Ai-Fi Counterseal WalletCounterseal Wallet & Threshold Signature TechnologyWallet SecuritiesCountersealHardware WalletWiredAir-GappedAi-Fi CountersealCounterseal ConstructionDownloading Counterseal Software Pairing of 2 Counterseal Signers/SealsBIP32 Compatibility and Backup of SeedsAi-Fi Counterseal OperationsArchitectureCounterseal Vault as the Last Line of DefenseCounterseal Supporting Electrum WalletElectrum/Counterseal ConfigurationElectrum/Counterseal Transaction ValidationCounterseal on TailsCounterseal Supporting BlueWalletCounterseal under Ai-Fi Domain SecuritySecondary Signer on Ai-Fi HomeServerThe Primary and Secondary Signer/SealConnecting to a Full NodeThreat Model for the Rich and ParanoidThe Low Hanging FruitsTamper-Evident Hardware & SoftwareAnatomy of a Electrum Wallet AttackAppendixCounterseal: Historical NotesCreation of Counterseals
Cryptocurrencies are digital assets that use encryption techniques to publicly regulate the generation of units of currency and verify the transfer of funds in a decentralized and trustless manner. The crypto investors have total control over their own transactions, the flip side of which is the lack of support from any regulatory authorities for risk mitigation. Needless to say this market exposes individual investors to much graver financial perils without providing any safety net for them to rely on. As a consequence, bitcoin hacking has grown into a daunting criminal enterprise because if the private keys of your Bitcoin coins are compromised, the attackers can steal all your coins without leaving much trace. As the famous expression goes, Not your Keys, Not your Coins.
The following crypto-related entities are considered vulnerable to criminal attacks:
The first 2 entities are fairly straightforward to understand the criticality of their protection as their compromise would spell the total loss of your valuable assets. Most hardware wallets aim to solve the protection of the first, while the second is getting less attention, quite odd considering its devastating consequence if it happened. The entity 3 is less obvious but has increasingly become a concern. For some people entity 3 is the all consuming issue at the top of their priority list.
Due to their critical importance, there has been a wealth of hardware products addressing various aspects of the crypto coins and their associated wallets.
Our Counterseal technology focuses primarily on the attacks on the first 2 critical secrets. We provide much more flexible protection to your crypto assets than hardware wallets and solve the second hot potato issue as well. For the protection of the third intangibles, we will touch upon it only briefly. For a complete privacy and security infrastructure, you will find interesting those technologies and tools offered at our ai-fi.net web site.
A seal is traditionally used to close records by any type of fastening that must be broken before access can be obtained, producing an impression upon wax, wafer, or some other substance capable of being impressed. It is not a secret preserving (encryption) method but a tamper resistant mechanism employed during the delivery of sensitive information, against which there are many known attacks. The invention of the "counterseal" scheme in the 18th century provides a robust improvement over the single wax seal method by adopting redundant pairs working together to ward off the "hot knife" attack. You may be interested in taking a read of a brief historical background of the counterseal in the Appendix.
The nomenclature "counterseal" used here simply indicates the arrangement that two independent "signers" are required to create a single Bitcoin transaction signature. It is not based on the popular multi-signature scheme producing multiple signatures, but an application of the latest Threshold Signature technology to the Ai-Fi Counterseal Wallet. It is the modern software realization of the old counterseal method with the added advantage of placing those two logical seals separately and independently in order to avoid single points of failure. In the context of cryptography, the individual "seal" is implemented by a pair of crypto key "shares" each consisting of a private and a public component. The components of all linked seals jointly produce the public key for a single wallet account, whereas the private key shares remain physically distributed over multiple devices without ever needing to be joined for producing the private key. Those private keys or key components are therefore never exposed simultaneously and used only for producing "signature shares", which are pieced together at the end of signing rounds to create the transaction signatures for the wallet. Otherwise put, the private keys in a Counterseal Wallet are nowhere to be retrieved or stolen and signatures are rendered without the need to explicitly reproduce the private keys. The initial key share generation is described in the appendix.
On the other hand the Hardware Wallet may be considered as the ancient single seal solution prior to the invention of the "counterseal" with all the perils in trusting a single piece of hardware. Among all the risks in relying on a single implement for secret hiding, the possible loss event of the hardware is the most severe. Additionally, although the recovery seed of the complete hardware wallet may be exported for recovery purposes, it is still also embedded in the wallet which may be exploited when the attacker manages to get their hands on the hardware wallet. As an answer to those issues, the counterseal scheme splits the key vault into multiple implements to avoid the potentially catastrophic event when the only hardware is compromised.
In the following we will describe how the Counterseal Wallet is configured at "unboxing" and how the signatures are obtained by applying both seals.
At the end we offer a threat model for comparing the hardware wallet with our counterseal scheme.
Most popular low-cost hardware wallets are simple hardware devices typically with a USB wire or some types of wireless connectivities connecting to the host where the front-end wallet runs on.
An air-gapped hardware wallet/vault is more sophisticated and does away with any wire or network connectivity to the blockchain-facing front-end wallet. It stores the seeds and all the private keys (hence all the coins) in the air-gapped device that signs the transactions manually, usually assisted by the displayed QR code. It is naturally "cold" in the sense that it doesn't function without the PIN code, manual access and button activation. Nevertheless it may be operated remotely if the QR code images or imported/exported files are transmitted remotely.
The Ai-Fi Counterseal is also a key vault like those air-gapped hardware wallets, except that it splits the hardware key store into 2 independent parts. It is composed of two independent components, usually in software, running on separate devices, which, when working together, supports a variety of front-end watch-only crypto wallets and offers up an unparalleled set of protection and usability through built-in redundancy.
For interfacing with Bitcoin wallets, it follows the Bitcoin HWI (Hardware Wallet Interface) with the Primary Signer responsible for interfacing externally with those Bitcoin wallets, which is based on an air-gapped design relying primarily through manual QR code scanning in both directions across the air gap.
The Counterseal vault is to store the key information of your crypto coins and to conduct transaction signings under the Counterseal scheme or joint signing involving multiple redundant signers (2 of 2 for now). The key information in the vault does not include any of your private keys as such, only distributed bits and pieces ("shares") sufficient to conduct the signing when combined.
The operations of Ai-Fi Counterseal Wallet are diagrammed above, with the Primary Seal working with the wallet and the Secondary Seal the cooperating partner on a separate device. The word "seal" adopted here indicates the protection afforded by the secret shares kept by two separate signing parties, which is not to be confused with the crypto key pairs. Both seals must be presented and online in order to successfully assemble the signatures for blockchain transactions. We sometimes use "seal" and "signer" interchangeably.
In the current implementation we designate our mobile phones as the "leading" partner, or primary, in the Threshold Signature logic. The Secondary Seal is to run on a separate device, "signature only", without the means to affect the terms of any transactions such as the transfer values or the "inputs/outputs". Even if the secondary seal was compromised, the worst damage inflicted would be the denial of service without the possibility of producing incorrect transactions or losing crypto coins.
We support the open source Electrum Wallet and BlueWallet in the first release with many more to come.
Go to https://www.counterseal.net and press the "Get Started" button on the top right.
The Primary and Secondary Seals work together to generate the full set of Counterseal functions.
Since the Secondary Seal must be securely bound to the Primary, there is a Pairing process at the outset, during which the Secondary Seal displays a QR code for the Primary to scan, if it is not yet bound to it to establish the trust relationship manually through the TOFU (Trust On First Use) authentication. Once paired and bound, the Primary and the Secondary will be mutually recognized with each other through two ID key pairs, which are used later for establishing a TLS-strength secure connectivity needed for Threshold Signing. The Primary may be required to re-connect and re-authenticate itself if either of the network addresses changes, by repeating the process of the Primary scanning the QR code displayed on the Secondary.
If the Secondary Seal is installed on a Windows 10 platform (as a service), its management panel may be found in the Windows system tray. Uninitialized Secondary Seal will display the following pairing QR code to kick off the initialization:
Note that in the management panel of the Secondary Seal the "Display Transaction Details" option is turned on by default. More on this option will be described later.
Once the pairing completes, the vault of the supported crypto coins is represented as below:
The "Master Public Key" is displayed on the face of the "wallet card". Before the transaction signature can be carried, the primary and secondary must be "in sync" in order to be ready, under which condition the public keys on both signers are identical. The upper right icon is for displaying in QR code the public seed address for the key store of the supported coin type to be used in the binding process, which binds a crypto wallet (Electrum, BlueWallet) to the vault. The "QR scan" icon on the lower left is for importing the transactions from a supported wallet in an air-gapped fashion.
More details on the actual internal steps, or the Key Generation of the Threshold Signature Technology, conducted during pairing is provided here.
Ai-Fi Counterseal Wallet is BIP32 conformant and follows the BIP32 convention on the account level and supports multiple "accounts" through Extended Key, each of which is composed of a single external keypair chain. The top 4 levels supported are m/84'/0/0.
Internally the Ai-Fi Counterseal Wallet/Vault does not store any private keys and therefore provides no counterpart of standard BIP 32 Master Seed and Master Node in the counterseal scheme. As a consequence, an Ai-Fi Counterseal Wallet may not be exported to traditional wallets and vice versa.
Although not a standard deterministic wallet, Ai-Fi has a customized backup procedure for storing the Counterseal "seed", based on which the Counterseal Vault may be fully recovered. Both the Primary Seal and the Secondary Seal have their own seed for recovery purposes. Due to the complexity of the Threshold Signature scheme that dictates many rounds of cryptographic steps to guarantee its security, the backup data is much more involved and difficult to be condensed into straightforward mnemonic passphrase. For their safekeeping, it is recommended to store them (or one of them) as Ai-Fi Krypton Tokens in the Ai-Fi Incognito Cloud, which are based on the Ai-Fi pseudonymous cloud storage design, wherein your files are protected by a cryptographic key pair of similar or stronger strength than that of your Bitcoin accounts recorded in the Bitcoin blockchain. Since your dealings with Ai-Fi.net is account-less and keyless, the Ai-Fi Incognito Cloud is completely pseudonymous like your Bitcoin coins. Please refer to its documentation for more in-depth discussion of this scheme.
The backup scheme takes advantage of the inbuilt counterseal redundancy and generates two separate backup "tokens", one of which may be written down on paper (the "paper vault"), which you may rely on the safety of your home or a bank safe deposit box for its protection if so chosen. The other backup seed recovery file may be either maintained privately (in your local storages) or sent to the Ai-Fi Incognito Cloud as an Ai-Fi Krypton Token protected by a strong passphrase. Under this backup arrangement, there are no single points of failure and is completely trustless, eliminating even the possible concern about the involvement of Ai-Fi as a service provider in its management of the Ai-Fi Incognito Cloud.
Architecturally the interfaces between the crypto wallet and the counterseal parties (Primary and Secondary Signers) are air-gapped without relying on any network connectivity. There is no network connection required between the wallet and the signers, which allows both of the signers/seals to function offline in order to ward off possible remote online attacks to the greatest extent. This also affords the flexible binding between the crypto wallets and the signers. Use Electrum as an example: the Electrum generates a transaction, which is represented either as a QR code or in a file format. The Primary Seal/Signer collects the transaction by scanning the QR code or accepting the transaction file from Electrum as an "export". After the signature is successfully rendered by the primary and secondary signers, the resulting signed transaction is imported back to the wallet in the reverse direction either through a QR code or a file via the same channel, which is then broadcasted to the Bitcoin blockchain by Electrum.
Note that the example wallets documented here (Electrum and BlueWallet in the first release) is "watch only", which is not able to conduct transactions without the participation of both signing seals in generating the required signatures.
Since the front-end wallet (Electrum and BlueWallet) is where the user typically gets their visual feedback and is subject to phishing or malware attacks, the actual transactions passed on to the Counterseal Vault may not match what is being displayed on the wallet. Be sure to carefully examine the transfer amount and the transfer input/output addresses and satisfy yourself that there are no discrepancies between what is displayed on the front-end wallet and the Counterseal app on your mobile phone. Any defects would indicate a phishing attack with disastrous consequences.
For the popular Bitcoin wallet Electrum, the standard Counterseal configuration is diagrammed above with both the Electrum and the Secondary Seal hosted on the same Windows PC. The Secondary Seal may be placed on another device of yours to create yet more redundancy.
In the Electrum application, when first creating a wallet, select "Standard wallet" and then "Use a master key" in the Keystore selection screen to indicate that the keys are from an external key vault. On the "Create keystore from a master key" screen, scan the QR code displayed on the Counterseal Primary Signer (by tapping the "wallet card" on the counterseal app on your mobile phone) in order to initialize the Electrum key store from the air-gapped Counterseal vault, as illustrated below:
After the keystore is initialized, the normal flow of Bitcoin transactions may commence. For instance, the example "Send" transaction is formulated and "exported" (red circle below) to the Primary Signer through the QR code as illustrated below with the Electrum screen on the right and Primary Signer left:
The transaction signature request received by the Counterseal app will display its transaction outline (left) for your confirmation. Make sure the highlighted Electrum data (Inputs, Outputs and associated amounts) are identical to those in the confirmation screen of the Counterseal app. Be sure to verify every single digit displayed on both sides of the air-gap. This is one of the most important steps in the counterseal process. If successfully validated (visually), all three components (Electrum, Primary Signer, Secondary Signer) must all be compromised for our Counterseal application to be defeated, an extremely unlikely scenario. This is the strongest defense obtainable among all the wallet applications on the market.
The Primary Signer then requests the Counterseal signature from the Secondary Signer and displays the QR code below when the countersealed signature is successfully constructed:
Depending on the complexity of the transaction, the counterseal signing may require several steps and trigger multiple frames of QR codes. After the successful signing of the transaction, Electrum collects this signed transaction (in QR code format) by going to the "Tools" ==> "Load transaction" ==> "From QR code" to read the transaction back. Once imported, the transaction is ready to be broadcasted to the Bitcoin Blockchain.
Note that in terms of interfacing with the Electrum wallet this Counterseal scheme is quite similar to how the "offline paper wallet" is handled. Although involving more components due to inbuilt redundancy, the Counterseal signature scheme works similarly as those popular hardware wallets for interfacing with the Bitcoin wallets. Look up the documentation for the Electrum wallet for other relevant information.
The software for the Secondary Seal typically runs on standard PCs or desktops. For peace of mind, we also offer a highly secured "live Linux" TAILS-based system on a USB stick for running the secondary seal in order to avoid possible tampering of the secondary device. This multi-factor secure setup is highly resistant to tampering (both hardware and software) due to the built-in redundancy and the live nature of the underlying highly defensive malware-free Linux. The link between the primary and the secondary is securely protected by TLS once the two signers are successfully paired.
The built-in air-gap between the wallet and the primary seal is not being utilized in this configuration. To adopt this configuration the user ought to rule out any concerns of malware or possible compromises on the mobile phone. The "Display Transaction Details" option is turned on by default on the Secondary Seal. You must apply the same validation of transaction details to both the BlueWallet and the Secondary Seal for similar reasons as described previously.
For comparison with the hardware wallets, you may jump to the threat model sections for a discussion.
There are several advantages in adopting the Ai-Fi Counterseal Wallet:
The actual deployment of the counterseal scheme involves some tradeoffs:
The Primary Seal is hosted on your mobile phone. The Apple iPhone is our top choice, with Android from reputable vendors a close second. We believe the carefully implemented Sandboxing, the iOS and iPadOS keychain in the Secure Enclave, the system level key entry, and the approval process of the Apple App Store are sufficiently strong to ward off almost all the malware on iPhone that are relevant to our wallet (even Norton, the security company, states "... thanks to Apple's safety precautions, it is extremely rare..."). Apple's attention to its security hardware is also fairly well recognized once its Secure Enclave Processor is "demystified". Needless to say some elementary precautions on owning the iPhone must be duly observed. A general understanding on the hacking risk on various device types may be found here.
Make sure the platform where the Primary Seal runs on is not "jailbroken" and is not managed through an Enterprise App Program that bypasses the rigorous Apple App Store review.
The Secondary Seal is given the following options, each requiring specific software implementation:
These are examples of implementation platforms for the secondary signer, each having its specific vulnerabilities with malware being the primary concern. Clearly the live Linux on a USB stick (TAILS) and the Raspberry Pi hardware (Ai-Fi HomeServer) are much less likely to contract malware. However, the built-in redundancy has substantially enhanced the secondary signer's tolerance for faults or attacks. Unless both the primary and secondary components are thoroughly compromised, the Zero Knowledge proof built into the Threshold Signature scheme would discover any attack incident and report/log accordingly.
For those secondary signers that have no attached display, a web server is typically built in so the secondary signer may be contacted through a browser interface, which helps in the initial pairing process (primarily the discovery of the secondary signer) and the connectivity reestablishment later on after pairing. All subsequent transactions between the primary and the secondary seals are conducted directly (authenticated and encrypted) and end to end.
We believe that the DIY route is the only way to bring you peace of mind. We recommend to all users of Ai-Fi Counterseal Wallet to create their own wallet in order to eliminate our reliance on any third parties. The production is not complicated once they understand the architecture diagrammed in the previous section. "In Open Source Software We Trust."
Note that both the primary and secondary seals may still be independently compromised regardless of how carefully they are managed. Nevertheless, the chance of success in hacking both seals individually at one time is extremely low, and less likely still where some attacks of physical nature are required if mobile devices are chosen to host both seals. We are in the opinion that this risk is lower than any other wallets on the market, be it software or hardware.
TBD (Ai-Fi Central required)
The biggest physical bank robbery, which took place in Brazil in 2005, was worth “only” $69.8 million. On the other hand, in 2019 alone criminals got away with $4.26 billion worth of digital coins, according to one report. None of the hacks have taken place on the blockchain itself. As far as thieves are concerned, exchanges are where the money is. Most low hanging fruits for hacking settle within popular exchanges and other commercial enterprises offering cryptocurrency services. Protecting one's crypto assets is an exercise of how not to trust or rely unnecessarily on any institutions. Incidentally, trusting no one is what motivated the original invention of Blockchain after all.
Adopting blockchain technology requires taking control of our own finances, which comes with specific responsibility and pitfalls. If we decide not to entangle ourselves with any custodial services, we must face the task of safekeeping our keys stored in our crypto wallets and their recovery seeds. Since seed recovery is less frequently applied, it has not been given sufficient attention by the blockchain industry, whereas the hardware wallets have gained a large following. It doesn't take much to recognize that hardware wallet manufactures are low hanging fruits for hacking. On the personal level, targeting individual hardware wallet devices, the "Evil Maid Attack" and "Supply Chain Attack" are well-known attacks. This is not to mention that the manufacturers need to be trusted not to attempt the "Supply Chain Attack" themselves, countering the "Trustless Principle" of the blockchain movement.
Some hardware wallets on the market touts Tamper Resistance or Tamper Proof guarantee. The detection of tampering would sometimes even trigger the self-destruction of the wallet. Unfortunately unlike open source software, most of those tamper-resistance design is not publicly disclosed. The track record of "tamper Evident technology" is nowhere close to perfection, which is well documented here, here, here and here. The title of the last and latest article on hardware vulnerability is titled "Intel SGX defeated yet again". Some would even go so far as to say that the risk of tampering is self inflicted due to the reliance on a piece of hardware. This dependency on hardware is further aggravated by the fact that the cryptographic seed resides physically on the device itself. It is game over and all your crypto assets are forever lost if this single point of failure is compromised. A YouTuber "LiveOverflow" has dedicated a series of videos titled "Hardware Wallet Research" investigating this particular issue which we found illuminating and quite enjoyable to watch.
The never ending news about Intel SGX hacking just had a new report: "Stick a fork in SGX, it's done: Intel's cloud-server security defeated by $30 chip and electrical shenanigans". One tends to believe that those relatively inexpensive hardware wallets on the market are based on much less rigorous designs than SGX.
Obviously a software implementation does not remove the risk of hardware tampering, especially when the software is designed to run on public platforms (Windows, Mac, Linux, iOS, Android). However, the vulnerability to hardware/software tampering in our Counterseal scheme is greatly reduced by requiring joint actions from multiple devices (at least two "factors", or multiple points of services) based on the tried and true redundancy principle. Most notably, the Threshold Signature scheme adopts the "zero knowledge" proof in verifying critical exchanged messages, which actually proves that a maliciously broken party will not gain any useful information for launching subsequent attacks past compromise or be able to evade detection for any failed attempts. The Threshold Signature scheme is one of those glorious achievements of technology such that adding additional components to a system actually enhances its overall reliability and fault tolerance. This is not even to mention that Ai-Fi Counterseal Wallet does not store its seed within the wallet itself, which is the weakest link in the hardware wallet operations.
Aug 31, 2020: "Bitcoin Holder Loses $16 Million in BTC to Well-Known Scam"
Nov 13, 2020: "Electrum Malware Scam Scalps $32,000 in Bitcoin"
It is hard to believe that the above two Bitcoin holders are victims of the same Malware scam. You can find out the details on their respective hacking reports. We just want to outline the defense mechanisms built into our Counterseal signature scheme. The attack scenario is fairly straightforward:
How is the Counterseal supposed to work in defending this fairly effective attack?
A seal is traditionally used to close records by any type of fastening that must be broken before access can be obtained, producing an impression upon wax, wafer, or some other substance capable of being impressed. The "hot knife" attack is common, by cleanly delaminating the wax seal for mold casting and illegal reproduction. The use of the counterseal, displayed above, involving two separate stamps where a second stamp is imposed upon the reverse of a main or usually larger seal, is an effective means to prevent the obvious "hot knife" attack. Removal or incorrect application of any one of the two seals would invalidate the sealed record altogether. For self-proclaimed history buffs, The picture below illustrates how the pair of seal stamps on each side of the final wax seal are applied:
The Ai-Fi Counterseal Wallet is a special "2 of 2" realization of the threshold signature technology, with the primary seal (signer) and the secondary seal belonging to the same owner or under the same administrative domain. The secondary signer is equipped with a screen to display the QR code for various interactions with the primary, which is a mobile app running on either the iOS or Android phones. Both signing parties are on the same LAN (at least during the initial pairing rounds). The "pairing" of those two signers is established according to the principle of TOFU (Trust On First Use) by the primary scanning the pairing QR code displayed on the secondary signer if not already bound. After the successful completion of the pairing process the identities of both parties are mutually established, based on which a secure TLS channel may be constructed on demand between those two parties.
There are three steps involved in setting up a counterseal wallet (after the parties successfully bound to each other):
Secret Share Generation: Each signer independently generates its own sub-share (not private key) or segment for the aggregate counterseal assembly without revealing them to each other. All necessary data required for transaction signing are negotiated and synchronized during this phase.
The resulting public keys will be known to all parties but the private keys are never fully constructed or even required for signing. Only signature-related information is exchanged among the parties during subsequent rounds.
Secondary Signer Deployment: Once the involved parties are securely bound to each other and all key shares are integrated and synchronized, those two signing parties don't need to be online or connected until the signatures are required. We will discuss more on the placement of secondary signer.
Distributed Threshold Signing: Before the transaction initiation, the primary and the secondary signers need to reestablish their encrypted and authenticated counterseal channel. The crypto wallet (BlueWallet for the first release) would initiate the crypto transactions, which are formulated and passed around for partial signatures that are pieced together at the primary signer at the last stage of the signature round. Under normal network conditions, any incorrect move by either party would generate an alert/incident-report. The primary and secondary signers are only allowed to perform the signature without the ability to alter the transactions.
The crypto wallet (BlueWallet), the front end of the wallet, typically resides with the primary seal and operates effectively in watch-only mode, which relies on the backend Ai-Fi Counterseal Wallet (vault) for signatures exclusively. The interface between the crypto wallet and the primary signer follows the HWI standard.