archy/docs/hardware-signer-design.md
2026-06-30 05:08:17 -04:00


Archipelago Hardware Signer — Design Notes (PSBT + Nostr)

Status: exploratory / spec stub (2026-06-24). No code yet. This captures the hardware-selection reasoning and architecture for a small, air-gapped, super-secure signing device built around the Tropic Square TROPIC01 secure element, intended to integrate with Archipelago as an external signer.

1. Goal

A small, super-secure, air-gapped handheld device that:

  • Signs Bitcoin PSBTs for the Archipelago wallet.
  • (Stretch / dual-function) Signs Nostr events for the node's sovereign identity.
  • Communicates only via QR (camera in, screen out) — no USB data path, no radio in use. Pure air-gap, same threat model as SeedSigner but with a real audited secure element.
  • Anchors key-at-rest security and RNG in the TROPIC01 open-source secure element.

2. The critical curve caveat

TROPIC01's signing engine supports P-256 (ECDSA) and Ed25519 (EdDSA) — NOT secp256k1. Bitcoin and Nostr both require secp256k1. Therefore:

  • The secure element is the vault + RNG + attestation, not the signer.
  • The seed lives encrypted inside TROPIC01 (tamper mesh, pairing, secure channel).
  • The host MCU does the actual secp256k1 ECDSA (Bitcoin) and Schnorr / BIP-340 (Taproot + Nostr) signing in software.
  • TODO before committing: re-check whether a firmware revision adds secp256k1 — it's open RISC-V silicon and has been a community ask. If/when it lands, this design gets materially stronger (signing in-silicon).

3. Architecture (two chips)

   [ QR in ]  -->  Camera (OV2640)
                        |
                   Host MCU (ESP32-S3)  <--SPI-->  TROPIC01 (Mini Board)
                        |                              (seed vault, RNG,
                   Touch screen                         secure channel, attest)
                        |
   [ QR out ] <--  Display (signed PSBT / signed event)

  • Host MCU drives camera, touch screen, QR parse/render, PSBT + Nostr logic, and the secp256k1/Schnorr signing.
  • TROPIC01 protects the seed at rest and supplies the TRNG + secure boot/attestation over an authenticated+encrypted SPI channel.

4. Hardware selection

4.1 MCU — the camera-ease vs radio-purity fork

| | ESP32-S3 (recommended) | RP2350 |
|---|---|---|
| Camera | Native DVP interface; huge QR-scan code ecosystem | No camera peripheral — bit-bang over PIO (harder) |
| Radios on die | WiFi + BLE present (con for air-gap purists) | None |
| Security | Secure boot, flash encryption | Cortex-M33 + TrustZone, signed boot, OTP |
| secp256k1 in SW | Fine (240 MHz dual-core) | Fine (150 MHz dual-core M33) |
| Price (chip / board) | ~$3 / ~$6 | ~$1.20 / ~$5 |

Pick: ESP32-S3 (N16R8 — 16MB flash / 8MB PSRAM). The camera is the hard part of the build and the S3 is the only cheap MCU with a native camera interface. PSRAM matters for holding camera frames during QR decode. The on-die radio is the one downside — acceptable because trust is anchored in the TROPIC01, not the MCU. If radio-on-die is a hard no, switch to RP2350 and accept harder camera bring-up. (SeedSigner deliberately chose a no-WiFi Pi Zero 1.3 for exactly this reason — the concern is legitimate.)

4.2 Camera

  • OV2640 2MP module — standard ESP32-cam sensor, code everywhere. ~$2–4.

4.3 Thin touch screen

Pick by review legibility (the whole security value is the human verifying address + amount before tap-to-approve):

  • 2.0" IPS ST7789 capacitive, 240×320 — recommended. Easiest to read a full Bitcoin address/amount. ~$8–12.
  • 1.69" rounded-rect IPS ST7789 + CST816 cap touch — best size/compactness balance. ~$7–10.
  • 1.28" round (GC9A01 + CST816) — smallest/thinnest but too cramped for address verification; skip for a signer.

Do not go below ~1.69". Use capacitive (not resistive) touch for a thin glass-front tap-to-confirm feel.

4.4 TROPIC01 board (from the Tropic Square order form)

All options speak SPI (wires to the S3 the same way). Two-board plan:

  • Development: TROPIC01 USB DevKit (€50) — STM32 + USB-to-SPI stick. Bring up the secure-element stack (pairing, key gen, secure channel) on a PC first, independent of the camera/screen work.
  • Final device: TROPIC01 Mini Board (€9.50) — small easy-to-solder module exposing SPI; solder straight to the S3's SPI bus inside the enclosure.
  • Skip: Standalone Sample (€5, bare QFN — needs hot-air), Raspberry Pi / Arduino Shields (wrong host form factor), MIKROE Click (€20, only if you have a mikroBUS rig).

4.5 Rough BOM

| Item | ~Cost |
|---|---|
| ESP32-S3 N16R8 board | $6–8 |
| OV2640 camera | $2–4 |
| 2.0" cap-touch IPS | $8–12 |
| TROPIC01 Mini Board | €9.50 |
| (Dev only) TROPIC01 USB DevKit | €50 |

Core device BOM ≈ $20–30 + TROPIC01 Mini Board, before enclosure/battery.

5. Dual-function: Nostr signer

Genuinely viable and a natural fit — Nostr signs with Schnorr/BIP-340 over secp256k1, the same scheme as Bitcoin Taproot. So Nostr signing reuses the secp256k1+Schnorr code already needed for Bitcoin — near-zero marginal firmware cost.

5.1 One seed → two separated keys

From the single seed in the TROPIC01:

  • Bitcoin: BIP-32/39/84 HD derivation.
  • Nostr: NIP-06 deterministic derivation (m/44'/1237'/…) → nsec/npub.

One backup, two independent identities, no cross-contamination.
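Added example (not Archipelago code, of which there is none yet): the hardened part of both derivations from one BIP-32 seed, showing that the Bitcoin and Nostr account roots come from separate hardened branches. Account index 0, coin type 0 (mainnet), the function names and the constructed seed are assumptions; the non-hardened tail of each path needs secp256k1 point multiplication and is left out.

```python
import hashlib
import hmac

# secp256k1 group order; BIP-32 private keys are reduced modulo N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000

def master_from_seed(seed: bytes):
    """BIP-32 master node: returns (private key as int, 32-byte chain code)."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(i[:32], "big")
    if k == 0 or k >= N:
        raise ValueError("invalid master key, use a different seed")
    return k, i[32:]

def ckd_hardened(k_par: int, c_par: bytes, index: int):
    """BIP-32 hardened private child; index is given without the 2^31 offset."""
    data = b"\x00" + k_par.to_bytes(32, "big") + (index | HARDENED).to_bytes(4, "big")
    i = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    k = (il + k_par) % N
    if il >= N or k == 0:
        raise ValueError("invalid child key, skip to the next index")
    return k, i[32:]

def derive_hardened(seed: bytes, path):
    """Walk a path made only of hardened indices, e.g. [84, 0, 0] for m/84'/0'/0'."""
    node = master_from_seed(seed)
    for index in path:
        node = ckd_hardened(*node, index)
    return node

def account_roots(seed: bytes):
    """Account-level roots for both roles (account 0 is an assumption)."""
    return {
        "bitcoin": derive_hardened(seed, [84, 0, 0]),    # BIP-84: m/84'/0'/0'
        "nostr": derive_hardened(seed, [44, 1237, 0]),   # NIP-06: m/44'/1237'/0'
    }

if __name__ == "__main__":
    seed = bytes(range(64))  # constructed 64-byte seed, for illustration only
    for role, (key, _chain) in account_roots(seed).items():
        # Print a fingerprint rather than the private key itself.
        print(role, hashlib.sha256(key.to_bytes(32, "big")).hexdigest()[:16])
```

Python integers are neither constant-time nor wipeable, so this is suited to host-side test vectors, not to the firmware signing path.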

5.2 Cold vs hot tension

| | Bitcoin | Nostr |
|---|---|---|
| Frequency | Rare, high-value | Frequent, often interactive |
| Natural transport | QR / PSBT — air-gap perfect | Apps want real-time signing |
| Air-gap comfort | Excellent | Fine for occasional events, painful for chat |

Two possible modes:

  1. Air-gapped QR Nostr signer (recommended): app shows unsigned-event QR → camera scan → touch approve → signed-event QR back. Great for high-value/infrequent events (root identity, profile/metadata, key rotation, announcements). Keeps 100% air-gap.
  2. Connected NIP-46 "bunker" over USB/serial: enables interactive real-time signing but breaks the air-gap and reintroduces the USB/radio attack surface. Not recommended for this device.

5.3 Recommendation

Keep it cold for both roles. The device guards the Bitcoin spending key and the high-value Nostr identity key — neither ever touches a network. Day-to-day Nostr chatter uses a separate hot software key; the hardware device protects only the identity-defining key you can't afford to leak. Avoids putting a hot key next to cold Bitcoin funds.

6. Archipelago integration

  • Slots in as an external signer path alongside the existing wallet flow — does not touch the orchestrator. Archipelago builds PSBT → renders QR (animated QR for large txs) → device scans → touch review → returns signed-PSBT QR → Archipelago broadcasts.
  • Especially apt given Archipelago's Nostr/Blossom catalog + node-identity direction (see dht-distribution-design.md): the device becomes the hardware root of trust for both halves of a node's identity — its npub/DID and its Bitcoin keys — aligning with the sovereign/secure/rootless north star.

7. Open items / next steps

  • Pin budget: confirm the S3 GPIO/SPI budget fits camera DVP + display SPI + TROPIC01 SPI simultaneously. (Biggest unknown before buying.)
  • Confirm current TROPIC01 firmware secp256k1 status (could remove the §2 caveat).
  • Define QR payload formats for both roles (PSBT vs unsigned Nostr-event JSON) so a single scan→approve→return firmware loop handles either transparently.
  • Animated/multi-part QR strategy for large PSBTs.
  • Seed provisioning ceremony into the TROPIC01 (gen on-device via its TRNG; never import in clear).
  • Enclosure + power (battery vs USB-power-only-while-airgapped).
  • Decide: ESP32-S3 (radio present) vs RP2350 (no radio, harder camera) — final call.
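Added example, not project code: a fail-closed classifier for scanned QR text, relating to the open item on QR payload formats. It accepts either a base64 PSBT (BIP-174 magic bytes) or an unsigned Nostr event as JSON, and returns the NIP-01 event id the device would show for review and sign. The base64 and plain-JSON encodings and all function names are assumptions, since the payload formats are still undefined in this document.

```python
import base64
import hashlib
import json
import re

PSBT_MAGIC = b"psbt\xff"                 # BIP-174 magic bytes
HEX64 = re.compile(r"[0-9a-f]{64}")      # lowercase hex, as NIP-01 requires

def nostr_event_id(ev: dict) -> str:
    """NIP-01 event id. json.dumps matches NIP-01 escaping unless a string holds
    control characters other than \\n \\r \\t \\b \\f (NIP-01 wants those verbatim)."""
    body = [0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]]
    raw = json.dumps(body, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

def check_event(ev) -> None:
    """Strict type checks before anything is shown or signed (bool is not an int here)."""
    ok = (isinstance(ev, dict)
          and isinstance(ev.get("pubkey"), str) and HEX64.fullmatch(ev["pubkey"])
          and type(ev.get("created_at")) is int and ev["created_at"] >= 0
          and type(ev.get("kind")) is int and 0 <= ev["kind"] <= 65535
          and isinstance(ev.get("content"), str)
          and isinstance(ev.get("tags"), list)
          and all(isinstance(t, list) and all(isinstance(s, str) for s in t)
                  for t in ev["tags"]))
    if not ok:
        raise ValueError("malformed Nostr event")
    if "sig" in ev:
        raise ValueError("event is already signed")
    if "id" in ev and ev["id"] != nostr_event_id(ev):
        raise ValueError("event id does not match its contents")

def classify_payload(text: str):
    """Return ('psbt', raw_bytes) or ('nostr', event_id_hex, event); else ValueError."""
    text = text.strip()
    if text.startswith("{"):
        ev = json.loads(text)            # JSONDecodeError is a ValueError
        check_event(ev)
        return ("nostr", nostr_event_id(ev), ev)
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError as exc:            # binascii.Error is a ValueError
        raise ValueError("unrecognised QR payload") from exc
    if not raw.startswith(PSBT_MAGIC):
        raise ValueError("unrecognised QR payload")
    return ("psbt", raw)                 # magic only; full PSBT parsing comes next
```

The id is recomputed on the device rather than trusted from the QR, so the value the user approves is bound to the event contents that were scanned.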