ColdCypher: a new secure backup protocol for xpubs
What is ColdCypher?
ColdCypher is an open source protocol for backing up and safely storing your multisig xpubs on the bitcoin blockchain. Transaction fees are paid using Lightning invoices to protect your privacy, leaving no on-chain footprint traceable back to your identity.
Why would I need this?
Let's look at a commonly used multisig wallet: a 2-of-3 quorum. We need two keys to sign a transaction, meaning it's okay if one of the three gets lost. What not everyone knows, however, is that keys actually come in public/private key pairs, and while it's fine to lose a single private key, we absolutely cannot afford to lose its corresponding extended public key, or xpub for short. If we did, we'd be locked out of our bitcoin forever, Laura!
So what? Just don't lose your public keys, then.
Currently there is no user-friendly way to back up public keys that will stand the test of time. While private keys can easily be translated into English words using BIP39 and stamped onto metal, few bitcoiners protect their precious xpubs with the same effort and security. Most store them on an SD card or solid state drive, but with a lifespan of only about 10 years, that's not enough time to protect your bitcoin for your grandchildren.
I can derive the public keys from my private keys, so who cares?
If you don't lose any of your private keys, this isn't a problem. But the whole point of having a 2-of-3 multisig wallet is that you're mentally prepared to incur one key loss. If your backup plan is to simply re-derive all of your public keys, you're ngmi.
Okay, now I'm freaked out. What can I do?
All electronic media - hard drives, solid state drives, SD cards, CDs, even "the cloud" - won't last forever and cannot withstand fire, flood, water, or shock. For significant amounts of bitcoin, your best option is to use a metal engraver to etch your xpubs onto steel or, alternatively, to use ColdCypher with the coldest storage there is: the immutable bitcoin blockchain.
I'm in. How does ColdCypher work?
For a 2-of-3 multisig wallet, ColdCypher creates three on-chain transactions to store each one of your xpubs in an OP_RETURN. Once these transactions are confirmed, they're not going anywhere, and your grandkids will thank you later.
You're spamming the blockchain!
Forget tail emissions or demurrage, ColdCypher is projected to singlehandedly support bitcoin's emerging fee market + security budget. Just kidding, ColdCypher only needs 729 vBytes of block space to protect your bitcoin for decades to come.
I don't want my xpubs visible to prying eyes.
Your data is encrypted before it goes on chain: each xpub is encrypted with a key derived from the other two. If you lose xpub1, you'll need both xpub2 and xpub3 to restore it. This means that a single leaked xpub will not reveal to the world that you're a user of multisig and cannot be used to find the other two.
I don't trust ColdCypher with my xpubs.
ColdCypher is open source, and we don't store your xpubs on our servers. Transaction fees are paid using BOLT11 Lightning invoices, so your privacy is protected from on-chain analysis, too.
I still don't trust ColdCypher.
ColdCypher is not only an app - it's also a protocol. You can follow our steps to do your own secure backup without ever using our website.
I have a bitcoin company or application, and I'd like to integrate this into my product.
Go for it! We'd love to see ColdCypher become an industry standard.
I'm a developer. Can you tell me the technical details?
ColdCypher uses the following steps to back up xpubs in a 2-of-3 multisig quorum:
1. Remove all prefixes (e.g. "xpub"), and decode your extended public keys from base58 into binary.
2. Prepend each binary buffer with its corresponding new, shortened prefix:
   xpub: 0000h
   ypub: 0001h
   Ypub: 0002h
   zpub: 0003h
   Zpub: 0004h
3. You should now have 3 sets of 80 bytes of binary data ready to be encrypted and pushed into 3 separate bitcoin transactions.
4. Using xpub1 and xpub2, create a 2-of-2 P2WSH multisig wallet.
5. Send a transaction to the first receive address (0/0) of the wallet from step 4 with an OP_RETURN that contains xpub3 encrypted with SHA-256(xpub1 + xpub2).*
6. Using xpub2 and xpub3, create a 2-of-2 P2WSH multisig wallet.
7. Send a transaction to the first receive address (0/0) of the wallet from step 6 with an OP_RETURN that contains xpub1 encrypted with SHA-256(xpub2 + xpub3).*
8. Using xpub1 and xpub3, create a 2-of-2 P2WSH multisig wallet.
9. Send a transaction to the first receive address (0/0) of the wallet from step 8 with an OP_RETURN that contains xpub2 encrypted with SHA-256(xpub1 + xpub3).*
* The AES-256 encryption key for each transaction is the SHA-256 hash of the other two xpubs, sorted and concatenated. Using AES in CBC mode, the initialization vector (IV) is set to the first 16 bytes of the transaction's first input: its 4-byte vout prepended to the first 12 bytes of its txid.
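The encryption layer of steps 2 through 9 in Go, added here as an illustration; it is not ColdCypher's own code. It assumes step 1 has already produced a 78-byte decoded key, that the vout is serialized little-endian as in a raw transaction, that the txid is taken in internal byte order, and that "sorted" means a bytewise sort of the two 80-byte buffers; wallet creation and transaction building are left to a wallet library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// shortPrefix maps the text prefix to the protocol's 2-byte tag (step 2).
var shortPrefix = map[string]uint16{"xpub": 0, "ypub": 1, "Ypub": 2, "zpub": 3, "Zpub": 4}
// payload builds the 80-byte buffer of step 3: tag + body (assumes step 1 yields 78 bytes).
func payload(kind string, body []byte) ([]byte, error) {
	tag, ok := shortPrefix[kind]
	if !ok || len(body) != 78 {
		return nil, errors.New("unknown prefix or body is not 78 bytes")
	}
	return append([]byte{byte(tag >> 8), byte(tag)}, body...), nil // big-endian tag, e.g. 0003h
}

// deriveKey is SHA-256 over the two other payloads, sorted bytewise so either order gives one key.
func deriveKey(a, b []byte) []byte {
	if string(a) > string(b) { // Go string comparison is bytewise
		a, b = b, a
	}
	k := sha256.Sum256(append(append([]byte{}, a...), b...))
	return k[:]
}

// makeIV is the first input's outpoint: 4-byte vout (assumed little-endian) + 12 bytes of txid.
func makeIV(txid [32]byte, vout uint32) []byte {
	iv := make([]byte, 4, aes.BlockSize)
	binary.LittleEndian.PutUint32(iv, vout)
	return append(iv, txid[:12]...)
}

// cryptPayload runs AES-256-CBC over an 80-byte payload (five blocks, so no padding); encrypt=false is the restore path.
func cryptPayload(in, otherA, otherB, iv []byte, encrypt bool) ([]byte, error) {
	blk, err := aes.NewCipher(deriveKey(otherA, otherB))
	if err != nil || len(in)%aes.BlockSize != 0 || len(iv) != aes.BlockSize {
		return nil, errors.New("bad key, payload or IV length")
	}
	mode := cipher.NewCBCDecrypter(blk, iv)
	if encrypt {
		mode = cipher.NewCBCEncrypter(blk, iv)
	}
	out := make([]byte, len(in))
	mode.CryptBlocks(out, in)
	return out, nil
}
```

To restore a lost xpub3, fetch the OP_RETURN data and the first input's outpoint from the step 5 transaction and call cryptPayload with encrypt=false and the surviving xpub1 and xpub2 payloads.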
Acknowledgements: I would like to thank Portland HODL and his love of P2MS.