Towards Trust-Minimization in Bitcoin Custody

Insurance Dec 13, 2019

It’s been a short busy time since we formally launched the Knox custody service this past September. It was exciting to finally get a chance to expose our particular views on Bitcoin custody, and speak to many different people the world over.

One critical aspect of crafting copy or refining messaging during a launch is whittling down to the bare essentials, erring toward short and sweet as opposed to comprehensive. At the same time, taking this approach means nuances are necessarily lost, and we can’t touch on facets that we care about but that we know don’t belong in terse copy. All of this gets us excited about being more vocal and public about what we’ve been up to. This space will give us a chance to delve deeper into the topics we’ve touched on previously, as well as giving us a venue in which to expose the myriad topics both core and adjacent to our space.

Today, we’ll start approaching a topic near and dear to our hearts: Insurance. As excited as we are to delve deeper into some core themes, this one is too rich to visit in one piece, and requires the introduction of some other concepts that we expect to explore in the future. It should however act as a good index into this set of topics, which we are eager to further expand. We think the preamble will be worth it for the sake of understanding insured Bitcoin custody as a layer above the uncompromising base layer protocol.

As we approach insurance, it’ll be important to think through the basics of what it means to hold, to own, to lose, and to steal. These are deceptively simple concepts, even in the physical world, but end up getting hairier still when we start thinking about them in the context of non-physical but fundamentally scarce assets.

Bearing an Instrument

We often hear of Bitcoin referred to as a bearer instrument. This is an old term, and at the surface a relatively simple concept. In the physical world, a tangible object can be held, and the simplest system we can build will couple the notions of holding and owning. For a true bearer instrument in the physical world, maintaining physical possession of some object means you own it. Transferring ownership of such an instrument is as simple as transferring physical possession. If a market ascribes a value to that instrument, physical transfer represents a value transfer. Take for example handing someone cash.

Bitcoin of course is not physical. What it means to hold bitcoin in different ways is its own expansive topic, and there are interesting ways in which this complicates insurance, but for today we can stick to the general notion of an entity maintaining signing authority. We should be able to get through this without diving into the particulars of public-key cryptography.

An entity is said to maintain signing authority over a Bitcoin address if that entity has the ability to produce a valid proof of spending rights on that address every time it wishes to move funds. The ability to produce such a proof boils down to knowing a secret. The bearer of some secret of this form is then the bearer of the sum of associated bitcoin.

The Bitcoin protocol is necessarily amoral. Correct behavior is governed by an uncompromising set of rules, and by design there should be nobody to run to to cry foul. This is a beautiful and necessary property of the network, affording us hard guarantees that hadn’t appeared in previous monetary systems, but for holders it’s not without its caveats. One of the amoral properties of the Bitcoin protocol is that it does not attempt to separate bearing and owning.

So far as the network is concerned, anyone who knows the appropriate secret can produce a valid proof of spending rights, and therefore owns the associated bitcoin sum. This is what makes Bitcoin a true non-physical bearer instrument. Lose the secret, and you’ve lost the assets. Divulge the secret, and you’ve shared ownership rights.

Insured Custody as an Optional Storage Layer

The base protocol will never (and should never) make the distinction between bearing and owning, but there’s nothing preventing others from producing a layer above it that achieves this property for anyone who desires it.

The trouble is, designing a service to enable this separation presents new risks that need to be carefully considered and managed. We do not maintain that insurance is the right tool for every job, but we believe affording fiduciaries the right to engage it is important for the evolution of the space.

I think if you had told me years ago I’d be running a custodian, I’d be aghast, as the notion of engaging another party to manage on-chain spending rights is antithetical to the ethos of Bitcoin. I still feel quite strongly that anyone who can maintain their own keys ought to, but I’ve come to recognize that third party custodians are often necessary.

Consider the case of a fund manager. The principal-agent problem is pervasive in finance, and can be applied in several different ways to the custody context, but today we’ll look at one of the most obvious. A fund manager starts life with no holdings, but comes to accept capital from a set of investors. The fund manager’s job is to grow this base capital. In this context, the fund manager is acting as an agent on behalf of a set of principals. In most such cases, part of being an agent necessarily means that any on-chain spending rights can not be maintained by the principals. Traditionally, this case produces the need for a new party, the custodian. The custodian’s job in this case is to act as another agent, moving funds as instructed, and being capable of independent reporting that grants the ultimate principals increased oversight of the underlying activity.

Risk Origination and Insurance

We came here to get into insurance, but spent a majority of our time running over bearer instruments, principals and agents, and the distinction between holding and owning. These are important fundamentals to understand first, because our philosophy on insurance arises from how these are intertwined.

We can speak about different categories of negative events that can happen to an entity that maintains signing authority over an address. The entity can lose secrets and forever lose the ability to spend, resulting in an irrevocable loss. The entity can also have its secrets learned by others with a subsequent irrevocable on-chain movement representing the theft of those assets. The thieves may appear from inside or outside the entity, but the end result is the same. This means the entity is exposed to this risk. In insurance parlance, this entity is originating the risk — It emanates as a natural side effect of its operations. By default, an entity originating risk will have that risk sitting on its books.

We have come to believe something simple: If we exist as an agent to an entity that is acting as a true fiduciary, we need to provide some mechanism by which the downside risks of engaging us as a counterparty can be mitigated.

No matter how unlikely we know these events to be, anyone sufficiently knowledgeable and honest will readily admit that there is a non-zero probability of their occurrence. Even though we have good reason to believe their occurrence is significantly less likely in our system than elsewhere, we believe fiduciaries deserve the right to have the full value of their assets insured.

One of the first questions we asked ourselves when designing this service was: what properties would we expect from a custodian before we could consider it a trust-minimized counterparty? To start, we set a few ground properties:

1. The custodian should be able to be insured up to 100% of the value of the assets held. This is a topic you can be sure we’ll be writing about in the near future, as there is a lot of confusion in the marketplace over what this means.

2. The custodian should be able to be insured against loss in the sense of missing secrets: Destruction of secrets, whether by natural disaster or otherwise, must represent a valid claim event.

3. The custodian should be able to be insured against external theft: Parties breaching from the outside and learning secrets leading to a theft must represent a valid claim event.

4. The custodian should be able to be insured against internal theft: Internal parties learning secrets and colluding to cause an undesirable fund movement must represent a valid claim event.

We are proud to have achieved all of these properties, and to have discovered that we’re not alone in our beliefs that such properties are critical for the continued evolution of the space, allowing responsible capital allocation to Bitcoin.

Until Next Time

Knox is just getting started. We have a lot more coming down the pipeline.

If you want to learn about responsible Bitcoin custody for your fund, exchange, or other vehicles, have strict LP and risk management requirements, or otherwise appreciate a trust-minimized profile, we’d love to talk.

Please email us at

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.