Slush Operator Announces USB Wallet Project


Marek Palatinus, commonly known under his forum handle Slush as the operator of mining.bitcoin.cz, the oldest mining pool in the Bitcoin community, has just announced that he, in collaboration with Pavol Rusnák (stick), is starting up a new project: a Bitcoin hardware wallet that works by connecting to a computer via USB. The primary motivation behind the project is security. There have been cases where Bitcoin users lost thousands of dollars – in one extreme example, half a million – because the computers on which they were storing their bitcoins were infiltrated by viruses. One could argue that these thefts were the fault of a few particularly negligent individuals, but the evidence suggests otherwise. For nearly a decade, botnets of computers taken over by viruses have existed that are millions of machines strong, and even in Finland, which a study by the Norwegian security company Norman found was the least computer virus-ridden country in the entire world, over 24 percent of PCs were infected. Security is not getting any better either; in 2006, security expert Bruce Schneier was quoted as saying “I don’t think, on the whole, we are winning the security war; I think we are losing it.”

When the most private information on a computer consists of funny cat pictures, the issue is of little concern. When the computers in question are storing codes that can be irrevocably redeemed for the equivalent of hundreds of thousands of dollars, however, security becomes a much greater concern. So far, the Bitcoin community’s recommendations for dealing with wallets of such value have been sensible: put a small amount of money on a traditional client to be able to spend it at will, and store the bulk of the funds in an offline wallet, either printed out on paper or on a separate machine, so that the private keys never touch the internet. However, there is a major problem with this setup for the average user: it is not easy to set up or maintain. Most people do not have the technical knowledge or the inclination to figure out how to carry out an offline transaction, so anyone attempting to push Bitcoin as a way of storing a significant quantity of savings is often fighting an uphill battle.

This is where the as yet unnamed USB Bitcoin wallet comes into play. The wallet is a hardware device roughly the size of an iPod Shuffle (3×3 cm) which includes a chip that can generate new addresses from a seed and can use any of them to sign a transaction. To send a transaction, the user must connect the device to a computer (in future versions, possibly also a smartphone) via USB, enter the address and amount on the computer, and ask the Bitcoin client on the computer to send the unsigned transaction to the device. To protect against viruses, the user must then confirm the transaction by pressing a button on the device, and the signed transaction is then sent back to the client to be published. The private keys never leave the wallet in the process.

The protocol also has several other features which make it convenient to use. First of all, the process of generating addresses on the chip is based on the hierarchical deterministic wallet proposal drafted by Pieter Wuille in February 2012. All private keys are generated from a single root private key which can be written down during the initialization phase, so even if the device is lost, the funds can still be recovered. Elliptic curve mathematics also gives the algorithm another interesting property: there is a root public key corresponding to the root private key, which the device freely divulges upon request, and from that public key one can generate all the addresses that the device can, without being able to spend from them. A Bitcoin client can therefore easily generate all of the addresses that the device can spend from, and can present to the user a view of how many bitcoins he has in which addresses just as easily as if the client actually owned the addresses in question.
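The property described above (a watch-only client deriving the same addresses from the root public key that the device derives from the root private key) is easiest to see in code. The following is an added example written for this article, not code from Slush's project: it implements the non-hardened child-key step of the hierarchical deterministic scheme on secp256k1 using only the Python standard library. The seed is a constructed demo value, the "address" is simplified to a SHA-256 of the compressed public key rather than the real Base58Check encoding of HASH160, and hardened derivation is omitted.

```python
import hashlib
import hmac

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def compress(point):
    """33-byte SEC1 compressed encoding of a public key point."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def master_from_seed(seed):
    """Root private key and chain code from a seed, as in the HD wallet proposal."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def derive_child_private(k_par, c_par, index):
    """Device side: child private key = parent private key + HMAC-derived scalar."""
    data = compress(scalar_mult(k_par, G)) + index.to_bytes(4, "big")
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    child = (il + k_par) % N
    if il >= N or child == 0:  # invalid child, skip this index in a real wallet
        raise ValueError("invalid child key at index %d" % index)
    return child, digest[32:]


def derive_child_public(K_par, c_par, index):
    """Watch-only side: child public key = parent public key + scalar * G.
    Needs only the root public key and chain code, never a private key."""
    data = compress(K_par) + index.to_bytes(4, "big")
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    child = point_add(scalar_mult(il, G), K_par)
    if il >= N or child is None:
        raise ValueError("invalid child key at index %d" % index)
    return child, digest[32:]


def address_of(pub_point):
    """Simplified address: SHA-256 of the compressed key (real Bitcoin uses HASH160 + Base58Check)."""
    return hashlib.sha256(compress(pub_point)).hexdigest()


def device_addresses(seed, count):
    """Addresses the device can spend from, derived with the private key."""
    k, c = master_from_seed(seed)
    return [address_of(scalar_mult(derive_child_private(k, c, i)[0], G)) for i in range(count)]


def watch_only_addresses(root_pub, chain_code, count):
    """Addresses a client derives from the divulged root public key alone."""
    return [address_of(derive_child_public(root_pub, chain_code, i)[0]) for i in range(count)]


def master_private_hex(seed):
    return "%064x" % master_from_seed(seed)[0]


def master_public_hex(seed):
    return compress(scalar_mult(master_from_seed(seed)[0], G)).hex()


if __name__ == "__main__":
    seed = b"constructed demo seed, not a real wallet"
    k_root, c_root = master_from_seed(seed)
    print(device_addresses(seed, 3) == watch_only_addresses(scalar_mult(k_root, G), c_root, 3))
```

The watch-only client computes `scalar * G + K_par`, which equals `(scalar + k_par) * G`, the public key of the child private key the device computes. The scalar comes from an HMAC over public data, so the client learns addresses and balances but never a private key.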

The protocol also includes an optional mechanism to make transactions require a PIN, and the device itself is designed to be tamper-proof so that even if it is stolen, it will be extremely difficult for the thief to recover any private keys or coax the device into signing transactions. Aside from manually brute-force searching through all possible PINs, the only way to crack the device, Slush writes, is to “brush the chip with the precision of nanometers and read the bits using an electron microscope.” In short, an attack takes long enough for the user to realize that the device is gone and use the root private key to move the funds to a temporary location.

Finally, the device also supports another kind of security through multisignature transactions. Multisignature transactions allow you to create an address such that bitcoins sent to that address require multiple private keys to sign, which can be kept at separate locations or even by separate individuals. Complex schemes like signatures from 2 out of a given 3 private keys being required are also possible. Thus, if you are not willing to entrust the security of your funds to one device entirely, there is always the option of using it as only part of your wallet security arsenal.

The main drawback of the device is portability. Although it is only 3×3 cm in size, it also requires a cable to actually connect to a computer or phone, making it impractical to carry around in one’s wallet. The possibility of including USB and micro USB connectors was discussed, but rejected because having either moving parts or a connector sticking out would make the device much more subject to wear and tear. To Slush, however, the device’s sub-optimal portability is not much of a concern; he writes, “the major purpose is not to make payments mobile. The major purpose is to make them safe.”

Also, the device cannot, by itself, be used on an arbitrary computer without setup. Although there is no need to have a specific operating system or install any drivers because the device will use the same interface to communicate with the computer as standard USB keyboards and mice, the protocol does require a Bitcoin client to be already present in order to function. Specifically, at least in the near future, this means Multibit or Electrum; these are the only two clients whose developers have agreed to cooperate in implementing their part of the protocol. The Satoshi client and Armory may join in the future, but unfortunately, online clients like Blockchain will not, as HTML5 offers no way to directly interact with devices on a low level. Fortunately, Multibit and Electrum do not require installation, so they can be stored on a USB key kept along with the device, and then loaded directly from USB when needed. In the future, there is the possibility that the device will itself contain a client in some way, but that is not in Slush’s immediate plans.

For now, the focus is on simplicity, not features. Slush has already contacted a security company which will do a full review of the code, with thorough tests covering every line – something which, outside of large research institutions and corporations, is only possible with a very small codebase. Every added feature introduces complexity, and therefore a possible attack vector into the device, something which Slush is intent on minimizing. So far, the device is still in its early infancy; nothing close to a full product is available, and there is still the potential for significant changes to the design before the product is released. Currently, the device is set to be released simultaneously as two products: a custom hardware solution for common users, and a shield for the Raspberry Pi for the more technically inclined. The technically inclined also receive another bonus: the code for the device will be completely open source. If the project succeeds, it represents a significant step forward for Bitcoin security. Decoupling Bitcoin security from computer security is a necessary step if Bitcoin intends to be truly secure for the average user, and, along with multisignature transactions, physical wallet devices like this project will be a vital step in getting us there.