Will O’Brien is CEO and co-founder of BitGo, a bitcoin security company and pioneer in multi-signature technologies. In this article, he examines bitcoin security trends from the last year and looks ahead to what 2015 has in store.
2014 was a pivotal year in bitcoin security. Although the industry had a rough start to the year with the collapse of the largest bitcoin exchange, Mt Gox, leading companies have made significant strides toward making the ecosystem more secure and ready to scale.
After experiencing incredible growth in 2013, in which the price of bitcoin grew from a low of $13.16 to a high of $1,165.89, the digital currency seemed poised for mainstream adoption at the beginning of 2014.
But all was not well at Mt Gox, the exchange with the largest trading volume in the world. By February, Mt Gox would file for bankruptcy citing the loss of 850,000 BTC.
The mainstream press pointed to Mt Gox’s demise as the end of bitcoin itself. How could a digital currency revolutionize the financial system if it can’t be secured properly? Fortunately, pioneering companies were already solving the challenges of security and new solutions began to roll out.
Gavin Andresen, chief scientist of the Bitcoin Foundation, made a proclamation during his State of Bitcoin address at the Bitcoin 2014 conference in Amsterdam. He said without hesitation: “This is the year of the multi-signature wallet.”
What is ‘multisig’? Multisig is short for multi-signature, the digital equivalent of a safe deposit box.
A multisig bitcoin wallet uses P2SH (BIP16) and requires M-of-N keys (eg: two of three) to sign a transaction. The resulting address starts with a ‘3’ instead of a ‘1’, which is an easy way to tell whether you are using a multisig wallet or not.
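The leading '3' comes from the Base58Check version byte 0x05 that BIP16 assigns to script-hash addresses on mainnet. The following sketch is an added example, not BitGo's code: it encodes and decodes an address, verifies the checksum and reports the address type. The 20-byte hash is constructed, and the function names are this example's own.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Mainnet version bytes: 0x00 = pay-to-pubkey-hash, 0x05 = pay-to-script-hash (BIP16).
VERSIONS = {0x00: "P2PKH", 0x05: "P2SH"}

def checksum(payload: bytes) -> bytes:
    """First 4 bytes of double SHA-256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def encode_address(version: int, hash160: bytes) -> str:
    data = bytes([version]) + hash160
    data += checksum(data)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # Each leading zero byte is written as a literal '1'.
    zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * zeros + out

def decode_address(addr: str):
    """Return (version, hash160); raise ValueError on any malformed input."""
    n = 0
    for ch in addr:
        if ch not in ALPHABET:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + ALPHABET.index(ch)
    zeros = len(addr) - len(addr.lstrip("1"))
    data = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(data) != 25:
        raise ValueError("decoded payload is not 25 bytes")
    if checksum(data[:-4]) != data[-4:]:
        raise ValueError("checksum mismatch (typo or tampering)")
    return data[0], data[1:21]

def address_type(addr: str) -> str:
    version, _ = decode_address(addr)
    return VERSIONS.get(version, f"unknown version 0x{version:02x}")

# Constructed 20-byte hash standing in for HASH160(redeem script); not a real wallet.
SAMPLE_HASH = bytes(range(1, 21))

if __name__ == "__main__":
    for v in (0x00, 0x05):
        a = encode_address(v, SAMPLE_HASH)
        print(a, address_type(a))
```

The address carries only the hash of the redeem script, so the M and N of the policy become visible on the blockchain only when the script is revealed in a spend.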
The first multisig wallet was launched in August 2013 by BitGo and many bitcoin companies have embraced this new standard, including BitPay, Circle, Coinbase, CoinKite, Armory, and GreenAddress.
Heading into 2014, the predominant model for securing bitcoins was single-key cold storage, in which a private key is generated offline and then stored in a vault.
While this is a good approach to preventing digital theft of private keys, it has put the industry in a cold storage ice age, where bitcoins are locked away and companies deploy off-blockchain transaction systems that are susceptible to the same manipulation that occurred at Mt Gox.
Cold storage also presents the possibility of loss due to user error or backup failures, even if the threat of theft is reduced.
Multisig is the first foundational infrastructure technology that will make the bitcoin ecosystem safer. At the beginning of 2014, only 0.02% of all BTC were secured with multisig; that number is now more than 5%.
Over the past year, there was a 79-fold increase in daily multisig transactions. In November, we saw the first ever multisig exchange come online, when TeraExchange partnered with BitGo for on-blockchain collateral management for its regulated swaps execution facility.
While we still need more adoption of multisig as an industry, 2014 was a turning point in implementing a better security model.
2015 promises to be a year of continued innovation to improve bitcoin security. Developments are already being implemented at limited scale, but 2015 will be the year in which we see them become much more central to the industry.
Here are some of the top trends to expect based on the progress made in 2014:
HD wallets
HD stands for ‘hierarchical deterministic’, a technique for generating private keys introduced in BIP32.
In an HD wallet, a new address is used for every transaction to maintain financial privacy and prevent others from identifying connected transactions on the blockchain.
Transaction signing policies
Your bank account has limits on wire transfers that require a second approval, and your credit card issuer blocks transactions that trigger its fraud filters.
Bitcoin as a core technology has none of these, but wallet providers and exchanges have already begun rolling out treasury protections and transaction signing policies such as spending limits, multi-user approvals and recipient whitelists.
Hardware devices and trusted computing
Trezor launched the first hardware wallet in 2014 and now other companies are following suit with hardware key fobs and hardware security modules.
Trusted computing is also entering the bitcoin ecosystem through companies like Rivetz. Advancements in hardware security will make it nearly impossible for hackers to get access to private keys.
Moving from multisig to multi-institutional
Multisig wallets require M-of-N keys to sign a transaction. Multi-user wallets require M-of-N users to sign a transaction with their respective private keys.
Additionally, multi-institutional wallets require those keys to be distributed to more than one organization, so that there is no opportunity for insider theft or targeted attack at one institution.
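The signing policies listed earlier (spending limits, multi-user approvals, recipient whitelists) and the multi-institutional requirement above can be checked together before a co-signer adds its signature. This is an added sketch, not any provider's implementation; the class names, rule wording, limit and recipient string are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Approval:
    user: str
    institution: str

@dataclass(frozen=True)
class Policy:
    per_tx_limit_sat: int      # spending limit per transaction, in satoshis
    whitelist: frozenset       # recipient addresses allowed to receive funds
    required_approvals: int    # M distinct users must approve
    min_institutions: int      # approvers must span at least this many organizations

def violations(policy, recipient, amount_sat, approvals):
    """Return the list of violated rules; an empty list means the co-signer may sign."""
    found = []
    if amount_sat <= 0:
        found.append("amount must be positive")
    elif amount_sat > policy.per_tx_limit_sat:
        found.append("spending limit exceeded")
    if recipient not in policy.whitelist:
        found.append("recipient not whitelisted")
    # Deduplicate by user so one person approving twice still counts once.
    by_user = {a.user: a.institution for a in approvals}
    if len(by_user) < policy.required_approvals:
        found.append("not enough distinct approvers")
    if len(set(by_user.values())) < policy.min_institutions:
        found.append("approvers come from too few institutions")
    return found

# Constructed sample policy: 5 BTC limit, 2 approvers from 2 organizations.
TREASURY = "3-CONSTRUCTED-TREASURY-ADDRESS"
POLICY = Policy(500_000_000, frozenset({TREASURY}), 2, 2)

if __name__ == "__main__":
    insiders = [Approval("alice", "acme"), Approval("carol", "acme")]
    print(violations(POLICY, TREASURY, 100_000_000, insiders))
```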
Industry standards and APIs
Best practices for security have been introduced by the pioneers over the last two years. The time is ripe for industry standards and API platforms to emerge, so that the next generation of companies can build on the work of the last generation, rather than reinventing the wheel.
As the industry forms standards, we hope to see other parties including regulators, insurance underwriters and auditors coming to the table in a spirit of collaboration.
Below is an infographic, created at BitGo, to highlight some of the top achievements of 2014 and what we expect to see in 2015.