SLP532 Bitcoin Seed Backups for Multi Sig with SeedHammer

Now many of us are familiar with the idea of using steel backups for our bitcoin private keys, but what about in the case of multi signature? And what about using machine engraving? Dax and E from the SeedHammer project join me to talk:

Why they are interested in this problem
Passphrase vs multi sig
Descriptor backup on steel
Seed Hammer walk through
Cost
Attack vectors
Changing standards
Where the project is going next

Links:

X: @SeedHammer
X: @btcDax
Site: S eedhammer.com
Github: https://github.com/seedhammer/seedhammer

Sponsors:

Swan.com (code LIVERA)
CoinKite.com (code LIVERA)
Mempool.space

Stephan Livera links:

Follow me on X @stephanlivera
Subscribe to the podcast

Podcast Transcript:

Stephan (00:01.768)
Okay, Dax and E, welcome to the show.

Dax (00:04.818)
Thank you so much.

E (00:05.09)
Thank you very much.

Stephan (00:07.052)
So today we’re gonna be talking about a range of things, mostly obviously this seed hammer concept, what are we trying to achieve here? And I think as part of this, we’ll try and help explain for newer listeners a little bit about some of the ways to think about backing up our keys, especially when we’re talking about the more secure setups. So I guess it’s normally a good place to start. Why, why are you doing this stuff?

Dax (00:29.802)
Mm-hmm.

Stephan (00:33.853)
What was the driving impetus for you guys? Obviously under I know you’re under a pseudonym But just as much as you’re willing to you’re comfortable to share without doxing your personal life

Dax (00:43.606)
Yeah. Yes, if I should go first, like, actually it was E who introduced me to the whole thing. He earned me some money once and then he insisted on paying them back in Bitcoin. And I went down the rabbit hole and you know, the usual way, you know, and then you start to…

Dig deeper into what is money and how is money created and why is hard money good? Yada, yada, yada. Yeah. And then at one point, and I think this, especially now when we might enter a new bull run, it becomes obvious to many people that have been stacking, sad, maybe a lot of people or plebs came on in 17 and so on. Now you’re looking at your stash and you are thinking, okay, this is actually a significant amount now in dollar value.

And if Bitcoin is going to be hopefully what we all hope for, then I think it’s very important that you take your custody of these coins very seriously already now, no matter if the dollar value is life changing or not for you. And the same goes for all of us, right? And that kind of moved us in this direction. I don’t know if you want to add something to that.

E (01:58.37)
Well, I would say that once you go down the rabbit hole of what is money, then you end up at Bitcoin and what Bitcoin is. I think you can say the same thing about self sovereignty. Once you realize that the only real way to store your real money is by doing it yourself. You go down this rabbit hole of how can it be done in a way? What is the most perfect? Not necessarily perfect, but what is the…

What is the end goal? What is the end solution of storing Bitcoin in a way that you can sleep well at night? And I think we both ended up at steel plates. And steel plates have this… They are very durable and they are hard to lose and so on, but they are very difficult to inscribe on by hand. And especially if you do want some kind of set up where you can lose some of the plates.

the usual two of three or three of five or something like that. At this time and the time when we began SeedHammer and I think still, there’s not really that much support for Shamir schemes. So we went for the Multistick route. And as you know, Multistick has the problem that you need to also keep your descriptor very almost as good, well kept as the seeds.

Stephan (03:20.116)
Yeah, okay. We’ll explain some of these terms, but go on. Yep.

E (03:24.286)
Yeah, okay. So the problem was really the descriptor for multi-stake and also just to have the descriptor for having a self-contained backup. So you don’t have to have a USB drive or something printed that you put on each share and so on. So that let us down on how can you engrave that by hand, you really can’t. And then the idea, yeah, especially the descriptor. So we came up with the machine.

Dax (03:39.682)
Yeah.

Dax (03:45.286)
We tried, we tried. We tried with these stamps, you know.

Stephan (03:48.508)
Yeah, yeah, yeah. So look, so yeah, before we get too into the technicals, I just wanna make sure we can get everyone to follow along. So let me just try to set the scene. Obviously some listeners are advanced, you know, you don’t really need this, but for the beginners and intermediates, maybe this will be helpful. So when we start with Bitcoin self-custody, typically you might start with a wallet and it tells you to write down 12 or 24 words. You can think of that like that’s your…

Dax (03:56.199)
Yeah, of course.

Stephan (04:14.748)
Master private key or it’s like an encode encoded version of your master private key If somebody gets that they get all your coins now people are normally taught to write down these 12 or 24 words and potentially back it Up and here. I’m holding up just as an example. Here’s the seed plate from coin kite That’s an example and people would go through and sort of hole punch with a puncher. Okay, these are the words but there are trade-offs with this also because In this example if I didn’t have a passphrase then if somebody gets this 12 this plate

Dax (04:41.576)
Mm-hmm.

Stephan (04:44.848)
Obviously, this is an empty one, but I’m just showing as an example if somebody gets this they can steal my coins or take my coins basically and so that’s where some of the conversation goes into more advanced techniques and so typically people are talking about things like One is using a passphrase. So they would have their single signature Bitcoin wallet with 12 or 24 words and an additional passphrase That’s one way that they might approach that now there’s trade-offs to that because now you’re creating another

single point of failure depending on your setup. And the other approach many people are doing is what’s called multi-signature. So this approach, for people who aren’t familiar, you can imagine you can have, let’s say, three Bitcoin hardware devices, and you need to spend out, you need to, in order to spend, you might set it up where you need any two of those three to be able to spend coins. And so this is one way that you can help reduce some of that single point of failure.

Dax (05:17.894)
Mm-hmm.

Stephan (05:44.264)
and give yourself some more security potentially, but there’s a little bit of added complexity. And so that’s where maybe a lot of people debate in the community, oh, what’s better, passphrase or multisig and things like this. And I guess we’ll get into some of that. So maybe let’s start with that question for you guys, Dax and E, do you have any views on the passphrase or multisig question?

Dax (05:54.739)
Mm-hmm.

Dax (06:07.254)
If I should go first, I would say the passphrase. I don’t use it personally because there is a risk that I forget the passphrase or that I will have a critical impact on my brain. So I cannot simply cannot remember it. And then the coins would be gone unless I have written it down somewhere. And I know you can do that in a password manager or so, but…

Dax (06:37.294)
The whole way we are thinking is we want a self-contained backup. But that’s also how we are personally. We want it to be self-contained with nothing that we need to remember and nothing that our heirs need to remember. That’s very important because if you have a passphrase and you do not give it away to your heirs in a way that they can remember it, the money are also lost. Where in Multi-Seek without passphrase, you can combine those two, but without.

You have a much more physical setup. You can tell or instruct your AS to where the actual steel plates are hidden. And that’s it. Especially with our system, we can get back to that later. It usually isn’t. You will also need the descriptor, which I’m sure you will explain about later. But…

Stephan (07:22.004)
Yeah, of course. And E, anything to add there on past phrase or multi-sig?

E (07:27.05)
I’m pretty much on the same page. If you have two parts of your seed, the BIP39 mnemonic seed words, and you have a passphrase, that’s, to me, that’s a two of two setup. And if you have a two of two setup, you might as well go to two or three or something, so you can have a little bit of redundancy. And also, I think it’s good to treat the parts the same. A passphrase is one thing, and the BIP39 mnemonic seed phrase is another thing.

I like the symmetry of just having seed phrases.

Stephan (08:01.12)
Right, and I am personally in the multi-sig camp as well, but I understand it’s a common thing in the community where there are some people who, and maybe there’s not like one size fits all, for everybody because it sort of does depend on practically how you use Bitcoin and what you’re doing with that. Yeah, especially which wallet.

Dax (08:05.483)
Hm.

Dax (08:16.696)
Also, which wallet you’re talking about? Is it your Luke one? Is it your deep cold storage? What is it?

Stephan (08:21.644)
Correct, right. And so I think for the sake of your deep cold multi-seek, so this is coins that you rarely ever access, you’re planning to sort of…

Dax (08:31.282)
Pass it on.

Stephan (08:32.168)
Yeah, pass them on or even if you do spend you very rarely would use this like into the spending like it might be like once a year once every few years that you actually plan to spend out of this setup. That’s where I think multi signature is a superior solution, but you do need to be careful about how you back this up. So let’s get into that and explain this. So as you mentioned, there’s this concept known as a descriptor. And so just let me kind of set the background here and then you guys can elaborate a little bit so

Dax (08:36.146)
Mm-hmm. Yep.

Dax (08:54.242)
Yeah.

Stephan (08:59.692)
Coming back to that 12 or 24 words that you wrote down, that is like your master private key for that particular wallet. So let’s say you’ve got a cold card and you might have another one that’s another device. Let’s say you’ve got a jade or something else. You can have a master private key for each device. Like you can have one for the cold card, one for the jade and one for some other devices. And then out of that, you can take what’s called the master public key for each of those devices. And you can think of it like Multi-Sig is kind of like

Dax (09:06.558)
Mm-hmm.

Dax (09:12.697)
Mm-hmm

Stephan (09:29.012)
we’re sort of combining or we’re creating a script that requires two of three or three or five or some quorum that you’ve set up. And what we can do is we can represent sort of like a map for those, let’s say you’ve got a two or three setup, you can have those three master public keys and they are represented in the descriptor. And there’s a little bit more than that. There’s things like script type and derivation path and a few other technical details, but the short version of it is

Dax (09:57.85)
Mm-hmm.

Stephan (09:58.784)
The descriptor, your output descriptor, or you know, some people call it like your account map, that’s your way of being able to find your coins. Because this is one of the other things, which is a little bit of increased complexity to do multi-sig. I would argue that complexity is worth it, but we just need to have a way of backing up that descriptor. And so, do you guys wanna elaborate a little bit on that or add anything to that?

Dax (10:22.495)
Mm-hmm. Yeah. I think it’s a great way to explain it. If I should add anything, I would say we are trying to take out that added complexity, especially from the point of view of those who need to use the backup. If I can show the product from a Seat Hammer.

Stephan (10:44.097)
Yeah, sure.

Dax (10:45.43)
Here we have the, in this example, 24 words. I don’t know if it’s mirrored, it’s mirrored on my screen. Anyways, here we have, yeah, here we have an example of 24 words. It could be, it could be 12 also and a cube representation. And that could be the 12 words in one of your devices. You just showed, I think a code card or a trace or something like that. Let’s imagine they came from that one. And then another plate, which would contain 24 words from one of the other devices. And a third plate would do the same.

Stephan (10:50.357)
Yeah, I can see it.

Dax (11:15.41)
But the problem is it’s correct. And we were of that misunderstanding in the beginning that two out of three is enough and it’s enough to sign a transaction, but it’s not enough to recover your wallet. So if you lose your, your Sparrow or Nunchuck or whatever, got your phone stolen or something and you haven’t backed it up, and many people would back it up on paper, for instance, like I have done here. If you don’t do that, or if you lose that part.

then your coins are gone. You cannot spend them because you cannot recover your wallet. So you can make a transaction that you can then sign with two of the three. And that’s where we are quite unique because on the flip side, on the backside of these plates, we have the descriptor, uh, split out in a clever way, because there’s not enough room for the full descriptor, it’s quite big. And that makes so that just like with the private side, that any two out of three is enough to sign a transaction.

Any two out of three of the back sides is enough to recreate the full map or the full descriptor. Technically how it’s done, that’s kind of each table, but that is like how we want to make something complex more simple. I just need to save three middle plates and to spend, I need to scan two of them. And also to recover, I need to scan only two of them and it works with nunchucks, bearer and many blue wallet and so on. And you actually just point.

point on these QR codes and in less than two seconds, you see your balance. And that’s quite unique because these will go through water or fire whatsoever. And you still have it. And you can also actually bear to lose one. And it also works for three out of five, for instance, and other setups. But, but that just kind of underpins what you just said. We have a technology here that is quite complex. Actually. One thing is how to set it up. You can get help from Unchain, CASA and…

guys like you, but then when you have the backup and you know, okay, and that was maybe also our issue, our children will be the one who gonna maybe use this backup one day and it needs to be bulletproof. And I can instruct my daughter to where those plates are. And I can tell her, take this software or whatever will be popular at that time and scan two of the three on the backside. Then you will see the balance. And if you want to move them.

Dax (13:42.538)
scan the other side and that’s it. And that’s the kind of simplicity we need as an industry to add to these technologies in order for this to work.

Stephan (13:54.06)
Great, so that’s a little bit of a walkthrough of the, let’s call it the multi-sig backup approach with steel plates. So that’s really what SeedHammer is making it easy for people to do, though I guess in practice, I mean, you don’t have to use that. Like if you are just using single signature, you could theoretically just do the one thing with the seed punching in an automated machine, but that’s kind of high level for people to understand what’s going on here. So.

Dax (14:14.442)
Of course.

Stephan (14:20.788)
we can think of this and it has multiple applications, right? So let’s talk a little bit about who might use this or who might need this, right? It’s not just your son or daughter or your children. It could be useful in a business context. It could be useful in the context of maybe you need to write instructions for your lawyer in relation to your will and your estate, your estate planning. There are different contexts of what, you know, you would use these steel plates for and they…

will be stored in different locations. So as an example, maybe you might have one at your home, one at a private vault, another in, you know, another hidden location, maybe a family member or another private vault. So this way you are distributing the location of these keys and of the backup information.

Dax (15:04.99)
And you could, yes, and you could even, if you don’t care about KYC and AML, which this can be KYC and AML free, our solution, but if you want, you can have one part stored with the on-chain or KSA or some other custodial service.

Stephan (15:22.816)
Gotcha. And so just to spell that out, could you just like walk us through as an example, the, so let me just kind of spell out how I’m seeing it and then you just elaborate a little bit on that process. So as I’m understanding this user, let’s say this person is a little more tech savvy, they know what they’re doing, they wanna set up, you know, two or three multi-sig and they go to Sparrow or Spectre or Nunchuck, one of these coordinating, you know, client softwares.

Dax (15:36.102)
Yeah.

Dax (15:41.534)
Thank you.

Stephan (15:50.848)
that can create a multi-signature wallet. We generate the master public keys and then they are able to use the seed hammer software and connect that with a automatic metal punching device. And then that is what creates those three metal plates that you just demonstrated for us. And then that in turn is what the user is sort of, he has to…

Dax (15:53.879)
Mm-hmm.

Dax (15:57.674)
Mm-hmm.

Dax (16:04.458)
Mm-hmm. Yeah. Yeah, I have the software running here.

Dax (16:14.6)
Yeah.

Stephan (16:19.892)
write some instructions for his heirs or the lawyer, the estate planning people, whoever it is, they have to leave those instructions there. But at least it’s, it’s sort of going to be in a standardized format. That’s, let’s say, ideally easy to recover 10 years from now, 20 years from now, 30 years from now, whatever it is.

Dax (16:24.769)
Mm-hmm.

Dax (16:38.879)
Yeah. That is correct. Assuming that the standards we are using are not duplicated, which they are, but we can talk about that later. Yeah. So, so, so anyone today that, not anyone, but I would argue a lot would ask persons like you and companies and Bitcoin consultants, I’m uncomfortable with having this much value hidden in those 12 or 24 words.

Stephan (16:44.433)
Right, we’ll get into that later, but yeah, just go on, yep.

Dax (17:06.921)
Because what if I lose those or someone sees them? You just need to see them like in a, or maybe they are made with a bad entropy. So someone is overlooking, actually surveilling that address. And then you move to Multisig. And right now, as it is today, it might be a golden field, but today’s Seathammer does not help people create their Multisig wallets. You can get help from companies and so on, or you can do it yourself. But you would always end up with someone telling you.

awesome procedure telling you, you need to save your descriptor. It is so important to save this descriptor. Save it with each share, even though if you punch it on metal and you have like three different metal plates, then have a paper like this, start with each of those. What if they all are into a fire? Then you should also have it digitally stored in the cloud and so on and so forth.

For us, that’s just not good enough. We want to be paranoid. We want to be, let’s say that we are locked out of our cloud service and all the three plates, it would never happen probably, but if they were into a fire, then the paper would be gone and so on. But it’s correct. We then go in and we are a tool, a big machine. I have it right here. It’s quite heavy. And this, the seed hammer machine is like a needler that hammers into the plate and you feed it with a Raspberry Pi Zero.

where you actually start by scanning the descriptors. So our open source software knows, okay, this is the wallet. This is how it constructed. As you said, we have all the information about the three shares, script type, so on and so forth. And then you just feed it with one of your 12 for 24 words. And then it knows, oh, that’s the share that is in this multisig setup. I will now start the checkout process, as we call it, where it guides you on how to set up the machine and hammer the first plate, so on and so forth.

And you talked a little bit about businesses too, and that’s, we, that’s, I would like to elaborate a bit about that. If you have a Seat Hammer physically now, I know that you and I are very much apart physically, but you could have a Seat Hammer at your place. I could have a Seat Hammer at my place and he could have a Seat Hammer at his place somewhere in the world. And we could jointly agree on that we create, each of us creates with as much entropy as possible, randomness, a seat that

Dax (19:32.362)
Only we know ourselves, but we could give each other or share with each other the public key from that seed. That wouldn’t do any harm. And then for instance, we would agree that you would be the coordinator. So you would feed those three public keys into Sparrow, for instance, or Lunchuk. And then you would send back the descriptor to us because the descriptor doesn’t know anything about the secrets about the private keys.

And now I could hammer because I could load this with the software and load my 12 words into the software and I could hammer my plate. You could load your 12 words with the descriptor and hammer your plate and you could do the same. So now we will share a two out of three multi-seq where no plates has crossed any borders, no information has crossed any borders physically because it’s also, that’s a downside with steel, it’s hard to travel with if you don’t want the security. Exactly.

Stephan (20:23.632)
Right, because you might be paranoid about going through an X-ray machine in the airport or this kind of thing. And actually one other point I do want to make here, for the paranoid, I guess it’s also possible to use Seed Hammer only for the output descriptor backup, right?

Dax (20:28.743)
Yeah.

Dax (20:38.802)
It is, but how is it? Correct me if I’m wrong. We have a version, so it will always start with the public part. So when it asks you to flip the plate and hammer the private part, you just disregard that part of the process. But you would need to initiate the hammering of each plate. You would need the 12 words for each plate, but you could just produce this, the backsides.

Stephan (20:47.862)
Right.

Stephan (20:52.877)
Gotcha.

Stephan (21:04.988)
Yeah, right, that’s what I’m getting at because I guess for the paranoid they may not want to ingest the private key into the SeedHammer device and they might want to think of it like, oh, I just want to have my separate 12 or 24 word backup for the private key and use the SeedHammer component only for the descriptor backup, only for the multi-seed component of that. Is that possible?

Dax (21:08.51)
this.

Dax (21:16.955)
Okay.

Dax (21:26.703)
I don’t think it’s possible today, is it E? No. Because of the work flow.

Stephan (21:30.451)
Okay, gotcha.

Gotcha. I understand.

E (21:34.402)
I guess we should add that this descriptor, what’s the reason we could put that descriptor at each plate? What is the reason that descriptor is less dangerous that the seed is that you need the descriptor to see your wallet balance, but crucially to sign your transactions. But if anyone gets hold of your descriptor, they can only, it’s only a privacy leak. They can see how much you have, but they cannot use it to do anything. Yeah.

Stephan (21:56.596)
Right, but they cannot spend knowing only the descriptor. So that might be another tool that some more paranoid hodlers or security setup consultants might wanna take. They may wanna take that step of having distinct backup formats for each thing. But of course, there’s complexity with all this, and I’m sure a lot of the user experience and things have to be sort of ironed out over time because it is very early, but yeah.

Dax (22:15.95)
Yeah, yeah, but yeah, and it is very early and I want to add just a quick note on this. We are working on, which you might saw on Twitter today or X, we are working on a version where you can fit the whole descriptor on each plate. So you wouldn’t, so any plate, any one plate would be enough to describe the wallet. And that would mitigate the issue because then you can just hammer it on one plate and disregard hammering the other side. And then we have the solution you’re asking.

Stephan (22:32.454)
Okay.

Yeah.

Stephan (22:43.308)
Right.

Dax (22:45.17)
So I believe it will come in the future, but we are still so goddamn early. This is the only multisig backup on steel that exists in the world at the moment. And, and we are also learning from our loved, like I call them our ambassadors. Those who bought the machine now, because obviously it’s $600 unit. You, it’s not something you do as a pleb with the 1 million SaaS, right? So, so we know who’s the target group at the moment.

Stephan (23:10.848)
Yeah.

Dax (23:13.922)
But I’m just saying, and we can get into that later, there is something in the future, very interesting coming up.

Stephan (23:15.894)
Yeah.

Stephan (23:19.636)
Yeah. Gotcha. And actually just for listeners who are curious, what is the cost? You mentioned it. I missed that earlier. What’s the cost for that broader, the bigger machine?

Dax (23:29.457)
The one I just showed, the seat hammer machine, yeah, $600.

Stephan (23:30.684)
Yeah, the big heavy machine? Yeah. Okay, gotcha. Yeah, and so, and obviously the cost for that, Raspberry Pi Zero is very low, right? It’s like maybe, you know, $20 or something.

Dax (23:40.102)
Yeah. And you don’t even need the enclosure. We just have it in an enclosure. It’s the same setup as the SeedSigner. We went through many iterations of the software. We started to build on the Spectre board, the Discovery board, but because of, I think it was logistic issues, we had to move on and we couldn’t move on to Raspberry Pi Zero at that time, it was under the COVID, so there was a lot of supply chain issues. So we actually ended up…

developing the full Seat Hammer system on a, on a fair phone like Android burner phone and it just felt wrong, but we had to move on, but at least to me, and I think it goes for you too, it feels wrong if we are this paranoid and security concerned as we are to deliver a product that needs to have the controlling unit on a piece of hardware that is meant to go online. It just feels wrong. So lucky enough.

We had a conversation with the Raspberry Pi foundation and all of a sudden they said, we can deliver now and we can deliver a lot. Okay. That’s better than doing it to the discovery boss because that is meant to be a development board. It’s not something that you can guarantee from any manufacturer will be like out there in X month or years. And we were quite certain that the Raspberry Pi zero, with

Stephan (25:19.212)
I see. And so I guess one area that, you know, may give some users a little bit of pause is the aspect of ingesting the full private keys into the device. So are you seeing this like maybe the paranoid users would get that smaller device, the seed hammer, I guess the Raspberry Pi Zero, and maybe they could, yeah, that smaller one, and then they would do this process, do the setup, and then actually like literally burn or destroy that device.

Oh yeah, I can hear you. It looks like you’ve run out of storage. Okay, recording has stopped. Um, let’s just pause it here and we’re gonna, yeah, just hold it here.

Stephan (00:02.308)
Okay, I think we just briefly lost you there, but while we’ve got you back now, in terms of the cost, one other question around the cost of the seed plate backup material, can you give us a guide there?

Dax (00:15.128)
For these plates, actually I cannot buy head, but I can go to our homepage, sheathammer.com, where we also sell the controller actually for US customers. But this is the most used plate. It’s for the 2-3 multisig.

Stephan (00:16.644)
Yeah, those small ones. Yep.

Dax (00:35.059)
And there we have like either a 9 pack or 18 pack bundle for 59 or 99 US dollars. And we have the bigger plates. We also have a minor credit card size plate which we are facing out. But we also have even bigger plates. They are like almost twice this size because we need more space even though it’s a partly descriptor. We need more space. That is for 3 out of 5.

Stephan (00:43.452)
Gotcha.

Dax (01:04.159)
and other setups. Just to elaborate on the material, it’s stainless steel, 316. Yeah, and we are actually right now, those plates are undergoing at an external company accelerated corrosion test. We wanted to see how they behave compared to normal stainless steel and compared to regular steel.

Stephan (01:28.888)
Great, yeah, that’s good to see. Normally, people do things like heating them up to do advanced aging processes to help simulate what happens over 10, 15, 20 years, etc. And yeah, so I guess these are all things that have to be built out. So bringing it back to the actual controller software and the controller unit, so I guess we’re calling that the SeedHammer controller. Can you?

Dax (01:36.227)
Mm-hmm. Yeah, yeah, exactly.

Dax (01:51.527)
Mm-hmm. Yeah.

Stephan (01:56.38)
Tell us a little bit about some of the security considerations there. Like as one example, there may be users who are paranoid about that little device holding private key material. And so maybe the more paranoid users would want to maybe do the process and then literally light that on fire or destroy that unit as an example. And maybe less paranoid people might be in a position where they’re using that same one for multiple people, which I don’t know.

Dax (02:07.434)
Yep, definitely.

Dax (02:14.94)
Yes, yes.

Stephan (02:25.54)
Personally, I wouldn’t be comfortable with that. But yeah, can you explain a little bit about that?

Dax (02:26.707)
Not a good idea. No. Every time you work with your seed, you need to treat it, even though it’s a multisig, I would still treat the seed as the biggest secret of my life. So also consider where it came from, because if it was generated online through some app, like where you could buy some coins and then, oh, save those 12 words, those 12 words have already been online. You cannot be sure that they are.

Generated with enough entropy and that there’s not a backdoor Yeah Created offline and that’s a whole other story with Diceware or whatever you want to do But let’s wait with that when you have to secure 12 words made with enough entropy totally offline It can feel very odd to put them into something digital Why we chose the Raspberry Pi zero is because it has no Wi-Fi module. It has no Bluetooth module and if you do not use the middle port then

Stephan (02:56.42)
Right, that it was always offline, right? That’s the important thing.

Dax (03:23.795)
Actually, the left side is only for power and the middle is for data. Of course we need the data part, but only connected to the big blue machine, nothing else. When you boot it up and you actually want to do something, we ask people to remove the SD card, so you take that out. Then at least one point of storage is removed from this device. Now you can put in your, your 12 or 24 words and your descriptor.

And stuff like that, and you can hammer things out and we can talk about what can be stored in the machine later. But let’s talk about this device now. Then if you are ultra paranoid and you haven’t read through the code, because our code is not even open source, it’s public domain, no one can ever own it. And of course, that’s what also make it a trustless that a lot of people hopefully have.

review the code and seeing that, okay, this is not actually writing to any elements because as he pointed out to me lately, what makes this stateless that it can’t save anything is by design from the code and maybe you could elaborate a bit about that.

E (04:32.312)
Continue your presentation. We can comment on that.

Dax (04:33.931)
Okay. But it’s something about that if you really want to, and you were evil, you could actually try to store the seed words on some kind of chip on the board of the Raspberry Pi Zero, nothing prevents you from doing that. I was off this stupid idea that, oh, it’s the stateless unit, just like the, let’s say when you have a Blockstream Jade in stateless mode, then it can’t save anything when you take the power. It’s totally empty of data. Only if the software is designed so.

A evil maid attack could maybe make a malicious part of your software or version of your software, which is why you should check our signature and stuff when you download it. But anyways, when you’re done with it and you’re really paranoid and I know that, and I think I did it myself actually, when I made my plates, I’d ran it over with the car, burned it and threw it out. And I made each plate with three different Raspberry Pis. And it sounds stupid to go to this extent, but if you’re storing…

What you want to pass on to your kids. Wouldn’t you regret if that little risk of something revealing your seed, you would regret it so much if that was enough to that you looked at a balance of 0.0. So, so you’re right, Stephan, destroying it afterwards is the super paranoid way to go. But in general, we are of the, of the idea that.

Never share your neither seat signer or seat hammer controller. Don’t share it with anyone unless like you’re doing it for family. I don’t know what, but you know, it is super, super important that you almost look at this device when it has known your 1224 words, look at it as a dirty object that you need to destroy, even though it’s stateless, has no wifi capabilities and the code is honest and stuff like that, just to be on the safe side, sleep well at night.

Stephan (06:31.836)
Got it. E, anything to elaborate on that there?

E (06:34.538)
Yeah, it’s just the question of hardware, what’s in the hardware, it’s very difficult. I think I would say possible to say what is in hardware and what can be stored and what cannot be stored. And I think the only reasonable, the only realistic thing you can audit is the source code. And the second, some kind of defense in depth with respect to hardware is what Csigner did. And we are also doing is to buy

to allow your Bitcoin software to run on common hardware because it’s much, much more difficult to make a backdoor specific for Bitcoin software in hardware that is sold in the hundreds of thousands or millions. So there’s a misunderstanding with respect to the seat signer that you can’t store anything. I believe, I certainly believe you can store it on the device itself. You don’t even need the SD card. The security from a device such as the seat signer or…

is that you can buy it from off-the-shelf parts. That’s the added layer of security.

Stephan (07:41.64)
Yeah, I see. Okay, and so let’s talk a little bit about some of the other security vulnerabilities of using SeedHammer. Now, there is a blog post, so listeners, I’ll put that in the show notes also, the attack vectors. So let’s talk through a little bit, just at a high level, can you explain some of the vulnerabilities of SeedHammer or the potential vulnerabilities that a user would have to think about?

Dax (08:05.839)
Yeah, we know our shortcomings. There was the sound at the beginning, the very first iteration. You could actually listen to the version of how they were hammered. Because when you deformate metal, you make a lot of energy or you release a lot of energy, which just comes out a sound here and deformation in the metal. That one we mitigated. He figured out a way to both produce cura quotes and words and letters that no matter the length of whatever you are hammering.

Sounds exactly the same and we analyze the sound profiles and they are on the on the millisecond the same So in that way for now, we have mitigated that part But still even though it’s an old industrial tech machine off the shelf and you can buy it yourself You don’t have to buy it from us and it only has a USB Connector in the back How do you know how do you as an ordinary pleb or even?

More than a player, how do you know, even though you can take off the top plate and look down, how do you know that nothing is stored in it? Because it has to hammer your word. So it will at some point in some stupid way have the instructions, even though it’s just instructions how to move XY on a plate. Things are sent to the machine and there’s no really good answer at the moment other than destroying it. I think that’s the best.

We are trying to mitigate it. We are trying to find a solution where you can totally trustlessly have a seed hammer solution where we mitigate this, but it’s still work in progress. And we know that’s one of the shortcomings. I know now we are in the very, very paranoid part of the scale. A lot of people make their seeds on hardware specific or Bitcoin specific hardware that I would argue is even more dangerous, maybe.

for that would be an attack point where an old industrial machine made for making nameplates for cars and forklifts and The very non Bitcoin specific product is not the biggest threat But it’s still if you are super paranoid and to the extent that we want to go We know that is a risk and we right now are annoyed with the fact that when people ask us How do I know how do I audit the inside of the machine? We are like, it’s pretty damn hard

Dax (10:26.923)
What I can say is you can find the manufacturer online. You can try to write them and say you want the version with Bluetooth or Wi-Fi and you want the version with memory. And you would say we cannot deliver that because it doesn’t exist. But that’s kind of the best answer right now.

Stephan (10:42.568)
I see. Any other vulnerabilities to discuss? I see from the blog post you’ve got a few others here. Radio waves, electromagnetic noise, and data exfiltration. So do you want to just elaborate on any of those?

E (10:56.098)
So the electromagnetic noise is the same thing that with the noise of the machine itself. It’s pretty noisy when it’s engraving. And as Dex said, we had to, or I created, well, we engraved the private part, the words on the QR code in a way that it engraves for exactly the same amount of time in exactly the same pattern for any seed. So you can’t just from the sound extract what is being written on the plate.

Dax (10:56.115)
I would let E do that.

E (11:24.746)
You can do that for the scripture side, but that’s less of a problem because it’s public. It’s a well, it’s not public, but you can’t really run away with your, if someone is listening to your device, then you can only see what the balance is, which is less of a risk. But with respect to electronic magnetic electromagnetic radiation, there is a possibility. We haven’t tried it, but there’s a possibility that the motors, the stepper motors that control the position of the of the of the engraving needle head.

and of course the needle itself, they’re pretty noisy, but they also emit electromagnetic radiation that at least in theory, if you were able to capture that nearby, then you could in theory deduce what the movements of the stepper motors were.

Stephan (12:17.344)
I see, yeah. Yeah, so certainly there are some trade-offs here. There are some aspects to be considered about, you know, how much extra risk is that person taking on by using a seed hammer as opposed to just keeping it all paper, but in a harder to manipulate or use format, let’s say. And…

Dax (12:28.459)
Mm-hmm.

Stephan (12:37.772)
Yeah, maybe for some users it’s just beyond the pale or it’s too far for them. Or maybe it’s more like they would be interested in SeedHammer for the output descriptor part only and not for the private key backup part. And maybe it would be sort of like using it only for the public key parts. So I guess that’s how I’m seeing it. Sure.

Dax (12:51.08)
Mm-hmm.

Dax (13:00.883)
I would like to point out one thing though. No matter if you are a hardware wallet, like Advocate or not, if you produce, no matter if it’s with the Seedhammer or it’s the Stigl QR, that’s another product. We are not affiliated with it. But when you have your QR on Stigl, it gives this added benefit of having stateless signers, so you do actually not need, at least for your lukewarm and cold stores, you don’t…

really need a hardware wallet. You can just produce your seats, produce your plates directly, everything offline, and then fund them. And every time you want to spend, you load via the QR, because that’s very easy. You load via the QR into a stateless signer. And that way, and me personally also, I can manage my coins totally without a hardware wallet. I could just use a Raspberry Pi Zero running the seat signer software, for instance. Again, it’s nothing.

What are you saying? No one solution fits all, but that’s an important point to make. And it especially became clear to us. And we also got it from our ambassadors, customers and partners that when we had this, was it a ledger who came out with some kind of backup of your private key? So there was this ledger, debuggle.

Stephan (14:20.824)
Right, ledger recovery, which is, there was a lot of discussion in the industry about that particular thing. There was a lot of, let’s say backlash amongst more hardcore users. I think ledger’s response is more like, oh, this isn’t for the hardcore people, but then there was still a question about, is that the right thing to push people into that pathway, et cetera, yeah.

Dax (14:25.587)
Yeah. Mm-hmm.

Dax (14:41.991)
Yeah, but it makes you question, oh my God, my Trezor, whatever, something, something I won’t mention a lot of names here because they are probably doing their best or they are doing their best, but just know that when you have those 12 words inside some electronic device, it might be able to exfiltrate it somehow. And by making a product as Ledger did, that is a recovery product, they publicly say that we can take this. And of course they can take it. It is, even though it’s in a secure chip, of course they can take it.

And they can promise as much as they want. And even though any company wallet producer is honest, if they have a backup service like that and you have a single seek and it’s stored somewhere in the cloud and you feel happy, now it’s not my own responsibility anymore, what if the government wants to access those data and put pressure on that particular company? So the company doesn’t even have to be evil.

external sources can be evil to the company that forces them to leak your data to them. So I think it’s a very important point. That’s why I’m a big proponent of stateless signers.

Stephan (15:47.672)
Okay, yeah, so yeah, I think that’s an area where people have to think about exactly what are they comfortable with. And again, for the different setups, right? Like maybe for your ultra cold, ultra paranoid setup, there are just certain things that you just, there’s certain lines you just never ever cross. And maybe for some lukewarm setups or maybe for like a business, sort of day to day use multi-sig, maybe for that setup, you’re comfortable with other risks. So I think that’s really where listeners have to sort of think.

Dax (16:03.915)
Mm-hmm.

Dax (16:13.107)
Of course.

Stephan (16:17.24)
about their own trade-offs, what’s appropriate for them. And even many listeners are builders, developers, educators themselves, so they have to sort of think for their own users or for their own customers or students who they’re teaching, what’s the appropriate response or approach for them. One other question people will probably have is around different standards and changing standards, right? And I know you did a thread about this. So let’s just talk a little bit about that. So…

Dax (16:26.848)
Mm-hmm.

Dax (16:42.507)
Mm-hmm.

Stephan (16:46.476)
I guess I’ll set some of the context and then you can give your answer. So one of the, I guess, responses that was seen online was this idea that, well, hang on, what about changing standards? So the underlying QR standard blockchain, you are as an example, what if that updates or changes or what if the industry shifts to a new standard that in 10 or 20 years, you know, people using that standard instead of the one that we’ve used to engrave, do you have any thoughts or response on that?

E (17:13.002)
Yeah, so the calming response to that is that there will be a, even with a very sudden shift, let’s say every wallet software suddenly doesn’t support the standard that we’re engraving with today, you will always be able to, not always, but for quite some time years, be able to download an older version that can restore your descriptor or read your seeds. So that’s the calming response.

There is a risk that, well, not risk, but there is an annoyance or an inconvenience in the sense that the plates may last for many, many years, but the standards, because the Bitcoin software community is still very young, the standards that we use to engrave the descriptors to all the data with go out of fashion or at some point becomes unsupported. So that’s, I would say it’s an inconvenience because there’s, I don’t see any point unless you’re.

cryogenically frozen for 100 years and wake up and you have to restore your place or something. So that’s the first response to that. And the second is that from thread we’re trying to avoid these, we’re trying to mitigate these problems by moving away from some of the less supportive standards. And we’re even trying to squeeze the whole descriptor in several ways, to hold the descriptor down on the backside of one plate or each of the plates.

even for the multistake setup, which makes us less reliant on particular standards for encoding or engraving or representing the descriptor. So yeah, that’s also, I would say, in summary, there’s always a risk for changing standards, but we’re moving towards more widespread standards instead of the one that was deprecated.

Stephan (18:51.452)
Gotcha. Yeah.

Dax (19:01.395)
Yeah.

Stephan (19:02.22)
Yeah. And yeah, to be honest, I think that’s a fair answer. Um, one other area is just to talk about Seedhammer as a project. I guess let’s talk a little bit about that aspect. Is this a for-profit company or is it more like an open source project? Not trying to be like a not for profit thing. Can you tell us a little bit about the structure here and what you’re aiming to do just more broadly with Seedhammer?

Dax (19:22.764)
Yeah. First of all, the idea came out of, yeah, as I said, in the beginning, necessity to do these things and help people when you look at the USD balance being like, well, bigger than I expected. And we believe that we need everyone who has the capability, need to help the industry by making the advanced stuff under the hood accessible for everyone.

Also, multi-sig, if we end up having multi-sig as the predominant, non-single point of failure technology in the future, we simply need to make some self-custody solutions that people can use and that the Earth can restore easily. And this is the first step. Seen from a business perspective, we are working full-time on it, both of us. And we even have more partners than you see here in the show, helping a great

helping a lot. And of course we would like to be funded and not from external funding. We would like to be funded by bringing value in a trustless way so that people want to pay for this. And as you know, everything can be done. Do it yourself. There’s even a do it yourself guide online made by one of our, yeah, he’s not a cashier, but he’s an ambassador. And we really just support that. But.

We see that we are from a business perspective, we reach the goal when we have a solution, when we can provide a solution where the only thing you pay for in our pocket is that we can sustain the software, of course, but also that we provide an easier way to get started. So instead of having to buy everything on five different stores online and waiting for two months for things to be delivered from, I don’t know where, that you have one single…

shop where you can buy or choose to buy the parts you want to buy from us. And you can maybe assemble some of the electronics yourself and stuff like that. You just want the casing from us or whatsoever. Like that’s the end goal to be able to make a trustless experience. And every time we put something in a cardboard box and ships it to someone, then we must have added value when we would like to take a little profit for that. And today, oh, no, there is not. But we…

Stephan (21:43.992)
Yeah, not that there’s anything wrong with profit of course, yeah.

Dax (21:48.203)
But we don’t know where this will go eventually. Of course, we hope that people will buy Seat Hammers in the thousands. But we also know besides the security issues that we are trying to mitigate at the moment, price is also a very big player in this game. And if we want to onboard every pleb out there, we need to get the price point significantly down.

And we also working to mitigate that. But again, it’s all work in process. And yeah, I think there will be ground for yet another talk in the future. But when and how we don’t know yet, but definitely we know that there are some things that will make this product even more accessible from a price point of view and also from, because we do get pushbacks from some of the ultra paranoid.

not only ourselves, but some of the ultra paranoid Twitter users. And we take it very seriously. And as we just talked about, we are well aware of these shortcomings. And we, I think we feel as not even as a company, but as persons that we have fulfilled our duty to the Bitcoin community when we reach that end goal of full trustlessness, verifiable and trustless.

E (23:07.406)
But your question was, was it for profit or is it just open source? And so that it’s a for profit.

Stephan (23:15.216)
Great, yeah, and that’s fine. As I said, nothing wrong with setting up as a for-profit company. And I think the other aspect, of course, we’ve spoken today a lot about some of the more paranoid questions, but let’s remember where a lot of people are today. They are custodial on exchanges or brokers or services out there. So I’d be very happy for them to even just start the process on single signature. And then, of course, I would like to see more people become

Dax (23:39.767)
Yeah, yeah.

Stephan (23:43.688)
confident, comfortable enough with advanced security techniques and of course using things like multi-signature once they’re ready for that. And so potentially if this helps more people go to using multi-sign instead of leaving things with a custodian somewhere, then I think that’s a good step for people. So, you know, you have to sort of balance the paranoia aspect of it with also having something that is usable and practical for a decent percent of the population beyond just that sort of 0.01%.

Dax (24:09.384)
Mm.

Stephan (24:14.017)
True, there’s ultra paranoid types. So I think you sort of have to find the balance there. So yeah, I guess any closing thoughts about where things are going in terms of Bitcoin and Bitcoin self custody?

Dax (24:30.588)
Yeah, the price is going up forever, right? But for the self custody part, I do believe that honestly, if you have a single SIG, then we need to teach people something about entropy, how to make a secure 12 words or 24 words. That’s very important. We just saw recently a guy losing 140 coins, even though he was a Bitcoin teacher almost or something like that.

E (24:32.518)
No.

Dax (24:55.239)
A good guy, by the way, but having those stamps and a hammer, there are many, many great solutions out there. That is a very good beginning to get those seeds created safely with a lot of randomness and put down on steel and never let these seeds touch the internet anyhow. But I also see solutions like ours, maybe not in one or two years, but maybe in five or 10 years range become more both accessible price-wise, but also more normal.

that you have some kind of equipment that is because the industry will develop and evolve will be more than secure enough for people to, to back up their, their like, because you can, you can look at this as a gold bar, basically. It’s just a gold bar made of steel, right? And I think there will always be two camps, those who want not to have the responsibility for their own stash and they will use services, those who want their middle part where they hold something and a service hold one part.

And then those who want to be totally AML KYC free and be totally self-sovereign. Yeah. So those two, three aspects I think will always be there, but I think it will evolve a lot.

Stephan (26:05.52)
Great, well I think that’s a great spot to leave it there. So listeners, I’ll put the show notes links, but seedhammer.com is the made one. Dax and E, thank you for joining me today. And yeah, let’s see what happens with this project.

Dax (26:19.243)
Thank you very much. Thanks for having us on.

E (26:19.29)
Thank you very much.

Leave a ReplyCancel reply