Turn every smartphone into a Bitcoin hardware wallet using Secure Enclaves
This post was first published on Medium.
We use the secure enclaves of iOS and Android devices to store Bitcoin private keys. The keys never leave the enclaves, providing the same security as hardware wallets. This essentially turns billions of smartphones into secure Bitcoin hardware wallets. Users can authorize Bitcoin transactions using FaceID and TouchID.
Secure Enclave
Secure Enclave is a special chip in Android devices, iPhones, iPads and Macs that secures biometric data such as FaceID and TouchID. The key feature of the Secure Enclave is that a private key generated on it cannot leave the chip, providing maximum security, as in hardware wallets such as Ledger and Trezor.
The private key in it can be used to sign messages securely. Messages are sent into the Secure Enclave, signed, and then the signature is returned. During signing, the private key resides in the chip and is not stored in memory, so it is inaccessible from software. Permission to sign a transaction can be granted using biometric authentication such as FaceID and TouchID.
Elliptic curve secp256r1
Secure Enclave supports a single elliptic curve, secp256r1, also known as prime256v1 and P-256. It is different from the elliptic curve secp256k1, which is used by popular blockchains such as Bitcoin and Ethereum.
Both elliptic curves are of the form y² = x³ + ax + b.
For the secp256k1 curve, we have
a = 0
b = 7
and for secp256r1 we have
a = FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF FFFFFFFC
b = 5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53B0F6 3BCE3C3E 27D2604B
Due to the lack of native support for secp256r1, all cryptocurrency wallet apps today use software signing, rather than hardware signing. Software signing is vulnerable to side-channel attacks that leak information about the private key.
Implementing secp256r1 on Bitcoin
Thanks to the expressiveness and scalability of Bitcoin smart contracts, we can implement secp256r1 efficiently, especially ECDSA signature verification, at the contract level. The signature is generated by the Secure Enclave and enjoys maximum security. We then verify the hardware signature in a smart contract. Note that this does not require any breaking changes at the base layer, even though it uses a different curve.
We modified the ECDSA verification implementation we released earlier, switching from curve secp256k1 to secp256r1. It basically implements the standard ECDSA verification algorithm.
Backup
To be as secure as possible, Secure Enclave does not allow keys to be exported, making it impossible to back up keys (unlike hardware wallets with mnemonics). If a smartphone is lost or damaged, the private key and the funds it controls are lost.
One solution is to create a 1-of-2 (or N) multisig wallet. One key can be generated offline and safely stored as in a cold wallet. The second key is generated inside the Secure Enclave. In case of phone loss or damage, the user can safely use their offline backup key to move the funds out of the wallet.
Please contact us if you are interested in building the first-ever hardware-signed Bitcoin wallet. Some other types of hardware security modules (HSMs), to which hardware wallets belong, such as smart cards, also support elliptic curves, so they also work as Bitcoin wallets.