Safe and transparent custody – CheckSig

TL;DR (aka Executive summary)

CheckSig’s custody protocol is based on a two-level storage: the deepest level (the frozen wallet) is jointly controlled by the hardware security modules (HSM) of 1) a “multi-sig authorization custodian” and 2) a “multi-sig federation” of independent companies. From the frozen wallet, bitcoins can only move to a) the cold wallet, a staging time-locked area for withdrawal controlled by another “multi-sig cold custodian”, or b) the frozen wallet itself for a public proof-of-reserves. Both levels have disaster recovery HSMs that, while useless under normal operating conditions because of a time-lock, can be used to rescue the bitcoins if a monthly proof-of-reserves is missed. The process described below could be tailor-made for the segregated custody of a relevant customer, retaining the basic idea of a “distributed” collaborative custody involving multiple agents. CheckSig also boasts insurance coverage (provided by a leading European insurance group) and SOC1 / SOC2 Type II attestations (provided by an independent auditor).

Bitcoin are controlled by the private keys that can transfer (i.e., spend) them.

If the private keys are lost or stolen, there is no way to recover the associated Bitcoins. Safe management of the private keys is therefore of paramount importance for Bitcoin holders, but such activity requires sophisticated technical skills and domain knowledge. Private keys are usually stored in “wallets”; however, “hot” (online, internet-connected) wallets can be hacked, “cold” (offline, internet-disconnected) wallets can be lost or stolen, and the PINs/passwords needed to gain access to wallets can simply be forgotten.

Consequently, individuals may be uncomfortable dealing with their Bitcoin holdings; even more so if they consider issues such as inheritance (how to ensure that children will inherit Bitcoin without having to share private keys with them) and personal safety (how to avoid violence and coercion aimed at stealing Bitcoin). Institutions also have the above security issues; furthermore, they are often required by law and/or internal regulation to entrust the management of Bitcoin holdings to a specialized service provider. That’s why there are companies offering professional Bitcoin custody services.

Unfortunately, many Bitcoin custodians offer unsatisfactory solutions:

  • Insufficient disclosure about their technology and process, often with the excuse that this is needed for “security” reasons (the so-called security-by-obscurity paradigm, rejected by all reputable cryptography and cyber-security experts).
  • Customers have no way to check that their Bitcoins are, in fact, really held by the custodian and have not “disappeared” for one reason or another.
  • Customers remain in charge of technical duties or risk management responsibilities.
  • Conflicts of interest arise for custodians that also provide trading services, as trading favours availability instead of security.

This is why CheckSig has decided to take a completely different approach, designing its transparent open protocol for Bitcoin custody. The protocol includes patent-pending inventions, pledged to the Crypto Open Patent Alliance.

A new standard of transparency and security, by design

  • Avoid reliance on security-by-obscurity and, instead, define a public standard that can be audited and reviewed by anybody
  • Provide periodic evidence of Bitcoin holdings to clients, so that they can be certain that their assets are where they are supposed to be

Our guiding principles:

  • no hot wallets, i.e., assets are never internet-exposed nor remotely accessible, to make remote attacks unfeasible
  • minimize the risk of loss of funds through theft, error, or other mishaps
  • rely on the Bitcoin protocol for security wherever possible, rather than inventing new functionality or procedures
  • remain as “neutral” as possible regarding future changes to the Bitcoin protocol, working with the existing Bitcoin protocol functionality “as is”.

How it works

There are four main events happening in our custody process: deposit, withdrawal, proof-of-reserves, and disaster recovery. Before describing them in detail, it is important to know that three main parties are involved:

  • Clients: the actual owners of the Bitcoins, who have decided to place their assets in CheckSig custody.
  • CheckSig: the entity which has the legal custody of the assets on behalf of the Clients. Inside CheckSig there are different kinds of agents; as of November 2021:
    • three Frozen Wallet authorization agents
    • three Cold Wallet custodian agents
    • three Frozen Wallet recovery agents
    • three Cold Wallet recovery agents
  • Federation: independent companies, not owned by CheckSig; as of November 2021, there are six Federation agents:
    1. The Rock Trading: the leading Italian crypto exchange
    2. Intesi Group: a Certification Authority with deep Bitcoin knowledge
    3. SZA: an Italian law firm that assists crypto companies
    4. Tinkl.it: a Bitcoin payment company
    5. Studio Avella: a chartered accountant with in-depth understanding of crypto assets
    6. A, so far, undisclosed dormant (i.e., inactive) agent

Furthermore, the CheckSig custody process uses two layers/wallets:

  • the Frozen Wallet, where Bitcoins are stored, managed by the Federation
  • the Cold Wallet, which is mostly empty (except during withdrawals), directly managed by CheckSig

Both wallets are comprised of professional-grade hardware security module (HSM) devices, provided by leading manufacturers: currently, Ledger (the most reputable specialized vendor) and CryptoAdvance/Specter (the most technically advanced one). HSM devices are used to provide the digital signatures required for a Bitcoin transaction. An HSM device contains a secure element that performs the signatures using the private keys without exposing them outside its own boundaries, thus preventing the theft of the keys even if the device is used in an insecure or compromised environment.

1. Deposit process

In practice, deposit is very straightforward: the Client moves Bitcoins to a BIP32 P2WSH “address” belonging to the Frozen Wallet and notified to the Client by CheckSig.

2. Withdrawal process

The withdrawal process cannot be performed by CheckSig without involving the Federation, to reduce the risk of internal CheckSig wrongdoings. At the same time, the Federation cannot initiate a withdrawal process, only CheckSig can. The withdrawal consists of two distinct Bitcoin transactions:

  1. Bitcoins are moved from the Frozen Wallet to the Cold Wallet. This first “unlock and/or redeposit” transaction requires two steps:

  • CheckSig authorization agents must pre-authorize the transaction. This is accomplished when the digital signatures of two out of three (2-of-3) authorization agents are obtained. Each authorization agent provides its digital signature using a HSM device.
  • Then, the transaction must obtain the approval of three out of six (3-of-6) Federation agents. Each Federation agent provides its digital signature using a HSM device, customized (i.e., locked-down) to ensure that the signature can be produced only if:
    • The transaction has been pre-authorized by CheckSig authorization agents
    • The transaction unlocks Bitcoins to destination addresses white-listed in a previously approved list of addresses belonging to the Cold Wallet (and/or redeposits Bitcoins to Frozen Wallet white-listed addresses, see “3. Proof-of-reserves” later on).

At this stage, Bitcoins can only be moved to white-listed addresses: it is technically impossible to move them to any other arbitrary address and this prevents any possibility of Federation agents stealing Bitcoins away from the CheckSig custody. For the time being, addresses are white-listed using HSM customized firmware and software; CheckSig looks forward to CTV (check template verify), the new Bitcoin Script operator being discussed among developers: CTV would remove the need for HSM customizations and would represent the definitive security seal of our custody protocol.

  2. Bitcoins are moved from the Cold Wallet to the Client(s). This second “withdraw and/or redeposit” transaction requires the digital signatures of two out of three (2-of-3) CheckSig custodian agents, each signature involving a distinct HSM device held in a different safety box in a different bank in a different city. It is with this second transaction that Bitcoins are effectively withdrawn from CheckSig and returned to the Client. Furthermore, the withdraw transaction can only be performed with a four days (more precisely 4*144=576 blocks) “fixed time delay” after the previous unlock transaction has been confirmed by the Bitcoin network; this is to allow for security checks (see “4. Disaster recovery” later on): in the case of any problem, Bitcoins can be redeposited back to the Frozen Wallet.

The act of spending from the Frozen or Cold Wallet reveals the (pre-image of the P2WSH) locking script that protects the Bitcoins under custody. Since these transactions happen at least monthly, the scripts protecting the Bitcoins under custody are public on the blockchain, making CheckSig custody really transparent: everything documented here can be independently verified, avoiding any kind of security-by-obscurity (see also “4. Disaster recovery” later on).

Differently from all other custodians that have access to all the assets all the time, CheckSig has direct access to Bitcoins only during the withdrawal process and only for the amounts being withdrawn. This being the only residual attack surface of the custody process, the withdrawal is covered by insurance guarantees.

3. Proof-of-reserves

On a periodic (at least monthly) basis, an “unlock and/or redeposit” transaction is confirmed by the Bitcoin network, publicly documented on the blockchain and published on the CheckSig web site. The Bitcoins that are not unlocked to satisfy withdrawal requests are redeposited from the Frozen Wallet back to the Frozen Wallet itself. This is the “proof-of-reserves” provided periodically to clients and auditors as evidence of the amount under custody and, crucially, to prove that CheckSig has not lost control of the Bitcoins held in the Frozen Wallet.

4. Disaster recovery

A disaster recovery procedure is activated when:

  1. The Frozen Wallet authorization quorum is lost, i.e., using the current 2-of-3 set-up, less than two out of the three HSM devices held by CheckSig authorization agents are functional/available. In this case, the risk is to lose control of the assets in the Frozen Wallet, usually representing all funds under custody.
  2. The Frozen Wallet Federation quorum is lost, i.e., using the current 3-of-6 set-up, less than three out of the six HSM devices held by Federation agents are functional/available. In this case, the risk is to lose control of the assets in the Frozen Wallet, usually representing all funds under custody.
  3. The Cold Wallet custodian quorum is lost, i.e., using the current 2-of-3 set-up, less than two out of the three HSM devices held by CheckSig custodian agents are functional/available. In this case, the risk is to lose control of the assets in the Cold Wallet, usually just pocket money allocated to the Cold Wallet to cover for transaction fees, possibly larger amounts during a withdrawal process.
  4. A malicious withdraw process has been initiated by CheckSig Frozen Wallet authorization agents and approved by the Frozen Wallet Federation agents; if the Cold Wallet custodian agents are suspected of colluding in an attempt to steal funds, the withdraw process must be reverted before the expiration of the “fixed time delay” that would make the Bitcoins (just moved from the Frozen Wallet to the Cold Wallet) available to the Cold Wallet custodian agents. In this case, the risk is not being able to stop the malicious withdraw process, losing the involved funds.

More specifically, there are two different kinds of disaster recovery transactions.

  1. Cases 1 and 2 above: the disaster recovery transaction requires the digital signatures of two out of three (2-of-3) CheckSig Frozen Wallet recovery agents, provided using Frozen Wallet recovery HSM devices, each held in a different safety box in a different bank in a different city. These HSM devices are accessible to the CheckSig Frozen Wallet recovery agents only with the informed explicit approval of a notary, after an independent audit of the disaster scenario. The disaster scenario is evident when the Bitcoins in the Frozen Wallet have not been moved on the Bitcoin network for more than 36 days (more precisely 36*144=5184 blocks), i.e., a proof-of-reserves has not been timely provided. In this case, the Frozen Wallet recovery HSM devices can be used to sweep those Bitcoins anywhere (e.g., to a new custody set-up). The disaster recovery facility, along with the regular Federation control facility, is evident when an “unlock and/or redeposit” (i.e., proof-of-reserves) transaction spends from a Frozen Wallet address revealing the (pre-image of the P2WSH) locking script:
OP_IF     OP_PUSHNUM_3       OP_PUSHNUM_6 OP_CHECKMULTISIG OP_ELSE     5184 OP_CSV OP_DROP OP_PUSHNUM_2    OP_PUSHNUM_3 OP_CHECKMULTISIG OP_ENDIF
  2. Cases 3 and 4 above: the disaster recovery transaction requires the digital signatures of two out of three (2-of-3) CheckSig Cold Wallet recovery agents, provided using Cold Wallet recovery HSM devices. These devices are customized (i.e., locked-down) to ensure that the signature can be produced only if the transaction spends Bitcoins to destination addresses included in a previously approved list of Frozen Wallet addresses. At any time, the Cold Wallet recovery HSM devices can sweep the Bitcoin in the Cold Wallet, redepositing them back to the Frozen Wallet. The Cold Wallet four days (more precisely 4*144=576 blocks) “fixed time delay” does not apply here, as it only concerns Cold Wallet custodian HSM devices. The disaster recovery facility, along with the regular custodian control facility, is evident when a “withdraw and/or redeposit” transaction spends from a Cold Wallet address revealing the (pre-image of the P2WSH) locking script:
OP_IF     576 OP_CSV OP_DROP OP_PUSHNUM_2    OP_PUSHNUM_3 OP_CHECKMULTISIG OP_ELSE     OP_PUSHNUM_2    OP_PUSHNUM_3 OP_CHECKMULTISIG OP_ENDIF
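
The two revealed locking scripts above can be checked mechanically. The following is an added example, not CheckSig's code: it decodes a revealed witness script, extracts each branch's m-of-n threshold and OP_CSV delay, and checks that the script's SHA256 matches the spent P2WSH output. The public keys are constructed placeholders and all function names are illustrative.

```python
import hashlib

OP_IF, OP_ELSE, OP_ENDIF, OP_DROP, OP_CSV, OP_CHECKMULTISIG = 0x63, 0x67, 0x68, 0x75, 0xB2, 0xAE

def tokens(script):
    """Decode a witness script into ("op", byte), ("num", n) and ("key", bytes) items.
    Pushes of up to 4 bytes are read as positive little-endian script numbers."""
    out, i = [], 0
    while i < len(script):
        b, i = script[i], i + 1
        if 0x01 <= b <= 0x4B:                      # direct push of b bytes
            data, i = script[i:i + b], i + b
            if len(data) != b:
                raise ValueError("truncated push")
            out.append(("num", int.from_bytes(data, "little")) if b <= 4 else ("key", data))
        else:                                      # 0x51..0x60 are OP_PUSHNUM_1..16
            out.append(("num", b - 0x50) if 0x51 <= b <= 0x60 else ("op", b))
    return out

def branches(script):
    """Return (m, n, csv_delay_blocks) for the OP_IF branch, then the OP_ELSE branch."""
    t = tokens(script)
    if t[:1] != [("op", OP_IF)] or t[-1:] != [("op", OP_ENDIF)] or t.count(("op", OP_ELSE)) != 1:
        raise ValueError("not an OP_IF/OP_ELSE/OP_ENDIF script")
    cut, result = t.index(("op", OP_ELSE)), []
    for br in (t[1:cut], t[cut + 1:-1]):
        delay = 0
        if br[1:3] == [("op", OP_CSV), ("op", OP_DROP)] and br[0][0] == "num":
            delay, br = br[0][1], br[3:]           # strip the <delay> OP_CSV OP_DROP prefix
        keys = [v for kind, v in br[1:-2] if kind == "key"]
        tail = [("num", len(keys)), ("op", OP_CHECKMULTISIG)]
        if len(keys) + 3 != len(br) or br[0][0] != "num" or br[-2:] != tail:
            raise ValueError("branch is not m-of-n OP_CHECKMULTISIG")
        result.append((br[0][1], len(keys), delay))
    return result

def verify_reveal(script, spent_script_pubkey, policy):
    """True if the revealed script matches the spent output and the documented policy."""
    commitment = b"\x00\x20" + hashlib.sha256(script).digest()   # OP_0 <32-byte hash>
    return commitment == spent_script_pubkey and branches(script) == policy

def sample_branch(m, n, tag, delay=0):             # constructed placeholder keys, not real ones
    csv = b"\x02" + delay.to_bytes(2, "little") + bytes([OP_CSV, OP_DROP]) if delay else b""
    keys = b"".join(b"\x21\x02" + bytes([tag + i]) * 32 for i in range(n))
    return csv + bytes([0x50 + m]) + keys + bytes([0x50 + n, OP_CHECKMULTISIG])

# Constructed samples: OP_IF (0x63) <branch> OP_ELSE (0x67) <branch> OP_ENDIF (0x68)
FROZEN = b"\x63" + sample_branch(3, 6, 0x10) + b"\x67" + sample_branch(2, 3, 0x20, 5184) + b"\x68"
COLD = b"\x63" + sample_branch(2, 3, 0x30, 576) + b"\x67" + sample_branch(2, 3, 0x40) + b"\x68"
```

For the Frozen Wallet the expected policy is `[(3, 6, 0), (2, 3, 5184)]`, and for the Cold Wallet `[(2, 3, 576), (2, 3, 0)]`; a script with any other threshold or delay fails the check even before the hash comparison.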
