Ask HN: How do you use Bitcoin in a trustless way?
The following is what I got so far. I never used Bitcoin. So correct me, if something is wrong please.
1: Create a seed phrase with dices
2: Write it down on paper or carve it into metal
3: Buy a hardware wallet with no internet connectivity.
4: Never connect that wallet to any other device.
5: Type the seed phrase into the hardware wallet
6: The hardware wallet will display an extended public key
7: Install a software wallet on a computer with internet access
8: Type the extended public key into the software wallet
9: To do transactions: Create a transaction in the software wallet
10: The software wallet will show a hash of the transaction
11: Type that hash into the hardware wallet
12: The hardware wallet will show a signature
13: Type that signature into the software wallet
That's it.
As I understand it, there still is trust involved in steps 3 and steps 6:
3: There is not an easy way to check if the hardware wallet really has no internet connectivity.
6: There is no way to check if the hardware wallet really uses the seed phrase to create the extended public key. It could create an extended public key that the vendor can predict. One could test it a few times with throw-away seed phrases, but one would never be 100% sure.
86 comments
[ 4.5 ms ] story [ 162 ms ] threadOr, for example, what if all your communications and actions are being monitored continuously by state-level actors with cameras and hidden bugs, recording every keystroke? Or what if we are living in a simulation, and the malicious operators can extract data from your brain, or just alter reality at will?
But I think you can provide a "practical" level of trustless. That means that, if your adversary was powerful enough to steal your Bitcoins, then they'd be so powerful that they could destroy you in many other ways. So it's a moot point.
A practical solution to your question could be to take all the precautions you've said above, and then simply gradually increase the amounts you are transacting, using a variety of methods, and see if anything gets stolen.
Call it a bribe or a bug bounty or a tax. It's quite effective, because organizations are comprised of individuals, who are subject to human temptations. At least two federal agents independently stole funds from the Silk Road marketplace while investigating it, and they were imprisoned later
Say an attacker compromised a certain batch of Ledger wallets.
They might very well wait for a few years before they reap coins of the wallets. Because as soon as they do it for the first time, there will be an uproar and people will analyze whats up and transfer their funds to other wallets.
What if they're not the only one who compromised the insecure wallets? If they could do it, then probably someone else also could, and that other hacker could empty all the wallets first.
Meanwhile, users like you will be occasionally moving their Bitcoins around, sometimes to wallets that the attacker cannot access.
If an attacker just wants to make money, they're unlikely to wait for years to exploit an old vulnerability.
In the real world, most security vulnerabilities get exploited quickly, because they are very likely to lose value as time passes. You can find numerous real examples of this attitude, such as weak brain wallet keys which are exploited in seconds, instead of waiting and hoping that more money will accumulate in the address before someone else steals it
And, like I suggested already, a practical best case solution for the paranoid is diversifying your assets and security methods, so you can identify vulnerability sources early and be unlikely to lose everything
Edit : Bottom line though is that you cannot use Bitcoin in totally trustless way, I think. Nothing in security or in real life is totally trustless. So do your best to employ reasonable precautions and mitigations and then get on with your life
Hardware wallets like Ledger instead connect directly to a computer via USB to receive/transmit transactions to sign. They also transmit the extended public key to the wallet software so you don't have to type it manually. You have to trust the hardware wallet vendor to some degree.
Regarding, your comment on number 6, that's an interesting thought that I hadn't considered. Since you are not supposed to enter your seed on a computer, there really isn't any way to verify that the hardware wallet is really using the seed you provided and not some seed that can be predicted by the hardware manufacturer. I guess you could enter it on a hardware wallet from a different vendor, or on an air-gapped computer[0], and see if it matches.
[0] Make sure that the computer is never connected to the Internet again in case there was a key logger running and waiting for Internet connectivity.
I thought there are air gapped hardware wallets?
Without a keyboard, how do you enter your seed phrase?
Connecting the hardware wallet to the computer brings up a bunch of complex security questions.
I had to Google that and they do indeed exist. It seems they use QR codes to send and receive data. It's probably a step up from USB since you can visually inspect how much data is transferred. But then again, the device could theoretically transmit your seed to your computer camera and you might not even notice[0]. Probably a step up from USB in terms of security but at the cost of some convenience.
> Without a keyboard, how do you enter your seed phrase?
They have a very rudimentary virtual keyboard which takes forever to type.
[0] As part of the QR code itself, as a separate QR code that flashes too quickly to be noticed to the naked eye, encoded as slight pixel brightness variations within the QR code itself, etc. It could even exfiltrate the seed one bit at a time which would make it pretty much impossible to detect (but would take ~256 transactions to complete).
There are infinite ways to hide data in them.
For maximum security, the best would probably be to use an airgaped/secured/encrypted general-purpose computer and use a SD card to transmit transaction data. You could even use pre-bitcoin computer hardware if you are super paranoid.
Also, if I recall correctly, there are fully open source hardware wallets like Trezor. In theory, you could review the firmware and flash it yourself. You then just need to trust the hardware isn't backdoored to steal Bitcoin seeds. But that would require some rather large companies like ARM to get in the Bitcoin seed stealing business (and for your computer to be infected by ARM-developed seed stealing malware).
[0] https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...
You sign the hash; but you need the entire transaction to verify it does what you want (send funds to the expected addresses).
You can create the transaction hash on as many untrusted machines as you like. To make sure the hash represents the correct transaction.
Then you can enter only the hash into the hardware wallet.
That solves the problem of how to operate an air gapped hardware wallet!
I think this also does away with the "wallet publishes your seed via nonces" problem? I would hope signing the transaction hash is deterministic?
> I would hope signing the transaction hash is deterministic?
Not really. A signer can generate an arbitrary number of valid signatures for the same message, using the same private key because the signature algorithm requires a secret random number. There are ways to generate the signature deterministically by deriving that secret random number from the private key but AFAIK, the only way to verify this was actually done requires knowing the private key in the first place.
I believe you a malicious signer could iterate through valid signatures until the first n bits correspond to bits it wants to leak.
That's actually an even bigger problem that I hadn't considered before.
https://medium.com/@simonwarta/signature-determinism-for-blo...
That signing the transaction is not deterministic but involves a "random" number is indeed huge.
Now we are back to square one. The hardware wallet can phone home. No way to use Bitcoin in a trustless way.
Gist is you can create a transaction from any device that doesn’t have your private key … send that transaction via a QR code to your cold wallet, then your cold wallet can sign transaction and create a new QR code for the other device to use.
8. You can usually export it more conveniently. 10-13 is overkill. Most wallets have some reasonable way to move txes between hardware wallet and online system (like SD card). They don't really compromise the practical security and are a much better UX.
3. checking if hardware really have no internet connectivity is indeed a thing. You could use Faraday Cage to be certain. Some wallets like ColdCard are translucent so you can inspect the components.
6. It is maximally secure to generate seed phrase manually using dices and paper lookup table. If you enter it into two wallets from two different vendors, you can see if they generate same addresses.
There's one attack you're missing: Hardware wallets could possibly slowly leak your private key by biasing bits in the signatures by grinding nonce. It would take whole lot of txes, but it is theoretically possible.
There's also possibility of someone just analyzing the electromagnetic waves during hw wallet signing txes to extra a key. Very very sophisticated and unlikely, but since we already have the tin foil hat on... just invest in Faraday Cage. :D
For maximum tin foil hat security, use multisig between two or more different devices (and/or parties), signing in different locations.
Edit: Oh. And since you're so into it it's worth mentioning that using seed passphrase is always a good idea!
The "leak via grinding nonce" seems scary. That means signing a transaction is not a deterministic process? The same transaction can be signed in multiple ways?
What's the point of an attack that writes the seed to the SD card that you are holding in your hand and can possibly easily notice that something was written there and attacker has no access to it? Sure, it's theoretically possible but it's such a ineffective approach that it's highly, highly unlikely.
The hardware wallet using power consumption modulation to generate signal with electromagnetic waves that leak your private keys is far easier, stealthier and effective. With sophisticated equipment it could be detected from quite far away.
So I would worry about getting a Faraday's Cage, before bothering with not using SD card. :)
> That means signing a transaction is not a deterministic process
Indeed. Signing with secp256k1 consist of signer picking an arbitrary nonce. I'm not sure if that's the case with Schnorr Signatures that are used for Taproot addresses.
It can be hidden in file creation times, file modification times, file access times, file permissions and infinite other parameters of the file system. You can probably write a file to a arbitrarily chosen position on the block device and have it stil be a valid filesystem. So the position becomes the message.
The attacker has access to it if he in some way runs software on your computer. That might be the software wallet you use or some other code that got onto your machine.
"picking an arbitrary nonce" - that seems to be the biggest problem so far. So even an air gapped wallet can send out data to the world. Every bit it can send out halves the security of your seed phrase. So a tiny amount of data will quickly make it brute forceable.
I guess one could use some offline machine to copy over only the file with the signed tx to be certain. :D
> Every bit it can send out halves the security of your seed phrase.
The device still needs to produce valid signatures in a reasonable time, so practically it can only leak handful of bits at the time.
Yet, it's just random bytes. You could generate that with dice, and customize the wallet to take it as user input.
That's really cool. I had never thought of that.
All these points make me think that the best way is ditching the hardware wallet, and creating your own hardware wallet on a generic, airgapped PC where you write your own software (you always hear don't roll your own crypto, but in these case where you don't have to worry about side channel attacks, and you would do the random generation with dice, it should be fine).
In such case you're only relying on lets say, Intel, an airgapped generic Linux, GCC and maybe something else. But all these are things that would be extremely hard to modify in a way to affect your custom written software on an airgapped PC.
Plus the incentives to do some sophisticated but funny business on a commercial Hardware Wallet is quite high. While adding such sophisticated attack to GCC or Intel chips somehow would be extremely unlikely.
Add to this multisig with other methods, and the probability of some technical attack is so unlikely compared to a rubberhose attack, that it might as well be 0.
But it is even worse:
The act of signing the hash is not deterministic:
https://medium.com/@simonwarta/signature-determinism-for-blo...
So it seems that:
This is actually a realistic failure mode - hardware wallets do fail even if rare.
There will always be an infinitely recursive list of trust issues or potential attack vectors, they will just become less and less likely.
What if the hardware wallet is backdoored? Use a Faraday cage. What if both the hardware wallet and Faraday cage is compromised? etc.
A wallet like Coinomi on an iPhone is a secure enough platform to keep your crypto on.
To be totally sure you could do all the math on a piece of paper and send crypto to the public key you generated by hand.
Of course it’s possible to exfiltrate data even without dedicated wireless hardware (TEMPEST etc) so I guess build a faraday cage if you’re really paranoid.
Also: https://glacierprotocol.org/
You realize you could s/bitcoin/monero/ and OP would pretty much have the same relevance right?
What’s this?
Purchase: https://www.crowdsupply.com/sutajio-kosagi/precursor
If you think there is no way around trusting some party, then please name which party that would be. And why one cannot use Bitcoin without trusting them.
Just use traditional finance and traditional banks. Because then at least you will have more hope of getting transactions reversed if you get scammed by any of the elaborate and unlikely device subversion or middlemanning methods that Bitcoin transactions are also susceptible to (those methods that you've alluded to already here)
That's a very first world centrist view. In my country the banks/government have outright stolen people's money in the past[1]. Most people don't trust the banks here, with good reason. When you put your money in the banks, you are trusting the "system" with your money.
And for shitty countries, something like Bitcoin is more trustworthy than the banking system.
[1] https://en.wikipedia.org/wiki/Corral%C3%B3n
The most well known point of trust in 51% attacks. Lesser known is bitcoin master nodes. Even lesser realised is the trust that your client is connected to the broader bitcoin network (and not segregated somehow). This also assumes trust in your client, which can also perform all kind of attacks (such as not reusing R values: https://bitcointalk.org/index.php?topic=581411.0)
There's no such thing as no trust, only different threat models. I'd reccomend reading https://www.threatmodelingmanifesto.org/
a) Buy it on an exchange: You need to trust that the exchange won't just run off with/sell your real money/credit card details (but at least in the real world you have a chance of clawing back stolen cash)
b) Buy it via a service like localbitcoins, where you meet a stranger in an alley and hand them hard cash. Not very trustless!
c) Mine the coins yourself. But unless you build a bitcoin miner from scratch, you need to trust the hardware and software (how do you know for sure that it isn't mining to someone else's account?) And your miner needs to be connected to the internet, so hackers could get your coins.
There are no good trustless options. You have to accept some risk.
EDIT: I missed the only tried and true trustless way to get bitcoins:
d) Hack/phish/con someone else out of their bitcoins!
You're missing an easy and obvious option.
You plan to buy 10 Bitcoin (not saying it's a good idea): you wire tx enough to buy one on Gemini or Coinbase (or whatever exchange fits you), wait for the tx to clear, buy one Bitcoin, move it to your hardware wallet. Rinse and repeat 9 more times.
At any one time you're never exposed to more than 1/10th of the amount you planned to buy.
I think a lot of highly speculative investors but still cautious people proceeded that way.
There are even sites tracking the Bitcoin and Ethereum and whatnots addresses accumulating coins on a regular basis.
With typical currencies, you can exchange at a currency exchange counter at the border/airport or use your bank/credit card which handles the conversion behind the scenes. I suppose the equivalent for bitcoin is a bitcoin ATM or bitcoin credit card.
Either way, trust of everything outside of owning your coins is irrelevant to the exercise. If you're going to play devil's advocate, you need to come up with relevant counter examples.
There is no good solution.
You can specify multiple recipients, so you could send the leftover back to your secure wallet. But reusing adresses after a transaction is considered insecure (I don't know why).
Or you have a second secure hardware wallet, that can receive the leftover.
There are various solutions for that, e.g. multi-sig, Shamir's Secret Sharing, etc.
> 1: Create a seed phrase with dices
You can do that but you'll need a way to generate the checksum for the seed phrase. A 24 words BIP39 seed contains 264 bits (24 x 11 bits): 256 bits for the seed and 8 bits for the checksum.
> There is not an easy way to check if the hardware wallet really has no internet connectivity.
Indeed but you can at least open / disassemble some of them easily (there are even docs by the manufacturers explaining how to verify that the hardware wallet's PCB looks legit).
Seed exfiltration, even without connectivity, is an issue too.
And some hardware wallets are extremely noisy and impossible to use totally offline (there are mandatory firmware upgrades and mandatory connectivity needed to install the "apps" that allow to sign transactions), so you have to trust the vendor.
> There is no way to check if the hardware wallet really uses the seed phrase to create the extended public key.
Yes there is. Use an airgapped/offline computer which has physically no network connectivity options (no wifi / no ethernet / no bluetooth / no nothing), no HDD, booted from, say, a live Linux CD with contains for example Ian Coleman's BIP39 tools. Then you enter your seed and verify that the extended public key / keys derived is the same as the one shown by your hardware wallet. Data exfiltration from such a computer is still technically possible but I wouldn't worry too much about it: you power that computer for a few minutes, turn it off, and you'll be fine.
In theory, you could pick 23 words at random with 11 * 23 coin flips, every 11 flips representing an index in the dictionary. Now to find which 24th word passes the checksum, you could guess it in at most 2048 attempts on your hardware wallet :)
More realistically, it might be possible to develop a Ledger app that, given 23 words, finds the "checksum-passing" 24th word for you.
Ah that's an interesting thought: I don't know about other hardware wallets but indeed the Ledger allows anyone to develop "nano apps" and it doesn't seem crazy to write one that'd compute the checksum after you gave it the 23 words you got throwing dice (well, 23 words + the three first bits of the 24th word really).
Maybe it even already exists?
But as I understand the private key can be any number, so you do not need to even use the seed phrase technique to create a private key, or if you do it isn’t required that it has a valid checksum in order to operate on the network.
I so wish there was a USB stick on the market where you can toggle read-only mode with a physical switch. (And where you had reasonable confidence that the firmware is hard to attack, I guess.)
3: You measure RF signals to verify that there's no wireless connection of any kind.
6: You can verify the public key by using multiple devices from different vendors with the same seed.
Practically speaking, you don't need to verify everything yourself. It's guaranteed that any information about attacks will be quickly available, if someone is able to verify everything.
[0]: using a lead acid battery so you can disassemble it and verify it isn't bugged.