Safe Self-Custody for All

At Bitkey, we’re committed to empowering individuals to safely and independently manage their bitcoin. Our hardware wallet has been central to this goal, offering a solution that’s both easy to use and hard to lose for those seeking full financial sovereignty.  As we look to the future, we see an opportunity to expand our reach and make self-custody accessible to an even broader audience.

Today, we’re excited to announce the release of our new white paper Unlocking Mass-Market Self-Custody: Secure and Private Smartphone Bitcoin Wallets. This paper details an innovative design for a smartphone-based Bitcoin wallet that aims to make self-custody both safe and user-friendly for the mass market. We recognize that requiring specialized hardware as a prerequisite to secure self-custody can limit adoption. While hardware wallets offer distinct advantages, not everyone is ready or able to purchase dedicated devices.

This isn’t a product announcement but an invitation to engage with our community as part of our commitment to open development. We believe in sharing our ideas before building them and releasing the code once completed. Your feedback is crucial as we refine this concept.

Turning Smartphones Into Secure Wallets

Smartphones are ubiquitous and integral to daily life, making them a compelling platform for Bitcoin wallets. The “holy grail” is to transform these devices into secure wallets that approach the security properties of specialized hardware setups. But let’s be honest—this is no small feat. Phones are general-purpose computing devices, always connected to the internet, and constantly carried around—conditions that expose them to risks like malware, remote exploits, and physical theft.

So, how can we leverage the convenience of smartphones without compromising on security?

A Collaborative Custody Model for Security and Simplicity

In line with the philosophy behind our hardware wallet, we believe that seed phrases are sharp edges that can lead to user errors and loss of funds. Instead of the traditional 2-of-3 setup used by our hardware wallet—where the hardware, phone, and server each hold a key—we’ve designed our software wallet to operate on a 2-of-2 model. This means both the phone and the server must collaborate to authorize a transaction.

But here’s the twist: to maintain true self-custody, the customer is provided with an encrypted copy of the server’s key share. With control over both keys, you can move your funds unilaterally if needed. It might sound counterintuitive to create a 2-of-2 wallet and then give both keys to the customer. However, the server key is provided in a very particular way—designed to be used only when you want to exercise your self-sovereignty and “escape” the wallet. We refer to this as the “Self-Sovereign Backup,” which we’ll delve into shortly, but first, FROST.

FROST

To enhance flexibility in our collaborative custody model, we utilize FROST (Flexible Round-Optimized Schnorr Threshold Signatures). FROST enables off-chain key management, enabling adding or removing key shares without the need for an on-chain transaction or a wallet “sweep.”  Avoiding wallet sweeps is crucial for cost efficiency and avoiding linking previously unconnected UTXOs.

By managing keys off-chain with FROST, we can seamlessly handle practical scenarios like repairing a lost key, periodically rotating keys for enhanced security, or adding new hardware to your existing wallet—all without moving your funds or compromising your privacy.  The FROST protocol is detailed in the whitepaper.

Designed for Security

We know that securing mobile devices is crucial, given their susceptibility to attacks. To address these risks, we’ve incorporated several security features into our wallet design:

Self-Sovereign Backup
The Self-Sovereign Backup is the most critical element to protect, as it provides full unilateral control over your wallet. This backup is encrypted to your phone’s secure enclave, meaning access is limited to the physical phone it was created on and the Bitkey-signed application. The app secures this key behind a time delay (e.g., 3 days) and a biometric scan after the delay. This multi-layered approach ensures that even if someone gains physical access to your phone, accessing your funds won’t be easy.

Delay and Notify
Delay and Notify is a core security system we currently use to protect sensitive actions in our hardware wallet. When a protected action is initiated—like changing a sensitive setting or starting a recovery process—the server imposes a mandatory delay, usually several days, before executing the action. During this period, you’ll receive notifications via multiple channels (email, SMS, push notifications) to alert you. This gives you time to notice any unauthorized activities and veto them before they take effect.  Even if an attacker gains control of your phone, they’d need to maintain control over all your communication channels for the entire delay period—a challenging feat. Over time, you’re likely to regain access to at least one channel, allowing you to cancel any unauthorized actions.

Vaults
Vaults offer an additional safeguard by allowing you to designate a portion of your funds to be stored with extra protection. Funds in the vault can’t be moved without going through the Delay and Notify process. This means that even if someone accesses your unlocked phone, they can’t drain your significant funds instantly. Only a limited amount outside the vault is immediately accessible, mitigating the risk of substantial loss.

Designed for Recovery

We understand that losing access to your funds is a nightmare scenario. That’s why we’ve built multiple layers of recovery options.  We’ll reference some cryptographic techniques below, if you want to learn more, please check out the whitepaper.

Loss of the Application
If you lose access to the Bitkey app on your phone, you can restore your wallet using a backup stored in your cloud account. This backup is protected by a combination of your user-defined PIN and an Oblivious Pseudo-Random Function (OPRF). OPRF combines a server-side process with your PIN to create a robust encryption key that resists brute-force attacks. This allows you to easily restore your wallet on a new phone while making it challenging for attackers who might have gained cloud access.

Loss of the Cloud Backup
If your cloud backup is lost or deleted, the app will detect this and re-encrypt the wallet data using the same PIN encryption process before securely re-uploading it to the cloud. This automatic detection and re-encryption help you remain protected, even if your cloud backup is inadvertently removed.

Loss of Both App and Cloud Backup
In the worst-case scenario where both the app and the cloud backup are lost, we leverage a feature also used in our hardware product called “Social Recovery.” This approach allows you to enlist trusted individuals from your personal network to assist in recovery. Through a protocol based on Portable Blind Cloud Storage and OPRF, each trusted contact securely stores your app key. Even then, your contacts don’t gain any access to your funds or sensitive information.

Designed for Privacy

One common concern with collaborative custody solutions is the potential loss of privacy since the server might need visibility into your wallet to function properly. However, we’ve implemented advanced cryptographic techniques to mitigate these concerns.

Descriptor Privacy
Your wallet descriptor reveals your entire transaction history. To protect your privacy, the server must not learn this information while still being able to sign transactions. We achieve this by: (1) assigning the mobile application the sole responsibility for generating and interacting with the chain code; and (2) using predicate blind signing to allow the server to sign transactions without learning which child key it’s signing for or recognizing the final signature.

Signing Privacy
Predicate blind signing combines blind Schnorr signatures with zero-knowledge proofs that make assertions about transaction attributes. This allows the server to enforce signing policies without learning any identifying information about the transaction itself.

Vault Privacy
For transactions involving funds stored in the vault, the server only signs for the funds outside the vault, adding an extra layer of protection. To preserve privacy while proving funds exist, we use a zero-knowledge proof system similar to the proof-of-solvency approach utilized by exchanges. This method allows the app to prove to the server that sufficient funds exist for a transaction without revealing any specific details about wallet balances or transaction history.

We Need Your Feedback

At Bitkey, we believe the best products are built in collaboration with the communities they serve. That’s why we’re sharing this design with you now. We want to hear your thoughts, questions, and feedback as we refine the concept.

This project is part of our broader mission to make Bitcoin self-custody as accessible and secure as possible for everyone. It’s not about replacing our hardware wallets—which will always offer a premium level of security—but about creating a solution for those who need something simpler, more affordable, and easier to access.

As we continue to develop this concept, we’ll be working closely with the community to ensure that the final product meets your needs. This is your opportunity to help us shape the future of Bitcoin self-custody.

We’re excited about what’s possible and look forward to sharing more as we continue this journey—together.