
Understanding and Securing Recovery Codes and Private Keys

Published on

April 23rd, 2025

Scott Wilson


The Fundamentals of Bitcoin Security 

Bitcoin, the world's first decentralized digital currency, relies on a technology known as cryptography to transmit data between peers in a way that can’t be intercepted, censored, or hacked. For this cryptographic system to work, you need an address to send and receive crypto and a confidential way to access the crypto you have. These are usually referred to as public and private keys. The CoinFlip Wallet adds a layer on top of the traditional private keys called recovery codes. This document provides a comprehensive explanation of public and private keys in Bitcoin, explains how the CoinFlip Wallet uses recovery codes, and shows how to keep your private access information safe.

What Are Public and Private Keys? 

Cryptography is the mathematical field of obscuring information so that only the intended audience can interpret it. Cryptography has existed for as long as the written word. For example, in ancient Rome they would replace letters in the alphabet with another letter 13 places down, so “A” becomes “N”, “B” becomes “O”, and so on. With this system (called ROT13, meaning “rotate 13 places”), a nonsense string of letters like “Ohl lbhe Ovgpbva guebhtu PbvaSyvc” can be decoded to say “Buy your Bitcoin through CoinFlip”. With the help of computers, Bitcoin uses a more sophisticated method developed by the National Security Administration called SHA256, which stands for “Secure Hashing Algorithm that spits out a 256-character final product.” All data entered into SHA256 goes through eight increasingly complicated calculations to appear as a random string of 256 letters and numbers.

But Where Do Keys Come From? 

The Bitcoin core protocol is designed to allow anyone with an Internet connection to create a wallet. The 256-character private keys are a part of the wallet, and only the wallet’s creator can see them. On its own, the private key isn’t much use, but the wallet also includes a Digital Signature Algorithm, which translates the private key into a public key in a process called “key pairing”.

The public key is an encrypted public asset, meaning you can use it to represent yourself and your bitcoins on the blockchain, and it can serve as an account for sending and receiving bitcoin, but data cannot be retrieved from it without the corresponding private key. It’s a one-way street.  

Any time you send or receive bitcoin, all the transaction data – including the amount, time, your public address and the address of the other party – gets hashed by SHA256 and added to the blockchain.  

The Bitcoin protocol transfers bitcoin ownership by following the instructions contained within the data of the transaction itself. Anybody can see this transaction on the public ledger by looking up the hash ID through a blockchain scanner, and they can see the public keys of the participants as well.  

Mnemonics and CoinFlip Recovery Codes 

The 256-character private key is nearly impossible for a human to remember and use in any practical way. So, in 2013 some developers proposed an improvement (known as BIP-39 in the docs) that makes the private key more user-friendly by allowing it to be represented by a list of 12, 18, or 24 words.  

This is called a seed phrase, and it comes from a dictionary of 2,048 words in several languages that can be arranged in up to 1.6x10^77 different combinations. When placed in the correct order, the Bitcoin protocol converts the words into the private key hash, giving you access to your bitcoins.  
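How a BIP-39 phrase of 12, 18 or 24 words is laid out, shown as an added example (not CoinFlip's code and not part of the original article): random entropy plus a short SHA-256 checksum is cut into 11-bit indexes into the 2,048-word list, and the checksum lets a wallet reject most mistyped or misordered phrases. The word list is omitted, so the functions work on word indexes; the function names are assumptions made for this example.

```python
import hashlib

def entropy_to_indices(entropy: bytes) -> list:
    """Map BIP-39 entropy to word indexes (0..2047) in the 2,048-word list."""
    if len(entropy) not in (16, 24, 32):           # 12, 18 or 24 words
        raise ValueError("entropy must be 128, 192 or 256 bits")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32                       # checksum length is ENT / 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11           # every word carries 11 bits
    return [(value >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]

def indices_are_valid(indices: list) -> bool:
    """Recompute the checksum for a phrase given as word indexes.

    A 12-word phrase has only a 4-bit checksum, so roughly 1 in 16
    random mistakes still passes; this is an error check, not security.
    """
    if len(indices) not in (12, 18, 24):
        return False
    if any(not 0 <= i < 2048 for i in indices):
        return False
    value = 0
    for i in indices:
        value = (value << 11) | i
    cs_bits = len(indices) // 3                    # 4, 6 or 8 checksum bits
    ent_bytes = len(indices) * 4 // 3              # 16, 24 or 32 entropy bytes
    entropy = (value >> cs_bits).to_bytes(ent_bytes, "big")
    return entropy_to_indices(entropy) == list(indices)

if __name__ == "__main__":
    # Constructed input: all-zero entropy, never usable as a real wallet seed.
    phrase = entropy_to_indices(bytes(16))
    print(phrase, indices_are_valid(phrase))
    print(indices_are_valid(phrase[:-1] + [4]))    # wrong last word is rejected
```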

The CoinFlip Wallet modifies the Bitcoin mnemonic seed phrase concept for simplicity and security. Instead of 12, 18, or 24 words to write down or memorize, the CoinFlip Wallet only requires five code words. Our wallet uses multi-party computation, which means the private key is never created or stored in one place. Instead, it’s split into multiple pieces: one stays on a server, and the other goes to the user. The recovery codes that CoinFlip gives users represent their piece of the private key. Alone, it’s not enough to move funds, but when combined with CoinFlip’s piece, the wallet becomes functional. During onboarding, users can either write down their recovery code or encrypt and back it up to their iCloud or Google Drive with a password they choose. CoinFlip cannot see the user’s part of the key and cannot gain access to it. No CoinFlip representative will ever ask for your recovery codes. Do not share them with anybody.

The Importance of Recovery Code Security 

You need your keys or recovery codes to access the blockchain. If you lose your codes, there is nothing CoinFlip or any other company can do to retrieve them. At the same time, if anybody ever finds your recovery codes or private key, they gain access to your assets and can spend them without your permission. Here are some do’s and don’ts of recovery code security:  

Do: Write your recovery codes on archival-quality paper with pigment-based ink. If you want to go a step further, engrave your codes on a lasting surface, like metal. You want to preserve your private key info on something that won’t degrade over time.  

Don’t: Write your recovery codes on a Post-it or use a pencil. Many inexpensive paper products are acidic and degrade or fade over a few years. Pencil lead flakes away. Your private key information may need to last generations, so it’s important to use quality recording materials.

Do: Encrypt your recovery codes and put them on a password-protected cloud account, like iCloud. This option is available on the CoinFlip Wallet and makes it easy to retrieve forgotten information while maintaining security. 

Don’t: Take a screenshot and email it to yourself. Emails get hacked all the time, and phones get stolen. This is one of the primary vectors that hackers use to steal bitcoin.  

And most importantly, do not tell people about your cryptocurrency holdings. You could become a target, and there’s no insurance on bitcoin theft.

 

From xkcd: Security 

Public Key Security 

Even though the public key can’t be hacked by any known technology, it is vulnerable to human interference. That is, when you’re typing in a public key to transfer bitcoins, it’s easy to accidentally add an extra digit or mistype something. The CoinFlip Wallet minimizes potential errors by providing a QR code and an easy copy/paste interface, but it’s always vital to double-check every transaction. For example, some copy/paste functions automatically add a space after pasting. This can be time saving for writing text, but any erroneous spaces or characters in a wallet address will cause it to appear invalid. Once a transaction is sent it cannot be recalled.  
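Why a stray space or mistyped character makes an address appear invalid, shown as an added example (not CoinFlip's code and not part of the original article): legacy Bitcoin addresses use Base58Check, which appends a 4-byte double-SHA-256 checksum that a wallet verifies before sending. The example covers only that legacy format (addresses starting with 1), the key hash is constructed, and the function names are assumptions.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload: bytes) -> bytes:
    # First 4 bytes of SHA-256 applied twice to version byte + key hash.
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def encode_address(version: int, key_hash: bytes) -> str:
    """Base58Check-encode a version byte and a 20-byte key hash."""
    payload = bytes([version]) + key_hash
    data = payload + _checksum(payload)
    num, out = int.from_bytes(data, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))    # each leading zero byte -> '1'
    return "1" * pad + out

def check_address(text: str) -> str:
    """Return 'ok' or the reason the pasted address must be rejected."""
    if any(c.isspace() for c in text):
        return "whitespace"                        # e.g. a space added on paste
    if any(c not in ALPHABET for c in text):
        return "invalid character"                 # 0, O, I and l are not used
    num = 0
    for c in text:
        num = num * 58 + ALPHABET.index(c)
    pad = len(text) - len(text.lstrip("1"))
    raw = b"\x00" * pad + num.to_bytes((num.bit_length() + 7) // 8, "big")
    if len(raw) != 25:                             # 1 version + 20 hash + 4 checksum
        return "wrong length"
    return "ok" if _checksum(raw[:-4]) == raw[-4:] else "bad checksum"

# Constructed sample: a made-up key hash, not an address anyone controls.
SAMPLE = encode_address(0x00, bytes(range(1, 21)))

if __name__ == "__main__":
    for candidate in (SAMPLE, SAMPLE + " ", SAMPLE[:-1]):
        print(repr(candidate), "->", check_address(candidate))
```

The checksum catches typing and pasting errors only; an address that was swapped for another valid one still passes, which is why the destination should be compared against the intended one before sending.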

Conclusion 

Public and private keys are fundamental to the security and functionality of the Bitcoin network. Understanding how they work and ensuring their protection is essential for anyone participating in the Bitcoin ecosystem. By following best practices for key security, users can confidently manage their bitcoins and participate in the decentralized digital economy. If you have more questions about security or CoinFlip recovery codes, contact our customer support team any time.  

 
