https://crocs.fi.muni.cz @CRoCS_MUNI
PV204 Security technologies
Bitcoin II. – Bitcoin hardware wallets, multisig, (CoinJoin, PayJoin)
Petr Švenda svenda@fi.muni.cz @rngsec
Centre for Research on Cryptography and Security, Masaryk University
PV204 | LAB: Multisig, HW wallet

Three main goals of bitcoin end-user security
1. Safety (against you losing access to your funds)
– Backup of mnemonic phrase (paper, steel plate, Shamir)
– Native bitcoin script multisignature (2-of-3)
2. Security (against an attacker trying to steal your funds)
– Hardware wallet to generate the seed and manage secret keys
– Secure confirmation of transaction details (address, value, fee) on the display
3. Privacy (against a third party observing your actions)
– Use your own full node
– Practice labeling and coin control
– Use CoinJoin mixing (Wasabi Wallet 2, Trezor Suite)

Masterplan for this seminar
1. OP_RETURN use for timestamping (short example)
2. Hardware wallet use (Sparrow + ColdCard)
3. Multisignature wallet use (Sparrow wallet as coordinator)
4. (If interested)
– Recovery of wallet into a different client (Sparrow → Electrum)
– CoinJoin mixing (Whirlpool)

STORING ARBITRARY DATA ON BLOCKCHAIN

Storing arbitrary data on blockchain
• Your data has to be stored by all full nodes forever!
– Writing nonsense messages / spam etc. is like carving into tree bark
– Always ask yourself what the value of such storage is and whether it is fair to others!
• The Bitcoin P2P protocol has additional rules limiting which transactions nodes relay
– Stricter than the Bitcoin consensus rules (what may be in a mined block)
– E.g., a 4 MB NFT picture in segwit-discounted data is a valid transaction and is accepted once mined, yet nodes will not propagate such a transaction into their mempools
– These P2P (policy) rules indicate what the network considers "good" behavior
(Image: Getty | Iryna Yeroshko)

OpenTimestamps protocol (https://opentimestamps.org/)
• Prove that a document existed at date X (at the latest)
• Merkle tree of all submitted document hashes within a given period committed to the Bitcoin blockchain (OP_RETURN, every ~10 hours)
– https://petertodd.org/2016/opentimestamps-announcement
• Currently free to use (only one OP_RETURN embed for all files)
– Client needs to remember its own Merkle tree path + file => *.ots file

$ pip3 install opentimestamps-client
$ ots stamp secret.txt
$ ots info secret.txt.ots
$ ots verify secret.txt.ots
Assuming target filename is 'secret.txt'
Calendar https://alice.btc.calendar.opentimestamps.org: Pending confirmation in Bitcoin blockchain
https://github.com/opentimestamps/opentimestamps-c
$ ots verify secret.txt.ots
Assuming target filename is 'secret.txt'
Calendar https://alice.btc.calendar.opentimestamps.or
Calendar https://finney.calendar.eternitywall.com: Time
https://mempool.space/tx/5cfb6d1eee37cfd3dc51d01f8

SINGLE-SIGNATURE HARDWARE WALLET

Steps today
1. Generate the secret seed in the hardware wallet
2. Back it up (mnemonics on paper)
3. Connect the wallet with a PC software wallet (receive and spend wallet)
4. Erase the wallet, test recovery from the mnemonics
5.
Create a receive-only mobile wallet (stack additional sats)

Before we start…
• You have one hardware wallet per person, erase it afterwards
• Do not walk around with phones, cover the mnemonic words by hand
• Hide your mnemonic words from any exposure
• VERY IMPORTANT!!!
– ColdCard is a real hardware wallet (~$100)
– "Bricked" if the correct PIN is forgotten (no "reset" button)
– For this tutorial, always set the PIN to 12 34 !!!
• (for real use with a ColdCard you bought, always set a PIN only you know)

Steps of hardware wallet usage
1. Prepare ColdCard hardware, generate and back up a new wallet
– No computer required, everything happens on the ColdCard device
2. Prepare Sparrow on PC with private keys stored on ColdCard
– Public information from the ColdCard wallet is exported to Sparrow
3. Receive tBTC to the ColdCard wallet (via Sparrow)
– No ColdCard required, only public keys are required
4. Erase ColdCard, perform recovery
– Real verification that your backup works
5. Send tBTC from the ColdCard wallet (via Sparrow)
– Private keys on ColdCard required, checks and signing happen on the ColdCard

1. PREPARE COLDCARD HARDWARE, GENERATE AND BACKUP NEW WALLET

Login into your ColdCard device
1. Connect via USB cable
2. Enter PIN Prefix: USE `12`!!!, press OK
– Write the shown words on paper (what are they for?)
3. Enter the rest of the PIN: USE `34`!!!, press OK
4. Generate New Wallet, write the 24 words on paper, verify the 24 words
5.
State: the 'Ready to Sign' option shall be displayed (later, after wallet generation)
– Move to Advanced → Danger Zone → Testnet mode
– Change to 'Testnet: BTC'
We will work with testnet BTC => need to tell the wallet to use testnet addresses

2. PREPARE SPARROW ON PC WITH PRIVATE KEYS STORED ON COLDCARD

Create wallet
• Sparrow Wallet https://www.sparrowwallet.com/download/ (verify the download)
– Linux: Tools → Install udev rules
• sparrow -n testnet
• Prepare the ColdCard wallet (see before)
• Connect the ColdCard wallet via USB cable
• File → New wallet
1. Connected Hardware Wallet
2. Scan
3. Import Keystore
4. Apply
5. Set password or leave empty
– (encryption of the local wallet file)
• Local wallet contains only the xpub
– *.mv.db file
– File → Open wallet
– Private key(s) are on the ColdCard

3. RECEIVE TBTC TO COLDCARD WALLET (VIA SPARROW)

Task: send some tBTC from software to hardware wallet
• Exactly the same procedure as for sending between software-only wallets
– The hardware wallet's private key is not required for receiving
• The person with the ColdCard shall receive one transaction from every other person (PC1 and CC)
• Obtain his/her receive address
– Via messenger: CC → Receive tab → Copy address → send via Signal → PC1
– Via QR: CC → Receive tab; PC1 → Send → camera icon → scan address QR
• Enter some sats into the Amount box
– Observe the visualized transaction below (more inputs may be added)
(Figure: PC1 → CC)

4.
SEND TBTC FROM COLDCARD WALLET (VIA SPARROW)

Task: send some tBTC from hardware to software wallet
• The person with the ColdCard sends to at least one other person (CC → PC1)
1. Obtain PC1's receive address
– Via messenger: PC1 → Receive tab → Copy address → send via Signal → CC
– Via QR: PC1 → Receive tab; CC → Send → camera icon → scan address QR
2. Enter some sats into the Amount box
– Observe the visualized transaction below (more inputs may be added)
3. Click 'Create transaction', click 'Finalize transaction for signing'

Send some tBTC from hardware to software wallet
4. Connect ColdCard via USB
– Enter PIN Prefix, press OK
– Enter the rest of the PIN => 'Ready To Sign'
5. Click 'Sign' in Sparrow
6. Click 'Scan' in Sparrow
• Note:
– Look for the ColdCard icon after the ColdCard is connected
– If the icon is not visible, try to reconnect
– If the icon is visible but Scan fails, check
• ColdCard: Settings → Blockchain → Testnet: BTC

Send some tBTC from hardware to software wallet
7. Select ColdCard and click 'Sign'
8. Verify on the ColdCard's screen (compare with your Sparrow)
– Amount, address, fee, change back, change back address
– Press OK if they match
9. Click 'Broadcast Transaction'
– The transaction is now complete and broadcast to the network

1. THRESHOLD SECRET SHARING
2. MULTISIGNATURES
3. MULTI-PARTY CRYPTO COMPUTATION

Single signature
(Figure: single signature; multiple signatures; MPC signature; Shamir TSS with Share 1, Share 2, Share 3. Analogously for decryption: a single person decrypts, multiple people, k-of-n)

2.
Multisignatures
• Lock script constructed to require multiple signatures (OP_CHECKMULTISIG)
– transaction valid only if multiple signers provide signatures in the unlock script
• n-out-of-n or m-out-of-n, https://en.bitcoin.it/wiki/Multisignature
• P2MS, P2MS wrapped in P2SH
– https://learnmeabitcoin.com/technical/p2ms

Task: Create multisignature wallet
• Form groups of three members
– (can also be done with three Sparrow instances on the same machine if you test alone)
– Make sure you can send short messages to each other (Signal/WhatsApp) or have a camera to read QR codes
• Run Sparrow wallet on testnet (sparrow -n testnet)
• Quorum 2-out-of-3 will be used (3 members, 2 enough to authorize)
• Every participant will create one keystore with knowledge of the private key(s) and then import the remaining two xpubs (tpubs on testnet) of the other two signers
• Some tBTC will be sent to the multisig wallet
• Cooperation of two members will be used to create a new transaction

Create multisignature wallet I.
• Every participant creates one signature key
• File → New wallet
• New or Imported Software wallet
1. Change 'Policy Type:' to Multi Signature
2. Set M of N to 2/3 (three signers, at least two required)
3. Set Keystore 1 as 'New or Imported Software wallet'
4. Set up Keystore 1 as before (singlesig wallet, 12 words, Import keystore)
Keystore 1 now created

Create multisignature wallet II.
• Insert the xpubs/pubs of the other two signers (your group members)
5. Transfer the tpub of your Keystore 1 to the other two members (Signal/QR code)
– Paste the received tpubs into Keystore 2 and 3 (select 'xPub / Watch Only Wallet')
6.
Set Derivation the same as for Keystore 1 (m/48'/1'/0'/2')
– For both Keystore 2 and Keystore 3
7. When all three keystores are filled, the Apply button is enabled (click it)
8. Let one member send some tBTC to the multisig wallet
– Receive, send from a singlesig wallet (do not send all funds)
– All members shall see the new tBTC arriving in the multisig wallet
(Figure: Singlesig wallet → Multisig wallet)

STATE: MULTISIG WALLET IS CREATED, SOME FUNDS ARE AVAILABLE, CAN SEND TRANSACTION 2 OF 3

Send transaction from multisig wallet (to singlesig wallet)
• Open any singlesig wallet (e.g., one of your group members')
– Generate a new receive address: Receive → Address
1. PC1: One member goes to his/her multisig wallet and starts a transaction
– Send → Pay To: paste the singlesig address, set label and amount
2. PC1: Create Transaction → Finalize Transaction for Signing → Sign
– A Partially Signed Bitcoin Transaction (PSBT) is now created
3. PC1 → PC2: Transfer to one of the group members (PC2)
– Option a): Show QR → variable QR displayed, scan from another machine
4. PC2: File → Open Transaction → From QR…
– Option b): Save Transaction → file *.psbt, load the file from the second machine
4. PC2: File → Open Transaction → File…
(Figure: Person1 → Person2,3…)

Send transaction from multisig wallet (to singlesig wallet)
• (The PSBT transaction is loaded in the Sparrow wallet of the second signer)
5. Check the transaction parameters (address, amount, fee…)
6. If happy, click the Sign button and
7.
Broadcast

Send transaction from multisig wallet (to singlesig wallet)
• (Signatures from the multisig1 and multisig2 signers are visible)

Analyze transaction via blockchain explorer
• https://blockstream.info/testnet/tx/
• Paste the Txid after the transaction is mined
• P2WSH WITNESS SCRIPT – OP_CHECKMULTISIG

Questions
• Which option is better for backup (not losing the possibility to spend)? 1-of-3 or 3-of-3?
• Which option is better against an attacker (preventing her from spending your coins)? 1-of-3 or 3-of-3?
• What are the advantages and disadvantages of 2-of-3 vs. 3-of-5?
• Can you authorize a transaction if one signer is not available? Two?
• Can multisig participants see all funds locked to the multisig wallet?
• What shall you do if one signer loses control of funds?
• What do you need to do if you would like to add another signer into the quorum?
• Why is a multisig transaction bigger than a singlesig one?
• Can you tell if funds are locked (UTXO) to a multisig wallet?
• Can you tell the parameters of the multisig before the funds are spent? After?
• Is Taproot (P2TR) changing anything?

ASSIGNMENT 4

Assignment 4 – analysis of Bitcoin transactions
• Analyze one block and related transactions from the Bitcoin blockchain
– Every student will have a different block, equal to their UČO (e.g., block '4085' for P.S.)
• Preparation:
– Download the table from IS (hw04_task1_table.odt) and use it for Task 1
• Produce a (2–3×A4) text solution for Tasks 2, 3, 4 and 5
– Provide answers to the questions asked, add annotated transaction graphs…
• Submit before 18.4.2024 23:59 into the IS HW vault
– Soft deadline: -1.5 points for every started 24 hours

Assignment 4 – analysis of Bitcoin transactions
• Task 1: Basic info about "your" block
– Fill in the hw04_task1_table.ods file from IS and submit it (ideally included in the report file)
• Task 2: Transaction with the largest WU size
– Find the biggest transaction by weight units, find its total size in bytes, discuss its purpose (inputs, outputs, any other info you can find)
• Task 3: Multisignature transaction
– Find and discuss the parameters of one multisignature transaction, annotate the lock and unlock script in detail
• Task 4: Chain analysis of the coinbase transaction from "your" block
– Analyze the spending graph of the coinbase transaction. Try to analyze the source of the other bitcoins used as other input(s) together with some of the coinbase tx outputs. Analyze at least 5 transaction hops (forward, and backward for the other inputs)
– Draw a graph, try to attribute entities, explain the likely meaning of the transaction(s)…
• Task 5: OP_RETURN
– Find at least three examples of OP_RETURN in your block. Try to figure out what it is used for (readable string? OpenTimestamps?…)
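The lab asks you to annotate OP_RETURN outputs and multisig lock/unlock scripts (Tasks 3 and 5 above, and the P2WSH OP_CHECKMULTISIG script shown in the explorer). The following Python is an added example written for this page, not code from the course or from any wallet: it builds and parses the three script shapes discussed here (OP_RETURN data output, bare m-of-n P2MS, and P2WSH wrapping a multisig witness script) and estimates witness sizes, which answers "why is a multisig transaction bigger" in numbers. The public keys are constructed dummies of the right length (not real curve points), the 80-byte OP_RETURN limit is Bitcoin Core's default relay policy (the tutorial's Electrum note mentions the older 40-byte figure), and the "digest32" classification is a heuristic: a bare 32-byte payload is consistent with a hash commitment such as OpenTimestamps uses but is not proof of it.

```python
import hashlib

# Script opcodes used below (values from the Bitcoin Script specification)
OP_0 = 0x00
OP_PUSHDATA1 = 0x4c
OP_PUSHDATA2 = 0x4d
OP_1 = 0x51            # OP_1 .. OP_16 are 0x51 .. 0x60
OP_16 = 0x60
OP_RETURN = 0x6a
OP_CHECKMULTISIG = 0xae

SIG_SIZE = 72          # typical DER-encoded ECDSA signature incl. sighash byte (71-73 bytes)

# Constructed dummy public keys: correct 33-byte compressed length, not real curve points
PUBKEYS = [bytes.fromhex(prefix + h * 32) for prefix, h in (("02", "11"), ("03", "22"), ("02", "33"))]


def push(data: bytes) -> bytes:
    """Minimal push encoding for one data element."""
    n = len(data)
    if n <= 75:
        return bytes([n]) + data
    if n <= 0xff:
        return bytes([OP_PUSHDATA1, n]) + data
    if n <= 0xffff:
        return bytes([OP_PUSHDATA2]) + n.to_bytes(2, "little") + data
    raise ValueError("element too large for this example")


def small_int(n: int) -> bytes:
    if not 1 <= n <= 16:
        raise ValueError("OP_1..OP_16 only")
    return bytes([OP_1 + n - 1])


def op_return_script(data: bytes, max_data: int = 80) -> bytes:
    """Provably unspendable output script. max_data is relay policy, not consensus
    (Bitcoin Core's default payload limit is 80 bytes; older policy used 40)."""
    if len(data) > max_data:
        raise ValueError(f"{len(data)} bytes exceeds the relay-policy limit of {max_data}")
    return bytes([OP_RETURN]) + push(data)


def p2ms_script(m: int, pubkeys: list) -> bytes:
    """Bare m-of-n lock script: OP_m <pk1> ... <pkn> OP_n OP_CHECKMULTISIG."""
    n = len(pubkeys)
    if not 1 <= m <= n <= 16:
        raise ValueError("need 1 <= m <= n <= 16")
    return small_int(m) + b"".join(push(pk) for pk in pubkeys) + small_int(n) + bytes([OP_CHECKMULTISIG])


def p2wsh_script_pubkey(witness_script: bytes) -> bytes:
    """Native segwit v0 P2WSH: OP_0 <sha256(witness_script)>; the script itself is only revealed when spent."""
    return bytes([OP_0]) + push(hashlib.sha256(witness_script).digest())


def parse_script(script: bytes) -> list:
    """Tokenize into ('op', opcode) and ('data', bytes) items; rejects truncated pushes."""
    ops, i = [], 0
    while i < len(script):
        b = script[i]
        i += 1
        if 1 <= b <= 75:
            n = b
        elif b == OP_PUSHDATA1 and i < len(script):
            n, i = script[i], i + 1
        elif b == OP_PUSHDATA2 and i + 1 < len(script):
            n, i = int.from_bytes(script[i:i + 2], "little"), i + 2
        else:
            ops.append(("op", b))
            continue
        if i + n > len(script):
            raise ValueError("truncated push")
        ops.append(("data", script[i:i + n]))
        i += n
    return ops


def classify(script: bytes) -> dict:
    """Recognize the lock-script shapes discussed in the lab: OP_RETURN, P2WSH, bare P2MS."""
    ops = parse_script(script)
    if ops and ops[0] == ("op", OP_RETURN):
        payload = b"".join(d for kind, d in ops[1:] if kind == "data")
        if payload and all(32 <= b < 127 for b in payload):
            kind, text = "text", payload.decode("ascii")
        elif len(payload) == 32:
            kind, text = "digest32", None      # looks like a bare hash commitment (OpenTimestamps-style)
        else:
            kind, text = "binary", None
        return {"type": "op_return", "payload": payload, "kind": kind, "text": text}
    if len(ops) == 2 and ops[0] == ("op", OP_0) and ops[1][0] == "data" and len(ops[1][1]) == 32:
        return {"type": "p2wsh", "script_hash": ops[1][1]}
    if (len(ops) >= 4 and ops[0][0] == "op" and OP_1 <= ops[0][1] <= OP_16
            and ops[-1] == ("op", OP_CHECKMULTISIG) and ops[-2][0] == "op" and OP_1 <= ops[-2][1] <= OP_16):
        m, n = ops[0][1] - OP_1 + 1, ops[-2][1] - OP_1 + 1
        keys = [d for kind, d in ops[1:-2] if kind == "data" and len(d) in (33, 65)]
        if len(keys) == n == len(ops) - 3:
            return {"type": "p2ms", "m": m, "n": n, "pubkeys": keys}
    return {"type": "unknown"}


def witness_size(items: list) -> int:
    """Serialized witness stack: item count + (length prefix + bytes) per item (1-byte varints here)."""
    return 1 + sum(1 + len(it) for it in items)


def p2wpkh_witness_size() -> int:
    return witness_size([bytes(SIG_SIZE), bytes(33)])                   # <sig> <pubkey>


def p2wsh_multisig_witness_size(m: int, witness_script: bytes) -> int:
    # OP_CHECKMULTISIG pops one element too many, hence the leading empty item before the m signatures
    return witness_size([b""] + [bytes(SIG_SIZE)] * m + [witness_script])


if __name__ == "__main__":
    ws = p2ms_script(2, PUBKEYS)
    print(classify(op_return_script(b"PV204")))
    print(classify(ws), classify(p2wsh_script_pubkey(ws)))
    print("singlesig witness:", p2wpkh_witness_size(), "bytes; 2-of-3 witness:", p2wsh_multisig_witness_size(2, ws), "bytes")
```

Run it and compare the two witness sizes: the 2-of-3 spend carries two signatures plus the whole 105-byte witness script, which is the extra weight you see in the explorer. Note that `classify` sees the P2WSH output only as a 32-byte hash, so the multisig parameters become visible on-chain only once the coins are spent.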
IF YOU WOULD LIKE TO LEARN MORE ☺

RECOVERY OF WALLET (ELECTRUM)

Electrum wallet – preparation
• Download Electrum wallet: https://electrum.org/#download
– Note: for real use, always verify the PGP signature
• IMPORTANT: Run it on testnet, specify the Electrum indexing server
– electrum.exe --testnet -1 -s testnet.aranguren.org:51002:s

Task: Restore wallet created in Sparrow into Electrum
• Assumption: You have a Sparrow wallet (testnet) created last week
• Restore the master seed into different wallet software (Electrum)
– Note: Only the master seed + standardized derivation path is required
– A more detailed export including transaction labels is possible
• Option 1: Using the mnemonic words
– Electrum: New/Restore → Standard wallet → 'I already have a seed' → BIP39 words insert_your_words_from_sparrow
• Option 2: Export from Sparrow wallet (including transaction labels)
– Sparrow: File → Export wallet → Electrum → Export file => *.json file
– Electrum: File → Open → *.json file

OP_RETURN (ELECTRUM WALLET)
Note: Sparrow wallet does not have support for OP_RETURN yet

Task: Store custom (limited) data into blockchain
• OP_RETURN instruction in the lock script for a provably non-spendable tx output
– Script execution is never TRUE, full nodes can drop it from the UTXO set
• Send via Electrum (Pay to)
– 'OP_RETURN' + 'data' (in hex)
– 0 amount (sender only pays tx fees)
– 40 bytes, usable for timestamps…
• Locate the tx on the blockchain
– https://mempool.space/testnet/
• With 1 peer: Find three ideas of what to include and why
– What
information, how encoded, how retrieved, what are the security benefits

OpenTimestamps protocol (https://opentimestamps.org/)
• Prove that a document existed at date X (at the latest)
• Merkle tree of all submitted document hashes within a given period committed to the Bitcoin blockchain (OP_RETURN)
– https://petertodd.org/2016/opentimestamps-announcement
• Currently free to use (only one OP_RETURN embed)
– Client needs to remember the Merkle tree path + file => *.ots file

$ pip3 install opentimestamps-client
$ ots stamp secret.txt
$ ots info secret.txt.ots
$ ots verify secret.txt.ots
Assuming target filename is 'secret.txt'
Calendar https://alice.btc.calendar.opentimestamps.org: Pending confirmation in Bitcoin blockchain
https://github.com/opentimestamps/opentimestamps-c
$ ots verify secret.txt.ots
Assuming target filename is 'secret.txt'
Calendar https://alice.btc.calendar.opentimestamps.or
Calendar https://finney.calendar.eternitywall.com: Time
https://mempool.space/tx/5cfb6d1eee37cfd3dc51d01f8

WHIRLPOOL COINJOIN

CoinJoin implementations
• Wasabi wallet https://github.com/zkSNACKs/WalletWasabi/
– Centralized trustless coordinator, Tor, selected number of rounds executed within hours
• https://docs.wasabiwallet.io/using-wasabi/CoinJoin.html
– Wasabi 2.0 (beta) will offer non-equal output coinjoin https://blog.wasabiwallet.io/privacy-guarantees-of-wasabi-wallet-2-0/
– The anonymity set decreases over time as people send their outputs to KYC exchanges
• Samourai Whirlpool https://docs.samourai.io/en/whirlpool
– CoinJoin with a variable number of rounds, centralized trustless coordinator
– CoinJoin runs until the output is sent away from Whirlpool (days/months)
– If not running a full node then the xpub must be provided =>
privacy risk, decreased anonymity set
• e.g., Samourai RoninDojo https://ronindojo.io/
– Clients: Samourai wallet / Whirlpool CLI, Sparrow Wallet (using Samourai code)
• JoinMarket
– No central coordinator, market Maker(s) run their own full node and provide liquidity
– CoinJoin transaction creation is coordinated by the Taker, who also pays the fees (on-chain and to the Maker)
– JoininBox – JoinMarket cmdline-focused distribution https://github.com/openoms/joininbox

Example Whirlpool CoinJoin mixing transaction (0.05 pool)

Whirlpool CoinJoin privacy mix
• Open your standard Sparrow single signature wallet (created before)
• Work alone – mixing participants are found automatically
– Connection to the Whirlpool mixing coordinator is done via Tor
• Mixed funds are always available (you control the private key) – they can be spent anytime

Samourai Whirlpool (CoinJoin privacy mix)
1. Click the UTXO tab
2. Select one or more UTXOs
3. Click Mix Selected => the Whirlpool wizard opens
4. Click Next until Select Pool, select the 100k sats pool
5. Preview Premix
6.
Broadcast the Premix transaction

Premix transaction TX0
• Whirlpool fee – one-time payment to the Whirlpool coordinator (Samourai)
– Based on pool size, NOT the amount mixed (but results in smaller mixed UTXOs)
• Fee – mining fee to miners (based on actual blockspace demand)
• Premix #0, #1 … #N – initial premixed inputs of the same size
– These UTXOs will be the inputs to mixing rounds
• Badbank change – remaining sats which cannot be put into another Premix #N+1 (as it is smaller than the mixing pool's minimal size)
– "toxic waste" – this UTXO is still tied to the original input transaction (~your identity)
– Do not merge with any mixed outputs (deanonymized)

Mixing procedure
• When TX0 is sent to the mempool, new UTXO(s) display in the Premix tab
– Wait till TX0 is confirmed; multiple UTXOs are created based on the pool size and mixed amount
• Automatically, a new Whirlpool mixing transaction is created
– The new UTXO is displayed in the Postmix tab
• As new blocks are mined, Postmix UTXOs are automatically included in subsequent mixing transaction(s)
– Mixes column
– Mixed unless the wallet user sends them elsewhere (continuous increase of the anonymity set)
– Mixed when someone creates a new TX0 (the new UTXO is paying for mining fees)
• Sparrow wallet must run for active mixing
– Mixing is resumed automatically if Sparrow wallet is started again
• Funds can be spent anytime, options with improved privacy, send to another wallet after a defined number of mixes…

Analyze mixing transaction
1. Analyze using the Sparrow wallet visualization
– UTXO tab, magnifier symbol, click the topmost item Tx […]
2. Analyze using a blockchain explorer
– Copy the txid, use https://blockstream.info/testnet/tx/
• For mainnet transactions, other privacy estimation tools exist
– Always use Tor when accessing!
(do not link your IP with transactions of interest)
– https://KYCP.org (single transaction, examples)
– https://oxt.me (graph of transactions, forensic analysis)

Post-mix spending
• CoinJoin mixing breaks on-chain heuristics (input → output)
• Your UTXO is now private, but it must also be used privately later
• Do not use mixed (Postmix) and unmixed (Badbank) UTXOs together in one transaction!
• Fake/real collaborative spend (PayJoin)
– Two or more people spending together (inputs from both, outputs to both)
– Simulated PayJoin (all inputs yours, but it looks like a collaborative spend)
• Coin control – whole UTXO sent to a new address (no change)
• Atomic swap – trustless exchange of UTXOs (even on different chains)
– Utilizes a timelock – the transaction must be finished by both parties before the deadline, otherwise it is cancelled

Postmix spend – simulated PayJoin

Questions
• Does Whirlpool CoinJoin require online connectivity?
• How many other participants are required?
• How many mixing rounds are enough?
• What is the difference between mixing pools?
• Who is paying for the mixing transaction?
• What happens if you create a transaction using both a Postmix UTXO and a Badbank UTXO?
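To make the TX0 arithmetic and the "toxic" Badbank warning concrete, here is an added Python model written for this page (not Whirlpool's or Sparrow's code). It splits a deposit into equal premix outputs plus coordinator fee, miner fee and Badbank change, runs one equal-output mixing round, and then applies the common-input-ownership heuristic an on-chain observer would use: the owner of a transaction's inputs is assumed to lie in the intersection of every input's candidate-owner set. The pool denomination of 100k sats matches the lab; the fee values, the 1,000-sat premix reserve, the five participants per round and the participant names are assumptions for the example, not Whirlpool's published schedule. The model goes slightly beyond the slide's Badbank case: merging two of your own Postmix coins from different rounds collapses the candidate set in the same way.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Utxo:
    txid: str
    vout: int
    value: int            # satoshis
    kind: str             # "deposit", "premix", "postmix" or "badbank"
    owners: frozenset     # people an on-chain observer could attribute this coin to


def plan_tx0(deposit: Utxo, pool_denom: int, coordinator_fee: int, premix_reserve: int, miner_fee: int) -> dict:
    """Split one deposit into equal premix outputs for a pool, a coordinator-fee output and Badbank change.
    All fee figures are parameters (assumed values in the demo, not Whirlpool's real schedule)."""
    premix_value = pool_denom + premix_reserve          # each premix carries a small reserve for later mix fees
    budget = deposit.value - coordinator_fee - miner_fee
    if budget < premix_value:
        raise ValueError("deposit too small for a single premix output in this pool")
    n = budget // premix_value
    badbank_value = budget - n * premix_value
    premixes = [Utxo("tx0", i, premix_value, "premix", deposit.owners) for i in range(n)]
    badbank = Utxo("tx0", n, badbank_value, "badbank", deposit.owners) if badbank_value else None
    # conservation check: every satoshi of the deposit is accounted for
    assert coordinator_fee + n * premix_value + badbank_value + miner_fee == deposit.value
    return {"premix": premixes, "badbank": badbank, "coordinator_fee": coordinator_fee, "miner_fee": miner_fee}


def mix_round(premixes: list, txid: str, pool_denom: int) -> list:
    """One equal-output CoinJoin round: each output could belong to any of the input owners."""
    if len({u.value for u in premixes}) != 1:
        raise ValueError("mix inputs must be equal-sized")
    everyone = frozenset().union(*(u.owners for u in premixes))
    return [Utxo(txid, i, pool_denom, "postmix", everyone) for i in range(len(premixes))]


def anonymity_set(u: Utxo) -> int:
    return len(u.owners)


def spend_linkage(inputs: list) -> frozenset:
    """Common-input-ownership heuristic: all inputs of one tx are assumed to have one owner,
    so that owner must lie in the intersection of the inputs' candidate sets."""
    return frozenset.intersection(*(u.owners for u in inputs))


def demo() -> dict:
    # constructed scenario: Alice deposits 0.01 tBTC into the 100k-sat pool, four others join each round
    alice = Utxo("deposit", 0, 1_000_000, "deposit", frozenset({"alice"}))
    plan = plan_tx0(alice, pool_denom=100_000, coordinator_fee=5_000, premix_reserve=1_000, miner_fee=2_000)
    round1 = [Utxo(f"tx0_{who}", 0, 101_000, "premix", frozenset({who})) for who in ("bob", "carol", "dave", "erin")]
    round2 = [Utxo(f"tx0_{who}", 0, 101_000, "premix", frozenset({who})) for who in ("frank", "gina", "hank", "ivy")]
    alice_post1 = mix_round([plan["premix"][0]] + round1, "mix1", 100_000)[0]
    alice_post2 = mix_round([plan["premix"][1]] + round2, "mix2", 100_000)[0]
    return {
        "premix_count": len(plan["premix"]),
        "badbank": plan["badbank"].value,
        "postmix_anonset": anonymity_set(alice_post1),
        "safe_spend": spend_linkage([alice_post1]),                       # 5 candidates remain
        "toxic_spend": spend_linkage([alice_post1, plan["badbank"]]),     # Badbank input names Alice
        "merged_postmix": spend_linkage([alice_post1, alice_post2]),      # two rounds intersect in Alice only
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The Badbank output is the direct answer to the last question above: it keeps Alice as its only candidate owner, so any transaction that spends it alongside a Postmix coin hands the observer the one name shared by both sets. The same intersection shrinks, step by step, each time mixed coins from different rounds are combined, which is why the slides insist on coin control after mixing.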
COINJOIN / PAYJOIN TRANSACTIONS

Analyze CoinJoin and PayJoin transactions
• Group of 3 students, share screen
• Example CoinJoin transactions
– https://nioctib.tech/#/transaction/92a78def188053081187b847b267f0bfabf28368e9a7a642780ce46a78f551ba (example from https://en.bitcoin.it/wiki/CoinJoin)
– https://blockstream.info/tx/c69aed505ca50473e2883130221915689c1474be3c66bcf7ac7dc0e26246afc8 (example from Wasabi wallet https://wasabiwallet.io/)
• Example PayJoin transaction
– https://nioctib.tech/#/transaction/7104bae698587b3e75563b7ea7a9aada41d9c787788bc2bf26dd201fd7eca8a2
• Analyze with https://oxt.me and https://kycp.org
– https://kycp.org/#/c69aed505ca50473e2883130221915689c1474be3c66bcf7ac7dc0e26246afc8
• Anything special in the lock and unlock script?
• How can you find out if a given TX is a CoinJoin transaction?
• How can you find out if a given TX is a PayJoin transaction?
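The two "how can you find out" questions above have heuristic, not definitive, answers. The following Python is an added example for this page (not code from any of the tools linked above): it runs the equal-output CoinJoin fingerprint and the "unnecessary input" PayJoin indicator over three constructed transactions (values in satoshis, not the real transactions linked above). The PayJoin indicator implemented here is the two-output variant often called UIH2: if the inputs minus the smallest one still cover the larger output, the smallest input was not needed under either reading of which output is the payment, which ordinary coin selection would not do. Both checks are heuristics by design: a PayJoin is built to look like a normal payment, and a CoinJoin-shaped transaction can be simulated by one party.

```python
from collections import Counter

# Constructed sample transactions (satoshis); not real chain data
COINJOIN_TX = {
    "inputs":  [12_000_000, 11_000_000, 10_500_000, 15_000_000, 13_000_000],
    "outputs": [10_000_000] * 5 + [1_990_000, 990_000, 490_000, 4_990_000, 2_990_000],
}
PAYMENT_TX = {"inputs": [40_000, 30_000], "outputs": [50_000, 18_000]}   # ordinary spend, fee 2 000
PAYJOIN_TX = {"inputs": [60_000, 30_000], "outputs": [50_000, 39_000]}   # receiver added the 30 000 input, fee 1 000


def fee(tx: dict) -> int:
    return sum(tx["inputs"]) - sum(tx["outputs"])


def equal_output_sets(tx: dict) -> dict:
    """value -> number of outputs sharing it; each such output has that many indistinguishable candidates."""
    return {v: c for v, c in Counter(tx["outputs"]).items() if c >= 2}


def looks_like_coinjoin(tx: dict, min_equal: int = 3) -> bool:
    """Equal-output CoinJoin fingerprint: at least min_equal outputs of one value, and at least that many
    inputs (one per participant). Heuristic only; the shape can be imitated or hidden."""
    sets = equal_output_sets(tx)
    if not sets:
        return False
    _, count = max(sets.items(), key=lambda kv: kv[1])
    return count >= min_equal and len(tx["inputs"]) >= count


def unnecessary_input(tx: dict) -> bool:
    """UIH2-style check for two-output transactions: the inputs without the smallest one still cover the
    larger output, so that input was unnecessary whichever output is the payment. A weak PayJoin indicator."""
    if len(tx["outputs"]) != 2 or len(tx["inputs"]) < 2:
        return False
    return sum(tx["inputs"]) - min(tx["inputs"]) >= max(tx["outputs"])


def report(tx: dict) -> dict:
    return {
        "fee": fee(tx),
        "coinjoin": looks_like_coinjoin(tx),
        "anonymity_sets": equal_output_sets(tx),
        "payjoin_hint": unnecessary_input(tx),
    }


if __name__ == "__main__":
    for name, tx in (("coinjoin", COINJOIN_TX), ("payment", PAYMENT_TX), ("payjoin", PAYJOIN_TX)):
        print(name, report(tx))
```

For the Wasabi-style transaction the report gives an anonymity set of 5 for the 10,000,000-sat outputs while the unequal remainders stay linkable to their inputs, which is what the KYCP visualization colors. Only the constructed PayJoin trips the unnecessary-input check; the ordinary payment does not.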
Wasabi CoinJoin 1.0
• Equal output CoinJoin, mixed outputs all have the same size, around 0.1 BTC
• Mixing performed in a single round with a larger number of participants (e.g., 100)
• Untrusted coordinator required
– Operated by the zkSNACKs company, but can be others

Wasabi CoinJoin 2.0 (WabiSabi protocol)
• Non-equal output CoinJoin – mixed outputs have different sizes, no (toxic) change
• Mixing performed in a single round with a larger number of participants (e.g., 100)
• Untrusted coordinator required
– Operated by the zkSNACKs company, but can be others

SINGLE-SIGNATURE HARDWARE WALLET

Before we start…
• You have only one hardware wallet per group
– Only one of you will have the hardware wallet with Sparrow
– All others will have software wallets
• VERY IMPORTANT!!!
– ColdCard is a real hardware wallet (~$100)
– "Bricked" if the correct PIN is forgotten (no "reset" button)
– For this tutorial, always set the PIN to 12 34 !!!

Steps of hardware wallet usage
1. Prepare ColdCard hardware, generate and back up a new wallet
– No computer required, everything happens on the ColdCard device
2. Prepare Sparrow on PC with private keys stored on ColdCard
– Public information from the ColdCard wallet is exported to Sparrow
3. Receive tBTC to the ColdCard wallet (via Sparrow)
– No ColdCard required, only public keys are required
4.
Send tBTC from the ColdCard wallet (via Sparrow)
– Private keys on ColdCard required, checks and signing happen on the ColdCard

1. PREPARE COLDCARD HARDWARE, GENERATE AND BACKUP NEW WALLET
(Update firmware on all wallets, update demo pictures)

Prepare your ColdCard device
1. Open the sealed bag
2. Connect via USB cable
3. Read and accept the conditions on the small screen, press OK
4. Check that the serial numbers match (screen, bag), press OK
– What is the security goal of this check?
5. 'Choose PIN Code' option, press OK
6. Enter PIN Prefix: USE `12`!!!, press OK
– Write the shown words on paper (what are they for?)
7. Enter the rest of the PIN: USE `34`!!!, press OK
8. Generate new wallet, write the 24 words on paper, verify the 24 words
9. State: the 'Ready to Sign' option shall be displayed
10. Move down to 'Settings'
11. Move down to 'Blockchain'
12. Change to 'Testnet: BTC'
We will work with testnet BTC => need to tell the wallet to use testnet addresses

Set wallet to use testnet BTC
If not set to testnet, then Sparrow wallet will (later) not detect the connected ColdCard during the Sign operation

2. PREPARE SPARROW ON PC WITH PRIVATE KEYS STORED ON COLDCARD

Create wallet
• sparrow -n testnet
• Prepare the ColdCard wallet (see before)
• Connect the ColdCard wallet via USB cable
• File → New wallet
1. Connected Hardware Wallet
2. Scan
3. Import Keystore
6. Apply
7.
Set password or leave empty
– (encryption of the local wallet file)
• Local wallet contains only the xpub
– *.mv.db file
– File → Open wallet
– Private key(s) are on the ColdCard

3. RECEIVE TBTC TO COLDCARD WALLET (VIA SPARROW)

Task: send some tBTC from software to hardware wallet
• Exactly the same procedure as for sending between software-only wallets
– The hardware wallet's private key is not required for receiving
• The person with the ColdCard shall receive one transaction from every other person (PC1 and CC)
• Obtain his/her receive address
– Via messenger: CC → Receive tab → Copy address → send via Signal → PC1
– Via QR: CC → Receive tab; PC1 → Send → camera icon → scan address QR
• Enter some sats into the Amount box
– Observe the visualized transaction below (more inputs may be added)
(Figure: PC1 → CC)

4. SEND TBTC FROM COLDCARD WALLET (VIA SPARROW)

Task: send some tBTC from hardware to software wallet
• The person with the ColdCard sends to at least one other person (CC → PC1)
1. Obtain PC1's receive address
– Via messenger: PC1 → Receive tab → Copy address → send via Signal → CC
– Via QR: PC1 → Receive tab; CC → Send → camera icon → scan address QR
2. Enter some sats into the Amount box
– Observe the visualized transaction below (more inputs may be added)
3. Click 'Create transaction', click 'Finalize transaction for signing'

Send some tBTC from hardware to software wallet
4. Connect ColdCard via USB
– Enter PIN Prefix, press OK
– Enter the rest of the PIN => 'Ready To Sign'
5. Click 'Sign' in Sparrow
6.
Click 'Scan' in Sparrow
• Note:
– Look for the ColdCard icon after the ColdCard is connected
– If the icon is not visible, try to reconnect
– If the icon is visible but Scan fails, check
• ColdCard: Settings → Blockchain → Testnet: BTC

Send some tBTC from hardware to software wallet
7. Select ColdCard and click 'Sign'
8. Verify on the ColdCard's screen (compare with your Sparrow)
– Amount, address, fee, change back, change back address
– Press OK if they match
9. Click 'Broadcast Transaction'
– The transaction is now complete and broadcast to the network

Task: attack your setup with hardware wallet! (15 min)
• Imagine five different ways an attacker could steal your funds from your Sparrow single signature wallet with ColdCard
– Continue in Miro: https://miro.com/app/board/uXjVPaI0Mp4=/?share_link_id=697987574971
• Password: 'fimunicz'
– Compare to the situation without a hardware wallet
– Discuss the cost and prerequisites of the different attacks
• Consider at least the following:
– Phishing? Physical attack? Logical attack? Side-channel attack? Malware? Supply chain? …

Questions
• Is the wallet owner an attacker against the embedded secure element?
• What protection is offered by air-gapped mode with a memory card?
• Why does the newer ColdCard Mk4 have 2 different secure elements?
• Would a hardware wallet with a secure element but without a display provide the same assurances?
• Can hardware wallet firmware be buggy? Can you find such an example? Compare its Trusted Computing Base to a notebook.
• How to securely update the ColdCard's firmware?
• How will you recognize a fake ColdCard/secure element?

Questions
• What is stored on a ColdCard's secure element?
• Where are private keys stored? Are they stored or generated on demand?
• What if you lose your ColdCard device?

LIGHTNING NETWORK

Get some satoshi via Lightning network
• I will send some satoshi to one member of your project group
• She/he will send the corresponding fraction to each of the remaining members
• Poor-man option: Custodial wallet (beware, it is custodial!)
  – Wallet of Satoshi (Android, iOS); setup time: instant installation and use
• Better option: Non-custodial wallet connected to a hosted Lightning wallet
  – BlueWallet; you need to have at least some on-chain btc (at least 30k sats == 0.0003 btc)
  – Your wallet holds the private keys, but channels are opened by a trusted service
  – Setup time: takes up to several hours before ready (on-chain transactions)
• Best option: Set up your own full node and your own Lightning node
  – E.g., Raspi4 + 1TB HDD + mynodebtc.com image + mobile wallet (BlueWallet, Zap, RTL…)
  – Similar to the previous option, but the Lightning wallet now connects to your Lightning node
  – Setup time: days before your full node is synchronized, then several hours to open a channel

Getting some bitcoins (in general)
• On mainnet (real bitcoins)
  – exchange, BTC ATM, beer for sats with friends, get paid in btc…
• Testnet (test bitcoins)
  – electrum.exe --testnet, generate a new standard wallet, get a testnet address (starts with m)
  – Go to https://coinfaucet.eu/en/btc-testnet/, ask for coins to your testnet address
  – Testnet explorer: https://blockstream.info/testnet/
• Regtest (local bitcoins)
  – Complete blockchain on your PC, you are the sole miner => mine them
  – bitcoin-cli -regtest getnewaddress
  – bitcoin-cli -regtest generatetoaddress 101 miner_address

MULTISIGNATURE WITH ELECTRUM WALLET
Note: This tutorial achieves the same results as the tutorial with Sparrow wallet. Sparrow wallet is overall more capable; this one is left here for historical reasons.

Task: using multisignature wallet (3 ppl/room)
1. Create a new 2-out-of-3 multisignature wallet in Electrum
  – All three people in the group are participants (separate machines)
2. Send some coins from last week to the multisig wallet
  – Generate a new receiving address
  – Wait till it is included in a block
  • Analyze the TX (from normal to multisig) via a chain explorer – what does the lock script look like? Why?
  – Screenshot the explorer, annotate
3. Send from the multisig wallet back to the standard one
  – Why do you need to generate a PSBT?
  – Is it safe to send a PSBT via email?
  – Who can broadcast the transaction when 1, 2 and 3 signatures are made?
  • Analyze the TX (from multisig to normal) via a chain explorer – what does the unlock script look like? Why?
  – Screenshot the explorer, annotate

Important: Use Electrum 4.2.0 or higher
• You need to have the same type of address
  – 4.2.0 allows only segwit addresses
  – Older versions may allow legacy addresses – these can’t be mixed with segwit

Creating multisig wallet (--testnet)
• If you already have a wallet: File → New/Restore
  – All three people perform the same process
• Save the seed and master public key for yourself (cosigner 1)
• Get the master public keys from the others, Add cosigner (2 of 3), (3 of 3)
• Finish creation of the multisig wallet

Send from normal wallet to multisig one
• Generate a receive address on the multisig wallet, send to it from the normal one
• Optional: try using coin control
  – View → Show coins, right-click on the target coin → Spend
  – The Max button in Send will only take the marked coin(s)
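The task above asks what the lock script of the normal-to-multisig transaction looks like and how much segwit saves in fees compared to a legacy address. The following Python is an added example, not part of the course materials: it builds a 2-of-3 witness script from three constructed dummy public keys, derives the P2WSH scriptPubKey an explorer would display, and estimates the per-input spend size for legacy P2SH versus P2WSH. The key bytes, the 72-byte signature estimate and all function names are assumptions of this example.

```python
import hashlib
# Added example, not from the course materials: the lock script that the
# "normal -> multisig" transaction creates for a 2-of-3 segwit multisig wallet,
# and the vbyte cost of spending it as legacy P2SH versus P2WSH. The keys are
# constructed dummies (0x02 + 32 bytes), not real secp256k1 points; building
# and hashing the script does not validate them.
COSIGNER_PUBKEYS = [b"\x02" + hashlib.sha256(f"cosigner{i}".encode()).digest()
                    for i in (1, 2, 3)]
OP_0, OP_PUSHDATA1, OP_CHECKMULTISIG = 0x00, 0x4C, 0xAE
SIG_LEN = 72  # typical DER-encoded ECDSA signature plus sighash byte

def op_n(n: int) -> bytes:
    # OP_1 .. OP_16 encode the m and n of an m-of-n multisig as one byte each
    assert 1 <= n <= 16
    return bytes([0x50 + n])

def push(data: bytes) -> bytes:
    # direct push up to 75 bytes, OP_PUSHDATA1 up to 255 (enough for 3 keys)
    assert len(data) <= 255
    return bytes([len(data)] if len(data) <= 75 else [OP_PUSHDATA1, len(data)]) + data

def varint_len(n: int) -> int:
    # size of Bitcoin's CompactSize encoding of n
    return 1 if n < 0xFD else 3 if n <= 0xFFFF else 5

def multisig_script(m: int, pubkeys: list) -> bytes:
    # OP_m <pk1>..<pkn> OP_n OP_CHECKMULTISIG; keys sorted (BIP67) so every
    # cosigner derives the identical script from the same set of xpubs
    keys = sorted(pubkeys)
    return op_n(m) + b"".join(push(k) for k in keys) + op_n(len(keys)) + bytes([OP_CHECKMULTISIG])

def p2wsh_script_pubkey(witness_script: bytes) -> bytes:
    # what the explorer shows as the lock script: OP_0 <sha256(witness script)>;
    # m, n and the keys stay hidden until the coins are spent
    return bytes([OP_0]) + push(hashlib.sha256(witness_script).digest())

def legacy_p2sh_input_vbytes(m: int, redeem_script: bytes) -> int:
    # legacy P2SH: OP_0 dummy, m signatures and the redeem script all sit in
    # scriptSig, and every scriptSig byte counts as a full vbyte
    script_sig = 1 + m * (1 + SIG_LEN) + len(push(redeem_script))
    return 32 + 4 + varint_len(script_sig) + script_sig + 4

def p2wsh_input_vbytes(m: int, witness_script: bytes) -> int:
    # P2WSH: the same data moves to the witness, which weighs 1/4 per byte
    base = 32 + 4 + 1 + 4  # outpoint, empty scriptSig length byte, sequence
    witness = 1 + 1 + m * (1 + SIG_LEN) + varint_len(len(witness_script)) + len(witness_script)
    return -(-(4 * base + witness) // 4)  # ceil(weight / 4)

if __name__ == "__main__":
    ws = multisig_script(2, COSIGNER_PUBKEYS)
    print(p2wsh_script_pubkey(ws).hex(), legacy_p2sh_input_vbytes(2, ws), p2wsh_input_vbytes(2, ws))
```

The scriptPubKey is always 34 bytes (OP_0 plus a 32-byte hash) regardless of m and n, which is why the explorer cannot tell a multisig output from any other P2WSH output until it is spent.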
Send from multisig wallet to normal one – first signer
• Generate a receive address on the normal wallet
• One signer creates the transaction
  – The Save button saves the partially prepared tx locally
  – The Pay button (partially) signs the transaction and allows Export

Send from multisig wallet to normal one – second signer
• Open the cosigner’s wallet
• Tools → Load transaction → From file
• Check target info and amount
• Sign the loaded transaction
• Broadcast to the network

Questions
• Analyze your transactions via a blockchain explorer
  – E.g., https://blockstream.info/testnet/
  – TX (from normal to multisig wallet)
    • Can you figure out that the transaction was from normal to multisig?
    • If yes/no – what is the advantage / disadvantage?
  – TX (from multisig to normal wallet)
    • Can you recognize that the input was multisig? How and why?
  – How much was it possible to save in fees by using a segwit instead of a legacy address?
• Which option is better for backup (not losing the possibility to spend)? 1-of-3 or 3-of-3?
• Which option is better against an attacker (preventing him from spending your coins)? 1-of-3 or 3-of-3?
• What are the advantages and disadvantages of 2-of-3 vs. 3-of-5?

WASABI WALLET 1.X
Note: This tutorial is now outdated; Wallet Wasabi 1.0 and the related coinjoin mix are going to be retired soon (2024). Wallet Wasabi 2.x is the main production replacement.

Wasabi wallet (testnet)
• Solo task (1 student / breakout room)
• Install Wasabi wallet from https://wasabiwallet.io/
  – For real use, verify the PGP signature
• Start it, go to Settings and change Network to TestNet
• Restart the application
• Generate a new Wallet
  – Back up the seed; the password is used to encrypt the seed (if none, what does it mean?)
• Wasabi forces you to set a coin label (Why?)
• Send some sats to the Wasabi wallet from your normal testnet wallet

COINJOIN WITH WASABI WALLET

Wasabi wallet – participating in CoinJoin
• Visit the CoinJoin option
  – Change Target to Anonymity Set: 2 (so mixing finishes quickly)
    • For real use, keep it at 50!
  – Enqueue Selected Coins into the next round of CoinJoin
• Waits until registered and confirmed
• Keep your computer running
  – The protocol is interactive and requires several rounds
• What have you got at the end?
• Investigate the txid on a chain explorer
  – Use Tor, otherwise you will leak the IP-to-TX mapping

BLOCKCHAIN EXPLORERS