Cypherock X1 - Shamir's Secret Sharing based Hardware wallet

[rohanagarwal7]

Cypherock X1 is a new kind of hardware wallet that never stores the master seed as a whole anywhere permanently eliminating most of the attack vectors associated with the current hardware wallets. Cypherock comes with 5 hardware components - 1 X1 Vault and 4 X1 Cards. The X1 Vault is the main computational device used to perform transaction signing and verification. It comes with a screen, 5-way joystick and connects through USB-C. The X1 Cards are Smartcards and communicate with the X1 Vault through encrypted NFC. Each of the 5 components store the 5 Shamir Shares individually. In order to construct back the master seed, you need the X1 Vault and any one of the X1 Card along with the PIN if set (2-of-5 Shamir's Secret Sharing).

https://imgur.com/a/HnYMQ7X

Product Features

• It is BIP39 compliant wallet. Unlike other wallets, there is no need for the user to write the 24 recovery words or the seed phrase anywhere. Although there is still an option on the device to view the seed phrase through the device + card + PIN (if set)
• No Single Point of Failure in private key storage as the private keys are never stored permanently in a single place giving it 10x more security than other hardware wallets.
• Most of the hardware wallets today only allow the user to store one seed phrase per hardware. Cypherock X1 allows the user to store upto 4 different wallet seed phrases on a single Cypherock X1. Generate new wallets or use any of these 4 slots to backup your existing hardware and software wallets, thereby using the Cypherock X1 also as a seed phrase backup manager. You can protect each with a different PIN for each seed phrase. I have discussed about this use-case on this thread - https://asktom.cf/index.php?topic=5457147.0.
• It is going to support a non-KYC inheritance service that will allow your assets to be recoverable by your loved ones without Cypherock ever in a position to compromise user's assets. More on this soon!
• There is inherent protection against loss. As along as you have access to 2 out of the 5 components (either 2 X1 Cards, or 1 X1 Card and the X1 Vault), your assets are accessible. You can lose upto 3 components at the same time and still be sure that your assets are recoverable.
• It is the most trust minimal wallet compared to the rest of the options today. Unlike the other popular wallets where the user needs to trust the manufacturer that they will not push a malicious software update. With Cypherock X1, there is an additional protection against this problem since the X1 Cards once shipped cannot be updated by us. Hence even if there is a malicious software update hypothetically, it could only compromise the device but never the cards.

Security
1. It is open-source - https://github.com/cypherock.
2. It is audited by Keylabs that have found vulnerabilities in Ledger and Trezor hardware wallets before - https://cypherock.com/keylabs.
3. X1 Cards have EAL 6+ certified secure elements. You can set a PIN protection on top of them individually.
4. X1 Vault have a dual chip architecture and uses ATECC608A secure element, the same secure chip used by Coldcard.
5. It is one of the few hardware wallets with a reproducible builds as verified by WalletScrutiny - https://walletscrutiny.com/hardware/cypherockx1.

Website - https://cypherock.com

This is in continuation to the thread - https://asktom.cf/index.php?topic=5429275.0. The OP of the thread has left the company.

Thanks @dkbit98 for supporting this.

[o_e_l_e_o]

No Single Point of Failures as the private keys are never stored permanently in a single place giving it 10x more security than other hardware wallets.

This is just factually incorrect. One of the main weaknesses of every Shamir's secret sharing scheme is that they all have a single point of failure - the device which creates the shares in the first place and the device on which the shares are brought back together in order to recover the original secret. This is one of the biggest disadvantages of SSS over multi-sig, which (when used properly) truly has no single point of failure.

There is inherent protection against loss. As along as you have access to 2 out of the 5 components (either 2 X1 Cards, or 1 X1 Card and the X1 Vault), your assets are accessible. You can lose upto 3 components at the same time and still be sure that your assets are recoverable.

How? Let's say I am an average user, lose my vault, and you have gone out of business so I cannot purchase another vault. How do I recover my seed phrase from two or more cards? Bear in mind I am an average user who is unable to manually extract data from NFC cards, unable to clone and compile github repos, and so on. How do I recover my coins?

With Cypherock X1, there is an additional protection against this problem since the X1 Cards once shipped cannot be updated by us. Hence even if there is a malicious software update hypothetically, it could only compromise the device but never the cards.

You or an attacker doesn't need to be able to compromise the cards. I have to use the device to recreate my seed phrase in order to sign transactions. Compromising the device is sufficient to compromise my wallets.

[Yamane_Keto]

• There is inherent protection against loss. As along as you have access to 2 out of the 5 components (either 2 X1 Cards, or 1 X1 Card and the X1 Vault), your assets are accessible. You can lose upto 3 components at the same time and still be sure that your assets are recoverable.

If only 2 cards can access my coins then I need to protect the cards too, so if I lose 2 cards that means I lose my coins, and if I need X1 Vault with one of the cards then there is a central point of failure which is X1 Vault.
In addition, NFC is a short-range wireless connectivity which adds more problems because of wireless connection.

Can I extract wallet seed from the X1 Vault?

• It is going to support a non-KYC inheritance service that will allow your assets to be recoverable by your loved ones without Cypherock ever in a position to compromise user's assets. More on this soon!

Does this mean that it is similar to Ledger Recovery but is non-KYC? I advise any HW service to stay away from the complications of inheritance or the possibility of the user recovering his seed because it means that a third party will keep part of encrypted seed, which contradicts all the concept of hardware wallets.

[satscraper]

No Single Point of Failures as the private keys are never stored permanently in a single place giving it 10x more security than other hardware wallets.

This is just factually incorrect. One of the main weaknesses of every Shamir's secret sharing scheme is that they all have a single point of failure - the device which creates the shares in the first place and the device on which the shares are brought back together in order to recover the original secret. This is one of the biggest disadvantages of SSS over multi-sig, which (when used properly) truly has no single point of failure.

Agreed, despite the fact that basic procedure for SSSS is well-defined, AFAIK,  there is no standard for its algo/protocol.  Consequently, implementation can vary across different systems, potentially leading inconsistencies.  That is why any specific device-based or software wallet employing  SSSS presents  a single point of failure resulted from lack of standardization.

[rohanagarwal7]

This is just factually incorrect. One of the main weaknesses of every Shamir's secret sharing scheme is that they all have a single point of failure - the device which creates the shares in the first place and the device on which the shares are brought back together in order to recover the original secret. This is one of the biggest disadvantages of SSS over multi-sig, which (when used properly) truly has no single point of failure.

It means no single point of failure in private key storage. The only point of failure comes when the user is actually transacting with the X1 Vault and the card. Even in that case, the private key only exists in the temporary memory during transaction signing and the private key as a whole never touches the permanent storage. Also in most multisig wallet cases, if a single user is operating it, whether we like it or not, the user is using 2 wallets at the same time at the same place which defeats the purpose of multisig. And again, we are trying to build the best possible wallet for securing a single seed. You are free to use Cypherock X1 as part of a multisig wallet setup as well. Rather than comparing us with multisig wallets, a fair comparison is actually other hardware wallets.

How? Let's say I am an average user, lose my vault, and you have gone out of business so I cannot purchase another vault. How do I recover my seed phrase from two or more cards? Bear in mind I am an average user who is unable to manually extract data from NFC cards, unable to clone and compile github repos, and so on. How do I recover my coins?

We are building an open source Android and IOS apps that will do this. Here is a sample prototype for the same. Regardless, if you have the X1 Vault, you can always view the seed phrase with the help of another card. Also, we have answered this question on our FAQ page - https://cypherock.com/faq

You or an attacker doesn't need to be able to compromise the cards. I have to use the device to recreate my seed phrase in order to sign transactions. Compromising the device is sufficient to compromise my wallets.

Never did we say that this was enough. Compromising the device to steal the assets is not enough since the user will still need to use the cards along with the device atleast once. The PIN protection on the card is separately enforced on the card itself and the card have end-to-end encrypted session-based communication with the device. Which means, it also authenticates the device during communication.

By no means this is perfect but we think it adds a barrier against an insider attack. Additionally, we are open source and the firmware builds have been verified by Wallet Scrutiny - https://walletscrutiny.com/hardware/cypherockx1/

If only 2 cards can access my coins then I need to protect the cards too, so if I lose 2 cards that means I lose my coins, and if I need X1 Vault with one of the cards then there is a central point of failure which is X1 Vault.

There is a PIN protection on card also individually if set which protects against cases of collusion. You can lose upto 3 hardware components and still be fine since you can recover the assets from device + card or 2 cards. So no, you don't lose your coins if you lose 2 cards. Answering along the similar lines as I answered before, the only point of failure comes when you are actually transacting with the X1 Vault and the card. Even in that case, the private key only exists in the temporary memory during transaction signing and the private key as a whole never touches the permanent storage.

If you are comparing to multisig, in most multisig wallet cases, if a single user is operating it, whether we like it or not, the user is using 2 wallets at the same time at the same place which defeats the purpose of multisig. And again, we are trying to build the best possible wallet for securing a single seed. You are free to use Cypherock X1 as part of a multisig wallet setup as well.

In addition, NFC is a short-range wireless connectivity which adds more problems because of wireless connection.

There is encrypted NFC communication session established between the device and the cards before any sensitive message is exchanged. Not sure what the concerns are then. Also, I personally don't get the point of rallying against wireless connectivity. A hardware wallet is built keeping a threat model in mind. Atleast for Cypherock X1, we assume your PC and its communication medium with the wallet both are compromised and still the hacker should not be able to compromise the assets until you physically authorize a particular transaction.

Can I extract wallet seed from the X1 Vault?

No. The wallet seed is never permanently stored on the X1 Vault.

Does this mean that it is similar to Ledger Recovery but is non-KYC? I advise any HW service to stay away from the complications of inheritance or the possibility of the user recovering his seed because it means that a third party will keep part of encrypted seed, which contradicts all the concept of hardware wallets.

No. The seed will NEVER leave the secure hardware environment in our case ever. More on this soon when we release the specs on the same.

Agreed, despite the fact that basic procedure for SSSS is well-defined, AFAIK,  there is no standard for its algo/protocol.  Consequently, implementation can vary across different systems, potentially leading inconsistencies.  That is why any specific device-based or software wallet employing  SSSS presents  a single point of failure resulted from lack of standardization.

I agree, this is definitely one of the things we realize the industry needs badly. Our implementation is open source and we hope it gets adopted and standardized further. When we started building Cypherock X1, we looked into Trezor's implementation of Shamir backups but concluded that any implementation that is going to scale, needs to be BIP39 compatible to be adopted. Hence we had to develop our own implementation.

Though I don't think the lack of standardization is going to result in single point of failure. The code is always open source and BIP39 compatibility makes your seed interoperable with other wallets.

Regardless, you can always pair it with Multisig to standardize your key custody if that helps.

[moderator's note: consecutive posts merged]

[o_e_l_e_o]

The only point of failure comes when the user is actually transacting with the X1 Vault and the card. Even in that case, the private key only exists in the temporary memory during transaction signing

Which remains a single point of failure, so to claim there is no single point of failure is incorrect.

Also in most multisig wallet cases, if a single user is operating it, whether we like it or not, the user is using 2 wallets at the same time at the same place which defeats the purpose of multisig.

A multi-sig option at least has the option to use the wallets at different times in different places. SSS does not. If you think using two multi-sig wallets in the same place is a weakness, then that same weakness applies to SSS.

And again, we are trying to build the best possible wallet for securing a single seed.

A noble cause, but you should at least be honest in your marketing and not make factually incorrect statements to appeal to users who don't know any better.

We are building an open source Android and IOS apps that will do this.

That's good to hear. What's the time frame for these being released?

Compromising the device to steal the assets is not enough since the user will still need to use the cards along with the device atleast once.

If an attacker compromises the device with malicious firmware, then they just need to wait for the next time you want to make a transaction and tap one of your cards. Hence, a single point of failure.

Though I don't think the lack of standardization is going to result in single point of failure. The code is always open source and BIP39 compatibility makes your seed interoperable with other wallets.

The lack of standardization is a real problem with all SSS schemes. If your codebase disappears, there is a real risk users are unable to recover their coins. To be safe the user needs to personally download and store copies of your codebase, which is a significant hurdle for most average users.

[dkbit98]

Thanks @dkbit98 for supporting this.

No problem, but I am not supporting anything, I just tried to help with answering a question you asked me in private about old ANN topic and inactive member Nmnsth
Before asking any questions here everyone should also check the old topic.
That old topic should be locked now, and I reported it to moderators.

Cypherock X1 certainly have some interesting features, like ability to use it with multiple see phrases, and using multiple cards is not a bad idea compared to other hardware ewallets.
However, at this point I think Cypherock X1 is not fully ready to be used as main hardware wallet, unless you made some significant improvements from last time I checked.
Lack of support for Electrum and other third party wallets was one of the main deal breakers for me.

[rohanagarwal7]

Which remains a single point of failure, so to claim there is no single point of failure is incorrect.

Ok makes sense. Technically you are right. Updated the original post with the correct statement.

A multi-sig option at least has the option to use the wallets at different times in different places. SSS does not.

I agree. Though in our product, we can make some changes to enable sharing of the Shamir shares remotely from different places securely which solves the different places problem. Though it does not solve the different times problem, you can always couple the product with a multisig setup if you want that for yourself. Additionally, since with Cypherock X1 you don't need to maintain a seed phrase backup separately, it makes it easier for new users to create their multisig setups.

A noble cause, but you should at least be honest in your marketing and not make factually incorrect statements to appeal to users who don't know any better.

I don't think I made any factually incorrect statement apart from the nuanced take on the single point of failure. Since you mentioned statements, can you point me to others which you feel are factually incorrect?

That's good to hear. What's the time frame for these being released?

3-4 months is what we are seeing right now because we have requests for other other priority features by the current users. You can check our public roadmap here - https://cypherock.com/roadmap

If an attacker compromises the device with malicious firmware, then they just need to wait for the next time you want to make a transaction and tap one of your cards. Hence, a single point of failure.

As clarified above, the single point of failure is in the context of seed storage. If the hacker attacks any other hardware wallet physically, your assets could be compromised. But not with Cypherock X1, since the hacker will also need to physically find another card, compromise its security and only then he may be able to access the complete seed to compromise the assets.

Even in your example, the card authenticates whether it is communicating with a genuine device. If you have not already, I would recommend you to read the audit report to understand the security threat model of Cypherock X1 - https://cypherock.com/keylabs

The lack of standardization is a real problem with all SSS schemes. If your codebase disappears, there is a real risk users are unable to recover their coins. To be safe the user needs to personally download and store copies of your codebase, which is a significant hurdle for most average users.

As I said even if the codebase disappears, you can always view the BIP39 seed phrase and back it up separately if you think this is a risk for you on a personal level. You can argue the same risk for any other open source hardware wallet.

No problem, but I am not supporting anything, I just tried to help with answering a question you asked me in private about old ANN topic and inactive member Nmnsth

I meant that only. Otherwise, I have seen here people marking spams for similar posts. I just wanted to be sure what I am doing is right.

However, at this point I think Cypherock X1 is not fully ready to be used as main hardware wallet, unless you made some significant improvements from last time I checked.
Lack of support for Electrum and other third party wallets was one of the main deal breakers for me.

Can you list down features/support requests you would love to see on Cypherock X1 that would convince you to purchase it? Here is what I could infer -

• Electrum, PSBT support
• Multisig support

[moderator's note: consecutive posts merged]

[dkbit98]

Can you list down features/support requests you would love to see on Cypherock X1 that would convince you to purchase it? Here is what I could infer -

• Electrum, PSBT support
• Multisig support

Here is what I don't like at Cypherock X1 wallet, other than lack of support for Electrum (Sparrow wallet and other third party wallets) and multisig setup.
Price is a bit more expensive than other alternative hardware wallets, there is no support for full Bitcoin node, no signing messages, one account for coin, no coin control.
ATECC608A secure element is a bit outdated and it has some security issues, so it probably should be updated with newer model.
I am not saying Cypherock X1 is bad, but I never used it and I can't really say more about negative/positive things.

[rohanagarwal7]

Here is what I don't like at Cypherock X1 wallet, other than lack of support for Electrum (Sparrow wallet and other third party wallets) and multisig setup.

This is coming soon. Probably in the next couple of months I will announce it here itself.

Price is a bit more expensive than other alternative hardware wallets,

I would say it equivalent to Foundation devices. But we will try to reduce the price even further as we scale up the manufacturing.

there is no support for full Bitcoin node

Electrum support will enable this automatically.

no signing messages

We are releasing the SDK soon. That will solve this as well. Expect it to be supported by August.

one account for coin

This is already supported multiple accounts for a single seed phrase. We already support passphrase as well.

no coin control.

Electrum support will enable this also automatically.

ATECC608A secure element is a bit outdated and it has some security issues, so it probably should be updated with newer model.

This will get upgraded soon as well.

[/quote]

[thebitcoinhole]

Hi, we added Cypherock X1 to our website, so you can compare it against other 39 hardware wallets.

https://thebitcoinhole.com/

[rohanagarwal7]

We got reviewed by Athena Alpha - https://www.athena-alpha.com/cypherock-x1-review/

[DaveF]

Obligatory questions.

1) Where is the device made?

2) Where are the cards made?

3) What security do you have in place to prevent supply chain attacks?

4) What security do you have in place to prevent device attacks?

I have a bunch of reasons not to like ColdCard. BUT they really did it right in the fact that their devices are transparent. If you take it apart and tamper with it there is at least the chance I may notice it.
With all the other 'black boxes' there is a much smaller chance.

But, I do like SSS. Others may not, but I have been using it on and off for years.

-Dave

[rohanagarwal7]

1) Where is the device made?

India. We package the complete product also in India.

2) Where are the cards made?

In Singapore by NXP Semiconductors.

3) What security do you have in place to prevent supply chain attacks?

You can read it here - https://docs.cypherock.com/security-overview/physical-attacks/supply-chain-attack

4) What security do you have in place to prevent device attacks?

You can read it here - https://docs.cypherock.com/security-overview/introduction

I have a bunch of reasons not to like ColdCard. BUT they really did it right in the fact that their devices are transparent. If you take it apart and tamper with it there is at least the chance I may notice it.
With all the other 'black boxes' there is a much smaller chance.

I disagree that it really helps enough. The tampering is usually on a chip level which is very hard to even notice. We use tamper proof seal on the packaging and Ultrasonic welding for the enclosure - https://docs.cypherock.com/design-decisions/cypherock-x1-hardware-architecture/using-ultrasonic-welding-for-the-x1-vault-enclosure

[rohanagarwal7]

Cypherock X1 now ships with a Hard Case - https://twitter.com/CypherockWallet/status/1719697106984972728

• Comes FREE as part of the packaging
• Is a Faraday Cage to protect against unintended EM waves
• Use it to keep other hardware wallets along with your Cypherock X1 safe against scratches
• It is Dust & Water Resistant

[Pmalek]

Maybe you should add a note on your official shop that the case is included if you buy the hardware wallet.
https://www.cypherock.com/product/cypherock-x1/

Currently, it's not mentioned that you get a hard case as well. There is an image of the case, but no additional details. Perhaps the heading could say 1x X1 Vault, 4x X1 Cards + 1x Hard Case (while stocks last).

[rohanagarwal7]

Maybe you should add a note on your official shop that the case is included if you buy the hardware wallet.

Makes sense. Thanks.