Initially published on the blog of Knox Custody.
As the basis of all interactions with the Bitcoin network and its subsequent layers, private key management is the root infrastructure that allows for authentication and authorization, ideally without trusted intermediaries who are security holes. Securely accessing the Bitcoin base layer, the Lightning network and other protocols requires the correct use of private keys, which introduces the risk of errors, failures and thefts. In many cases, access to a portion of the Bitcoin network’s information space has been voided due to the irrevocable loss of private keys.
To this day, Bitcoin key management is still in its infancy, with users discovering security and usability tradeoffs. Sovereign and trusted models are emerging in the marketplace, offering optionality to individuals and a growing number of businesses looking to secure their Bitcoin holdings in offline storage. A new crop of companies and open-source projects are providing these novel cold storage solutions using multi-signature technology, transaction standards such as PSBT, and key recovery services, while legacy financial services providers are evaluating the development of services such as trusted custody. In the US, banks are now even allowed to offer bitcoin custody services, with the question remaining as to whether they should.
Now that public companies such as Square and MicroStrategy are using bitcoin as a corporate treasury reserve asset, businesses developing custody services such as Knox must be thinking about the evolution of key storage, including concerns around the development of resilient infrastructure. What security standards might emerge if the value of the bitcoin market jumps to $10 trillion? How will individuals, families and businesses hold billions of dollars worth of bitcoin? Will institutional market participants such as multi-family offices, endowments, sovereign wealth funds, insurance companies and pension funds be able to hold keys? What nefarious activity could centralized key management originate in the Bitcoin network? How will risk pricing and insurance develop, further expanding the market?
It seems that an open set of services, technologies and operations is gradually appearing to support a global market of Bitcoin key management services. In this brief article, we will attempt to analyze what we have come to understand as the layer zero of the Bitcoin protocol stack.
The Bitcoin Protocol & Layer 1
As commonly understood, the Bitcoin Protocol (BP) is an open source computer protocol that delivers:
- A provably scarce information space of 21 million units. Each BTC unit is further divisible into eight decimals places for a total of 21 quadrillion satoshis (1 BTC = 100,000,000 satoshis).
- A message or transaction relay network. It is protected by onerous proof of work energy expenditure along with ubiquitous verifiability for enforcement of the network consensus rules.
All users are voluntarily participating in activities on the Bitcoin protocol to leverage the assurances emanating from BP, whether it be:
- Inflation-resistance of the total sum of units controlled by the UTXO model (unspent transaction outputs), verified by all network node participants running the open-source client software. No one single user can arbitrarily alter the number of units and dilute ownership of others without abandoning the network.
- Censorship-resistance of transaction broadcast and settlement assurances. Voluntary proof of work is provided by profit-seeking transaction processing agents (miners) who earn compensation for their service to the network, administered by the Bitcoin protocol and network itself.
Each bitcoin transaction is clustered into a group of transactions, called a block, and broadcast to the network by a miner, which triggers a global UTXO set update. When this happens, the entire transaction history of the protocol is updated by the new block, and added to the ledger, termed the block chain.
The bitcoin chain of blocks is a timestamped sequence of these serialized data structures (blocks) connected to each other via cryptographic hashes.
The BP makes performance and other trade-offs to provide unalterable assurances.
- On-chain traceability, enacted by full nodes verifying the consensus rules, makes anonymity and privacy harder to achieve.
- Settlement assurances protected by POW limit transaction processing throughput, preventing low value transaction settlement.
Privacy and performance concerns, however, simply do not belong on the base layer and have been pushed to secondary layers, built on top of the Bitcoin Protocol—for example the Lightning Network Protocol (LNP) and sidechains such as the Liquid Network.
The Lightning Network Protocol & Layer 2
The LNP offers both throughput performance and privacy improvements via bi-directional payment channels that are cryptographically locking Bitcoin base layer UTXOs for availability. No new supply is ever created. No IOU is generated either. LNP allows for trustless, low-fee and instant clearing of Bitcoin transactions, by routing transactions in optimized paths.
Velocity and privacy in transaction processing come at the cost of settlement guarantees and verifiability, which are the responsibilities of the base layer. Batches of LNP transactions can be broadcast back to the Bitcoin base layer for further guarantees based on the risk tolerance and trade-offs sought by users.
In both the Bitcoin Protocol (BP), and the Lightning Network Protocol (LNP), keys are possessed by users as cryptographic assets to sign messages and broadcast valid transactions. Possession of a key makes the holder an owner with control over associated UTXOs for BP or HTLCs for LNP. Because keys are bearer instruments, key management is therefore a very sensitive activity due to the nature of Bitcoin and the non-reversibility of transactions. There ought to be an adjacent layer concerned with security rules, transaction standards and economic incentives to handle private key generation, storage, and transaction signing. This is especially true for participants investing in Bitcoin on behalf of others. We like to think of this set of activities under a shared ground of rules with security and financial protection guarantees, including minimized exposure to the counterparty risk of trusted custodial third parties.
Dissecting Bitcoin’s Auth Layer
A cryptographic key is a secret piece of information, that requires delicate handling to prevent unwanted exposure. Bitcoin key management can be dissected into three aspects: generation, signing and storage. The shared attack surface of all related activities ought to be minimal with specific risk management principles applied. We shared a registry for Knox custody risk management that makes reference to fundamental principles of trust-minimization as a custodian. Other non-custodial models, such as Unchained Capital’s collaborative custody are emerging, which do not hold the entirety of keys in a signing quorum, allowing Bitcoin holders to maintain sovereignty and independence from trusted third parties.
Either way, managing private keys requires strict risk isolation to prevent generalized failures, starting with a 100% offline requirement for key storage and signing. As there is no such thing as perfect security, understanding the causality of private key loss along with the severity and possibility of occurrence is a prerequisite to insurance. Once this kind of risk is adequately assessed, it can be priced and transferred using an insurance policy in exchange for premiums.
At Knox, we envision a blend of hardware, software, operations and insurance for key management to morph into Bitcoin’s authentication and authorization layer, where keys are created, stored and used for signing transactions according to emerging security standards. Further, the entire lifecycle of key management can be covered by insurance, if needed. In the future, physical sites may be operated by multiple independent agents to distribute the risk of key storage and signing, getting rid of centralized points of failures in custody, which has been a struggle for the first decade of the Bitcoin industry.
Before creating a cryptographic key to sign Bitcoin and Lightning transactions, high quality randomness must be attained, also termed entropy. Put simply, it is to ensure that no one can re-create the private key that is derived from this sample of randomness. Having a large random number as the source of a private key makes it extremely unlikely anyone can stumble upon it, re-creating a private key to steal bitcoin. Root entropy is the original input that must be probabilistically very hard to guess.
- The derived private key is created by parsing the initial entropy into an asymmetric function that will output a master private key.
- The master private key will be used as authoritative material to derive other keys using well-known hash functions, used for authorizing transactions and UTXO set updates in the Bitcoin network.
Deterministic computers can not produce true randomness because they rely on algorithms that are predictable. Using provable analog randomness is the first critical step in the instantiation of the key lifecycle, which is becoming a strong emerging standard for the management of private keys.
As a custodian, Knox currently has four different sites in three countries and two continents where private keys are created using a blend of physical and computer-generated entropy. All sites operate sequentially and in isolation, with different operators involved. In these sites, private keys are flashed onto Hardware Security Modules (HSMs) that will be transported over to other sites for future transaction signing — processing facilities (more on that later). High-quality entropy generation is a major factor in the secrecy of private keys, which is the ultimate goal for sound Bitcoin key management.
Protecting Private Keys
Once a high-quality private key has been instantiated, it must be stored securely, protected from both physical and network intrusion. Specialized devices such as HSMs are used to secure private keys. HSMs allow a reduction in attack surface by functionality simplification. The sole purpose of the device is to secure some secret information, which reduces the number of attack vectors commonly exposed in other generic devices such as a computer laptop.
Isolating hardware devices holding different keys in a multi-signature quorum is critical to preventing the sudden introduction of malware and undesired private key extraction, which can lead to theft of bitcoin. As the market matures, distinct hardware manufacturers offer products that reduce the risk of supply chain attacks and vendor-specific issues, allowing for true segregation of individual key storage. Bitcoin transaction standards are also emerging, allowing for interoperable signing methods across providers, removing vendor lock-in in the context of multisignature and transaction formats such as BIP-174 PSBT (partially signed Bitcoin transactions).
Hardware wallets should be stored in offline environments with no network connectivity to prevent intrusions from malicious actors. Cold storage setups are therefore the preferred mode of securing HSMs, requiring quarantine during the entire lifecycle of private keys, from generation to signing. Additionally, physical isolation to ensure hardware device integrity is another important property for custodial service providers. Knox currently has three different sites storing keys in vaulted HSMs to sign transactions: the processing facilities.
Processing facilities form the signing operations of bitcoin’s layer zero for Knox. Each facility hosts vaulted HSMs, which guard private keys offline for transaction signing. Each HSM is also required to receive an external signature to be able to sign a Bitcoin transaction, rendering quorums of processing facilities only responding to certain Bitcoin wallet owners, who happen to control other devices capable of requesting such transactions. We wrote more about Knox transaction signing here.
Distributed Offline Signing
Holding keys in air-gapped environments adds complexity in the signing operations, necessitating manual intervention with human staff. Processing facilities can be used as key storage and signing sites that act independently from each other, verifying certain wallet policy rules before signing. Today, Knox processing facilities operate 3 of 4 multisignature schemes where 3 HSMs hosted in 3 different locations are required to sign to make a transaction valid in the eyes of the Bitcoin network. Distributed transaction signing is important to make collusion extremely difficult for insiders who are operating the signing sites as a service.
In the future, bespoke M of N signing quorums could be constructed based on internal control and governance requirements of specific financial institutions. Bitcoin banks managing keys in shared multisig quorums will be able to collaborate to sign Bitcoin transactions, removing the dependency on one single entity for signing. This would allow for the permeation of censorship-resistance at the Auth Layer, which is fundamentally important for Bitcoin. If key storage and signing is centralized in a few custodians, then the Bitcoin network itself will be limited in its access for the users trusting them with their keys. Delegated signing is still a valuable service for businesses with complex governance models, but it has to be done with trust-minimization in mind.
Knox currently has one live instance of 3 processing facilities handling offline transactions. This model allows for collusion-resistant delegated signing, as each facility verifies transactions meet the bespoke wallet policies before the multisig threshold is reached, and the transaction can be sent to the Bitcoin network. In the future, as key management gets commoditized and new service providers join the market, many more processing facilities could be running in different cities for complete timezone coverage and jurisdictional risk diversification. This would allow for a more resilient offline key management layer with consistent uptime. Distinct entities and companies may be responsible for the operation of such sites to get the assurances of collusion and censorship-resistant signing. Different key storage agents collaborating in shared multisig wallets to sign transactions is a logical evolution of the Bitcoin auth layer.
Personal Key Recovery
Key storage and signing are sensitive operations. The ability to recover funds in the case of a failure of a processing facility or in any other case of service disruption is also critical. Key backups must be recoverable independently from the signing sites that hold the private keys. Archival vaults therefore need to exist in different locations, such that private keys can be resurrected using recovery procedures.
Knox Archival Facilities store encrypted shards of private keys that are held in distinct physical vaults, legally owned by clients for independent recovery purposes.
In case of a key recovery, agents can support Knox clients in the retrieval of shards to reconstruct private keys independently (with 2 out of 4 shards) from Knox, reclaiming the Bitcoin holdings. This portion requires human intervention with trusted recovery agents that are independent from the other signing agents, minimizing the risk of malicious actors colluding to prevent the recovery of funds.
In the future, Bitcoin private key recovery could be done in a “seedless” manner. Recovery may not require the back up of any private key, but instead use the remainder of the keys in a signing quorum to sweep a wallet and move all UTXOs to a new signing quorum. Different recovery methods are possible based on the risk tolerance of the hodlers, their acceptable threat model and their availability requirements.
Measuring Risk & Pricing It
With specialized custody service providers handling the signing, storage and archival operations of Bitcoin key management, there is an economic incentive to precisely measure the severity of different risks that may occur within the private key lifecycle. Developing models to express the probability of a risk event transpiring along with its severity in cost will allow custodial agents to price financial protection and get extensive insurance coverage.
Today, Knox has attained insurance that covers cases of theft and loss up to 100% of the USD value that is held under custody. This is a material achievement as the policy underwritten for this type of coverage protects Knox during the entire key lifecycle and includes most risks that matter in the activity of key management.
We will be writing more about the insurance coverage that relates to Bitcoin key management as this is a topic of its own. We believe financial protection for key storage and signing will exist natively in all custodians as the risks originating from this activity are too severe to be left uncovered.