Home
Polly was a Bitcoin hardware wallet project started in 2014 and terminated in late 2015. A functional PCB was fabricated, and Polly was able to receive user input, display on the LCD screen, and return signed Bitcoin transactions supplied by the Python test bench via USB and Bluetooth. Difficulties with the physical hardware development contractor and a new project at my day job led me to abandon this project before launch.
The source code for the firmware and test harness is now fully open source for anyone to use as they please. I am not planning to continue any development, but for those with questions about the firmware or hardware feel free to contact me.
Polly is what some call a 'hardware wallet'. More accurately, it is a key vault and signing device: a small single-purpose hardware device running a lightweight firmware stack. Polly does not perform any blockchain-related communication and requires external software to track balances and send/receive transactions. Its purpose is to keep the most sensitive asset in owning Bitcoins, the private keys, on a hardened and dedicated device that is not exposed to the vulnerabilities and malware that software running on a general-purpose OS faces.
Polly is fully deterministic and uses the BIP32 hierarchical deterministic key derivation scheme. In short, this means that from a single seed an effectively unlimited chain of Bitcoin public and private keys can be derived deterministically. This has two implications: first, if the device is lost, all keys can be recovered from the initial seed; second, the deterministic algorithm lets the device generate as many addresses as needed without storing anything other than the seed. Of course, the seed is the critical thing to protect, since compromising it compromises the entire set of keys; more on the security model later.
Polly allows the untrusted Bitcoin wallet software to perform the following operations:
- Provide another source of entropy for generating the initial seed
- Get a new public Bitcoin address
- Request signing of a transaction
- Load new firmware onto the device
For more information on the communication protocol see the PollyCom python-based test bench.
Polly firmware runs with the following hardware:
- TI CC2538 microcontroller with:
  - ARM Cortex-M3 CPU
  - Accelerated ECC (elliptic curve cryptography) operations
  - USB 2.0
- Sharp Memory LCD LS013B7DH03
- RN42 Bluetooth Module
- 4 push button or capacitive touch buttons
The CC2538 was chosen for its large flash capacity, very low-power CPU operation (Cortex-M3), native USB 2.0 support, and the ability to offload the computationally demanding elliptic curve cryptography to hardware. The Sharp memory LCD gives excellent contrast in both full sun and at night (using a frontlight) with very low power consumption. The RN42 Bluetooth module allows wireless communication with the Bitcoin wallet software running on a desktop, smartphone, laptop, etc.
Polly uses Bitcoin standard BIP techniques wherever possible as these have been peer-reviewed and adopted by the Bitcoin community as best practices. Furthermore, the key for all encrypted material is always derived from the user passphrase. No secrets are stored on the device in plaintext.
When Polly is powered on by the end user for the first time, the seed for the BIP32 key chain must be created. Internal entropy is gathered by having the user tap one of the buttons a number of times until enough entropy has been collected for the 64-byte seed. Additional entropy can be supplied externally to Polly via a command, so that the user is not relying solely on the tap-based scheme should it turn out to have a hardware weakness. The entropy is used to produce an 18-word mnemonic that the user can memorize or record; this is simply a mapping of the entropy, plus a short checksum, onto a fixed word list. The 18-word phrase can be used to fully recreate Polly's seed if the device is lost or stolen. Following BIP39, the mnemonic is then fed through PBKDF2 to produce the actual 64-byte seed. For more details on the mnemonic scheme see BIP39, and for details on how the seed generates the key chain see BIP32.
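The following Python, added here as an illustration and not taken from Polly's firmware or test bench, shows the two BIP39 steps the paragraph describes: turning raw entropy into word indices (with the checksum bits a recovery routine must verify) and stretching the resulting mnemonic into the 64-byte seed with PBKDF2-HMAC-SHA512. It generalizes beyond Polly's 18-word case to every entropy size BIP39 allows. The 2048-entry English word list is not embedded, so the output is word indices; index 3 is "about" in the standard list, which is how the constructed all-zero entropy maps to the well-known "abandon ... about" phrase.

```python
import hashlib

ALLOWED_ENTROPY_BITS = (128, 160, 192, 224, 256)  # 12, 15, 18, 21, 24 words


def entropy_to_word_indices(entropy):
    """BIP39 encoding: append ENT/32 checksum bits taken from SHA-256(entropy),
    then split the bit string into 11-bit word indices (0..2047)."""
    ent_bits = len(entropy) * 8
    if ent_bits not in ALLOWED_ENTROPY_BITS:
        raise ValueError("BIP39 entropy must be 16..32 bytes in 4-byte steps")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def word_indices_to_entropy(indices):
    """Inverse mapping, as a recovery routine would do it; rejects a bad checksum."""
    total = len(indices) * 11
    ent_bits = total * 32 // 33  # 33 bits per 32 bits of entropy
    cs_bits = total - ent_bits
    bits = 0
    for idx in indices:
        bits = (bits << 11) | idx
    entropy = (bits >> cs_bits).to_bytes(ent_bits // 8, "big")
    if entropy_to_word_indices(entropy) != list(indices):
        raise ValueError("mnemonic checksum mismatch")
    return entropy


def checksum_ok(indices):
    """True if the word sequence carries a valid BIP39 checksum."""
    try:
        word_indices_to_entropy(indices)
        return True
    except ValueError:
        return False


def mnemonic_to_seed(mnemonic, passphrase=""):
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase.
    BIP39 requires NFKD normalization of both strings; skipped here since the
    inputs are ASCII."""
    return hashlib.pbkdf2_hmac("sha512", mnemonic.encode("utf-8"),
                               ("mnemonic" + passphrase).encode("utf-8"), 2048, 64)


if __name__ == "__main__":
    # Constructed input: 24 bytes of entropy gives Polly's 18-word size.
    print(len(entropy_to_word_indices(bytes(24))), "words")
    # Constructed all-zero 16-byte entropy -> eleven times index 0, then index 3.
    print(entropy_to_word_indices(bytes(16)))
```

Note that the checksum only catches mistyped words; it does not authenticate the phrase, and the optional BIP39 passphrase changes the seed entirely, so a user who forgets it cannot recover even with the correct 18 words.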
The seed must be stored on Polly, since it is needed each time the device is powered on and asked to sign a transaction. Obviously the seed is vital to protect, as it can be used to regenerate every private key associated with the user's device; storing it in plaintext in the device's flash would be an unacceptable breach of security. In addition, the device must be protected by a user passphrase on each power-on, as the means of authorizing it to sign transactions (spending coins!). This passphrase is therefore generated the first time Polly is powered on and serves two purposes: authenticating the user, and deriving the key used to wrap the seed. The passphrase is generated with the same entropy collection and key creation technique described for the seed.
Each time Polly is powered on, the user is prompted to enter a three-word passphrase (more on how that is done with 4 input buttons later). The store key is derived from this passphrase on every power-on and is in turn used to decrypt the key chain seed, which is stored in the device's flash encrypted with AES-128.
Putting everything together, on each power-on the sequence in the diagram above (passphrase, then store key, then decrypted seed) runs to get the seed into device memory, where it supports both public key generation and derivation of the private keys needed for transaction signing.
The user must enter a 3-word passphrase to unlock the device on every power-on, and potentially an 18-word mnemonic to recover a device. Polly does not have a touchscreen and has only 4 input buttons. To make entry practical, each button is associated with 6 to 8 letters of the alphabet. The user 'types' a word by tapping the buttons associated with its letters, much like spelling on a phone keypad. The trick is that every word in the mnemonic and passphrase word list has a unique sequence of button presses, so there is no ambiguity. This allows efficient word entry with only four buttons.
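The uniqueness requirement is a property of the word list, so it is worth checking mechanically. The Python below is an added example, not Polly's firmware: it assumes a hypothetical 7/7/6/6 split of the alphabet over the four buttons (the page only says 6 to 8 letters per button, not the actual assignment), builds the press-sequence-to-word table a decoder would use, and reports two kinds of clash over a small constructed word list: exact collisions (which the page rules out) and, as an added consideration, prefix clashes, which only matter if words are entered without an explicit end-of-word action.

```python
# Hypothetical partition of the alphabet over buttons 1..4 (not Polly's real mapping).
BUTTON_LETTERS = ("abcdefg", "hijklmn", "opqrst", "uvwxyz")
LETTER_TO_BUTTON = {ch: b + 1 for b, letters in enumerate(BUTTON_LETTERS) for ch in letters}

# Constructed word list; "cat"/"bat" collide and "ant" is a prefix of "ante".
SAMPLE_WORDS = ["apple", "cable", "glass", "piano", "river", "zebra",
                "cat", "bat", "ant", "ante"]


def key_sequence(word):
    """Button presses (1..4) needed to 'spell' a word, phone-keypad style."""
    return tuple(LETTER_TO_BUTTON[ch] for ch in word.lower())


def build_table(words):
    """Map press sequences back to words. Returns (table, collisions, prefixes):
    collisions are pairs sharing an identical sequence (decoding is ambiguous),
    prefixes are pairs where one sequence is a proper prefix of another (ambiguous
    only if entry has no explicit word separator)."""
    table, collisions = {}, []
    for word in words:
        seq = key_sequence(word)
        if seq in table:
            collisions.append((table[seq], word))
            continue
        table[seq] = word
    prefixes = []
    seqs = sorted(table)  # a proper prefix always sorts before its extensions
    for i, short in enumerate(seqs):
        for longer in seqs[i + 1:]:
            if longer[:len(short)] == short:
                prefixes.append((table[short], table[longer]))
    return table, collisions, prefixes


def decode(table, presses):
    """Resolve a recorded sequence of presses to a word, or None if unknown."""
    return table.get(tuple(presses))


if __name__ == "__main__":
    table, collisions, prefixes = build_table(SAMPLE_WORDS)
    print("collisions:", collisions)
    print("prefix clashes:", prefixes)
    print("decode [4,1,1,3,1] ->", decode(table, [4, 1, 1, 3, 1]))
```

For a real list, run `build_table` over all 2048 BIP39 words under the chosen button mapping and drop or re-map words until both `collisions` and `prefixes` are empty; only then does the four-button "spelling" scheme decode unambiguously.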