Thursday, August 23, 2018

If you can’t provision a good hiding place for your hardware wallet seed phrase… maybe you don’t need to back it up in the first place. (Use multiple wallets plus pin instead)

Hiding stuff is hard. Too easy, and an attacker can find it. Too hard, and you may wind up hiding it from yourself. Or from the people that should inherit if you die.
This is the dilemma of people who hold their bitcoin in hardware (HW) wallets, where the ultimate backup is the seed phrase. For the purposes of this article, we are talking about BIP39-compatible HW wallets, of which the two top contenders are the Trezor and the Ledger Wallet.
From conversations with large bitcoin holders, I think there is a population of users who would like to be “in control” of their crypto assets, but are uncomfortable with hiding a seed phrase as the backup of last resort.
The obvious thing is to hide the seed phrase in a safe deposit box. Two problems:
1) bank safe deposit boxes are getting hard to come by (long waiting lists)
2) maybe you don’t trust the bank
Here’s a thought.
If you
  • want quick access to a high-value bitcoin wallet
  • are bad at hiding things (can’t keep a seed phrase safe)
  • are bad at, or too lazy for, high-paranoia computer security (no offline computer, no live CD boot)
  • don’t trust your bank — or the government — not to swipe your bitcoin
The following is a solution such that you don’t need to keep the seed phrase backed up *anywhere*.
The trick is, instead of backing up the seed phrase, you set up multiple HW wallets from the same seed phrase, and then destroy the seed phrase.  Keep the main wallet handy, backup wallets in the car and the office, and give a few other backups to friends for safekeeping.  Friends can’t do anything with just the device; they also need the second factor (PIN code for Trezor, plastic security card with a long code for Ledger).  One caveat: the PIN is enforced by the device’s own firmware and chip, so a backup in someone else’s hands is only as safe as that device’s resistance to physical attack, and a careless or hostile holder can always lose or wipe a backup even if they can’t spend from it.  Count friend-held devices as protection against your own loss, not as protection against the friend.
Keep the second factor(s) somewhere safe yet obvious, and separate from the hardware wallets, in case you have a head injury or something and forget the PIN, or you die and your heir needs to dig up the bitcoin.  Ideally a safe deposit box.  Even if bank employees are crooked, they can’t access coins with just the second factor and no HW wallet.  The box should be accessible by heirs if you die.  An easy, no-lawyers, hacky way to do this is to open the box as a joint account but keep both keys yourself.  Your heir will have to drill the box to recover the PIN code if you die.  An evil heir could have the box drilled without your permission… so don’t have an evil heir.
Now, a few words about second factors.  The Trezor second factor is a PIN, which can be memorized.  The Ledger HW.1 second factor is a long code printed on a plastic card, which really can’t be memorized unless you take up some strange hobbies.  Trezor can get away with the simpler second factor because it has a built-in screen.  So all things being equal, Trezor is more convenient.  But all things aren’t equal, because a Trezor is about $100 and you can get ten el-cheapo HW.1 Ledger wallets for the same price.
To keep costs down but security high, you could use a Trezor as the primary wallet and Ledgers as backups.  Since both use BIP39, their word lists are compatible.  You will need the Ledger Starter bootable USB to load the seed onto the Ledgers, which is a little more work, but not a deal breaker.  Before destroying the seed phrase, confirm that every device actually derived the same wallet (they should all show the same first receive address); a typo while entering the words would otherwise leave you with a faithful backup of the wrong wallet.  Keep all second factors in the bank box: the Trezor PIN and all the Ledger security cards.  For the Ledger wallets, take care to clearly label which device is paired to which card.  Or if money is no object, I would just use Trezors for all backup HW wallets, with the same PIN on every device.
If all HW wallets are destroyed the coin is gone, but then again if the seed phrase is forgotten or destroyed, same thing.  Hardware does wear out, so set a calendar item to test the hardware every six months or so, and replace all wallets every couple of years.  Replacement means moving the coins to a new seed phrase, since you don’t have the old phrase any more.
A superficially similar, but inferior, approach would be to write down the seed phrase and keep several copies of it distributed among your friends, but use a (memorizable) supplementary passphrase on top of it, and keep a backup of the passphrase in the safe deposit box.  (Note that the supplementary passphrase is Trezor only.  Ledger does not currently support this feature of the BIP39 spec.)
I don’t like this though.
The main advantage is cost.  Paper wallets among your friends, and a pass phrase in the safe deposit box, saves you from having to buy multiple HW wallets.
But, it’s a lot less safe.
  1. with the hardware backups you retain the ability to move bitcoin immediately if the main wallet stops working.  My thinking is that with a seed phrase backup only, one might panic and enter the seed phrase on an unsafe machine, rather than wait for new hardware to arrive in the mail.
  2. a supplemental passphrase can be stolen on a compromised computer, whereas the second factors are much harder to steal.  The Trezor PIN is entered against a keypad scrambled on the device screen, so the host never sees the digits.  The Ledger security card is additional entropy paired with the device, but it is not quite “nothing to sniff”: each challenge is answered by typing characters from the card on the host, so a persistently compromised host learns a little of the card’s mapping with every transaction.  The PIN is the stronger of the two here.
So with seed plus passphrase, the attack is merely stealing one of the backup seed phrases (or betrayal by a friend) plus stealing the supplemental passphrase by bugging the owner’s laptop, and if the passphrase is a weak, memorizable one it can simply be guessed once the seed phrase is in hand.  A PIN that lives only in the owner’s head plus a very secure place (like a safe deposit box) is much, much safer than a supplemental passphrase.
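To make concrete what the “supplementary passphrase” of the seed-plus-passphrase alternative is, and why a leaked seed phrase turns it into the only remaining secret, here is an added example, not code from the original post or from Trezor or Ledger. It derives the BIP39 seed from a mnemonic and passphrase with the standard library only. The fingerprint function and the candidate passphrase list are constructed stand-ins for the demo; a real attacker would recognise the right passphrase by deriving addresses and finding the funded one on chain.

```python
# Added example (not the post's or any vendor's code): BIP39 mnemonic -> seed,
# the effect of the supplementary passphrase, and a dictionary attack on a weak
# passphrase once the mnemonic has leaked. Standard library only.
import hashlib
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 'mnemonic -> seed': PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase.
    Both strings are NFKD-normalized, as the spec requires."""
    def nfkd(s: str) -> str:
        return unicodedata.normalize("NFKD", s)
    return hashlib.pbkdf2_hmac("sha512",
                               nfkd(mnemonic).encode("utf-8"),
                               ("mnemonic" + nfkd(passphrase)).encode("utf-8"),
                               2048, dklen=64)


def fingerprint(seed: bytes) -> str:
    """Constructed wallet identifier for this demo, standing in for a derived address."""
    return hashlib.sha256(seed).hexdigest()[:8]


def wallets_from_one_mnemonic(mnemonic: str, passphrases) -> dict:
    """Every passphrase yields an unrelated wallet; "" is the one a thief of the paper lands in."""
    return {p: fingerprint(bip39_seed(mnemonic, p)) for p in passphrases}


def recover_passphrase(mnemonic: str, target: str, candidates):
    """Dictionary attack: with the mnemonic in hand, only the passphrase protects the funds,
    and each guess costs a single PBKDF2 run of 2048 rounds. Returns the match or None."""
    for guess in candidates:
        if fingerprint(bip39_seed(mnemonic, guess)) == target:
            return guess
    return None


# BIP39 reference test vector (entropy of all zero bytes, passphrase "TREZOR").
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")
TEST_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                 "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")

if __name__ == "__main__":
    assert bip39_seed(TEST_MNEMONIC, "TREZOR").hex() == TEST_SEED_HEX
    for p, fp in wallets_from_one_mnemonic(TEST_MNEMONIC, ["", "TREZOR", "correct horse"]).items():
        print(f"passphrase {p!r:16} -> wallet {fp}")
    # Constructed candidate list standing in for a real password dictionary.
    target = fingerprint(bip39_seed(TEST_MNEMONIC, "TREZOR"))
    print("weak passphrase recovered from leaked mnemonic:",
          recover_passphrase(TEST_MNEMONIC, target, ["", "satoshi", "hodl", "TREZOR"]))
```

The passphrase is a password, not a key: 2048 PBKDF2 rounds slow a guesser down by a constant factor, nothing more, so a “memorizable” passphrase protecting a leaked mnemonic is only as strong as its resistance to a dictionary attack.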
To summarize it all, you can keep bitcoin safe on a hardware wallet plus a few backups, without storing the seed phrase anywhere.  If you are bad at hiding things, but don’t mind a bit more work at setup time, plus more work testing HW wallets and moving to new wallets periodically, this might be a good way to keep your bitcoin safe.  Or at least keep your peace of mind that no one has gotten to the seed phrase.  A Trezor as the main wallet keeps things convenient: you just need to memorize a PIN code.  A handful of Ledger HW.1 backup wallets with the same seed saves on costs.
Keep calm and bitcoin on!
UPDATE: One potential flaw is that you are not guaranteed access to coins on forks if you don’t have the seed phrase.  In the case of BCH both Trezor and Ledger supported the fork without needing the seed phrase, but this is a case-by-case thing.

Tuesday, August 21, 2018

How Satoshi Could Sell his Stash without Tanking the Bitcoin Price

Satoshi Nakamoto, the anonymous creator of bitcoin, is believed to hold up to 10% of all bitcoins in existence, mined in 2009 before bitcoin was on the radar of anyone outside a handful of cypherpunks on a mailing list.
The market consensus is that these coins are lost. A failed backup, a paper wallet that got wet. Something destroyed those keys forever.
But they were never provably burned. Satoshi could have settled the question by sending them to a provably unspendable output, and he never did.
The “lost” coins are priced in. If they are ever found, and the consensus is broken, the result would be catastrophic for the bitcoin price. There are monitoring scripts watching the suspected “satoshi” addresses, so any movement would be news instantly.
Can satoshi ever sell his coins, without rendering them worthless?
In fact, there *is* a way satoshi nakamoto could move his “lost” coins without tanking the bitcoin price. A way to retain ownership, whilst reassuring bitcoin owners that no sudden moves will destroy their investment.
The means to accomplish this arrived in late 2015, with the activation of the OP_CHECKLOCKTIMEVERIFY script op code (BIP65), CLTV for short, or as it is popularly known, OP_HODL.
This op code makes it possible to send bitcoins to an output that only becomes spendable after a set point in time, expressed either as a block height or as a Unix timestamp: the spending transaction’s nLockTime must have reached the value baked into the script, and the spending input must not disable nLockTime. OP_HODL was widely hailed as a necessary building block for the lightning network, a technology in the works that would let bitcoin transaction volume safely scale by many orders of magnitude. With lightning, funds would be locked up for a short time (usually under a day) while nodes shuffle funds between themselves without counterparty risk before eventually settling on chain. But CLTV is just an op code. It doesn’t care what it’s used for, or how long the lock times are.
Using OP_HODL, satoshi could (for example) move 1% of his coins to an address that is spendable immediately, and spread the other 99% between outputs spendable between one week and ninety-nine weeks in the future. Every lock is visible on chain, and once an output is created nobody, the owner included, can spend it early, so the schedule is something watchers can verify rather than take on trust.
As the lockouts expire, satoshi could either sell his coins gradually, tumbling them of course to preserve anonymity, or re-lock them with a rolling lockout, reassuring the market that there will be no sudden moves from his end. Depending on his lifestyle needs, I suppose there would be a little of both.
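Here is an added example, not code from the original post or from Bitcoin Core, showing how one rung of that 99-week ladder is built and what a node actually checks when someone tries to spend it. It is pure standard-library Python. The public key is a placeholder, the start time is constructed, and the script is shown in its bare form; a real deployment would normally wrap it in P2SH or P2WSH, which is omitted here.

```python
# Added example (not the post's or Bitcoin Core's code): build a BIP65
# OP_CHECKLOCKTIMEVERIFY output and model the consensus checks that gate its
# spend. Placeholder pubkey, constructed start time, no P2SH wrapping.

LOCKTIME_THRESHOLD = 500_000_000  # below: block height; at/above: Unix timestamp
SEQUENCE_FINAL = 0xFFFFFFFF        # nSequence value that disables nLockTime entirely
OP_CHECKLOCKTIMEVERIFY = 0xB1      # opcode byte (it was OP_NOP2 before BIP65)
OP_DROP = 0x75
OP_CHECKSIG = 0xAC
WEEK = 7 * 24 * 3600


def encode_scriptnum(n: int) -> bytes:
    """Minimal little-endian CScriptNum; the sign lives in the top bit of the last byte."""
    if n == 0:
        return b""
    neg, v, out = n < 0, abs(n), bytearray()
    while v:
        out.append(v & 0xFF)
        v >>= 8
    if out[-1] & 0x80:            # top bit already used by the magnitude: add a sign byte
        out.append(0x80 if neg else 0x00)
    elif neg:
        out[-1] |= 0x80
    return bytes(out)


def push(data: bytes) -> bytes:
    """Direct push for 1..75 byte payloads, which covers locktimes and pubkeys."""
    if not 1 <= len(data) <= 75:
        raise ValueError("payload length needs OP_PUSHDATAn")
    return bytes([len(data)]) + data


def cltv_script(locktime: int, pubkey: bytes) -> bytes:
    """<locktime> OP_CHECKLOCKTIMEVERIFY OP_DROP <pubkey> OP_CHECKSIG"""
    return (push(encode_scriptnum(locktime))
            + bytes([OP_CHECKLOCKTIMEVERIFY, OP_DROP])
            + push(pubkey)
            + bytes([OP_CHECKSIG]))


def cltv_allows_spend(script_locktime: int, tx_nlocktime: int, nsequence: int) -> bool:
    """The BIP65 rule evaluated when the spending transaction executes CLTV."""
    if script_locktime < 0:
        return False
    # A height in the script cannot be satisfied by a timestamp in the tx, or vice versa.
    if (script_locktime < LOCKTIME_THRESHOLD) != (tx_nlocktime < LOCKTIME_THRESHOLD):
        return False
    if script_locktime > tx_nlocktime:
        return False
    # With a final nSequence the tx's nLockTime is ignored by consensus, so CLTV refuses it.
    return nsequence != SEQUENCE_FINAL


def tx_is_final(tx_nlocktime: int, block_height: int, median_time_past: int) -> bool:
    """Separate consensus rule: a tx with nLockTime set cannot be mined before the chain reaches it."""
    if tx_nlocktime == 0:
        return True
    if tx_nlocktime < LOCKTIME_THRESHOLD:
        return tx_nlocktime < block_height
    return tx_nlocktime < median_time_past


def spendable_now(script_locktime: int, block_height: int, median_time_past: int) -> bool:
    """Spender's best case: tx nLockTime equal to the script lock, non-final nSequence."""
    return (cltv_allows_spend(script_locktime, script_locktime, SEQUENCE_FINAL - 1)
            and tx_is_final(script_locktime, block_height, median_time_past))


def weekly_schedule(start_time: int, weeks: int) -> list:
    """Timestamp locks at 1..weeks weeks after start_time: the post's 99-week ladder."""
    return [start_time + k * WEEK for k in range(1, weeks + 1)]


if __name__ == "__main__":
    pubkey = bytes.fromhex("02" + "11" * 32)   # placeholder compressed pubkey, not a real key
    start = 1_535_000_000                      # constructed start time (August 2018)
    for week, lock in enumerate(weekly_schedule(start, 99), 1):
        print(f"week {week:2d} lock={lock} script={cltv_script(lock, pubkey).hex()}")
    lock1 = weekly_schedule(start, 1)[0]
    print("week-1 coins, chain one second early:", spendable_now(lock1, 540_000, lock1))
    print("week-1 coins, chain one second late: ", spendable_now(lock1, 540_000, lock1 + 1))
```

The two checks are deliberately separate: CLTV fails the script if the spending transaction does not commit to at least the lock value, and the finality rule keeps any transaction with that nLockTime out of blocks until the chain itself has passed it. Together they are why a watcher can trust the ladder without trusting the owner.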
There’s already a lot of eyes on the “lost satoshi coins” today, but this is nothing compared to the attention public “hodl” addresses would get if satoshi followed this plan. In effect, satoshi would become like the bitcoin fed, the de facto prime influencer of bitcoin monetary policy. The weekly rebalancings would be one of the prime indicators of what the future would hold. And of course, the end game here would be an orderly liquidation with funds finally widely distributed.
I don’t know if this can really be accomplished while maintaining anonymity, but it would be fun to try.
It’s heartening to see how the bitcoin technical evolution can be repurposed into tools that can secure its long term stability.
So if you are worried about satoshi selling his coins: keep calm and hodl.
