Today we’d like to propose a brand new form of self custody, the Time Locked Multisig wallet. While the explanation for this new type of wallet setup is a bit different, it solves one of the only remaining critical flaws we have in today’s self custody setups.
After 15 years of bitcoin, Software Wallets, Hardware Wallets and Multisig Wallets are the three main ways most people as well as serious companies with hundreds of billions of dollars of bitcoin, self custody their funds.
Despite this, even multisig wallets still don’t fully protect your funds under the extrema risk scenarios of where thieves break in / kidnap you and use physical duress and force you to give them your funds.
The general attack scenario we're referring to is where one or more thieves break in and threaten you and/or your family with a gun, knife, whatever. Even with a multisig setup, they can simply drive you at gun point and obtain your other keys. Does geographically distributed multisig make this task harder? Absolutely. Does it fully protect your funds? No. This is a critical flaw that no one seems to be addressing in a sufficient manor.
Self Custody: A double Edged Sword
We want users to have full custody and control over their funds with no trusted third parties and Bitcoin can give you that capability like no other asset can. But with great power comes great responsibility and even with a multisig wallet setup, criminals may still knock at your door and do you harm to get at those funds.
Fully seeding that control to a third party that specializes in secure custody and protection of valuable assets like a bank solves the problem, but now we’re just back at square one trusting third parties.
Worse still, if everyone eventually allows banks to custody their massive bitcoin funds in the future it opens the door to seizure from governments or confiscation of funds due to whatever “reason” the bank comes up with.
Space Locked Multisig
It’s recommend with a 2-of-3 multisig wallet that you store each of the keys at separate locations. This locks you out of being able to spend any funds until you physically go and retrieve a second key from some distance. This distance can be small or large and can be thought of as a “spacial lock” on your funds.
If it’s a small distance, say 10-100 miles away, then it’s moderately effective as a deterrent when dealing with the physical threat of duress. However assuming we’re talking about significant funds here, criminals can just drive you at gun point to where ever the second key is located and still steal all your funds.
If it’s a large distance, say 1,000-10,000 miles away in a different country, then this does make it all but impossible for the criminals to tag along as they’d have to pass through country borders which usually have numerous armed guards. However now you cannot access your funds without complying with local government rules. Access to your funds is now at the mercy of the state, which isn’t the best result.
In order for a space locked multisig setup to fully resist this type of physical threat of duress, it must force the attackers to pass through a location with specialized security and protective services. Armed guards. 24/7 surveillance. Steel reinforced locked vaults. In essence, a bank.
Not only that, but they must not be able to get 2 of the keys without passing through at least one of these types of locations. For example, if you keep 1 key at home, 1 in a bank vault and 1 at a families home they can just use your home and family keys.
For full protection, you must keep 1 key at home and the other 2 in a bank or banks. This however then lands us straight back at square one again as a private bank company now has your private keys. If so forced by the state, it can seize all your funds.
Time Locked Multisig
As it seems clear that limiting your control over the funds in the space domain doesn’t work, we would like to propose a new type of multisig wallet setup, one that limits control using not just space, but also time. We call this a Time Locked Multisig (TLM).
A TLM functions just like a regular multisig wallet, but adds further restrictions on when funds can be spent. Let’s have a look at how a 2-of-3 TLM might work:
- Funds are time locked for whatever period the user desires, for example 1 year
- Even if you have 2 keys, funds are not spendable until the time lock expires
- If all 3 keys are used, the user can override the time lock and spend the funds immediately
So why the extra complexity? Well imagine you put a time lock on your 1 BTC UTXO that says it can only be spent after 1 year. You store 2 of the keys in regular environments such as at your home and a friends place.
The 3rd is stored in a location that is specialized in protecting valuable assets. This could be a bank, a bank safety deposit box or any other third party company that has a bank grade level secure location with 24/7 armed guards and check points.
Note: While many people detest banks now, taking deposit of and protecting valuable assets like gold is one of the main reasons they were created and has been a valuable service for many thousands of years. There is also no need to trust the bank as they only have 1 key, which is not enough to spend any funds.
This setup fully protects you from a physical duress attack. Even if a gang of criminals breaks into your home and holds a gun to your families head demanding “all your Bitcoin” they only have two options to get it:
- Retrieve 2 keys from separate locations and wait 1 year for the time lock to expire
- Retrieve 2 keys from separate locations and then also break into a bank grade secure location to obtain the 3rd key so they can override the time lock
This we think is enough security to stop even the most motivate criminals. These time locked coins are also fully provable via on chain, immutable data too. So even with a gun to your head, you have iron clad proof to show them that even with 2 private keys in your hands, you can’t send the criminal any funds.
Furthermore, if the criminals break in and steal 2 keys, you simply go to your bank and get the 3rd key. With all 3 keys you can now override the time lock and instantly move the funds to a new address. Meanwhile the criminals 2 keys cannot send any funds until the 1 year time lock is up making them worthless. You would also do this if you wanted to spend your 1 BTC instantly.
As the bank company only ever has 1 of the 3 keys it’s also useless on its own, no amount of government control or seizure can take your funds. If that same bank bans you or withholds access to your 3rd key for any reason, you simply wait until the time locks pass and you have your funds again without having to trust any third parties.
While in our example we’ve locked up 1 BTC for 1 year, you could splice and dice the amounts and time locks however you wish! For example, that same 1 BTC could be time locked in four separate UTXOs:
- 0.5 BTC spendable after 1 year
- 0.25 BTC spendable after 6 months
- 0.15 BTC spendable after 1 month
- 0.1 BTC spendable after after 1 week
After each tranche of coins passes its time lock and becomes spendable, you can then spend them with just 2 of the 3 keys and “refresh” the time lock. Another way is to have a rolling stock, so that 1 BTC is spliced up into 10 x 0.1 BTC UTXOs and time locked in rolling 1 month intervals.
If you have a 3-of-5 TLM, then you would still store 1 key in a bank grade protective environment and you would need 3 keys to spend funds (after the time lock has expired) and all 5 keys to spend funds instantly. If you lose a key at any point, you’re funds are still safe as you can spend them after the time lock expires.
Future Self Custody
12 years ago mobile wallets didn’t exist. 10 years ago seed phrases, hardware wallets and multisig wallets all didn’t exist. Who knows what amazing tech we’ll have in another decade.
TLMs take the excellent spacial locking that geographically distributed private keys provide and combines it with temporal locking to prevent all known threats whilst still ensuring full self custody is maintained and no trusted third parties are required.
This type of multisig setup doesn’t exist at the moment, but as best we can tell, it doesn’t require any soft or hard forks of Bitcoin to enact. New wallets like Liana (which is in Beta at the moment) already use time locks for different reasons and Blockstream Green already has some server side time locks via their 2FA implementations that are similar in nature to this.
Obviously TLMs would only be for those with serious funds, just like regular multisig is now, but as bitcoins price inevitably increases and it gains major widespread use we expect instances like below to only increase in frequency.
This Monday, a middle-aged Swedish couple was tied up in their home and robbed by 4 masked men. They were physically abused and threatened with their own kitchen knives. They were tied up for hours and one had to be escorted to the hospital via helicopter. One of many in Sweden
You’re Not Setup For Serious Physical Attacks
A final point is that while we suggest this setup for those with “serious funds”, depending on who you are, that might not be nearly as much money as you think it might be. While most might instantly assume it’s only for high net worth individuals or businesses with millions or even billions of dollars worth of Bitcoin, you have to think about it from the thieves point of view.
Even a moderate amount of bitcoin (eg. 0.25 BTC worth ~$9,000 USD) is a lot of money to a lot of people and will motivate many criminals to do some horrendous things. As long as the above tactic works and rewards the criminals with thousands of dollars, the behavior will continue and likely flourish.
Maybe you’ve got guns a plenty and scream “come get some!” while you lather yourself in mud to avoid their thermal cameras, but even that might not be enough for a group of armed criminals given you’ve effectively got a bounty on your head equal to how much bitcoin you custody.
Multisig obviously helps, but again, criminals motivated by a huge bounty (even a few thousand dollars) could hold your family hostage while they force you to take them to retrieve the other keys. You likely are not specialized in armed conflict with a bank grade home and even if you’re a full on Command Sergeant Major in the army, there’s only so much 1 person can do against literally unlimited others.
TLMs we think, if implemented with a simple and clear user experience, could potentially become the standard way people self custody their bitcoins in the future, just like how hardware wallets are now. If everyone implements it as part of a normal Bitcoin savings and investment strategy, then it will significantly help mitigate this final major risk of physical duress.
If it’s eventually cheap, easy and everyone does it then fewer and fewer attacks will be successful which will discourage future instances. This will in turn ensure more people, both rich and poor fully self custody their funds without seeding the job to trusted third parties.