Granular cold storage

For better coin logistics between cold and hot wallets

Separating cryptocurrency holdings into cold storage and hot wallet is a standard practice for digital asset custodians.

It reduces the risk: only the part of the funds required for day-to-day operations are ‘online’ — the computing device holding the keys to the hot wallet is connected to the other systems and ultimately to the global network.

Cold storage systems are not connected to any network (‘air-gapped’). To move the coins controlled by the ‘offline’ keys you have to physically interact with the device that holds the keys.

This is usually a fair compromise between convenience of operation and security — majority of the funds are held in a storage with reduced attack surface, while operative amounts can be moved quickly.

Coin logistics

This separation introduces coin logistics element into the picture, though. Moving coins from cold storage have costs — network fees, delayed service for customers, and the time of the people who operate the cold storage.

Because of the sums involved, people who can control cold storage often hold executive positions in the company, and their time is expensive. Multi-signature increases security, but then several people need to spend their time signing the transfer from cold storage.

Logistics is easier when dynamics of your hot wallet balance is predictable, and you can schedule hot wallet top-ups beforehand.

New deposits can go straight to cold storage, and you periodically move the amount required for the predicted withdrawals to the hot wallet.

If a lot of deposits usually coincide with a lot of withdrawals, you could have deposits going to the hot wallet, and send the excess to cold storage periodically. But you will increase the size of potential loss to theft this way, as thief or rogue employee can time their heist, and it is likely that they can pause withdrawals, and wait for the hot wallet balance to grow before they drain it.

If the dynamics of withdrawals from your hot wallet is not that predictable, which I believe is more common case, the logistics gets more complicated.

Unless your users are willing to wait for their withdrawals to be processed at certain scheduled times, you might face shortage of your hot wallet balance when particular user wants to withdraw large sum, or a lot of users want to withdraw smaller sums.

Users typically want their withdrawals to be processed quickly. Delaying the withdrawal will degrade the user’s experience with the service and could possibly mean monetary loss for them — for example, they might need that funds to perform a trade that will expire soon.

Stories of chasing down executives to sign off a transfer from cold storage to hot wallet in a scramble after sudden shortage of hot wallet balance are not unheard of in the industry.

Warm wallet

One measure to tackle this might be to make your wallet less ‘hot’ — put your online keys on a secured box that will only sign transactions if pre-defined spending velocity limits are not exceeded, and allow it to temporarily raise the limits if it gets the command to do so. Check that the command is signed by the CEO’s key, and ensure that the command will be executed only once. You can prepare several commands in advance, and store them as QR codes on paper, in a safe.

As an added measure, you can put this box behind TOR to make the attacker’s life harder — attacking neighbouring servers or upstream ISP would be difficult if they do not have the ability to do timing attacks against TOR network to locate your ‘stealth’ signer node.

You can also use hardware security modules (HSMs) to further protect your keys and limit-enforcing logic from physical tampering. You can reduce attack surface further by making the interface between the code running on HSM and the rest of the system as simple as possible, to avoid the complexities and potential vulnerabilities in operating system’s protocol stack.

The limits could also be adaptive — if you have a history of withdrawal activity for your wallet, you can analyze it, build a model, and make your withdrawal limit policy to change automatically to accommodate expected outflow.

If you make it harder to drain your hot wallet balance all at once, you are reducing your risk somewhat and thus can justify holding a bigger balance in this ‘warm’ wallet. Bigger allowed balance means simpler coin logistics.

But these measures will not change the fact that the keys of your ‘warm’ wallet are on the device that ultimately is connected to the internet. You reduce the attack surface, the risks of unauthorized access through network might be minimized, but still present.

Granularity of cold storage

Another possible measure is to make your cold storage granular. That means you can take only a small portion of the funds from your cold storage and ‘lift’ them to the outside world without exposing that ‘granules’ to all the risks associated with hot wallets. Only when you throw them into your hot wallet, they become active, and subject to additional risk.

Bitcoin’s native mechanism to divide the funds is UTXO. Each such ‘granule’ of bitcoin can be controlled by its own key. If you divide bitcoin in your cold storage into ‘granules’ of convenient size and associate them each with different key, you can handle them individually, and take a portion of the funds out of your cold storage without moving the rest.

When you throw UTXO ‘granule’ into hot wallet by deploying the associated key, it becomes active and available to spend instantly, because the transaction to move the funds was already included in the blockchain, at the time when the ‘granule’ was created.

You ‘lift’ the keys for UTXO from your cold storage by allowing them to be stored in slightly less secure location — like a safe that a middle-level employee can access (with appropriate access control and audit trail, of course).

Security considerations

Just putting the keys out there and hoping that your staff will do the right thing and won’t mishandle the keys or allow them to be stolen might not be very prudent.

You want that keys to only become active when they have been entered to the wallet that handles withdrawals, so the UTXO controlled by that keys will only be used for their intended purpose. This can be achieved with encryption of the keys, and/or multi-signature schemes.

In the simplest case, you can just encrypt the keys of your cold storage ‘granules’ with another key, that will be embedded in your hot wallet. Only the wallet software itself, or the person who have unrestricted access to its storage, can decrypt the keys of the ‘granules’ and spend them.

In multi-signature setup, the keys that are ‘lifted’ out of cold storage and entered into hot wallet, cannot be used alone. Spending that UTXO would require another key, held in a separate signer module.

When Schnorr signatures will be available to use with bitcoin, using such multisignature setup won’t even require additional network fee that is associated with multisignature bitcoin spending now. Paying that additional fee may be very well worth it, though, as it enables you to reduce the risks.

The entities that handle encrypted ‘granules’ and those being able to decrypt them should be separate, and fairly isolated from one another.

This works best with ‘warm’ wallet schemes described earlier.

Granular cold storage with ‘warm’ wallet

Let’s look at the possible setup that incorporates both of these ideas.

The ‘granule’ is decrypted within the HSM that enforces the spending limits before it signs the transactions. To spend the ‘granule’, another key is required (‘2 of 2’ multi-signature), and that key is held by another signer module that is also enforcing the spending limits. The second module connects to the main wallet system from behind TOR and is held in a location not disclosed to anyone besides top management.

In this setup, the maximum damage an employee with access to the ‘granules’ can do is increase the ‘warm’ wallet balance by throwing every ‘granule’ key entrusted to them, into the wallet. They won’t be able to overcome the spending restrictions, and the loss will be limited.

If someone can somehow extract the keys held by the signer nodes, they still have to force the employee that handles the ‘granules’ to enter them into the system, using a bribe or some sort of coercion. And the sum will not be more than the portion of the ‘granules’ entrusted to that employee.

Note that neither granular cold storage nor ‘warm’ wallet can protect against slow siphoning of the funds from the wallet over long period of time. This have to be detected by funds flow analysis, which can be complex. The damage and disruption caused by the small losses over time is not the same as a sudden bigger loss, though.

Preparation and planning

The disadvantage of granular cold storage scheme is that you have to prepare the ‘granules’ beforehand. You have to decide on the ‘granule’ sizes, and the policies to ‘lift’ them from cold storage.

You would need to track the number and size distribution of your unspent ‘granules’, so you will know when to create new ones. To make things simpler, you may choose only one size for the ‘granules’.

If you already have lump sums in your cold storage, or accept deposits straight to cold storage, you may need to create additional transactions to split, or consolidate variably sized deposits into ‘granules’ of expected sizes.

You choose the time when to broadcast these transactions, and you probably are OK to wait a bit longer for that transactions to confirm. You can set smaller fees, and broadcast when the mempool is less congested.

If you accept deposits in your hot wallet, and sweep the funds periodically to cold storage, you can create ‘granules’ at the time of the sweep. Your hot wallet will only need to know about the addresses for the ‘granules’. This is of course less secure option, as attacker who seized control of your hot wallet may swap these to the addresses they own. If your sweeps are automatic, you may discover this too late. This still can be mitigated by independent external monitoring of the wallet activity, but only to a certain extent.

Handling of ‘granule’ addresses

The addresses of the ‘granules’ is one more thing to store and handle. By using hierarchical key derivation, you can derive the keys (and addresses) for your ‘granules’ from one master key. You need to backup this key properly to be able to re-create all the ‘granules’ later.

I would advise against using BIP32 extended public keys with non-hardened key derivation to create ‘granule’ addresses. You might think of doing this to generate the addresses from extended public keys in less-trusted environments (like your hot wallet), to avoid the need to transfer the lists of pre-generated addresses. But if the attacker already knows your extended public key, and non-hardened derivation is used, the leak the private key of a single ‘granule’ will mean the loss of all the ‘granules’ created with that extended key. Please use hardened key derivation.

Advantages of granular cold storage

I encourage cryptocurrency services and software vendors to consider implementing the proposed scheme. It offers significant advantages:

Instant hot wallet balance top-up — the transactions that created the ‘granules’ are already confirmed, no new transactions needed

Less fees paid to top-up the balance — the ‘granules’ are created at convenient times when fees are low

Executive’s time is saved —authority to top-up hot wallet balance can be delegated. No more chasing top management and scrambles to the vault.

Paper trail — There are decades-old, well-tried procedures to handle sensitive paper documents. Encrypted ‘granule’ keys can be stored as QR codes in tamper-evident opaque envelopes, in a safe.

Granularity — ‘lift’ only the portion you need out of the cold storage

Portability — the keys for the ‘granules’ can only be decrypted within ‘warm’ wallet, and after the envelope with QR code is opened, this QR code can be sent over open channel such as messenger.

Keylessness — to ‘lift’ the funds from cold storage there is no need to access the master keys at all. Just move envelopes with ‘granule’ QR codes from the vault to the employee’s safe.

Deeper cold storage — due to granularity and keylessness you can access your cold storage less frequently, which means more security measures can be applied.

Implementation

If you are looking for tailor-made implementation of the described schemes, talk to us. We at Simplexum are working to help cryptocurrency custodial services to operate more securely and effectively. The flexibility of Simplexum payment engine allows us to offer solutions that implement warm wallets, granular cold storage, and a lot of other features.