CCC: COLDCARD can now Co-sign like collaborative multisig HSMs, no centralized servers needed.

KeyTeleport: Send secrets on a video call to other COLDCARD! Securely move seeds, secure notes/passwords, multisig PSBTs, even full backups (full clone), between two Q using QR or NFC

CCC - ColdCard Cosign

COLDCARD holds a key in a 2-of-3 multisig, in addition to the normal signing key it has.

• It applies a spending policy like an HSM:

  • velocity and magnitude limits

  • whitelisted destination addresses

  • 2FA authentication using phone app (RFC 6238)

• But will sign its part of a transaction automatically if those condition are met, giving you 2 keys of the multisig and control over the funds

• Spending policy can be exceeded with help of the other co-signer (3rd key), when needed

• Cannot view or change the CCC spending policy once set, policy violations are not explained

• Existing multisig wallets can be used by importing the spending-policy-controlled key

• CCC Demo Video (youtube) and Online docs (coldcard.com)

Key Teleport (Q)

Easily and securely move seed phrases, secure notes/passwords, multisig PSBT files, and even full Coldcard backups, between two COLDCARD Q using QR codes and/or NFC with helper website.

• Can send master seed (words, xprv), anything held in seed vault, secure notes/passwords (singular, or all) and PSBT involved in a multisig to the other co-signers

• Full COLDCARD backup is possible as well, but receiver must be “unseeded” Q for best result.

• In other words, you can clone your Q over a zoom call to another person.

• ECDH to create session key for AES-256-CTR, with another layer of AES-256-CTR using a short password (stretched by PBKDF2-SHA512) inside

• Receiver shows sender a (simple) QR and a numeric code; sender replies with larger BBQr and 8-char password

• See protocol spec in docs/key-teleport.md

• Online docs are coming soon.

• Related website is: keyteleport.com

Teleport of Multisig PSBT

After you sign a multisig PSBT, you have option to “Key Teleport” the PSBT file to any one of the other signers in the wallet. We already have a shared pubkey with them, so the process is simple and does not require any action on their part in advance. Plus, starting in this firmware release, COLDCARD can finalize multisig transactions, so the last signer can publish the signed transaction via PushTX (NFC tap) to get it on the blockchain directly.

Above is an example of the menu shown where you select who should get the PSBT file next. As you can see two have already signed the file (checkmarks).

Shared Improvements - Both Mk4 and Q

• New Feature: Multisig transactions are finalized when sufficiently signed. Allows use of PushTX with multisig wallets.

• New Feature: Signing artifacts re-export to various media. Now you have the option of exporting the signing products (transaction/PSBT) to different media than the original source. Incoming PSBT over QR can be signed and saved to SD card if desired.

• New Feature: Multisig export files are signed now. Read more here

• Enhancement: NFC export usability upgrade: NFC keeps exporting until CANCEL/X is pressed

• Enhancement: Add Bitcoin Safe option to Export Wallet

• Enhancement: 10% performance improvement in USB upload speed for large files

• (Q only) Enhancement: Always choose the biggest possible display size for QR

Bugfixes

• Do not allow change Main PIN to same value already used as Trick PIN, even if Trick PIN is hidden.

• Fix stuck progress bar under Receiving... after a USB communications failure

• Showing derivation path in Address Explorer for root key (m) showed double slash (//)

• Can restore developer backup with custom password other than 12 words format

• Virtual Disk auto mode ignores already signed PSBTs (with “-signed” in file name)

• Virtual Disk auto mode stuck on “Reading…” screen sometimes

• Finalization of foreign inputs from partial signatures. Thanks Christian Uebber!

• Temporary seed from COLDCARD backup failed to load stored multisig wallets

• Destroy Seed also removes all Trick PINs from SE2.

• Lock Down Seed requires pressing confirm key (4) to execute

• (Q only) Only BBQr is allowed to export Coldcard, Core, and pretty descriptor

Download the latest firmware

Exciting news - our #BitcoinBlackFriday Sale has officially started! Dive into incredible deals with up to 25% off on select items. It's the perfect time to enhance your family's Bitcoin security with the trusted COLDCARD. Discover the innovative TAPSIGNER, a game-changer simple bitcoin signer. And keep track of Bitcoin’s time chain with the stylish and informative BLOCKCLOCK. Don't miss out on these exclusive offers!

Happy Shopping! 🛍️🎉

SHOP COINKITE DEALS NOW

Our answer is what we’re calling “Edge Firmware for Mk4”. It will be updated more frequently and contain the very latest in BIP’s and other upcoming tech for Bitcoin. It’s not for everyday hodlers: it’s for the wallet developers and power users who are itching to experiment with new types of signatures, and complex new on-chain wallet types.

Let’s not be #reckless — Do not use this firmware on your main stash. Do not run it to impress potential sexual partners.

Winning features from “edge” will be moved to the normal firmware only when they are ready, and we are still developing new and practical features on both branches. Isolating the riskier stuff allows us to concentrate on everyday features, that everyone can use right away, while the Bitcoin community develops supporting code for new types of signatures and consensus related changes.

If you are not a developer, you can ignore Edge version completely.

Where to Find It

The source code lives on branch edge on the same Coldcard github repo: Edge branch on Github

Binaries can be reproduced from the code in that branch and signed binaries will carry an X in their version number. The code will alert the user on each power up, and the scroll bar is marked with “EDGE”, on screen.

Get the signed binary here

6.0.0X - First Edge release.

TAPROOT

• Taproot keyspend & Tapscript multisig sortedmulti_a (tree depth = 0)

• Paper wallets can be P2TR address format.

• Limitations:

  • only TREE of depth 0 is allowed

  • max 32 signers in TR multisig, only allowed script is: sortedmulti_a

  • if we can sign by both key path and script path: key path has precedence.

• Full technical details available here.

BIP-0129 Bitcoin Secure Multisig Setup (BSMS)

• Both Coordinator and Signer roles are supported.

• Encryption and decimal and hex tokens are supported.

• More screenshots and user documentation.

Fixes & Common Enhancements

• Enhancement: change Key Origin Information export format in multisig addresses.csv according to BIP-0380 (m=0F056943)/m/48'/1'/0'/2'/0/0 –> [0F056943/48'/1'/0'/2'/0/0]

• Bugfix: correct scriptPubkey parsing for segwit v1-v16

• Bugfix: do not infer segwit just by availability of PSBT_IN_WITNESS_UTXO in PSBT

These have been fixed on master as well, but are not yet part of a release.

What’s Next

Obviously… Miniscript!

Download the latest firmware

Get COLDCARD Mk4

With extensive industry knowledge and experience under his belt, Vivek is eager to share his expertise with you. He will be embarking on a nationwide tour, conducting workshops to help you fully harness the power of Coinkite's comprehensive product suite, including the indispensable COLDCARD. Recognizing the importance of the COLDCARD to the Bitcoin community, we are committed to equipping our users with all the necessary resources for maximizing its potential.

We'd love to hear from you! Share your suggestions for COLDCARD tutorials you'd like Vivek to create by participating in this Twitter thread:

—The Coinkite Team

New Features

• “MicroSD card as Second Factor”. Specially marked MicroSD card must be already inserted when (true) PIN is entered, or else seed is wiped. Add, remove and check cards in menu: Settings -> Login Settings -> MicroSD 2FA

• Import TAPSIGNER encrypted backup as main or ephemeral seed, for PSBT signing. This is a great way to safely use the key previously held inside a TAPSIGNER, because the COLDCARD can take over the signing that used to be done by the card.

• Detached Bitcoin signature files for most exports.

  • Files exported are now signed with a detached signature. Look for a .sig file with the same name, and verify signature with your favourite Bitcoin tools. See “Signed Exports” in docs/msg-signing.mdfor more information.

  • Coldcard can now verify signed files:

    • SD card and Virtual disk Advanced/Tools -> File Management -> Verify Sig File

    • NFC Advanced/Tools -> NFC Tools -> Verify Sig File

  • Learn more here

  • Related new website: Check your Bitcoin signatures here

Enhancements

• Address Explorer:

  • Application-specific derivation paths in Address Explorer -> Applications

  • Bugfix: Change value was ignored when generating addresses file

• Imports:

  • Add import multisig wallet via Virtual Disk

  • Add import extended private key via Virtual Disk and via NFC

  • Import seed in compact/truncated form (just 3-4 letters of each seed word)

  • Import extended private key as ephemeral seed

• Export:

  • Samourai POST-MIX and PRE-MIX descriptor export options added

  • Lily Wallet added

  • Ability to export all supported wallets via NFC (instead of SD card only)

  • Change electrum export file name from ‘new-wallet.json’ to ‘new-electrum.json’

  • Allow export of Wasabi skeleton for Bitcoin Regtest.

• Backup Enhancement:

  • Option to save the backup file’s encryption password for next backup. Then next backup is quick and simple: no need to record yet another 12 words.

• During seed generation from dice rolls, enforce at least 50 rolls for 12 word seeds, and 99 rolls for 24 word seeds. Statistical distribution check

• Single signature wallet generic descriptor export Advanced -> Export Wallet -> Descriptor. Both new format with internal/external in one descriptor <0;1> and standard with two descriptors are supported. added to prevent users from generating low-entropy seeds by rolling same value repeatedly.

• Docs: Add docs/rolls12.py script for verifying dice rolls math for 12 word seeds.

Bug Fixes

• Offer import/export from/to Virtual Disk in UI even if SD Card is inserted.

• Recalculate extended key saved in settings upon chain change (BTC, XTN, XRT).

• Provide correct derivation path (m/84’/1’/0’) for testnet Wasabi export.

• Properly display UX checkmark only if testnet (XTN, XRT) is enabled in Settings- > Danger Zone -> Testnet Mode.

  Get the Mk4

  

At Coinkite, we believe in putting users first and that's exactly what we have done with the Q1. Our team listened to the needs of the Bitcoin community and worked tirelessly to create a solution that would meet their most pressing requirements.

The result is a product that is truly outstanding in the world of hardware signing devices. The COLDCARD Q1 is a testament to the power of collaboration, bringing together user needs and engineering brilliance to create a product that offers security and ease of use like never before.

This innovative product embodies the true spirit of collaboration, blending user feedback with engineering prowess to create a solution that truly empowers Bitcoiners.

Effortless BIP-39 Passphrase Entry & Dedicated Function Keys

With a full QWERTY keyboard, entering your BIP-39 passphrase has never been easier to type in. The addition of dedicated function keys streamlines submenu navigation, NFC compatibility, QR code decoding, and even a built-in flashlight for optimal scanning in low-light conditions.

Superior Display with QR Code Accessibility

With a colored LCD screen featuring 9 times more pixels than the MK4, text readability and QR code accessibility have been elevated to new heights. This improvement ensures compatibility with even the most basic scanning devices.

Convenient Data Storage & Backup

Enjoy the convenience of our push-pull design and extended hanging mechanism for easily handling the microSD cards. It makes creating backups and transfiguring data a breeze. Keep your unsigned and signed transactions separate with ease and streamline backup operations with two accessible MicroSD slots.

Power Independence & Air-gapping

With both USB-C and battery power options, the Q1 offers exceptional power independence. Both USB-C data and NFC data can be permanently disabled by cutting a specific PCB trace.

Powered by USB-C, delivering 100mA at 5 volts, or alternatively with 3 AAA batteries, the Q1 offers unparalleled power independence. For added security, both USB data and NFC data can be permanently disabled by cutting a specific PCB trace, ensuring your data remains secure at all times.

The QR code decoder on the Q1 boasts bright LED lights, ensuring optimal scanning even in low-light conditions. Data decoding is executed via a secure 2-wire serial port connection, preventing any malicious incursions.

Convenient Data Storage & Backup

Enjoy the convenience of a push-pull design and extended hanging mechanism, making data storage and retrieval effortless. Keep your unsigned and signed transactions separate with ease, and streamline backup operations and file transfers with these two accessible slots. Say goodbye to the hassle of battery removal and hello to a more efficient self-custody experience with the COLDCARD Q1.

Be a part of the future of self-custody with the COLDCARD Q1.

Early bird discount now available on Coinkite’s store: https://store.coinkite.com/store/cc-q1

Learn more: https://coldcard.com/docs/coldcard-q1

NVK: Cool, thanks, Dee. I think it'd be really cool to talk about some of the some of the FUD around solutions and some of the ways the products in the market do address them, hopefully, we can clear a few of those, because that's in my view, one of the things that keep people from using good solutions is just this fear of the nearly impossible attacks, or attacks that are complete lies (ie FUD). Why don't we start with: 'can Sha 256 be broken?' We hear every time the price of Bitcoin goes up. People come into this Bitcoin space and start saying that somebody could break bitcoin's cryptography. How big is the entropy space for ECDSA and Schnorr in the way that Bitcoin uses it? And how hard it is to break it.

Rijndael: It's really large orders of magnitude. Humans are really bad at comprehending orders of magnitude. The order of the number of atoms in the observable universe is about two orders of magnitude larger than the number of valid ECDSA keys that you can have in Bitcoin. What Justine was saying earlier about that your seed is a representation of your private key. What happens is, when you go to create a new wallet, your wallet generates new really big random numbers, and then feeds it into an algorithm that creates a master private key. And then that master private key is used to derive all of your addresses and the corresponding private keys for them. There's two ways that somebody could get your private key: one of them is that they just get really lucky. And they have what's called a collision where they randomly pick a key, that's the same as one of your keys. And as I mentioned, there's a really, really, really large number of keys out there. It's very unlikely that somebody is going to pick the same one. Or the other thing is the security of Bitcoin’s digital signatures rests on a thing called the discrete log problem. And the idea is that we don't know any way of un-doing particular mathematical operations over elliptic curves. And if we did that, it would mean a lot of things about cryptography and the whole internet would be broken. The cryptography that's protecting Bitcoin is like the same cryptography that protects the rest of the internet. If that broke, pretty much everything would break.

NVK: If the Bitcoin cryptography is broken airplanes start falling off the sky, electricity will stop being delivered, and the water will stop being delivered. Even your sewer likely stopped working in a big city. Essentially, everything in your life that maintains you alive, except from being out in the bush, depends on cryptography nowadays, and its geography.

Rijindael: Also, Bitcoin needs the Internet to work.

NVK: Well, there's radio.

Rijindael: Well, you can broadcast a transaction, but the miners are going to need the internet, right?

NVK: That's right. Everything in Bitcoin starts from entropy. That's why I wanted to start from there and address the original original FUD in terms of Bitcoin, custody. Now, let's dive into sanity and quality of entropy. If you have a bad or evil device or piece of software, it could create bad entropy to you either by bug or by a malicious intent. Just to oversimplify it, let's say you have a rainbow table, or a known bug and derivation. And, an evil piece of software or hardware wallet could theoretically start giving you either extremely weak entropy accidentally, or it could give you entropy that they themselves know some part of the entropy; which is kind of scary, right? Because they could give you entropy that they can then later derive it themselves, those keys, and then take your money remotely without you ever knowing what happened. I think it's important here to understand why people in this space are so adamant about you using software that is verifiable: so you can go look at the source code. You can build it yourself; not that everybody's going to do it. But people who have some notability, or people who understand it in this space are going to go look at the software because they understand it. They're either going to vouch for that piece of software, or they're going to say to that they're finding any issues with it. That means that when you're using your COLDCARD somebody else looked at that source code and knows that Coinkite is not sort of hiding some purposeful bad derivation there. Now another thing that goes in that sense is: why is it important to bring your own entropy? Because why trust the software itself at all? Why don't you just throw some dice, and input that entropy yourself into the COLDCARD? In my view, that's even a better solution. Or at least do it to prove it that the device does what it claims it does. And then you do a new one or some mix of it.

Good Guy Biker: That's why you use those chips on your devices, right? Because they're certified. They've been tested for entropy creation, right? I think there's the hardware is a big part of that too.

NVK: Yes, the thing though: I don't want to trust the trng, even though it is certified on a hardware device. Chances of that having a backdoor or being evil are low. If there is a backdoor, it probably is going to be state actor level try to do something. In my view, we don't like to trust it at all. What we do is we mix the entropy of different chips manufacturers that would of all have had to conspire together to do perform such an attack. And then on top of that, they would have to cheat our openly verifiable source code. If you add a dice roll on top of that, they can't really do anything about it. There are devices out there that don't have verifiable source code and they do depend on certification, so their security level does depend on that single point of failure. Let's call it that way. And we have seen this happening the world through time in terms of attacks on security systems, by state level attackers.

Good Guy Biker: The enclaves or chipsets that the Trezor use are easily exfiltrated using glitching exploits on some of the older models. The barrier of physically taking private keys from some of the older Trezor is a 15-minute YouTube video, a breadboard, and a few jumper cables. Whereas, with something like the COLDCARD, which uses multiple secure enclaves, it's incredibly difficult. You would need laminating or microwave equipment, and university-level laser equipment before you can accomplish these types of exfiltration. I think that's a big step: simple secure hardware.

NVK: That's one cool thing you get with multi-sig or a passphrase; is that you de-risk each key. Both Justine at Unchained Capital and Jamesons at Casa do source that entropy from different hardware wallets, which I assume you guys allow customers to pick, but you probably advise them to pick different hardware wallets. And on Casa's Keys app you will also have the app being one source of entropy as well.

Lazy Ninja: Also there there may be people listening right now that thinks this is tinfoil hat stuff that you don't need to pay attention to but there's a theory right now in the theft of Luke's coins, that somebody identified that his system has common vulnerability that's been reported publicly that the random number generator on that system is terribly broken.

NVK: This is where the rabbit hole of: 'please don't roll your own solutions' as a civilian is so important. Even as a programmer: don't roll your own solutions. Because your widow may not be able to recover from that or you are fallible, and your own solution has not had the scrutiny of the market to find those bugs that may be an even bigger problem.

Lazy Ninja: You're only one person, and it's just impossible to do the level of scrutiny needed on complicated systems to validate everything. Even sometimes looking at the failure, it's not obvious to you because these things are much more subtle. These errors than they appear when people sort of disclosed and it seems obvious, but when you don't know the errors there, it's really hard to see.

NVK: An air-gapped computer running an OS like Cubes or Tails is a great solution for doing Bitcoin operations, constructing transactions, and checking your wallet, but it is a terrible solution for handling private keys. General-purpose computers were not designed to hold secrets, they are extremely complex machines. Even if the OS is open-source, there are still 50 layers that are closed below that. Even Raspberry Pis are closed-source. Everything is closed. I think Lazy Ninja has some great commentary on the attack surface of general-purpose computers.

Lazy Ninja: I just want to make it clear that some of these advanced attacks are not purely theoretical. One of the things people sometimes do to protect themselves is to use an air-gapped computer with a hard drive that has never touched the internet. Obvious, the code had to get onto the hard drive at some point. The user does their stuff and then wipes the hard drive or something similar. However, a sophisticated attacker who has malware in the source code that people are downloading and putting on the air-gapped computer to set it up, can make it possible for the source code to cache private keys and other sensitive information to memory chips on the system that cannot be easily removed. For example, a private key could be cached to BIOS memory, and even if the hard drive is wiped, the key may still be stored in physical hardware on the computer that cannot be removed without destroying the computer. If the system is reinfected by the same virus, it can go look in those cache places and recover the information. These are advanced and tricky ways that attackers can steal sensitive information.

NVK: This is a trivial attack on something like a Raspberry Pi. It is possible because it has a bunch of proprietary, closed binary blobs running on the main micro and auxiliary systems. People trying to experiment with DIY solutions may use a curl to a bash script to build all the source code from the internet without knowing what packages are coming in to build that source code. They're not reviewing it themselves and not part of a package system where people actively seek to remove packages and have less attack surface. This is a huge amount of work that Bitcoin Core goes through, where it doesn't have dependencies. This means that when building the software, everything required comes in the same bundle and has already been reviewed. Most importantly, it is deterministically built so that when people claim the source does what it does, you can check byte by byte that your build is the same one. There is no room for anyone to change anything and do any shenanigans. We see mistakes where people try to do entropy without paying attention, using dice, dominoes or paper out of a hat and accidentally type in the same result. Every single bit of weak entropy space in Bitcoin is being watched and has already been derived. If you have a low entropy Bitcoin key, someone will take those funds from you. When talking about quality open source software, commercial software, and hardware in Bitcoin, a lot of work goes into making sure it's not exposing you to hacks or bad entropy. Craig, how do you manage packages and give advice to people using open source software wallets on a computer?

Craig Raw: The reality is that there are lots of dependencies and all of the noted difficult, but nevertheless, possible attacks are valid. If someone has the same access that you do when you run your bitcoin wallet, they have all the permissions to access the memory in which it is and pod drive. That's why we use hardware wallets, to have an air gap or a key sitting on a different device which is not running in the same memory space, or at least that an attacker doesn't have access to that. In terms of dependencies, the way to deal with it is to try and reduce them as much as possible and then review the ones that are there. This is the same approach that Bitcoin Core would take. However, the more common attack vector is malware sitting on your computer which has access to your bitcoin wallet and may have compromised your wallet.

Good Guy Biker: The number one reason that this is happening here in Canada is that the internet service providers' DNS lists are being hacked. As a result, a lot of local internet service providers are redirecting people to bad Electrum packages, images, or copies of websites. It's not just the GitHubs or repositories or bad tutorials that are sending people to these bad payloads, sometimes it's a case of AT&T being exploited.

NVK: You know, that brings me to binarywatch.org. It's a little project we put together recently. Essentially, it watches the binaries, which are the downloadable version of the software that is reproducibly built, ideally, or at least the binaries are signed. Most Bitcoin software, the binaries are assigned with the maintainers' keys. And people should always check the signature before they run software in general, but especially if it's Bitcoin software, to make sure that it is the actual software intended for them, not an evil version of that software. It’s @binarywatchbot on Twitter and it watches a lot of Bitcoin project binaries. And if they produce a bad signature, it will warn you. But you can always check it there. It's nice to have multiple people, multiple parties, double-checking the same thing, because they would have a good copy, a good known copy of that public key that was used to sign that specific software.

Lazy Ninja: And always make sure to check multiple maintainer keys because again, in the case of our friend, his PGP key was also compromised, which could have released bad versions.

Portland: I wanted to make a comment on random sources of entropy, specifically hardware random number generators. There are three things that must go right to implement them correctly. First, you must have a true random source of entropy on the silicon. This is the manufacturers' job. For example, STM, which is used in the Coldcard, has a hardware random number generator that I personally trust. However, it is also important to implement it correctly in software. This means using the correct code to activate it and obtaining random entropy from it. Lastly, there must be protection against a common vulnerability exploit, such as 2019 15847, where the compiler can optimize out the necessary instructions. This led to the Talos 2 situation, where a PowerPC processor had a great random number generator, but the library GCC used to compile to the architecture optimized out the total range of entropy possible. Even if the programmer wrote the code correctly, the compiler would optimize the entropy range.

NVK: It could even get funnier; for instance blockchain info back in the day was not randomizing key values, which is one of the nuances that go into building this. Essentially, there was a guy collecting Bitcoin from people who had a blockchain dot info wallet because they had a 404 error on random number.org. It was literally a 404 error because somebody was pulling random numbers from some random website that claimed to have random numbers to begin with. Programmers do all kinds of stupid things, but it's not always malicious. When there's a large install base, there are more eyes on it, more people trying to break it. It's economically interesting for people to try to break it, and those problems, bugs, they do come because people want bounties, people want fame. I highly recommend if you're interested in this topic, I had an episode of Bitcoin Review with Lazy Ninja, Craig and a few others on diving into wallets. I think we linked it on the nest. When conducting Bitcoin transactions, the more complicated your setup is, the greater the risk you are in. Smart people who are more familiar with the topic may be more vulnerable to these risks because they may use more advanced or customized methods to secure their transactions, which can also increase the chances of human error or oversights. For example, someone may use a custom ThinkPad laptop that has had all of its radios removed and is only used for Bitcoin transactions, but if they were to accidentally plug in a malware-infected USB device, their entire setup could be compromised. On the other hand, less knowledgeable people may use more standard and well-known security methods, such as using a hardware wallet and sticking to a single signature approach or seeking assistance with multisig through CASA, Unchained, Nunchuk or Keeper. This can be less risky because these methods have been widely tested and have fewer opportunities for human error. This is why we recommend using hardware devices specifically designed for Bitcoin transactions, and using "air-gapped" systems, where the device containing the secrets is not connected to the internet or other devices. This greatly reduces the chances of a security breach, and is relatively easy and inexpensive to implement. What other FUD that's reasonable but also so very unlikely to happen do you guys want to bring up?

Good Guy Biker: Quantum computer risk is a topic that many people are discussing. However, most people don't realize that companies like D-Wave, working on quantum computers, will not be the only ones to benefit from this technology. The entire industry will benefit and many people will work towards solutions for quantum hardening. This is not necessary right now, it's more of a "Boogeyman." In the worst-case scenario, if a Black Swan event were to occur, the node operators would likely roll back to a particular block before the event and implement quantum hardening.

NVK: One attack that is worth mentioning is multisig grifting. This is where a virus on a computer replaces the payout addresses on a multisig and the devices are not prepared to check. This allows the attacker to control the outputs and send the change to themselves. They may not be able to spend it, but the victim will not know where the change went. This can also be done with xpubs. If a victim has a large UTXO in their wallet and does not have good UTXO management, the change can be sent to an unknown address. This is where the attacker may try to grift the victim for money. This type of attack can happen with most wallets that are not as great in the market, as they are not prepared to deal with this type of attack.

Good Guy Biker: But you helped fix that with COLDCARD, didn't you NVK?

NVK: We enforce certain measures to prevent this type of attack. We don't give you a choice and we will give you a warning if there is something fishy, but we cannot know everything. There are ways of handling this type of attack, such as using a BIP that addresses this issue: BIP 129, Bitcoin Secure Multisig Setup (BSMS). This standard helps address some of that quorum knowledge by all the signers. However, all the signers are not the same, so it's important to have diversity in hardware signing devices and make sure that they have the best defenses in place. It's important to not use random hardware wallets that you heard are great on Twitter, but to do your research and make sure that you are using a reliable and secure hardware wallet. A lot of hardware wallets in the market are not commonly recommended and are mostly just Android phones from China in a different package, pretending to be very secure, but they are not.

Subscribe now

To best understand what’s going on under the hood, we will go through the process of setting up a Coldcard and using it.

The mechanics involved will be broken down at each step of the process. This way you will have a holistic view of the Coldcard’s security.

Using Your Coldcard for the First Time

Fresh from the Factory

Your Coldcard Mk4 will arrive in a sealed, tamper-evident bag. On it you’ll notice a number, which is unique to every Coldcard manufactured. There will also be a copy of this number included in the bag.

This same number will appear on the device screen when you turn it on for the first time, since it is recorded into the OTP (One-Time-Programmable) flash memory.

What is OTP Flash?

OTP (One-Time-Programmable) flash is a type of non-volatile memory (info remains even if the device is powered down) that can only be written to a single time. It is used for storing data that should not be modified after it is programmed. Unlike regular flash memory, OTP flash cells do not have the ability to be erased and reprogrammed because the circuit that erases them is not provided.

When an OTP flash cell is manufactured, it is programmed with all-ones and then you can clear some of the bits to zero. However, once a bit is cleared it cannot be set back to one.

Additionally, on this specific chip, an ECC (Error Correction Code) is applied and written adjacent to the cell during programming. The ECC allows for detection and correction of errors that may occur during the write process and prevents further writes to the OTP flash cell. The ECC value and the value itself are locked, making the OTP flash a secure and reliable option for data storage.

Benefits of the Packaging and Bag Number

• Proves that you are the one powering-up the Coldcard for first time.

• Enforces secure supply chain (not an intercepted package).

  • E.g., if you buy a Coldcard on Ebay, and it’s not in its bag, then you are in trouble.

• The bag cannot be replaced or resealed.

The goal here is to ensure that no one has intercepted your package and fiddled with it in any way.

Power ON

Once you’ve inspected that the bag in which it came in is intact and that the number written on it matches the copy found inside, you will plug your Coldcard to a battery using the USB-C connector.

You will then be faced with the bag number. As mentioned above, it’s stored in a secure area of the flash memory at the Coinkite factory and approved by a verifiable cryptographic signature used to identify themselves as the original source of this information.

Now, you may ask yourself, how can I trust this information? First, the bootloader (the computer program that handles starting a computer) will not run the device’s firmware (software that gives the basic instructions for how the hardware should operate and interact with other software running on a device) if it is unsigned or signed incorrectly.

Second, if anything were to be changed at the bootloader or firmware level, the red caution light would turn on, indicating that something went wrong (we’ll get into more detail later).

Securing the Device

If all goes well in the previous step, there’ll be a solid green light on the front of the device. Now that the Coldcard is up and running, we can proceed to the next step : deciding on your PIN and writing down your anti-phishing words.

The PIN has many roles :

• Access to your device and seed phrase (12/24 words) is protected by your knowledge of the PIN.

• It cannot be brute-forced (only 13 tries).

• Works with anti-phishing words to prevent Trojan devices.

• It’s tightly integrated with the secure elements, and their protection of the seed phrase.

The PIN is made up of two parts, a prefix and a suffix, each being 2 to 6 digits in length. After entering the prefix, two words, known as the anti-phishing words, are generated.

These words are taken from the BIP-39 word list and used as an additional security method to help prevent attacks, like an Evil maid attack, or a Trojan horse, where you think that you’re using your Coldcard but in fact it’s a fake one used to collect your PIN code.

Once you note them down, you can proceed by entering the second part of your PIN.

Note that if you enter the same prefix on a different, new Coldcard you won’t be getting the same anti-phishing words since each Coldcard device has a unique “secret” held within SE1.

Generating your Private Key

Hardware Brief

The main hardware components at play at this step are the secure elements (SE) and the microcontroller.

What is a Secure Element?

Think of it as a safe containing secrets that can work in conjunction with other elements found in your hardware device, if the proper clearances are provided. It can defend the secrets held within it against sophisticated software and hardware attacks. Data processed on a SE is isolated from software found elsewhere in the operating system.

What is a MCU?

The MCU acts like a little brain. But instead of telling your lungs to expand and retract and your heart to beat, it directs other portions of an electronic system.

The Coldcard Mk4, unlike its predecessors and other products like it on the market, has two Secure Elements (SE) : Microchip’s ATECC608B (which we will refer to as SE1) and Maxim’s DS28C36B (referred to as SE2), both designated by the arrows marked with “SHOOT THESE” on the front of the device. On the backside of the device, you will notice the Microcontroller (MCU), the ​​STM32L4S5VIT6, which is the large chip near the top

.

The Process

Now that your PIN and anti-phishing words are determined, the Coldcard Mk4 is ready to generate your private key.

A source of entropy, or randomness, is required to pick your private key. The Coldcard uses a True Random Number Generator (TRNG), found inside the MCU, to do so.

The entropy used for seed-picking is also seeded by a RNG from both SE1 and SE2. This means that 3 True RNG’s are involved: SE1, SE2 and MCU.

The number obtained is then run through a secure hash algorithm with a digest size of 256 bits, or the SHA-256. The goal here is to remove any bias the TRNG might have. For instance, if the ratio of 0 number bits to 1 number bits is known (e.g. 10% are 0 and 90% are 1), this process will address that and adjust the ratio to 50/50 - we call this “whitening”.

SHA-256 is one of the most widely used and secure hashing algorithms, and is core to Bitcoin, having secured trillions in $USD equivalent in transactions up until now.

You are not required to completely trust this process either. You have the option of using the dice rolls method instead to complement or replace this step.

Each roll of a D6 dice provides 2.585 bits of entropy. By adding 100 dice rolls, you will have the entropy necessary to be secure (you can even verify the mathyourself. It’s critical that you do the actual dice rolls for this to work and not fake it.

Once the private key is determined, it’s encrypted, then stored in SE1 and remains protected by your PIN. The advantage of storing it here is that it is physically separated from the MCU, which isn’t a device designed to withstand physical attacks.

Note that we do not want to trust SE1, which is why we encrypt the private key before storing it. The encryption is done with AES-256-CTR, using a 256-bit key determined by a combination of factors from SE1, SE2 and the main microcontroller.

This means that SE1 alone cannot decrypt the private key. Therefore, we can leverage SE1’s security benefits all the while not exposing sensitive information to it.

The mcu replaceable key is set once a new seed is stored in SE1. This is an additional secret held in the MCU that plays a role in providing a decryption key to gain access to the private key.

The MCU, SE1 and SE2 are needed to decrypt SE1’s copy of the seed, so we can just “quick wipe” by forgetting the MCU part of the key since the actual AES key is still unknown. However, you are limited to 256 wipes of this key.  

What is AES-256?

AES-256 is a type of encryption that uses a key with 256 bits (or 32 bytes) of length to encrypt data. It is widely deployed in all commercial crypto systems and many military ones as well. Being a 256-bit key, it is not feasible to brute force (guessing the answer through systematic trial and error).

Used for protecting all web traffic (HTTPS), your bank cards (Visa, MC, Amex) and nearly everything everywhere, you dont need to worry about AES being the weak link.

Remember, we are also using the physical protections of the SE chips (designed to even resist probing by lasers). Central to the design of the Mk4, is that both SE1 and SE2, plus the main micro need to be “fully cracked” to get the seed phrase out of a Coldcard.

Accessing the Private Key

Let’s say you close your device after setting it up for the first time and now you wish to use it again to sign a Bitcoin transaction. Accessing the private key involves communicating pairing secrets between SE1, SE2 and the MCU.

In other words, they must authenticate themselves to one another to establish an electrical connection between them to further exchange secrets and access the private key.

Each chip holds its own secrets and to reveal them takes some advanced cryptography (HMAC, AES-256 & ECDH):

• MCU : holds the pairing secrets, accessible only by bootloader. Also holds part of the decryption key for SE1.

• SE1 : holds the private key, but it’s encrypted.

• SE2 : knows Trick PINs and part of the decryption key that SE1 needs.

Once valid pairing secrets are shared between the chips, the communication between them is enabled to allow access to the private key.

Here is what the process looks like under the hood :

1. You enter a PIN;

2. The MCU authenticates itself with SE2 and checks if it’s a Trick PIN (SE2 doesn’t know the true PIN);

3. If it’s a Trick PIN, then it is activated;

4. The SE1, using the correct PIN, a public key signature and the ECDH setup, will authenticate itself to SE2. This will reveal SE2’s decryption key.

5. If it’s an incorrect PIN, a attempt counter is activated (you have a total of 13 login attempts);

6. The 3 keys are combined using HMAC(SHA-256) into a single decryption key used to decode the data previously stored in SE1.

7. Using both the MCU’s and SE2’s decryption keys, you now gain access to SE1’s decryption key, thus gaining access to the private key.

Other things to note :

• During operation, the main firmware asks for permission to the bootloader to communicate with the secure element.

• The sequence described above implements a data structure that is signed by HMAC generated by the bootloader.

• The bootloader code knows a secret, which it picks and keeps secret behind a hardware firewall held within the MCU.

• Secrets are encrypted using AES-256.

• The hardware firewall protects the bootloader from access from any other code running on the chip, no matter how it got there.

• The chips involved must complete a specific sequence using the pairing secrets, if one bit is off, nothing works.

What are HMAC & ECDH?

• Hash-based message  authentication code (HMAC) is an authentication technique that uses cryptography to verify that data is correct and authentic using shared secrets.

• Elliptic-curve Diffie–Hellman (ECDH) is a key establishment protocol using public-private key pairs, suitable for elliptic curve cryptography, where a shared secret can be communicated over an insecure channel.

Tough to Crack

Monitoring the communications channels between SE1 and SE2 and the MCU will not help you. All of their communications (even though only over a few millimetres of copper) are encrypted and authenticated.

The communications protocols between SE1/SE2 and MCU are quite involved, and any single bit error will prevent correct operation. Listening alone will not help you, and interjecting (introducing new hardware or devices into a system) does not help either thanks to ECDH and the encryption done with shared secrets between the devices.

Using a dual secure element model greatly improves the security of the Coldcard Mk4 :

• They do not share bugs and weaknesses since they are from different vendors.

• Provides dedicated, purpose-built secure storage for your seed words, physically separated from the MCU.

• Controls the LEDs so malicious software can’t change their behavior.

• Removes the possibility of resetting the device due to its heavy involvement in Coldcard operations.

What if the Secure Elements are Backdoored? 

The Coldcard Mk4 is designed with security in mind, and uses a number of different features to protect your funds even if one or both of the secure elements were to be “backdoored”, which means that it was compromised or tampered with by an attacker.

One of the key features that helps to protect against backdoors is the use of hardware-based security. The secure elements in the Coldcard Mk4 are physically separate from the microcontroller unit, which is the part of the device that runs the software.

All Bitcoin signing is done in the MCU using the same code (libsecp256k1) as in Bitcoin Core. It’s been reviewed by hundreds of coders, both good and evil. The SE’s hold secrets, but they do not manage your Bitcoin. This is key for protecting from backdoors in those chips, since we cannot review them. Because of the dual SE setup, a backdoor which leaks the secrets would need to exist for all 3 chips.

All communications with the SE’s are done with bootloader code that is set in the Coinkite factory, thus not upgradeable. The signature verification of new firmware is done by the MCU boot code, which isn’t changeable.

It’s worth noting that even the most secure device can be compromised, it’s recommended to follow best practices such as keeping the firmware up to date and regularly checking for suspicious activity.

Overall, the Coldcard Mk4 is designed to provide a high level of protection for your funds, and it uses multiple layers of security to mitigate potential risks and protect you even if the secure elements were compromised.

Using the Private Key

Now that you have access to the private key, you can use it to approve Bitcoin transactions. Approving or signing Bitcoin transactions can be done offline using a microSD card.

Once you have created a transaction on your wallet software, you then load it onto the microSD card and insert it into the Coldcard for verification.

To mitigate the risk that malicious software is trying to change the contents of your transaction, the Coldcard analyzes very carefully the contents of the file.

This includes:

• Verifying that the inputs of the transaction, or UTXO’s (Unspent Transaction Outputs) are valid.

• Verifies that the change going back to your wallet is valid.

What’s with the Hardware?

The hardware used and how it operates in the Mk4 has been discussed extensively in this article. The most crucial parts being the secure elements. 

Why are Secure Elements Good?

As mentioned before, MCU chips are not designed for security and built to withstand physical attacks like decapsulating, side-channels attacks, fault injection and more. They are intended for general purposes and focus more on functionality.

A secure element (SE) is a tamper-resistant hardware component that is used to store sensitive information, such as encryption keys and personal identification numbers (PINs), in a secure manner. Some of the key reasons why secure elements are considered to be good include:

• Security: Because the information stored on a secure element is protected by physical and logical security mechanisms, it is extremely difficult for an attacker to extract the information without detection.

• Isolation: The secure environment provided by a secure element ensures that sensitive information is kept separate from the main processing environment of a device, reducing the risk of data breaches caused by software vulnerabilities.

With regards to the ones used in the Mk4, they are essentially fixed function secure elements. This means that all the code is already pre-done in the die of the secure element, so that you can’t change it. You can only fix settings on it. 

As mentioned before, the SE doesn’t even see the seed. The (open) MCU does all the Bitcoin operations with the open source code and does the encryption of the seed— also open source — and then puts that encrypted seed inside the secure element.

Why are general-purpose computers not good for bitcoin private keys?

A general-purpose computer is a type of computer that can be used for a variety of tasks, as opposed to being designed for a specific purpose. They typically run a wide range of software programs. Examples include desktop and laptop computers, as well as smartphones and tablets.

General-purpose computers are not well-suited for generating or managing Bitcoin private keys because they are not built specifically for cryptographic operations. Bitcoin private keys are generated using a specific algorithm that requires a high degree of randomness, and general-purpose computers may not be able to provide this level of randomness due to the presence of other software and processes that could affect the key generation process.

Additionally, general-purpose computers are also more susceptible to hacking and malware, which could compromise the security of the private keys stored on them.

Here is an incomplete list of attacks that a general-purpose computer is exposed to.

In contrast, hardware wallets, which are specifically designed for generating and storing private keys, are considered to be much more secure.

Why are Raspberry PI’s not a good security platform?

Raspberry Pi’s are not typically considered to be a good security  platform for a few reasons. One issue is their lack of built-in security features, such as hardware-based encryption or secure boot capabilities. Being a general-purpose computer device, it does not have these built-in encryption and other security features to generate private keys and keep them safe. Additionally, Raspberry Pi’s are often used in  environments where they may be connected to untrusted networks or  devices, making them vulnerable to attack.

There are other important factors that help disqualify the RPi as a device to use for your Bitcoin security. Some are : lack of open documentation for the GPU interfaces (which does the system startup and initial boot loading and is closed source), it hides behind proprietary Broadcom chip, bootloader and drivers, the hardware abstraction layer (HAL) is at the mercy of Raspberry Pi, and has closed binaries from Broadcom.

The device is also not capable of securely attesting firmware signature. A user can download malicious software from a compromised website and the device can’t securely check the signature.

It can be a good device for hobbyists and tinkerers, but the fact remains that it would require an extra effort to secure it and it would not be as secure as a purpose built security device would be.

Oh no! Someone is Trying To Steal My Bitcoin!

This last section will cover additional aspects of the Coldcard Mk4 security architecture that will help defend your funds from malicious actors.

Trick PINs

Trick PINs, stored in SE2, allow you to enter a PIN code different from the one used to unlock it to deter a potential threat or prevent them from stealing all your funds. They include :

Duress Wallet

Entering this PIN would give you access to a secondary wallet where you can store some funds that you would be willing to lose when faced with a would-be thief. Note that a sophisticated attacker that is able to open the casing of the device and watch the electrical circuits could detect that this is a Trick PIN.

Long Login Delay

When this Trick PIN is entered, a countdown timer is shown and that time must elapse before being able to log in, thus gaining you time during an attack.

Brick Me

After entering this PIN, your device essentially self-destructs, destroying all secrets held within it.

Blank the Coldcard

This PIN clears the data within the MCU, resetting the device.

Genuine / Caution lights

The green light on the device indicates that the contents of the flash memory have remained unchanged since you last logged in with the correct PIN.

The light is controlled by the secure element and enforced cryptographically. This means that once all the checks between the bootloader and the secure elements are done and are valid, the light will turn green. Else, it’s a sign that your device might be compromised.

Any change to the flash memory of the MCU will also cause the red light to turn on.  

Anti-phishing Words

This feature protects you against a compromised Coldcard that might look like yours but it cannot know the two words generated by your device.

Your PIN prefix is hashed and that answer then goes through a HMAC/SHA-256 operation by SE1. That new answer is then converted into two words from the BIP-39 word list.

There are about 4 million possible word combinations and the bootloader also uses a rate-limiting feature where it would take 2 seconds to test each prefix, so about 93 days to go through all the possible combinations. 

Passphrase

The Coldcard supports BIP39 passphrases, allowing you to create an unlimited amount of extra wallets using your main private key by adding more words or characters to your seed phrase. Learn about it here.

This is the ultimate protection, since even if the Coldcard did lose its secrets, your funds would be safe without knowledge of the BIP39 passphrase. Similarly, if your backup of your seed phrase was found, the funds cannot be stolen without the passphrase.

The Firmware

The firmware and code used in the Coldcard are open-source, take a look for yourself here.

What else is that the bootloader will not run the main firmware if it is unsigned or signed incorrectly. This means only Coinkite Inc. can produce firmware that will run on this platform. This means that if someone else were to try to introduce their own code into your Coldcard, it either won’t work or the red caution light will turn on.

The only policy enforced by the firmware is the PIN attempt timeout periods. The code that does that is in a restricted part of the bootloader and cannot change.

Conclusion

By using this security architecture, you can rest easy knowing that it is currently close to impossible to breach the Coldcard Mk4. The use of two secure elements and a microcontroller for splitting secrets that are only accessible after going through extensive cryptographic handshakes greatly reduces the device’s attack surface.

Although the secure elements used are closed source, the code that runs on the device isn’t. Even if one of both of the secure elements were to be compromised, however unlikely that may be, your private key remains safe.

If you still don’t have a Coldcard Mk4, get yours now!

Documentation

• Mk4 Hardware Schematics and Bill of Materials (link)

• Physical Security Notes (link)

• Coldcard PIN Design and Operation (link)

• Mk4 Dual Secure Elements (link)

• Coldcard Firmware (link)

• Coldcard Mk4 Security Model (link)

• About 128 & 256 bit Encryption (link)

• AES 256 Encryption Algorithm (link)

• HMAC (link)

Follow Coinkite and Coldcard on Twitter to stay up to date with their products!

For further inquiries or to connect with the author, reach out to them on Twitter at @TristanBorgess

NVK: Craig, like us at Coinkite, essentially supports all forms of multisig and he's building multsig software. So Craig, I know this might sound like we're starting to pigeonhole people; but what are some reasonable multisig quorum choices in terms of m of n, that you personally think are good and not too complex?

Craig: Look, I think one thing to consider with multisig is the privacy aspect to it that you do reveal the details of your quorum when you spend. It is worth being aware of that. And if you have a very unusual, quorum setup, say, 5-of-11, or some something very odd, that's really going to stand out, and it will allow your spins to be more easily tracked on chain. I think that that's one of the biggest factors for me that I consider. And then taking that in, in mind that I believe, I'd be surprised if it isn't the most common quorum set up as a 2-of- 3. If you're doing that with your multistate, you are likely to be in a fairly large crowd, and it'll be hard to tell you apart. The next probable one, and Jameson probably knows this better than me, but I would suspect it 2-of-3 or 5. So that's probably next. And that kind of makes a lot of a lot of sense, both of those you can have a complete loss of 1 of those keys, so long as you still have all of the public keys, and you will be able to sign and move your funds just just fine. Obviously, with the 3-of-5, you then can have a complete loss of 2 of those keys. That's, I think the two that kind of stand up for me as as solving at least, you know, 80% of people's needs, when it comes to multisig. If you need more than that, you obviously have quite a unique need. You'll then have to consider all sort of that, but I would look at those two quorum sizes first

NVK: I think there's a reason why those two are chosen because they address most of the issues multisig is trying to solve, without getting too complex. And, there are some wallets out there that do 2-of-2, which I dislike. Because, now you're essentially getting the worst of everything. You're getting the complexity of multisig and the worst possible recoverability out of each secret. So, if you're doing 2-of-2, personally, I would recommend just doing single sig + passphrase. But, that would be a different discussion

Jameson: You can actually go to txstats.coinmetrics.io And they have this chart that's called P2SH repartition by type where you can actually see & count how many UTXOs and how many Bitcoin are known to be stored in different ones. And so 2-of-3 is the most common. Interestingly, 3-of-4 is the second most and then it's 2-of-2. I'm not sure what uses 3-of-4. 2-of-2; I think we can mostly agree probably Blockstream’s Green Wallet, and then 3-of-5 after that and I believe that they do have an out for their 2-of-2 two that's using essentially a lock time so that there is a way to recover even if you lose 1 of those keys and then you wait long enough

Justine: Now, in collaborative or assisted multisig, a third party, such as a trusted individual or institution, is allowed to hold one of the keys to assist in accessing the funds. This eliminates single points of failure and can be done independently, for example, by creating a multisig on a Sparrow wallet and having a trusted family member hold one of the keys. With Unchained, we do a 2-of-3 collaborative custody setup where you would hold 2 keys and we would hold 1 key. We also perform physical backups 2-of-3 times, where you as an individual hold 4 pieces of information, such as 2 signing devices and 2 physical backups of seed phrases. You can lose 3 out of 4 of those, and we can still assist you with your Bitcoin. So lots of error margin. This way, even if you lose some of the pieces, we can still assist you with your Bitcoin. We believe that this setup is the most secure option for most individuals, as it allows for multiple pieces of information to be secured in different locations. When you start adding more keys, it adds more complexity and often leads to people not properly distributing them and having them sitting in one place. That's why we offer a 2-of-3 key setup, which provides the necessary security without added complexity. We also offer Caravan, which is a wallet software that allows you to create your own multisig setup, and different quorums can be used with it. However, in the future, we may add additional quorums to accommodate different needs. As of right now, our standard is 2-of-3 keys. On the user side, you have your four pieces of information: two signing devices and two physical seed phrases. You're going to store these geographically in different places. We recommend using a metal plate to put these in four different places. What that looks like to you could be different. What we generally recommend for someone starting out is to take one seed phrase and put it away from all the others. This doesn't mean you're self-sovereign in your Bitcoin custody, but it means that you can't lose all pieces of information if you have a fire or flood in your house. The bare minimum is to remove one seed phrase and put it in a second secure location. These locations could be another physical home, an office, or a safety deposit box. We don't recommend putting all information in there because you shouldn't trust the banks. But with multisig, you don't have a single point of failure in that seed phrase, and nobody can access your Bitcoin with one. So you as an individual are storing that physically somewhere. And what that looks like could be whatever you want, such as buried behind the third oak tree hole on the left or behind your drywall seed phrase. It just needs to be four different locations is the optimal security setup on our end.

Jameson: We initially launched with 3-of-5 key management options, and then worked our way backwards to do a 2-of-3, which is easier to manage. Our thought process in deciding how to architect key management is that multisig is more complicated than a single key, so there's a lot more potential for errors. We want to constrain the design space to guide users down a limited number of paths. Within our system, there are different decisions that can be made, especially between the 2-of-3 wallet options. We offer a more convenient option with three keys, one on the phone, one with CASA, and one on a hardware device, or a more self-sovereign option using two different hardware devices with CASA as the third key. But of course, that creates a bit more onus on you, more responsibility to manage those backups. So one of the key differentiators between us and a lot of other multisig wallets is that we tend, as a default for the 2-of-3, to have the mobile key on the phone. Even if the phone device gets compromised, your funds will not be lost. We also do a secure backup of that key by encrypting it, putting the encrypted blob in cloud storage that can only be decrypted with the decryption key held on the CASA side. This creates a backup for that key, even if both sides are compromised. We are trying to make things easier for people to navigate the additional complexity, even with all the decisions that can be made. A very important aspect of our systems is that we offer support, because there is no single cookie cutter solution that works for everyone. Especially if you are going for a more complex multisig setup and are not familiar with adversarial thinking and key management, it is helpful to have someone to talk to and bounce ideas off of to understand the different trade-offs of the decisions you have to make.

NVK: And I guess I'll bring up Nunchuk. Nunchuk is a phone wallet that allows you to create multisig setups similar to Electrum or Sparrow, such as 2-of-2, 2-of-3, or 3-of-5. It is more of a DIY solution, compared to Unchained or CASA. Nunchuk uses a new product called TAPSIGNER for NFC transactions on the phone. This creates a different type of device with a different risk profile for multisig. Nunchuk also offers a signing service, allowing you to set a threshold for daily spending. If you don't want to use the service anymore, you can use your backup quorum to sign your money outside of the multisig service. This is a new type of non-custodial, assisted financial solution where a third party is involved in your spending to help prevent mistakes or limit daily spending. However, if you choose to leave the service, you can retrieve your quorum by using your backup keys, preventing the service from ever taking your money. This is a new concept in the field of money services

Justine: You made a really important point that many people confuse with multisig, especially collaborative or assisted multisig, that it doesn't mean you're locked in to a specific wallet provider. This is an important aspect of Bitcoin self-custody, as it allows self-sovereignty. It's important to remember that in Bitcoin, there are always trade-offs. And with multisig, you are adding complexity, which means you need to have a plan for self-sovereign recovery. When setting up a multisig, you will need a wallet configuration file. This acts as a blueprint for rebuilding the wallet outside of the provider. It's important to remember that this file cannot be used to spend Bitcoin, but it includes personal information, so it should be kept secure. When using collaborative multisig, you are trading privacy information. It's important to factor in the trade-offs and decide if it's the right fit for you. External recovery is important, so you should have a plan in place to prevent a single point of failure. Our company focuses on education, and we offer services such as a concierge service, webinars, and articles to help guide you through the process of setting up signing devices, learning about seed phrases, and recovering your keys.

NVK: We all agree that different people have different needs different solutions. I think that it all like even the same people might need different solutions. You want your spending wallet, your lightning wallet, maybe a warm wallet. I think we all agree that keys should never be on a computer or touch a computer, that hardware wallets work great, that multisig solves a lot of problems. We don't all agree that single sig + passphrase is great. But we do have some agreement on what where the faults lie. The big thing is that I want people to take out of this: don't get overwhelmed with solutions out there. You have time, you can test things. You can experiment with different services, you can experiment with different wallets. Most of the solutions are free. And then if you want to get into hardware wallets, and you can even build your own, there's solutions out there. I think it's important that people don't roll their own solutions, especially now their own cryptography. I don't think that's a concern anymore. But it used to be back in the day.

Jameson: If you got 50 bucks, or 100 bucks on Coinbase or Gemini, just go install Munn wallet, or Blue wallet on your phone and get it off and start playing with it. You don't have to go straight to buried behind the third oak tree. If you've got 50 bucks on Coinbase, you can really start small. It's worth saying over and over and over again.

NVK: That question does come up like every single time I do space somewhere. It's amazing to me how much people don't understand that they don't need like 12 out of 12 DVDs for 100 bucks worth for Bitcoin. You should be experimenting with Bitcoin. Don't go buy an asset with all your life savings until you understand how the heck that asset works.

Justine: I’ve also heard people telling me: ‘Well, you know, like, I only have 100 bucks worth of bitcoin, I don't really want to go buy this, this hardware wallet that's, you know, certain amount of money, it seems kind of crazy for the amount.’ You don't you don't have to! There's free mobile wallets, that can be your first step. I think the biggest takeaway from this is that it’s not all or nothing; take the steps. And we're kind of walking through the steps specifically, but you don't you don't have to spend money on an assigned device or hardware wallet. You can just download a mobile wallet, that's the first step. In my opinion.

Jameson: When you start getting more sophisticated, you also don't have to have one wallet. I have blue wallet on my phone. I also have, several multisig setup. You can think about partitioning your money where you have a really small bucket of money that's super easy to get to and very easy to spend, and then you have a bigger bucket of money that's harder to get to and harder to spend. And those things can change as your life does.

Justine: Just like we're not walking around with our life saving in our in our pocket, right? We take what we need to spend when we go get coffee or whatnot, and the other is secured somewhere. So yeah, the multiple wallets depending on your needs is it's totally.

NVK: Segregation is like hygiene in that sense. You're gonna have your savings account, your checking account, your credit card. You already do segregate fiat in all these buckets in your life. So why not do the same as Bitcoin? You don't want to be buying coffee with all your wealth.

Jameson: I think there is something interesting to be said about diversity and how to apply diversity from a security mindset. For example, one really common trope that we see is people coming to us who have, for their safety, diversified their funds across 5 or 10 different wallets. And some of these may be self custody, some maybe custodians, but their whole idea is: don't put all of your eggs in one basket. And my pushback against that is that yes, that type of diversity does, of course, reduce the chance that a single catastrophe will completely wipe you out and cause you to lose everything…but it can also be increasing the chance that you will have a partial loss and 1 or more of those setups will fail. One interesting aspect of multisig is that the diversity that you can add to the setup by having keys on different hardware manufacturer devices in different physical locations and basically different security properties around each of the keys. In that setup, security is actually additive, it creates a stronger and stronger setup, because it's essentially eliminating the single points of failure where if an attacker, for example, compromised the supply chain of popular hardware manufacturer, if your multisig setup is not using all the same hardware manufacturer, you're protected from that. Diversity can be good, but applied the wrong way, it can actually be harmful.

NVK: It's kind of fascinating. And it really goes to show why there is no fix all solution. Each set up is going to have different sets of trade offs. You could argue on one side that you want to have some diversity in your hardware wallets because in case one vendor is evil. Realistically speaking, it's would most likely to be a targeted attack against you that would maybe replace the hardware or something like that. But at the same time, even if you had multiple hardware wallets, the software update on some of them could break the multisig setup. It's unlikely to have full loss of funds, but you'll be it could be quite the quite the issue to go back to being functional. Each vendor is going to offer different thresholds and some vendors out there offer simply either no security, or illusion of security. Really crappy hardware. There's hundreds of hardware wallets. I'd say out of 100, probably 95 of them are absolute garbage and should never be used. And the guys from Ledger actually do a great job breaking hardware wallets. You should check out their Donjon blog, where they have broken hardware wallets and they tell us how long it took them to break them. And how much money breaking them actually costs. There's some hardware wallets that cost $10 to break and there's other hardware wallets that cost half a million dollars to break. Not all things are equal, just because they're the same category.

Proof of Keys vol. 3 coming next week

Subscribe now

This transcript is from a Twitter Spaces conversation held on January 3rd, 2023:

NVK: Why don't we kick off with maybe talking about what are the most common ways people lose Bitcoin? I will start with one example; one of the most common examples I see is people bamboozling themselves. People will screw themselves or their coins before they ever get hacked. People go out there and they'll hear an example from somebody that's either extremely smart or extremely dumb & sounds extremely smart. And they will have like a super complicated setup. You require many, many computers! They will do a super complex multisig and then the person can’t get the money out. Very good example of this: way back in the day was Bitcoin Armory. There's probably a lot of people on this call that have lost money on Bitcoin Armory. It was fantastically safe, so safe that many people never managed to get their money out. So what other stories do you guys see as very common ways people lose Bitcoin?

Dee: I'll go second here. When I first started, I was forex trading like an idiot. Someone was like: 'Hey, I have a trading platform, buy some, give me some money, and I'll double your money.' You know, the classic. And, they were only taking Bitcoin. So I was like: 'What the heck is that? Never heard of it? Well, I've heard of it, but never bought it? How does it work?' And they said: 'Oh, go on this exchange, buy some and then send it over, and I'll send you some back.' And, they were pretty smart. I started off with a small amount, and a few hundred bucks and gave him it. And surprisingly, they actually did double my money. And then that convinced me to give them a lot more money. And that's where I felt a culprit of what they did. But, I realized at that time that Bitcoin was immutable, and there's no way that I could get back my money. And it kind of hit me hard. I was really frustrated, obviously. But there was a user error, right? It was me, being an idiot, being greedy, and wanting more money at the time. I think people need to take a little bit of responsibility sometimes when they're handling their money. Obviously, I'm still a young guy and had lots to learn. And that sent me down the Bitcoin rabbit hole. And, here I am, right. And learning how to store my keys a lot more safe than I did on an exchange, right? So that's kind of my sob story.

NVK: It comes with some real pain to learn.

Dee: Yeah, absolutely, right? And I think a lot of people when they lose money, they get mad, and they try to blame someone else. But if you really learn about these things and store things properly and understand SHA256 encryption, then hopefully you don't have anything to worry about.

NVK: Yeah, thanks for that Dee. Justine?

Justine: Hey, I think you guys are on point. I generally think the majority of Bitcoin is lost by user error. At Unchained, and in personal experience, we deal with a lot of either newcomers to self custody, or people who've been dealing with single-sig, and this is kind of their first interaction with multisig. And what I found is there's just so much to learn about Bitcoin. It's the first time in history that we can truly own our assets and money, and that takes personal responsibility. It's like anything else - if you want to grow your own food or protect your home, there are skills you have to learn. Bitcoin is the same way, but it's new and people are used to calling the bank to handle things for them.

I think as a community, we have this all or nothing mentality, and we don't talk enough about the fact that there are many things you can do, and each person has to consider their own attack vectors and skill set. It's okay to take steps. In my experience, the problem is overcomplicating things or doing something because they saw it on Twitter, even if it's beyond their skill set.

User error, overcomplication, and passphrases that are too complicated for the user are the biggest threats. Outside vectors are also something to consider, but user error, overcomplication, and passphrases are the main issues.

NVK: That seems like there is a trend there. So, Lopp has this fantastic list of people who have been physically attacked over their Bitcoins. Jameson can you give people a little bit of a primer on that list and where they can find it?

Jameson: Yeah, sure. Well, it's linked directly from my main page on the physical Bitcoin attacks GitHub repository. I think it's easy for people to blow this out of proportion. Last I checked, I've compiled nearly 150 different attacks that I've come across and archived over the years, and this is actually a very small number in the grand scheme of things. It's probably one of the rarest forms of loss in the Bitcoin space, but there are patterns and things we can learn from it.

The most common event that causes this is people doing high value face to face cash and Bitcoin trades. Face to face OTC trades are risky because your counterparty may be a criminal and could assault you and take all of your money. A number of people who have experienced home invasions in the space are generally well known and flaunting their wealth on social media. This shows the importance of operational security and privacy in protecting yourself physically.

Getting back to the original question, I think one of the most common forms of loss is when you're not holding your own Bitcoin, you're keeping them with a third party. This opens you up to a multitude of forms of loss, whether it's the third party having an insider attack, being hacked, or the security system to access that third party account being compromised, usually through SIM swapping or password leaks.

When you have your Bitcoin with a trusted third party, you're still vulnerable to all of the same risks as self custody, plus a lot more because of all the things that can go wrong with the third party actors controlling access to those keys.

NVK: The amount of people who have put their seeds as a picture on their cloud storage for photos, it's insane.

Remember guys: 'the cloud' just means somebody else's computer. It's not like it's somewhere safe and it's actually yours.

Craig, you probably get a lot of a lot of support our feedback from users who have screwed up. I'm curious onto some of those questions.

Craig: I just want to echo what Justine was saying earlier: I think the number one cause of people losing funds, at least temporarily, is the passphrase. In my view, people don't seem to understand the difference between a passphrase and a password.

The major difference is that if you get a password wrong, the application very clearly tells you that you've entered it incorrectly, but a passphrase is different. People don't understand that every passphrase is valid and every passphrase creates a different wallet.

A Bitcoin wallet application will not remember the passphrase. The intent of a passphrase is that it is a random additional string that you can attach, which creates a different wallet. And once you have created a wallet with a passphrase, there's no way for the application to know which is the correct one to use. So that seems to be a very misunderstood thing.

Because many people are quite upset when they find that they have entered the wrong passphrase, received Bitcoin to that wallet, and then when they reload the wallet, they can't see the funds that they have received.

NVK: Tristan wrote a great "All You Need To Know About Passphrases" blog post.

People don't seem to understand that passwords can change. Think of passwords as just like a key to the wrapper, right? While the passphrase is the actual secret, it's part of your seed, and you can't change that. If that's wrong, that means you don't have the secret.

One great way of handling passphrases I find that people stop screwing up is: only use BIP 39 words for your passphrase. So pick 10 words and make that your passphrase because then you know what words to expect for the passphrase. That really helps and a lot of the wallets in the hardware wallets do have auto completion for BIP 39 words.

If you are making complex passwords for passphrases, like if you are adding exclamation marks and adding symbols, upper & lower caps… When you go look at that backup, especially if it was written by hand somewhere, it's going to be hard to know what is the cap or what is not cap. Maybe your family is trying to recover that later. If they don't recognize some character with your handwriting, you know, money gone.

Another thing you should definitely do with passphrases is once the passphrase is applied to a seed write down the XFP.

The XFP is essentially the identity of that wallet. So that means that when you're trying to recover, you have something to refer back knowing that it recovered correctly.

Jameson: The other nice thing about picking BIP 39 words and making a passphrase out of it is that it's unlikely that that's going to be related to existing passwords. A thing that I've seen a lot of people do is they'll say: "Oh, well, I have a really good password for my email, I can already remember that. So I'll just add some random characters at the end of it, or I'll add the word Bitcoin to the end of it. And that'll be my my wallet passphrase."

And then later on, they forget that they added stuff to their password, or they forget what they added. And to Craig's point, they still get a valid passphrase their wallet doesn't yell at them, but they can't get their Bitcoin, or something happens to them, they end up you know, dead or in a coma or something, and nobody knows their email passphrase or that they added this extra bit of hash to the end of it.

Justine: I had somebody who thought that a passphrase was just an additional layer and everything rolled back to the seed phrase. They told us they had solved inheritance by setting up a passphrase for each child, and upon their death, the seed phrases would be released. I asked if they were splitting their Bitcoin into all those wallets for the kids, and they said no, it would roll back to their main wallet created with the seed phrases. And I was like: that's not that's not how it works, you know…

I think there's something to be said about like passphrases are awesome. They're an awesome tool that you can use. But when it comes to security, maybe dig into a little bit. Don't use something so advanced that you don't understand how it works, and overcomplicate things. So just like hey, passphrases are cool. Read that read the article before you before you put your life savings behind it.

Jameson: Maybe contentious but I'm generally anti passphrase because I think as has been noted here, there are so many foot guns...

One way to look at it: it's kind of like adding a 2FA to your wallet. Now, the reason, or one of the reasons why passphrases are generally propagated as a good thing is because it's how you can protect your seed phrase backup.

If you have a clear text backup, having a passphrase that as a separate piece of secret data that is stored separately means if an attacker gets that seed phrase, they can't get all your money.

But what you've done now is you've essentially created this 2-of-2 scheme.

A 2-of-2 scheme can be pretty brittle. So you do have to be more diligent about making sure you have robust backups for both of those pieces of data.

NVK: That's great. So I disagree with Jameson. And, and a little bit of Justine too on this one. I am a passphrase lover. And you guys know that.

I think the biggest problem with passphrases is that when people are moving from single-sig le'ts say, like phone, wallet or from custody...The biggest problem is that people don't try and test their setups.

So when they set up passphrases, they just send their money without testing, and then, they have a higher likelihood of screwing it up.

And another thing too, is what I love about passphrase is that they protect you against the solutions that you're using to manage the seeds as well.

So for example, say a hardware wallet has a bug or a backdoor or something, if you're using a passphrase, there is a higher likelihood that the hardware cannot sort of like take advantage of you because it was not part of the generating that passphrase.

We can get into sort of like details on how that could happen in a million different ways. But I love that, but to their point, you are adding more complexity to your secret.

So if you are adding complexity, it is important for you to do a little bit of learning and deliver testing.

It is amazing to me that people just YOLO their first transaction to a new level, without trying to recover a backup.

I think out of all the simpler, extremely secure setups, passphrase is great. I think that once you start adding more complexity, like multisig and stuff, I think people doing that on their own often have a harder time. And that's where collaborative multisig and all that stuff start to kick in. For some people, that is a great solution.

Why don't we maybe start talking about different solutions. I think we are mature enough as a market now that this idea of suggesting everyone that there is only one set up, that is the greatest setup of all, that you only believe in that set up to be the greatest set up of all...

It's a terrible, terrible thing: shoehorning different people with different lives, they live in different places, different amounts of money, with different security thresholds, different risk profiles, into the wrong set up is actually a problem, huge problem.

It doesn't matter how secure that setup is, right? If a person just bought a few hundred dollars worth of bitcoin, you're telling them to do what 12-of-12 with 50 DVDs, and 10 laptops...it's absurd, right? That person will likely lose the money.

You don't want somebody with $100 worth of Bitcoin to go and make an account on the surface that helps them do things like multisig because it's not worth a few hundred dollars.

And then, you're gonna have people who have higher security and privacy privacy threshold, maybe they are in countries that maybe don't allow them to do business with the US.

But then you have family offices, right? Or you have people who already KYC, people with much larger amounts of Bitcoin that have no interest in becoming super knowledgeable about it, but they still want to be self sovereign. So, maybe collaborative, multisig is great for that.

Anyway, my point is: there's a lot of different people out there with a lot of different needs. I think just taking the leap to start. You have your butchered Bitcoin on a custodial Coinbase or something, getting the money out of there is the first step.

Who wants to talk about the literal first thing you can do with like 100 bucks off Coinbase?

Justine: Well, I was gonna say: should we take a second to talk about why storing on an exchange is not a good idea with the most recent FUD? I know it seems silly to even go there. But it's like, I feel like there are people now questioning: 'God, if I'm going to screw it up, maybe Coinbase is better than myself?'

I was going to kind of piggyback off of what Jameson said earlier, because I think that a lot of people, when they think about the risks with a centralized exchange, they're like, 'Oh, well, what are the chances that Coinbase is going to go under?' Right? What were the chances that FTX was going to go under?

But it's more than that. Most people's password security is terrible. Let's be honest. They're reusing passwords, they have some very minimal password that's securing their wealth on Coinbase.

And you can say 'Oh, well, I set up 2FA.' Okay, well SIM swaps are a pretty big thing. Your password and your 2FA is the only thing stopping somebody else from going in and accessing your funds.

And that's not on Coinbase. Coinbase isn't helping you. There's somebody logged in, they moved your funds, right? There's a million different reasons other than an exchange going under that you can lose your funds.

But more than that, one of the huge value outs of Bitcoin is that it cannot be censored. It's censorship resistant. You can truly own your Bitcoin, right? If it's sitting on an exchange, it's not yours. You are asking permission to use it every single time. The IRS can decide that you didn't pay your taxes properly. Even if you did, maybe there was an error on their end, and they can freeze those funds.

Maybe they don't like that you went to some protest about truckers and they can freeze those funds. There are a million different ways that you can lose access to your Bitcoin that don't include an exchange going under. Even though we've seen that recently, it's a totally plausible situation even for the big guys, right? So, yes, if you have Bitcoin sitting on an exchange, you don't own it.

Now, if you own $20 worth of bitcoin and you're like, 'Well, you know, I don't want to go through the process of buying a signing device and setting it up,' download a mobile wallet that, in my opinion, is the easiest first step, and it gets you comfortable with what seed phrases are.

Download a wallet, right? Download seed phrases, wipe the wallet, reload the wallet with those seed phrases, get really comfortable with it, send a little bit from your Coinbase account or whatever exchange you're on to that wallet, send it back, really practice with it and use it and get comfortable. In my opinion, that's the first step. And that's my pitch on why you should get your funds off exchanges at all.

NVK: What's fascinating now is that the Lightning's first base-chain wallet has really matured. You'll have your Muun wallet, Phoenix, and Breeze.

They're quite fantastic because if you only have 100 dollars worth of Bitcoin on an exchange and you want to take it out, these wallets do everything without even asking you to back up the backup until you're ready to deposit. They take base-layer Bitcoin and convert it into sats for LN, so you can play around with LN and the base layer, all within this very easily manageable experience. That's very new.

Even a few years ago, there were very few mobile wallets that were safe enough, secure enough, and had verifiable sources. And there are still people who aren't going to say a phone is safe enough for a lot of money.

I would highly recommend these wallets if you're brand new, you're not ready to do anything complicated but you want to take the coins off the exchange and it's around 100 dollars worth. Spend a little bit to play around.

Next, there are wallets that do have your seed and they might be desktop or phone based. They're not hardware wallets yet, but they will require you to do your seed.

What do you do with the seed? Remember, paper burns, computers can be hacked, phones can also be hacked and they also burn and break.

Consider getting a metal backup plate if you're going to work with seeds. There are many brands that offer these at various prices, they're fairly affordable.

Punching that seed into metal will give you an incredible amount of recoverability for almost no money. So if your house burned down, the chances of that seed still existing are very high. And if it floods, same idea.

Jameson also has a fantastic link where he tests these metal backup seeds by applying house-level fire temperatures on them and trying to destroy them with acid. Most of them survived pretty well. Is that true, Jameson?

Jameson: Yeah, I would say 40% tend to get straight A grades and survive all of my tests. But of course, it's the other 60% that you need to worry about.

Justine: I'm trying to use 'explain to me like I'm 5' language for people who perhaps are like: 'What the hell is a seed phrase?'

It is the physical form of your key and that is the essence of being able to access your wallet in the long run. It is extremely important to not give it access to the internet. So extremely important, extremely important to not give it access to the internet.

And by that I mean: do not take a picture of it with your phone, do not scan it and upload it somewhere. Don't put it in the cloud, keep it physical.

And then yes, I think a metal backup is the best step forward.

If you're just getting started, like I remember when I set up my mobile, I think it was Green Wallet. I love Green Wallet by Blockstream. I wrote it down in multiple different places until I could go and do a multisig or a metal backup.

Remember: you don't want single points of failure. That's the thing to avoid.

NVK: Just one last thing on those metal backup plates: one nice thing is most of those are set up for BIP 39 words, right?

If you do use passphrase and you do use BIP 39 words, you can have a separate plate and backup your passphrase on a metal plate as well: geographically distributed! Go put somewhere else, because that's kind of the whole point.

If you do have a fire or if you do die, people can recover from that metal plate without having to question if you were trying to make an 'I' or an 'L' on that word. So this greatly greatly de-risks recoverability.

Jameson: Two really quick things on that: something that's special and maybe not obvious about the BIP 39 word list is every word on there is unique in the first four characters.

You might see some seed plates or other products that don't have you write down the entire word. The idea is that with the first four characters, you can unambiguously identify what word it is.

And that also gives you a little bit of error correction; where if the last letter in your backup could be an 'I' or a 'J', right? As long as those first four letters are clear, you're good.

And then to what NVK just said about keeping your passphrase and your seed separate. In general, when you're thinking about resiliency against loss or against theft, what you want to think about is how many uncorrelated failures, you want to be able to survive.

If you have your seed backup, and you have your passphrase, sitting right next to each other, and somebody gets to them, then they get both things, right?

But if you have your seed phrase in one location and your passphrase, somewhere else, then they have to compromise two locations to get to it.

I think as you start dialing up, whether it's multisig, or SeedXOR, or different passphrase schemes, what you're really adding is you're adding the number of things that have to go wrong for you to lose funds.

I think that a good yardstick to keep in mind, as you're thinking about the spectrum of these different solutions.

Dee: We have a lot of different perspectives here, and some people love passphrases, and some people love multisig, and other setups, I think it's important that a lot of people will kind of try and put us in a box and think, you know, there's a one size fits all for everyone. And obviously, that's not the case for self custody.

If you have a large amount of funds and you're worried about someone coming to your door maybe multisig might be for you or a passphrase, of course, in a different location or something like that.

I just think a lot of people that are trying to flood the whole self custody thing right now are really trying to put us in a simple box that we just don't fit in.

Education is key here. That's why we're here right now. You're obviously going to be listing off a bunch of different ways to self custody. So choose one that might be the best for you. And just like Justine said: practice recovery.

I think a lot of people, they set it up, they clap their hands, they're done, they generate address, and send all their money right away. Whereas they don't know how to even you know, recover the funds.

Doing a simple backup on a COLDCARD, just in putting those seeds back in, and getting getting back to your wallet that you've generated, and making sure that you're accessing the correct wallet and stuff like that. So just something to keep in mind while everyone here is talking.

Justine: It's such an empowering feeling too. As somebody who's sort of taught myself random, self sovereignty skills before I got into Bitcoin, like how to make my own medicine and random prop: taking the first step gives you the confidence to move forward.

So just wiping that wallet that you've created and reloading it and be able to access that thing with that crazy word list that you wrote down is extremely empowering, and it makes you feel confident, and then it's a little less scary.

And I remember my first COLDCARD and I tell this joke all the time. It was like that crazy calculator that sat on my shelf that terrified me, right?

And then it was: just take the first step. I set it up, I wiped it, I reloaded it and was like: oh, that's, that's really not that difficult, right?

It's just, it's just about taking the first steps, you can't mess anything up, you haven't moved any money over, right? Like download a mobile wallet, write down those seed phrases, it doesn't have to be all or nothing. Bitcoin is a journey, take the first step.

NVK: A huge feature of Bitcoin and having a common protocol is that you are client-independent. Just like email, right? When you don't want to use your email client anymore, right? You can reset up that email somewhere else. And magically all the emails show up, right? Sure. You may have centralized it's on a server, blah, blah, blah.

But from just a user perspective, when you have your Bitcoin on a seed—it's not really in the seed, but let's just say it's in the seed—when you take that seed from one vendor, and you go to another vendor, right? So from one hardware wallet to another hardware wallet.

You should be able to just see that the money appears again, right? Because it's still out there, it's still the same secret. If you're doing it right, you can just wipe your wallet. And reload the wallet with the seeds and the money will magically appear again.

That's kind of like a huge advantage of this. If you are using solutions that are not using good standards, the money is not going to reappear somewhere else.

You're gonna have a very hard time looking for a derivation path on WalletsRecovery.org

There was a lot of sob stories in why that website was created.

Okay, so we talked about passphrase on single sig: that's a solution that scale for very little money to a f*-tone of money. A lot of people do like that solution for even a lot of money.

If you are doing that for a lot of money, please make sure you have a dedicated computer, likely running only Bitcoin software on it for when you do Bitcoin related operations, because you are more exposed to single points of failure.

If somebody gets hold of the total secret, which is the passphrase plus the seed, they could take all your money. You do want to segregate a little bit further in that kind of setup.

Now we got on to multisig. Or should we talk about the backup plates and Shamir secret and SeedXOR first? What makes more sense?

Justine: I think the seed splitting makes more sense as a next step.

NVK: Right, multisig doesn't make too much sense to split the seeds.

So now you have your your seeds in metal backups, right? That's clear text. And if somebody gets ahold of that, either of the two plates of your passphrase and your seed, or if you're doing just seed, then they do have access to your money.

So for that reason, Coinkite and Trezor have come up with two different setups in which you can essentially de-risk that seed by not having it in clear text.

There is Shamir secret, which is not my favorite, but it is fairly secure. And he does give you m of n, which means if you lose just one part, you don't lose it all. With SLIP-39 you're going to essentially have say three pieces of paper or metal with those words.

And then there is my favorite, which is SeedXOR. I made a little website called SeedXOR.com.

I'm not sure if we need to get too much into more detail of that. There's a lot of videos out there. BTC Sessions has some great videos talking about BIP 39 and also SeedXOR.

If you are doing single, singlesir or singlesig + passphrase, I highly, highly recommend you look into that:

Jameson: Two cool features of SeedXOR—one of them that NVK already mentioned—is that you can actually do it by hand.

I think any comp sci 1 student could write a little java program to do SeedXOR so it's fairly bomb-proof,.

You're not going to be reliant on finding a specific piece of software in the future to reconstitute your seed.

The other thing that's kind of cool about SeedXOR is that the seeds that you split your seed into can themselves be valid, but 39 seeds, which is also a cool feature.

NVK: Yeah, they are plausible, deniable.

It's funny you brought that up about the comp sci 1 because one requirement we had when we were creating that was that it had to be World War 2 level of complexity.

We had to work with modern computers for you to be able to do the operation in case we have nuclear holocaust. That was part of the spec.

A Brief on Private Keys & Wallets

Before we dive into the subject, let’s go over a brief primer on Bitcoin private key standards and how they have evolved over time. A private key is a 256-bit number, picked at random and defined by an elliptic curve, specifically secp256k1. At the end of this process, you get a very long string of digits (64 hexadecimal digits). Other formats for representing a private key also exist, such as WIF and WIF-Compressed.

In order to make this a bit more convenient to read, Base58 encoding is used to shorten the string of numbers and letters, as well as limit the ones that are used to avoid confusion to the human eye.

You can use any one of the above formats as the representation of your private key. However, there are notable differences in their respective generation and representation of the public key and addresses when it comes to wallets :

Nondeterministic (Random) Wallets

Initially, wallets generated several private keys randomly, each with its own public address. You’d use each address/key once and would generate new ones as needed. You’d have to backup every key, else you’d lose the funds associated with each one. As a consequence, people tend to reuse the same address in order to reduce the amount of effort required to use their Bitcoin, but this then raises privacy concerns. Bitcoin Core includes this type of wallet, however its use is not recommended since there are now better alternatives. This type of wallet is also known as a Type-0 non deterministic wallet.

Deterministic (Seeded) Wallets

This type of wallet allows you to have a single backup (private key) from which you can derive more keys, each with their own Bitcoin address. This means that if your wallet no longer works for whatever reason and you have the initial backup, you can recuperate all of your funds in one go.

HD Wallets (BIP-32/BIP-44)

A Hierarchical Deterministic wallet, introduced through BIPs 32 and 44, also generates multiple keys from a single private key, like the Deterministic wallet stated above. The difference is that each one of those keys can further generate their own subset of keys and so on so forth. Essentially, you have a master or parent key, which can then generate child keys, and they can then generate grandchild seeds.

BIP-39

Throughout all these different wallets, we are still dealing with really long strings of letters and numbers that are difficult for humans to retain and process. Then comes along BIP-39, a proposal which offers as a solution a way to convert those long strings of binary or hexadecimal digits into something that is much easier for humans to read and transport. This is the most popular implementation for private keys and most of you have probably already interacted with it.

Your private key is now represented as a set of words, usually 12 (128 bits of entropy) or 24 (256 bits of entropy) taken from a predefined list of 2048 words.

BIP-39 defines the creation of a mnemonic code and seed as a follows :

1. Create a random sequence (entropy) of 128 to 256 bits.

2. Create a checksum of the random sequence by taking the first few bits of its SHA256 hash.

3. Add the checksum to the end of the random sequence.

4. Divide the sequence into sections of 11 bits, using those to index a dictionary of 2048 predefined words.

5. Produce 12 to 24 words representing the mnemonic code. (Antonopoulos 2017, ch.4)

What is a Passphrase?

Now that we’ve covered the basics, we can better understand what is a passphrase and how it works when it comes to your Bitcoin wallet.

Thanks to BIP-39, which introduced human-readable words private key standard and is compatible with BIP-32, we can now use passphrases as an additional security measure.

Essentially, the passphrase is a set of characters, words, numbers or even spaces that extends our mnemonic private key. The passphrase can be entirely determined by the user which controls the private key, it’s not something that your wallet generates for you when initially rendering your private key.

When implemented, you can only access funds held within that wallet by entering your passphrase since adding a passphrase to your seed phrase generates an entirely new wallet.

It is not like a password or a PIN, since there is no such thing as an invalid passphrase. Each time you enter a different passphrase, you get a new wallet. If you change a single character, modify an uppercase to a lowercase or even add a space, you will get a new wallet.

It has many uses, which we will explore below.

Why Use a Passphrase?

When used and stored properly (more on this later), your passphrase can help prevent your funds from being compromised. If someone were to come across your seed phrase, normally they would just be able to sweep your wallet and transfer your funds out.

If the passphrase is enabled, the thief won’t be able to get away with it since they would also need to enter this additional string of information in order to access your funds.

Another interesting use case for passphrase is that it can act as a threat detection system. In order for this to work, you should first put a small percentage of your funds in your standard 12 or 24 word wallet with the rest of your funds protected by the passphrase. If your backup were to be compromised, you would notice because you no longer have funds in that wallet, thus giving you a chance to create a new wallet and backups and transfer the remaining funds there.

This system also offers you plausible deniability. If someone were to try and coerce you into giving them your bitcoin, you would just give up your standard wallet and hopefully get away with the majority of your funds and your physical integrity. You can push this even further by having a dummy passphrase that also contains funds, in case your aggressor is technically savvy.

How does a BIP-39 Passphrase work?

BIP-39 works with BIP-32, the proposal allowing for building complex trees of public and private keys. When you add a passphrase to your seed words, you are generating a master BIP-32 wallet key.

This new wallet can be identified by its extended fingerprint (XFP), a short string of letters and numbers. It’s important to note this fingerprint since it’s the only way for you to make sure that you have entered the correct passphrase.

Some Tips on Using a Passphrase

How To Add One?

Implementing a passphrase varies from wallet to wallet. Doing it on the Coldcard is quite simple. You even have the option of adding words from the BIP-39 word list directly instead of adding individual characters. Take a look at the guide here!

When To Use One?

This is recommended if you have an important amount of Bitcoin and want a setup that offers more security than just a standard wallet, but that is much simpler to create, operate and store than a multisignature wallet.

If you are just getting started, then it is best to first become familiar with a regular wallet, and as your Bitcoin stack, knowledge and comfort using Bitcoin increase, then it would be wise to explore this feature. The passphrase option is always available on your Coldcard device home screen, just don’t forget that by adding one, you will get an entirely new wallet and will have to move your funds there!

Final Notes

Passphrases are incredibly handy for augmenting the level of security of your Bitcoin private key. However, there are some important elements to keep in mind when deciding to use one :

1. Make sure that it is long enough to not be easily brute-forced. If someone gets their hands on your seed phrase, you don’t want them to easily guess your passphrase.

2. It is important to properly safeguard your passphrase, since losing it would effectively lead to the total loss of funds associated with that wallet.

3. Don’t store your passphrase in the same place that you would store your seed phrase or wallet PIN or password.

4. Don’t tell anyone that you have a passphrase (however, there can be exceptions with a loved one that you trust so that they can recover your funds easily in case anything were to happen to you).

References

Antonopoulos, Andreas M. 2017. Mastering Bitcoin: Programming the Open Blockchain. N.p.: O’Reilly.

Complete your Bitcoin Fundamentalist Starter Pack and find the most thoughtful gifts to #ThankAMaxi with our hand-picked Bitcoin Black Friday deals from only top merchants: https://bitcoinblackfriday.org

🥵 Hot Bear Market

According to Glassnode, ‘exchange balances are draining at historically high levels,’

Where are all these withdraws going to? Probably in one of our calculators.

🚀New Products

TAPSIGNER now up for grabs and fully compatible with Nunchuck mobile wallets

Listen to the playback of our TAPSIGNER ‘Ask Me Anything’ session

🕰️ BLOCKCLOCK Micro pre-sale discount ending soon!

Reserve yours now

👀 BLOCKCLOCK Mini spotted in the wild:

🧰 HARDCASE for COLDCARD

• Custom protective foam

• Unbranded to keep a low-key profile

• 4.5 x 3.25 x 1"

🎁 10% off Coinkite virtual gift via Bitrefill.com and the Fold app

🖼️ SATSCHIP pre-launch for artists

Bitcoiners don't buy JPEG that anyone can copy! They buy physical works of arts with unforgeable certificate of authentication —NVK

• We leveraged the firmware from the SATSCARD and TAPSIGNER to bring an authenticating solution for artists and art collectors

• Easily embed a flexible 1 inch square NFC chip directly into your physical work of art

• The authenticity of the piece can be verified by anyone, but only the owner can sign a transaction

• SATSCHIP Gallery is now live

🔩 New Tutorials

• MK4 setup tutorial by BTCSessions

• 2 of 2 multisig with 2 x COLDCARD signing devices, and bitcoin-qt as coordinator

💾 Firmware upgrades

COLDCARD Mk4 5.0.5

BIP-85 derived passwords:

• Pick an index number, and COLDCARD will derive a deterministic, strong (136 bit) password for you. It will even type the password by emulating a USB keyboard. See new areas: Settings > Keyboard EMU and Settings > Derive Seed B85 > Passwords.

• Added docs/bip85-passwords.md documenting new BIP-85 passwords and keyboard emulation.

• BIP-85 derived values can now be exported via NFC, in addition to QR code.

• Other enhancement:

  • Allow signing transaction where foreign UTXO(s) are missing. Only applies to cases where partial signatures are being created. Thanks to @straylight-orbit

  • QR Codes are now easier to scan in bright light. Thanks to @russeree for this useful fix!

  • Support import of multisig wallet from descriptor (only sortedmulti, BIP-67). Also support export of multsig wallet as descriptor.

  • Address explorer can show "change" addresses for standard derivation paths for both single and multisig wallet.

  • OP_RETURN is now a known script and is displayed in ascii when possible

• Bugfix:

  • order of multisig wallet registration does NOT matter

  • allow unknown scripts in HSM mode, with warning

CK-Tap Protocol 1.0.5

"CK Tap" is our command line tool for SATSCARD and TAPSIGNER.

This project also contains the public documentation for the NFC protocol used by the cards, and provides a full python library for coders.

Recent changes:

• New best practices docs: https://dev.coinkite.cards/docs/best-practices.html

  • Add ability to derive non hardened derivations w/ library...

  • 'sign_digest' accepts new 'fullpath' parameter where full bip 32

  • Added @SATSCHIP support

  • Shell output for backup cmd improved

  • Added 'card.product_name' string

• CK-TAP React Native Open Library built by the Hexa wallet team claimed the bounty released

• Added ability to derive non hardened derivations with library (not possible with card - card can only derive hardened path components)

• ‘sign_digest’ accepts new ‘fullpath’ parameter where full bip 32 string path can be passed

• Support added for SATSCHIP v1.0.0 product

• Shell output for backup command improved

• Added card.product_name string

• https://satschip.com/gallery and NFC reader + CLI program for artists to submit

🗞️ News for devs

Coding something amazing, aren’t you?

Leave us a comment about your latest software updates to receive a shout-out on the next 🎙️Bitcoin.Review podcast by NVK feat. ODELL

Leave a comment

Getting SATSCARD into the hands of builders

• To receive a sample, please email us sales@coinkite.com with a bit of information about who you are and what you plan on building with your new SATSCARD

• Shout-out to Mike Kelly for launching a new SATSCARD demo for authenticating into a venue and keeping a bar tap as creditless collateral

✨ Meme Domains

• https://signingdevice.com

• https://bitcoinbinary.org

• https://bitcointreasuries.net

• https://bitcoinuptime.org

🤝 Join our team

• Mobile Engineer (iOS + Android)

• Podcast and Video Producer (Part-time)

• Web Designer + Coder

In this ever-changing Bitcoin landscape, we're always working hard to build Sleep At Night Technology ™

We have some news you won't want to miss!

MK4 update

We are now 80% through shipping backorders 🚢🚢🚢

COLDCARDs MK4 are going out quick—now is the best time to get in line for reservations because the line keeps getting longer! 

Reserve your MK4 now

COLDCARD Software Updates

Mk4’s Firmware version 5.0.3 has many updates, most notably for Taproot advocates. Folks will be happy to know that P2TR and Bech32m are now deployed on COLDCARD MK4 as of 5.0.3. For the older Mk3, we have recently shipping an update, Mk3’s 4.1.5, with the same P2TR features.

And then… on Friday we released 5.0.4 for Mk4! It has numerous improvements focusing on the needs of Bitcoin developers, such as support for RegTest (for use on your own Regression Testnet coins) and major upgrades to our testing setup. From outside contributors, we have improved encryption for HSM users, documentation fixes, and better reproducible builds.

Yes! THREE releases in just one month!

Read more about it in Bitcoin Optech’s newsletter:

Coinkite Gift-Cards

You’ve asked, we’ve listened: Coinkite virtual gift cards are here.

Pay in Bitcoin KYC-free and receive the unique codes directly to your preferred inbox.

NFC compatibility

Are you building mobile Bitcoin wallets?

Get TAPSIGNER samples

Offer NFC capabilities to your users by integrating with Coinkite’s TAPSIGNER and SATSCARD. We also offer white-label solutions.

COLDCARD Mk4’s Firmware 5.0.4 has NFC improvements, upgrade.

New European reseller

The privacy focused fulfillment service Copiaro is now shipping COLDCARDs MK4 from Germany. Along with BTCDirect.eu, they make up the list of our un-official European resellers.

Top shout-outs

New tutorials from our community

In other news…

• BitcoinBinary.org has now a Build Bot and the 5K bounty was claimed 🎉

• Help us add more Bitcoin notable dates to Bitcoin.holiday

• BitcoinBounties.org now keeps a sum of all available bounties, 10+ BTC up for grabs.

• New team member: Welcome to C Funk a.k.a. C-to-tha’Funk for joining the ranks of Coinkite as business development manager! Since 2017, C Funk has been committed to orange-pilling the world by helping Bitcoin start-ups with building communities and developing partnerships. DM her on Twitter, Telegram, LinkedIn or Reddit to inquire about sponsorship and partnerships opportunities with Coinkite.

• Get tipped in Bitcoin on COLDCARD Telegram channel for great contributions

• Catch NVK’s latest interviews on YouTube:

It's an OPENDIME in an NFC card form factor with 10 times the reuse capacity.

Gift and trade #Bitcoin physically; maximize in person trade while minimizing trust between parties.

Learn more here

What is TAPSIGNER?

It's a Bitcoin private key on a card! You can sign mobile wallet transaction by tapping the phone. Your mobile wallet provides most of the wallet logic and TAPSIGNER holds the secrets. It's essentially a HW you can slip inside your regular physical wallet.

Learn more here

Some of the improvements include:

• USB-C Connector

• Unlimited Memory, no Bitcoin Transaction size restrictions

• NFC Tap for all data types, PSBT, Address, etc...

• New 2x secure elements design (multi vendor)

• New plastic

• Faster Processor

• ... and much more, details coming!

Shipping will be handled later when the device is ready for you.

Subscribe now

• Support “importdescriptors” command in Bitcoin Core 0.21 so that a descriptor-based wallet is created. PSBT files are then supported natively by Core, and the resulting desktop wallet can be used for spending (ie. create PSBT via GUI) and also watching. Translation: Easy air-gap PSBT operation with Bitcoin Core!

• Remove “m/0/0” derivations from public.txt and address explorer, since that path is obsolete and not used by any major wallets now. We can still sign PSBT files with that path, but it’s an unnecessary risk to show derived addresses for a type of wallet that doesn’t exist anymore.

• If PSBT input sections don’t contain the key path information we need, show a more specific error message.

Bug Fixes

• Any PSBT which provided the wrong pubkey (based on UTXO being spent) was not flagged as invalid, but instead we proceeded to do nothing. Now says “pubkey vs. address wrong”.

• If asked to serialize a partially-signed transaction, we did. Now fails properly.

• If multiple copies of the same BIP-39 passphrase were saved to a card, the menu would not display correctly and you might not be able to select your saved value.

Download the latest firmware

Get COLDCARD Mark 3

Video Tutorials

We have a growing library of video tutorials on Youtube … and we’re still adding more!

• Shows QR code with BIP-85 derived entropy value if you press (3) while value shown on-screen. Thanks to @opennoms for idea. Works with 12/18/24-words, XPRV, privatekey and even hex cases.

• Offer to show QR in other places:

  • Coldcard’s main XPUB, in Advanced > View Identity

  • Seed words, during picking process (before the quiz)

  • Stored seed words: Advanced > Danger Zone > Seed Functions > View Seed Words

  • TXID of just-signed transaction (64 hex digits)

  • Encryption password for the system backup file (12 words)

• We now grind a nonce so that our signatures are always 71 bytes or shorter. This may save a byte in transaction size, and makes our signatures identical to those produced by Bitcoin Core, improving anonymity on-chain. Thanks to @craigraw for detecting this.

Bug Fixes

• On a blank Coldcard, after importing a seed phrase using the Seed XOR feature, the main menu was not updated to show system is “Ready To Sign”.

• Red caution light could happen (a false positive) if a specific sequence of firmware upgrades and reboots occured in the right order. Issue could only occur once during lifetime of any particular Coldcard.

Download the latest firmware

Get COLDCARD Mark 3

Video Tutorials

We have a growing library of video tutorials on Youtube … and we’re still adding more!