What does bitcoin custody look like today?
Secure bitcoin private key management is now critical for many private businesses, publicly traded companies and individuals across the world who hold bitcoin. As of today, and considering a 75% market downturn since its all-time high, roughly $405 billion worth of bitcoin is held in various ways. How does MicroStrategy hold its 130,000 BTC, worth approximately $2.2 billion? How secure is Grayscale’s bitcoin custodian, holding 633,567 BTC worth about $10.6 billion? What about the 65 publicly traded and private companies, ETFs and countries collectively holding 7.8% of all circulating bitcoins? How is custody risk managed?
Technologies such as bitcoin’s native multisignature (multisig) or other cryptographic schemes such as Shamir’s secret sharing (SSS) and multi-party computation (MPC) are generally employed. Most custody services are offered by trusted third parties as very few large organizations self-custody their bitcoins at the moment.
Regulated custodians, professional services firms, fiduciaries, traditional banks, groups of attorneys and private businesses are specializing in what is now a maturing industry: bitcoin custody. Of course, many of these custodial service providers have generalized their offerings to cater to the broader digital asset, cryptocurrency and, colloquially, shitcoin industries. While some of the discussion will touch on shitcoin custodial service providers, the interest here is exclusively in the technologies employed by, and the security models related to, bitcoin key management.
With employee turnover, risk of collusion, errors and omissions as well as outright fraud, small, medium and large businesses are exposed to new risks when holding bitcoin. Bitcoin is a bearer asset, so theft and losses are catastrophic and irreversible. While custom insurance policies with bespoke coverage for private key management have been underwritten, capacity remains limited and material claim events nonexistent. Due to exclusions, most policies would cover pennies on the dollar in the event of a claim against a popular custodian.
Before talking about insurance, how should one assess different custody models? What are the different security models available? What technologies are currently used? What are each of their benefits and limitations? What are the inherent risks in each approach?
In this brief article, we will attempt to explore the options available today for bitcoin custody.
Security requirements for bitcoin custody are quite extensive in scope. The private key management life cycle involves different phases in which keys are generated, backed up, stored and used for signing transactions. Security threats include network-based intrusions, social engineering, hardware deficiencies, supply chain attacks, more sophisticated side-channel attacks and the infamous $5 wrench attack.
External threats are numerous, but internal vulnerabilities and personnel collusion are also remarkably common in recent mainstream cases of theft and loss of bitcoin. Business continuity and disaster recovery procedures ought to be primary concerns for businesses holding bitcoin, so that security breaches are mitigated and resolved consistently. Any custodian or custody technology provider should rigorously define the scope, severity and likelihood of vulnerabilities related to key management, with particular attention to the systems they run.
What are the main requirements related to managing private keys for a business? There are 5 essential considerations that should be taken into account. While the list is non-exhaustive, it is a good starting point for most large organizations looking to custody bitcoin safely.
- How are keys managed? Where are the single points of failure? Is the cryptography used battle-tested and deployed in other large-scale, mission-critical production systems, or is it a custom implementation? How is trust managed? Does security rely on corporate policies or on technology? Are hardware security modules used? How are whitelisting, rate limiters and authorized signers enforced? Are there any certifications and audits? How are proofs of reserves and proofs of solvency conducted? Is the technology stack closed source or fully open source?
- How important is fast and frequent processing of withdrawals? Are there manual procedures involved, or is it fully automated? Do keys need to be online, or is signing fully offline?
- How are the key management infrastructure and the policy logic deployed? Do they rely on cloud providers, or are they on premises? Are KYC or video verifications for signing part of the standard security checks?
- Can a customer recover their funds independently? Is there vendor lock-in? Can bitcoin holdings be viewed in another system?
- How is training for personnel managed? Are regular sanity and key health checks performed? Are the custodied bitcoin holdings accessible on dedicated hardware devices or via a web application? Are customers involved in the initialization of a custody account?
With most of the core concerns for bitcoin custody in mind, large scale custodians and custody infrastructure providers use various technologies deployed in their production systems to safeguard bitcoin holdings today. To clarify, a custodian has control and possession of funds, acting on behalf of a customer, usually in a highly regulated entity, while a custody infrastructure provider is solely responsible for licensing key management technology for other custodians.
Multi Party Computation - MPC
Hailed as an industry-shattering way to improve private key management, MPC is used by many large custodians such as Coinbase Custody, Fireblocks and PayPal’s Curv acquisition. Grayscale relies on Coinbase Custody, which means a significant amount of its customers’ assets is protected by MPC today, though exact figures remain unknown. MPC claims to remove the single points of failure of traditional key management schemes: a private key is broken up into shares, encrypted, and divided among multiple parties. Each party holding a share can independently compute its contribution to the signature of a transaction without revealing its share to the other parties.
- Trusting a single hardware device or leaving keys online is no longer required to custody funds while leaving them more accessible than regular cold storage, which usually has delays for processing withdrawals.
- Governance models for authorized signers are much more flexible, which allows businesses with employee turnover to adapt dynamically.
- The most sought-after advantage is that it is agnostic to the underlying signing algorithm applied by the key, which makes MPC compatible with a plethora of shitcoin networks.
- While invented in the 1980s, MPC has had recent technological breakthroughs, which could make its cryptography hard to use safely and correctly over time.
- MPC is not natively based on the bitcoin network, adding an extra layer of abstraction for private key management, which adds uncertainty and risk.
- Vendor lock-in is a significant drawback as the implementations will vary based on each company using MPC, which hurts interoperability and recoverability for users.
- Most off-the-shelf HSMs are not compatible with MPC cryptographic operations.
Shamir’s Secret Sharing - SSS
Splitting a bitcoin private key into multiple pieces and later recombining them is an appealing way to remove single points of failure and add security for backups. Shamir’s Secret Sharing (SSS) has been implemented multiple times by wallet developers, and some custodians use it as an occasional backup scheme. The additional complexity and the lack of industry-wide standards, despite some attempts, may often end up reducing the security of the key management system.
For bitcoin, SSS enables the secure sharing of a private key where k out of n shares can reconstruct the private key. Possessing up to k-1 shares is not enough to find the private key or seed backup. Once some subset of the parts can be recombined to recover the private key, it can then be used to sign a transaction. SSS differs from MPC in that pieces need to be recombined to recover the private key to sign while MPC does not recover the private key but only a valid signature.
- Splitting a private key into different pieces ensures that no single piece reveals any sensitive information that could lead to theft.
- SSS is older and more reviewed than MPC technology, so it may be considered as more reliable.
- Lack of industry standardization and peer reviewed open source specifications.
- Added complexity in the cryptography may end up reducing the security of a system.
- Private key splitting and recombination for recovery create single points of failure.
- Lack of attribution for private key recovery means that it is hard to know which pieces were used to recover a private key, which makes reproducibility for audits difficult.
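The k-of-n behaviour described above, and the recombination step that the last bullets call a single point of failure, can be seen in a minimal Shamir implementation. This is an added example, not code from the article or from any wallet or custodian; it works over the prime field given by the secp256k1 group order so that any bitcoin private key fits in it unchanged, and the sample key it splits is a constructed placeholder.

```python
"""Shamir's Secret Sharing over the secp256k1 group order (added example)."""
import secrets

# Field modulus: the order of secp256k1's generator point. A bitcoin private
# key is an integer in [1, P-1], so it is already a valid field element.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients lowest degree first) at x, mod P."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


def split_secret(secret, k, n):
    """Split `secret` into n shares such that any k of them reconstruct it.

    The constant term of a random degree-(k-1) polynomial is the secret; the
    shares are the points (x, f(x)) for x = 1..n. Fewer than k points leave
    the constant term uniformly distributed, so k-1 shares reveal nothing.
    """
    if not 1 <= secret < P:
        raise ValueError("secret must be a scalar in [1, P-1]")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the shares at x = 0 to recover the secret.

    Note the operational weakness the article points out: the full private key
    exists in memory on whatever machine runs this function. With fewer than k
    shares the output is a uniformly random field element, and nothing here can
    tell the caller that it is wrong (checking the derived public key against a
    known one is one way to detect that).
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


if __name__ == "__main__":
    # Constructed placeholder key, not a real one.
    key = 0x1111111111111111111111111111111111111111111111111111111111111111
    shares = split_secret(key, 3, 5)
    print("3 of 5 recover the key:", recover_secret(shares[:3]) == key)
    print("2 of 5 do not:        ", recover_secret(shares[:2]) == key)
```

Each share is a pair `(x, y)`; losing track of which `x` a share carries, or which shares were used in a recovery, is exactly the attribution problem the last bullet describes, since the shares themselves carry no identity.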
Multisignature - Multisig
Instead of splitting keys, multisignature technology uses multiple distinct keys to secure bitcoin holdings. Most custodial services, such as BitGo, Gemini and River, use this technology, which is native to the bitcoin network and its protocol. Some companies, such as BitGo, have taken a stance against MPC as the default way to secure private keys, in favour of using multisig.
Multisig allows, among other things, each business operator to hold one unique key in an M-of-N scheme, where only M of the N keys are required to sign off on a bitcoin transaction. Being native to the bitcoin protocol, multisig is extremely resilient, robust and time-tested.
- Battle-tested and peer-reviewed cryptography that leverages native technology from the bitcoin protocol, which is used in many other production deployments in other industries
- Open-source standard for multiple market participants building secure key management
- Flexible key assignment to different authorized signers with compatibility to most HSMs to optimize for accessibility and security of funds
- Privacy limitations due to the public footprint of signing key identities on the bitcoin block chain when a multisig transaction is signed and broadcast, though Taproot and Schnorr signature aggregation significantly limit that risk
- Not compatible with other shitcoins
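The M-of-N scheme described above is a script the bitcoin protocol evaluates, and the "open-source standard" and recoverability bullets come down to the fact that anyone holding the public keys can rebuild that script and the address it controls. The following is an added example, not the article's code or any custodian's implementation: it serializes an M-of-N `OP_CHECKMULTISIG` witness script with BIP67 key ordering and derives the P2WSH witness program. The public keys in it are constructed placeholders (valid SEC prefixes, not real curve points), and the standardness limits mentioned in comments are those of Bitcoin Core.

```python
"""Serialize a bitcoin M-of-N multisig witness script and its P2WSH commitment.

Added example, not taken from the article or from any custodian's code base.
"""
import hashlib

OP_CHECKMULTISIG = 0xAE
MAX_PUBKEYS_PER_MULTISIG = 20  # consensus limit for OP_CHECKMULTISIG


def _script_num(n):
    """Encode a small positive integer as a minimal script push.

    1..16 have dedicated opcodes OP_1..OP_16 (0x51..0x60); 17..20 need a
    one-byte data push.
    """
    if 1 <= n <= 16:
        return bytes([0x50 + n])
    if 17 <= n <= MAX_PUBKEYS_PER_MULTISIG:
        return bytes([0x01, n])
    raise ValueError("count out of range for a multisig script")


def _push(data):
    """Minimal direct push for 1..75 bytes of data (a compressed pubkey is 33)."""
    if not 1 <= len(data) <= 75:
        raise ValueError("push size out of range for this helper")
    return bytes([len(data)]) + data


def multisig_script(m, pubkeys, sort_keys=True):
    """Return OP_M <pk_1> ... <pk_N> OP_N OP_CHECKMULTISIG as bytes.

    pubkeys: 33-byte compressed SEC public keys (0x02/0x03 prefix).
    sort_keys: apply BIP67 lexicographic ordering so that the same set of
    signers always yields the same script, and therefore the same address,
    regardless of the order in which the keys were collected. That property
    is what lets a customer rebuild the wallet from the keys alone, without
    the vendor's database.
    """
    n = len(pubkeys)
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if n > MAX_PUBKEYS_PER_MULTISIG:
        raise ValueError("too many public keys for OP_CHECKMULTISIG")
    for pk in pubkeys:
        if len(pk) != 33 or pk[0] not in (0x02, 0x03):
            raise ValueError("expected 33-byte compressed public keys")
    if len(set(pubkeys)) != n:
        # A repeated key lets one signer satisfy two slots, silently
        # lowering the effective threshold below M.
        raise ValueError("duplicate public key")
    keys = sorted(pubkeys) if sort_keys else list(pubkeys)
    body = b"".join(_push(pk) for pk in keys)
    return _script_num(m) + body + _script_num(n) + bytes([OP_CHECKMULTISIG])


def p2wsh_program(script):
    """The 32-byte witness program a P2WSH output commits to: sha256(script)."""
    return hashlib.sha256(script).digest()


if __name__ == "__main__":
    # Constructed placeholder keys: valid SEC prefixes, not real curve points.
    keys = [bytes.fromhex("02" + "11" * 32),
            bytes.fromhex("03" + "22" * 32),
            bytes.fromhex("02" + "33" * 32)]
    script = multisig_script(2, keys)
    print("2-of-3 witness script:", script.hex())
    print("P2WSH program:        ", p2wsh_program(script).hex())
```

A 2-of-3 script built this way is 105 bytes: one opcode for M, three 34-byte key pushes, one opcode for N and `OP_CHECKMULTISIG`. Inside a P2SH output the 520-byte redeem script limit caps N at 15; P2WSH lifts that to the 20-key consensus limit enforced here. Because the keys are in the script, they become visible on chain once the output is spent, which is the privacy limitation listed above.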
Beyond the technologies available for bitcoin custody, there are many other considerations to weigh when choosing a custody provider.
- Air-gapped systems where all the private keys are managed offline for the entire lifecycle, which are also referred to as cold storage.
- Hardware security modules (HSM) store private keys behind a narrow API that cannot export the private key and can only sign transactions and enforce spending policies.
- Multi-factor authentication (MFA) where multiple devices, passwords, time-based one-time passwords (TOTP) and other authentication methods are required to access privileged resources.
- Rebalancing between cold storage and hot wallets, whose private keys are connected to a network, is often required for businesses that use custodians for their main operations. Fully automating hot wallet processes, where transaction throughput and key accessibility matter, has to be balanced against cold storage vaults holding large amounts of bitcoin, where manual procedures are often required to sign off on withdrawals. A warm wallet is often introduced as a buffer between the two to optimize for both accessibility of funds and security.
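The spending policies an HSM or signing service enforces, together with the whitelisting, rate limiting and authorized-signer questions raised earlier, can be made concrete as a small policy check that runs before any signature is released. This is an added example, not the article's code or any vendor's product: the policy object, the request format, the 24-hour rolling limit and the placeholder destination addresses are all assumptions constructed for illustration.

```python
"""Spending-policy gate a signing service would apply before releasing a signature.

Added example, not a vendor's implementation. Amounts are in satoshis and
timestamps are UNIX seconds; destination strings are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

DAY = 24 * 60 * 60


@dataclass
class WithdrawalRequest:
    request_id: str
    destination: str    # address the funds are to be sent to
    amount_sat: int
    submitted_at: int   # UNIX timestamp


@dataclass
class SpendingPolicy:
    whitelist: Set[str]            # destinations that may receive funds at all
    daily_limit_sat: int           # cap on approved outflow in any 24h window
    authorized_signers: Set[str]   # identities whose approvals count
    required_approvals: int        # M in an M-of-N approval rule
    # Rolling log of approved withdrawals as (timestamp, amount); in a real
    # deployment this state lives inside the HSM or a tamper-evident store.
    _ledger: List[Tuple[int, int]] = field(default_factory=list)

    def spent_in_window(self, now: int) -> int:
        """Sum of approved withdrawals in the 24 hours ending at `now`."""
        return sum(a for t, a in self._ledger if now - DAY < t <= now)

    def authorize(self, req: WithdrawalRequest, approvals: Dict[str, str],
                  now: int) -> Tuple[bool, str]:
        """Decide whether `req` may be signed.

        `approvals` maps a signer identity to the request_id that signer
        approved, so an approval collected for one request cannot be replayed
        against another. Checks are ordered cheapest-to-reject first; only an
        approved request is recorded against the rate limit.
        """
        if req.destination not in self.whitelist:
            return False, "destination not whitelisted"
        if req.amount_sat <= 0:
            return False, "amount must be positive"
        if self.spent_in_window(now) + req.amount_sat > self.daily_limit_sat:
            return False, "24h withdrawal limit exceeded"
        valid = {s for s, rid in approvals.items()
                 if s in self.authorized_signers and rid == req.request_id}
        if len(valid) < self.required_approvals:
            return False, (f"need {self.required_approvals} approvals from "
                           f"authorized signers, got {len(valid)}")
        self._ledger.append((now, req.amount_sat))
        return True, "approved"


if __name__ == "__main__":
    policy = SpendingPolicy(whitelist={"tb1q-treasury-placeholder"},
                            daily_limit_sat=1_000_000,
                            authorized_signers={"alice", "bob", "carol"},
                            required_approvals=2)
    req = WithdrawalRequest("req-1", "tb1q-treasury-placeholder", 600_000, 1_700_000_000)
    print(policy.authorize(req, {"alice": "req-1", "bob": "req-1"}, 1_700_000_000))
```

Binding each approval to a request id is the detail worth copying: without it, a signer's earlier "yes" can be reused by whoever assembles the signing request. The ledger is appended only on approval, so a rejected request does not consume the daily allowance.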
Holding bitcoin securely is no small task, and while a few sophisticated options are available, simple, conservative implementations are always more prudent. Using bitcoin’s native multisignature seems to be the most robust, stable, flexible and accessible way to secure large bitcoin holdings. And yet, most large custodians today use other, less-proven technologies such as MPC to avoid the technical overhead of interfacing with multiple shitcoin networks.
Another noteworthy point is that most, if not all, organizations rely on trusted third parties to custody their bitcoins, as institutional self-custody has historically been uncommon. While that may be a legal requirement for some in terms of separation of duties, alternatives for organizational self-custody are being built to minimize the counterparty risk that comes with bitcoin custody. Companies such as Unchained offer collaborative bitcoin custody, where different institutions hold keys to secure their customers’ holdings. Companies such as Revault also contribute other security models built on native bitcoin technology, with funds delegation, emergency transactions and other security flows that provide flexible custody policies without relying on a trusted third party.