After terrifying everyone with his prior SLP appearance re: hardware wallet security, Michael Flaxman rejoins me on the show to talk about his new multisig guide to help users secure their coins without any single point of failure. 

We cover:

  • What’s improved in the space since last year
  • Why you need to eliminate SPOFs (Single Points of Failure)
  • Comparison of current hardware wallets
  • Multisig services vs DIY
  • Using Specter
  • Using Coldcard & Cobo
  • Seedpicker
  • Tips on maintaining the setup

Podcast Transcript:

Stephan Livera:

Michael, welcome back to the show.

Michael Flaxman:

It’s great to be here. I’m a big fan of the podcast, so I love to be on it.

Stephan Livera:

Fantastic. Well, Michael, your first appearance on the show was a very, very popular episode, and I think a lot of people took it as a bit of a nightmare episode, despite the cautions and saying, okay, look, let’s take an incremental approach to this. But I think today we’ve got a really interesting topic and material to talk about. So you’ve written this guide. What was the motivation for this guide?

Michael Flaxman:

So there’s two main parts to it. One is the general idea that we think of Bitcoin as being the best money in human history, but the narrative is that it’s really hard to secure. And so we have these properties of money, you know, it’s scarce, portable, divisible, verifiable, and Bitcoin should be more securable. We’ve seen Vijay talk about this a little bit in the idea of censorship resistance as a new criterion to evaluate money on. Every money before Bitcoin was equally censorable. Bitcoin is new in the sense that you can send it across the world and no one can stop you, but we also have security as a new consideration, and Bitcoin is the most securable asset in human history. You can’t three of five your gold. You can’t three of five anything that’s physical, but you can do that with Bitcoin, and you can interact directly with Bitcoin’s scripting language on the blockchain in a way that is truly magical.

Michael Flaxman:

And we’ll go into more detail about what that means. But it’s really one of the great features of this asset that I think has historically been a negative and in the future should be seen as a positive; we’ve hit that inflection point. And then from a practical perspective, I’ve just been obsessed with this problem for seven years now. My first Pycoin commit, a Python Bitcoin library, in 2013 was on the source of randomness for new wallet creation. Securing Bitcoin is something that is an obsession of mine because it’s so terrifying if you’ve ever sent a large Bitcoin transaction. If you’ve ever moved funds, you get, like, the cold storage sweats. It’s a really scary experience that shouldn’t be scary, and multisig really does change that equation. And we’ll get to that more too.

Michael Flaxman:

And then, in the most practical sense, we did this episode SLP97 last year, and I just got hundreds of inbound queries from people saying, Hey, how can I secure my Bitcoin better? And it’s amazing that, even before I launched this guide that we’re going to talk about today, I was getting messages almost daily since then from people asking questions about their security. So I just felt like I had to give people a “here’s how you do this” guide. So that’s what this was born out of. Yeah, it’s pretty neat.

Stephan Livera:

Yeah. So this guide is a great guide, and I mean, I’ve been a little bit involved here and there. So let’s talk a little bit about the motivations with this thing. And I guess, you know, the key point that was a lesson from the earlier episode was around eliminating single points of failure and this concept of fault tolerance. So what’s fault tolerance? Why is that important?

Michael Flaxman:

So the idea of fault tolerance is that you can have some sort of mistake happen, and it can be a really bad one, and you can be okay and not lose any money. And with security, you’re only as strong as your weakest link. So you have to do everything right to secure yourself. Your attacker only needs to find one vulnerability. That’s this huge asymmetry. That’s why we always see bugs in software. And we always will see bugs in software because of this fundamental asymmetry. So much better than trying to be perfect is to be fault tolerant, to allow for some mistakes. And so to put this in some numbers, we usually use nines in computer science when we talk about uptime or reliability. So if you want to be 90% secure, that’s pretty easy. Like, you can just sort of wander your way into Bitcoin and, you know, read some stuff on the internet.

Michael Flaxman:

Some of it’s probably really bad information, Bitcoiners have gone down this rabbit hole, but you’ll not send your Bitcoin to the wrong person. You’ll not put your seed into a web wallet. You’ll not use a web wallet. You’ll sort of follow these best practices 90% of the time. And that’s pretty easy. To follow them right 99% of the time, that’s much harder. I mean, humans don’t do things like that very often. But you’d be able to figure it out. And then 99.9, or three nines, that’s pretty difficult. And if you want to get to four nines for a single key, well, now that’s very hard. So the idea with multisig is, instead of being like 99.99% secure or 99.999% secure with what you’re doing to guard your setup but doing it all in one key, you have multiple keys and you can be much more casual with each one.

Michael Flaxman:

So the trade-off becomes really, really favorable because you can actually be almost a little reckless in how you set things up and still achieve a far higher level of security. So I think it really is the only free lunch. We talk about security and usability being a trade-off. And that is generally true, but multisig is a difference in kind, not degree. It’s truly a one-of-a-kind thing, it’s magical, and it’s available to all Bitcoin HODLers. So people should know about it and know it’s available. And in the past I’ve made a big point of saying that multisig security is additive. Meaning if you have three keys A, B, and C, or we’ll keep it simple, we’ll say if you have two keys, A and B, that is, you know, you have the security of both of them added together, versus if you were just using A or just using B. And in the naive Bayes sense, it’s actually multiplicative, because the error that you would need to have, or the vulnerability you would need to have exploited, in A or B in a proper multisig scheme that, say, requires two signatures,

Michael Flaxman:

Well, that would have to be exploited in both of them. So if these two vulnerabilities were unrelated, then the odds of breaking both of them is now the product of that vulnerability, not the sum. So that is very extreme in terms of additive security. Now we have to assume in the worst case scenario that the vulnerability is the same in both places. And so maybe you’re only 2xing your security. Quantifying this is really, really hard, but the idea is that we move from a model where you have to get everything right or you can lose money, to a model where we say, here are the things that you have to get right. You have to get three of five things right, and you can make catastrophic mistakes and still not lose money. That’s a new and fundamentally different model.

Stephan Livera:

And with that, I guess one example, and some of this came up in the earlier episode, is around what is the contributing software and what is the base of it? So for example, if maybe the different hardware wallets that you’re using are written in different languages, say one is in Python and one is using something else, right. That would be an example there where if you’re using different kinds of software or different hardware, then that’s where you’re getting that really multiplicative security benefit, right?

Michael Flaxman:

Yes. Although I would say that the language it’s written in is very, very low on the risk of things that I would be concerned about for losing money. So let’s talk a little bit about the loss and the cost of these losses to try to put it in perspective. And I want to talk about some very specific vulnerabilities that could be catastrophic. So just as a generic high level, it’s impossible to know how much Bitcoin is lost every year. There are sites that try to track it. But obviously it’s a somewhat unknowable thing. We don’t have a registry of all the Bitcoin holdings and a way to tell when people are saying that Bitcoin is really lost. Obviously there’s already the common meme about private keys being lost in a tragic boating accident. I don’t know if that happened to you, but that’s happened to all my Bitcoin. I definitely don’t have any.

Stephan Livera:

That’s right.

Michael Flaxman:

So we can’t really know. We can look at HODL waves as a sense of when coins are moving, and maybe these ones that haven’t moved in so long never will. But even in the most extreme case of that, we have Satoshi’s coins, which is an enormous number of coins. We can’t know if those are lost or not. Maybe he, she, or they is just very patient. Maybe they never bothered to record the private keys, because 50 Bitcoin block rewards at the time were worth nothing, and this was just a neat experiment. So, you know, maybe it’s not even lost in the sense that they had them and lost them. Maybe they never kept them in the first place. But as a general estimate, if you ask around, most people would say somewhere between 0.5% and 2% of all Bitcoin is lost every year.

Michael Flaxman:

And this is truly horrific for HODLers. It’s extra bad because it’s not evenly distributed. If a hundred percent of HODLers lost, on the small end, 0.5% of their Bitcoin every year, that would be far superior. You know, you don’t want a small chance that you lose it all. You’d rather lose a little bit each year. And of course this is not available to us. It’s not a choice. It’s just the aggregate stat that we have. So if we looked at what this aggregate stat was of, say, on the low end 0.5% per year, that’s sort of equivalent to 0.5% inflation per year. We would not look at that as Bitcoiners and think that’s okay. And again, that scenario is much better than what we face because we all have this terrifying fear of losing a hundred percent.

Michael Flaxman:

It’s not that we’re evenly paying this price. Now there is this popular 4chan counterargument, that is, well, lost coins reduce the supply, and that’s good for the remaining HODLers, which is technically true. But really not valid for two reasons. First of all, stolen coins don’t reduce the supply. A lot of the losses are theft. And second of all, it’s terrible PR. Bitcoin’s reputation, part of the reason why I’m doing this podcast, is because we have this reputation of being an insecure asset. It keeps people from wanting to buy Bitcoin. Practically speaking, those who lose their Bitcoin are unlikely to rebuy it. And so it’s really not a good thing to have loss. So I want to start by zooming out and saying this is the problem that we’re trying to combat. And then maybe I could dive into some of the actual losses and what that looks like.

Stephan Livera:

Yeah, I see. And so I guess at a macro level, what you’re trying to get out there is essentially people might not feel as comfortable getting started with Bitcoin, or they might’ve lost some Bitcoin and then not rebought. I guess maybe the steelman would be something like, okay, well, look longer term. It’s not going to matter. They’re going to have to do it. But I think maybe the counter to that would be something like, Hey, the more we can make this secure, the faster we can speed the transition into hyperbitcoinization. And so if we’re focused on security and we’re trying to educate ourselves and educate our family and our friends on how to secure our Bitcoins, well, that arguably strengthens the system. So maybe let’s start with some of the single points of failure. So you mentioned how it’s very hard to get single signature right. What are some of those factors that make that so?

Michael Flaxman:

Yeah, so I wanted to start with just the one that is absolutely terrifying that the overwhelming majority of your listeners who use single key setups on their hardware wallets should be very afraid of, and hopefully this will motivate them to make a change. So there’s a couple of different things that hardware wallets do. And one of the most obvious things that we have to have it do correctly is generate your seed securely. We can think of this as a form of random number generation because your hardware wallet has some sort of random number generator in it. And it’s using that to generate your 24 word seed.

Michael Flaxman:

We know that this is really important. We know to guard these. Bitcoiners back them up, maybe they etch it into metal. They know not to share it. But the thing that’s really, really hard to do is to prove a source of randomness. And in fact, it’s almost impossible to prove, although we’ll talk about a proof that we are using in the multisig setup later. We really can just observe a random number generator, you know, so the joke is, like, if I asked you to pick a number between one and a billion, and you had a random number generator that was doing this, and you pick the number seven, well, I would be pretty confident that your random number generator was broken. I couldn’t prove that, you know; one in a billion times it would pick the number seven, that’s a valid choice.

Michael Flaxman:

Certainly if I queried your random number generator 10 times, and it spit out the number seven 10 times in a row, I would say, okay, that’s really, really unlikely. I mean, how many times does lightning have to strike in the same spot before you say something about that doesn’t make sense? But I still couldn’t prove it. It’s still statistically possible. Although at that point it’s, you know, one in a number so big our human brains can’t comprehend. So with random number generators, observing whether they’re working correctly or not is in practice very, very hard, unless you have a way to query it a lot like that. With a hardware wallet, that’s not really how it works. I mean, you boot it up, you maybe take it out of its packaging, you may plug it in, you go through some steps on screen.

Michael Flaxman:

The buttons are very slow. You’re setting up a PIN, and then it says, here’s your seed. And by the way, you’re not going to buy a hundred thousand of these and test it over and over again. So you don’t know about that source of randomness, and almost none of these hardware wallets use reproducible builds. So there’s no way to know what firmware they’re running. And there’s no way to even confirm that if they were using a reproducible build, because unless it was with a secure element that you trusted, you wouldn’t be able to validate that build. The point being, any person at that hardware wallet manufacturer, either upstream where they made it, or an employee who put the original software and compiled that to run on that hardware wallet, who slipped in a vulnerability could be choosing your seed for you. And that would be impossible for you to detect, and this would be the ultimate retirement attack. So imagine I create a very reputable hardware wallet company. I run a malicious bit of code. I might even open source my code, so you can see what my code does, but that’s not the code that I run on that hardware wallet, which again, you have no way to verify. It spits out your 24 words. You write them down diligently, you’re transacting with them just fine, perhaps for years, and one day that employee says,

Michael Flaxman:

All right, I’ve looked at these hardware wallets. I mean, I didn’t look at them physically, but I’ve looked at the balances that have been accruing on these hardware wallets, and it’s now, say, a billion dollars, and I’m going to steal it all. And they could do that without ever leaving their home, without ever going into your cold storage. That is truly, truly terrifying in the single key sense. Every single major hardware wallet manufacturer has had the ability to do that for years. We cannot verify this, and that attack could take place, and it doesn’t have to be malicious on their part. In the paranoid version, they could be compelled by a government trying to destroy Bitcoin by getting people to use this. In the much more realistic option, somewhere upstream of them in their supply chain, somebody is clever and says, Hey, I’m going to swap out their use of the random number generator for this seed instead. And I’m going to put in my seeds, and I’m going to put in, say, a billion seeds so that you couldn’t manually detect this. Back to this example of asking a random number generator and getting the number seven back, I’ll just put a billion different seeds that are possible under these devices. No two devices will have the same one, and I’ll be able to cash them all out at once. Now I don’t think that’s going to happen. That would definitely be bad, but the incentive there is so unbelievably strong, and we don’t have a way to verify that it’s not going to happen. We only have trust, and Bitcoin is about getting away from trust and verifying ourselves.

Stephan Livera:

Yeah that’s a very scary attack, the long con or the retirement attack. Now, I guess one point that maybe the listener is thinking at this point, well, Michael, what about passphrases? Do passphrases fix this or not?

Michael Flaxman:

Yes. So passphrase certainly could, there’s a number of ways to mitigate this attack. I guess maybe we could go through all of them. One of the things to keep in mind is that multi-sig basically eliminates this class of attack. You could still do this kind of thing. And if you’re storing really large amounts with multisig, I would recommend you perform one or all of these mitigations. But the beauty of using proper multisig is that you don’t have to think about these kinds of things. And so I want to stress at each point when we’re going through these, like what could happen, scenarios that, if you were doing a three of five multisig or let’s keep it simple, you’re doing a two of three multisig. This only matters if two of your three hardware wallets are using compromised seed generators.

Michael Flaxman:

So if one of them has a compromised random number generator for the seed and two of them don’t, well, there’s no exploit to be had unless you publish your other seed. And that is enormously powerful. I want to talk about all the different defenses and what their trade-offs are. But before we do any of that, most importantly, this is all kind of fine if you use proper multisig. And so this is an example of the type of thing that you can avoid. Okay. But going into it, yeah, so I’ll cut to the best answer, and then we’ll work our way backwards to what people do, I guess. And the best answer would be to be the random number generator yourself. So you can’t necessarily prove to anyone else that you’re an unbiased random number generator, but you can prove to yourself that you’re an unbiased random number generator real easily.

Michael Flaxman:

And the simplest way to do that is to print out your 2048 words and draw them out of a hat. And there is a little bit of a complication in there, in that the 24th word is a checksum. And it doesn’t have to be 24 words, by the way. There are people that do shorter seeds. Obviously there’s a security trade-off there, but the final word is a checksum. So that has to be calculated by computer. That’s pretty annoying. But if you were to pull 23 words out of a hat and use one of these free softwares like Seedpicker, which is one we’ll go over in the future (I publish open source libraries in two different languages, one in Python, one in Golang; Seedpicker is written in JavaScript; I believe there are others, and I think there will be many others in the future),

Michael Flaxman:

you can get that 24th word calculated and the xPub that you would need to be able to generate addresses. So if you’re going to do single sig, which I think is only advisable for experts because there are too many places where you could get it wrong, that is an absolute must. You have to get the random number generation on seed generation correct. And you can do it just by pulling words out of a hat. In practice, people don’t want to print out 2048 words, and the software libraries that do this aren’t super popular. And so more likely people are either going to add a passphrase or they’re going to use dice. Those are the two most common ones. If you’re gonna use dice, you have to verify what you did, because there are two levels of things you’re worried about going wrong.

Michael Flaxman:

One is the hardware’s random number generator is compromised. And the other is that the software is just malware that’s completely lying to you. And it doesn’t matter what the hardware random number generator does, because it’s just going to spit out the seed that it wants to give you no matter what. So in the case of a compromised random number generator, then something like rolling dice can work if your software is doing what it’s supposed to be doing. But remember that we’re getting a device shipped to us with software on it that we did not install. And it may or may not be doing what the open source published version says it’s doing. It could be a different version of the software altogether. So if we really want to be sure of this, then we have to compile our own firmware, which is obviously complicated.

Michael Flaxman:

It requires some command line skills and is not a recommendable thing for most people. If you’re an expert, you might be able to pull off single sig this way. But for a normal user, you just want to buy a device from a company, do some basic validation that it’s real, and get on with your life. So you’re probably not going to do this. If you’re doing the dice thing and you can trust the firmware, either because you installed it yourself, or maybe you bought it from the company at an event, again, that trust is only so good, because the company doesn’t have to be malicious for this to happen. It could be someone upstream of them in their supply chain that found a way to load this firmware on. So it’s a little bit messier, but assume that you have good firmware and you want to run this process. Then, if the firmware is really running the software that you think it is, then probably you’re just going to be fine, because it’s going to take your dice rolls and do what’s called in cryptography XOR, or you can think of it as, like, blending it into the random number.

Michael Flaxman:

So random numbers are always additive. You can always add two random numbers to one another; the method to add them is usually called XOR’ing the bits together. And that’s just literally, if you have two ones they go to a zero, two zeros go to zero, and a one and zero go to a one. Actually I haven’t thought about bit flipping in a long time, but anyway, so you could XOR bits that way. And that’s effectively what you’re doing: you’re just adding two sources of randomness together. So if your firmware is good, then probably it’s just gonna work as designed. And so all these dice rolls will work. The scary part is, imagine your firmware is actually not doing what you think it’s doing, and you roll all these dice, and it just ignores all your dice rolls and displays all this info on the screen that’s irrelevant and then says your seed is good, but actually it’s not. So to be sure that your dice rolls worked, you have to do it again on another device that you trust and see that the two devices got the same output. And once you get into that land, it’s like, well, if you’re going to use two devices, just do multisig. That’s the whole point. You don’t have to have this level of extreme caution. You can just rely on the security of multisig in the first place. So I don’t love dice. I don’t want to say that they’re terrible. But if you’re not doing it again on another device and verifying it, then it can be close to borderline security theater. We just like dice because it’s a natural human thing; we see them at casinos, and we kind of understand the randomness. But what we don’t understand is that those dice rolls need to map to those words. And that’s not something we can manually verify in meatspace. Whereas if we pull the words out ourselves out of a hat, then we can verify that those are the words we pulled out. And we just need software to tell us that that generates the same addresses, which any hardware wallet or software can do for you.

Stephan Livera:

Let me just walk that through, in an example, hypothetically, right? So, you know, I’m using the Coldcard and I’m doing the dice rolling function, right? Where you press four and you roll some dice and it changes the words of your seed. Right. But hypothetically, right. So being, you know, fully paranoid about this, what you’re saying there is it’s theoretically possible that, you know, the firmware was changed in some way or that such that you think, Oh, look, it’s showing me new words. Therefore I’ve got a new seed, but the reality is the guy who was, you know, pwning you upstream or whatever has set it up, such that even though it’s changing the words, those are still words that he knows and can use as part of his retirement attack, right?

Michael Flaxman:

Exactly. It would be trivial for him to have a billion different outputs that he was waiting for. And they would look random to you, because we went back to this random number generator example where, you know, I demonstrated how you can prove random number generators wrong. But if you have a billion outputs, you could spend a lifetime and you won’t be able to prove that that’s not random. And so you get the same output. And I want to clarify in this, I think Coldcard does many, many things right. I like them as a product. I recommend using them in multisig. I think they’ve done great things for the industry. I think they’re very transparent in many ways. It’s not a slight on them. This applies to everyone. So yeah, it’s not a specific issue to Coldcard. It’s a specific issue to single key signature schemes and relying 100% on something that you can’t verify.

Stephan Livera:

Exactly. Right. Okay. So let’s move on to other single signature single points of failure. So we also have to guard against exfiltration. And so I guess periodically we see some of these attacks. Let’s say Ledger Donjon will do an attack and show, Hey, here’s how we were able to exfiltrate the private key material from the device. Right?

Michael Flaxman:

Yeah. And so the biggest area you see this is in the air gap. This is why I really like QR code based air gaps. And we’ll see this in the Cobo Vault, which is a new product. Their air gap is spectacular, plus it creates a great UX. But anytime you’re plugging a device physically into your computer, well, it’s definitionally no longer air gapped. The whole point of an air gap is that you have a gap of air surrounding the device. An SD card is kind of like this middle area where it’s definitely better than USB, because the USB stack has so many more vulnerabilities. I mean, imagine in the worst case, for example, that the hardware wallet you bought was not genuine. You plug it into your computer, it’s actually a keyboard, because it’s a USB device that you plugged into the computer, and it takes over your computer and starts installing malware from the internet.

Michael Flaxman:

And now your computer actually is malware infected, as is one of your hardware wallets. That’s a scary position that you could be in that’s avoidable if you don’t plug your hardware wallet into your computer. So that’s just one example, one of many, many. A proper air gap means it is gapped by air, and an SD card is sort of like a pretty good cheat that gets you most of the way there. We did see in the case of Stuxnet that the US government was able to jump the air gap into the Iranian nuclear reactor, which is some crazy James Bond stuff. And an SD card and a USB pen drive are not exactly the same thing, but I wouldn’t want to rely a hundred percent on that air gap. Although it is definitely better than just keeping your seed on your software wallet.

Stephan Livera:

There’s also the secure element aspect. And, you know, on some of the attacks that they use, and again, this goes beyond me, but some of them use these things like differential power analysis and other ways to try and basically, once you have the device physically, extract the seed out from it. And there have been attacks of this nature disclosed against, say, the Trezor wallets and others.

Michael Flaxman:

Yeah. These are almost considered like a side channel attack, because the fundamental cryptography isn’t broken, but there’s some side channel where you’re able to listen in. And so if you’re doing, like, ECDSA signatures, there’s a lot of arithmetic happening, and you could listen potentially to what that workload sounds like for the processor and then determine from that pattern of noise what the key was. Realistically, I think this is very, very low concern. Like, if you’re looking at Glacier Protocol, you know, they’re running noisemakers and stuff. I wouldn’t be too bothered by this, but again, this is where multisig is different, and each device would be different. Each device would need an attack specific to it. I do remember reading some standards once about computers that were on tables and how that sound traveled through the wood really far, which was kind of terrifying, because, you know, a wooden table and wooden floor, and it could travel through the table to the floor.

Michael Flaxman:

But again, this is like some extreme James Bond stuff. This is not what I worry about at all if I’m using multisig, because I’m using different wallets by different vendors that are performing this stuff slightly differently. So just being tuned to listen would be pretty hard. Assuming it’s even possible; it’s theoretically possible, but who knows if it’s practically possible. And the bigger one that we see with the secure element is the physical security. So the idea that you want to know that nobody could have broken into your safe and found your Coldcard and then pulled the seed off it. And that is definitionally different between the devices with secure elements and the devices without secure elements: in theory, with the ones with secure elements, even if you had physical possession of the device, you wouldn’t be able to extract the secret.

Michael Flaxman:

And part of that is because the secure element will be encrypted, and in order to decrypt it, you need a key. Usually that’s on the secure element. And in order to get that key, you need to enter your PIN. And the secure element will only allow so many PIN attempts. So we kind of see this already. If you have, like, an iPhone, you can only enter your password so many times, and you might have to wait some number of seconds between entries, and then after some number of attempts, it might get wiped. So that is a very cool feature that certainly in the single key signature setup, if I were going to recommend one of those, I would want it. For multisig, it gets a little bit different, because now you’re talking about breaking into multiple secure locations, which has such an enormous extra burden.

Michael Flaxman:

You might want a PIN as well. But the default, you know, in multisig, is already so secure that I would be a lot less concerned about having a secure element versus not. And part of that goes back to, if you have a PIN, well, you have to remember that PIN. So that’s another thing you have to keep track of, and you need a backup, and your backup is just going to be the seed phrase without your PIN. So now you’re sort of back to the same problem. How can you have physical security on a piece of paper that’s written down with your seed phrase? Well, if somebody gets access to that, they’re going to see your seed phrase, and you want to have a backup. So this is another example where multisig just gets you to a different level where you can say, alright, you need three of five of these.

Michael Flaxman:

That’s really hard to get, you know, they’re going to be in safe deposit boxes and safes at home and buried in a mountain. And, you know, places that only the person who set it up knows. So it’s not impossible that somebody could steal three of those. But it’s so much harder that instead of worrying about, you know, PINs and secure elements, we just worry about what are my 2 of 3 secure locations or my 3 of 5 secure locations. And I can think about it that way. That offline security problem is something that we’re already pretty good at. And we grasp it intuitively and we understand it, whereas the cryptography part is very hard if you don’t have a background in it.

Stephan Livera:

Okay. And I’ve got two points here I’d like to get your thoughts on. So in relation to physical security and trying to get that right, I guess first, one level of additional protection you could have is to use things like tamper evident bags and so on, so that if you’re periodically checking the wallets or the devices, you know at least if it’s been opened, so that’s at least something. And I guess the other point I would raise here, just to get your thoughts as well, is taking Casa’s seedless line, right? So the Casa approach on this would be something like, hey, we’re using seedless. And the reason for that is if you keep these backups, say the 12 words or the 24 words, that itself can become another point of failure, because if somebody gets those 24 words and you have no passphrase on that device, then the attacker is getting one of your keys or one of your devices.

Michael Flaxman:

Yeah. So, an important nuance on what Casa does. So I’m talking about their 3 of 5 offering. If you’re going to consider Casa, you should 100% be in the 3 of 5 camp. But in their 3 of 5, you have one key that’s on a software wallet, that’s your phone, they hold a key, and then you have three hardware wallet keys. The 3 hardware wallets by default do not have backup seeds; Casa backs up their key. And the one key that’s on your phone, you can back up; it has a feature for you to do that. It’s the hardware wallet ones they don’t back up, because those are considered to already be designed around defending that. Although, you know, if you’re using like a Trezor, there is no physical security, or no assumption of physical security; you know, an attacker with a hundred dollars of equipment and physical access to that Trezor can pull the seed off of it.

Michael Flaxman:

Whereas, you know, if they were using like a Coldcard, that would not be the case. So that’s an important distinction with those, but back to Casa seedless. So their hardware wallets, by default, they do them seedlessly, because they believe that the risk that you’re going to mess it up is higher than the extra benefit of the backups. Which I think is a reasonable trade-off that reasonable people can disagree about. And most importantly, if you were to use that, it’s your choice. So their recommendation is to do it that way. Their instructions are to do it that way, but you set up your hardware wallet and you can back up that seed or not, as you see fit.

Stephan Livera:

And I guess that contrasts with, say, the Unchained Capital model where, you know, you are keeping the backup seeds and it’s a two of three, but with backups. And I guess in the do-it-yourself model, again, it’s similar: you’ve got to make that call on exactly how you’re going to do that. But yeah, anyway, going back to now some of the other potential single points of failure with single signature, we’ve got this one around malicious deposit addresses. So what’s the problem with this and how do we mitigate that?

Michael Flaxman:

Yeah. So these are sort of the two oldest tricks in the book. One is the fake seed, you know, the first one we talked about, and that’s the one where we could see billion dollar retirement attacks from every single hardware wallet manufacturer out there would be possible, which is so scary. The malicious deposit address, we’ve seen different versions of this for years. I mean, early QR code generators for the blockchain.info’s of the world and coinbase.com’s of the world.

Michael Flaxman:

People realized, hey, I want my QR code generator to show my address and not your address, which is a really, really clever hack. And of course these sites are all well aware of this, and they write their own software to generate their own QR codes. They don’t rely on a third party to render those QR codes. But it’s a great attack, because at that moment, somebody is looking at using that address for a deposit. So that’s when you’d want to substitute yours with multisig. Well, I guess we’re talking about single sig for now. So you really want to make sure that your deposit address is yours. And so you really need to do that on more than one device, because it would be so easy for a malicious device to substitute the attacker’s address for yours. And if you’re going to verify on two devices, again, we’re back to multisig land, where multisig is perfect for this. You can have two devices by two different vendors that are part of the same two of three quorum. And you can get that level of security without having to do one device extra perfectly, and put that seed on two different devices and check everything. So that’s another example of where multisig just gives you this for free.

Stephan Livera:

I guess the guidance around that is around making sure that you can check the address on your device. And I guess, depending on the device and the software you’re using, there are varying levels of support for this as well, right?

Michael Flaxman:

Yeah. This is something we’ll get to more later, because in the multisig scheme it’s more complicated, and there have been a lot of advances here, which is really great. The other common single-sig worry is about change on your spend. So in Bitcoin, you know, we think of it like, I’m going to send you $10. In Bitcoin we’re dealing with UTXOs, and I may send you a UTXO for 2 Bitcoin, or I may spend a UTXO of 2 Bitcoin with one going to you and one as change back to me. And so making sure that that one is change back to me and not change back to my attacker is really important. And this can be very asymmetric, because if I have a one Bitcoin UTXO that I need to spend, it’s my only UTXO.

Michael Flaxman:

And I want to send you 0.1 Bitcoin. Well, the change is going to be 0.9 Bitcoin. So the change can be 10 times larger than the spend. So I need to be sure that that change really does belong to me. And again, I could do this using multiple hardware wallets, or checking my transaction with my private key in multiple places. But this is what multisig just does so well; we would get this for free if we were to check on two devices. And then the last one, which is the hardest one, I think, is the randomness in the signature. So the way ECDSA works is you prove that you have possession of the private key, and the private key is just this number between 1 and 2 to the 256. And in order to give that proof, you use what’s called a nonce, or a number used only once.

Michael Flaxman:

And you perform a cryptographic trick where you do something that is only possible if you had the private key and the nonce. The thing about it is, if anyone else has the nonce and they have the signature, then it’s trivial to get the private key. And so you need to know that this nonce is truly random. And now we’re back to this problem of proving randomness, which, practically speaking, is very, very hard to do. And so you could get a hardware wallet that, this is called a chosen nonce attack, inserts the attacker’s nonce. And you wouldn’t be able to tell until the transaction was broadcast, and then they could potentially get that key. Now there’s a whole lot of asterisks in all of this. You would get the key for that signature only; that doesn’t mean you would get all the other keys for that wallet unless you had their extended public key, which some wallets by default, like Trezor and Ledger, do send extended public keys out to remote servers when you boot them up by default. Advanced users can find a way around it, but by default that’s what happens with those wallets. So that is scary. So only in that.

Stephan Livera:

Small correction there: I think with Ledger, they don’t actually send the xpub, but I think they just directly query the next 100 addresses. But I believe that’s correct for Trezor. Just, yeah, just so you know.

Michael Flaxman:

Thank you. Sorry. I don’t want to misstate anything on that. And I could be not up to date on that. I haven’t tested the Ledger thoroughly in a while. But this chosen nonce attack, it is terrifying, but probably narrow. And again, almost completely solved using multisig, because if you’re signing on two different devices by two different manufacturers, your attacker would have to compromise the nonce, or the random number generator usage for the nonce, for both of those devices. And then that still only by default gets you the key for that transaction, which was validly signed. So maybe it’s just going to get mined. And then, if there was no address reuse, then that key wouldn’t be protecting anything else. So maybe this attack could exist in the wild and it would not be a problem, but there’s so many ifs there and it’s so squirrely: if anyone has that xPub and that child private key, well then they are going to get all of your active private keys. So then it’s horrifically bad. Again, multisig would just protect you from this; with proper multisig with multiple vendors, you don’t have to worry about this.

Stephan Livera:

Yeah, that’s scary. And so I guess just for clarity there, part of the reason for that comes down to hardened derivation versus unhardened derivation.

Stephan Livera:

And so my understanding here is Bitcoin Core uses hardened derivation, but basically pretty much every other wallet in the space, for usability reasons, uses unhardened derivation. And that’s what gives rise to the possibility of that. Right?

Michael Flaxman:

Well, so what you said is technically correct. When you have a hardened derivation on the child path, then if somebody were to get that child private key and they had the xPub of the parent, they would not be able to get any of the parent’s private keys. So you do get that level of protection, but the way Bitcoin Core does this versus the way wallets implement it has to do with the derivation for change branches and receiving address branches. So basically you sort of have two functions in your wallet: you have addresses that you’re receiving to, and you have addresses that are just change for your spends. And so it’s a question of whether you harden, or how you do the hardened derivation, for those two things, because you might want to just have a receive branch where you put a public key on a web server that’s kind of insecure.

Michael Flaxman:

And so that xPub could get leaked. And so you want that extra level of hardening. But fundamentally, if you have a child xPub for, say, a bunch of receiving addresses, and then a child private key is reversed through a chosen nonce attack, then all the children of that child xPub, when that child xPub and that child private key are combined, would give you the rest of the child private keys for that branch. So there is a distinction on where the hardening took place, but it’s way deep in the weeds. And the point is that you don’t want to say, well, it’s just my change or just my receiving that’s at risk. You just want none of these things to be at risk.

Stephan Livera:

Right. Yeah. And in fairness, in practice, many of the wallets are not using hardened derivation. And that’s for a usability reason. So we have to basically try to protect against that chosen nonce attack. I guess the other big one here is around inheritance, so yeah,

Stephan Livera:

This can be a bit difficult, right? Because many people in the space act as though we’re going to live forever, when obviously that’s not true. And we have to think about what people are going to do when they pass it on to their children or their family or whoever. How are you thinking about the inheritance scenario in single signature versus multi signature?

Michael Flaxman:

Yeah, so inheritance is one of the ones that I think Bitcoiners have the biggest blind spot to. Whenever someone tells me their Bitcoin is super secure, I say, well, what happens if you get hit by a bus? And nine times out of 10, they’re like, ooh, well, I guess I’d be dead. So that’ll be okay. But in single-sig, it’s really hard. You either have to give your private key material to somebody while you’re alive and trust that they won’t spend it or lose it or be hacked, or you have to do some complicated scheme where you’re like, all right, there’s a safe deposit box that I have now, but it’s going to be yours. But now I’m worried that the banker’s going to look in the safe deposit box. So, you know, maybe that safe deposit box only has the seed phrase, but then the passphrase is somewhere else.

Michael Flaxman:

Or I’m going to give that to you, or I’m going to use, you know, one of these dead man switches, and it is not impossible, but it’s not trivial, because you have to pass everything to somebody when you die and you want them to have none of it while you’re alive. In multisig, you can have a much more blended approach, because you can say, okay, I’m 3 of 5. I’m going to give one to heir A and 1 to heir B, or, you know, a member of my estate A, a member of my estate B, and those are going to have two of my five keys. And then I’m going to have three of them. And one of my keys would be, say, in a safe deposit box or with a trusted third party; it could be like an Unchained or Casa. It could be with a lawyer or accountant.

Michael Flaxman:

And the idea is there’s sort of a natural flow there. And maybe there is some room, depending on the situation, for collusion while you’re alive. But again, this is like your heirs colluding to get their inheritance. They’re probably the people that you want to have the money. So it’s a natural, smoother progression. And it just works really well. So it’s sort of the biggest one. If you care about what happens to you when you get hit by a bus, then multisig inheritance is great. I think it’s something a lot of Bitcoiners should care about. You can almost think about it as a free life insurance policy. You know, if your Bitcoin dies with you, and if you were able to find a way to make it pass along, you can kind of put a price on what that would be worth. Like if you have, you know, a million dollars in Bitcoin, you know what a million dollar life insurance policy would cost you. Now you can set it up by making sure your Bitcoin isn’t lost when you get hit by a bus. So there’s real value to be captured there. And I think that’s one of the biggest opportunities for the multisig service providers like Unchained and Casa, because this is such a valuable thing.

Stephan Livera:

Yeah, for sure. Alright. Now we’ve got to think about Security vs Deterrence. So how should we think about that when we’re thinking about securing our keys?

Michael Flaxman:

Yeah. It’s so common when we talk about these things: security is like an endless rabbit hole you can go down; nothing is a hundred percent secure. Security is not a binary. There’s always going to be a “yeah, but”, or “I have this thing”, or “I prefer that”. The way I want to try to phrase it: you can think of security as like a garage with a tall electrified fence, it’s topped with razor wire, there’s an alarm and surveillance system. There’s automated flame throwers. It’s surrounded by alligators, and you’re defending a Honda Civic. Like, that car is not going to get touched. And there’s giant signs everywhere. Deterrence is parking that same car on the street and putting the club on the steering wheel; deterrence is “rob the guy next to me”, and that’s probably what’s going to happen. Because the car next to you isn’t going to have the club.

Michael Flaxman:

And so your attacker is going to move on to that car, but if your car was a Bugatti or some really fancy high end car, the club is not going to really do anything. And so that’s what a lot of these defenses are. They’re weak guarantees, and they don’t reduce theft in aggregate. They just shift the robberies onto less suspecting victims, which, to be fair, are the ones that weren’t willing to do as much work to prevent it from happening. So, you know, maybe they didn’t care as much. But multisig makes attacks impractical. And so we can reduce the aggregate number of attacks, which is the really cool part. So if you knew it was going to be this hard to steal someone’s Bitcoin, because they do all of this stuff, well, you might even try less, and that’s pretty cool.

Stephan Livera:

Yeah. I like that idea. So it’s sort of like a herd immunity kind of idea, or a meta point, right? Like if it’s commonly used and a lot of people are using multisig, well, then it makes it a lot more difficult, because the attackers are now going to have to think, okay, I’m going to have to go and compromise two places or three places to get it.

Michael Flaxman:

So you should really think about this in the context of what a company’s position is on multisig. If they make great multisig products, what they’re telling you is, look, we know we can’t be a hundred percent secure; nothing is. We want to do everything we can to make your Bitcoin as secure as possible. We’ll work with other hardware wallets and other software so that we can give you this additive or even multiplicative security. If instead a hardware wallet manufacturer says, well, yeah, but we have feature X, Y, or Z, and every hardware wallet has feature X, Y, or Z, so we don’t need it, you should be incredibly skeptical of that pitch, because all hardware wallets, remember how we started out, have the ability to not have been using the random number generation software as they were supposed to be; they could be doing that attack right now. They could have been doing that attack for years, and they’re just waiting for enough billions of dollars of value to accrue before they walk away with the money. So, you know, they can talk about their advanced features. It’s all trust. It’s not verification, and multisig fundamentally changes the equation.

Stephan Livera:

Yeah. So it becomes about the ecosystem and how the whole overall space is going. And we’ve had some developments in that. And I guess, yeah. So my next question to you would be, how in your view has the hardware wallet and multisig space evolved since SLP97 in August 2019?

Michael Flaxman:

This is one of the things I’m most excited about. So we’ve just seen a ton of improvements in software, hardware and the hosted services as well, although I don’t explicitly endorse them. I do think they have some room for improvement still to go. So let’s start with the software. The really exciting one is Specter Desktop. You’ve done a great interview with Stepan and Ben. I’m sorry, I don’t remember the episode number, but that one was really good.

Stephan Livera:

205 I think, yeah.

Michael Flaxman:

205. And Specter Desktop has great features; it’s basically designed to be used, which I think is sort of the biggest thing that sets it aside from the others. It’s really simple. It’s designed so that you don’t shoot yourself in the foot, and it’s all designed around keys, a quorum of keys going into an address, or, sorry, into a wallet.

Michael Flaxman:

And then that wallet generating addresses and signing transactions. And it’s pretty straightforward that you can attach hardware wallets to it. You can do something like seedpicker, which we’ll get to, where you generate your own seed yourself. You put that in as part of your quorum. It has a one-click binary, it’s compatible with other standards, runs off Bitcoin Core. Even I submitted a pull request to it that got merged in about a month ago or a couple of weeks ago that adds Merkle proofs, which is a really cool one for future use. It’s not really designed to be used this way just yet, but in the future you could have a friend or family member who runs a Bitcoin Core node, who’s able to see your privacy information, but you wouldn’t have to run your own Bitcoin Core. You could trust them for consensus rules. And then that would make your setup much easier; obviously that comes with risk. You should run your own Bitcoin Core, but as a simpler one, you can use Merkle proofs in Specter that way.

Michael Flaxman:

So Electrum has also made a lot of improvements, but I would describe Electrum as less painful to use than it was before. I would only recommend it for expert users. It’s really challenging. There’s so many gotchas.

Michael Flaxman:

I think the expression that comes to mind, a popular one in cryptography, is you don’t want your cryptography to feel like juggling chainsaws while blindfolded, and that’s what Electrum can feel like; there are steps that are not so easy to use. I guess we’ll get to that later. But Specter Desktop is just the product that was built for this. It really is great. I became an open source contributor to it because I like it so much.

Stephan Livera:

That’s awesome. We’ve also got Caravan as well, by Unchained Capital.

Michael Flaxman:

Yes, this has come a long way. This time last year, I believe it only supported pub keys.

Michael Flaxman:

And you could put in a bunch of pub keys and generate a single address, and now Caravan supports whole wallets. So you can put in extended public keys and it will generate you addresses deterministically. It works out of the gate off blockstream.info as their backend, which obviously, you know, has privacy and consensus rule implications. But you can get started that easily, or you can power it with your own full node, which is what you should do. That’s pretty neat. It doesn’t support the good multisig hardware wallets yet, although they have pledged to add ColdCard, and I know they’re looking at Cobo Vault. It’s sort of the best way to use the old gen hardware wallets for multisig. We’ll talk more about the newer, better hardware wallets that are out there for multisig. And then Sparrow is a brand new piece of software. It’s only a couple of weeks old, and so I haven’t tested it enough to endorse it, and I have found a number of bugs. But it’s really cool to be able to export your Specter file and just import it into Sparrow right away and see your addresses and verify that way. So that’s exciting.

Stephan Livera:

Alright. How about hardware wallets now?

Michael Flaxman:

Oh yeah. Okay. So the really big news in this is Cobo Vault. Cobo is new to the Bitcoin scene; at least, they’ve been an altcoin wallet, which I didn’t think very highly of, because I’m no fan of shitcoins. But they do have a really spectacular air gap on the device, and a Bitcoin-only firmware now. If you’re doing any of this Bitcoin multisig stuff, you have to use that firmware. That is obviously not a full solution; that’s problematic. But anyway, back to the air gap: their air gap is spectacular. They have a big old screen and a camera; you can set the whole thing up without ever plugging it into a computer. You can verify receive addresses that way, and you can sign transactions that way and broadcast the transactions back to your computer using a QR code. So just absolutely pristine, best-in-class air gap. And the UX on that is really good. There are some very real negatives of this. They are built on top of Android’s operating system. They do harden it, but that’s, you know, closer to a general purpose computer.

Michael Flaxman:

That’s not what we like to see for guarding private keys. They have open sourced a lot of what they’re doing, but not everything. It leaves a lot of room, because you only care about these very specific things like seed and address generation. You know, I don’t really care if the menu buttons are open sourced, so that is always of concern, but their constraint is that they use a secure element, and all the secure elements are closed source and under NDA. So you can’t open source all of your code. They’re doing well within that constraint, and that’s what’s allowed them to build this great product, but it does have this big asterisk. I’m trying to think of the other Cobo tradeoffs, but really I’ve just been impressed.

Michael Flaxman:

The biggest thing is they ship. You know, they contacted me after the last episode and said they wanted to add all the things that I was saying I wanted to see in a BIP174, PSBT-supporting hardware wallet, and they put out milestones for when they were going to do it for single key, for multisig, for adding testnet and a bunch of other stuff. And they’ve just chipped away at adding these features. And I love to see that. And I think having two that are good at multisig, Coldcard being the obvious one, they invented BIP174 and they’ve been around for a bit longer, having two is really a game changer, because now everyone has to get on board; you know, they’re your two in your two of three, and everyone else is now in the position of, can they be added to that or not?

Michael Flaxman:

So it’s no longer this question of obscure feature X, Y, or Z. Is it possible to use you in a secure multisig? And right now, for most, but not quite all, of the other hardware wallets, the answer’s no. So that’s something that I think is really going to change, because we have a standard and everything’s using it. And we’re going to see more and more support. The next hardware wallet that I’m excited about is not a hardware wallet, it’s a software wallet. And it was also somewhat in response to our last episode, SLP97; it’s called seedpicker. It’s at seedpicker.net. And it’s a cool one, because I was just messaging with this guy Merland, I’m embarrassed, I don’t even know his name in real life, about his site. And he agreed to basically make it into a Specter Desktop multisig tool.

Michael Flaxman:

And that’s what he’s done. And he’s continued to iterate on it constantly. I mean, he pushes updates all the time. I think it’s getting pretty close to its terminal state, just because it’s really good. But the basic idea is it’s a lot like bitaddress.org, if your listeners remember that from five years ago, which was this site that I do not recommend, but it was to generate a paper wallet. And you would go to this website and move your mouse or bang on your keyboard for randomness. And it would give you a private key and an address in a bunch of different formats and with QR codes, and you’d print it out. And you could just sort of use that for your Bitcoin, for receiving Bitcoin. Of course, there’s address reuse issues when you want to go spend your Bitcoin. It’s really problematic, because at that moment you have to load your WIF, your Wallet Import Format private key, onto some software that you probably should have tested and set up really securely before you started receiving Bitcoin. And that notoriously caused problems for people if, like, maybe that software tried to sweep it before it was part of that new wallet, and then their funds were in some weird place.

Michael Flaxman:

I know I had people come to me where their transactions stalled out in that moment, and they were just so confused as their funds were between wallets. But anyway, seedpicker is like that, but without any of the negatives, so you are the randomness: you pull 23 words out of a hat. It also has a guide if you want to use raffle tickets or other ways to do it, so that you don’t have to print out 2000 words and draw them out of a hat. You put in those 23 words and it appends for you automatically the 24th word checksum. And then it gives you the public key info that Specter Desktop needs to coordinate your multisig. So that’s the SLIP132 version byte formatting, your root fingerprint for your wallet and the derivation path, and all that stuff is stuff you don’t really need to know or understand.

Michael Flaxman:

You just hand it to Specter. And you’re good to go, but you have to be obviously concerned that this tool could be lying to you in the same way that I was saying before the hardware wallets could. Maybe your seed doesn’t actually correspond, or rather the extended public key information that it’s giving to Specter Desktop doesn’t correspond to the seed that you pulled out of a hat; you know, it could be just totally faking you. And so you want to confirm that on a separate setup. And so one of the things that I did to make this easier is I published some free open source software called human RNG, or human random number generator. The joke being, you are the random number generator. And I wrote this in both Python and Golang, just for extra redundancy.

Michael Flaxman:

And you could type in that same seed into that library and confirm, okay, do I get the same checksum? And do I get the same public key information? And if you got it in JavaScript, Python and Golang, I would feel real confident that was good. But if you don’t trust it, right, another implementation in another language, run it against that, would be great. And of course, all of this should be done offline on an airgapped machine. Never touch the internet, wipe it afterwards. You know, I don’t want to see any of your information, to be fair. The seedpicker one has a nice GUI and anyone could go ahead and use that. If you could use bitaddress.org, you can figure out seedpicker.net. My stuff is command line only, because it’s just kind of, that’s all I wrote for now, but I would like to put a GUI on it one day, someday.

Stephan Livera:

Let’s the things to do. And how about some of the other hardware wallets?

Michael Flaxman:

Yeah, ColdCard has fixed a bunch of bugs. There was a huge one having to do with extended public key ordering that was this mystery bug that persisted for 11 months, where sometimes the Coldcard just couldn’t verify receive addresses on the screen. And that got merged about a month ago. The Trezor recently added support for stateless address verification; that came through your sponsor Unchained. Their CTO Dhruv submitted a pull request that added this functionality, I would say badly missing functionality, to the Trezor. So you can now, with a Trezor, prove that this Trezor is part of this quorum. So, you know, if you have a 2-of-3 and you have a Trezor, and you want to know, hey, is my Trezor even included in this address?

Michael Flaxman:

Yes, I’m one of the two of three. Now there is an obvious negative here. You’re only one of the 2-of-3; the other two could be your attacker. So you need to verify that’s not the case, and Cobo and Coldcard have some built in defenses against that. Trezor is stateless, so it doesn’t store the information of your other co-signers, so that’s a huge vulnerability for using Trezor for multisig, but still it’s a big improvement from where they were before. And then Ledger has strangely come out kind of against multisig, in a bizarre turn of events. And actually, I want to address that a little bit. On SLP103, shortly after our last interview, Charles, their chief information security officer, I’m not sure if I’m pronouncing his last name correctly, Guillemet.

Michael Flaxman:

He said, and I quote, a tiny mistake can lead to massive loss at scale, and this is very concerning to me. And I thought this was a really bizarre thing for a security company to say; this was his response to a question about multisig. And they don’t really support multisig. They can’t verify receive addresses in any way. On spends they can’t tell which is change, which makes sending very hard for anybody but an expert user to verify. And it’s sort of a bizarre one. The only thing that I can think is that they offer this competing single sig product that works between other closed source Ledger devices. So you could have a quorum of Ledger devices use cryptography that’s totally outside Bitcoin or the blockchain to validate that, like, m of these devices have agreed, and then they’ll sign a transaction that they broadcast on chain.

Michael Flaxman:

And that would support like hundreds of shitcoins. And those coins may not support on chain multisig. So that’s my guess at what Ledger is getting at. It was very weird. I even called out one of the quotes from your episode and tweeted it out. And they said that they wouldn’t respond to, I forget the exact word, I think they called it a solipsism, which I wasn’t sure what that meant, but they said they wouldn’t respond to it. And I think these are the exact types of things they should be doing. The other wallets are moving in this direction. The additive power of multisig is really cool, that even if a wallet, say like Ledger, is closed source, I don’t have a problem with that; that could provide additive security in a multisig environment.

Michael Flaxman:

I think their stance is very bizarre and sort of uncharacteristic of the rest of the industry. So I hope that they will reconsider adding support for multisig in the future.

Stephan Livera:

Yeah, for sure. And also thoughts on the hosted services?

Michael Flaxman:

They’ve gotten much better too. So the big one is address verification. This was, I basically didn’t want to talk about these services publicly because I love multisig so much, but they, they didn’t have much in the way of address verification in the past and now they do. So that’s gotten a lot better. Unchained can verify, and you can verify address on your device with just a Trezor with Casa, they support Coldcard as well. Coldcard is sort of like the gold standard or at least the innovator for multisig. They invented BIP174, and they were sort of the first to do it well.

Michael Flaxman:

So Casa has the big advantage that you can use both Trezor and Coldcard, and you really should be doing multi-vendor multisig. Because again, the scariest attack would be that you buy two of one device and the random number generator on that wasn’t being used correctly. And then two of your three seeds have been compromised just because you bought two devices, and maybe you’ve got them from the provider. Maybe they sent them to you. So there’s just so much room for tampering there. But so Casa does support both Coldcard and Trezor; neither of these guys support Cobo. I know they’re both looking into it and we’ll see when we get through again, into this guide, about some of the advanced features Cobo has and why you really want to have that as part of your quorum.

Michael Flaxman:

I don’t do negatives with Cobo. I don’t want to say that it’s a perfect device. But for multisig, compared to what’s out there, it’s sort of like a must have for your quorum.

Stephan Livera:

Yup.

Michael Flaxman:

Also, the hosted services have gotten much better at sovereign recovery. So Unchained has the slick Caravan tool and they have a little video on their website and you can see, like if we went out of business or we were malicious, this is how you get your funds unstuck, you know, with your two hardware wallets. And it’s like, as easy as you can make this. And then Casa will show you how to do it with Electrum. That’s really hard. I would say that’s expert only level stuff, but you can do it. And obviously it’s not a normal use case.

Michael Flaxman:

I mean, Casa makes money every month that you pay them, so they’re not looking to go out of business or anything. So I think that’s okay. And if you, you know, if some crazy event happened and you had to pull out of Casa on your own and they were no longer responsive, they do have the sovereign recovery instructions that are just difficult because of Electrum constraints, but they’re doable. So if you had to figure it out, you could probably figure it out. So yeah, those are my like asterisks. I think those services are about to be so good, especially when you layer in inheritance. But I think they’re just still not quite where I’d want them to be yet.

Stephan Livera:

Gotcha. Yep. And just another small correction with BIP174, I believe that was actually written by Andrew Chow, but to your point, I think it’s that Coldcard were the first to support it, in terms of hardware wallets, and their wallet is natively PSBT. So that’s, I guess that’s the point we’re getting at there.

Michael Flaxman:

Yes, sorry about that.

Stephan Livera:

Yeah, no, that’s fine. Just wanted to make sure Andrew Chow got his shout out because he did make it, and with.

Michael Flaxman:

And it is Andrew Chow’s HWI that powers Specter desktop, which allows for all this multi-sig stuff to be accessible to the masses. So maybe, maybe silent hero, not getting credit.

Stephan Livera:

Yeah, puts in a lot of work to keep that going. I think and now I guess the main counter argument, you know, when I talk to someone like Rodolfo CEO of ColdCard the creator of ColdCard, he might say, look you know, multisig is great, but a lot of people shoot themselves in the foot because there’s a lot of complexity with this. What are your views on the complexity of multisig and whether it is worth it?

Michael Flaxman:

Yeah. I remember once, Bryan Bishop, a Bitcoin Core developer, said this at the Austin Bitcoin developer meetup. And I don’t know whether it was his originally or whether this is somebody else that he took this from. But he said that multisig doesn’t add any complexity. It just forces you to perform the steps upfront. And I think that’s really spot on. So you should be verifying your seed when you generate it on two different devices, and single sig users notoriously do not do this. You know, it’s gotta be single digit percent at best. If you’re doing single sig correctly, you should be verifying that twice. Well, you could just have two hardware wallets and create a seed twice that way. And be much more careless about your level of caution at each step. You know, whether it’s updating your firmware or are you going to roll dice or use Seedpicker or just trust the thing because, Hey, you bought it from them at a conference and they seem reputable.

Michael Flaxman:

So I would say the main point that he’s making was true historically, but it’s just not true anymore. Multisig used to be really, really hard when it was Electrum only, when we didn’t have Cobo and when ColdCard’s integration with Electrum was not so nicely done, and Electrum, for almost a year, did not release a new binary. So you had to build this stuff from source, from the command line; all of this stuff used to be hard. And I think all of his complaints were very, very fair then. I wouldn’t say that it’s easy now. I would say it’s intermediate now, but it’s getting easier.

Michael Flaxman:

And also in Rodolfo’s case, you know, he’s running a business and he’s dealing with the consequences of customer mistakes all the time. And so while they’ve done some really good things like implementing PSBT, they’re a business they have to focus on the present and not so much, you know, where the future growth is and the future growth is going to be in multisig. And they’re doing a great job at that too. So they’re going to sell devices. And I’m not saying that they’re built on the past, but they’re just focused on, you know, responding to the issues they’ve had in the last six months. And in the last six months, you know, people trying multi-sig have run into issues. A lot of those are just way better now. I mean, if you were trying to do it on Electrum and you now try it on Specter Desktop, it’s a different game.

Michael Flaxman:

If you were trying to do this on, you know, a Ledger and instead you try now to do it on a Cobo Vault, it’s day and night. I think try again and revisit that statement as time passes. But we’ve reached this inflection point now because everyone’s sort of using a standard; everything has to be coordinated across multiple devices and multiple software. And so we’ve ossified on a standard for the most part; there might be changes to it, but they won’t be backwards incompatible. So for that reason everyone used to be really afraid about building something that wasn’t going to be the way that other people would do it. And when hardware wallets would come to me and say, Hey, we want to do more multi-sig support, but we just don’t like, we want to just work with what is going to be the thing that everyone uses. And now that equation has changed. Now, there is a thing that you can do a two of three with Cobo and ColdCard and a free open source software wallet. And that’s great. If you want to layer on a Trezor, you can, although there are some hesitations, I would say that’s for expert users, and there will only be more that want to be a part of that scheme and that want to improve how they perform in that scheme. So I think this is like so exciting. I could not be more thrilled.

Stephan Livera:

Yeah. So I guess I would summarize it as look, we’ve got a big increase and improvement in the UX, the user experience, and we are seeing some formation of a kind of standard in terms of how the wallets work, right. They’re using PSBT and the backup is like with Specter Desktop, you’ve got like that JSON file, JavaScript Object Notation file, at the end. So we’re sort of firming up around some sense of a standard and perhaps over the years it will become more and more commonplace.

Michael Flaxman:

Yes, exactly. And back to this idea that it should be like super simple. No Bitcoin transaction, single key sig or multisig, is ever going to be like that straightforward. Bitcoin is a financial weapon. You should treat it like owning a gun. And if you’re going to self custody, you should educate yourself on safety and you should re-educate yourself and you should practice.

Michael Flaxman:

Bitcoin is the insurance policy that money can’t buy, but you need to know how to make good on that policy. No one’s going to do that for you. So it’s gotten a lot easier. It’s getting better all the time. It’s going to get even better. But it’s never going to be as simple as like, you know, sending a tweet. And that’s okay.

Stephan Livera:

Yup. Before we get into the guide in a bit more detail, we’ve got the last point I wanted to cover, which is around, let’s say you just use Coldcard, single signature, and you use a long, say 6 or 7 word passphrase. Why should we still use multisig instead of that single signature set up?

Michael Flaxman:

Yeah. You’re solving a specific class of attack, which is the random number generator on seed generation. So imagine that your seed phrase was compromised. But you have the 6 word passphrase and that’s a long passphrase. So now you have to remember and store that that becomes a new bit of complexity in the multi-sig scheme that we’re going to go over. I do not recommend passphrases except for expert users. You know, if somebody has to break into 3 of 5 secure locations, that’s going to be really hard to pull off. Then only, once you think that’s a realistic concern for your threat model, because you’re storing, you know, a hundred million dollars in Bitcoin, okay, then you start worrying about passphrases, but for most people passphrases are not going to be a consideration in multisig scheme. In single-sig you would need to have a passphrase or it’s a very good practice, we’ll say it that way. So assuming it’s the full, that full 6 words so that it’s too long to brute force, and then you test that passphrase and seed combo on another device, because remember the easiest attack in the book is to just let you enter, you know, 24 word seed and a really long passphrase and ignore the whole thing and just show your attacker’s deposit address and not even use it in the first place. So you need to verify that on another device, if you did all of that, then you would solve all of the problems that had to do with the seed and receive addresses. But remember, that’s only part of the points of failure.

Michael Flaxman:

So you will have to recheck every time you do a deposit address on multiple devices; you have to be sure that your change is going to you and not your attacker. Remember that case of, I send you 0.1 Bitcoin and 0.9 back to me, but 0.9 goes to the attacker. And then we still have to worry about the chosen nonce attack or the randomness on signing, the K value in your ECDSA signature. So what you described for experts I think is good, but it’s very, very hard. And so I would say for normies, you know, for an expert looking to store a small amount, I would say that makes sense. But for somebody who isn’t an expert, just use a multisig product, do proper multisig, which is effectively two of three or three of five using multiple vendors where no vendor controls the quorum of your keys. And if you do that, it becomes hard to mess up. Practically speaking, there’s a little bit of glue that you gotta, you know, run Bitcoin Core and install this software and have these devices. So it’s not like easy, but if you’re tech savvy and you understand how these parts work, you don’t need to write code. You don’t need to be worried about like, what does this mean? And if I make one mistake, I’m going to lose all my money.

Stephan Livera:

Alright. So let’s get into the guide. So, I mean, you’ve written this guide, I’ve given a little bit of feedback here and there it’s called the 10X security Bitcoin guide. So let’s start with who is the target user for this?

Michael Flaxman:

Yeah. So you understand the key concepts in Bitcoin. You get the idea that there’s public keys and private keys that you sign transactions, that there’s this database of ownership called a blockchain that you run a node to validate that database and keep a copy. You kind of have to understand like what the parts are. You’re tech savvy, but you don’t write code. There’s no command line. But you are comfortable with software that I would say is somewhat in beta. And it’s weird to have like beta software and say, but yeah, this is really good for like a hundred million dollars. And the reason is because the security of your Bitcoin is enforced by the Bitcoin scripting language. So you’re getting the security of the Bitcoin network as far as making sure that those 2 of 3 or 3 of 5 signatures took place.

Michael Flaxman:

The beta software is going to be a confusing dialogue box, a button that’s in the wrong place, copy that doesn’t totally make sense, a difficulty running it on this operating system or that operating system, a cross compatibility issue. So it’s a weird thing to say, it’s beta, but it’s like totally more secure. So hopefully people will internalize or understand that concept. But you have to be comfortable with beta software. The idea that, you know, there could be some weird workaround or awkward thing here or there. You take security seriously. If you don’t care about security, single key is better for you. And you’re happy with the price point because if you want to buy the two hardware wallets, which is the absolute minimum a Cobo and a ColdCard, I think you’re at like over $200 already.

Michael Flaxman:

And then you do need a computer but you can use your main computer. You don’t need a dedicated machine for this. At each step, there are like more advanced things you can do. And so there are ways to harden your security and a dedicated machine is one of those. But the beauty of this massive multisig is that you don’t need to go to the nth degree because you have the security of multisig already, which is far, far more secure. So I call it the 10X security Bitcoin guide. I think in practice, most people who will use this are only going to get, you know, 3 to 5X greater security than their current setup, the 10x things like a dedicated device.

Michael Flaxman:

And you know there’s a lot of different steps for hardening, but a 3 to 5X improvement is still fantastic. And it really becomes hard to ascribe like a dollar value to when you should upgrade your security. Some people go full tinfoil hat to secure a hundred dollars and others put $10 million on an Opendime. So I can’t tell you, you know, this is the amount for you. A lot of people put a hundred thousand dollars into Bitcoin. They’re a hundred percent in Bitcoin. It’s all of their money. It’s their life savings. It would be catastrophically bad if something happens to them. Some people write hundred thousand dollar bets and, you know, couldn’t care less. And if it got hacked, it wouldn’t even be a big deal to them. So I can’t even tell you how to think about that. I can only tell you if you’re uncomfortable about it, this is the thing that works. And the security here is so much better than a single key setup.

Stephan Livera:

Gotcha. Yeah. So this isn’t for grandma, but it is for, let’s call it the tech savvy user. And I think many of my listeners would fall into that camp.

Michael Flaxman:

And multisig won’t prevent you from entering your seed phrase into a web wallet. You know, if you don’t understand sort of the basics, multisig won’t catch you there. I guess the one asterisk I would say on that is that you’d have to enter a quorum of your seed phrases into a quorum of web wallets. So you’d have to do it multiple times, but if you were tricked to do it at once, you’d probably be tricked into doing it multiple times. Although I will say that I just have so many horror stories of people messing up their Bitcoin who’d know better. I think I remember once late at night I was, well, the circumstances aren’t that important, I accidentally typed my private key into the search bar of a block explorer, which is just the dumbest thing that you could do.

Michael Flaxman:

Fortunately it was a Block Explorer that I wrote, so I felt very confident that it wasn’t doing anything malicious with it. I still had to sweep the funds immediately. But I was playing around with a Block Explorer, adding a functionality to support xPubs. So you could track a collection of addresses. And I was also doing some private key management stuff, and I shouldn’t have been doing those two things at the same time. And as I was testing search, I copy pasted a private key into my own search bar. And maybe that’s a bad example cause I’m just telling my own stupid story, but I know so many Bitcoin developers who’ve lost money in stupid ways. And so multisig does prevent you from in the sense that you have to do something stupid more than once.

Stephan Livera:

Gotcha.

Michael Flaxman:

That, by the way, it would be a great way for somebody to monetize a Block Explorer. Cause block explorers don’t make any money. So you could listen for like seed phrases and stuff. I bet that happens like one in a million page views.

Stephan Livera:

Damn, yeah.

Michael Flaxman:

If you’re looking to make the world worse, there’s your opportunity.

Stephan Livera:

So the guide makes use of, as you’re saying, two hardware wallets; like the recommended is ColdCard and a Cobo plus Seedpicker. So I guess one question people might be thinking is why use Seedpicker instead of a third hardware wallet? Let’s say a Ledger or a Trezor or something else?

Michael Flaxman:

Yeah. So you could use three hardware wallets. It’s definitely not a bad idea. There are some huge benefits to Seedpicker. First of all, it’s free. So you can’t beat the price; that costs nothing. Telling somebody that to get started, they have to buy three devices is just a bit much. And so 2 is less to buy than 3. It also is the only provable random number generator. So we get back to this. Well, it’s the only one that’s designed around being provable. It’s sort of an end to end test: like you put in the 23 words and everything else that comes out, the 24th word check, the extended public key information, that all is deterministic. You can do that many times. You can do it on many different softwares. You don’t even need, for example, the software to be open source. Seedpicker is, and my complementary library is called a human random number generator, HumanRNG, that I have ones in both Python and Golang.

Michael Flaxman:

Those are all open source as they should be. But strictly speaking, this is a functional test where you’re gonna input these 23 words and you’re going to get a 24th word and extended public key info. And as long as you’re not connected to the internet and you’re not saving anything, you know, you’re wiping the computer afterwards, you could do this in as many softwares as possible and each time prove that, Hey, you know, I got the same output. This is valid. The only question mark is when I pulled these words out of a hat, was I somehow biased. And you can know that you didn’t do that. And also for a quick lesson in entropy, the 23 words is such a massive amount of entropy. One piece of feedback I’ve heard people say is that they’re afraid their 2048 word list.

Michael Flaxman:

Wouldn’t be perfectly well shuffled. You know, they’d cut up those words, put them in a hat, but maybe they’re still a little alphabetical here and there. It’s just so much more entropy than you need that you really don’t need to be concerned about this at all. I know for example, Stepan Snigirev of Specter desktop, he sometimes uses 12 word seeds for himself, to be fair, with a passphrase. So not exactly the same thing, but if you do the calculations on how much entropy it is, we’re talking about like a mindbogglingly large number. So you don’t have to stress about getting it perfect. Another step that you might not get perfect is technically speaking in the BIP39 and 44 spec, you should put each word back in the hat between times where you pull it out.

Michael Flaxman:

So like you could pull the same word twice in your seed and to do it right you should do that. In practice it’s kind of easier to pull them all out and put them on the table one at a time. And then have it that way. This is the type of thing where it’s like the beauty of these large numbers and these massive multisig is that you just don’t have to stress about it if you don’t put the numbers back in the hat. Sure. You’re not perfectly following the spec, but that’s okay. And that’s a good example of one of the many steps that gives advanced guides instructions in the guide where the default is just do it the easy way. But if you want to be advanced, you can put a number back or put a word back each time and write it down instead. And that’s okay. Too.

Stephan Livera:

One point though, I mean, yeah, the software is free, but if you want to use it in the proper way, like with a air gapped computer that you haven’t used for anything else and it’s internet, never been on the internet, well, then I guess you do have to pay for a cheap laptop to do that with, right?

Michael Flaxman:

Yeah. So this is one of the many asterisks on the guide. This is a great use of like a Raspberry Pi or some, or a really old laptop you have laying around. But the other thing you can do that is totally free is you can use your existing laptop and you can run this software and then you can wipe it.

Stephan Livera:

Like TAILS kind of thing.

Michael Flaxman:

Or even better is to use Tails. So Tails is an operating system called The Amnesic Incognito Live system or TAILS.

Michael Flaxman:

It’s designed to be used for the privacy paranoid, but it’s mainstream. So it like has Tor and a password manager, and some basic functionality that you could use it as like your real computer, if you were a privacy conscious type. But it wipes itself every time you shut it down and wipes itself quite thoroughly. So it wipes the RAM to prevent a cold boot attack. And it’s a free, open source, popular software. It also comes with Electrum installed, which is kinda neat. But so you could, you could boot your computer using TAILS, totally disconnected from the internet. If you want to be paranoid, you know, take out the hard drive, take out the networking card, but boot your computer with that, calculate your 24th word and then boot it back into, you know, Windows or Mac or Linux, whatever you’re running, and go about using your computer, knowing that there should be no remnant of it. If you want to be a hundred percent sure, obviously you need to have an eternally quarantined machine that you never reconnect to the internet, that you encrypt the disk and that you wipe. But this is accessible enough, and the point of this key is to be your recovery key. So it’s your one key that is only if something goes wrong with the other two. And so it would be a good one to like put in a safe deposit box and say that that safe deposit box goes to your family if something happens to you. And then, you know, you can use that as part of your inheritance plan. So it’s not one that you actively use, but if you need to, it’s there. And the real reason that we’re doing this is that two of two would be a terrible scheme. So let’s say you did a two of two, and there was some problem with one of your hardware wallets, perhaps it was generating an extended public key that didn’t correspond to your seed phrase. Your funds would be permanently locked up.
So by using a two of three where this is your third, if something were to go wrong, you have the ability to go into that safe or wherever and get that third key and then use that with one of your other two hardware wallets. So it’s a great backup. You can sort of sleep at night that if something happens, you’ll be okay.

Stephan Livera:

Gotcha. Yep. Okay. Okay and so we’ve done a lot of setup work, right? Talking through some of the context and why certain decisions were made. So I mean, you’ve sort of already touched on some of this, but in terms of coordinator software, maybe you just want to touch on why Specter and not say Electrum, or perhaps not, you know, being a wizard and using Bitcoin Core multisig and, you know, using the command line, like a true hackerman?

Michael Flaxman:

Yeah. So let’s start with Electrum. So Electrum is that feeling of juggling chainsaws in the dark. There are UI gotchas everywhere. You know, it’s things like you’ll be on one page and the default radio checkbox at set up is checked. And when you hit next, it says error, invalid choice. And you’re like, why did it trick me into that default check box that wasn’t usable? So it just has a lot of these, like, you know, things like that; the order of the keys that you put them in matters, I believe. And if you ask anyone who’s very tech savvy and has used Electrum for multisig, they will tell you that it technically worked, but it did not go well. Specter is designed around not having these problems. Another one that’s really big is Electrum has limited BIP39 support and deeply confusing messaging around this.

Michael Flaxman:

When you try to import a BIP39 wallet, it warns you that they might drop support for BIP39 in the future. Which is a very bizarre statement. I mean, if Electrum ever dropped BIP39 support, I imagine people would drop Electrum and switch to a fork of it that had BIP39 support. But even to use it, using Electrum, you can’t create a wallet when you want to import your BIP39 wallet; you paste it, or you type in that phrase, and there is no next button because it’s not compatible with their input format, and you have to find there’s like a hidden options BIP39 checkbox. So that is pretty bad because all hardware wallets use BIP39 and it is the standard. They had another standard previously that didn’t get as much adoption.

Michael Flaxman:

And I think they’re just like bitter that another standard is more popular and kind of refusing to support it. There’s also UTXO privacy issues. The default way to use Electrum is to query third party services for your balance and transaction history; those services, we believe, are mostly run by chainalysis companies that record and share with the government. Now you don’t have to use Electrum that way; it’s recommended that you run your own Electrum server. So, and I do like that you can get started with Electrum, for example, like offline usage without having to connect to any node. So, the fact that the default use is so horrific is not necessarily bad. It is a choice that people can opt into. Then for a while, the project almost seemed abandoned. They went to almost a year without releasing an update, and this has to do with like a bizarre thing in the way they were doing their git branches, but they basically were operating with something called a dirty master branch, which is sort of like basic software engineering. You never want to have a dirty master branch, and they couldn’t push new code releases because they had this branch where they were trying to be a lightning wallet. And that’s, I think, their focus now; they support lightning and that’s what they’re working on. But because they were trying to do that, they couldn’t release any new updates. And so people were trying to like use a Coldcard for multisig, and they’ve got to build it from source for almost a year. I got so many like messages of despair from people saying like, please, I want to have multisig, but Electrum doesn’t have a downloadable binary. At the time I was even thinking of hosting my own binary and signing it, which is inherently sketchy that people would trust that, but at least they would have something that they could use. Then Specter came along and just solved all the Electrum problems and more.
And I was very relieved when I was able to upgrade to that. And then you asked why not just use Bitcoin Core multisig, like a wizard. And there’s a couple of reasons not to. One is you still need to guard your secrets somewhere, and you don’t want that to be on a hot machine. So Specter is the bridge between the blockchain and your hardware wallets, but your hardware wallets guard the secret, so they don’t leave the hardware wallet. And using the command line, it really does limit you to experts only. If you write code, you might be more comfortable with the command line, but that’s an insignificant percentage of users. And even experts shouldn’t use the command line because poor GUI is how you make mistakes. You know, when I give that example of when I stupidly copy pasted my own private key into a block explorer, it’s because I had a file open where I could do that, and it would accept any input. You shouldn’t have a position where you could be in to make those kinds of mistakes.

Michael Flaxman:

And Specter actually does use the command line interface to interact with your Bitcoin Core. Everything that Specter does under the hood is making RPC calls to your Bitcoin Core and just organizing the data, displaying it. But it is effectively a way that you can be, if you want to use that term, you can be a wizard just by using Specter. So Specter, I think, is the perfect balance of this. It just nails it. It’s purpose-built for the task, and it really does a good job. The only negative I would say with Specter is that you do have to run your own full node, and hopefully in the future it’ll be easier to rely on a friend or family member’s full node. That will come with privacy and consensus validation tradeoffs, but for many people that might be worth it, and that would make getting set up even easier.

Michael Flaxman:

That’s why I submitted that pull request that uses these Merkle proofs so that you can validate your transaction was included in a block without having to even have that block. It is also cryptographically very cool; Merkle proofs operate in log n space and time. So they’re incredibly performant; that will scale forever. And that was sort of Satoshi’s cleverness in the original version of Bitcoin that he thought to put that in, even though the Merkle proofs themselves didn’t come for much longer, he enabled the functionality from the beginning. And so that’s a really clever use that I’m like, I’m just really proud to have done that. I’ve been taking some personal time. I hadn’t written much code in a couple of years, so to just write something like that and have it get merged into an open source project, that was pretty cool for me. So I guess that’s Specter in a nutshell. It’s pretty neat and it’s got a one-click downloadable binary. So if you haven’t used it yet.

Stephan Livera:

Fantastic. Yeah. So as I mentioned before, we’ve done a lot of the setup stuff now. So let’s now talk a little bit through the process. But I think listeners can already appreciate, we’ve already done a lot of the context. So now it’s kind of just pulling those right pieces together. So maybe you want to just start with what equipment do we need to do the 10X security guide?

Michael Flaxman:

Yeah. So the really big thing is you need these two hardware wallets and I’m recommending the Coldcard MK3 and the Cobo. I do look forward to a day when there are like, you know, 10 great ones and you can pick your flavor of which one you want and which one has the better air gap and the better open source and the one that’s more ideologically aligned with you or whatever it is. But right now I would say those are the only two that do multisig well. And so that’s the big expense. You need those two. You also need a laptop. Any low end computer would work, but you need a webcam and laptops just work really, really well. Because like, if you have to pick them up and scan a QR code, you can; if you need to take them into a safe deposit box, they already fit into a safe, into a vault.

Michael Flaxman:

They already have batteries in them. A laptop would be good, but it could be just a low end computer. The computer you already use is totally fine. You don’t need a dedicated machine, although it would be better. And then you need some paper and pen to write down seed backups and you need either a pen drive or, preferably, a DVD drive for passing around some public key information. But these are all pretty, pretty basic things. And then, Oh, if you’re going to use seedpicker, you need the 2048 word wordlist. So you need a printer that can print out two pages of totally nonsensitive public information. And my hope is that in the future, this will actually become like a little mini business model or party favor, like your local Bitcoin meetup could have a little stack of 2048 note cards.

Michael Flaxman:

They don’t need to be full-sized note cards. I mean, teeny little words to be drawn out of a hat, and give that to people at the meetup. You know, they could be sold on Amazon, they could be sold over the Lightning Network, like stickers, you know, used to be sold. You could be selling a pack of 2000 words. But if not, you just print out these two pages and get cutting with your scissors.

Stephan Livera:

So gotcha.

Michael Flaxman:

Pretty basic. Then you’ll also need a Bitcoin core node. And my recommendation is that you should just use a product like myNode or a nodl or RaspiBlitz, because setting up Bitcoin core is a whole thing. But if you know how to do that, then obviously you need whatever level of hardware you want for your own Bitcoin core node. That could be a Raspberry Pi or you could want a really highly performant beefy machine, maybe doing blockchain analysis too.

Stephan Livera:

Gotcha. And I guess you would, if you’re doing that set up, you would have to do, I think, one small edit in the Bitcoin.conf file. Or otherwise, if you’re just using, say, myNode, which actually already packages Specter, well then that makes it a bit easier as well, if you’re just looking for a bit of an easy way to get into it.

Michael Flaxman:

Oh, I didn’t know myNode is packaging Specter. That is awesome.

Stephan Livera:

Yeah. The premium version has Specter packaged into it. So basically you could literally just open up your computer and point it, on your internal network, to the Specter address and basically run it that way.

Michael Flaxman:

Oh, that is really cool. Anything that just makes it easier to get set up, because one of the big points that’s so valuable here, and this is what Specter is built around, is that Specter can’t move any money. It doesn’t ever see a private key. It’s designed to be untrusted. That’s part of the reason why it’s called Specter. It’s a joke that everything can be hacked, and so can this. And so you don’t have to worry about like being extremely careful in this. Now you should be worried because, you know, it could still try to trick you and maybe you would fall for it, but in practice, you don’t have to have such a level of paranoia or caution around your hot machine. You should be paranoid and cautious with your hardware wallets, but that makes sense, people already are. So that’s really great that there’s a one click install, or deploy. I did not know that.

Stephan Livera:

Yeah. So that’d be another easy way for listeners to try this out. And now let’s talk about initializing and setting up hardware wallets. So I can see just straight off the bat, the fact that you’re using or recommending the Cobo and the Coldcard, uh, there’s an advantage there because that’s arguably less privacy doxing than the Ledger or Trezor setups where you have to initialize the device and then it, unless you are advanced, it has to call home to their server. Whereas with Cobo and Coldcard, you can actually initialize it offline with a wall plug and never connect it to a computer.

Michael Flaxman:

And one of the things that that sort of reinforces is this design around PSBT, or BIP174. Both of these wallets have first-class support for partially signed Bitcoin transactions and the mechanism there is that they don’t plug into your computer by default and violate the air gap in order to interact. So when we talk about a Ledger or Trezor being connected to a central server, we’re talking about it being connected to your computer via hard wire, and then that somehow phoning home. In the case of Cobo and Coldcard, that’s not how they’re designed to be used. So with the Cobo you can operate it with never plugging it in to your computer ever, which is really cool. And with the Coldcard, uh, that statement is mostly true with this asterisk that in order to verify a receive address, you do need to plug it in.

Michael Flaxman:

There’s an open issue for Coldcard for that. I really hope that they can do offline address exploration for multisig. They support it in single key sig so I hope they’re working on that. I hope it’s close. It’s sort of a complicated UX trade off, but the idea is that these devices are designed to work without drivers, without installation, without phoning home. And that’s really, really cool. They both do have validation mechanisms. So, you know, the Cobo will give you some sort of proof that the device is legit, which you can do all over the air gap. I forgot the Coldcard one, I haven’t done it recently, but there is some level of proof. And that is really cool. So they just sort of have a different model because they were designed around a BIP174 PSBT style from the beginning. Even though Coldcard was invented before PSBT, they were thinking about it in this way that like data should come in and it should be signed, and the signed data returned, not this device should be connected to your computer all the time. And BIP174, it’s just a serialization format for passing around the data. It’s not essential in and of itself except that it’s the standard that everyone,

Stephan Livera:

And we spoke about this before, but I guess just to kind of talk through the seedpicker initialization process. So as I understand you have that paper print out, or maybe you’ve bought it from someone, or maybe even, you know, online people will sell those pieces of paper. So basically you’d cut it all up and put it in the hat and draw out the 23 words. And on your, let’s say your TAILS laptop, or your eternally quarantined laptop, you put in those 23 words and get it to give you the checksum 24th word. And that becomes your third key in the set up. Right?

Michael Flaxman:

Exactly. So you then write down those 24 words, you know, for regular users just on a piece of paper, for advanced users etched into metal. And then seedpicker is going to give you this file that has the public key info for Specter desktop. And that’s your SLIP-132 formatted extended public key, which is going to be in zPub format, your root fingerprint and your derivation path. None of that do you really need to know anything about, it just gives you a file and you give it back to seedpicker. Now you should validate all of it. So if you’re an advanced user, if you’re storing a lot, you should run those same steps with another software package. I published open source ones in two languages, Python and Golang. I hope there will be many others, and you could put in those seed words and make sure that you get the same extended public key information. But the basic point is that you just write down the 24th word, well, all 24 words, and then you take the public key info back to Specter, either on a DVD drive, if you have a DVD-R, or you could do a pen drive. So that’s the one thing that needs to come off of that machine before it gets wiped. You can have a whole ceremony where you go Office Space on it and beat it up with a baseball bat and burn it if you prefer.

Stephan Livera:

Haha, if you want to go hardcore, yeah. And then now we’ve initialized our three hardware wallets, or two hardware wallets and the seedpicker. And now we’re going to coordinate the multisig. So this is like the setup in Specter basically. So you basically feed into your Specter desktop, you create a new wallet and you’re feeding in that information, and then Specter desktop will give you that wallet file. And then the next step now is verifying receive addresses. So can you tell us a little bit about that?

Michael Flaxman:

Yeah. So basically we want to make sure, in the perfect case, if we really, really care, we want to be sure that our receive address belongs to our hardware wallets, to multiple of them. So let’s think about how this works and the attack, because it’s a very weird concept to say that two of three of these devices own something. That’s not really like how our brains ever work in the real world. You know, there’s like a place somewhere and somebody owns it and possession is nine tenths of the law, as we like to say, and maybe there’s rules about who can go get that thing. But there’s sort of one thing in one place and multisig in Bitcoin is just totally different from this. There are two of three things and these things could exist anywhere in the world and there could be copies of them.

Michael Flaxman:

So what we want to know is that our hardware wallets, that we own three hardware wallets, or two and seedpicker, which is effectively our software hardware wallet. And we want to know that two of them are our Coldcard and our Cobo. And the third one is our seedpicker, because what a clever attacker could do before we receive funds is they could swap the address and they could trick us by showing us one hardware wallet that is a member of that two of three, that is ours. And then the other two seeds belong to our attacker. So we pull up on say a Trezor. We look at the address, the Trezor says, yes, this is a two of three, and I am one of it. And you deposit funds and boom, they’re instantly gone because the other two belong to your attacker.

Michael Flaxman:

So what’s nice about Coldcard and Cobo is that they both register the multisig as part of that setup. And they both keep track of that. So they both say there are three, I am these two or sorry, I am this one. And these are what the other two are. And then they can confirm that every single time you verify a receive address. Now, that’s not a guarantee because if that say Coldcard or Cobo was compromised and your computer was compromised, and you’re looking at a receive address and your computer is lying to you and your Coldcard, or your Cobo is lying to you. Well maybe it’s not the case. So maybe you don’t want to rely on that enough. Maybe you do need to get two of them in the two of three case. That’s a difficult one.

Michael Flaxman:

That’s sort of like a trade off that you would weigh on each deposit. So if you’re receiving like a really small amount, you might say, okay, my Coldcard, or my Cobo says it’s valid. My computer says it’s valid. Although that’s connected to the internet, they all register the same quorum. I think I’m going to say this is good enough. I’m just going to check the one of them, but maybe you’re, you know, Michael Saylor and you’re receiving $425 million. I think you’re definitely going to check at least two of them. And probably you’re just going to check all three cause you want to be really sure. And probably in that case, you’re doing three of five anyway. And I think we know that they’re doing custodial Bitcoin IOUs somewhere, but if he were doing it, he would be checking on a quorum of his devices.

Stephan Livera:

All right. And so now let’s talk about backups. So there’s a few different things to think about here. I guess there’s two parts, so sort of let’s split it up. We’ve got public keys and then we’ve got seeds. So let’s start with public keys. So how do we do backups on our public key easier?

Michael Flaxman:

This is one of the footgun areas for multisig that is a little bit hard. You have to know this, you have to remember, this is essential information. You must store all of your public keys and their related paths to be able to spend any of your funds. So you not only need the two of three seeds. You need three of three of your pub keys and related path information. And that’s kind of annoying because people tend to think, Oh, I have two of three multisig, I’ll back up my seeds and I can, I can guard two of them and be sure that I’ll have two of them no matter what, I got that. And I’ll put, say, the pub key information with each seed. But I’ll just put the pub key for that seed with that seed.

Michael Flaxman:

And the problem is, if you didn’t have all three of your seeds, well, would you have all three of your pub keys and related information? And so the recommendation that I have in this guide is that unless you’re an expert user, you should put all of your pub keys with each of your seeds. So if you have a backup of seed A, with that backup of seed A, say etched in metal, on a USB drive you have pub key A, B and C and all of its related metadata. And Specter desktop makes that really easy. So one click export, put it on a USB pen drive, put it in the vault. But that is one extra step, 2 of 3 is not enough. You need two of three plus all of your pub key information. And this does present a new negative that is unfortunate, which is that pub key information doxxes some of your privacy. So imagine this was sitting in a safe deposit box and a banker looks you up and says, “Oh, Stephan Livera, that guy, he’s a Bitcoin podcaster, he’s famous. I bet he has a lot of Bitcoin.” And he drills the safe. Safe deposit boxes are a good place, but you know, nothing is a hundred percent secure, and he drills the safe and inside he finds a list of all your pub keys and he goes on the blockchain and he sees all the funds you have. That’s a little bit scary. Now we started from the premise that he drilled your safe. So, you know, that is already better than the single key situation where it was just, you had a seed phrase sitting there and they just stole all your Bitcoin, but now he knows, okay, this is how much Bitcoin you have. Maybe I know your home address or your work address. And I have one of your seeds. Now I’m going to go try to find the other one. So that’s sort of one thing that is not perfect. There is an improvement on the horizon for this where you could, uh, do some sort of a quorum system where you needed like two locations to be compromised in order to get any pub key information. Um, but that has to do with a longer discussion on BIP32 paths.

Stephan Livera:

And that’s probably a bit more advanced, right. But I guess the high level step and the high level way to think of this is do your set up and save that JSON file from Specter Wallet onto a USB key and have three USB keys all with that same inaudible on file. And back that up in all those locations, such that if you were to lose one of your seeds, you’re still okay, so long as you still have a spending quorum, i.e. two of three or three of five. Exactly. I was careful to stress that point also in my interview with Stepan in talking about Specter Wallet as well, just to make sure everyone’s doing their backups correctly. So that’s pub keys. Now let’s talk about seed backups, right?

Michael Flaxman:

While we’re on the pub keys, I would add, this is only, you know, they’re literally called public keys. This is only privacy information. So you can take that as far as you are comfortable with. You may decide I’m going to put that in my Dropbox, in my Google Drive, in my Mozy or Carbonite. I might give a copy to my accountant or my lawyer,

Michael Flaxman:

You know, I might want a lot of copies of that out there. Maybe with some encryption, maybe not. You might be a person who is very private or says no way do I want all those people to be able to see all my transactions, or do I want, you know, Google or Apple’s cloud to be able to snoop and see that? So that would be a personal choice. I think probably you want to err on the side of more backups than less, but maybe you just want lots of pen drives and that’s fine too. But you cannot, you have to have all of your pub keys to be able to spend any of your Bitcoin. So that’s really important.

Stephan Livera:

All right. And moving on to seeds now. So this is another example where depending on how you’re set up, you might be just writing it on paper or you might have it on a metal product and yeah, I guess you’ve just got to back those up as well. Are there any other tips you wanted to share on that? Or shall we move on?

Michael Flaxman:

Just a really big one that safe deposit boxes are a great hack. Not for all of your seeds, obviously. In the m of n system, I wouldn’t want m of my seeds there, but maybe m-1. But they’re really great because they have a natural transfer if you die. So they’re really good for inheritance. So if you gave one seed to family member A, or even better, they generated it themselves, and then you put another seed in a safe deposit box and you said, okay, this safe deposit box goes to family member A if something happens to me, that’s pretty good. It’s not perfect, but it’s pretty good.

Stephan Livera:

And now let’s talk through the sending flow. So let’s say I want to spend some Bitcoin or I want to send it to myself in some other setup. What’s the flow look like there?

Michael Flaxman:

The flow here is actually awesome and really easy. Everything we’ve been talking about is all the negatives and the gotchas and what’s complicated.

Michael Flaxman:

The beauty is you set it all up so that it’s really, really easy. Basically, you’d go on Specter desktop, and you would say, this is what I want to send. You know, it’s like this much to this address because it’s connected directly to Bitcoin core. It can do a lot of the fancy Bitcoin core features when it comes to fee estimation or coin control or batching or whatnot. You put in the address, the amount and you hit this button that is create unsigned transaction. And that’s an important concept in PSBT stands for Partially Signed Bitcoin Transactions. And the idea is that these transactions have different states. So at the beginning, they’re just totally unsigned. And then you might collect one signature of say two that you need on one device, then you’d go do it on another device, and then you’re fully signed and you broadcast it.

Michael Flaxman:

And as far as collecting them on the devices, it’s really straightforward. You can do it on the Cobo just by scanning QR codes. It pops up on your screen and says like, Hey, do you really want to send X Bitcoin to address Y, and that is like the UI that we all know and are comfortable with. You double check to make sure that’s really the right address. It’s going to do all the change detection and that kind of stuff for you. And you hit send, and it’s going to send that signature back to Specter and Specter will say, okay, I’ve collected another signature. You go to your Coldcard and you do the same thing. Advanced users can do it over the SD card. Novice users will probably just do it plugged in via USB. And on the screen of the Coldcard will be the same thing.

Michael Flaxman:

Do you want to send, you know, X Bitcoin to Y address. It’ll verify the change for you automatically, so you don’t really have to think about that. You hit yes, and your signature is now sent back to Specter and Specter would say, okay, great, I’ve collected 2 of 2 needed signatures, hit the button to broadcast to the blockchain and off it goes. So that might sound like a mouthful, but it’s really go on Specter, say what you want to send and then validate it on two of your devices. And Specter works really well because of this saving the state across multiple signatures. Maybe one device is kept there on premise in your home or work, and the other device might be at like a safe deposit box or something like that. And because it’s keeping track of the state, you could say, okay, I’ve got 1 of 2 signatures. I’m going to take this, you know, piece of information to my safe deposit box and do a signature and then bring it back and now I’ll collect it and broadcast. And so this actually works very intuitively. This is the easy part.

Stephan Livera:

Fantastic. Now let’s talk a little bit about maintaining that set up over time, because I think this is another area where people might not think so much about it, and they’re just thinking, Oh, I’ll just set up the multisig and that’s it. But in reality, you’ve also got to maintain that through time. So, and I know the guided providers, so Casa or my sponsor, Unchained Capital, they have some form of a concept around periodic key checking or health checking, right? That you, yeah, you periodically go and check the hardware wallet, that there’s been no bit rot, things like that. So do you have any suggestions around that?

Michael Flaxman:

Yeah. So the services are good because they can kind of force you to do this. Like, it’s almost like going to the gym, you know, nobody’s like, Oh, today’s the day, I really am excited to go check my backups and make sure they’re still there. And by performing a signature, it’s sort of the ultimate proof because you’ve like used the private key. You don’t have to be so formal about it. I mean, you can just go visit your safe deposit box and like look and see that you have your seed still there. And that’s enough, like if the hardware wallet device failed, well, you could put the seed on another hardware wallet. So I like that they formalize it and have a process, but it’s sort of something that, you’re backing up your seed phrases for this very reason.

Michael Flaxman:

So if anything goes wrong with one of your devices, you can always load this into another device. Even in the extreme, it’s not the easiest to use, but you could load this seed into Electrum and use that to sign. So it’s not so much about the devices and whether it’s still performing well, it’s really just about, do you have, you know, M of N of your seeds, and so you want to check all your seeds with some frequency. Maybe you check monthly, you check yearly, you know, it depends on how you see the risks. Maybe you have a seed that’s buried in a mountain and it’s not so easy to dig up. And maybe you have a seed that’s sitting on your desk and you know, check it every day. That’s sort of a personal thing. But what you really want to make sure is that you have that collection of all your pub keys, which is going to be on your Specter desktop machine and saveable as a JSON file. And you have at least M of your seeds, but really you should have all N of your seeds. So you want to go be checking that, but those are backed up on paper or preferably etched into metal.

Stephan Livera:

And now another point that has come up, and we’ve seen recent examples of this, sometimes there are vulnerabilities disclosed in a hardware wallet, and then the vendor releases a patch for it. So for example, Trezor, there was like a SegWit bug and Trezor put out a patch and now, frustratingly, I think there were some cases where there were downstream impacts, let’s say to other companies, let’s say Casa or BTCPay Server or other projects. So I guess this is another kind of thing we have to think about when we’re doing multisignature, because there is a risk of your hardware wallet wiping while doing the firmware update. But I suppose to your point, that’s also why we have the backup of the seed.

Michael Flaxman:

Yeah. Never perform a firmware update unless you’re sure you have all N of your seeds. If you only have M of your N seeds, meaning losing a seed would cause you problems. Definitely. I mean, first of all, get yourself to a system where you have all of your seeds, rather, you should always have all of your seeds. So like, you know, if there was a fire or flood or something, and, you know, you lost a seed, uh, immediate step one is that you need to have all of your seeds. You need to regenerate a new one and add it to your quorum and cycle out the old one. So that’s the most important, but if you’re ever in a position like that, where you’re exposed, do not update your firmware. Cause that is the time when things can go wrong.

Michael Flaxman:

Now, this is another thing that I’ll point out that is good about the Cobo and Coldcard BIP174 native design, because they’re designed around being air gapped and having the signature step be like very explicit. One piece of data gets passed in and then the signature gets returned. Because they’re designed that way, they don’t interact with a web browser. There’s not like a Trezor bridge type situation that could be pushing a user to do an update. So in the extreme case, like Casa tells their customers not to ever update their firmware, which is a little bit weird. I mean, you want to update and have the latest software always, that’s a good security feature, but I believe that’s because Trezor pushed this firmware change that basically broke their customers’ access to their funds if they were to update.

Michael Flaxman:

And this gets into this nuanced and very detailed thing about BIP 32 paths, which is a much more complicated issue. As a rule you know, Bitcoin is designed to just work forever. That’s what’s really cool. Bitcoin is security conscious. It’s always backwards compatible. I can’t think of anything that I would say like you need to upgrade for, but upgrading is always a good, best practice. I’m sure there will be better user interfaces. And basically the idea is you shouldn’t feel like you’re in a hurry to update, but updating is still a good practice. If you’re using something like Casa or a Coldcard, you’re just, if you have a strong air gap, the device isn’t even going to know that it needs to be updated. That’s something that’s kind of fundamentally different. So updates are unfortunately nuanced.

Michael Flaxman:

Generally, you want to do it, but maybe you don’t want to be first and you definitely want to be sure it’s not gonna cut off access to your funds. But if you’re using something that’s designed around air gapping, then it’s probably gonna be less likely to affect you. And so that’s part of the reason why Coldcard and Cobo are what I recommend using. And I should say about that. I get nothing from any of these companies. Um, Coldcard has given me two of their devices. Cobo has given me two, but one is to give to another developer, although they did just say that they would send me another, uh, cause I want to use it for my personal Bitcoin, but I don’t get paid anything by any of these guys or nor for this guide or any of the software. I just love Bitcoin.

Stephan Livera:

That’s right. That’s great. Okay. So in terms of, I guess we’ve spoken through the guide there, we’ve given kind of most of the tips around how, you know, you should maintain the setup. In terms of outstanding problems or research or development that you’d like to see, is there anything you can share there?

Michael Flaxman:

Yeah, so I think the really big one is going to be around BIP32 paths, cause it just touches a lot of stuff. There’s a security vulnerability where a wallet could, uh, hide your change in a BIP32 path that isn’t the one you were intending, and this BIP32 path could actually be a very large number and it could make finding your change effectively impossible. And so you could be like ransomed to find your own change. That’s kind of the attack. And so that’s where a lot of the controversy is. And that’s part of the reason why, like, for example, address exploration in multisig on Coldcard isn’t that well supported with the air gap. And if you allow for more paths then there’s more room for things to go wrong. What’s really cool with paths though, is you could use it for different protocols. So one, for example, is an inheritance protocol that I really want to see developed where you take a trusted third party.

Michael Flaxman:

And you say, Hey, I want this person to have one of my five keys. They’re a close family friend. I trust them. If something happens to me, they’re going to help my family get this Bitcoin. And I want them to be one of the keys, but I don’t want them to see any of my balances or transactions. I only want them to have access to that info if I get hit by a bus and they’re called upon to use their key in a transaction. And so you could see a mechanism in the future with multisig where that person has a key, you can think of it as like an xPub. But the path is something that you keep. And so you give that path to your family and you say, okay, if something happens to me, this person has one key.

Michael Flaxman:

They don’t know the path, take this info to them and they’ll have the path. And by the way, that will authenticate you as the heir, so to speak. But probably, you know each other. But it sort of adds a level of protection if you didn’t want to give somebody a key because they’re not good at private key security. But you didn’t want to give, you know, a friend access to see your coins from a privacy perspective. Well, this is like a neat way to meet in the middle. And if either one of them were hacked, uh, only if both were hacked, would they get one of your five keys? So I could see like these inheritance protocols morphing into some sort of collaborative custody. That’s not that different from like Unchained or Casa’s model of controlling one or more keys, but it could be anyone, you know, it could be your kids.

Michael Flaxman:

It could be like a service. Maybe I could even see Bitcoin influencers saying like, Hey, I’ll guard one of your keys. And if you ever need me to use it, I’m going to take a 5% fee or a 10% fee, but you can immediately start increasing the size of your multisig. And from their perspective, it would just be one more path along a key they already guard. So right now, Oh, and the other one with BIP32 paths is that if we use different BIP32 paths for every signature or for every wallet, then we could eliminate this situation, or reduce the situation, where somebody who gets one of your seeds can see your transaction history. Of course you’d have to keep the BIP32 path info separate from the seed. So it introduces some messiness. It would only really work if it was tied to an inheritance protocol, so there was extra redundancy there, but I could see that improving both privacy and security, which I really like.

Stephan Livera:

It sounds like that’s a little ways off right now. But it’s a potential future kind of research or development area that we might see. How about defense versus the chosen nonce attack? Do you see anything coming down the pipeline for that, or is it basically where we’re stuck with using multisig to stop that?

Michael Flaxman:

Yeah, for now I would say multisig is the only one that I know of that even really tries. Personally, in single-sig cases in the past, I always inspect the K value code to see how that K value is generated, because the best practice, correct way to do it is to use the hash of the private key. And that has an extra property that it’s deterministic: that private key will always hash to the same thing, so the K value will always be the same. So if you perform the signature twice, say on two different devices that both have that private key, then you can guarantee that at least it’s using the same nonce. You can just eyeball that. So that’s something that I’ve done in the past, but obviously that’s a very weak guarantee.

Michael Flaxman:

There is a protocol that Stepan of Specter has written about where you could prove that your randomness was used in the nonce, and that would be really cool. So if that gets released, then that sort of becomes a must-have, certainly for single-sig, but even for multisig it would be very neat to add that. So that doesn’t exist yet, but that’s sort of the only one on the horizon. You even see extra weirdness there, because if you want to be a FIPS certified device and you’re at a certain level, I don’t remember which level it is, but I think it’s FIPS 140 level three, then you’re actually supposed to use a true random number generator. You’re not supposed to use a deterministic K value. So the true random number generator uses a source of randomness that’s dedicated and supposed to be good at that. And that is good. The problem is you can’t verify it in the same way that you could with a deterministic nonce. So even some of the really good ones then don’t use deterministic K values because they’re FIPS certified. So I just think the answer is going to be multisig on this, because this is so complicated and difficult and multisig just solves it.

Stephan Livera:

But that’s just not really worth it, or for most people it might not be worthwhile, compared to just using multisig.

Michael Flaxman:

Yeah.

Stephan Livera:

Also, obviously the Taproot soft fork is kind of under discussion right now. No activation has been proposed for it yet, but it may be, let’s say, in a year or so that we get it. And I know that Taproot introduces a whole new world in terms of possibilities. And so some of the guys at Blockstream, and I think other collaborators, are working on what’s called MuSig2, which is like a new way to do multisig. But as I understand, and again a lot of this goes beyond me, my understanding is Taproot can introduce more interactivity. And so that would change how people use multisignature and hardware wallets. So do you have any thoughts on what that would look like?

Michael Flaxman:

Yeah, so the last time I dug deep into the code on this was maybe nine months ago.

Michael Flaxman:

There was a working version then, or a proof of concept, and that could change. And I know there were some minor changes, at least since then. So I’m definitely not an expert. I don’t want to claim to know more than I do, but that version used these tweaking factors where you had an extra round of interactivity. Whereas in this setup, each person, or each device, just presents its public key and that’s enough. And if you have these tweaks, then each one has to present a challenge that the other one responds to and proves that they used that nonce. So it effectively just makes it more of a pain to set up. So that’s kind of negative. The flip side is you get these really powerful spending conditions. You can do any M of N in Bitcoin land under the current scripting, but beyond 3 of 5, 4 of 5, those types of situations, the transactions get very big.

Michael Flaxman:

Whereas when you use Taproot, you can do an infinite number, or nearly infinite number, of conditions, because you have a Merkle tree, similar to the way Bitcoin transactions are included in the blocks. So basically everything shows up as a 2 of 2, even if it’s a 2 of 3. You get three different 2 of 2 branches, and then you reveal the branch for the one that you’re spending from. So if you’re spending from AB, you reveal the branch to AB and it’s a 2 of 2, but if you were spending from BC, you reveal the branch to BC and that’s also a 2 of 2, it’s just B and C. So that’s a very neat thing cryptographically, and you could have an enormous number of spending conditions. But keep in mind, we already can do these with OP_IF and OP_ELSE.

Michael Flaxman:

So it would be totally possible right now to have a script template where you said, okay, for the next, say, five years, I want these funds to be guarded with this 3 of 5. But after that, for the next five years, I want them to be guarded by this 2 of 3. And after that, as a fail-safe, any 1 of 1 is good enough. And after that, now we’re at 10 years or 20 years in the future, for emergency recovery, any one of all the keys that we just talked about, I guess that was nine different options there, any one of the nine would be enough for emergency recovery. And you could already do something like that. You just pay a big transaction fee and you reveal a lot of that information when you go to spend. So these improvements are definitely improvements and they are better. You would get better transaction fee savings, and there’s a little bit more privacy. But in terms of security, you want multiple hardware vendors that support this, and we’re just taking years to get the basics out.

Michael Flaxman:

I think it’s going to be a really long time before we have multi-vendor hardware wallet support. I would love to be wrong about that. But I don’t think that, as far as the use case goes, this should hold anyone up. If you care about securing your Bitcoin, Taproot is going to come along in some number of months or years, and it doesn’t stop you from upgrading then too, but the hardware wallet support is going to be very poor, I would imagine, for a long time when it does get merged in, if it does get merged.

Stephan Livera:

Yeah. It’ll be a process there. One other topic that is interesting is around QR codes. So there’s been some discussion, and perhaps this is one of the responses from some of the people talking about hardware wallets and multisignature particularly, that if you were to try to transmit a PSBT through a QR code, and let’s say it’s a very big transaction, that might now require multiple QR codes. And so there’s a little bit of research being done. I know the Blockchain Commons guys like Christopher Allen and some of the other guys are working on this idea of having like a GIF that transmits through QR codes to get more data through. Do you have any thoughts on that, and how essential that would be, particularly if it’s a big transaction?

Michael Flaxman:

Yeah. So this basically exists now and is in the setup that I recommend, which is pretty awesome. So Specter Desktop will relay QR GIFs to Cobo and it just works. It’s really cool. The problem tends to come around inputs, because inputs take up a lot of space. So if you have a lot of inputs, you’re going to have a lot of data, and too much data doesn’t really fit in one QR code. Cobo supports this and I imagine others will in the future. And it’s just so much better than the alternative ways. The USB stack is terribly insecure. Stuxnet showed us that SD cards could be vulnerable, although SD cards are better than USB pen drives. Stuxnet was on pen drives, that’s an important distinction. But QR is just great.

Michael Flaxman:

And it is true that the more data you pass through a QR code, the less verifiable it is. Because if it’s a QR GIF that’s a hundred images, you’re probably not going to validate what that is. You’re just going to hold it up and it’s going to run whatever it does. And at some size you do have to worry about these vulnerabilities, because maybe there’s a buffer overflow and the QR code is going to take advantage of that, and then it’s going to give it software to run that’s malware. But in practice, we’re talking about very small amounts of data. And this only matters in these hundred-input situations that are incredibly rare. You know, most people do not have a hundred UTXOs, and if they do, they’re not using them in one transaction.

Michael Flaxman:

So it’s not zero risk, but QR GIFs are great. If you’ve ever used a QR-based hardware wallet, it is a magical experience once you do. You’re just like, oh man, this is what every hardware wallet needs to be.

Stephan Livera:

Yeah, that’s cool. And I guess even in that large or high number of inputs scenario, what you could do, again not optimal, but in order to save your funds, you could periodically consolidate or just break it down into smaller transactions in terms of inputs if you really needed to. So I guess it’s not the end of the world. There’s also, I guess, as this space grows up, right now Bitcoin is tiny, right, we’re talking a $200 billion market cap, the open source secure element. I guess people are kind of chasing after this idea, potentially in the future, once the space grows up. Does that in your view help much, or in your view does it not matter that much if you take the right steps?

Michael Flaxman:

Yeah. I mean, that would be really cool. I would love to see an open source secure element. That said, multisig makes this not a big deal. We can already prevent against so much by just adopting good multisig, and it’s now available. So historically it was a theoretical thing, but now it’s just real. In order for these secure elements to be useful they have to have PINs, and that’s part of their whole magic, that you only have so many attempts and then this thing’s going to lock you out. And so that’s what gives you your physical security. The physical security requirement kind of changes in a multisig world where you’re probably just going to keep seed phrases in multiple places, you know, a safe deposit box and buried in a mountain type thing, but still there’s no encryption. Somebody who sees that seed phrase can just use it. You could do the deniability with a passphrase, but the point being that for secure elements to really be useful, you need these PINs, and then the PIN presents a new issue. So I think open source secure elements are the type of thing that we will see happen at some point. It will be awesome. I’ll want to have that as part of my quorum. But it won’t be a game changer.

Stephan Livera:

Gotcha. At a high level, if we were to just kind of summarize, what we’ve spoken through is DIY multisig, right? Doing it yourself. What’s your high level view on doing this DIY style versus using the guided providers, such as Unchained or Casa?

Michael Flaxman:

I think the guided multisig services are really good versus custodial services for both large amounts and nontechnical users. So, you know, think of a wealthy individual or family office. MicroStrategy is a great example, they’re sitting on a bunch of Bitcoin right now. And so I kind of think about the guided services as a great first step to get off of custodial. They make it way easier for newbies. They have this incentive to push their best practices, so things like the health or key check to make key rotation really easy, which is a scary moment where you need to not mess up the most. And in theory, they’re really good for inheritance. There are some KYC issues with that. If they need to know who to cosign for if something happens to you, then they need to know who you are.

Michael Flaxman:

And so obviously there’s KYC with one of these services, at least if you’re going to go the inheritance route. So they do offer a lot of these good things. There’s kind of an asterisk in my mind about where they are right now in that it’s just limited hardware wallet support. So Unchained doesn’t support Coldcard or Cobo, and Casa doesn’t support Cobo. And then, once they’ve fixed that, there are some generic things that you should be aware of. You’re going to give up all your UTXO privacy with one of these services. They have to be able to see all your transactions and balances, and they make your life a lot easier. So that’s sort of the trade-off, but you can’t use them without giving up your UTXO privacy. Casa will let you use them totally anonymously.

Michael Flaxman:

You can just give them a fake, not-your-name, domain email address, and you can sign up that way, so that’s kind of neat, but they’ll still know all your transactions. And you also have to be careful because these services are kind of in a position to trick you. If you really know what you’re doing, you’d catch them. But if you really know what you’re doing, you probably would be doing it yourself. So an example of this is, let’s say it’s a 2 of 3 and they mailed you one of the hardware wallets, and that hardware wallet is a Trezor that doesn’t register the rest of the quorum. When you go to verify the deposit address, which they show you on their website, and you verify it on the Trezor, well, you verified 1 of 3, but they could have the other two.

Michael Flaxman:

Now, I don’t think that they would do this. There’d have to be a lot of people in on it. This is only when you’re depositing, but it’s an example that’s like, ooh, I don’t want to be in the trust business. So you kind of have to be a customer of theirs and be skeptical. It’s not great if they’re mailing you the hardware wallets directly; you should be buying them from the manufacturers. And so there are a lot of these little details where they’re just going to want to do it the easy way, because it’s easier for you. And they know they’re not trying to trick you. But your security model can start to blend a little bit. If they’re giving you the devices and they already have the seeds on them, and they’re showing you the deposit addresses on the screen, it starts to be like, well, how much of this is me, and how much of this is them?

Stephan Livera:

One other point I was just thinking about now as well is when you are accessing your setup. So let’s say we do this setup and you’ve got the three different keys distributed into three different locations. I suppose you also have to think about how you’re actually doing the signing process, because you wouldn’t necessarily want to have a quorum in one place at any one time, right? And so the difficulty then would be, how do you access back to your Specter when you’re at the remote location? Unless the setup is that you have Specter at your home and you have three separate locations, and you individually go get key 1, bring it back to your home and sign with it, then put it back in its location, then go get key 2. You see what I’m saying?

Michael Flaxman:

Yeah. It’s unfortunately a tricky one that everyone has to think through, these locations, for themselves. And it might even be, in an extreme case, that you have different wallets. So you have one that’s your serious HODLing, your savings account, so to speak, that is 3 of 5. And that is a real pain in the butt because you have to go to three different locations. Maybe one of them is your home and one’s your work, so maybe two of the locations are not that hard, but the third one is tricky. And you might want it to be tricky, because you might want it to be well guarded in the event. I know Bitcoiners who, when there were hurricanes in Florida, had to evacuate with their Bitcoin on them, and that’s very uncomfortable. So you might want to be so well distributed for geological events or emergencies, but then if you need access to them, well, they’re really geographically far away.

Michael Flaxman:

You don’t want to have to fly to another country to sign a Bitcoin transaction. So it can be a tricky one, and you might need to preplan: okay, this one is my long term, this is for my children, 3 of 5, and the five are all over the place. And this one I’m going to do some shorter term trading with, or maybe I have a business that gets paid in Bitcoin, and so I have to spend and receive Bitcoin regularly. And for that, maybe I’m only 2 of 3, and one of them’s at home and the other one’s at work or a safe deposit box, and that’s going to be enough. Or you might even, in an extreme case, do 2 of 3 and keep two of the keys in one location. Obviously you introduce a single point of failure. But maybe one of them is just a hardware wallet that you keep on your key chain, and the other one is in a safe you have at home. And maybe that’s good enough for you. That’s kind of your own business.

Stephan Livera:

Yeah, sure. But I guess then the other thing is accessing back to your Specter while you’re remote, right? So let’s say, and maybe some of this can be eased by the node package devices that set up a Tor hidden service that you can access while you’re out. But I suppose that’s another area where you’ve just got to think about how you’re going to phone back home to your own Bitcoin Core and Specter setup to actually do the signing, because you might be out remote where your key is and not be able to bring it back to your home, where your node is.

Michael Flaxman:

Yeah. In practice, if your Specter is on a laptop, then if you need to do something really important, like fly somewhere and put a key in a safe deposit box, you could just bring the laptop with you, because there’s no private key info on that laptop. And Specter is really good about aggregating signatures. So you grab one from one place and one from another. But where you’re going to get into tricky ones is if you’re going to sign many transactions with one key in a location that you traveled a long way to, and you don’t want to travel there once for each transaction. You want to do a bunch of transactions, but for whatever reason it’s not a batching situation, maybe there’s a privacy element. You could get into something weird like this, where honestly your easiest answer is just to put Specter Desktop on a laptop and take it with you. And any edge case you can solve.

Stephan Livera:

Yep. No, that makes a lot of sense. So we’ve spoken through it, I guess. Are there any points where you think the guide needs some work or improvements? What are you looking for in terms of contributions as well?

Michael Flaxman:

Yeah, so I would love contributions. This has been a Herculean effort. I should probably stop creating tons of work for myself where there isn’t a revenue model. So PRs are very welcome. There are all kinds of areas that have little TODOs or FIXME notes. If you want to add more screenshots, document things, add more detail or explanation, links to other sites, there are all kinds of great tutorials and places where you can learn more. I’m trying to be the most streamlined thing, where I give you more info if you need it but don’t overwhelm you. And so pull requests are very welcome. The underlying software all has lots of room for user experience improvements. So I expect that these things are going to keep being improved and iterated, and then the guide will have to be adjusted for that. My design is terrible, so if you’re a designer and you want to make it pretty, that’s all welcome. So yeah, pull requests are definitely welcome. I would prefer this isn’t just me.

Stephan Livera:

Excellent. So maybe just a quick high level summary. Let me summarize a few of the key points for listeners, just to make sure it’s all clear. So essentially you’ve got to get those two different hardware wallets and have either an offline computer or use Tails for your Seedpicker. You’re creating that multisignature using Specter Desktop and Bitcoin Core. If you want that easy, you can use, say, myNode or one of those node packages. And then you create the multisignature, you back it up with that JSON file, you make sure you’ve got that well distributed, and I guess the key points are checking the addresses on the device when you do those transactions, receiving and spending and so on. And then, yeah, just periodically checking the setup. I guess those are some of the high level summary points. Anything else that you wanted to remind listeners of?

Michael Flaxman:

I think that’s well said. It sounds scary or daunting, and I certainly understand that reaction. The thing that I cannot stress enough is that multisig allows you to make massive mistakes, at least one and potentially many, and not lose funds. So you don’t have to be totally freaked out at every step that you’re doing it wrong, whereas in the single-sig case, I think you do. As much as this seems like a lot, blast through it. You don’t have to be as paranoid as you would be about, say, updating firmware in a single-sig situation. It’s much more casual, and that’s great. You can just focus on the Bitcoin stuff and not on the details.

Stephan Livera:

Yeah. And I guess one other thing you could do is, let’s say you’re already sitting on single signature right now and you’re paranoid and you’re like, oh, what do I do? Well, what you could do is just try this multisig guide with a small amount, like try it with $10, just to get comfortable with it. And then over time, as things improve and as you become more confident in it, that’s when you could start to more seriously use it for larger values.

Michael Flaxman:

Definitely. And as a good example of an opportunity to put new stuff in the guide, testnet is a great place to do this. Cobo recently added support for testnet, and Coldcard has had it forever. And so you can do all of this on testnet. I highly recommend it, testnet is free. You should practice a ton. And so yeah, I should have shown a lot of that. Testnet is your friend. You should definitely use testnet.

Stephan Livera:

Excellent. All right. So listeners, you can get the guide at btcguide.github.io, and it’ll be in the show notes obviously. And Michael, where can people find you online?

Michael Flaxman:

The way to find me is on Twitter. It’s @mflaxman, and good luck storing your Bitcoin.

Stephan Livera:

Thank you very much for joining me.

Michael Flaxman:

Take care.

Comments (2)
  1. Thanks for a great discussion. Michael, would you be able to comment on legacy wallets like Bitcoin Armory. Are they still secure or is it time to move on?