Photo by Silas Köhler on Unsplash
Before we get into it, just wanted to quickly touch on the difference between custodial and self-custody in Bitcoin.
Custodial services involve a third party holding onto your bitcoin on your behalf, which can be convenient but comes with added risk. Self-custody, on the other hand, means you are responsible for keeping your own bitcoin secure, which may require more effort but gives you full control. If you haven’t read part 1, you can read it here.
To secure your bitcoin holdings, it's important to take self-custody by holding the keys yourself. Hardware wallets are the most secure option for storing bitcoin keys. We'll explore the different options available within Single Signature (SingleSig) in this article.
Remember your bitcoin is not stored on the hardware device, your bitcoins are on the network (completely open and transparent). The thing that is stored on the hardware device are your bitcoin private keys. It’s these digital keys that enable you to transact with your bitcoin on the network (that is if you can keep them).
SingleSig
SingleSig wallets use one private key to sign off on spending bitcoin and are easy to set up. However, there are risks, such as the single point of failure if the key is lost or stolen. It's important to store the key physically as a seed-phrase to protect your bitcoin.
Before diving into the concept of MultiSig, I believe it would be beneficial for us to explore some of the various methods that individuals commonly use to enhance the security of SingleSig setups. It is intriguing to note that there is a wide range of approaches that people take when it comes to modifying their SingleSig security.
For some individuals, they opt to create makeshift strategies to strengthen their SingleSig setups. This may involve implementing additional layers of security or following unique protocols to safeguard their keys. On the other hand, there are those who rely on industry standard tools to enhance the security of their SingleSig setups. These tools may include encryption software, biometric authentication systems, or hardware security modules.
By understanding the different methods that people utilise to modify SingleSig setups, we can gain valuable insights into the diverse approaches that exist in the realm of cybersecurity. This knowledge can also provide us with a broader perspective on the various ways in which we can potentially enhance the security of our own SingleSig setups.
Makeshift SingleSig modifications
It's important for Bitcoin holders to be cautious of simplistic techniques for protecting their funds, such as copying the seed-phrase, encoding it, splitting it into pieces, or creating multiple SingleSig wallets. These methods have their own drawbacks that may not be immediately apparent. Let's discuss them briefly.
Multiple copies of your seed-phrase
Copying your seed-phrase can help prevent the loss of access to your bitcoin, but be cautious as it can also increase the risk of theft if someone finds one of your copies.
Seed-phrase encoding
Some SingleSig users may encode their seed-phrases to prevent theft, using methods like altering words with a secret formula or hiding the seed-phrase in a larger set of words. However, while a more complex encoding strategy may decrease the chances of theft, it also increases the risk of making a mistake or forgetting how to decode the information, potentially leading to the loss of access to bitcoin.
Splitting of your seed-phrase
Arguably the most common makeshift SingleSig modification, Seed-phrases can be split up and stored separately as a security measure. Often employed when leaving bitcoin to family in a will. The will contains half the seed words and a trusted party the other half. This is so that the entire seed isn’t registered in death proceedings by legal teams who don’t understand bitcoin. Remember though, if a thief acquires even a portion of your seed-phrase, they could be closer to stealing your bitcoin. This approach can make it difficult or impossible for you to access your bitcoin if any section is lost.
Setting up multiple SingleSig wallets
It's smart to avoid keeping all your bitcoin in one wallet to reduce the risk of loss or theft. While spreading your bitcoin across multiple wallets can help avoid losing everything, it also increases the risk of losing a portion of your wealth if any of the wallets are compromised. It's easy at this point to say “this is all a little too complicated, this isn’t for me”, but hang in there read on for ways to protect your entire bitcoin balance with reduced risk.
Industry standard SingleSig upgrades
There are standardised tools available to address risks with SingleSig wallets, such as BIP 39 passphrases, Seed XOR, and Shamir’s secret sharing. Each option has trade-offs to consider.
Using BIP 39 passphrases
When generating a bitcoin key, you can choose to add a passphrase for extra security. Passphrases are additional characters added to the seed-phrase and provide protection against theft. This feature was introduced in 2013 as part of BIP39. If a key is built with a passphrase, it will always be required to access the funds. This added layer of security can be used instead of seed-phrase splitting and also allows for a decoy wallet to protect a smaller amount of funds.
Passphrases are crucial for accessing your bitcoin, but if you lose or forget it, you could permanently lose access to your funds. Simple passphrases are easy to guess, so it's important to use a strong one. However, trying to remember a strong passphrase is a common way people lose their bitcoin.
Coinkite’s Seed XOR
Coinkite has introduced a new solution called Seed XOR, which allows you to split your seed-phrase into multiple unique 12 or 24 word seed-phrases. By storing these new seed-phrases separately, it adds an extra layer of security and the option for decoy wallets. Each resulting seed-phrase component can also be used as a key for a new SingleSig wallet with a smaller amount of funds.
Seed XOR functionality is available on Coldcards, but you can also do the math on paper. However, be aware that Seed XOR has drawbacks that increase the risk of losing access to your bitcoin.
SSS - Shamir’s secret sharing
In 1979, Adi Shamir created Shamir’s secret sharing (SSS) algorithm, which splits secret information into multiple pieces called shards that can be combined to reproduce the original secret. SSS allows for creating a quorum where only a portion of the shards are needed to produce the secret. Trezor hardware wallet creators, Satoshi Labs, introduced a standard for using SSS called the “Shamir backup” in SLIP 39.
However, SSS has a weakness where all shards must be in one place when reassembling the secret, posing a temporary single point of failure for SingleSig wallets.
BLOCKSTREAM GREEN - 2FA PROTECTED ACCOUNTS
One way to upgrade an existing SingleSig setup is to use your existing seed with a passphrase on a Blockstream Jade (hardware wallet) and use the Green Wallet (software) from Blockstream to generate a new wallet (account) using their 2FA Multisig Shield solution.
With this solutions, one key is held on your device and another on Blockstream’s 2FA servers, enabling you to protect your wallet with two-factor authentication. Timelocks or a third backup key ensure you always retain full ownership of your funds. If you do go down this route, be sure to move your BTC to the new “2FA Multisig Shield” wallet and maybe leave some BTC on the old wallet as a decoy.
** In our next blog (Part 3) on self custody, we will look at ways to mitigate these single point of failures when we dive into MultiSig wallet setups.
If you haven’t yet followed our "platform verified” strategy - Rational Active Allocation, you can do so with as little as £20 per month. This is a custodial solution aimed at those just starting their Bitcoin journey.
DISCLAIMER
This publication is general in nature and is not intended to constitute any professional advice or an offer or solicitation to buy or sell any financial or investment products. You should seek separate professional advice before taking any action in relation to the matters dealt with in this publication. Please also note our disclosure here