Multi-signature wallets for Bitcoin have been available for a number of years through software-based tools such as Armory and Bitgo. Services such as Bitgo even allow their users to optionally store one of their keys with Bitgo, delocalizing key storage and decreasing the likelihood of losing assets.

Typical 2-of-3 Multi-signature Wallet

Although delocalization is helpful, the user still needs to control 2 of the 3 keys. Even if these keys are stored on separate hardware wallets, a user will likely keep a plaintext recovery phrase for each of them. The user therefore has to physically secure the plaintext backups in one or more locations or risk losing the ability to recover assets. This in turn creates a physical attack vector which is hard to defend against. The importance of this problem will only increase with the value and continued adoption of cryptocurrencies.

When considering new security topologies it is important to remember the trade-off between security and ease of use. Most multi-signature, hardware, and paper-backup schemes depend largely on air-gapped storage to maintain security. Air-gapping cryptocurrencies is largely incongruous with the efficient, instantaneous transfer of money, which is often cited as one of cryptocurrencies' biggest advantages. I propose a novel multisig hardware/software security topology that helps eliminate physical attack vectors while also enabling always-online access to cryptocurrency.

2-of-3 Blind-Key Multi-signature

The multi-signature system above is modified by the introduction of a hardware agent. The agent is always online and can provide a second signature from a secure enclave for a user-initiated transaction. The other two keys remain as before: one on the user's smartphone and one with a trusted third party, in this case Grid+.

Proposed 2-of-3 Blind-key Multi-signature Wallet

The next proposed modification to the typical 2-of-3 multi-signature system is to make one of the user's keys unknown, or practically unknowable, to anyone. This unknown key is referred to as a blind-key. It exists only inside a secure hardware enclave, has no backup, and is never known outside the enclave. This yields a topology with a greater degree of safety against physical attacks on person or property.

The reasoning for the 2-of-3 blind-key wallet is as follows. If the user is in possession of 2 of the 3 multi-signature keys they are vulnerable to physical attack. Specifically, a person may break into their house in an attempt to compromise both the user agent and the user's smartphone. Ideally both systems would be protected by PINs, which would prevent loss of funds. However, if both keys have a typical paper-based plaintext backup, a smart burglar would target the backups rather than the PIN-protected devices.

In the proposed 2-of-3 blind-key system, the user has possession of two keys, with the third held by a trusted counterparty. One of the user's keys can exist both on a computing device (smartphone) and in a plaintext backup, while the other exists only in a secure, PIN-protected hardware enclave. If a burglar tried to steal this user's funds they could potentially obtain one private key and possibly the agent which holds the blind-key. However, without the blind-key's PIN the thief would still not possess the keys required to sign a transaction. To gain the necessary information the attacker would have to compromise one or more PINs through on-premises surveillance and/or physical coercion.

The remaining issue that 2-of-3 blind-key multi-signature security suffers from is the incentive to physically coerce individuals into revealing their PINs. This problem is similar to that posed by ATM bank cards.

Secure Enclave + Permissions and Withdrawal limits

Banks limit the incentive for physical attacks on their cardholders by setting account withdrawal limits which cannot be changed by an attacker. Therefore, in addition to a secure enclave, the agent also needs the ability to create and enforce account permissions. Most online providers of cryptocurrency-based services, such as exchanges, use account permissions and withdrawal limits as a second layer of funds security. This prevents or mitigates losses when an unauthorized individual gains access to a person's account: they are unable to move funds to an account they control (limited by a whitelist), and they can only transfer limited amounts in any given period of time (limited by withdrawal limits). A similar account permissioning scheme can be used in conjunction with a 2-of-3 blind-key multi-signature system to deter attacks through physical coercion.

How are account permissions enforced? Account permissions are created within the secure computing environment of the agent device. The permissions are duplicated on both the user's smartphone and the Grid+ secure signing servers. It is assumed that the permissions are not enforceable on the user's smartphone if the phone or its backup key is compromised. However, the permissions remain enforceable on both the agent and the signing servers. Therefore, no matter which key or device is individually compromised, the other keys remain either hidden and/or protected by the account permissions. A compromised key could originate a transaction of large value, but it would not be able to obtain a second signature from one of the co-signing devices/services, so the user's funds remain safe. If an attacker knows that they will likely be able to secure only a few hundred dollars from an individual, the incentive to physically coerce that person is significantly diminished.
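The following Python simulation is an added example and is not code from this post or from any Grid+ product. It models the two ideas described above: the blind-key held in a PIN-gated enclave with no backup (the 2-of-3 blind-key section), and the whitelist plus withdrawal limit that the agent and the signing server each check before lending their signature (this section). HMAC-SHA256 stands in for ECDSA so the script runs with the standard library alone; the addresses, amounts, PIN, timestamps and the shared spend ledger are constructed assumptions, not details from the post.

```python
# Added simulation (not Grid+ code) of a 2-of-3 blind-key multisig whose co-signers
# enforce a whitelist and a withdrawal limit. HMAC-SHA256 stands in for ECDSA: "verifying"
# recomputes the tag with the same secret, the role a public key plays in a real wallet.
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


def sign(key: bytes, tx: dict) -> bytes:
    """Sign canonical transaction bytes so every party signs the same message."""
    return hmac.new(key, json.dumps(tx, sort_keys=True).encode(), hashlib.sha256).digest()


@dataclass
class Policy:
    """Permissions a co-signer checks before lending its signature."""
    whitelist: set         # destinations the user pre-approved
    limit_per_period: int  # max amount co-signed within `period` seconds
    period: int
    ledger: list           # (timestamp, amount) already co-signed; assumed shared by co-signers

    def allows(self, tx: dict, now: int) -> bool:
        if tx["to"] not in self.whitelist:
            return False
        spent = sum(a for t, a in self.ledger if now - t < self.period)
        return spent + tx["amount"] <= self.limit_per_period


class CoSigner:
    """Key that signs only what its copy of the policy allows (the signing-server role)."""
    def __init__(self, policy: Policy):
        self.key = secrets.token_bytes(32)   # in a real wallet only the pubkey is shared
        self.policy = policy

    def cosign(self, tx: dict, now: int):
        if not self.policy.allows(tx, now):
            return None                      # refuse and record nothing
        self.policy.ledger.append((now, tx["amount"]))
        return sign(self.key, tx)


class BlindKeyAgent(CoSigner):
    """Enclave-held blind-key: generated inside, never exported, gated by a PIN."""
    def __init__(self, policy: Policy, pin: str):
        super().__init__(policy)
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def export(self):
        raise PermissionError("blind-key has no backup and cannot leave the enclave")

    def cosign(self, tx: dict, now: int, pin: str = None):
        if pin is None or not hmac.compare_digest(
                hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            return None                      # a stolen box without its PIN signs nothing
        return super().cosign(tx, now)


def settle(tx: dict, sigs: list, keys: list, threshold: int = 2) -> bool:
    """Accept once `threshold` distinct keys have produced valid signatures."""
    valid = sum(1 for s, k in zip(sigs, keys)
                if s is not None and hmac.compare_digest(s, sign(k, tx)))
    return valid >= threshold


def scenarios() -> dict:
    """Constructed attacks on one wallet; addresses, amounts, PIN and times are made up."""
    ledger = []                              # spend history seen by both co-signers
    def policy():
        return Policy({"bc1_savings", "bc1_merchant"}, 50_000, 86_400, ledger)
    phone = secrets.token_bytes(32)          # also in a plaintext backup: assume it leaks
    agent, server = BlindKeyAgent(policy(), "4821"), CoSigner(policy())
    keys = [phone, agent.key, server.key]
    r = {}
    # 1. Legitimate spend: phone originates, agent co-signs after PIN entry.
    tx = {"to": "bc1_merchant", "amount": 20_000, "nonce": 1}
    r["legit"] = settle(tx, [sign(phone, tx), agent.cosign(tx, 1000, "4821"), None], keys)
    # 2. Phone key stolen from its backup and PIN coerced, but destination is off-whitelist.
    loot = {"to": "bc1_attacker", "amount": 5_000_000, "nonce": 2}
    r["off_whitelist"] = settle(loot, [sign(phone, loot), agent.cosign(loot, 1000, "4821"),
                                       server.cosign(loot, 1000)], keys)
    # 3. Attacker carries off the agent box as well, but has no PIN.
    small = {"to": "bc1_merchant", "amount": 10_000, "nonce": 3}
    r["no_pin"] = settle(small, [sign(phone, small), agent.cosign(small, 1000), None], keys)
    # 4. PIN coerced: 20_000 already spent this period, so loss is capped at 30_000 more.
    ok = {"to": "bc1_savings", "amount": 25_000, "nonce": 4}
    r["coerced_within_limit"] = settle(ok, [sign(phone, ok), agent.cosign(ok, 2000, "4821"), None], keys)
    over = {"to": "bc1_savings", "amount": 40_000, "nonce": 5}
    r["over_limit"] = settle(over, [sign(phone, over), agent.cosign(over, 2000, "4821"),
                                    server.cosign(over, 2000)], keys)
    try:                                     # 5. The blind-key has no recoverable backup.
        agent.export()
        r["backup_exists"] = True
    except PermissionError:
        r["backup_exists"] = False
    return r


if __name__ == "__main__":
    print(scenarios())
```

Two points the simulation makes explicit that the prose leaves open. First, the withdrawal limit is only as strong as the co-signers' shared view of what has already been spent: the script gives the agent and the server one common ledger, because if each counted independently an attacker with the phone key and a coerced PIN could draw up to the limit from the agent and then again from the server, doubling the loss. Second, the PIN gate on the agent is only meaningful if the enclave also throttles or locks out after failed attempts, which the script omits; a four-digit PIN with unlimited tries is trivially brute-forced once the box is in an attacker's hands.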

The proposed system of 2-of-3 blind-key multi-signature security addresses many of the physical attacks on a user's private keys. Coupled with account permissions and withdrawal limits, the incentive for physical coercion is also significantly reduced. Furthermore, the proposed system allows robust storage of private keys while remaining always available. Finally, it allows the user to maintain control of their funds at all times while preventing them from being wholly dependent upon a counterparty.

If you liked this article, follow Grid+ on twitter, join our slack, and sign up for our mailing list on gridplus.io!