Stepan Snigirev, Quantum Physicist and CTO of CryptoAdvance joins me in this episode to talk about the Quantum threat to Bitcoin, and we also talk about Bitcoin Hardware Wallets. This interview was recorded in person in San Francisco just prior to the Bitcoin 2019 conference.
- What Bitcoin’s security relies on
- Why the Quantum Computing threat against Bitcoin is overblown
- How long until it might be a realistic consideration
- Challenges faced by Bitcoin Hardware wallets today
- What could be done better in future
- CoinJoining and Lightning on a Hardware wallet
- Twitter: https://twitter.com/StepanSnigirev
- Crypto Advance: https://cryptoadvance.io/
- Crypto Advance twitter: https://twitter.com/cryptoadvance
- Kraken: http://www.kraken.com/?utm_source=podcast&utm_medium=stephanlivera
- Unchained Capital: https://www.unchained-capital.com/?utm_source=Stephan%20Livera&utm_medium=Referral&utm_campaign=Affiliate
Podcast Transcript (Sponsored by GiveBitcoin.io):
Stephan Livera: Hi and welcome to the Stephan Livera podcast, focused on Bitcoin and Austrian economics. Today I’ve got a fascinating interview with the brilliant Stepan Snigirev, CTO of Crypto Advance. But first let me introduce the podcast sponsors.
Stephan Livera: Firstly, Kraken, they are one of the longest standing Bitcoin exchanges. They’re consistently rated the best. They’ve got a really high quality platform offering the best liquidity in the industry. They also have a very strong focus on security, offering things like two factor authentication, no phone or SMS account recovery, so your account stays in your hands. They’ve got PGP signed and encrypted emails as secure communication if you wish. They’ve also got high priority 24/7 live chat and email support for urgent concerns. On the institutional and business solution side, they’re very popular there too, with customers from funds and asset management to trading firms to crypto businesses. They offer the highest available API rate limits. There’s also a Kraken OTC desk. Kraken offer five fiat currencies and they also offer margin and futures trading. If you want to learn more and sign up, go to the Kraken link in the show notes.
Stephan Livera: My second sponsor is Unchained Capital. They’re a Bitcoin financial services company and they’ve got two main products. One of which is a two of three keys multi signature vault product and this is really good because it can help you distribute your keys and help protect you against that proverbial five dollar wrench attack, and you can still maintain control with your two keys and reduce that single point of failure risk. And this can work well for individuals or institutions. I’ve set up a vault with Unchained, I found it super simple and easy. If you create an Unchained vault you also get three free months of access to Saifedean Ammous’s Bitcoin Standard research bulletin. Unchained also offers Bitcoin collateralized loans, allowing you to get USD liquidity without selling your Bitcoins and not triggering a capital gains event. This could be tax efficient for a HODLer, enabling you to continue HODLing rather than selling Bitcoins. To learn more and sign up, go to the Unchained Capital link in the show notes.
Stephan Livera: This interview with Stepan Snigirev was recorded just prior to the Bitcoin 2019 Conference in San Francisco and it’s a really interesting conversation because Stepan is able to credibly explain why the Quantum Computing threat to Bitcoin is overblown. And we also talk about some of the work that he’s doing on hardware wallets. We talk about some of the challenges faced by hardware wallets today and the opportunities with hardware wallets going forward. And then we also talk a little bit about what he’s doing with Crypto Advance. With that said, on to the interview.
Stephan Livera: Okay, we’re live. Welcome to the show, Stepan.
Stepan Snigirev: Thanks. Thanks for having me.
Stephan Livera: Yeah, so look let’s just maybe just give yourself a bit of an intro just for the listeners.
Stepan Snigirev: Well, so I work in a Munich-based company that is trying to build a hardware platform for Bitcoin, and before that I used to be a Quantum physicist, so I spent my whole life in experimental Quantum physics doing Quantum simulators, Quantum computers and so on. And last year I moved to Bitcoin full time because, well, it’s so exciting. Sometimes even more exciting than Quantum physics, yeah.
Stephan Livera: Yeah, fantastic. Look, and I know that has been a common topic in Bitcoin, people have a bit of fear around this whole idea of, “Oh no, Quantum Computing is going to come and is it going to destroy Bitcoin?” And so on. I thought it might be good to obviously talk with you about that. And I know you recently appeared on Peter McCormack’s show as well, talking about some of these topics. So we’ll see about if we cover certain aspects in a little bit more detail because obviously we’ve got the expert in the room.
Stephan Livera: I suppose, could you maybe just outline what is the basic … the so called threat?
Stepan Snigirev: Okay, so what people are scared of is mostly that the classical cryptography will be badly broken with Quantum computers and in theory it is true because there are certain Quantum algorithms that are much more efficient than classical ones. And if we could have a general purpose Quantum computer that is powerful enough to do this, then all the RSA, elliptic curve and other public key cryptography will be badly broken.
Stephan Livera: Right, so let’s break that down a little bit. Part of it is Bitcoin’s security is reliant on certain cryptographic assumptions, let’s say, and some of that … there’s different components of that. One of them relates to mining so that’s double SHA256. And the other interesting one is around transactions, so that’s, as I understand it, that’s RIPEMD160 and then SHA256 hashing.
Stepan Snigirev: Well, you’re talking about the hashing functions, but also another important assumption for security of Bitcoin is this private and public key, and so the discrete log assumption. So basically if someone knows your public key, they shouldn’t be able to calculate your private key. And this is kind of the one that is very important for Bitcoin. Because mining and hashing, well, we already have ASICs that are much faster than classical normal, general purpose computers, and then if Quantum computers appear, yeah, it will be slightly larger mining hashing power. But eventually it is not super crucial so yeah.
Stepan Snigirev: The thing is with hashing and with these elliptic curves there are two different Quantum algorithms, and if you look at how efficient Quantum computers are compared to classical computers it strongly depends on the algorithm that is used. For example, for hashing, for SHA256, double SHA256 or RMD or whatever hashing algorithm you use, there is an algorithm, Grover’s Algorithm, that is kind of more efficient than classical but not super efficient. If you are talking about the complexity, normally with hashing functions to guess the … well, mine the right block you need to brute force, and with a Quantum computer you can parallelize this brute force using this entanglement stuff and it becomes a little bit faster. But basically instead of 2 to 256 you will need to have the number of calculations that is 2 to square root of 256.
Stepan Snigirev: So it is an improvement, but it’s not like badly broken hashing functions, so it’s just a bit faster.
Stephan Livera: Yeah. Just to make sure I’ve got my understanding correct and also just for the listeners, what you’re saying there is part of Bitcoin’s security relies on there being this enormous search space and the fact that people must brute force, like literally just kind of trying to pick the needle out of a haystack, right? The equivalent of that. And what you’re saying there is using, is it Grover’s Algorithm? We are able to theoretically reduce the size or kind of search more efficiently, rather than literally needle in a haystack searching. But essentially if I were to simplify what you’re saying is while you can reduce that, it’s just not to the level that somebody could, given your public key, figure out what is your private key which would then able them to spend your bitcoins?
Stepan Snigirev: These are different problems. The hashing is determining this mining power and proof of work. With Quantum computers it will be more efficient, so probably all the mining tools will be replaced by the webs running Quantum computers and then Quantum computers will compete with each other. But still it’s fine.
Stepan Snigirev: The other problem is this public/private key problem and in here we have a Quantum algorithm that is very efficient. So basically if we have a reasonably large Quantum computer and you give me your public key, I can calculate your private key, well, very fast basically. It’s like all the assumptions that public key cryptography is relying on don’t work anymore. The problem is how easy, how hard it is to achieve and to build this machine, and so I think that people overestimate the threat, because damn, it’s so freaking hard. I mean you build a lab for five years, then hopefully it works, then you have some bright idea how to improve this Quantum computer a little bit. But still we are orders, orders, orders of magnitude below what we really need for that.
Stephan Livera: Right. And so can you give us a sense of what are the numbers that we’re talking about here, and like if it was even possible, how long would it be? If you even have an idea, or is it just we don’t even know.
Stepan Snigirev: Yeah. So right now the current kind of modern labs operate with Quantum computers that have around 100 qubits and can make around 1,000-10,000 gates. A gate is basically an operation on the qubits, similar to CNOT on normal bits. This is where we are and we need to go to tens of thousands of qubits and millions of gates, and we also need to reduce noise a lot, such that while we are operating this Quantum computer, this very complicated and entangled state is not destroyed.
Stepan Snigirev: I would say that even if we consider Moore’s Law, which doesn’t work in the semiconductor industry anymore, and we assume that the number of qubits will increase every couple of years, then still we have at least a decade, I would say more, realistically three, four decades before the Quantum computer will be built that can break classical cryptography. Because, well, there are breakthroughs that are happening every five years or so, but still the field is very, very in the early stages.
Stepan Snigirev: Plus another thing, we will actually see how Quantum computers arise because there will be other applications that do not require this crazy amount of qubits. So we will see already a boost in artificial intelligence from Google and maybe some advances in the superconducting field and material sciences and so on. So we will see that Quantum computers arise and become useful way earlier than they will be able to break classical computers.
Stephan Livera: Right. So you’re saying in some sense we’ll have warning signs? There will be a canary in the coalmine-
Stepan Snigirev: Yes.
Stephan Livera: … before the Bitcoin people would have to be worried at all, because there’ll be other things that break first?
Stepan Snigirev: Well, not like break first. But actually there will be other things where Quantum computers can be very useful for society, so we will see these developments and then we should at this point probably start worrying. But I still think that post-Quantum cryptography needs to be developed because developing new cryptography is also very challenging. And this probably what we should also talk about, like post-Quantum crypto is showing a lot of progress recently. But the problem is that still it is not ready for in production use, it’s still more like a research. And if you try to use post-Quantum crypto now then you will probably be much more vulnerable to normal classical attackers.
Stephan Livera: Right. And so the problem, I guess the challenge that you’re seeing there is that if somebody wants to make a Quantum resistant crypto coin and so on, the challenge then is that that coin may not be resistant against normal classical computer computation.
Stepan Snigirev: Yes, yes, exactly. There was a competition, I think by NIST, they tried to … well, they called for post-Quantum algorithms and I think that like 95-99% of them were broken with normal classical computers, just because developing new cryptography is extremely hard. And yeah, we should work in this direction, but we should not put real money on Quantum altcoins.
Stephan Livera: Because that’s the thing as well, right? There’s a few people who try to drum up some fear, right? Because drumming up fear is a good way to sell things, obviously, and then they come out and they say, “Oh, Bitcoin’s going to fail because of this Quantum problem and now here is my Quantum shitcoin.”
Stepan Snigirev: Yeah, and I think that it’s better to, if you want to put money in post-Quantum crypto, better to support some real academic research. And with these altcoins, I wouldn’t consider them seriously unless they have an algorithm that is not broken for at least, I don’t know, five, 10 years. And that also has efficient algorithms on classical computers, such that it is not vulnerable to side channels and all other attacks. Because even if you have a very good theoretical algorithm, implementation is extremely hard.
Stepan Snigirev: I mean do we need then, if you want to use a post-Quantum altcoin, do we need to put our private keys on the computer then? Because probably hardware wallets, for example, are not capable for any of that because it’s way too complicated. Plus all the side channels and other kind of attacks that are pretty common even for existing classical cryptographic algorithms. Do they take this into account? I doubt that, so I wouldn’t put money on post-Quantum altcoins.
Stephan Livera: Right. And another thing I was keen to ask you about around this whole idea of Quantum is, if there were to be these Quantum computers out there … And I think part of this is you were touching on this earlier is that we would know from other things, there would be breakthroughs in other advances of science. But hypothetically if somebody had this sort of computer and they were able to figure out your private key from your public key, we would have to change our whole model, right? Because in the past people have spoken about this idea of, “Oh, if you don’t …” What’s the word? “If you don’t kind of send your public key out then that’s a way to kind of help protect.” As though that would be a protection against Quantum computers, or at least some level of protection.
Stepan Snigirev: Yeah, so a few things here. First, we have in the address, not just our public key, but the hash of the public key and people think that it is a good protection or some kind of protection against Quantum computers. But the problem is that when you need to broadcast a transaction you put the signature and the public key, so you are telling to the whole world what is your public key, and if there is a Quantum computer that is efficient enough then this would be enough to calculate your private key and maybe replace the transaction with a larger fee or do some double spending. Especially if it is a miner. And if there is a Quantum computer doing this they are probably the miners, because-
Stephan Livera: They would have the incentive.
Stepan Snigirev: … yeah, you have additional mining power. So what they can do, they can see your transaction with the public key, you tell it to the miner, they calculate the private key and spend all the money to them instead of what you wanted. And they take all the money, they mine the block and yeah, so the whole blockchain will be screwed and this hashing part doesn’t help. And I think this is the reason why in Schnorr signatures we are not getting this pay to pub key hash, we are paying to the public key. Because this kind of protection against Quantum computer doesn’t really work, but it messes up a few applications. For example, there’s, well, the Taproot and combining with additional scripts. So it becomes hard with hashing and so we would better just use a public key and it’s fine.
Stephan Livera: Right. And I suppose, just to maybe replay some of that just to make sure some of the listeners can follow along what you’re saying. The theoretical attack in this, if say somebody’s got a Quantum computer, and let’s say Stepan, you put out a … you want to pay somebody with a Bitcoin transaction, they would read that transaction and they would see it as you broadcast the transaction, but before it’s been confirmed into a block they would then use the Quantum computer, so to speak, and try to reverse out the private key and craft their own transaction spending, say, those bitcoins to their own wallet. And if they’re a miner then they can obviously have … give their own transaction preference to come into a block, or they could alternatively give a really high mining fee, more than what you gave, to try and help their transaction be the one that gets mined into the block.
Stepan Snigirev: Yes, yes, exactly.
Stephan Livera: And then therefore kind of that’s the theoretical attack, but obviously as you’ve outlined there’s many reasons why that’s not a very realistic thing to think of as any kind of fear right now. And then the other point I think you were touching was around essentially there are different UTXO types and in the old days, in the first few Bitcoin transactions, I think they really were pay to public hash and then at the time-
Stepan Snigirev: Without the hash, yeah, so just pay to public key.
Stephan Livera: Yeah, sorry, yeah.
Stepan Snigirev: There were, I think, some of the Satoshi’s Bitcoins are on the address that are just pay to public key.
Stephan Livera: Yes, exactly. And then what happened is over time we had different UTXO types, so we had pay to script hash and we’ve got pay to public key hash, which is the one you mentioned there, and then some of the SegWit ones which were, I think, it’s pay to witness public key.
Stepan Snigirev: Pay to witness public hash, yeah.
Stephan Livera: Yeah. Right. And so then essentially what we’re getting at there is that moving to this new Schnorr proposal it’s sort of going to be going back to the kind of pay to public key model?
Stepan Snigirev: Yeah, but it will be pay to, not just to public key, but kind of smart public key, right? That also includes any kind of multi signature policies there and also discrete. So it is a pretty powerful update, I would say.
Stephan Livera: Yeah, in terms of the new functionality that’s going to be enabled. All right, I think that they’re most of the key things around the Quantum computer aspect. But I’m also interested to talk with you about what you’re working on with hardware wallets and Crypto Advance.
Stephan Livera: Look, I think let’s set some of the context a little bit and talk about some of the challenges that, as we record this today in June 2019, what are some of the issues that hardware wallets today are facing?
Stepan Snigirev: There are a few things. I think that, well, hardware wallets are great and some of them are amazing. One shout-out to the Trezor guys, I really like them and they’re doing a lot. Coldcard, also very nice, and Ledger have very good hardware. But as this field was developed, well, all these projects started in a way that, “Okay, we just want to keep our private keys safe and we don’t care about any complicated scripts. We just want our simple pay to pub key hash functionality.” And so it kind of stayed this way for years and now the maximum that we can get from hardware wallets is normally paying into normal addresses using either normal scripts like pay to pub key hash, or at maximum multi signature. Nothing else.
Stepan Snigirev: But in reality the scripting language is pretty powerful and now we have new applications that are used very often. For example, the coin joining transactions become pretty important because no one wants to expose how much money they actually own. Lightning Network is really rising and becoming more powerful and like … All the layer two solutions, basically. And they rely not on a simple script, but on some complicated approaches. In case of coinjoin you don’t have just your own inputs in the transaction, you also have a bunch of external inputs from other parties. On Lightning you also have all these timelocks and-
Stephan Livera: CSV, so on.
Stepan Snigirev: CSV, HTLCs and other things. And also what is very controversial for hardware wallets and unusual for hardware wallets, in Lightning you actually need to give out the secrets to the other party whenever you update the channel state. So it’s like what from the hardware wallet perspective looks terrible. You are actually sending the private key out of there.
Stephan Livera: Yeah. So sorry, let’s just break it down a little bit, just for the listeners who are not as knowledgeable. Bitcoin, think of it like when you have a piece of a Bitcoin, a UTXO, an unspent transaction output, there are certain encumbrances placed upon that UTXO and the way that you may spend that UTXO is by satisfying the script, the locking script. And so what you’re getting at Stepan is that there are more advanced versions or advanced technologies that we’re coming out with now that allow things like different trees of spending. So an example might be you can either do a two of three multi signature spend, or … but that results in some kind of time delayed Bitcoin transaction, or you can have maybe a three of three and it’s automatically available now. So some of these more advanced scripting options, and I guess what you’re getting at there is that our … the hardware wallets that are commonly available right now don’t necessarily help the user do some of these more advanced functions?
Stepan Snigirev: Yes. So unfortunately at the moment if you use a hardware wallet you have to stick with the security model that the manufacturers and designers of the hardware wallet decided is good. And you know the Bitcoin community worries a lot, so some people are extremely paranoid and go really crazy with their private key management systems and others are kind of more like normies and they are fine with having a simple hardware wallet, or even maybe storing the private key on their phone.
Stepan Snigirev: The problem is on the cypherpunk paranoid range of people. And actually these are the people that are also HODLers, and HODLers of maybe large amounts, like maybe they are early adopters and they have the amount and they become extraordinarily scared of storing it on just a hardware wallet. So they want something else and they need to build it by themselves, because there are no tools available for doing it easily. Yeah.
Stepan Snigirev: And that is basically what we are trying to solve. We don’t want to kind of force people to use a particular security model. We want them to make it according to their security. For example, provide a convenient toolbox that would allow people that are not super sophisticated in development to still develop something nice for themselves. Also to make the applets or apps for our hardware wallet to enable certain features. For example, we don’t think that we can support all types of applications that will go there in Bitcoin. We are planning to support Coinjoin, Lightning, but maybe there will be something else new, for example, Statechains that recently appeared and other things. And it would be nice to allow developers of these technologies to extend the functionality of their hardware to support that.
Stepan Snigirev: Yeah, so that’s why we decided to kind of name the project not a hardware wallet, but more like a hardware platform.
Stephan Livera: Right, okay. And I think let’s talk a little bit, I want to hit some of those common functions or pieces that go into making a good hardware wallet. So right now a lot of people talk about the secure element, right? And then there have been many attacks against hardware wallets and people talk about, “Okay, but have a passphrase.” And so on. Can you just outline some of the, maybe some of the attacks that we’ve seen? The successful attacks against hardware wallets over the last year or so?
Stepan Snigirev: Yeah, sure. And so I think that recently when I did this Recharge, I counted like 16 hacks over half a year. Not the hacks in the wild, but more like the vulnerabilities that were reported and it’s pretty crazy. It basically shows that even if you have awesome hardware, even if you have awesome software probably there is still a way to hack your hardware wallet, so nothing is perfectly secure.
Stepan Snigirev: And you just need to keep it in mind and actually be aware of the ways how exactly it can be hacked. There are currently like two approaches. What Trezor does, for example, they are completely open source and they are extremely good at developing the firmware and actually the protocol. But because of these ideological reasons, as they want to stay open source all the way, they have to work with normal application microcontrollers. And it is a bit problematic because these microcontrollers were not designed for security, they are designed to be put in the, I don’t know, microwave or maybe your car or in, well, that kind of devices, but not in the security things. And because of that it is pretty vulnerable to hardware attacks. Basically this means that if you have your Trezor in the hands of the attacker then probably there is a way to hack it, even though we may not know the way right now.
Stepan Snigirev: And that is why they introduced the passwords and I think it is a very good mechanism for application microcontrollers. You don’t store your full mnemonic there, you have kind of your mnemonic plus you have a password that you enter every time when you need to access the device.
Stephan Livera: Yeah, so let me just explain that just for the listeners as well. Typically on the Trezor, you might, when you set that up, you might have a 24 word seed and you may also have a PIN on the Trezor. But then in addition to that there’s another, if you go in the advanced section, there’s a passphrase section and that, think of that like the 25th word, if you will. And so while the automatically generated 24 word seed comes from a set dictionary, the 25th word or the passphrase that you write is just your own choice. And now my understanding from some of these wallet attacks is that typically one of the responses is, “Well, you should use a passphrase.” And now there are various … there’s potentially some problems with that as well, because the problem then is the user now has to remember a very long passphrase to kind of make the security equivalent, and they just can’t do that.
Stepan Snigirev: Yeah, then it might be easier to remember 12 or 24 word seeds and then every time when you need to make that transaction you just initialize your device and then after a transaction you just wipe it. This is a thing that some people actually do.
Stepan Snigirev: While the passphrase is okay, because there, well, you can choose whatever you want. The problem is that users normally pick weak passwords. The statistics, random statistics, shows that the entropy of the passwords is about 11 bits only, so it is still crackable with dictionary-
Stephan Livera: Attacks.
Stepan Snigirev: … attacks and maybe even brute force if the password is not long enough. For me, for example, I just remember the whole seed and I also don’t use existing hardware wallets though, so I am kind of not a normal person in that sense.
Stephan Livera: Right.
Stepan Snigirev: Yeah, so with these microcontrollers that are based on application, sorry, hardware wallets that are based on application microcontrollers, a passphrase actually makes a lot of sense.
Stepan Snigirev: Then we have hardware wallets like Ledger that have a secure element, and basically these secure elements are the industry standard for security chips, so they’re extremely good. They’re very well designed, they have a lot of countermeasures against all these hardware attacks. And in that sense you don’t really need a password for Ledger, for example. So just having a PIN is enough because if you actually enter the wrong PIN three times or, I don’t know how many times, then it just wipes the device, right?
Stephan Livera: Yeah.
Stepan Snigirev: So the problem though is that even if your hardware is very good and perfectly secure against hardware attacks, if your protocol sucks then you have problems. If you introduce the bugs on the software then it can be problematic and this is what we saw on the attacks on Ledger. There was one with this not verifying the change address recently and then there are hacks that Ledger thinks is not a hack with the [inaudible 00:30:07] thing, the taking control of the firmware that is running on the microcontroller that drives the display.
Stepan Snigirev: There are still ways to hack even the unhackable hardware, just using software or using maybe even remote attacks. Just don’t think that if you’re using Ledger or Trezor or something else you are perfectly secure. You still need to consider how to make it better. For example, maybe using multi signature is a good idea because it is much harder to hack multiple devices than find a hack for one of them.
Stephan Livera: Right. And this where, say, companies like Casa or Unchained where they’re offering this kind of thing, or you can do like a roll your own solution as well and typically a good piece of advice that you might hear from some Bitcoiners on this is that you might … you want to have multiple locations and you might want to try and vary your use of the different devices. Maybe you would use one Trezor and one Ledger and something else in your, one Coldcard, in your mix of multi signature to try and give yourself a bit more of a chance.
Stepan Snigirev: Yeah. So ideally you want to combine products from different vendors, because they have different teams and different bugs hopefully, that will be probably not discovered, not at the same times. So if you keep them up to date and if you use the products from different vendors then you are fine.
Stepan Snigirev: There are still questions about the support of multi signature, for example, Coldcard is releasing support of multi signature pretty soon and that’s great. Then we will have something to pair with Trezor. Trezor supports multi signature very nicely from the very beginning and the user flow is wonderful. Ledger kind of supports multi signature, it has some problems, but kind of okay-ish.
Stepan Snigirev: But it would be nice to see more hardware wallets that support multi signature as well. And hopefully we will be one of them.
Stephan Livera: Yeah, excellent. I think one other thing is that, depending on the manufacturer of that wallet, they may have different level … a different level of time and focus on Bitcoin. For example, Trezor and Ledger, I know that they have had to spend engineering time on other coins and I think there’s a bit of a tension there because the Bitcoiners, the kind of hardcore Bitcoiners, they just want a Bitcoin only firmware. And I know, to my knowledge, I think the Trezor team are working on a Bitcoin only version as well.
Stepan Snigirev: Yeah, they’re considering it seriously. By talking to Trezor I found out that basically they are very much Bitcoiners, so they don’t care about altcoins. They added support for altcoins when there were hard times and it was profitable, and now it’s just very hard to drop them because, well, people will be mad at them, right? But I think that actually having a Bitcoin only option of the firmware is a pretty good choice.
Stepan Snigirev: They are also working a lot on different additions to the security and to the protocol. For example, they are adding the SD card, so hopefully they will also have a complete airgapped mode. Plus they are using this SD card for other reasons like adding some extra entropy or breaking up. They’re also working on Shamir’s secret sharing scheme for your seed that is also great, because right now actually the weakest point in the security of the hardware wallet is your paper backup. Because where do you store it? And it is like in the plain text, either it is crypto steel or whatever, so it is just plain text and in one place. So this is the weakest point, and if we could have a Shamir’s secret sharing support that would help a lot because then you set two of three or five or whatever and then spread it across your trusted friends and family.
Stephan Livera: Right. Now, I recall, I think this was Andrew Poelstra on Marty Bent’s recent podcast, as talking about how maybe there’s a certain way to apply this and do this. But my understanding from what he was saying is that it’s actually not very … people should be careful about using Shamir’s because it might be more easily broken compared to using multi signature, because, say, it’s two or three pieces of one signature, is there a big difference there from the security point of view for the user? Like multi signature versus Shamir’s, basically.
Stepan Snigirev: Well, so as far as I understand the difference is that in Shamir you have a single key that you split and then whenever you need to sign with a normal ECDSA that we have right now, before Schnorr, right? You need to recombine it every time, so basically for every transaction you still have a single point where your full key exists and this is the problem. With Schnorr it will be easier, because there you can split the key into multiple pieces and then you can combine pieces, kind of parts of the signature into a single one. So still this means that during the splitting at the first moment, at the set up phase, you will have a full key somewhere, but, well, yeah there are obviously trade offs. But on the other hand if you have a multi signature, then you also need to back up multiple keys, right? There are always trade offs, you just need to see what fits better to your security model.
Stephan Livera: Right, yeah, sure. Okay, look, so let’s talk a little bit about your product. I know you’ve got a few different ideas that you’re working on, do you want to just go into that?
Stepan Snigirev: Yeah. What eventually we want at the end that will take some time, but still is to make a convenient consumer hardware wallet. Like for normal people maybe using the security model that we believe is fine, but it is easy to use. You just buy the device and use it as normal. Plus you have some extra functionality like coin joining, Lightning Network, complete air gap with QR code scanner, so like in that … Basically everything that we can do to make the user experience easier and still support modern Bitcoin development.
Stepan Snigirev: Also we want to allow people to write their MicroPython scripts for one of our microcontrollers in the hardware. So basically you will be able to put the apps from external developers there, but without really compromising security. What these apps can do, they can provide additional metadata to the transaction. For example, let’s say you want to do the coinjoin and by default the hardware wallet will show you just the full transaction that, “Okay, there are these 50 inputs 50 outputs. I don’t know how much you are spending, just looks like a mess.” So what this app can do, it can highlight a certain input and output and, “Okay, these are your inputs and these are your outputs and this is what you are actually spending there.” So just to make the user experience a little bit easier, without accessing secrets really.
Stephan Livera: Right. And as I understand it, it’ll have like a touchscreen.
Stepan Snigirev: Yeah, yeah, yeah. I think the problem right now is that the screens are too tiny on the hardware wallets, so what we have, we have a screen from, well, basically similar to what iPhone four has, I think it is exactly the model that they had. It’s enough to display your master public key, to display the signed transaction for the air gap mode. It also has a camera to scan unsigned transaction or anything else. And you can fit a lot of data there and, well, you can actually have the experience that people normally have with the smartphones, right? So you just scroll, navigate and do things like that. This is from the user experience perspective.
Stepan Snigirev: Another thing that we are doing before we release this product is actually we will release the developer board and the secure element. That’s our hope for the autumn, that we can give the developers the ability to make their own hardware, not only wallets, but any kind of Bitcoin powered devices. We are releasing the developer board and the secure element from Infineon and with our applet that allows you to do all the Bitcoin related stuff, like key derivations, signing transactions with ECDSA, with Schnorr, hopefully Shamir secret sharing will be there and … Well, no, Shamir secret sharing you don’t really need to put there. We’ll see.
Stepan Snigirev: We are defining the API right now but hopefully it will be a tool that you can just put into your developer board or your device and start using it and that would provide all the convenient stuff that Bitcoiners, Bitcoin developers actually need. Because you know there is a smart card from Infineon that is … that they try to market as a blockchain starter kit or something, but it is completely useless. I mean they don’t have the key derivation scheme there, so you can use only one key or maybe 500 different keys. You don’t have some advanced signing features, well, you don’t have many things that you really need. We hope that we can make something useful for developers here and also it will help to build an enterprise solution that we are also targeting. So like companies that need to store their private keys in a very unique way and integrate the hardware to their security kind of mechanisms.
Stephan Livera: Great. So essentially you’ll have an individual hardware wallet and some enterprise hardware wallet solutions that you’re going to look at.
Stepan Snigirev: And also developer toolbox for tinkerers.
Stephan Livera: Yeah. And let’s talk a little bit about the air gapped idea that you are using, because it’s a slightly different model to, say, the Coldcard air gapped model. Can you just outline a little bit of how that would work with your proposal?
Stepan Snigirev: I think that there are actually some hardware wallets that use something similar, so we are not the first ones who are suggesting it. But the idea is very simple, you have your hardware wallet completely disconnected from the computer and you never connect it. You have your watch-only software wallet on your computer or your phone, whenever you need to make a transaction you just prepare the transaction, display the PSBT as a QR code that you scan with the hardware wallet, hardware wallet displays then all the information for you to verify and to confirm. And you scan back the signed transaction that you can broadcast. So basically it just works as a flip-flip and you’re done.
Stephan Livera: Yeah.
Stepan Snigirev: So you don’t need to enter the SD card into the slot and then find a laptop that supports SD card, so I think it is already pretty challenging at the moment.
Stephan Livera: Right, yeah. Let’s break that down actually, I think that’s probably a little bit complicated, so just for some of the listeners who might not be familiar with some of those terms. Let’s just say the private key lives on the hardware wallet.
Stepan Snigirev: Yes.
Stephan Livera: But the challenge is you do not want that private key to get exposed onto an internet connected computer, and so one way that you’re proposing to do that is to, say, have a watching only wallet, let’s say on your phone, for example, and that’s like, for example, where you put an xPub onto that phone. So the phone can know the balance but not spend, right?
Stepan Snigirev: Yeah. So it watches the blockchain, it sees the incoming transaction, it can prepare the information for the hardware wallet to sign stuff. It can say that, “Okay, these are the addresses, these are the amounts, this is how to derive the key that you know but I have no idea-
Stephan Livera: What the private key is.
Stepan Snigirev: … what the private key is.” Yeah. This is some information that you may find useful to sign stuff and also to display to the users, like what is the change address? Why is it a change address? So then the hardware wallet itself can use only this data without knowing anything about the blockchain to actually display everything properly and sign.
Stephan Livera: Right. And so what you’re getting at there is that the, let’s say, my phone that has the watching only wallet and it’s got the xPub in there and it’s watching the balances and I can use that to craft an unsigned transaction, and then what it can do is create a QR code that essentially contains that information, saying, “Ah, Stephan, do you want to sign this transaction? And it’s going to pay to this address-
Stepan Snigirev: This amount.
Stephan Livera: … showing you this amount.” And essentially then the hardware wallet has the camera which I would then kind of hold over my phone to read, to scan in that QR code and ingest that transaction through like a barcode scanner or a QR code scanner. And then on the hardware wallet, because it’s got like a proper screen, now it’s got a bit of a … It can show you, “Okay, do you want to pay x, y and z number of Bitcoins to this address?” And it can kind of show you that and then what you would do from the hardware wallet is hit, “Yes, sign that transaction. I want to do it.” And that will use the private key to sign that transaction and then again you’ve got to transfer it back to the phone to broadcast that. So can you outline that as well?
Stepan Snigirev: Yeah, yeah. And having our screen actually matters here because you can actually display the QR code with a signed transaction after it. So after you signed, you just show as a QR code as a full transaction that you can scan with your phone and then broadcast. Yeah.
Stephan Livera: Fantastic. So yeah, that’s a very different model and I think that could also be another way that people can help keep themselves a little bit more secure. Yeah, so I think the other, another big one is Lightning. I think most people would think, “Hang on, you can’t do Lightning hardware wallet. Like don’t you need to sign for whenever somebody’s routing through your channel, how would it work?” So can you outline a little bit there?
Stepan Snigirev: Well, first people will probably think that, “Why do you need a hardware wallet for Lightning anyways? Because they are small amounts, so I have … I’m fine having 100 euros or dollars on my phone, on the basically maybe not so secure computer, because it’s not a big deal even if I lose it.” But it is only like one side of the ecosystem, right? Because we also have people that are liquidity providers to the network that basically route all these payments and also we have merchants that are accepting the payments. And, for example, there are channels between, I think, between a Bitrefill and Acinq, of one Bitcoin or even more. And this already matters, I definitely don’t want to store even one Bitcoin on the online server that has a public IP address. And I’m, for example, not capable of maintaining the infrastructure security enough on the servers.
Stepan Snigirev: So yeah, to do the Lightning hardware wallet it is a little bit tricky because you need to be connected to the online computer. Our approach is that you have a, let’s say, a watch only Lightning node in the cloud or on your computer that can do all the heavy stuff like the networking, gossiping, getting the routing information and all other stuff that is not touching the secrets. And then all the secrets live on the hardware wallet, but here the trade off is you do need to keep the hardware wallet connected to the computer, because every time when you are routing the payment on the network you need to send this pair of transaction to the hardware wallet. Hardware wallet needs to provide that it is actually the amount of money of the user increases so we are earning some fees here or at least stays the same, and then it can automatically sign.
Stepan Snigirev: So this is another thing that we talked about before, like automated functionality of the hardware wallets. It becomes more than just a press to confirm thing, it has to be more like moving into the direction of banking HSMs and commercial HSMs, so smarter things. So yeah, that’s what we are also working on, two edge cases. Either you are completely air gapped and never connect the computer to the hardware wallet, or you can kind of have a warm hardware wallet that still has a bidirectional communication with a computer. But still the security, the attack surface, is very small in this case because the hardware wallet runs a very small amount of code and secure hardware.
Stephan Livera: Right. And so you see it like the business might have multiple different wallets, obviously, I mean that’s how most Bitcoin businesses today operate, right? They’ve got a kind of deep cold storage and they might have somewhat cold storage and then like the hot wallet. And so what you’re envisioning there is that maybe that hot wallet would be this Lightning hardware wallet?
Stepan Snigirev: Yeah, yeah. You’ll have a normal computer that runs all the kind of watch only functionality and then next to it in the same server rack you have this hardware wallet that works as a hardware security model to sign the transaction automatically, do all the stuff. And in this case for enterprises, for example, you don’t even need a screen actually. Well, you need to set it up according to certain policies and then you just plug it in and it just works.
Stephan Livera: Yeah, so there’s a lot to come for that, because a lot of these ideas are things where, for example, if you want to coin join, you pretty much … you’ve got to use Wasabi, Samourai or Join Market, there’s not really kind of other options, right? And then it’s kind of like if you want to do coinjoins, well, now you can’t do Lightning because it’s like none of the Lightning wallets have coin join, none of the coinjoin wallets have Lightning. It’s kind of-
Stepan Snigirev: Well, at the moment you can’t even do it because coinjoin wants all the inputs and outputs to be the same and Lightning uses the two of two multi signature scheme, so it’s not like a normal output. So you will be easily visible in the coinjoin transaction. But you can hopefully, in principle, you can do something like coinjoin for Lightning channels, where all the participants are actually opening the Lightning channels and then they again look the same.
Stepan Snigirev: But yeah, the problem right now is that we are in a pretty early stage of development of these things, both Lightning and coinjoin and it’s more like proof of concept. We have software that works, but we don’t have like a common API and, for example, for the coinjoin I can’t just write a software wallet to connect to a Wasabi coin join server because, well, I don’t know where to find the documentation. As far as I know it is not very well documented at the moment.
Stepan Snigirev: I think that it would be nice to develop a certain standard on this and to split all the pieces to different parts. We already have a pretty good isolation of the hardware wallets, we have this HWI interface from Bitcoin Core that allows you to talk only to this module and then it translates to all the hardware wallets. Would be nice to have the same for software wallets and for the servers, such that I could connect to any coinjoin server for example and register my transaction there.
Stephan Livera: Yeah, so I think some of this is like, even with PSBT, right? So PSBT is more of a recent thing, in the past there were individual companies or software solutions who did something similar, but now it’s kind of trying to find a way that people can standardize and then multiple coinjoin type wallets might kind of share their coinjoining liquidity, if that makes sense. Because otherwise right now Wasabi’s got their own pools, Samourai has their own pool. Obviously they’re running in different ways, but potentially in the future there is a possibility there that if there’s a standard for this kind of thing, then you could be using different wallets, but still be part of the same coinjoin pool, if that makes sense.
Stepan Snigirev: Yeah, I think that would be great. Yeah, there are problems with humans as usual. There is always some policy, politics and kind of personal relationships between developers of different wallets that may kind of limit this communication and development of common API. But I definitely want to live in the world where everything, well, all different software, well, not all but many different software, hardware and servers work together in a common way. So that would be awesome.
Stephan Livera: Right. And I think you also, you were also just touching on a couple really interesting ideas before about if we were to start doing things like, okay, an example would be, you’re doing a transaction and then the change could be opening a Lightning channel, things like that. Because obviously over time, if we’re all bullish on Bitcoin and we think more people are going to use it, the blockchain is going to get more and more used and we need to be very efficient in our use. And so I think you had few interesting ideas, do you want to touch on some of those? On what could be done in the future around more efficient use?
Stepan Snigirev: Well, yeah, so the first future improvement, as I say, that I am very excited about is Schnorr signatures, right? When everything will look the same on the blockchain, everything looks like a spend into a single public key. That is already very, very nice for privacy and the use of the space of the blockchain as well.
Stepan Snigirev: Then regarding existing scripts, yeah, what I don’t like currently at Lightning that you, in most of the wallets, you have like a separate balance. This is your on chain balance, this is your off chain balance and, yeah, you can only do Lightning up to this limit, you have to manage all these channels and stuff. It would be nice to actually use the space efficiency, so when I am spending the money to you, why do I need to have a change that is just returning me the money?
Stepan Snigirev: Maybe I want to do something else with that, either I can put the whole transaction in the coinjoin transaction, or I can even use this output to open the Lightning channel. And then what I can have, I can have all my money in Lightning channels and whenever I need to send the money to you on chain, because, I don’t know, you use Coinbase and you don’t support Lightning, I can just talk to my nodes, to my peers that I am connected to and say, “Okay, guys, I need to send some money there, and I will pay the fees. So let’s just close the channel and reopen it with a slightly smaller balance.” So yeah, I am sending you the money and I still maintain the channels and maybe I also rebalance it or make it a little bit more efficient. So that would be really cool.
Stepan Snigirev: But I think that we still need some time to develop all these tools. Right now even the Lightning specification is still being developed and we are fixing a few things like how to make all these channels more efficient, how to pay without invoices or something else. But the future will be really, really, really nice.
Stephan Livera: Exactly. Look, let’s talk a little bit about your vision with Crypto Advance. Tell us a little bit about what some typical uses will be and what you think it might look like and maybe give us a view for the individual and a view for enterprise customers.
Stepan Snigirev: You mean the vision of the product or of the future of the company or what [crosstalk 00:54:50]
Stephan Livera: I mean like for the product as used by those people. So for an example, if you’re a home user and you might have the node at home, but it’s also coinjoining for you or Lightning at home, but you can control it with a remote control. That sort of thing.
Stepan Snigirev: Ah, okay. So like the different use cases for different people?
Stephan Livera: Yeah.
Stepan Snigirev: Well, for HODLers, this is the easiest one. For people like myself, I would use one hardware wallet in a completely air gapped mode that is probably also using the multi signature with some other vendors where I store most of my life savings. Then I take some, I don’t know, 10% of that and put it into this warm hardware wallet that is connected to my node that is hosted somewhere in the cloud and I earn a little bit of fees on the Lightning network routing. Or maybe if there are businesses then, yeah, it stores the private key and allows you to accept Lightning payments as well. Because I think that everything will be done over the Lightning network in the nearest future.
Stepan Snigirev: But right now also I could normal on chain transactions with … like large transactions also make sense to put on chain. Yeah, so the cold storage plus the warm storage, this is for me.
Stepan Snigirev: Then for more like normal people that are just entering the field, what I would probably like to have in that is what we are also working on that, okay, at least the custodian wallets that provide all the service and that maintain the infrastructure for the channels and everything. They have to run secure hardware, so basically they can have the HSM or hardware wallet on their servers and the user can just register on his normal app and, yeah, store some bitcoins in there. Because this really helps to onboard people, they don’t want to buy a bunch of hardware or learn about the private keys, at least at first. So as soon as they get deeper in the field they will start to educate themselves and then probably they will buy their own hardware wallet and so on. That is another thing.
Stepan Snigirev: Then enterprises, enterprises are completely different and I feel really bad that many enterprises and companies are currently using like normal, existing hardware wallets that are just lying somewhere in the safe. And this means that there is a person who knows the PIN code for this device, that basically controls all the money. Our hope is actually to develop a thing that can be integrated into their existing security model. For example, some companies use these smart cards to authenticate the users and they have different departments and user groups on these policies.
Stepan Snigirev: Why don’t we use the same structure to authorize Bitcoin transactions? Basically you can have a hardware wallet that stores the private keys, but in order to spend you don’t enter the PIN code, but instead you provide authentication from different people. For example, some accountant confirms the transaction pressing his Yubikey button and another, some security guard, also comes and enters some security PIN in there. So then you kind of have-
Stephan Livera: Controls.
Stepan Snigirev: … multiple, yeah-
Stephan Livera: Internal controls for the company, yeah.
Stepan Snigirev: … internal controls and you define who can do what. Yeah, so that’s the hope for the enterprise solution. Yeah, they all have very different security models and that’s why we are developing all this toolbox, because the same works for developers. Developers want something custom, like tinkerers, makers, but also like developers of the protocol as well and they too want to play with new stuff, so it perfectly works for both enterprises and developers. Yeah.
Stepan Snigirev: Hopefully if we are profitable in the future, we will also be able to make an open source secure element, like really open source. So like manufacturer also has. Unfortunately it takes a lot of money, but it’s my hope that we can take the open source RISC-V core, for example. And what the problem with this RISC-V at the moment is that even though the core is open source, all the companies that manufacture these chips, they put a bunch of peripherals on top that is proprietary. So in total you have a chip that is half open, half closed. We would like to have a really like security focused chip, completely open source, ideally a verifiable, or even if it requires rapid movement. But it’s like further in the future. Yeah.
Stepan Snigirev: I think that with Bitcoin and with all this community we can actually change the status of the industry, status of the security industry that is discrete and kind of obfuscated by design. So yeah, we can make a difference, that would be awesome.
Stephan Livera: Fantastic. So look, who are you looking to hear from and what’s the next steps? How can they get involved with the developer boards and so on?
Stepan Snigirev: We are hopefully releasing the developer boards, toolbox and the secure element in autumn. October maybe, something like this. It will be pretty minimal and it will be also pretty expensive, because you know well, volumes cost money. But we would really like to have developers and community to start playing with this stuff and provide us with the feedback so that we can make it better and more convenient.
Stepan Snigirev: Then what else? If someone has interesting ideas, yeah, everyone should write me. Just write me. I am so happy to discuss all this stuff, over Twitter, Telegram, whatever. Regarding investors that are maybe interested in our company, also makes sense to talk a bit, but like if you really see the … our goal and share our ideas, because, well, not random invest and then quit. But more like from the community people.
Stephan Livera: Right.
Stepan Snigirev: What else? On this part I would have better Moritz here, but too bad he’s not here.
Stephan Livera: That’s fine, we can put the details in the show notes, so that’s fine. Listeners can find you and Moritz from there. Anything else you wanted to add or that’s pretty much it? I think that’s pretty much the key points.
Stepan Snigirev: I think that’s more or less it.
Stephan Livera: Yeah, all right. Well look, thanks very much. I think that was really educational. I think the listeners will get a lot out of that, so yeah, thanks very much for joining me.
Stepan Snigirev: Thanks very much for having me. I was really happy to chat about all this thing. Yeah.
Stephan Livera: I hope you guys enjoyed that chat with Stepan of Crypto Advance. Make sure you go chat with him and check out what Crypto Advance are doing. Also, just a quick shout out for one of my longtime listeners, Andrew De Marc-Angelo. He’s running Bloom Audio Store, which has really high quality audio gear. Andrew sent me a pro level pair of headphones, the Audio Technica ATH-N70X and they are truly a joy to use when I’m doing the editing for this podcast or just listening to music with a very balanced audio response. The sound quality is just on another level, so make sure you check out his store at BloomAudio.com. And obviously he takes Bitcoin for payment too.
Stephan Livera: If you want to support my podcast, make sure you rate and review the podcast on iTunes, five star reviews are very much appreciated. You can see the show notes on StephanLivera.com and subscribe there as well. Share the podcast out with your friends. If you want to advertise, contact me, stephanlivera@PM.me.
Stephan Livera: Otherwise, that’s it from me. Thanks guys, see you next time.