Initially published on Bitcoin Magazine.
Quite a lot of ink has been exhausted writing about El Salvador as the world’s first nation state to make bitcoin legal tender within its territory. Moving from a fiat to a bitcoin standard is an essential milestone in bitcoin’s global adoption. Whether this move will gain support is a debate in its own right. Bitcoiners will have discussions on this matter many times over as Nayib Bukele, El Salvador’s President, acquires a growing portion of the strictly limited supply of 21 million bitcoin. El Salvador's national treasury holds 1,801 bitcoin, according to Forbes, worth around $60 million as of today. Who will be next: Mexico? Argentina? Paraguay?
Holding bitcoin for a nation-state is a novelty. Trusting third-party custodians for holding bitcoin is common practice, especially for large financial institutions and publicly-traded companies such as MicroStrategy, which now holds 124,391 bitcoins on expenditures of $3.75 billion. For a sovereign nation-state with exposure to geopolitical risk, trusting a regulated custodian may not be compatible with its threat model. In the past, custodians for gold, such as the Bank of England, declined settlement of gold to Venezuela that had trusted them with their holdings worth more than $1 billion at the time. This is not to say that the censorship was good or bad, but worth mentioning here simply to highlight that it happened. Custodians can, and will, censor, seize and freeze bitcoin custody accounts if compelled to do so by regulatory agencies. Forward-thinking countries such as El Salvador must think about this and may not want to trust third party custodians with their national bitcoin treasury.
In this article, we discuss issues around bitcoin self-custody for a nation-state in 2022 and raise major questions around the topic of sovereignty. “Not your keys, not your bitcoin” holds particularly true for sovereign nation-states. It is timely to reflect on the best practices nation-states could adopt as they gradually move to a bitcoin standard in the coming years. Using a theoretical example, we illustrate how a nation-state could manage their bitcoin stack using wallets on self-hosted infrastructure to manage their keys on their own terms.
The First Domino
As a sovereign nation-state in Central America, The Republic of El Salvador is a political entity that is represented by one centralized government that has full control over its territory. El Salvador has a permanent population of approximately 6.8 million people, a defined territory of roughly 21,000 square kilometers (interestingly), one single government and the ability to form relations with other sovereign nation-states. El Salvador is part of the U.N.’s list of 206 sovereign member states. In its current form, El Salvador is a democratic republic, instituted by the 1983 Salvadoran constitution. It is led by the president of the Republic, Nayib Bukele, and a legislative assembly composed of 84 members all elected by universal suffrage, of which 56 are from Bukele’s political party “Nuevas Ideas.”
In a country with a fixed term limit and democratic elections, government officials come and go. Externally, while El Salvador maintains friendly relations with other sovereign states, its recent adoption of bitcoin as legal tender is creating tensions with international organizations. Some have argued that El Salvador adopting bitcoin as legal tender marked the beginning of a global de-dollarization process. Getting off the U.S. dollar can make for spicy international relations with the United States and its fiat standard, though that is not the topic at hand. Internally, governance can be quite complicated for a country to manage as different officials handle access control to the national bitcoin stack.
As briefly mentioned, a country has two broad options for managing its national bitcoin holdings: either by trusting a third party custodian, or holding its own keys. Usually, and for practical reasons, trusting a regulated custodian that is well capitalized and recognized as a reliable counterparty would be the preferred method of storage currently. But as is the case for gold, custodians for bitcoin have the capacity to sever the relationship with their customers should they be required to do so by law. And law is by nature specific to a particular jurisdiction, which can also evolve over time. This is outside the control of clients trusting custodians with their holdings. For nation-states holding bitcoin, sovereignty should be a top priority.
Questions Around Custody And Sovereignty
So how does a nation-state hold its keys? Should it trust someone else for custody? Absolutely not. A truly sovereign state cannot rely on trusted third parties to safeguard its bitcoin holdings. On the other hand, building hardware, software and operational controls to hold its own keys is a complicated endeavor that requires a diverse set of skills. Such is not impossible, but it is expensive. On top of that, there are multiple considerations:
- How does a nation create and backup its private keys?
- Should a nation use multisig vaults or multiple singlesig wallets? A combination of both?
- How are backups stored? How is access restricted?
- What about signing? Are there withdrawal rate limiters? How many people are required to approve spending?
- Who has the final signing authority? How is collusion protected against?
- Do they even run their own node to validate consensus rules and broadcast their transactions independently to the network?
An important prerequisite for all leaders of sovereign nations looking into bitcoin custody: “Trusted third parties are security holes.”
Trusted Third Parties Are Security Holes
Thanks to the writings of Nick Szabo, Mt. Gox and other scandals such as QuadrigaCX, it is accepted wisdom that trusted third parties are security holes. Nayib Bukele, president of the world’s first country to publicly adopt bitcoin as legal tender, surely knows this too. While using mainstream custodians such as BitGo, Gemini or even Fidelity Digital Assets is commonplace for corporations and high net worth individuals storing tens of billions of dollars worth of bitcoin, this avenue should seem out of the question for a sovereign state. And yet, it appears that El Salvador and other large bitcoin holders may not be in control of their own keys to this day.
Plus, most of the major custodians are regulated U.S. companies, trusts, and banks, which bears political risk in a world constrained by strict regulatory oversight by governments and more recently by global travel restrictions. In cases of litigation, the jurisdiction in which the custodian is regulated may have legislation that acts against its customer’s interests preventing resolutions and redeemability of their bitcoin IOUs that were issued by the custodian. Trust entities mitigate that risk, but it still remains non-zero.
What these custodians provide is an authentication and access control layer. As highly regulated entities, these entities safeguard important amounts of bitcoin with hybrid setups made up of human policies and information system security. Custodians allow client admins to view funds, but most importantly request withdrawals and will ask for video-based authentication, paired with SMS, email or hardware device 2FA. Problem is: bitcoin should not be locked behind closed doors for which you don’t have the keys, if you’re a nation state. That is true for sovereign individuals and companies as well.
Today, bitcoin is still relatively insignificant on the geopolitical scene with a monetary value oscillating around $1 trillion. If or when bitcoin hits $10 trillion, as it becomes the most prominent monetary base in USD terms, that will change. Regulated custodians holding hundreds of billions of dollars worth of bitcoin, let alone trillions, will be highly sought-after targets. Private gold ownership was deemed reprehensible with hefty fines and imprisonment in the U.S. after Executive Order 6102 was pronounced. Gold custody was much more centralized thereafter with the forced sale of private gold bullion. Bitcoin is no different from that angle if entrusted in the hands of custodians. Bitcoin custody accounts can be seized, censored and frozen.
Today bitcoin custodians are also narrowly covered by insurance policies with limits not exceeding 5-10% of the total assets they hold. Such a level of risk exposure seems inadequate, to say the least. Sovereign nation-states cannot accept such a risk, as they hold bitcoin in their national reserves.
Trust Minimization Is Essential
Restricting access control to bitcoin holdings, namely signing keys and backups, is the name of the game. Ideally, access may be governed by strong mechanisms that cannot be corrupted by power or greed. This is not the case with human policies. Policies are guides that can be followed at all times but that can also be modified, deprecated or simply bypassed. Errors can be made too. If policies can be corrupted or bypassed, they will most likely be. Power corrupts. What prevents collusion from happening, if a government cannot trust internal policies to protect its bitcoin holdings?
Bitcoin is highly secure, perhaps even close to being considered unbreakable as a monetary network. At the peripheries of the network, private keys that are used to move bitcoin can be utilized in different ways. Spending conditions from a bitcoin wallet are programmable such that custom rules can be implemented to withdraw from any wallet. Today, bitcoin’s scripting language is still limited in its abilities though it’s gotten better over the years and with recent software upgrades such as Taproot.
Improvements have come out such as projects like Miniscript, a language for efficiently writing correct bitcoin scripts for wallet spending conditions. Theoretically, using such technology, complex organizations such as governments could implement authorizations to spend bitcoin, where multiple officials representing Treasury and Labor departments, for instance, would be required to sign off on a multisig wallet, which itself is part of another multisig vault managed by the president and vice-president offices.
Another alternative could be to apply governance controls with a wallet setup that is hosted and managed by the government itself, allowing for flexibility while keeping spending conditions off-chain. Bitcoin wallet management should remain flexible and adjustable to different models of governance that will vary based on distinct governments looking to self-custody. As discussed, a sovereign nation may not want to outsource bitcoin custody, which may very well become a matter of national security in the coming years. Defending its own bitcoin holdings from external threats, a government may want to find a way to protect itself from internal corruption and insider theft: collusion.
- What happens if government officials try to steal and succeed?
- How is access control designed such that more than 3, 5 or 10 distinct people must collude together to steal funds?
Adding security by limiting access to funds comes with trade-offs. Bitcoin self-custody is optimized based on security, simplicity and sovereignty trade-offs. Usually, only two out of three may be fully optimized. Commercial custodians rank high on simplicity and security but may lack sovereignty features for the customer. Mainstream hardware wallets rank high on simplicity and sovereignty but may lack security where custom governance and group access controls are required. Where does that lead us? To solutions that rank high on sovereignty and security, which may add extra complexity for long-term bitcoin self-custody. Sovereign nation-states may be better off hosting their own bitcoin key management solutions, allowing for flexibility, security and full sovereignty on their holdings. Whether or not nation-states hold their own keys will determine if they truly have sovereign bitcoin reserves when they need them the most.
May a government use popular open-source products such as Specter, Sparrow or BlueWallet paired with hardware devices such as Coldcard, Trezor and BitBox? Unlikely. While these products are of the highest standards and state of the art when it comes to open-source bitcoin software and hardware, they lack the flexibility for complex governance models. They were also designed as consumer products, and are currently not built for enterprise or institutional applications that require custom controls, as mentioned previously.
What could be the preferred method for governments around the world to hold bitcoin? Let’s look into self-hosted enterprise wallet solutions:
Protecting The Entire Key Lifecycle
Let’s start with the basics: generating bitcoin private keys.
- How does one do it safely?
- What is a secure private key as opposed to a weak one?
Using a random number is a critical first step in bitcoin security. Good entropy is the starting point. Using closed-source hardware to generate entropy as the source of randomness for the private key is putting a lot of trust in the chip manufacturer or the company providing the service. A good practice would be to use a mix of physical and digital entropies to guarantee a strong basis for private key generation. If the base entropy is poor, all the remaining security measures around bitcoin key management could be for nothing, because the key can be cracked at the root. It would be like using a weak password that is easy to brute force with repetitive trial and error attempts. Some hardware wallet manufacturers have closed-source firmware, which prevents anyone from auditing the source code to ensure good entropy generation. While auditability is useful, true randomness of the seed is what matters to protect private keys from being cracked.
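An added example, not from the original article, of mixing physical and digital entropy as described above: dice rolls typed in by an operator are combined with operating-system randomness through HMAC-SHA256. The function names, the 256-bit target and the bias threshold are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import os
from collections import Counter
from typing import Optional

TARGET_BITS = 256  # assumed strength wanted from each source on its own


def normalize_rolls(dice_rolls: str) -> str:
    """Strip whitespace and check that every roll is a face 1-6."""
    rolls = "".join(dice_rolls.split())
    if not rolls or any(c not in "123456" for c in rolls):
        raise ValueError("dice rolls must be the digits 1-6")
    return rolls


def check_physical_entropy(rolls: str) -> None:
    """Reject input that cannot carry TARGET_BITS or looks stuck or biased."""
    # A fair six-sided die gives log2(6) ~ 2.585 bits per roll.
    if len(rolls) * math.log2(6) < TARGET_BITS:
        raise ValueError("need at least 100 rolls for 256 bits")
    # Coarse sanity check only: a fair die shows each face about 1/6 of the time.
    if max(Counter(rolls).values()) > len(rolls) // 3:
        raise ValueError("one face dominates; dice or transcription suspect")


def mix_entropy(dice_rolls: str, system_entropy: Optional[bytes] = None) -> bytes:
    """Return 32 bytes derived from both the dice and the OS CSPRNG.

    HMAC-SHA256 is keyed with the OS randomness and run over the dice
    transcript, so predicting the output requires knowing both inputs.
    """
    rolls = normalize_rolls(dice_rolls)
    check_physical_entropy(rolls)
    if system_entropy is None:
        system_entropy = os.urandom(32)
    if len(system_entropy) < 32:
        raise ValueError("system entropy must be at least 32 bytes")
    return hmac.new(system_entropy, rolls.encode("ascii"), hashlib.sha256).digest()


if __name__ == "__main__":
    # Constructed transcript for demonstration; real rolls come from real dice.
    sample_rolls = "123456" * 16 + "1234"
    print(mix_entropy(sample_rolls).hex())
```

The frequency check only catches gross failures such as a stuck die or a repeated keystroke; it does not certify that the rolls are random.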
Once a bitcoin private key exists, it must be stored securely. Using a dedicated hardware device to secure it is usually the recommended method. Relying on different vendors can help reduce the risk of supply chain attacks by diversifying manufacturers.
- How does a nation-state pick a hardware manufacturer knowing supply chain attacks are possible?
- How much trust is required?
- Can generic hardware be used to secure keys?
- Can multiple vendors be used to source hardware?
As a nation-state is a politically exposed entity, there are chances that the manufacturers sourcing components and assembling their hardware devices would be co-opted to supply modified or spooked versions. Using open hardware as the basis to build hardware devices for private key storage can be an efficient way to optimize security. Assuming a nation-state cannot trust any hardware device manufacturer seems like a reasonable position to take moving forward, which increases the need for open standards in hardware design, especially chip manufacturing and entropy generation. What is the risk of relying on international manufacturers in times of lockdowns and supply chain disruptions? Another alternative is to manage and oversee the manufacturing of bitcoin hardware devices and build a national supply chain to avoid the reliance on external vendors.
After this point, what’s important is to think about private key backups for business continuity and disaster recovery planning, involving strict access control measures to prevent collusion and internal theft.
- How many people should be involved?
- What’s the level of permission that should be cleared for people to be involved in such a procedure?
- How is this procedure tested and regularly verified?
Generally, bitcoin key backup storage may not be controlled by the same entities responsible for the signing operations. Backups may be vaulted by distinct security providers in trust with several individuals in charge. Only a major event such as a destruction of keys at the signing operations may be able to trigger a recovery.
- How does one vet these people with access to backups?
- How is the procedure documented and transferred to all and new staff?
- How is personnel turnover managed? How is access control regularly updated to ensure only the required personnel are in control?
All procedures may be performed with a number of registered agents so as to diminish collusion risk. Another best practice for backup management would be around key and backup access controls. It may be preferable for personnel dealing with backups never to be in the presence of enough backups that they could gain signing authority on a wallet. Operationally, a government managing a bitcoin wallet may want to have strict procedures that technically make internal theft extremely difficult to successfully perform.
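An added example, not from the original article, that checks the two requirements discussed above: the nested multisig arrangement (a departmental multisig inside a vault shared with the president and vice-president offices) and the rule that nobody handling backups can reach enough key material to sign. The policy encoding, key names, role names and access assignments are all constructed for illustration.

```python
from itertools import combinations

# A policy is a key name, or ("thresh", k, [sub-policies]): k of the subs must hold.
DEPARTMENTS = ("thresh", 2, ["treasury_1", "treasury_2", "labor_1"])
VAULT = ("thresh", 2, [DEPARTMENTS, "president", "vice_president"])


def satisfied(policy, keys):
    """True if the set of available keys meets the (possibly nested) policy."""
    if isinstance(policy, str):
        return policy in keys
    _, k, subs = policy
    return sum(satisfied(sub, keys) for sub in subs) >= k


def spending_groups(policy, access, max_size):
    """All minimal groups of at most max_size people who can jointly spend.

    access maps a person to every key they can reach, whether as a signer
    or through a backup they are able to retrieve.
    """
    found = []
    people = sorted(access)
    for size in range(1, max_size + 1):
        for group in combinations(people, size):
            if any(set(g) <= set(group) for g in found):
                continue  # a smaller subset of this group already suffices
            keys = set().union(*(access[p] for p in group))
            if satisfied(policy, keys):
                found.append(group)
    return found


def min_colluders(policy, access):
    """Smallest number of people who must collude, or None if nobody can spend."""
    groups = spending_groups(policy, access, len(access))
    return min((len(g) for g in groups), default=None)


# Constructed assignments: signers hold one key each.
SIGNERS = {
    "officer_a": {"treasury_1"}, "officer_b": {"treasury_2"},
    "officer_c": {"labor_1"}, "pres_office": {"president"},
    "vp_office": {"vice_president"},
}
# Weak: one custodian can retrieve the backups of two vault-level keys.
WEAK = dict(SIGNERS, custodian_1={"president", "vice_president"},
            custodian_2={"treasury_1"})
# Split: each custodian can reach the backup of a single key only.
SPLIT = dict(SIGNERS, custodian_1={"president"},
             custodian_2={"vice_president"}, custodian_3={"treasury_1"})

if __name__ == "__main__":
    for name, access in (("signers", SIGNERS), ("weak", WEAK), ("split", SPLIT)):
        print(name, min_colluders(VAULT, access), spending_groups(VAULT, access, 2))
```

The search is exhaustive over groups of people, which is practical for the handful of officials and custodians a single vault involves.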
- How are keys used?
- Should bitcoin be held in single-signature wallets or multiple-signature vaults?
- How many signers are required? Out of how many authorizing agents? How do they coordinate remote signing operations in distinct locations to avoid exposure to losses?
One option is to connect distinctly generated hardware keys into multi-signature vaults, such that custom approvals can be designed where multiple authorizations are required to withdraw bitcoin. As mentioned, governments, like companies, have turnover. Like businesses, governments have complicated internal structures where multiple people should be signing off on withdrawals. Distinct from businesses, governments have a lot more public scrutiny and internal politics. Bitcoin holdings may have been collected from and will be used for the public. This form factor bears high responsibility and requires extensive measures to safeguard the underlying bitcoin from being lost or stolen. Designing a system that allows for key rotation when officials change roles in the securing of bitcoin is paramount.
- How often should key health checks be performed?
- When keys are deemed out of order, should a wallet be swept into a new one or a key simply re-generated into the existing quorum?
- To what extent should wallets be offline or online?
- Is cold storage the end-all-be-all for security? How available should funds be? What’s the risk of being online for a public wallet?
Most key management for large holdings tends to happen offline, disconnected from any network. The only activity that may be connected to a network is to update wallet and vault balances, transaction history or to share partially-signed bitcoin transactions, and broadcast signed bitcoin transactions. In other words, the generation, archival and storage (signing) of keys would be better off disconnected from any network, in a cold storage environment. Hot network-connected operations may be preferred for small operations where low-latency is needed for transactions to be signed, for instance. Should quorums of signers be different between hot and cold wallets?
Sovereignty Redefined Under The Bitcoin Standard
Governments that hold bitcoin may want to think about other nation-states in their threat modeling, as well as internal collusion. Off-the-shelf hardware and software components may be useful, but they should be adequately audited, and they may lack the advanced features needed for bespoke governance models. External threats, such as thefts and losses, may be as severe as internal collusion and errors made by officials.
When managing large amounts of public funds stored in bitcoin, the temptation to steal is high, which will trigger new attacks by sophisticated actors. Building in-house or deploying a self-hosted infrastructure to manage the entire key lifecycle appears to be a safe way to self-custody for governments looking to secure bitcoin in their national reserves.
- Who has access to the blueprints? How many people should be required to be “in the know?”
- What’s the right ratio of security versus complexity for managing wallet operations?
- Should governments be 100% independent or seek support in setting up their bitcoin custody department?
Does sovereignty mean going it alone in tackling a hard problem such as self-custody for bitcoin? Perhaps it does. Companies like Knox think about these questions all the time. We can also help deploy self-hosted bitcoin enterprise wallet solutions for nation-states looking to be self-sovereign with their bitcoin holdings. What does it mean? Allowing entities that hold large amounts of bitcoin to safely self-custody by limiting counterparty risk. Using self-hosted bitcoin custody infrastructure, a government would be able to deploy bitcoin key management within its own jurisdiction with limited reliance on external vendors. How does it work under the hood? What’s the risk in deploying such a setup? Why is this practice not more generalized these days? Many of these questions still remain unanswered to this day.
As more nation-states adopt bitcoin while bitcoin legal tender laws are enacted, these concerns will be unearthed and addressed as a matter of national security and sovereignty. Moving off the fiat standard, governments will be incentivized to answer these questions as the notion of lender of last resort fades away. Centralized custodians will probably remain popular as a means to safeguard bitcoin UTXOs, while others may be nationalized or seized when bitcoin reaches a certain threshold of geopolitical exposure. Nation-states are better off being safe rather than sorry, and holding their own keys.