Cryptography Archives - Wasabi Wallet - Blog
https://blog.wasabiwallet.io/tag/cryptography/

What is the Difference Between a Passphrase and a Password?
https://blog.wasabiwallet.io/what-is-the-difference-between-a-passphrase-and-a-password/ (Tue, 12 Dec 2023 10:39:51 +0000)

When taking care of your bitcoin self-custody, the last thing you want is to lose access to your wallet because you confused the terms and didn’t back up properly. Let’s make sure that doesn’t happen by answering a few questions: What is a passphrase? What is a password? What is the difference between the two?

A BIP39 passphrase is an additional layer of protection for your bitcoin wallet; it acts as the 13th word to your 12-word seed phrase, or the 25th word if you have a 24-word seed phrase. If you lose your passphrase, you will lose access to your wallet and won’t be able to recover your funds.

A bitcoin wallet password is a way to lock your wallet application. In the case of Wasabi Wallet, it is the same thing as the BIP39 passphrase. In most other wallets, however, the password only locks the application: losing it locks you out of the app, but you can still recover your funds from your seed phrase without it.

In this article, we will explain what BIP39 is, the benefits and tradeoffs of passphrases, how to properly back them up, and how they differ from regular passwords.

What is BIP39?

BIP39 is a bitcoin improvement proposal from 2013 that revolutionized the way bitcoin wallets work. Here’s the description straight from the BIP:

“This BIP describes the implementation of a mnemonic code or mnemonic sentence — a group of easy-to-remember words — for the generation of deterministic wallets.”

Today, BIP39 is the standard for how bitcoin wallets work. You create a wallet and you get a set of words, often 12 or 24, and if you back up those words, you can retrieve your wallet anywhere, anytime.

But what if someone other than you finds your seed phrase backup? They would have instant access to your money, and you wouldn’t be too happy about it.

What can be done to solve this problem?

What is a Passphrase?

To add an extra layer of protection to your wallet, you can add a passphrase to protect your seed phrase. This passphrase can be anything you want; any combination of alphanumeric and special characters of any length.

When you set up Wasabi Wallet, you’ll be asked to enter a passphrase. This is a BIP39 passphrase, and you should take the time to understand that you will need this passphrase every time you want to use your wallet, and if you lose it, you will lose access to your funds.

As long as you understand and accept the tradeoff of losing access to your funds if you lose your passphrase, you’re ready to use it. Just make sure you back it up properly.

How to Properly Back Up a Passphrase

First, remember why you’re using a passphrase in the first place: to protect your seed phrase. The first step to properly handling your passphrase backup is to keep it separate from your seed phrase backup.

Then, you should test your passphrase and your full wallet backup before sending a significant amount of money to your wallet. Also, make sure you’re comfortable with the recovery process. 

Some people may tell you that you shouldn’t write your passphrase down anywhere and that you should memorize it, but they’re dead wrong. You should never make your memory your single point of failure, unless you have no choice, like crossing a border in a war zone.

So is there a difference between passphrases and passwords?

The Difference Between a Passphrase and a Password

The answer is that it depends on the wallet. In the case of Wasabi Wallet, there is no difference between a passphrase and a password; the two terms are used interchangeably.

However, in many other wallets, such as Blue Wallet, a password is not part of your wallet; it is just a way to protect access to the application. This means that if you restore your wallet from your seed phrase backup, you won't be asked for your password to access your funds, and you will be able to set a new one.

Conclusion

In this article, we explained what BIP39 is, what a passphrase is, how passphrases help protect your seed phrase, how to properly back them up, and the difference between a passphrase and a password.

Bitcoin self-storage isn’t too difficult, but you do need to take the time to familiarize yourself with the basics and feel comfortable with the recovery process. We recommend that everyone take the time to properly test their wallet backup so that they are not nervous when the time comes to do it for real.

xPubs & xPrivs
https://blog.wasabiwallet.io/xpubs-xprivs/ (Thu, 18 May 2023 13:23:47 +0000)

Your bitcoin wallet can let you have many wallets within the same application and generate an endless amount of addresses. Understanding what xPubs and xPrivs are can help you understand how this happens.

xPub stands for Extended Public Key, while xPriv stands for Extended Private Key. Simply put, xPubs and xPrivs are parent keys from which a wallet can mathematically produce billions of child keys that serve as the public keys and private keys within your wallet.

As a Bitcoin user, knowing about xPubs and xPrivs will help you to:

  • Discover ways to unlock more out of your Bitcoin experience
  • Understand how xPubs and xPrivs affect the security and privacy of your bitcoin
  • Know why the best bitcoin wallets use this

xPubs and xPrivs have not been around since the beginning of Bitcoin wallets; here is why they were introduced.

Bitcoin Before xPubs and xPrivs

The first bitcoin wallet, Bitcoin-Qt, had a key-management problem. It generated private keys at random which were all stored on the computer in a wallet.dat file.

While this worked, there was a flaw in that users could lose their bitcoin when they accidentally deleted the file or fell victim to malware. In the case that you encrypt this file and forget your wallet’s password, there is no way to recover your funds.

For your funds to be safe as a Bitcoin-Qt user, you had to make continual backups of the newer versions of the wallet.dat file every time you made a transaction. Still, there was no solution for losing your password.

To make this less cumbersome, Bitcoin Improvement Proposal 32 (BIP32) was devised to change how private keys are generated. In the proposal, instead of Bitcoin wallets needing to generate private keys at random for every transaction, a wallet can have one master key that can generate other keys from itself in a predefined way.

Having a determined way to generate private keys means that:

  • You only need to back up one (master) private key
  • You have the convenience of using the private keys across different wallet applications

Here’s how one parent private key can replace multiple private keys:

How xPubs and xPrivs Work

The key-pair concept is inseparable from Bitcoin, where private keys are meant to sign transactions and public keys, derived from private keys, are used to receive transactions.

xPubs (Extended Public Keys) and xPrivs (Extended Private Keys) also serve as public keys and private keys, only in an extended form. Their “extendedness” gives them the ability to derive further child private keys and public keys. And just as with normal key pairs, the extended public key is generated from the extended private key.

What’s more, all derived child keys can also derive their own future generations of grandchild keys. But even with continued derivation, all derived keys always carry the unique signature (like DNA) of their parent keys throughout their generation. It’s this family-tree-like derivation process that serves as the origin of a new breed of Bitcoin wallets, hierarchical deterministic wallets.

In hierarchical deterministic wallets (also called HD wallets), a specific path through the tree (a branch) is selected, and future child keys are held under it. By holding the parent keys, the xPub and xPriv, you can traverse every branch to look for child keys.

The convenience of having a master key to derive all possible keys generated opened a new world in Bitcoin where users no longer have to make the decision between better privacy or easy backups.

xPubs and xPrivs in Action

You Can Have Many Accounts in One Wallet

By having a parent key that can generate many child keys, a wallet can derive child private keys and child public keys that serve as parent keys for new wallets within one main wallet.

As a user, you can find this useful if you wish to have multiple accounts within one wallet. You can use this to separate your financial concerns. For example, you could have an account for personal expenses, business, or even savings without needing to set up multiple bitcoin wallets.

Securing your Keys is Easier

Generating private keys at random meant you had many keys to back up. This is not the case with wallets that implement xPubs and xPrivs.

With parent keys that can deterministically generate child keys for all your wallet transactions, you only have to back up one master key. This master key can be used to re-derive every key you previously generated to transact, so a single backup restores everything.

You Can Share Funds in One Bitcoin wallet

Since an xPriv can sign for transactions from any address generated by it, sharing it can allow other trusted parties to make payments on your behalf. For example, an organization can use the master xPriv to give child keys to both the procurement and employee payments departments without giving either department the ability to spend each other's funds.

With this in mind, sharing your xPriv should be done with extreme caution since anyone who holds your private key gains control over all your funds.

More Privacy for your Transactions

An xPub can generate multiple child public keys that can be used to receive funds. This is a simple way to improve privacy for Bitcoin transactions as it prevents linking transaction data together by reusing an address to receive unrelated transactions.

A Multi-Wallet Experience is Possible

xPrivs and xPubs are the advancement in Bitcoin that allows users to use more than one wallet software application without creating multiple backups.

Using your wallet’s seed, any wallet application can derive both the xPub and the xPriv and recover coins that you previously received with another wallet.

Despite this, there is always a challenge when wallets use different schemes to derive keys. As a user you can benefit from checking for Bitcoin wallet compatibility before switching vendors.

Payments are Secure With Untrusted Parties

Since private keys have full control of your wallets, storing them on an Internet-connected device to accept payments is sub-optimal. In particular, if you store your private keys on an insecure payment processor to generate addresses, any breach can lead to the loss of your funds.

Instead, with an xPub you can generate multiple payment addresses without exposing your private keys to potential threats.
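The derivation described under "How xPubs and xPrivs Work" and the watch-only use case just above, as an added example that is not Wasabi's code: a pure-Python BIP32 implementation (secp256k1 arithmetic included) that derives a hardened "account" key, hands the account xPub to a hypothetical payment server, and checks that the public keys the server derives are exactly the ones the xPriv holder can sign for. Hardened derivation from the xPub is refused, which is the property that keeps one department's keys out of another's reach. The seed is the BIP32 test-vector seed; the function names are my own, and the astronomically rare invalid-key cases that BIP32 says to skip are not handled.

```python
import hashlib
import hmac

# Added example (not Wasabi code): BIP32 derivation with the operations the
# article describes.  m/account' is a hardened child used as a department account;
# the account xPub derives receiving keys on a watch-only system, the account
# xPriv derives the matching signing keys.

# secp256k1 parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000


def _add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P)      # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)       # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, point=G):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def _compress(point):
    x, y = point
    return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")


def _decompress(data):
    x = int.from_bytes(data[1:], "big")
    y = pow((pow(x, 3, P) + 7) % P, (P + 1) // 4, P)  # sqrt is valid because P % 4 == 3
    if (y % 2 == 0) != (data[0] == 2):
        y = P - y
    return (x, y)


def pubkey(k):
    """Compressed public key for a 32-byte private key."""
    return _compress(_mul(int.from_bytes(k, "big")))


def master_key(seed):
    """BIP32 master private key and chain code from a seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def ckd_priv(k, c, index):
    """Child private key. Hardened children (index >= 2^31) hash the private key, not the pubkey."""
    data = (b"\x00" + k) if index >= HARDENED else pubkey(k)
    digest = hmac.new(c, data + index.to_bytes(4, "big"), hashlib.sha512).digest()
    child = (int.from_bytes(digest[:32], "big") + int.from_bytes(k, "big")) % N
    return child.to_bytes(32, "big"), digest[32:]


def ckd_pub(K, c, index):
    """Child public key from the parent public key alone (watch-only derivation)."""
    if index >= HARDENED:
        raise ValueError("hardened children cannot be derived from an xPub")
    digest = hmac.new(c, K + index.to_bytes(4, "big"), hashlib.sha512).digest()
    point = _add(_mul(int.from_bytes(digest[:32], "big")), _decompress(K))
    return _compress(point), digest[32:]


def watch_only_matches_signer(seed, account=0, count=3):
    """Do the public keys the xPub derives equal the ones the xPriv can sign for?"""
    k, c = master_key(seed)
    acct_k, acct_c = ckd_priv(k, c, HARDENED + account)   # m/account'
    acct_K = pubkey(acct_k)                                # the xPub given to the payment server
    from_xpub = [ckd_pub(acct_K, acct_c, i)[0] for i in range(count)]
    from_xpriv = [pubkey(ckd_priv(acct_k, acct_c, i)[0]) for i in range(count)]
    return from_xpub == from_xpriv


SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # BIP32 test vector 1 seed

if __name__ == "__main__":
    print("watch-only keys match signer keys:", watch_only_matches_signer(SEED))
```

The check works because a non-hardened child private key is k + I_L (mod N), so its public key is K + I_L·G, which anyone holding K and the chain code can compute. That is exactly why an xPub plus chain code is enough to run a payment page, and also why an xPub should still be guarded: it reveals every address of that account, and leaking one non-hardened child private key next to it recovers the parent private key.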

What are Wasabi Wallet’s Code Signature Strategies?
https://blog.wasabiwallet.io/wasabi-wallets-code-signature-strategies/ (Wed, 05 Apr 2023 12:20:21 +0000)

Wasabi Wallet is a Bitcoin wallet that can be very useful for a user’s privacy, but how can you be sure you’re installing the intended release?

If you’re considering using Wasabi or already have, installing malicious software from a scam website that can steal your bitcoin is the last thing you want. So what are Wasabi’s code signature strategies which can allow you to verify the authenticity of the software? For Windows and Mac, Wasabi uses the respective code signing standards that depend on centralized certificate authorities for signature validation. For every OS (Linux included), you can verify the release signature using PGP but should validate that the PGP key is really in the hands of Wasabi by leveraging a concept called Web of Trust.

This article will explain how Wasabi Wallet’s three code signing strategies (Windows, MacOS, and PGP) work and how they compare in terms of user experience, trust models, cryptography, and certificate subscription/expiry. Then, we will explain deterministic builds, why they are important, and how MacOS code signing ruins it for their platform. Finally, we will touch on Wasabi Wallet’s automatic software updater, which is only available for MacOS and Windows and employs code signature verification before installing the new release.

What is Code Signing, and Why is it Important?

The power of code is limitless. It can be used for good or malicious intent, so you should always be careful what software you install on your devices. This applies particularly if you’re interested in bitcoin, privacy, and security, which we assume you are, given that you’re reading this. This section will explain what code signing is and why it is crucial for secure software development and distribution.

When you install open-source software on your machine, you can compile it from the source code and read every line to understand what will run on your machine. However, this is an extremely long and complicated process. In most cases, you trust the open-source development process and the team behind it, so you are willing to install their compiled releases. The question then becomes: how can you ensure that you are installing the original release?

Code signing fixes software authenticity validation by leveraging cryptography. It allows you, as a user, to verify that the binary you’re about to install on your device matches the one released by the software development team by comparing code signatures. We will examine how it works in Wasabi Wallet strategies: Windows, MacOS, and PGP.

How does Wasabi Wallet’s Windows Code Signing Work?

Operating system platforms like Microsoft’s Windows have a standard code-signing format, and Wasabi Wallet’s security engineering management team follows it. Authenticode is the platform’s code-signing technology for identifying the publisher of signed software.

When a new version is released, the team uses SignTool to sign the .msi installer with an EV (Extended Validation) digital certificate issued by DigiCert Inc, a renowned CA (Certificate Authority), to zkSNACKs LTD, the company maintaining Wasabi Wallet’s software development.

To obtain the hardware-token-protected certificate, zkSNACKs LTD underwent a multi-step identity verification process. The release is signed using the SHA-256 algorithm, and the signature is timestamped by DigiCert’s timestamp server. The current certificate was issued on February 15th, 2023, and expires on February 15th, 2025.

Windows’ code signing command looks like this.

Now that we’ve established Wasabi Wallet’s Microsoft code signing strategy, let’s move forward to the other proprietary operating system platform, MacOS.

How does Wasabi Wallet’s MacOS Code Signing Work?

MacOS code signing policies are even stricter than Windows; there’s only one option available for Wasabi Wallet’s team. They have an Apple developer account on Xcode, where Apple Inc issues a developer ID certificate that signs every release. The signed package of files is sent to Apple, which signs it, too, creates a .dmg binary, and sends it back.

zkSNACKs signs the newly created .dmg binary, and it’s sent back to Apple for a final signature and notarization, in which they run many security tests on the code. Every signature uses the SHA-256 hashing algorithm.

Here’s the output of Wasabi Wallet’s version 2.0.2.2 Apple ID certificate.

The final code signature strategy Wasabi Wallet’s team employs is PGP code signing, which we’ll look at now.

How Does Wasabi Wallet’s PGP Code Signing Work?

Since Linux is a libre open-source operating system, there’s no standard code-signing method for your software to pass the system’s security checks. Wasabi Wallet uses the PGP (Pretty Good Privacy) standard for code signing on Linux, but it’s also available as an additional security verification step on MacOS and Windows.

PGP is an encryption program to sign, encrypt, or decrypt text, files, e-mails, etc. In this case, Wasabi Wallet’s security engineering management team uses PGP to sign their releases for all three major operating system platforms with RSA 2048-bit keys. Wasabi Wallet’s current PGP key fingerprint is 6FB3872B5D42292F59920797856348328949861E, and it is valid from the 22nd of August 2019 to the 24th of February 2028.

A user verifies the code signature by importing zkSNACKs’ PGP public key, downloading the latest version and the corresponding signature file, and verifying that everything matches. Find out more on how to do this here. Now that the details of each code signing strategy employed by Wasabi Wallet’s team are understood, let’s compare them.

How Do Wasabi Wallet’s Code Signature Strategies Compare Between Them?

This section compares all three code signing strategies regarding cryptography, user experience, trust models, and certificate subscriptions/expiry. First, for Windows and Mac, Wasabi Wallet’s releases are signed over SHA-256 digests. For PGP, 2048-bit RSA keys sign the release binary.

As a user, your experience is about the same when verifying the Windows and Mac signed releases; it is all done automatically by your operating system during installation. PGP, on the other hand, requires manual verification by importing zkSNACKs’ public key, because it does not depend on a CA (Certificate Authority) for certificate issuance, which brings us to the next point.

The trust model of PGP makes it unique compared to the other two code-signing strategies employed by Wasabi Wallet. Windows and Mac code signing depend on a CA for certificate issuance, so a user must trust that centralized entity’s legitimacy. Wasabi had a choice between many CAs on Windows, but on MacOS, you have to use the computer manufacturer and operating system developer, Apple Inc, for certificate issuance.

For PGP, the trust model simply relies on the legitimacy of the public key. How can you be sure the software development team behind Wasabi Wallet owns this key? This is where the Web of Trust model comes into play: users sign each other’s public keys to establish trust. Many developers have signed zkSNACKs’ public key with their own PGP key, so if you can physically verify the ownership of one of those PGP keys, you can trust the legitimacy of zkSNACKs’ PGP key. This step is optional, but if you skip it you can never be sure, and you are operating under a false sense of security.

Finally, since PGP doesn’t rely on a centralized authority, it requires no permission, and its expiry date is fully customizable: in Wasabi’s case, the key lasts eight years, six months, and two days. Companies like zkSNACKs can buy DigiCert-issued Windows code signing certificates for one, two (Wasabi’s case), or three years, costing 570 to 699 USD a year. MacOS developer accounts cost 99 to 299 USD for a yearly membership, and the key expiry date does not appear on the binary signature.

Now that we’ve compared the three code signing strategies used at Wasabi for releases, let’s explain what a deterministic build is, why it is important, and how MacOS code signing limits it for their platform.

What is a Deterministic Build, And Why is it Important?

Open-source software released as binaries, such as Wasabi Wallet, is signed to ensure its authenticity to the users. However, how can a user or a security auditor ensure that the binary releases match the code repository? Deterministic builds fix precisely that, and they’re essential to an open-source community to create an independently-verifiable path from source to binary code.

To build Wasabi Wallet deterministically, you must follow many steps, such as asserting the correct environment by having the same operating system and installing identical software package versions. You must then reproduce and verify builds by comparing them with the binary code. The deterministic build process works well for Windows and Linux releases, but users can’t do it for macOS because of the code signing.

How does MacOS Code Signing Limit Deterministic Build?

Unlike on Windows, the MacOS code signature is stored inside the binary file itself. When trying to build Wasabi Wallet on macOS deterministically, a user won’t be able to verify that the source code matches the .dmg release because he doesn’t have the certificate to sign it. However, since Wasabi Wallet’s version 2, every release includes a macOS .zip folder that can be reproducibly built from the source code.

We proceed to the final section before concluding this article: Wasabi Wallet’s automatic software updater.

What is Wasabi Wallet’s Automatic Software Updater?

On Windows and MacOS, you can turn on Wasabi Wallet’s automatic software updater. When a new update is available, the update manager automatically downloads and installs the latest version. Since this isn’t a fresh install, Wasabi Wallet’s three code signing strategies aren’t employed. However, this remains safe because the code’s signature is cryptographically verified before the update.

How does the Update Manager Validate the Code it Installs?

The update manager downloads the SHA256SUMS.asc and SHA256SUMS.wasabisig files, and on line 215 of this code file WasabiSignerHelpers.VerifySha256SumsFileAsync is called to validate the signature. In that function, in the WasabiSignerHelpers code file, the content and signature files are read and checked against the constant holding Wasabi’s public key on line 38.

In simple terms, the binary hash and the digital signature are downloaded, and then, the code verifies that Wasabi’s signature matches the hash, and matches the public key saved in the previously installed version. This key set differs from all other code-signing keys used; it uses the same cryptography as Bitcoin.
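Both the manual PGP procedure (import the key, download the release and the signature file, check that everything matches) and the updater's check follow the same two-stage pattern: verify a signature over a SHA256SUMS manifest, then verify the downloaded binary against that manifest. The following is an added example, not Wasabi's code, of the second stage in Python: it parses a manifest in the layout `sha256sum` produces, refuses files the manifest does not list, and compares digests in constant time. The release files and manifest are constructed for the example, and the signature check over the manifest (gpg for PGP, the updater's own key for automatic updates) is assumed to have passed already.

```python
import hashlib
import hmac
import re

# Added example (not Wasabi's code): the hash-comparison stage of release
# verification.  A SHA256SUMS-style manifest has one "<hex digest>  <file name>"
# line per release file.  The manifest's signature must already have been verified;
# this code only decides whether a downloaded file matches the signed manifest.

# sha256sum writes "<64 hex>  name" (text) or "<64 hex> *name" (binary mode).
_LINE = re.compile(r"^([0-9a-fA-F]{64})[ \t]+\*?(\S.*)$")


def parse_manifest(text: str) -> dict:
    """Map file name -> expected SHA-256 digest (lowercase hex). Malformed lines are rejected."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line.strip())
        if m is None:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[m.group(2)] = m.group(1).lower()
    return expected


def verify_download(name: str, data: bytes, manifest: str) -> bool:
    """True only if `name` is listed in the manifest and `data` hashes to the listed digest."""
    expected = parse_manifest(manifest)
    if name not in expected:
        return False  # an unlisted file is not "verified", it is simply unknown
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected[name])  # constant-time comparison


# Constructed sample: two fake release files and a manifest that lists them.
FILES = {
    "Wasabi-example.deb": b"constructed installer bytes for the example\n",
    "Wasabi-example.msi": b"a different constructed installer\n",
}
MANIFEST = "".join(
    f"{hashlib.sha256(data).hexdigest()}  {name}\n" for name, data in FILES.items()
)

if __name__ == "__main__":
    for name, data in FILES.items():
        print(name, "ok" if verify_download(name, data, MANIFEST) else "MISMATCH")
    print("tampered .deb:", verify_download("Wasabi-example.deb", b"not the release", MANIFEST))
```

Two details carry the security weight. The manifest is authoritative only because its signature was checked first, so the hash stage must never fall back to a manifest fetched without one; and an unlisted file name returns False rather than being skipped, which is the behaviour `sha256sum --ignore-missing` deliberately does not give you.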

Conclusion

In this article, we explained what code signing is, why it is essential, and what the three code signing strategies used for Wasabi Wallet’s releases are, which we compared in terms of cryptography, user experience, trust models, and certificate subscription/expiry. Then, we defined what a deterministic build is, why it is important, and how MacOS code signing clashes with it. Finally, we described the code signature verification that happens when Wasabi updates automatically.

PGP code signature verification is recommended to all users, even those on Windows and Mac, because, unlike the other code signature strategies, it is trustless if employed correctly: by leveraging the Web of Trust and physically validating a key that has validated the zkSNACKs key. It is also essential to be wary of scam websites whose domain names might resemble the official one.

You should only install software from the official website https://wasabiwallet.io and the official onion service.

The Privacy Benefits of Taproot
https://blog.wasabiwallet.io/the-privacy-benefits-of-taproot/ (Wed, 01 Dec 2021 17:00:00 +0000)

Bitcoin’s Taproot soft fork is an essential step towards improving Bitcoin’s on-chain privacy. After the upgrade got activated on November 14th, 2021 at block height 709632, blockchain analysis companies are going to have a harder time determining what’s happening on the public ledger. Inconveniently for those seeking to deanonymize all bitcoin transactions, Taproot makes most on-chain contracts and conditional transfers look identical to regular transfers. Indirectly, this also benefits scalability (multisig setups no longer take more block space) and fees (smaller transaction outputs translate into lower costs for users).

This article, however, focuses on the privacy aspect of Bitcoin’s soft fork. It seeks to explain how Taproot increases every user’s plausible deniability and potentially poses a threat to the blockchain analysis business. To make this improvement easily comprehensible, the benefits will be divided by use cases.

How Taproot Increases Lightning Network Privacy

The Lightning Network is Bitcoin’s layer for instant, private and inexpensive transactions. Unlike a blockchain, it’s extremely scalable, fast and doesn’t require the entire network to store and validate every operation. The more elegant design also enables greater privacy: only the parties involved in a money transfer and the routing nodes can get information about an ongoing transaction. Outsiders are completely left in the dark and unable to tell anything about the actors involved and the amount of bitcoin that they moved around. For a better understanding of how Lightning works, read my article “Explaining the Lightning Network So Even a 10 Year-Old Can Understand It”.

But since Taproot is a base layer upgrade, does it really affect Lightning? Without this Schnorr-friendly upgrade, channel openings and closings get revealed on the public blockchain exactly as what they are: 2-of-2 multisigs with hashed time-locked contracts (HTLCs). After the Taproot activation, everyone opening or closing a Lightning channel collaboratively will appear to be doing a regular transaction which is indistinguishable from the others.

Previously, blockchain analysts were able to tell when certain transactions would close Lightning channels. But after Taproot, they will only be able to see that the coins have moved. They won’t know how they moved, they’ll only observe that the amount has been spent in an indistinguishable way.

However, the privacy level still isn’t perfect. As pointed out by Wasabi Wallet creator Adam Ficsor, non-private Lightning channels broadcast a channel point which corresponds to the opening output. This bit of information, which can be observed on the Lightning network, therefore gives away the output that is engaged in the channel opening. Taproot does make Lightning channel opening private, but only if the channels are also private. Similarly, even though CoinJoin transactions before and after opening a Lightning channel can obfuscate the coins’ past and future, the Lightning gossip would still reveal the precise UTXO controlled by the node operator. There is promising research to mitigate the problem with ring-signature proofs for DoS protection.

How Taproot Increases Sidechain Privacy

Like Lightning channel openings, sidechain peg-ins also rely on a multisig contract. On RSK (Rootstock, a Bitcoin sidechain which seeks to port Ethereum smart contracts), there’s a two-way peg (2WP) which ensures that the BTC gets transferred safely. But after Taproot, this transaction is going to be indistinguishable from all the others and will also occupy less block space.

The same happens for Blockstream’s federated sidechain Liquid, as well as Drivechains. Regular transactions, Liquid peg-ins, Lightning channels and user multisig will look exactly the same.

How Taproot Increases Multisig Privacy

In recent years, multisig setups have become extremely popular among bitcoiners. As the user experience has improved with wallets such as Electrum, Sparrow and Specter, many community members have chosen to make their coins harder to steal, hack or spend. The idea behind it is that you don’t need to trust a single wallet or entity with the randomness and security of your private key. You use different devices with different processing units to generate your keys, and afterwards you can go as far as distributing your private key backups to different parts of the world.

Depending on your setup (most users do 2 of 3, but you can go as far as 15 of 15 if you prefer complexity), you can get a lot of extra security at the expense of losing accessibility – and if you make it too hard even for yourself to recover the coins, you might just lose them.

Taproot has two essential benefits for multisig setups: it makes them more accessible (the transaction cost of signing a 19 of 20 transaction will be the same as taking care of a single one) and also adds an extra layer of privacy. All the unnecessary information will no longer appear on the public blockchain. This preserves the secrecy of all the signers by only displaying the main input and its corresponding output. Before Taproot, blockchain analysis could determine which keys from the setup have signed the transaction. After Taproot, this information will become unavailable to the public.

How Taproot Increases the Privacy of Bitcoin Smart Contracts

Since day one, Bitcoin has enabled smart contract functionality. Basically, users have been able to broadcast conditional transactions which would instruct the rest of the network when the funds become available for spending. Multisig setups, Lightning channel openings and sidechain peg-ins are all variations which make use of different types of conditions.

So let’s consider a basic contract in which Alice locks her bitcoins until a certain block height when she thinks her infant child Bob will be a grown adult, or else allows for Bob to unlock the amounts as soon as he becomes technically capable of signing a multisig transaction. Under the current framework, both conditions get revealed to the entire network and become part of the immutable ledger. But with Taproot, only the one that gets executed will actually become public. It’s an efficiency upgrade which saves precious block space but also a great privacy trick that’s going to enable lots of creative ways to preserve wealth across time.
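The Alice and Bob contract above, as an added example that is not from the article: the BIP341 tagged-hash commitments that let Taproot publish only the executed branch. The two spending conditions are placeholder byte strings standing in for real Bitcoin Script, and the internal key is a constructed placeholder; the TapLeaf, TapBranch and TapTweak hashing itself follows BIP341. A script-path spend reveals the executed leaf plus the hashes of its siblings, so a verifier can recompute the Merkle root without ever seeing the other condition, and a key-path spend reveals neither.

```python
import hashlib

# Added example (not from the article): the commitment structure behind
# "only the executed condition becomes public".  Scripts and internal key
# are constructed placeholders; the hashing follows BIP341.


def tagged_hash(tag: str, msg: bytes) -> bytes:
    """BIP340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    tag_hash = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(tag_hash + tag_hash + msg).digest()


def compact_size(n: int) -> bytes:
    """Bitcoin's variable-length integer prefix, as used for the script length in a TapLeaf."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    return b"\xfe" + n.to_bytes(4, "little")


def tap_leaf(script: bytes, leaf_version: int = 0xC0) -> bytes:
    return tagged_hash("TapLeaf", bytes([leaf_version]) + compact_size(len(script)) + script)


def tap_branch(a: bytes, b: bytes) -> bytes:
    # Children are sorted, so a verifier does not need to know which side a sibling was on.
    return tagged_hash("TapBranch", a + b if a < b else b + a)


def tap_tweak(internal_key_x: bytes, merkle_root: bytes) -> bytes:
    """Scalar t committing the tree to the key; the output key Q = P + t*G looks like any single key.
    With no scripts at all, BIP341 tweaks with the bare key (empty root)."""
    return tagged_hash("TapTweak", internal_key_x + merkle_root)


def script_path_reveal(spend_script: bytes, sibling_hashes: list) -> dict:
    """What a script-path spend puts on chain: the executed script and sibling hashes only."""
    return {"script": spend_script, "path": sibling_hashes}


def verify_reveal(reveal: dict, merkle_root: bytes) -> bool:
    """Recompute the root from the revealed leaf and its Merkle path."""
    node = tap_leaf(reveal["script"])
    for sibling in reveal["path"]:
        node = tap_branch(node, sibling)
    return node == merkle_root


# Constructed two-leaf tree for the Alice/Bob example.
ALICE_SCRIPT = b"<height> OP_CHECKLOCKTIMEVERIFY OP_DROP <alice_key> OP_CHECKSIG"
BOB_SCRIPT = b"<bob_key> OP_CHECKSIG"
INTERNAL_KEY_X = hashlib.sha256(b"constructed placeholder internal key").digest()


def demo() -> dict:
    root = tap_branch(tap_leaf(ALICE_SCRIPT), tap_leaf(BOB_SCRIPT))
    # Bob spends: he reveals his script and the *hash* of Alice's leaf, never her script.
    bob_reveal = script_path_reveal(BOB_SCRIPT, [tap_leaf(ALICE_SCRIPT)])
    return {
        "root": root.hex(),
        "tweak_with_scripts": tap_tweak(INTERNAL_KEY_X, root).hex(),
        "tweak_key_only": tap_tweak(INTERNAL_KEY_X, b"").hex(),
        "bob_reveal_valid": verify_reveal(bob_reveal, root),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the tweak is folded into a single x-only key, the 32 bytes in the output look the same whether the tree holds two leaves, twenty, or none; the chain learns that a tree existed only when a script path is spent, and even then only the leaf that was used.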

Taproot Simplifies Invisible Coin Swaps

Mercury Wallet by CommerceBlock has become increasingly popular in recent months. This is because of a special feature which performs a change of output ownership on the Lightning network and effectively enables users to trade their coins’ transaction history in an elegant and scalable way. If bitcoiners open Lightning channels and trade UTXOs with one another, they can obfuscate a lot of the previous activities involving their money and return to the BTC blockchain with a different set of coins. Mercury Wallet makes use of Ruben Somsen’s statechains concept to lock funds for a predetermined amount of time and conduct mixes between equal outputs.

In a sense, Coinswaps are CoinJoins that make use of Lightning’s scalability and low fees. Thanks to Taproot, they too are indistinguishable from the other transactions.

However, with Coinswaps, you always face the risk of receiving a more problematic UTXO that may have a criminal history. Instead of combining multiple transaction histories (as CoinJoins do), it enables an anonymous market for swapping transaction histories. As Wasabi Wallet creator Adam Ficsor pointed out in a recent interview, the two privacy solutions can become complementary tools: “The combination seems to be more interesting though: CoinSwaps to and from CoinJoins, which could make low anonymity set CoinJoins getting as much privacy as a CoinSwapper would.”

Bitcoin Privacy After Taproot

With Taproot, Bitcoin has undergone a long-desired upgrade to the more efficient Schnorr signatures, while also taking a few steps towards winning the battle against financial surveillance. This doesn’t mean that blockchain analysis becomes obsolete after this upgrade, though. First of all, it will take time for users to update their nodes to the latest Taproot-friendly client (so the benefits will not be enjoyed by everyone). Secondly, developers have to release wallets and applications that make use of Taproot’s full potential. For now, not much has changed since block 709632, when the soft fork was activated. But the numerous benefits of Taproot give hope for swift adoption.

Furthermore, the Bitcoin protocol can be optimized even further for scalability and privacy. One proposal is Jeremy Rubin’s OP_CHECKTEMPLATEVERIFY (BIP 119, formerly known as OP_SECURETHEBAG), which batches transactions to reduce the number of inputs and cut down on fees during moments of high demand and congestion. With it, CoinJoins and Coinswaps can get even more plausible deniability, since the same technique becomes a natural component of routine Bitcoin transactions.

Other solutions include Drivechains (Paul Sztorc has managed to create a Zcash-like chain which serves the purpose of increasing the fungibility of processed bitcoins), Mimble Wimble extension blocks (an ongoing experiment on Litecoin, which may be useful if it proves to work), and the hope that Core developers will figure out a way to integrate zero-knowledge proofs or Confidential Transactions without the need for a hard fork. However, the Schnorr signature-powered Taproot is still a great start and the way in which it was activated gives us hope that one day bitcoins will acquire nearly-absolute fungibility.
