Today we’d like to propose a brand new form of self custody, the Time Locked Multisig wallet. While the explanation for this new type of wallet setup is a bit different, it solves one of the only remaining critical flaws we have in today’s self custody setups.
We will first compare the existing self custody wallet setups together with their benefits and flaws, slowly moving up the chain towards our new Time Locked Multisig (TLM) proposal as this will help explain why it’s necessary.
Contents
Self Custody Overview
Software Wallet (Single Sig)
Whether you’re using a mobile phone or a desktop computer, this type of self custody wallet is made up of a software program (also called a hot wallet) that stores your single private key. We are assuming you write down your seed phrase on a piece of paper and store it safely at home.
While these wallet setups are incredibly convenient, the phone / computer is connected to the internet meaning the biggest risk comes from hackers. It’s very common to hear of people being hacked and having all their funds stolen. A recent example of this is Rick who lost 25 bitcoin.
We only recommend storing “pocket change” amounts in this type of wallet. As you’re severely at risk of hackers gaining access to your private key and draining your wallet, you should only store very small amounts of money in it, similar to how you might view your in real life wallet.
Pros & Cons:
- You can spend funds at any time
- Simple setup and user experience
- Only 1 seed phrase to backup and nothing else
- Completely free as all components are software based
- Extremely risky to use due to large hacking exposure and single points of failure
Funds At Risk From:
- Hackers that breach your phone or computer
- Thieves that physically steal your phone / computer
- Thieves that physically steal your seed phrase backup
- Private key being generated with poor entropy and isn’t entirely random
- Software wallet program having a built in backdoor, is malicious or has a major bug
- Both phone / computer dying and your backup cannot be accessed or doesn’t work
- Both phone / computer being destroyed at the same time as your backup (fire / flood)
- Thieves break in / kidnap you, use physical duress and force you to give them your funds
Note: While a Passphrase (BIP-0039) does help mitigate some of the risks surrounding thieves stealing your seed phrase, it also introduces other single points of failure. For example, many people have forgotten their passphrase, lost it or have had it destroyed.
Hardware Wallet (Single Sig)
A huge upgrade! You buy one of our top rated and reviewed hardware Crypto Wallets and use it to generate, store and manage your private key. This specialized hardware device is purpose built to protect your private key and is never connected to the Internet ensuring it’s far more resistant to hacking.
This hardware device interacts with your Software Wallet program and we assume you write down your seed phrase on a piece of paper (or maybe engrave it in steel) and store it at an off site location such as a friend or families house, your work office or a holiday home.
While you’re now very safe from hackers, there are still other potential risks as it’s still a single point of failure. Even with a copy of the seed phrase stored off site, if someone gets a hold of that seed phrase or it’s generated in a predictable way, you’re done for.
We recommend that anyone storing funds that they don’t wish to lose purchase and setup a hardware wallet. We also recommend that you keep a copy of your seed phrase in a secure, off site location.
Pros & Cons:
- You can spend funds at any time, so long as you have your hardware wallet device
- Mostly simple setup and user experience
- 1 seed phrase and a hardware wallet PIN code to backup
- Moderate cost ($60-$300 USD) as it requires a hardware device
- Mitigates most hacking risks, but still has a number of single points of failure risks
Funds At Risk From:
- Thieves that physically steal your seed phrase backup
- Private key being generated with poor entropy and isn’t entirely random
- Both hardware wallet dying and your backup cannot be accessed or doesn’t work
- Both hardware wallet being destroyed at the same time as your backup (fire / flood)
- Thieves break in / kidnap you, use physical duress and force you to give them your funds
Hardware Wallets (Multisig)
The current gold standard. You have a 2-of-3 Multisig Wallet setup with all the private keys stored on hardware wallets from different vendors. You’re immune to hackers and all sorts of single points of failure such as vendor specific bugs or supply chain attacks.
While this type of setup protects users from virtually all types of attacks, it’s more costly and more complicated to properly understand, setup and manage. We assume you have a 2-of-3 multisig setup using 3 different hardware wallets from 3 different vendors (eg Jade, Passport and BitBox02) and store each of the seed phrase backups (as well as a copy of the wallet descriptor file) at three separate, secure locations.
We recommend that anyone storing significant investment funds use a multisig wallet setup. While it’s more complicated and costly to do, there’s been a number of cases of people loosing millions of dollars worth of funds due to forgetting their passwords or losing their single signature hardware wallet. Multisig eliminates this single point of failure risk.
Pros & Cons:
- Complex setup and user experience
- You can spend funds at any time, so long as you have 2 hardware wallet devices
- 3 seed phrases, 3 hardware wallet PIN codes and 3 wallet descriptor files to backup
- High cost ($180-$900 USD) as it requires 3 separate hardware devices
- Mitigates most hacking risks, single points of failure risks and vendor risks
- Can enable inheritance planning scenarios if you want
- Requires the user to learn how to operate multiple hardware wallet device workflows
- Increased complexity in creation, storage and management means users can make mistakes
- Multisig transactions are larger (in kilobytes) and thus, cost more in Transaction Fees
Funds At Risk From:
- Thieves break in / kidnap you, use physical duress and force you to give them your funds
The Road To Perfection
After 15 years of bitcoin, these are the main ways most people as well as serious companies with hundreds of billions of dollars of bitcoin, self custody their funds.
As you can see with that last dot point, even multisig wallets still don’t fully protect your funds under extrema risk scenarios. This is a critical flaw that no one seems to be addressing in a sufficient manor.
Self Custody: A double Edged Sword
We want users to have full custody and control over their funds with no trusted third parties and Bitcoin can give you that capability like no other asset can. But with great power comes great responsibility and even with a multisig wallet setup, criminals may still knock at your door and do you harm to get at those funds.
Fully seeding that control to a third party that specializes in secure custody and protection of valuable assets like a bank solves the problem, but now we’re just back at square one trusting third parties.
Worse still, if everyone eventually allows banks to custody their massive bitcoin funds in the future it opens the door to seizure from governments or confiscation of funds due to whatever “reason” the bank comes up with.
New to Athena Alpha? Start today!
Space Locked Multisig
It’s recommend with a 2-of-3 multisig wallet that you store each of the keys at separate locations. This locks you out of being able to spend any funds until you physically go and retrieve a second key from some distance. This distance can be small or large and can be thought of as a “spacial lock” on your funds.
If it’s a small distance, say 10-100 miles away, then it’s moderately effective as a deterrent when dealing with the physical threat of duress. However assuming we’re talking about significant funds here, criminals can just drive you at gun point to where ever the second key is located and still steal all your funds.
If it’s a large distance, say 1,000-10,000 miles away in a different country, then this does make it all but impossible for the criminals to tag along as they’d have to pass through country borders which usually have numerous armed guards. However now you cannot access your funds without complying with local government rules. Access to your funds is now at the mercy of the state, which isn’t the best result.
In order for a space locked multisig setup to fully resist this type of physical threat of duress, it must force the attackers to pass through a location with specialized security and protective services. Armed guards. 24/7 surveillance. Steel reinforced locked vaults. In essence, a bank.
Not only that, but they must not be able to get 2 of the keys without passing through at least one of these types of locations. For example, if you keep 1 key at home, 1 in a bank vault and 1 at a families home they can just use your home and family keys.
For full protection, you must keep 1 key at home and the other 2 in a bank or banks. This however then lands us straight back at square one again as a private bank company now has your private keys. If so forced by the state, it can seize all your funds.
Time Locked Multisig
As it seems clear that limiting your control over the funds in the space domain doesn’t work, we would like to propose a new type of multisig wallet setup, one that limits control using not just space, but also time. We call this a Time Locked Multisig (TLM).
A TLM functions just like a regular multisig wallet, but adds further restrictions on when funds can be spent. Let’s have a look at how a 2-of-3 TLM might work:
- Funds are time locked for whatever period the user desires, for example 1 year
- Even if you have 2 keys, funds are not spendable until the time lock expires
- If all 3 keys are used, the user can override the time lock and spend the funds immediately
So why the extra complexity? Well imagine you put a time lock on your 1 BTC UTXO that says it can only be spent after 1 year. You store 2 of the keys in regular environments such as at your home and a friends place.
The 3rd is stored in a location that is specialized in protecting valuable assets. This could be a bank, a bank safety deposit box or any other third party company that has a bank grade level secure location with 24/7 armed guards and check points.
Note: While many people detest banks now, taking deposit of and protecting valuable assets like gold is one of the main reasons they were created and has been a valuable service for many thousands of years. There is also no need to trust the bank as they only have 1 key, which is not enough to spend any funds.
This setup fully protects you from a physical duress attack. Even if a gang of criminals breaks into your home and holds a gun to your families head demanding “all your Bitcoin” they only have two options to get it:
- Retrieve 2 keys from separate locations and wait 1 year for the time lock to expire
- Retrieve 2 keys from separate locations and then also break into a bank grade secure location to obtain the 3rd key so they can override the time lock
This we think is enough security to stop even the most motivate criminals. These time locked coins are also fully provable via on chain, Immutable data too. So even with a gun to your head, you have iron clad proof to show them that even with 2 private keys in your hands, you can’t send the criminal any funds.
Furthermore, if the criminals break in and steal 2 keys, you simply go to your bank and get the 3rd key. With all 3 keys you can now override the time lock and instantly move the funds to a new address. Meanwhile the criminals 2 keys cannot send any funds until the 1 year time lock is up making them worthless. You would also do this if you wanted to spend your 1 BTC instantly.
As the bank company only ever has 1 of the 3 keys it’s also useless on its own, no amount of government control or seizure can take your funds. If that same bank bans you or withholds access to your 3rd key for any reason, you simply wait until the time locks pass and you have your funds again without having to trust any third parties.
While in our example we’ve locked up 1 BTC for 1 year, you could splice and dice the amounts and time locks however you wish! For example, that same 1 BTC could be time locked in four separate UTXOs:
- 0.5 BTC spendable after 1 year
- 0.25 BTC spendable after 6 months
- 0.15 BTC spendable after 1 month
- 0.1 BTC spendable after after 1 week
After each tranche of coins passes its time lock and becomes spendable, you can then spend them with just 2 of the 3 keys and “refresh” the time lock. Another way is to have a rolling stock, so that 1 BTC is spliced up into 10 x 0.1 BTC UTXOs and time locked in rolling 1 month intervals.
If you have a 3-of-5 TLM, then you would still store 1 key in a bank grade protective environment and you would need 3 keys to spend funds (after the time lock has expired) and all 5 keys to spend funds instantly. If you lose a key at any point, you’re funds are still safe as you can spend them after the time lock expires.
Future Self Custody
12 years ago mobile wallets didn’t exist. 10 years ago seed phrases, hardware wallets and multisig wallets all didn’t exist. Who knows what amazing tech we’ll have in another decade.
TLMs take the excellent spacial locking that geographically distributed private keys provide and combines it with temporal locking to prevent all known threats whilst still ensuring full self custody is maintained and no trusted third parties are required.
This type of multisig setup doesn’t exist at the moment, but as best we can tell, it doesn’t require any soft or hard forks of Bitcoin to enact. New wallets like Liana (which is in Beta at the moment) already use time locks for different reasons and Blockstream Green already has some server side time locks via their 2FA implementations that are similar in nature to this.
Obviously TLMs would only be for those with serious funds, just like regular multisig is now, but as bitcoins price inevitably increases and it gains major widespread use we expect instances like below to only increase in frequency.
This Monday, a middle-aged Swedish couple was tied up in their home and robbed by 4 masked men. They were physically abused and threatened with their own kitchen knives. They were tied up for hours and one had to be escorted to the hospital via helicopter.
One of many in Sweden
You’re Not Setup For Serious Physical Attacks
A final point is that while we suggest this setup for those with “serious funds”, depending on who you are, that might not be nearly as much money as you think it might be. While most might instantly assume it’s only for high net worth individuals or businesses with millions or even billions of dollars worth of Bitcoin, you have to think about it from the thieves point of view.
Even a moderate amount of bitcoin (eg. 0.25 BTC worth ~$9,000 USD) is a lot of money to a lot of people and will motivate many criminals to do some horrendous things. As long as the above tactic works and rewards the criminals with thousands of dollars, the behavior will continue and likely flourish.
Maybe you’ve got guns a plenty and scream “come get some!” while you lather yourself in mud to avoid their thermal cameras, but even that might not be enough for a group of armed criminals given you’ve effectively got a bounty on your head equal to how much bitcoin you custody.
Multisig obviously helps, but again, criminals motivated by a huge bounty (even a few thousand dollars) could hold your family hostage while they force you to take them to retrieve the other keys. You likely are not specialized in armed conflict with a bank grade home and even if you’re a full on Command Sergeant Major in the army, there’s only so much 1 person can do against literally unlimited others.
TLMs we think, if implemented with a simple and clear user experience, could potentially become the standard way people self custody their bitcoins in the future, just like how hardware wallets are now. If everyone implements it as part of a normal Bitcoin savings and investment strategy, then it will significantly help mitigate this final major risk of physical duress.
If it’s eventually cheap, easy and everyone does it then fewer and fewer attacks will be successful which will discourage future instances. This will in turn ensure more people, both rich and poor fully self custody their funds without seeding the job to trusted third parties.
