024

Thanks for the proposal, we'll have a deeper look at it and post our updates here. We're currently working on other tasks ATM so it could take some time for us to post a reply.

@gofman8
Copy link
Author

gofman8 commented Dec 16, 2024

Thanks for the proposal, we'll have a deeper look at it and post our updates here. We're currently working on other tasks ATM so it could take some time for us to post a reply.

Thank you for your response! I appreciate you taking the time to consider the proposal, and I’m ready to provide anything you need from me if it helps. Looking forward to your updates!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@nicbus @gofman8