Understanding HandCash’s Approach to Wallet Security and User Experience

At HandCash, we’d like to clarify some key aspects of our wallet system to enhance your understanding.

Threshold Signatures for Enhanced Security

HandCash utilizes a threshold signatures scheme to secure user transactions. In this system, the private key is distributed across multiple legal entities, each holding a portion of it. These parties collaboratively sign transactions on the user’s behalf, triggered by signed requests using private keys registered individually to each party. Importantly, the key that initiates a payment isn’t the same as the one used to sign the transaction, and no single entity possesses the entire private key in its full form.

We adopted this approach primarily because users often lost their private keys, leading to significant inconvenience and loss of funds. The threshold signature scheme offers a balanced trade-off between security and convenience, ensuring that users can transact safely without the risk of losing access to their assets. This is possible because the key that triggers the creation of a transaction can be discarded and replaced with another, making the loss of it a non-event.

Trust and Reputation: The Cornerstones of Our Wallet

With over five years in the wallet development space, HandCash places a strong emphasis on trust and reputation. Since transitioning to the threshold signature scheme, we’ve had zero instances of users losing funds—not even a small amount. This is a significant improvement over the past, where key loss was a common issue.

We operate with full transparency and steer clear of the questionable practices that sometimes tarnish the crypto industry. It’s important to emphasise that many wallet developers are not entirely honest about the security risks associated with their products. The moment you introduce your private key into a wallet, unless you take extreme measures like reviewing every line of code, rebuilding the wallet locally, and ensuring no backdoors exist in the compiler, the wallet is, while not legally, effectively custodial of your funds. This is because a malicious developer within the organisation could potentially steal your keys, and users have no way of knowing how security operations—which are often expensive—are handled internally.

Our distributed key system mitigates this concern. With HandCash, no team member can access the full private key, not even in theory, enhancing the security of your assets. Our approach is also more cost-effective, as the possibility of fraud is eliminated unless all key slice holders collaborate in wrongdoing, which is highly improbable.

That said, we acknowledge the valid point that users should have the option to retrieve their funds in case the wallet becomes unexpectedly unavailable without offering a recovery tool.

Technical Decisions for Wallet Integrity

While it’s theoretically possible to reconstruct the private key by collecting slices from all involved parties, we haven’t developed such a tool yet. Allowing users to spend UTXOs outside our system could desynchronize the wallet, disrupt transaction immediacy, introduce risks like double-spend attacks, and create significant dependencies on node indexers. Our decision to maintain this structure is purely technical, aimed at preserving wallet integrity.

Commitment to User Privacy

User privacy is of paramount importance to us. We’ve implemented several techniques that are rare or even unheard of in the industry to protect your privacy:

• One-Time Use Addresses: We never reuse addresses, ensuring that each one is used only once.

• Transaction Obfuscation: We split amounts into several UTXOs to obfuscate the actual value being paid to end users.

While blockchain transactions are public, we believe that your actions shouldn’t be easily traceable by external parties. Our measures make it as difficult as possible for others to analyse your transaction details unless you specifically want that feature on purpose.

Future Possibilities: User Access to Signing Keys

We’ve recently upgraded our core infrastructure, specifically enhancing our low-level communication with the BSV network. This significant upgrade allows us to explore the possibility of allowing users to access transaction signing keys directly. This would enable you to back them up and hold them as a safeguard in case something goes wrong. While no final decision has been made, we believe this could be valuable for many users.

In such a scenario, these keys would come with the disclaimer that they should be used in read-only mode. If you attempt to spend UTXOs outside the HandCash wallet, your wallet may go out of sync, and you’d need to manage those funds independently in another wallet. We consider this a reasonable trade-off, as there’s currently no simple way to maintain the same level of seamless functionality while offering full interoperability for key export/import between different wallets. In the future, we can envision efficient wallet synchronisation protocols emerging, allowing users to have the same keys in multiple wallets without compromising the user experience, but right now we need to live with certain trade-offs.

Author: Ivan Mlinarić @ HandCash