At Bitkey, we’re committed to empowering individuals to safely and independently manage their bitcoin. As the team continues to ship improvements to the core product experience, we’re exploring ways to evolve and expand self-custody technology and its various applications. Last week, members of the engineering team published a white paper that details an innovative design for a smartphone-based bitcoin wallet that aims to make self-custody both safe and user-friendly.
This isn’t a product announcement but rather an invitation to engage with the Bitkey community as part of our commitment to open development. We believe in sharing our ideas before building them and releasing the code once completed. Your feedback is crucial as we refine this concept.
Design challenge: How could we turn smartphones into secure wallets?
Smartphones are ubiquitous and integral to daily life, making them a compelling platform for bitcoin wallets. The “holy grail” is to transform these devices into secure wallets that approach the security properties of specialized hardware setups. But let’s be honest—this is no small feat. Phones are general-purpose computing devices, always connected to the internet, and constantly carried around—conditions that expose them to risks like malware, remote exploits, and physical theft.
So, how could we leverage the convenience of smartphones while still providing strong protections against common attacks?
A collaborative custody model for security and simplicity
In line with the philosophy behind our hardware wallet, we believe that seed phrases are sharp edges that can lead to user errors and loss of funds. Iterating from Bitkey’s 2-of-3 setup used by our hardware wallet—where the hardware, phone, and server each hold a key—we’ve designed a method for a software wallet to operate on a 2-of-2 model. This means both the phone and the server must collaborate to authorize a transaction.
But here’s the twist: to maintain true self-custody, the user is provided with an encrypted copy of the server’s key share. With control over both keys, you can move funds unilaterally if needed. It might sound counterintuitive to create a 2-of-2 wallet and then give both keys to the user. However, the server key is provided in a very particular way—designed to be used only when a user wants to exercise self-sovereignty and “escape” the wallet. We refer to this as the “Self-Sovereign Backup,” which we’ll delve into shortly, but first, we need to touch on FROST.
What is FROST, and how can it be leveraged?
To enhance flexibility in our collaborative custody model, we utilize FROST (Flexible Round-Optimized Schnorr Threshold Signatures). FROST enables off-chain key management, enabling adding or removing key shares without the need for an on-chain transaction or a wallet “sweep.” Avoiding wallet sweeps is crucial for cost efficiency and avoiding linking previously unconnected UTXOs.
By managing keys off-chain with FROST, we can seamlessly handle practical scenarios like repairing a lost key, periodically rotating keys for enhanced security, or adding new hardware to an existing software wallet under this design—all without moving funds or compromising privacy. The FROST protocol is detailed in the whitepaper.
Designed for security
We know that securing mobile devices is crucial, given their susceptibility to attacks. To mitigate these risks, we’ve incorporated several security features into our wallet design:
Self-sovereign backup
The Self-Sovereign Backup is the most critical element to protect, as it provides full unilateral control over a wallet. This backup is encrypted to a user’s phone’s secure enclave, meaning access is limited to the physical phone it was created on and the Bitkey-signed application. The app secures this key behind a time delay (e.g., 3 days) and a biometric scan after the delay. This multi-layered approach ensures that even if someone gains physical access to a phone, accessing funds won’t be easy.
Delay and notify
Delay and Notify is a core security system we currently use to protect sensitive actions in the Bitkey hardware wallet. When a protected action is initiated—like changing a sensitive setting or starting a recovery process—the server imposes a mandatory delay, usually several days, before executing the action. During this period, a user receives notifications via multiple channels (email, SMS, push notifications). This gives them time to notice any unauthorized activities and veto them before they take effect. Even if an attacker gains control of a phone, they’d need to maintain control over all communication channels for the entire delay period—a challenging feat. It’s likely that the targeted individual will regain access to at least one channel, allowing them to cancel any unauthorized actions.
Vaults
Vaults offer an additional safeguard by allowing you to designate a portion of one’s funds to be stored with extra protection. Funds in the vault can’t be moved without going through the Delay and Notify process. This means that even if someone accesses an unlocked phone, they can’t instantly drain significant funds held in a Vault. Only a limited amount outside the vault is immediately accessible, mitigating the risk of substantial loss.
Designed for Recovery
We understand that losing access to your funds is a nightmare scenario. That’s why we’ve built multiple layers of recovery options. We’ll reference some cryptographic techniques below, if you want to learn more, please check out the whitepaper.
Loss of the application
If a user loses access to the Bitkey app on their phone, they can restore their wallet using a backup stored in their cloud account. This backup is protected by a combination of a user-defined PIN and an Oblivious Pseudo-Random Function (OPRF). OPRF combines a server-side process with a PIN to create a robust encryption key that resists brute-force attacks. This allows the user to easily restore their wallet on a new phone while making it challenging for attackers who might have gained cloud access.
Loss of the cloud backup
If a user’s cloud backup is lost or deleted, the app will detect that fact and re-encrypt the wallet data using the same PIN encryption process before securely re-uploading it to the cloud. This automatic detection and re-encryption helps ensure that users remain protected, even if a cloud backup is inadvertently removed.
Loss of both app and cloud backup
In the worst-case scenario where both the app and the cloud backup are lost, we leverage a feature also used in the Bitkey hardware product called “Social Recovery.” This approach would allow you to enlist trusted individuals from a user’s personal network to assist in recovery. Through a protocol based on Portable Blind Cloud Storage and OPRF, each trusted contact securely stores the user’s app key. Even then, trusted contacts don’t gain any access to a user’s funds or sensitive information.
Designed for privacy
One common concern with collaborative custody solutions is the potential loss of privacy since the server might need visibility into one’s wallet to function properly. However, we’ve implemented advanced cryptographic techniques to mitigate these concerns.
Descriptor privacy
A wallet descriptor reveals its entire transaction history. To protect a user’s privacy, the server must not learn this information while still being able to sign transactions. We achieve this by: (1) assigning the mobile application the sole responsibility for generating and interacting with the chain code; and (2) using predicate blind signing to allow the server to sign transactions without learning which child key it’s signing for or recognizing the final signature.
Signing privacy
Predicate blind signing combines blind Schnorr signatures with zero-knowledge proofs that make assertions about transaction attributes. This allows the server to enforce signing policies without learning any identifying information about the transaction itself.
Vault privacy
For transactions involving funds stored in the vault, the server only signs for the funds outside the vault, adding an extra layer of protection. To preserve privacy while proving funds exist, we use a zero-knowledge proof system similar to the proof-of-solvency approach utilized by exchanges. This method allows the app to prove to the server that sufficient funds exist for a transaction without revealing any specific details about wallet balances or transaction history.
We Need Your Feedback
At Bitkey, we believe the best products are built in collaboration with the communities they serve. That’s why we’re sharing this design publicly. This project is part of our broader mission to make bitcoin self-custody as accessible and secure as possible for everyone. It’s not about replacing our hardware wallets—which will always offer a premium level of security—but about ideating ways to expand access to self-custody.
We want to hear your thoughts, questions, and feedback as we refine the concept. Message us at bitkey@block.xyz.