Skip to content
This repository has been archived by the owner on Sep 1, 2019. It is now read-only.

Home

Jump to bottom
Nathaniel Burke edited this page Jan 2, 2016 · 30 revisions

Foreward

Polly was a Bitcoin hardware wallet project started in 2014 and terminated in late 2015. Difficulties with the physical hardware development contractor and pressures from my day job led me to abandon this project before launch. The source code for the firmware and test harness is now fully open source for anyone to use as they please. I am not planning to continue any development, but for those with questions about the firmware or hardware feel free to contact me.

Overview

Polly is what some call a 'hardware wallet'. However, more accurately it is a key vault and signing device implemented in a small single-purpose hardware device running a lightweight firmware stack. Polly does not perform blockchain related communication and requires external software to track balances and send/receive transactions. Its purpose is to keep the most sensitive aspect of owning Bitcoins, the private keys, on a hardened and dedicated device not subject to vulnerabilities and malware that software running on a general purpose OS is exposed to.

Polly is fully deterministic and uses the BIP32 key generation strategy. In short, this means that from a single seed an infinite chain of Bitcoin public and private keys can be deterministically generated. This has two implications: first if the device is lost all keys can be recovered from the initial seed, and second the deterministic algorithm allows the device to generate an infinite number of addresses without storing anything other than the seed. Of course, the seed is a critical thing to protect as a compromise would compromise the entire set of keys - more on the security model later.

Polly allows the untrusted Bitcoin wallet software to perform the following operations:

  • Provide another source of entropy for generating the initial seed
  • Get a new public Bitcoin address
  • Request signing of a transaction

Hardware

Polly firmware runs with the following hardware:

  • TI CC2538 microcontroller with:
    • ARM Cortex M3 CPU
    • Accelerated ECC (elliptic curve cryptography) operations
    • USB2.0
  • Sharp Memory LCD LS013B7DH03
  • RN42 Bluetooth Module
  • 4 push button or capacitive touch buttons

The CC2538 was chosen for its large flash capacity, very low power CPU operation (Cortex M3), native USB2.0 support, and the ability to offload the computationally demanding elliptic curve cryptography. The Sharp memory LCD allows for excellent contrast in both full sun and night operation (using a frontlight) with a very low power consumption. The RN42 bluetooth module allows for wireless communication with the Bitcoin wallet software running on a desktop, smartphone, laptop, etc.

Security Model

Seed generation When Polly is powered on by the end-user for the first time, the seed for the BIP32 key chain must be created. Internal entropy is generated by the user tapping one of the buttons a number of times to get sufficient entropy for the 64-byte seed. Additional entropy can be provided externally to Polly via a command to give the user additional protection from any potential hardware exploit with the input tapping scheme. The entropy is used to generate an 18-word mnemonic that the user can memorize or record, which is simply a mapping of the entropy to a fixed word list. This 18-word phrase can be used to fully recreate Polly's seed if the device is lost or stolen. The entropy is fed through a PBKDF2 algorithm to generate the actual 64-byte seed. For more details on the mnemonic scheme see BIP39, and for details on how the seed generates the key chain see BIP32.

The seed must be stored in Polly for use each time the device is powered on and asked to sign a transaction. Obviously, the seed is vital to protect as it can be used to generate all private keys associated with the user's device. Storing this in plaintext on the device's flash memory would be an unacceptable breach of security. Additionally, the device must be protected by a user passphrase on each power on as a way to authorize use for signing transactions (spending coins!). Therefore, this passphrase must be generated the first time Polly is powered on by the user and is used both for authentication and to generate the key used to wrap the seed. The same entropy generation and key creation technique is used as described for the seed.

User Input

TODO

Clone this wiki locally