Leak and Loss Alarms for Bitcoin Wallets
This is a proposal that I wrote up a few years ago (and emailed to Coinbase as a feature suggestion), but never published.
Suppose you’ve got a bunch of bitcoins, and you want to keep them safe.
There are two classes of threat that you need to worry about:
- Data loss
- Theft
You’ve got to somehow store your wallet’s private key(s) such that 1) you’re sure you can retrieve the private key when you need to, and 2) no one else can get to the key.
Whether you do it yourself or trust a wallet service, you want both of these conditions to be met.
It seems to me that, unfortunately, these two goals tend to trade off against each other. Making your private key easy for yourself to recover (e.g. making lots of copies of the key) tends to make it easier for others to steal, and making it hard for others to steal (e.g. storing it on a flash drive in a safe at the bottom of the ocean) tends to make it harder for yourself to recover.
I propose a scheme to make it easy to verify that you can still recover and spend all your coins when you need to, while limiting your risk of theft. The only catch is that you have to find two third parties whom you trust not to collude together against you.
The system I have in mind is as follows (where Wallet Corp and Coins R Us are fictional online wallet services):
1) At the request of a customer, Wallet Corp and Coins R Us each generate a new private key. The customer also generates a new private key, and they all share the associated public keys with each other. The private keys are not shared and each remains known only to the party who generated it.
2) The three public keys are used to create a multisig address requiring 2-of-3 signatures to spend any coins sent to that address. The customer sends their bitcoin hoard to this address.
3) The public keys are also used to generate traditional single-key addresses. The customer sends a small amount of bitcoin (likely proportional to the total amount to be protected) to each of these three addresses. These amounts act as bait for alarms and represent the only value at risk if any one of the private keys is compromised or lost.
4) On a regular basis, Wallet Corp and Coins R Us each sign statements containing recent, not-predictable-in-advance, easily verifiable, public information (e.g. winning lottery numbers or blockchain hash values) to show that they are still in possession of the private key that they generated.
The signed statements demonstrate that the private keys have not been lost. The amounts sitting at the single-key addresses demonstrate that the private keys have not been compromised.
If an attacker discovers one of the three private keys (and assuming they don’t think they can discover one of the other two keys before anyone else discovers the key they already have), they will be motivated to send its coins to another address they control as quickly as possible.
This will alert the customer that the coins behind the main multisig address are no longer completely safe, and would be at risk if either of the other two private keys were compromised or lost. Unless the attacker is able to carry out successful simultaneous attacks on two of the three parties, the customer should have plenty of opportunity to re-secure the rest of their coins.
If the customer discovers that they have lost their own private key, they can authenticate themselves to Wallet Corp and Coins R Us and request signatures on a transaction to a new address. If the customer wants to move the money stored at the multisig address for some other reason, they only need to contact one of their two wallet providers.
With this system in place, you no longer have to trust that you (or your wallet providers) are safe from hacking or data loss. You only have to trust that your two wallet providers won’t collude against you, and that two out of three of you won’t lose your data or get hacked at the same time.
I imagine that wallet providers could offer this service for a small fee, or free to anyone who stores more than a given amount in their regular wallet.
Some additional notes:
1) Users of this service would also have the benefit that if their wallet provider was temporarily unavailable for any reason, they could still access and send their coins by getting a transaction signed by both themselves and their secondary wallet provider.
2) The scheme could be extended to more than three parties, with arbitrary m-of-n signature requirements.
3) Even if only Wallet Corp offered this service, and there was no Coins R Us to act as the 3rd party, customers might still feel their funds were more secure if Wallet Corp implemented a system like this internally, generating and storing two of the three private keys rather than just one. In this case it would be ideal if the procedures and pieces of infrastructure used to generate, store, and sign transactions with the two private keys were kept as independent as possible.