Custody Protocol

Bitcoin is a “bearer instrument” and, as such, it can only be spent by using secret (private) keys; if they are lost or stolen, there is no way to recover the associated Bitcoins. Safe management of the secret keys is therefore of paramount importance for Bitcoin holders, but such activity requires sophisticated technical skills and domain knowledge.

Secret keys are usually stored in “wallets”; however, “hot” (online, internet connected) wallets can be hacked, “cold” (offline, internet disconnected) wallets can be lost or stolen, and the passwords needed to gain access to wallets can simply be forgotten.

Consequently, individuals may be uncomfortable dealing with their Bitcoin holdings; even more if they consider issues such as inheritance and personal safety. Institutions too, they have the above security issues; moreover, they are often required by law and/or internal regulation to entrust the management of Bitcoin holdings to a specialized service provider. That’s why there are specialized companies offering professional Bitcoin custody services.

Unfortunately, many Bitcoin custodians offer unsatisfactory solutions.

  • Insufficient disclosure about their technology and process, often with the excuse that this is needed for “security” reasons (the so-called security-by-obscurity paradigm, rejected by all reputable cryptography and cyber-security experts).
  • Customers have no way to check that their Bitcoins are, in fact, really held by the custodian and have not “disappeared” for one reason or another.
  • Conflicts of interest arise for custodians that also provide trading services, as trading requires hot wallets and favour availability instead of security.

This is why CheckSig has decided to undertake a totally different approach designing its patent-pending transparent open protocol for Bitcoin custody.

A new standard of transparency and security

CheckSig’s custody protocol is transparent by design

  • it avoids reliance on security-by-obscurity and, instead, defines a public standard that can be audited and reviewed by anybody
  • it provides periodic evidence of its Bitcoin holdings to its clients, so that they can be certain that their assets are where they are supposed to be

Our guiding principles

  • no hot wallets, i.e., assets are never internet-exposed, neither remotely accessible, to make remote attacks unfeasible
  • minimize the risk of loss of funds through theft, error, or other mishaps
  • rely on the Bitcoin protocol for security wherever possible, rather than inventing new functionality or procedures
  • remain as “neutral” as possible regarding future changes to the Bitcoin protocol, working with the existing Bitcoin protocol functionality “as is”.

How it works

There are four main events happening in our custody process: deposit, withdrawal, proof-of-reserve, and disaster recovery. Before describing them in detail, it is important to know that three main parties are involved:

  • Clients: The owners of the Bitcoin, who have decided to place their assets in CheckSig custody.
  • CheckSig: The entity which has the legal custody of the assets on behalf of the Clients. Inside CheckSig there are three kind of agents:
    • authorization agents
    • custodian agents
    • recovery agents
  • Federation: External legal entities, independent from CheckSig; as of March 2021, they are:
    • Tinkl.it: a company specialized in Bitcoin payment systems
    • Studio Avella: a chartered accountant with in-depth understanding of crypto assets

Furthermore, CheckSig custody process uses two wallets:

  • The Frozen Wallet, where Bitcoins are stored, managed by the Federation
  • The Cold Wallet, which is mostly empty, except during withdrawals, directly managed by CheckSig

Both wallets are comprised of professional-grade hardware security module (HSM) devices, provided by leading manufacturers: currently, Ledger (the most reputable specialized vendor) and CryptoAdvance/Specter (the most technically advanced one).

HSM devices are used to provide the digital signatures required for a Bitcoin transaction. A HSM contains a secure element that perform the signatures using the secret keys without exposing them outside its own boundaries, so preventing the stealing of the keys even if the device is used in an unsecure or compromised environment.

Deposit process

In essence, deposit is very straightforward, with the Client just moving Bitcoins to an “address” provided by CheckSig and corresponding to the Frozen Wallet.

In case of a new customer, before sending the Bitcoins it is necessary to sign a custody contract with CheckSig that, in turn, will comply to its “Know Your Client” and “Anti Money Laundering” duties.

When the coins are received in the Frozen Wallet, CheckSig traces their origin in order to verify if they have been involved in any illegal activity. CheckSig does not accept “fiat” currencies (e.g., Euros) or crypto-assets that are not Bitcoins (e.g., Ether). If a Client does not have Bitcoins, she must first purchase them on a crypto-exchange. When Bitcoins are in the Client’s possession, if he is not sufficiently familiar with the technical aspect of transferring them, he will be assisted in the process by CheckSig customer care personnel.

Withdrawal process

The withdrawal of Bitcoins back to the Client(s) usually happens on a monthly basis and it is free of charge; if they are urgently needed, an “instant liquidity” withdrawal is possible but with a charge.

The withdrawal process cannot be performed by CheckSig without involving the Federation, to reduce the risk of internal CheckSig wrongdoings. At the same time, the Federation cannot initiate a withdrawal process, only CheckSig can.

The withdrawal consists of two distinct Bitcoin transactions:

  1. Bitcoins are moved from the Frozen Wallet to the Cold Wallet. At this stage, Bitcoin can only be moved to a previously approved list of addresses belonging to the Cold Wallet: it is technically impossible to move them to any other address (see below) and this prevents any chance of Federation agents stealing Bitcoin from CheckSig and its Clients. This first transaction requires two steps:
    • CheckSig authorization agents must pre-authorize the transaction. This is accomplished when the digital signatures of two out of three (2-of-3) authorization agents are obtained. Each authorization agent provides its digital signature using a HSM device.
    • Then, the transaction must obtain the approval of three out of five (3-of-5) Federation agents. Each Federation agent provides its digital signature using a HSM device, customized (i.e., locked-down) using a CheckSig patent-pending invention to ensure that the signature can be produced only if:
      • The transaction has been pre-authorized by CheckSig authorization agents
      • The Bitcoin destination addresses are included in the previously approved list of addresses belonging to the Cold Wallet (or the Frozen Wallet itself, see “Proof-of-reserve” later on).
  2. Bitcoins are moved from the Cold Wallet to the Client(s). This transaction requires the digital signatures of two out of three (2-of-3) CheckSig custodian agents, each signature involving a distinct HSM device held in a different safety box in a different bank in a different city. Furthermore, this second transaction can only be performed with a “fixed time delay” (currently about seven days) after the first transaction has been confirmed by the Bitcoin network; this is to allow for security checks (see “Disaster Recovery” later on): in the case of any problem, Bitcoins can be sent back to the Frozen Wallet.

Differently from all other custodians that have access to all the assets all the time, CheckSig has direct access to Bitcoins only during the withdrawal process and only for the amounts being withdrawn. This being the only residual attack surface of the custody process, the withdrawal is insured by SATEC Underwriting (Cattolica Assicurazioni).

Proof-of-reserve

The “proof-of-reserve” is provided periodically as evidence to clients and auditors about the amount under custody and, crucially, to prove that CheckSig has not lost control of the Bitcoins being held in the Frozen Wallet.

On a periodic (usually monthly) basis, using the first transaction of the withdrawal process, the Bitcoins that have not been requested back by clients are moved from their current “address” within the Frozen Wallet, to another new “address” still within the Frozen Wallet. This spend-to-self transaction, being confirmed by the Bitcoin network, is public on the Bitcoin blockchain and is documented on the CheckSig website as “proof-of-reserve”.

Disaster recovery

A disaster recovery procedure is activated when:

  1. authorization quorum is lost, i.e., using the current 2-of-3 setup, less than two out of the three HSM devices held by CheckSig authorization agents are functional/available
  2. federation quorum is lost, i.e., using the current 3-of-5 setup, less than three out of the five HSM devices held by Federation agents are functional/available
  3. custodian quorum is lost, i.e., using the current 2-of-3 setup, less than two out of the three HSM devices held by CheckSig custodian agents are functional/available
  4. an improper or malicious withdraw process has been initiated by CheckSig authorization agents and approved by Federation agents; this must be reverted before the expiry of the fixed time delay makes the Bitcoins in the Cold Wallet available to the custodian agents.

A recovery transaction requires the digital signatures of two out of three (2-of-3) CheckSig recovery agents, provided using HSM recovery devices, each held in a different safety box in a different bank in a different city. More specifically, there are two different kind of recovery transactions:

  • For the cases 1, 2, and 3 above: when the Bitcoins in the Frozen Wallet have not been moved on the Bitcoin network for more than about 36 days (i.e., the monthly proof-of-reserve has failed), HSM recovery devices can be used to sweep those Bitcoins anywhere to a CheckSig controlled address (e.g., a new different Frozen/Cold Wallet setup).
  • For the case 4 above: Bitcoin in the Cold Wallet can be swept at any time using HSM recovery devices, moving them anywhere to a CheckSig controlled address (e.g., back to the Frozen Wallet or to a new different Frozen/Cold Wallet setup). There is no fixed time delay, as that applies only to HSM custodian devices.