The primary issue here is that we have a base assumption that the hardware wallet cannot be sophisticated enough to have Internet access; "do not enter seed words on an online device", as the typical advice goes.
Most clawback transactions are time-based, and *must* be broadcast at a particular blockheight.
Yet if the hardware wallet cannot be an online device, then it cannot know the current blockheight is now at a time when the clawback transaction *must* be broadcast.
Thus, the hardware must always tr\*st the software to actually perform the clawback in that case.
I believe it is possible to achieve much of the desired "liveness" requirements without compromising too much on the air-gap. The solution requires the following:
- a set of UTXO oracles which attest to the UTXO set
- optionally, a set of clock oracles which attest to the current time (e.g. using the roughtime protocol)
- an air-gap connection between the node software and the signer, e.g. using a narrow optical or serial protocol
- a set of operators that can react to lack of liveness
The Signer performs the following steps periodically:
- if the funding UTXO has not been spent (per oracle attestation), proceed normally with any channel commitment signing
- if the funding UTXO has been spent, ensure that the node provided the spending tx, and check if there is any reaction needed (e.g. a justice tx is needed)
- if a reaction is needed, ensure that there is a further spend within a certain deadline (shorter than the CSV/CLTV deadline)
- if there is no deadline violation, sign a heartbeat message with the current time (either from a local clock or from oracle clock)
The node software then relays the signed heartbeat message to the operators, e.g. through Tor. If a heartbeat is not seen by the operators, they manually intervene (e.g. by standing up a clean node).
Of course, we will never have Lightning paper wallets, by definition, since you can't participate in the network without being online. But the above setup seems to be at least as secure as USB hardware wallets attached to online machines. You could even have intermittently connected signers for slow-moving channels, or signers behind Tor, etc. .
--
devrandom