This article explains the different degrees to which you can create and back up the private and public keys of your crypto wallet. Each stage adds either more simplicity or more security to the previous one. Ultimately, the last stage introduces the NGRAVE Perfect Key.
Stage 0 is the level where the user has to create a separate private and public key for each new crypto account. Stage 1 dives deeper into the concept of an “HD” wallet, with a master seed from which all private and public keys can be derived in a hierarchical, deterministic way (BIP32). This stage introduces a single “master seed” consisting of 0s and 1s (or another hard-to-memorize representation such as base58) that the user has to remember, and which can restore all the wallets and accounts the user has.
Stage 2 simplifies the previous one by removing the need to remember a highly impractical string of 256 values, each of which is either a zero or a one. It instead introduces a unique 24-word phrase (as initially proposed in BIP39) that corresponds to the bit format of the previous stage, and that the user can therefore also use to recover all private and public keys derived from the master seed. This level is the most commonly used one today, and its main goal is to make writing down and remembering the master seed easier and more intuitive for humans.
However, all these stages fail to fully satisfy the following requirements:
Generating a master seed that is statistically unique and truly random, and where there is no risk that anyone but the user has information on the key (without the user having to resort to a permanently offline computer of their own rather than their hardware wallet);
Backing up the seed in a durable way where, if the backup is found, the one who finds it has zero information on the key, and;
Providing a way to recover a lost backup without the risk of a third party gaining knowledge on the potential value of the key.
That’s why NGRAVE introduces a third stage with its own “Perfect Key”, and with it, a solution for each of the three challenges.
Stage 0 — Random Wallets With Each Their Private and Public Key
As thoroughly explained in our previous article on the private key paradox, each cryptocurrency account consists of:
A public key: the address to and from which funds can be sent; and
A private key: the password that grants ownership and control of the funds associated with that public key.
Now imagine you require five different bitcoin accounts for various reasons, but also an Ethereum (ETH), Ripple (XRP), Litecoin (LTC), or any other (you name it) account. The most basic way to do this would be to generate a separate private key for each of these accounts, ultimately resulting in you having to back up each private key separately if you ever want to retrieve the funds of the associated public key. And yes, most commonly, you would even do this “backing up” on a piece of paper. This stage is also called the “non-deterministic random wallets” stage, as you derive each private key separately and so there is no predictable relationship between them.
The downside of stage 0 is clearly the non-existent structure, making it a practical pain in the ass for anyone with a few or more crypto accounts.
Stage 1 — BIP32 and Hierarchical Deterministic (“HD”) Wallets
But what if one single key could (re)construct a whole array of private and public keys? This is possible, and it is referred to as HD or Hierarchical Deterministic wallets, initially introduced in 2012 under Bitcoin Improvement Proposal (BIP) 32. It all starts with a seed generation process in which a so-called master seed or root seed is made. It is crucial that this seed is statistically unique and completely random. In other words: the same process, let alone another one, should never be able to generate the exact same seed. This seed can be between 128 and 512 bits in size, in practice usually 256 bits, with the probability of a collision close to 1/(2^256). Over the last decades, a lot of work has gone into building such “True Random Number Generator” or “TRNG” processes, and today’s hardware wallets typically have a built-in certified TRNG chip for exactly this purpose.
When that master seed — let’s assume a 256-bit string of 0s and 1s — is created, the HD wallet will typically pass it through a one-way hash function that enlarges it to a fixed length of 512 bits (this process is referred to as “serialization” and the function is called HMAC-SHA512). The left 256 bits of this string serve as the “Master Private Key”. The right 256 bits are reserved for the “Master Chain Code”. What follows next is a bit more complex, but it all comes down to the fact that with these two values it is possible to create a whole range of private and public keys in a deterministic manner, i.e. the master seed on its own can recreate the whole universe of private and public keys of all your wallets, regardless of the number of Bitcoin, Ethereum, etc. accounts you created from it. They just have to stem from that single root seed. If you want to understand the nitty-gritty details of how (parent) private and public keys are subsequently generated, and what the difference is between vulnerable “extended” keys and more secure “hardened” keys, you can continue here.
Stage 1: A True Random Number Generation (TRNG) process can create a high-quality 256-bit master seed from which a vast number of private and public keys can be derived.
Stage 1: Full key derivation scheme under BIP32 — Hierarchical Deterministic Wallets. (Source: BIP32 Github)
Stage 2 — BIP39 and Mnemonic Seed Phrases With Words
A considerable challenge of the previous stage is for the user to remember that huge string of 0s and 1s, 256 in total. That’s why in 2013, Slush and Stick of the Trezor team, among others, proposed a Bitcoin Improvement Proposal, namely BIP39, to simplify this. They proposed a list of 2048 (2^11) words from which unique combinations could be formed. Mnemonics from a minimum of 12 words (equal to 128 bits of security) up to the currently most used 24 words (equal to 256 bits of security) can be constructed with these words. The rationale is that a mnemonic is superior for human interaction compared to the raw binary Stage 1 string, as it is easier to write down and remember.
Stage 2: The 256-bit binary master seed, from which a vast number of private and public keys can be derived, can be expressed as a combination of 24 mnemonic words.
Why A Stage 3 Is Required: The Limitations of Today’s Hardware Wallets & Mnemonic Seed Phrases
Today, mnemonic phrases are one of the most common ways to back up and protect a wallet. Hardware wallets — practically unanimously seen as the most secure alternative for protecting one’s cryptocurrencies — typically support this format. But mnemonics, as well as current hardware wallets and backup solutions supporting them, have their limitations.
1. For one, the status quo key generation processes come with the following weaknesses.
Some self-proclaimed “hardware” wallets suffer from weak key generation. Examples are stripped Android phones that rely on outdated encryption modes such as the 1981 Electronic Code Book (ECB) mode, used by this and allegedly this hardware wallet. The advice here is to really avoid wallets with low quality key generation processes.
The ECB encryption mode is used for the key generation of this hardware wallet. The problem is a lack of diffusion: because ECB encrypts identical plaintext blocks into identical ciphertext blocks, it does not hide data patterns well. In some sense, it does not provide serious message confidentiality, and it is not recommended for use in cryptographic protocols at all.
Most if not all incumbents rely entirely on the internal TRNG (“True Random Number Generation”) chip for generating the seed. In hardware security, it has been argued that these chips have backdoors, so it is possible that a third party has knowledge of the potential value of the user’s key. One of our advisors, legendary cryptography veteran Prof. Jean-Jacques Quisquater, explained to us in detail some of the backdoors found in extremely secure hardware and chips, from the 1970s up to 2020. According to the Malwarebytes Labs 2019 State of Malware report, backdoors were the fourth most common threat detection for both consumers and businesses, with respective increases of 34 and 173 percent over the previous year (full report here).
Backdoors remain an everyday phenomenon. Bart Preneel, Head of COSIC, commented on March 12, 2020 on an American bill that officially aims to limit the spread of child pornography by integrating a backdoor: “Backdoors are fundamentally insecure. If the police can enter, so can criminals. Our society has become dependent on digital communication, therefore it is essential to secure that communication with end-to-end encryption.”
In practically all cases, the user gets a seed phrase in a take-it-or-leave-it fashion from the black box that is the hardware wallet. One of the risks here, albeit small, is that the manufacturer keeps a database of all the keys they ever made.
Also worth mentioning is the particular feature of BIP39 where the last part of the phrase serves as a checksum of the entropy contained in the preceding words. So, by default, BIP39 does not allow the user to compose their own sequence of words. In practice this means it is only used with TRNG entropy input.
2. More worrying still are the current practices for backing up the seed.
Most hardware wallet incumbents provide the user with a piece of paper to write down the words, and this has become everyday routine. However, spilling just a few drops of water on such a “paper wallet” is more than enough to prove that this medium is one of the least durable ways of protecting your secrets. Luckily, some metal versions have appeared, and at least these are more durable. But the more profound issue persists: when someone finds the backup, regardless of the material it is made from, they find the key. Even if the paper or metal wallet is split into two or more parts, whoever finds one part has at least some information that reduces the range of possible keys. Aside from some experimentation with Shamir’s Secret Sharing, so far there is no solution that truly overcomes this single-point-of-failure characteristic.
3. When you lose your backup, it is game over.
Finally, there is an even greater challenge to overcome: what if you lose your backup? Do you then lose your keys, and therefore access to your funds, forever? As it is, if you lose your hardware wallet and you lose your backup, there’s not much you can do anymore. Your key is gone and so are your funds. Surely there must be a way to overcome this?
Stage 3 — Beyond Mnemonic Phrases: The NGRAVE Perfect Key
OK, so where does all the above leave us? Apparently, somehow and somewhere we need to find a way to:
Generate your statistically unique, truly random master seed, with no risk that anyone but you has information on your key (without having to resort to a single-purpose, always offline pc);
Back up your seed in a durable way where, if the backup is found, the one who finds it has zero information on the key, and;
If the backup is lost, there is a way to recover it, without running the risk that a third party gains knowledge on your key.
Why the hexadecimal format of the master seed is better.
While NGRAVE is fully backward compatible with the previous stages, so the user can still create mnemonics if desired, NGRAVE also introduces a third stage with its own “Perfect Key”. This key is the 64-character hexadecimal string (each character takes one of 16 possible values in the range 0–9 and A–F) equivalent to the string of 0s and 1s in Stage 1 and the 24-word mnemonic phrase in Stage 2. All three formats are 256 bits long and can therefore easily be converted into each other. Hence, the NGRAVE Perfect Key can be used to create the same HD wallet as its bit or word equivalent.
The NGRAVE Perfect Key is the hexadecimal equivalent of its relevant binary or mnemonic word version of the master seed. Each of these creates the same HD wallet as described by BIP32.
Here’s the catch: whereas the hexadecimal format itself is not necessarily new, it allows for several breakthroughs in the practical use of a seed.
1. A breakthrough in key generation security
As previously mentioned, existing key generation processes are either weak, rely fully on the internal and potentially backdoored TRNG chip, and/or hand the user a rigid key straight out of a black box in a take-it-or-leave-it manner.
Advised by the leading cryptography research group COSIC and legendary cryptographer Jean-Jacques Quisquater, the NGRAVE team has revamped the key generation process by i) executing it in a 100% offline setting on the NGRAVE ZERO hardware wallet; ii) relying only partly on the internal TRNG chip to bypass potential backdoors; iii) adding salts originating from environmental factors such as the user’s biometrics and ambient light (the latter an academically proven high-entropy source); and iv) making the process interactive so that the user can manipulate the key in a way that makes it extremely hard for any third party, including NGRAVE, to know the final key.
NGRAVE’s key generation process is done completely offline and relies both on the entropy generated by the chip as well as environmental randomness such as biometrics and ambient light. Finally, the user can interact with the key generation process, ensuring he/she is the only one to know the key.
The hexadecimal format of the master seed lends itself well to the user interaction flow. The generation of the NGRAVE Perfect Key is as follows:
Step 1: Create a PIN code (can also fulfill the role of a passphrase)
Step 2: Rest your fingerprint on the sensor, capture 3 images. The device will use the internal TRNG, the fingerprint, and ambient light via the camera.
Step 3: Hexadecimal master seeds change randomly and in real time on-screen. This can be paused (“lock”) or continued (“unlock”).
Step 4: The key freezes and you can tap on one or several groups of 8 characters and shuffle these values at will, until you are satisfied. Doing this makes it really hard for any third party to still know the value of your final key.
Step 5: Select the coins you want your HD wallet to create accounts for.
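As an added illustration (not NGRAVE's code, and not how the ZERO implements any of these steps), the following Python sketches the interaction flow above together with the three seed formats of Stages 1 to 3: independent entropy sources are hashed into one 256-bit seed, tapped 8-character groups are replaced with fresh random values (Step 4), and the seed is converted between its binary, hexadecimal and BIP39 word-index forms, including the checksum that keeps the last word from being picked freely. The sample inputs and the length-prefixed hashing construction are assumptions.

```python
import hashlib
import secrets

def mix_entropy(*sources: bytes) -> bytes:
    """Combine independent entropy sources into one 256-bit seed.

    Sources are length-prefixed before hashing so their boundaries are
    unambiguous; the seed stays unpredictable if at least one source is.
    """
    h = hashlib.sha256()
    for s in sources:
        h.update(len(s).to_bytes(4, "big") + s)
    return h.digest()

def seed_to_hex(seed: bytes) -> str:
    """Stage 3 format: 64 hexadecimal characters for a 256-bit seed."""
    return seed.hex().upper()

def hex_to_bits(hex_seed: str) -> str:
    """Stage 1 format: the same seed as a string of 0s and 1s."""
    return bin(int(hex_seed, 16))[2:].zfill(len(hex_seed) * 4)

def reshuffle_groups(hex_seed: str, groups: list[int]) -> str:
    """Step 4 analogue: replace the tapped 8-character groups with fresh random hex."""
    chunks = [hex_seed[i:i + 8] for i in range(0, len(hex_seed), 8)]
    for g in groups:
        chunks[g] = secrets.token_hex(4).upper()
    return "".join(chunks)

def bip39_word_indices(seed: bytes) -> list[int]:
    """Stage 2 format as indices into the 2048-word list (the list is not embedded).

    BIP39 appends the first ENT/32 bits of SHA-256(entropy) as a checksum and
    cuts the result into 11-bit groups: 256 + 8 bits give 24 words.
    """
    cs_len = len(seed) * 8 // 32
    checksum = bin(hashlib.sha256(seed).digest()[0])[2:].zfill(8)[:cs_len]
    bits = hex_to_bits(seed.hex()) + checksum
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]

def indices_to_seed(indices: list[int]) -> bytes:
    """Reverse the mnemonic; the checksum is why the last word cannot be chosen freely."""
    bits = "".join(bin(i)[2:].zfill(11) for i in indices)
    ent = len(bits) * 32 // 33
    seed = int(bits[:ent], 2).to_bytes(ent // 8, "big")
    if bits[ent:] != bin(hashlib.sha256(seed).digest()[0])[2:].zfill(8)[:ent // 32]:
        raise ValueError("BIP39 checksum mismatch")
    return seed

if __name__ == "__main__":
    # Constructed stand-ins for the device's sources (not NGRAVE's real data formats).
    seed = mix_entropy(secrets.token_bytes(32), b"fingerprint-image", b"camera-frame")
    hex_seed = reshuffle_groups(seed_to_hex(seed), groups=[0, 5])
    print(hex_seed, "->", bip39_word_indices(bytes.fromhex(hex_seed)))
```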
The NGRAVE Perfect Key generation process fully satisfies challenge #1: “Generate your statistically unique, truly random master seed, with no risk that anyone but you has information on your key (without having to resort to a single-purpose, always offline pc)”
2. A breakthrough in backup security
After the user has generated the hexadecimal seed, creating a strong backup is crucial. NGRAVE’s Perfect Key format allows the master key to be split into two completely random and absolutely undecipherable backup parts, removing the single-point-of-failure problem of the lower stages. NGRAVE built its very own backup, named the GRAPHENE, to make this a reality. It consists of two everlasting stainless steel plates that are resistant to fire, corrosion, water, shocks, and other adverse events.
The bottom plate is blank, while the top plate contains 64 columns, each holding the 16 hexadecimal characters (0–9, A–F) that a seed character can take. A single column thus corresponds to one character of the secret key, with the values arranged differently on every customer’s plate. When the plates are laid on top of each other, the owner uses an embossing click pen to record the key by punching holes through the upper plate into the lower one.
After the user has generated his/her 64-character hexadecimal seed on the NGRAVE ZERO hardware wallet, he/she is asked to make a backup.
The GRAPHENE top plate, with 64 columns and 16 possible hexadecimal values (0–9, A–F) for each column, resulting in 256-bit security, and the lower plate after the respective holes have been punched through the overlay of the top plate. Each plate on its own is meaningless.
After the embossing process with the automated punch pen, the key becomes visible when both plates are placed exactly on top of each other.
This arrangement acts as an impenetrable cryptographic puzzle. The actual code is revealed only when the top plate, with its uniquely arranged characters, is paired with the indents of the bottom plate. Even if two individuals have the same bottom indents, their different top plates ensure that the values associated with the indent locations differ. By keeping the plates separated, cryptocurrency owners overcome the ‘single point of failure’ problem. An attacker who finds only one of the two plates won’t have much use for it, which is an entirely new level of security compared to other backup solutions on the market.
The NGRAVE Perfect Key and GRAPHENE satisfy challenge #2: “Back up your seed in a durable way where, if the backup is found, the one who finds it has zero information on the key.”
3. A breakthrough in backup recoverability
The last challenge is recovering a lost backup. Today, if a paper wallet or its metal equivalent is lost, there is no way to recover the key, unless the user has made a second, identical backup. The issue with this is that with each backup you make, there is another single point of failure out there that can reveal your key to someone who isn’t you.
It is important that, if the backup is lost, there is a way to recover it without the risk of any third party gaining knowledge on your key.
And that is where the GRAPHENE comes into play. The ability to split the Perfect Key into two independent steel parts makes it a great candidate for solving this challenge. In fact, the top plate, while unique, comes with a unique recovery ID in the package, and can be reconstructed by NGRAVE when presented with that code. NGRAVE combines the recovery ID with a second key known only to NGRAVE to reconstruct the unique top plate configuration, which can then be sent to the user. Note that with the top plate only, NGRAVE has no information whatsoever on the value of the key. Also, the configuration is made with a TRNG process, resulting in more than 2^256 possible unique versions of the top plate (more, as there are 64 columns of 16 randomly arranged characters each).
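To make the two-plate split and the recovery of a lost top plate concrete, here is an added Python model (not NGRAVE's code or the GRAPHENE's actual manufacturing process) in which each column ordering of the top plate is derived from a recovery ID with a secret held only by the manufacturer; that HMAC-based derivation, the secret and the recovery ID are assumptions, and the sample key is constructed. It also shows why a punched bottom plate on its own is consistent with every possible key.

```python
import hashlib
import hmac

HEX = "0123456789ABCDEF"

def derive_top_plate(manufacturer_secret: bytes, recovery_id: str) -> list[str]:
    """Top plate: 64 columns, each a different ordering of the 16 hex values.

    Assumption (the article gives no construction): the ordering is derived
    deterministically from HMAC-SHA256(secret, recovery ID), so the same secret
    and ID rebuild the same plate, while the ID alone is useless without the
    secret. Each column sorts the 16 symbols by 2 bytes of per-column HMAC
    output (ties broken by symbol order, a negligible bias).
    """
    key = hmac.new(manufacturer_secret, recovery_id.encode(), hashlib.sha256).digest()
    plate = []
    for col in range(64):
        stream = hmac.new(key, bytes([col]), hashlib.sha256).digest()
        order = sorted(HEX, key=lambda c: (stream[2 * HEX.index(c):2 * HEX.index(c) + 2], c))
        plate.append("".join(order))
    return plate

def punch_bottom_plate(top: list[str], hex_key: str) -> list[int]:
    """Bottom plate: per column, the row where the key's character sits on the top plate."""
    return [top[col].index(ch) for col, ch in enumerate(hex_key.upper())]

def read_key(top: list[str], indents: list[int]) -> str:
    """Lay the plates on top of each other and read the character at every indent."""
    return "".join(top[col][row] for col, row in enumerate(indents))

def bottom_fits_any_key(indents: list[int], candidate_key: str) -> bool:
    """Why an indented bottom plate alone reveals nothing: for ANY candidate key
    there is a valid top plate that pairs with these same indents to read it."""
    top = []
    for row, ch in zip(indents, candidate_key.upper()):
        others = [c for c in HEX if c != ch]
        top.append("".join(others[:row] + [ch] + others[row:]))
    return read_key(top, indents) == candidate_key.upper()

if __name__ == "__main__":
    secret = b"constructed-manufacturer-secret"      # placeholder, not a real key
    top = derive_top_plate(secret, "RECOVERY-ID-PLACEHOLDER")
    key = "0123456789ABCDEF" * 4                     # constructed 64-character key
    indents = punch_bottom_plate(top, key)
    assert read_key(top, indents) == key
    # Lost top plate: the manufacturer rebuilds it from the recovery ID and its secret.
    assert derive_top_plate(secret, "RECOVERY-ID-PLACEHOLDER") == top
    print("bottom plate alone fits an all-F key too:", bottom_fits_any_key(indents, "F" * 64))
```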
As a default, the bottom plate — a plain stainless steel sheet — is considered the responsibility of the user, and it is recommended that the user keeps at least one copy of the bottom plate. The rationale is that if NGRAVE would be able to recover this plate as well, it could reconstruct the full key, which would defeat the whole purpose of the GRAPHENE. Nevertheless, it is in fact possible to recover the bottom plate in case of loss, as is thoroughly explained in a post by NGRAVE and Chainlink, that takes it even further to situations beyond the grave (!).
The NGRAVE Perfect Key and GRAPHENE satisfy challenge #3: “If the backup is lost, there is a way to recover it, without running the risk that a third party gains knowledge on your key.”
Mnemonic phrases are today’s standard for backing up users’ wallets. This article explained in depth the remaining shortcomings and challenges of both the binary and mnemonic formats. Working with leading experts in applied cryptography and hardware security, the NGRAVE team proposes to use the hexadecimal equivalent of the master seed. This format allows for a more secure key generation process, an improved backup with enhanced security, and a way to recover even a lost backup. When implemented as such, this hexadecimal format becomes the “NGRAVE Perfect Key”, a master seed that cannot be found or divined by any third party, and that is recoverable even in extreme scenarios, including posthumously. A true end-to-end secure key.