Pages:
Author

Topic: Introducing Cypherock X1, World's first hardware-based MPC Wallet (Read 360 times)

jr. member
Activity: 59
Merit: 30
Apologies, I am not that used to Bitcointalk and hence forgot about the pagination.

Quote
You don't store it yourself, but does that mean that someone else might store it for you?
Like other wallets, there are services like Analytics and others we use currently that require collection of data.

Quote
You don't mention in your Privacy Policy for how long the data is stored and after how long it gets deleted or anonymized:

Yes, the privacy policy is going to be updated soon. We intend to delete the geographical addresses and contact info within 30 days from the date of delivery. We intend to keep the name and email to communicate important announcements like security patches or major feature releases.

Quote
How much time needs to pass before a customer can request to have all its data removed from your servers and offline copies (if they exist)? What does the local law require you do in terms of how long the data needs to be stored?

We are a Singapore incorporated company. As far as I know, like every other company, we would need to maintain the invoices for company compliance for atleast 5 years. Read - https://www.iras.gov.sg/taxes/corporate-income-tax/basics-of-corporate-income-tax/record-keeping-requirements
jr. member
Activity: 59
Merit: 30
Hello everyone,
I am the cofounder of Cypherock wallet. I am moving this thread to a new post as the current OP is no longer working with the company. Please continue the discussion here - https://bitcointalksearch.org/topic/cypherock-x1-shamirs-secret-sharing-based-hardware-wallet-5459720

Thanks @dkbit98 for supporting this.
legendary
Activity: 2730
Merit: 7065
We never store the IP addresses. After the db hacks that other wallets faced, we don't store any information ourselves that will reveal personal information about the user. You can find our latest privacy policy here - https://www.cypherock.com/privacy
You don't store it yourself, but does that mean that someone else might store it for you?

I took a look at your Privacy Policy and here are a few interesting points:

Quote
Depending on the purposes stated above, we may collect the following types of information:

- Information that you provide us with: When you purchase a product or service from Cypherock, we collect, as part of the buying and selling process, the personal information you submit during your purchase, including:

Your surname and first name;
Your contact information such as your address, email and telephone numbers;
Your financial information such as your credit/debit card number.


- Information resulting from your activity on our Website: We receive and store certain types of information every time you interact with us. For example, like many websites, we use Cookies and we obtain certain types of information when your Web browser accesses our Websites and other content provided by or on behalf of Cypherock on other websites. We may therefore also collect the following Data from you:

IP address (automatically collected);
Web browser type and version (automatically collected);
Operating system (automatically collected);
Your browsing history to and from the Website;

You don't mention in your Privacy Policy for how long the data is stored and after how long it gets deleted or anonymized:

Quote
RETENTION OF PERSONAL DATA

7. The retention period of Personal Data processed by Cypherock may vary depending on common practice, the documents considered in accordance with the legal obligations and the applicable limitation rules.

With regard to credit card data, Cypherock uses payment services providers that manage transaction data in accordance with strict security rules applicable to online payments via encryption methods.

8. All Personal Data is securely stored on our servers in accordance with industry standards and the GDPR. For more details on the security measures implemented, please refer to the section “Security” below.

Personal data can also be shared with 3rd-parties who might collect it:

Quote
10. To allow access to certain payment methods, we use third party providers that may also collect Personal Data. In this case, such service providers are responsible for the collection and processing of Data for the provision of the service. Please refer, if necessary, to their own privacy policy.

To be fair, you do mention that the data used by 3rd-parties is only in connection to the services you provide:

Quote
11. All Personal Data used by these third parties is used solely for the purposes of the services provided at our request. Any use for other purposes is strictly prohibited.

How much time needs to pass before a customer can request to have all its data removed from your servers and offline copies (if they exist)? What does the local law require you do in terms of how long the data needs to be stored?

Quote
15. You have the right to request access to your Personal Data, their rectification or erasure, as well as the right to request the restriction of the processing or to object to the processing.
You also have the right to withdraw your consent at any time, in particular to have your data no longer processed for the purpose of marketing by electronic means.

https://www.cypherock.com/privacy
newbie
Activity: 21
Merit: 20
Quote
How about information like IP addresses and transactions that are registered by Cypherock server?
We never store the IP addresses. After the db hacks that other wallets faced, we don't store any information ourselves that will reveal personal information about the user. You can find our latest privacy policy here - https://www.cypherock.com/privacy

Quote
I can't follow everything myself so please post any Cypherock update changes in this topic, when they are released.
Thank you.
Sure, will do.
legendary
Activity: 2212
Merit: 7064
information about accounts, history, and transactions are never stored on the device or cards. They are only available with the desktop companion (CySync) application.
How about information like IP addresses and transactions that are registered by Cypherock server?
Since there is no way to run full node with Cypherock or use any alternative software client like Electrum at this point, this would mean that privacy is not very good.
Is this information being saved anywhere and for how long?

I can understand. These are things that are part of the roadmap already.
I can't follow everything myself so please post any Cypherock update changes in this topic, when they are released.
Thank you.
newbie
Activity: 21
Merit: 20
Quote
So can you tell us what exactly is stored on actual Cypherock device?

There must be some data and information about accounts, history, transactions, so I wonder is that stored on device or also on cards?

1. The device is the processing house to provide coin-specific functionality. The permanent storage of all the account secret is on the cards. To provide some authenticity check, the device stores private keys of its own in the Secure chip (ATECC). Apart from that, the device also stores some session keys specific to enable a secure execution environment.
2. The device has access to PIN (and its subsequent hash) only for a short duration (one session) of time in its RAM. No information about PIN is stored on the device. Whenever a user enters PIN it is erased right after it's used. The cards store the double hash of the PIN permanently to provide an authentication mechanism whenever someone tries to access the user data on the card. The storage of PIN digest on the card is fully managed by JCOP OS that is EAL 5+ certified which provides in-built safety even from side-channel attacks.
3. If the user has set a PIN, then the shard is first encrypted and then stored in the NVM. If there is no PIN, the shard is stored as it is. The decryption is done using the first hash of the PIN. The handling of PIN is unaffected by this bahaviour since the nonce for encryption is stored on the cards. The nonce for encryption acts as salt for the encryption along with hash of PIN.
4. information about accounts, history, and transactions are never stored on the device or cards. They are only available with the desktop companion (CySync) application.


Quote
I get the point that you wanted to achieve simplification with PIN code, but watching all Cypherock review videos I still think it's a bit complicated to handle and tap all those cards multiple times.

I agree that these are minor UX issues at this point. This is what we are currently solving at the moment. This will get improved in another month.

Quote
Few more negative things I noticed about Cypherock X1 and I want to see this being added in future, there is no support for Multisig, no support for full Bitcoin node, no signing messages, only one account for coin, and no coin control.

I can understand. These are things that are part of the roadmap already.
newbie
Activity: 21
Merit: 20
Quote
That also makes it less secure and exponentially easier to brute force compared to a passphrase of let's say 8 random words.

Not if it is backed by strong tamper-resistant hardware security which has brute force prevention mechanisms. We use smartcards that have been battle-tested in the banking industry for more than 50 years. Regardless, you can still use a passphrase with the product if you value that more for the security of your assets even with Cypherock X1.

Quote
I knew you would say that, and it's, of course, in your best interest to sell as many as possible. Buyers would obviously want to buy only one and have it work for a lifetime.

Not necessarily. Also, the same could be argued for any other hardware wallet.

Quote
Does that mean that the recovered seed in that case pops up on the screen of your cell-phone or is shown in some native software environment by Cypherock? 

This is more relevant in the case if ever Cypherock goes out of business. We will have our own open-source IOS and Android apps as well for this. But the seed phrase can be recovered directly on the smartphone without our assistance directly from the cards when you enter the correct PIN if set. Although it is definitely not recommended for your hardware wallet seed phrases and should be used only if Cypherock ever goes out of business.
legendary
Activity: 2212
Merit: 7064
PIN in our case is never stored on the device, it stored on the X1 cards that are EAL 5+ certified. The share on the device is encrypted too which is decrypted only when the card is unlocked. Hence, even if someone hacks the device, they cannot brute force the PIN.
Interesting.
So can you tell us what exactly is stored on actual Cypherock device?
There must be some data and information about accounts, history, transactions, so I wonder is that stored on device or also on cards?

I get the point that you wanted to achieve simplification with PIN code, but watching all Cypherock review videos I still think it's a bit complicated to handle and tap all those cards multiple times.
Few more negative things I noticed about Cypherock X1 and I want to see this being added in future, there is no support for Multisig, no support for full Bitcoin node, no signing messages, only one account for coin, and no coin control.
legendary
Activity: 2730
Merit: 7065
PIN can be remembered also which makes it exponentially better than seed or passphrase.
That also makes it less secure and exponentially easier to brute force compared to a passphrase of lets say 8 random words. Relying on your memory is also not recommended especially when a person gets older.

The idea is it is much easier to hide in plain site it than the 24 words which has higher pattern matching as seen recently. Additionally, with securing the seed phrases, the more obscure the setup is, the harder it is to make it inheritable.
No argument there.

Not required since you can buy another device, and it will function like the old device.
I knew you would say that, and it's, of course, in your best interest to sell as many as possible. Buyers would obviously want to buy only one and have it work for a lifetime.

Else, you can also recover back your seed phrase from the two cards with the help of an NFC-enabled smartphone.
Does that mean that the recovered seed in that case pops up on the screen of your cell-phone or is shown in some native software environment by Cypherock? 
newbie
Activity: 21
Merit: 20
Quote
PIN code is saved on device and that means that it can be hacked and extracted, it's just a matter of time when this will happen.

PIN in our case is never stored on the device, it stored on the X1 cards that are EAL 5+ certified. The share on the device is encrypted too which is decrypted only when the card is unlocked. Hence, even if someone hacks the device, they cannot brute force the PIN.

Quote
Advantage of additional passphrase compared to PIN code is that it is not stored anywhere on device and there is nothing that can be hacked.

But you can bruteforce the passphrase compared to PIN which is dangerous if it is a short pass phrase. Passphrase we don't recommend to basic users. At the same time, if you want, you can setup the passphrase on our wallets as well.

Quote
I am not saying PIN codes are bad for hardware wallets, but I wouldn't trust them to keep my coins safe.

I think it comes down to personal preference. Since there is the geographical distribution of the cards as well in our case, there are users who don't even set a PIN and rely on the geographic distribution as a security mechanism.
newbie
Activity: 21
Merit: 20
Quote
It's much more complicated and time-consuming to recover different seeds, but one alternative could be having multiple hidden wallets protected by unique passphrases. The recovery takes more time, but it works. 

The product supports passphrases. So if you find that easier for yourself, you can do that as well. It is just that we do not recommend setting up of passphrases for most users. The areas where they can make a mistake are just too many.

Quote
An unauthorised entity getting hands on seedphrase backup can drain you out as they are so easy to recognise and the only component needed to wipe you out. If you extend the seed with a long and secure passphrase and keep the two separate, nothing can happen even if your seed is found.   

Isn't that a problme? You have to backup the seed phrase and the passphrase both securely now. If you lose one, the other becomes useless.

Quote
You can make the same point for a seed or a passphrase even if they take up some more room. People make bodies disappear, a piece of paper with 24 words written on it shouldn't be that difficult.

PIN can be remembered also which makes it exponentially better than seed or passphrase. The idea is it is much easier to hide in plain site it than the 24 words which has higher pattern matching as seen recently. Additionally, with securing the seed phrases, the more obscure the setup is, the harder it is to make it inheritable.


Quote
They should obviously make that backup asap to not run into problems of not being able to access their seeds if the device breaks or malfunctions. 

Not required since you can buy another device, and it will function like the old device. Else, you can also recover back your seed phrase from the two cards with the help of an NFC-enabled smartphone.
legendary
Activity: 2212
Merit: 7064
PIN Backups which are 4-8 character long can be hidden indistinguishably anywhere. As compared to seedphrase backups which are exponentially much more difficult to hide.
PIN code is saved on device and that means that it can be hacked and extracted, it's just a matter of time when this will happen.
Advantage of additional passphrase compared to PIN code is that it is not stored anywhere on device and there is nothing that can be hacked.
I am not saying PIN codes are bad for hardware wallets, but I wouldn't trust them to keep my coins safe.

User can export seedphrase from X1 and it takes under a minute to do so. X1 being BIP-39 compatible means it works with all the mainstream software and hardware wallets and users can seamlessly shift from X1 to any other wallet, or vice versa.
OK, it's clear now.
Thank you for explanation.
legendary
Activity: 2730
Merit: 7065
It's much more complicated and time-consuming to recover different seeds, but one alternative could be having multiple hidden wallets protected by unique passphrases. The recovery takes more time, but it works. 

An unauthorised entity getting hands on seedphrase backup can drain you out as they are so easy to recognise and the only component needed to wipe you out.
If you extend the seed with a long and secure passphrase and keep the two separate, nothing can happen even if your seed is found.   

PIN backups are almost impossible to find if hidden properly.
You can make the same point for a seed or a passphrase even if they take up some more room. People make bodies disappear, a piece of paper with 24 words written on it shouldn't be that difficult.

User can export seedphrase from X1 and it takes under a minute to do so. X1 being BIP-39 compatible means it works with all the mainstream software and hardware wallets and users can seamlessly shift from X1 to any other wallet, or vice versa.
They should obviously make that backup asap to not run into problems of not being able to access their seeds if the device breaks or malfunctions. 
newbie
Activity: 21
Merit: 20
I don't think that PIN codes are bulletproof protection, and it's possible that someone could hack it much easier than 12/24 seed words.
The underlying security of BIP-39 Seedphrases is exactly the same for all the wallets. PINs are just the top layer security to prevent anyone from getting into the device. What i meant by seedphrase being single point of failure was: Not Seedphrases but Seedphrase backups are a single point of failure. Anyone getting access to your backup can wipe you out completely. Here is a great example that happened recently.

https://twitter.com/lopp/status/1604599964713328640

PIN Backups which are 4-8 character long can be hidden indistinguishably anywhere. As compared to seedphrase backups which are exponentially much more difficult to hide.

An unauthorised entity getting hands on seedphrase backup can drain you out as they are so easy to recognise and the only component needed to wipe you out. PIN backups are almost impossible to find if hidden properly. On top of that, even with access to PIN, attacker needs atleast 2 components of the wallet in order to break into your funds.

Quote
Can I still use the seed words I used on Cypherock wallet and import them in some other brand of hardware wallet, let's say Trezor, should everything work fine or they are useless without PIN?
User can export seedphrase from X1 and it takes under a minute to do so. X1 being BIP-39 compatible means it works with all the mainstream software and hardware wallets and users can seamlessly shift from X1 to any other wallet, or vice versa.

Here is how you can do so: https://www.youtube.com/watch?v=0W22TcY8MtQ
 
Quote
Just wondering if you can tell us how big Cypherock team is, I mean how many developers you have that are working on firmware, code and everything else?
Cypherock currently is 20+ member team. 
legendary
Activity: 2212
Merit: 7064
PIN backups are not single point of failure like seedphrases [ IMPORTANT ][/b]
Single point of failure means that if you lose your PIN code, your funds are lost.
I don't think that PIN codes are bulletproof protection, and it's possible that someone could hack it much easier than 12/24 seed words.
Can I still use the seed words I used on Cypherock wallet and import them in some other brand of hardware wallet, let's say Trezor, should everything work fine or they are useless without PIN?

I agree, since we are a new player in the market. There is a lot of features that we need to implement and that's why our product roadmap is jampacked(currently not public, will be soon).
Just wondering if you can tell us how big Cypherock team is, I mean how many developers you have that are working on firmware, code and everything else?
newbie
Activity: 21
Merit: 20
I am sure I saw something like this posed on Technical Specifications section of main page, posted under Power and Battery subsection.
Thank you for flagging it. Will do the needful to prevent further confusion.

Quote
I finished watching Crypto Guide video and other Cypherock video reviews, and I have to say that I don't like single point of failure that makes wallet unusable if PIN code is lost or forgotten.
There are considerable benefits of PIN backup over solutions opted by other wallets:
1. Backuping up PIN is 100x easier than backing up seedphrases. (Like mandatory in all the rest of the wallets)
  • Easier to write, no mis-writing mistakes.
  • Easier to store. Need smaller space.
2. PIN backups are not single point of failure like seedphrases [ IMPORTANT ]
  • PIN backup can be taken at 'n' number of places as it is not a single point of failure.
    Same cannot be said with seedphrases. User cannot take 'n' number of backups as losing any one of them is catastrophic.

That being said, we agree with Crypto guide's point of view. Therefore, we are redesigning our onboarding flow so that there is a substantial warning while user sets up the PIN. It will be same as other wallets give a substantial warning to backup your seedphrase.

Once our Inheritance Solution is released. Forgetting PIN won't be a problem as our Inheritance Solution will take care of it. (More on it on it's launch)


Quote
Some other things really need to be improved if you want to compete with all other hardware wallet manufacturers, and I hope to see software updates and compatibility with other wallets (like you said before for Electrum).
I agree, since we are a new player in the market. There is a lot of features that we need to implement and that's why our product roadmap is jampacked(currently not public, will be soon).
newbie
Activity: 21
Merit: 20
This really is an interesting concept compared to what other hardware wallet brands do. Instead of resetting to factory settings and recovering a different wallet from seed, users could simply switch between them and save plenty of time. But imagine how many different backups you would have to make and how many new physical locations you would have to keep them in if you started using 4 different wallets with their own unique seeds?

This is the exact problem we are trying to solve. Current self custody solutions have tons of limitations. For a start, there is no portfolio management tools in self custody solutions. If a user wants to manage multiple portfolios they need to buy multiple hardware wallets and computer setups, in order to do so. From our interaction with users we found a few interesting customer profiles facing this issue. Let me mention couple of them.
  • Bitcoin Maxi but likes testing Smart contracts on other chains: Because of the faith in security of Bitcoin ecosystem, users liked to keep their wallet containing Bitcoin funds separate from other chains. To do so, users had to maintain multiple device setups, one for bitcoin and one for other chains.
  • Web3 Startup Founders/ VC Partners: Founders usually are responsible for managing their personal funds along with company funds. This is problematic is current solutions but with X1, they can create multiple wallets with separate seedphrase, each for different portfolios from one setup and use them separately in a sandboxed manner. No need to maintain excel sheets to keep track of your portfolio.
    Additionally, They can create sub portfolios. Like Marketing funds, development funds, Legal funds,s, etc. using multi-account feature.(Scheduled for January Release)
    You can read more one it here: https://www.cypherock.com/features/portfolio

Quote
3 backups per seed takes the total up to 12. Add passphrases to that mix (if you use them) and you will have to buy/rent more properties or get more friends and family. Grin
Precisely, seedphrase backup is the sole limiting factor for self custody solutions making bigger leaps in terms of innovation. We believe our solution has solved core problem of self custody. As you mentioned finding 12 secure places to store plain text seedphrase is quite a tedious task for a users. But with Cypherock X1, you have Zero Seedphrases and you can distribute X1 cards to any geo location or trusted person without ever worrying about that entity being able to read your private keys.
legendary
Activity: 2730
Merit: 7065
It was strange to me so I didn't really understand if device is powered with USB or with some internal battery.
Maybe you need to rephrase it or explain what that means exactly... if there is no battery why posting word Battery at all?
They should remove the word 'battery' to avoid further confusion since the device has no battery. The hardware wallet has a 5V USB input that matches the electricity supply of computer USB ports that is usually 5V as well. 
legendary
Activity: 2212
Merit: 7064
We were never using a battery in the hardware wallet. Can you point out the link where you saw this?
I am sure I saw something like this posed on Technical Specifications section of main page, posted under Power and Battery subsection.
It was strange to me so I didn't really understand if device is powered with USB or with some internal battery.
Maybe you need to rephrase it or explain what that means exactly... if there is no battery why posting word Battery at all?


https://www.cypherock.com/

I finished watching Crypto Guide video and other Cypherock video reviews, and I have to say that I don't like single point of failure that makes wallet unusable if PIN code is lost or forgotten.
Some other things really need to be improved if you want to compete with all other hardware wallet manufacturers, and I hope to see software updates and compatibility with other wallets (like you said before for Electrum).
newbie
Activity: 21
Merit: 20
Quote
I saw you are using 500mA battery for Cypherock and I wonder can you say what that model is exactly?

We were never using a battery in the hardware wallet. Can you point out the link where you saw this?

Quote
Some people would like to replace it when it gets dead, but I don't know how complicated is to open your hardware wallet, and would this break anything or make it unusable (not counting warranty void).

Don't recommend opening the hardware since it is ultrasonic welded. Better would be to buy another device or recover the private keys from the cards through an NFC enabled smartphone.

Quote
I am just watching reviews about Cypherock available on youtube, including most recent with Crypto Guide, so I will comment more about it later.

Sure thanks.
Pages:
Jump to: