We discuss how to store bitcoin reliably and securely for the long haul.
If you want to invest in bitcoin for the long haul, you should address the thorny issue of how best to store them. Since people love stealing bitcoins from others more than just about anything else in this world, all storage systems must first and foremost:
The easiest way to achieve this goal is simply to destroy your private keys. So there must be a yin to requirement #1’s yang, which is to:
Storing bitcoin shouldn’t rob them of their best properties. So in addition, good bitcoin storage should:
And in case you need to leave the country in a hurry, or if you inexplicably wash up naked on a foreign shore, your coin should:
We realize #4 is ridiculous, but still, it’s fun to think about.
Achieving all four of these goals simultaneously is challenging, and most systems we looked at fell short on at least one of these axes. We’ll cover those later in this article, but first, we recommend a scheme to store your retirement coin, which is:
A brainwallet is an open algorithm that deterministically and statelessly converts a secret passphrase into a public/private key pair. Typically, brainwallet algorithms are quite simple:
This attack should look familiar; it’s nearly the same attack used to crack compromised password databases. And indeed, brainwallets are insecure for the same reason that unsalted, unhashed password databases are insecure. Therefore, brainwallets ought to employ the same security measures as password databases:
We built WarpWallet, a security-enhanced brainwallet implemented as a standalone Web page. WarpWallet is more secure than standard brainwallets for two simple reasons: (1) it requests that each user pick a unique “salt” so that an adversary needs to crack each user’s brainwallet individually; and (2) it hashes secret passphrases using scrypt so that each guess by the adversary is expensive to compute.
With this WarpWallet primitive, here is the full algorithm for storing wealth:
Run sha256sum warp.html on the AGM to verify that the sum matches the sum you observed in step 2.
vicar formal lubbers errata. More on this later.
To redeem your coin, repeat the process, but transfer over the private key. Once you redeem a WarpWallet, never use it again. (Alternatively, you can use Bitcoin libraries to sign a transaction on your airgapped machine, transfer it to your networked machine, and inject it into the blockchain; we have yet to implement this.)
There are four main attacks an adversary can attempt to steal your coin: (1) infiltrate your machines; (2) break WarpWallet’s cryptography; (3) brute-force your password; or (4) guess your passphrase from your little “reminder” notes. Let’s look at all four:
For the first attack, assume the worst case, that the attacker has compromised all three machines. An attacker who has compromised your air-gapped machine knows your private key, but has no way to communicate it back (you should make sure to never connect your AGM back to the network). A compromise of your phone or your networked machine gives the attacker access to your public key, but that won’t allow a theft of your coin as long as the Bitcoin protocol holds. Of course, an attacker who controls your networked machine can also move your coin out of a Coinbase to an account of his choosing, but assuming you can transfer your coin to a WarpWallet before him, you are in the clear. Similarly, if the attacker controls all code running on all of your machines, you might not be able to run the real version of WarpWallet and instead might have a trojaned version that only outputs keys that the attacker knows. We don’t have a great answer to this attack other than to check your version of WarpWallet against other machines, either by cryptographic hash, or by checking known input/output pairs.
The next attack to consider is a break of WarpWallet’s cryptography. WarpWallet works as follows:
salt||0x1, N=2^18, r=8, p=1, dkLen=32)
salt||0x2, c=2^16, dkLen=32)
private_key using standard Bitcoin EC crypto
We claim without formal proof that this algorithm is as strong as the stronger of scrypt and PBKDF2. As long as one of those algorithms remains secure, a brute-force attack is necessary to derive keypairs from candidate passphrases.
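To make the derivation concrete, here is an added example in Python (our own illustration, not WarpWallet’s code; the real wallet runs in JavaScript). It follows the public WarpWallet specification, which the fragments above show only the tails of, so the following are stated here as assumptions: scrypt is fed passphrase||0x01 with salt||0x01, PBKDF2 uses HMAC-SHA256 over passphrase||0x02 with salt||0x02, and the private key is s1 XOR s2. The example stops at the secp256k1 public key and does not do Bitcoin address encoding.

```python
# Added example (not WarpWallet's own code): the key derivation described
# above, using only the Python standard library plus a minimal secp256k1
# scalar multiplication so the derived secret can be turned into a public key.
# Assumptions, taken from the public WarpWallet specification: scrypt input is
# passphrase||0x01 with salt||0x01; PBKDF2 input is passphrase||0x02 with
# salt||0x02 under HMAC-SHA256; private key = s1 XOR s2.
import hashlib

SCRYPT_N = 2**18           # WarpWallet's scrypt work/memory parameter
SCRYPT_R = 8
SCRYPT_P = 1
PBKDF2_ITERATIONS = 2**16
KEY_LEN = 32

# secp256k1 domain parameters (the standard Bitcoin curve, y^2 = x^3 + 7)
P = 2**256 - 2**32 - 977
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def warpwallet_secret(passphrase: str, salt: str = "", n: int = SCRYPT_N) -> bytes:
    """Return s1 XOR s2: s1 from scrypt, s2 from PBKDF2-HMAC-SHA256.

    `n` defaults to WarpWallet's 2^18; callers may pass a smaller power of two
    for quick checks. An attacker who breaks one KDF still has to brute-force
    the other, which is the "cushion" the post describes.
    """
    pw = passphrase.encode("utf-8")
    st = salt.encode("utf-8")
    # scrypt needs roughly 128*r*n bytes; raise maxmem above that ceiling.
    s1 = hashlib.scrypt(pw + b"\x01", salt=st + b"\x01", n=n, r=SCRYPT_R,
                        p=SCRYPT_P, dklen=KEY_LEN,
                        maxmem=2 * 128 * SCRYPT_R * n + 2**20)
    s2 = hashlib.pbkdf2_hmac("sha256", pw + b"\x02", st + b"\x02",
                             PBKDF2_ITERATIONS, KEY_LEN)
    return bytes(a ^ b for a, b in zip(s1, s2))


def _ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None                      # a == -b
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def _ec_mul(k: int, point):
    """Double-and-add scalar multiplication (illustrative, not constant-time)."""
    result = None
    while k:
        if k & 1:
            result = _ec_add(result, point)
        point = _ec_add(point, point)
        k >>= 1
    return result


def public_key_from_secret(secret: bytes) -> bytes:
    """Compressed SEC1 public key (33 bytes) for a 32-byte private scalar."""
    k = int.from_bytes(secret, "big")
    if not 1 <= k < ORDER:
        raise ValueError("derived scalar is outside the valid secp256k1 range")
    x, y = _ec_mul(k, G)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def derive_keypair(passphrase: str, salt: str = "", n: int = SCRYPT_N):
    """(private key hex, compressed public key hex) for passphrase and salt."""
    secret = warpwallet_secret(passphrase, salt, n)
    return secret.hex(), public_key_from_secret(secret).hex()


if __name__ == "__main__":
    # Constructed throw-away inputs; a real passphrase never belongs in source.
    priv, pub = derive_keypair("throwaway test passphrase", "test@example.com")
    print("private key:", priv)
    print("public key: ", pub)
```

Because the two KDF outputs are combined with XOR, an attacker who could invert scrypt would still be left with a uniformly unknown 32-byte PBKDF2 output, and vice versa; that is the informal argument behind the claim above. The full-strength run at N=2^18 needs about 256 MB of memory and several seconds per guess, which is the whole point.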
To quantify security against a brute-force attack, we make the following assumptions:
Note that WarpWallet uses scrypt security parameter N=2^18, and the Litecoin system uses N=2^10. Our analysis uses the following constants, but you can edit them as market conditions change:
|Price per Litecoin in USD|
|Litecoin Block Reward|
|Bits of WarpWallet Passphrase Entropy|
With these assumptions, the cost to break a WarpWallet is x. (See this page’s JS source to check our computations).
That’s a comfortable security margin for now. If there’s a news report that scrypt is broken, or of a significant reduction in hardware cost, you still have the cushion of PBKDF2 while you change to a different scheme.
Practically speaking, there’s an outstanding public challenge to test the security of WarpWallet. When the site was announced, we included 4 challenges that we knew to be solvable in short order, to prove that people would take the challenges seriously. They did. The remaining challenge is to guess an address with only 48 bits of entropy, and it has remained uncracked since November 2013.
Finally, there is a risk that people who you physically interact with will find one of your reminder notes, recover your passphrase and steal your coin. The best defense against this attack is first, to make your reminder cryptic enough so that anyone who finds it won’t know what it is; and second, to not hang out with dicks who would steal your money.
When generating a passphrase, it’s nice to use an algorithm that produces a passphrase with quantifiable entropy. For instance, this page picks N words at random from the dictionary, and gives you more passphrase entropy for higher values of N. One can memorize passphrases like these if you use them regularly, but since WarpWallets are used a couple of times per decade, you’re at risk of forgetting. We internally discussed easier-to-remember password systems, like interwoven lines from famous poems, words you made up when you were a kid, etc. Here, you are into the realm of security-by-obscurity. Whichever system you pick should look like the concatenation of random words to an attacker who doesn’t know your secret algorithm. For instance, picking a single line from an obscure poem isn’t a great idea, since words 3 through 10 probably supply almost no entropy. Concatenating the 13th word of eight of your favorite poems will look a lot more random.
The WarpWallet protocol described above should be secure. It is certainly free and accessible from almost anywhere in the world in a bind. The biggest question is whether you will mess it up. The mistakes we can think of are:
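As an added example (ours, not the generator page the post links to), here is a dictionary passphrase generator whose entropy is quantifiable in the way the paragraph above describes: each word is drawn uniformly from the list with a cryptographic random source, so the entropy is simply the word count times log2 of the dictionary size. The embedded word list is a constructed stand-in; a real run would load a large dictionary file.

```python
# Added example (not from the post): passphrases with quantifiable entropy.
import math
import secrets

# Constructed stand-in for a real dictionary. In practice load a large list,
# for example /usr/share/dict/words or a 7776-word diceware list.
SAMPLE_WORDS = [
    "vicar", "formal", "lubbers", "errata", "harbor", "kettle", "marble",
    "oxide", "pillar", "quartz", "ribbon", "saddle", "timber", "umpire",
    "velvet", "walnut",
]


def passphrase_entropy_bits(dictionary_size: int, word_count: int) -> float:
    """Entropy of word_count words drawn uniformly, independently, with replacement."""
    return word_count * math.log2(dictionary_size)


def words_needed(dictionary_size: int, target_bits: float) -> int:
    """Smallest word count that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def generate_passphrase(words, word_count: int) -> str:
    """Pick word_count words uniformly at random from a de-duplicated list.

    Uses the secrets module: the random module is a predictable PRNG and must
    never choose key material. Duplicates are removed first so that the entropy
    estimate above, which assumes distinct equally likely words, holds.
    """
    unique = sorted({w.strip().lower() for w in words if w.strip()})
    if len(unique) < 2 or word_count < 1:
        raise ValueError("need at least two distinct words and one draw")
    return " ".join(secrets.choice(unique) for _ in range(word_count))


if __name__ == "__main__":
    n = words_needed(len(SAMPLE_WORDS), 80)
    print(f"{n} words from a {len(SAMPLE_WORDS)}-word list give "
          f"{passphrase_entropy_bits(len(SAMPLE_WORDS), n):.1f} bits")
    print(generate_passphrase(SAMPLE_WORDS, n))
```

The arithmetic makes the post’s warning visible: a 16-word toy list needs 20 words to reach 80 bits, while a 7776-word list needs 7. A line lifted from a poem is worse than either, because once the first few words are known the rest are nearly determined and contribute almost no entropy.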
We’ve covered passphrase forgetting and reminders above. And you do need to work slowly to avoid careless mistakes in the coin transfer protocol. There will be a self-contained, public, and self-certified version of WarpWallet available as long as GitHub is running or you have a checkout of our repository. We’ll sign all subsequent releases with our PGP key (ID: 4748 4E50 656D 16C7).
Software bugs are interesting to consider. When we built WarpWallet, we implemented the algorithm twice, with two different software stacks, and checked that we got the same answers. To run our tests, check out the repository and run
npm install -d;
Still, you should take further precautions. After transferring the HTML to your air-gapped machine in Step 4 above, run some tests. Pick some throw-away passwords and hash them both on your networked machine and your air-gapped machine. If that checks out, and the results match, then generate a temporary password, transfer a small amount of coin to WarpWallet, and then the following day, transfer the coin back. Run these tests as many times as you need to feel comfortable, and then pull the trigger.
Above we asserted that our system is better than other competitors. Let’s take a deeper look.
Many of us buy our coin from Coinbase since it’s a great company, with great engineers and they claim to take some serious security measures. But maybe you shouldn’t keep your coin there indefinitely. Coinbase is at best as secure as a non-FDIC-insured bank, and maybe less secure. Meaning, like banks it is susceptible to physical burglaries, ledger errors, and, though we shudder to think of it, personal extortion of key employees. Even more so than banks, Coinbase will magnetically attract XSS, CSRF, and phishing attacks. Though their security has been good to-date, it is an ongoing fight against determined, well-motivated adversaries. Finally, neither the FDIC nor any other body insures Coinbase, so unlike bank deposits, your coin at Coinbase disappears in the case of a “bank run” or a sudden business failure.
Anyone with a cable modem and some extra storage space can run their own wallet (either full or thin). Running your own wallet makes sense if you transact frequently, but leaves your long-term storage vulnerable, since your coin is susceptible to both theft and loss. Unencrypted backups trade off loss-resilience for theft-resilience. Perhaps the sweet-spot here is encrypted backups. We came close to advocating that system before we realized we’d only feel comfortable with encrypted backups if they were copied to many different places. At that point, it’s the encryption—and not possession of the encrypted file—that keeps your coin safe. So in other words, you’d still have to remember a good passphrase, and in addition choose a good encryption system, manage files properly, and convince yourself that you’ll be able to decrypt when necessary. This felt like a lot of extra machinery that might eventually hinder recoverability without providing additional security.
Paper wallets and offline USB sticks are more secure against theft, assuming the machine you used to generate the wallet or store to USB wasn’t compromised. However, offline storage is vulnerable to loss. You can lose them in a fire; you can throw them out by accident. Some store offline wallets in safety-deposit boxes, but vault storage is expensive, inconvenient and can be confiscated in certain cases.
Using cryptographic secret-sharing, you can, for instance, split your wallet up into 7 pieces, any 4 of which can be reassembled to recreate the wallet. Imagine keeping some shares for yourself, storing some in your office, and leaving some with your family or mates. Such solutions seem elegant in principle but error-prone in practice.
Use WarpWallet and follow our step-by-step directions above to store your coin for the long haul.
Thanks to Chris Coyne; he is co-author of WarpWallet and edited drafts of this post.
There’s a discussion at HackerNews.