Cypherock
Cypherock is BIP39 compliant

Last updated 1 year ago

To keep key management compatible across wallets, most wallets implement hierarchical key derivation. A hierarchically derived (HD) wallet generates keys according to the BIP39 and BIP32 proposals in the following fashion:

ENT --> Mnemonics --> BIP39 Seed --> Master Node --> Purpose Node --> Coin Node --> Account Node --> Change Node --> Address Index Node

ENT stands for entropy bits. It is generated as the XOR of the hardware-based TRNG output of the STM32L4, which has a NIST-compliant Deterministic Random Bit Generator (DRBG), and a random nonce generated by the ATECC608A secure element (FIPS 800-90 A/B/C RNG) in the X1 Vault. Its length may be chosen anywhere between 128 and 256 bits, in increments of 32 bits.

CS stands for checksum and consists of the first bits of sha256(ENT). The CS bits are appended after ENT, written ENT||CS. Each group of 11 bits in ENT||CS represents one of 2048 values, each of which indexes a unique word in the BIP39 wordlist. The resulting group of words is the mnemonic, also called the seed phrase, which is used to recover a wallet when a user wants to regenerate keys on a different machine.

From the derivation above, it can be seen that mnemonics and ENT are interconvertible. In Cypherock's implementation, we apply Shamir's Secret Sharing (SSS) to ENT. In a standard HD wallet, a different key pair is used for every transaction, and the derivation of private keys from mnemonics is a one-way operation. Hence, to make backup simple and easy, we apply SSS to ENT rather than to any private key. Applying SSS to ENT also lets us derive the mnemonic again on reconstruction.
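The ENT||CS encoding and its inverse, as an added example that is not Cypherock's code. It assumes the BIP39 rule that CS is ENT/32 bits long; the 2048-word list itself is not embedded, so the functions work on the 11-bit word indices rather than on words.

```python
import hashlib

# Added example (not Cypherock's code): the ENT || CS encoding from the page and its
# inverse. The 2048-word list is not embedded; the 11-bit indices are what index it.

def entropy_to_indices(ent: bytes) -> list[int]:
    """ENT -> 11-bit word indices. CS = first ENT_bits/32 bits of sha256(ENT)."""
    ent_bits = len(ent) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("ENT must be 128..256 bits in 32-bit steps")
    cs_bits = ent_bits // 32
    cs = int.from_bytes(hashlib.sha256(ent).digest(), "big") >> (256 - cs_bits)
    combined = (int.from_bytes(ent, "big") << cs_bits) | cs        # ENT || CS
    total = ent_bits + cs_bits                                      # multiple of 11
    return [(combined >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]

def indices_to_entropy(indices: list[int]) -> bytes:
    """Word indices -> ENT, rejecting a mnemonic whose checksum does not match."""
    if len(indices) not in (12, 15, 18, 21, 24):
        raise ValueError("mnemonic must have 12, 15, 18, 21 or 24 words")
    if any(not 0 <= i < 2048 for i in indices):
        raise ValueError("word index out of range")
    total = 11 * len(indices)
    cs_bits = total // 33                 # ENT = 32k bits, CS = k bits, total = 33k
    combined = 0
    for i in indices:
        combined = (combined << 11) | i
    ent = (combined >> cs_bits).to_bytes((total - cs_bits) // 8, "big")
    if entropy_to_indices(ent) != indices:   # recompute CS and compare
        raise ValueError("BIP39 checksum mismatch")
    return ent
```

With 16 zero bytes of ENT the indices come out as eleven 0s and a 3, the well-known "abandon ... about" test vector.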

Shamir's Secret Sharing scheme is applied separately to each byte of the ENT, with GF(256) as the underlying finite field. Bytes are interpreted as elements of GF(256) in polynomial representation, with operations taken modulo the Rijndael irreducible polynomial x^8 + x^4 + x^3 + x + 1. We apply a 2-of-5 Shamir's secret sharing scheme in which the secret byte sits at index x = 0 and the five shards are taken at indices x = 1, x = 2, x = 3, x = 4 and x = 5 of the finite plane. The polynomial coefficients are generated using the hardware-based random number generator. A user-defined password is used to symmetrically encrypt each secret byte array before the shards are transferred to the X1 Cards. The data stored inside each X1 Card is as follows:

  1. Wallet Name

  2. The double hash of the password

  3. Password encrypted shard

  4. Nonce

  5. Shard Index

  6. Scheme

  7. Checksum of the data

We use ChaCha20 to encrypt the shard with the hash of the user-defined password. is used to authenticate the decrypted shard. The double hash is used for password verification inside the X1 Cards. Although the X1 Card uses an EAL6+ secure element, using the double hash of the password for authentication and the single hash of the password for symmetric encryption ensures that even if the data inside the X1 Cards is breached, recovering the original shard remains tremendously difficult.
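The byte-wise 2-of-5 split over GF(256) described above, as an added example that is not Cypherock's firmware: the secret byte is f(0), shards are f(1)..f(5), and any two shards recover the byte by Lagrange interpolation at x = 0. The Rijndael polynomial is written as 0x11B; the password encryption step is left out.

```python
import secrets
# Added example (not Cypherock's code): 2-of-5 Shamir over GF(256) per byte, Rijndael poly 0x11B.
RIJNDAEL, THRESHOLD, SHARES = 0x11B, 2, 5
def gf_mul(a: int, b: int) -> int:  # bytes as GF(256) elements, product mod Rijndael poly
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= RIJNDAEL
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """a^254 is a^-1 for a != 0, because a^255 == 1 in GF(256)."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def split(ent: bytes) -> list[tuple[int, bytes]]:
    """Shards at x = 1..5; each byte is f(0) of its own random degree-1 polynomial."""
    shards = [bytearray() for _ in range(SHARES)]
    for s in ent:
        coeffs = [s] + [secrets.randbelow(256) for _ in range(THRESHOLD - 1)]
        for x in range(1, SHARES + 1):
            y = 0
            for c in reversed(coeffs):          # Horner: f(x) = s + c1*x + ...
                y = gf_mul(y, x) ^ c
            shards[x - 1].append(y)
    return [(x, bytes(shards[x - 1])) for x in range(1, SHARES + 1)]

def combine(parts: list[tuple[int, bytes]]) -> bytes:
    """Lagrange-interpolate every byte position at x = 0 from THRESHOLD distinct shards."""
    parts = list(dict(parts).items())[:THRESHOLD]   # distinct x values only
    if len(parts) < THRESHOLD:
        raise ValueError("need %d distinct shards" % THRESHOLD)
    out = bytearray()
    for i in range(len(parts[0][1])):
        acc = 0
        for xi, yi in parts:
            num = den = 1
            for xj, _ in parts:
                if xj != xi:
                    num, den = gf_mul(num, xj), gf_mul(den, xi ^ xj)  # (0-xj)/(xi-xj)
            acc ^= gf_mul(yi[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)
```

A single shard, or the same shard presented twice, is rejected rather than silently yielding garbage; with one shard alone every value of the secret byte is equally likely, which is what makes the 2-of-5 threshold meaningful.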