HACKER Q&A
📣 JonathanBeuys

How do you use Bitcoin in a trustless way?


I'm still trying to figure out if it is possible to use Bitcoin in a trustless way, so that no matter which parts of your tech stack are faulty or malicious, you keep control over your funds.

The following is what I got so far. I have never used Bitcoin. So correct me if something is wrong, please.

1: Create a seed phrase with dice

2: Write it down on paper or carve it into metal

3: Buy a hardware wallet with no internet connectivity.

4: Never connect that wallet to any other device.

5: Type the seed phrase into the hardware wallet

6: The hardware wallet will display an extended public key

7: Install a software wallet on a computer with internet access

8: Type the extended public key into the software wallet

9: To do transactions: Create a transaction in the software wallet

10: The software wallet will show a hash of the transaction

11: Type that hash into the hardware wallet

12: The hardware wallet will show a signature

13: Type that signature into the software wallet

That's it.

As I understand it, there is still trust involved in steps 3 and 6:

3: There is not an easy way to check if the hardware wallet really has no internet connectivity.

6: There is no way to check if the hardware wallet really uses the seed phrase to create the extended public key. It could create an extended public key that the vendor can predict. One could test it a few times with throw-away seed phrases, but one would never be 100% sure.


👤 globalreset Accepted Answer ✓
Decent breakdown. Good job.

8. You can usually export it more conveniently. 10-13 is overkill. Most wallets have some reasonable way to move txes between hardware wallet and online system (like SD card). They don't really compromise the practical security and are a much better UX.

3. Checking if hardware really has no internet connectivity is indeed a thing. You could use a Faraday cage to be certain. Some wallets like ColdCard are translucent so you can inspect the components.

6. It is maximally secure to generate the seed phrase manually using dice and a paper lookup table. If you enter it into two wallets from two different vendors, you can see if they generate the same addresses.

There's one attack you're missing: hardware wallets could possibly slowly leak your private key by biasing bits in the signatures by grinding the nonce. It would take a whole lot of txes, but it is theoretically possible.

There's also the possibility of someone just analyzing the electromagnetic waves while the hw wallet signs txes to extract a key. Very, very sophisticated and unlikely, but since we already have the tin foil hat on... just invest in a Faraday cage. :D

For maximum tin foil hat security, use multisig between two or more different devices (and/or parties), signing in different locations.

Edit: Oh. And since you're so into it, it's worth mentioning that using a seed passphrase is always a good idea!


👤 TacticalCoder
(As others have noted, multi-sig schemes may be a better option, but here are a few bits of info regarding your questions.)

> 1: Create a seed phrase with dice

You can do that, but you'll need a way to generate the checksum for the seed phrase. A 24-word BIP39 seed contains 264 bits (24 x 11 bits): 256 bits for the seed and 8 bits for the checksum.

> There is not an easy way to check if the hardware wallet really has no internet connectivity.

Indeed but you can at least open / disassemble some of them easily (there are even docs by the manufacturers explaining how to verify that the hardware wallet's PCB looks legit).

Seed exfiltration, even without connectivity, is an issue too.

And some hardware wallets are extremely noisy and impossible to use totally offline (there are mandatory firmware upgrades and mandatory connectivity needed to install the "apps" that allow signing transactions), so you have to trust the vendor.

> There is no way to check if the hardware wallet really uses the seed phrase to create the extended public key.

Yes there is. Use an airgapped/offline computer which has physically no network connectivity options (no wifi / no ethernet / no bluetooth / no nothing), no HDD, booted from, say, a live Linux CD which contains, for example, Ian Coleman's BIP39 tools. Then you enter your seed and verify that the extended public key / keys derived are the same as the ones shown by your hardware wallet. Data exfiltration from such a computer is still technically possible, but I wouldn't worry too much about it: you power that computer for a few minutes, turn it off, and you'll be fine.
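The checksum arithmetic from the "24 x 11 bits" comment above, as an added example that is not part of any post in this thread: d6 rolls are mapped to unbiased bits (1-4 give two bits, 5 and 6 are rerolled), the SHA-256 checksum is appended, and the 264 bits are cut into 24 wordlist indices. The wordlist itself is not embedded, so the functions work on indices; the all-zero entropy is the published BIP39 test vector whose last index, 102, is "art" in the English list.

```python
import hashlib

def dice_to_entropy(rolls, nbits=256):
    """Turn d6 rolls into unbiased entropy bytes.

    Rolls 1-4 contribute two bits each (00, 01, 10, 11); 5 and 6 are
    discarded so every bit pair is equally likely. 256 bits need at least
    128 accepted rolls.
    """
    bits = []
    for r in rolls:
        if r not in (1, 2, 3, 4, 5, 6):
            raise ValueError("a d6 only rolls 1..6")
        if r <= 4:
            bits.append(format(r - 1, "02b"))
        if 2 * len(bits) >= nbits:
            break
    if 2 * len(bits) < nbits:
        raise ValueError("not enough accepted rolls for %d bits" % nbits)
    return int("".join(bits)[:nbits], 2).to_bytes(nbits // 8, "big")

def entropy_to_indices(entropy):
    """Append the BIP39 checksum and split into 11-bit wordlist indices.

    Checksum length is ENT/32 bits: 8 bits for 32 bytes (24 words),
    4 bits for 16 bytes (12 words), taken from the first SHA-256 byte.
    """
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(combined >> (total - 11 * (i + 1))) & 0x7FF
            for i in range(total // 11)]

def checksum_is_valid(indices):
    """Recompute the checksum from word indices, as a wallet does when a
    phrase is typed in. A mistyped last word makes this return False."""
    total = 11 * len(indices)
    cs_bits = total // 33
    combined = 0
    for idx in indices:
        combined = (combined << 11) | idx
    checksum = combined & ((1 << cs_bits) - 1)
    entropy = (combined >> cs_bits).to_bytes((total - cs_bits) // 8, "big")
    return hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits) == checksum

if __name__ == "__main__":
    # Constructed rolls: 130 rolls, the first two (5, 6) discarded. All-ones
    # rolls give the all-zero entropy of the BIP39 test vector.
    idx = entropy_to_indices(dice_to_entropy([5, 6] + [1] * 128))
    print(idx, checksum_is_valid(idx))
```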


👤 rlt
Instead of a hardware wallet you could buy or build an airgapped PC with no wireless hardware.

Of course it’s possible to exfiltrate data even without dedicated wireless hardware (TEMPEST etc) so I guess build a faraday cage if you’re really paranoid.

Also: https://glacierprotocol.org/


👤 olalonde
Mostly agree with your steps except that to sign a transaction, you need all of its data, not just the hash. So it would be impractical to manually type it in a hardware wallet (also, most hardware wallets don't have a keyboard).

Hardware wallets like Ledger instead connect directly to a computer via USB to receive/transmit transactions to sign. They also transmit the extended public key to the wallet software so you don't have to type it manually. You have to trust the hardware wallet vendor to some degree.

Regarding your comment on number 6, that's an interesting thought that I hadn't considered. Since you are not supposed to enter your seed on a computer, there really isn't any way to verify that the hardware wallet is really using the seed you provided and not some seed that can be predicted by the hardware manufacturer. I guess you could enter it on a hardware wallet from a different vendor, or on an air-gapped computer[0], and see if it matches.

[0] Make sure that the computer is never connected to the Internet again in case there was a key logger running and waiting for Internet connectivity.


👤 larsrc
You can't. You have to live with the fact that there's some amount of risk and weigh whether it's an acceptable level compared to what you're securing. See Reflections on Trusting Trust for the canonical example.

👤 FatalLogic
I think you can't. You're right about 3 and 6, which are the same basic issue of needing to trust the vendor, their hardware suppliers, their employees, and the delivery chain to you. (You can be more secure, but you can't be totally secure)

Or, for example, what if all your communications and actions are being monitored continuously by state-level actors with cameras and hidden bugs, recording every keystroke? Or what if we are living in a simulation, and the malicious operators can extract data from your brain, or just alter reality at will?

But I think you can provide a "practical" level of trustless. That means that, if your adversary was powerful enough to steal your Bitcoins, then they'd be so powerful that they could destroy you in many other ways. So it's a moot point.

A practical solution to your question could be to take all the precautions you've said above, and then simply gradually increase the amounts you are transacting, using a variety of methods, and see if anything gets stolen.

Call it a bribe or a bug bounty or a tax. It's quite effective, because organizations are comprised of individuals, who are subject to human temptations. At least two federal agents independently stole funds from the Silk Road marketplace while investigating it, and they were imprisoned later.


👤 strbean
If you're willing to accept that an individual MOSFET won't be bugged, build your own hardware from individual transistors to do all the necessary cryptographic steps. Run it on a battery supply to avoid power line information leakage[0]. Run the hardware inside a Faraday cage to avoid RF information leakage.

[0]: Using a lead-acid battery so you can disassemble it and verify it isn't bugged.


👤 joosters
You've missed step 0 (and earlier): how did you trustlessly obtain the bitcoin in the first place? Your options aren't good here:

a) Buy it on an exchange: You need to trust that the exchange won't just run off with/sell your real money/credit card details (but at least in the real world you have a chance of clawing back stolen cash)

b) Buy it via a service like localbitcoins, where you meet a stranger in an alley and hand them hard cash. Not very trustless!

c) Mine the coins yourself. But unless you build a bitcoin miner from scratch, you need to trust the hardware and software (how do you know for sure that it isn't mining to someone else's account?) And your miner needs to be connected to the internet, so hackers could get your coins.

There are no good trustless options. You have to accept some risk.

EDIT: I missed the only tried and true trustless way to get bitcoins:

d) Hack/phish/con someone else out of their bitcoins!


👤 runeks
The solution is to replace the hardware wallet with a Raspberry Pi, or similar hardware device, and use open source wallet software. However, you need to be able to disable the Wi-Fi of the hardware device so that the device that holds the keys is offline.

👤 lfpeb8b45ez
You’ll need to first discover if you can trust yourself. Make sure you don’t sleepwalk, test your susceptibility to hypnotic suggestion, and talk to a medical professional you trust about other possible health conditions that could jeopardize your assets. Unfortunately, there are few cryptographically verifiable medical professionals.

👤 Peleus
Step 1 is going to be figure out what you are prepared to trust and work upwards from there.

There will always be an infinitely recursive list of trust issues or potential attack vectors, they will just become less and less likely.

What if the hardware wallet is backdoored? Use a Faraday cage. What if both the hardware wallet and the Faraday cage are compromised? etc.


👤 mightybyte
There is still some trust hidden away in step 10 that you didn't call out, which is that you're trusting the software wallet. The software wallet that you use to create the transaction could under the hood create a different transaction than what you expect and show you the hash of that transaction. A hardware wallet that signs a raw hash will always be vulnerable to this kind of attack. To really eliminate the need to trust the software wallet, you should send the whole transaction to the hardware wallet so the hardware wallet can calculate the hash. You're still trusting the hardware wallet to some extent but you entered your seed phrase into the hardware wallet so you're implicitly trusting that no matter what.

👤 ALittleLight
This method is still vulnerable to rubber hose cryptanalysis - which is what I'd worry about.

👤 Geee
Everything that is non-verifiable, requires trust. So, if you can verify that your hardware works correctly, you don't need to trust the manufacturer or supply chains. There are ways to verify that hardware works correctly.

3: You measure RF signals to verify that there's no wireless connection of any kind.

6: You can verify the public key by using multiple devices from different vendors with the same seed.

Practically speaking, you don't need to verify everything yourself. It's guaranteed that any information about attacks will be quickly available, if someone is able to verify everything.


👤 andreskytt
Your hardware might leak the private key via a non-internet connection (Bluetooth, NFC, physical interface, some non-standard protocol). Also, it might use weak crypto to generate the private key (see the ROCA vulnerability). Trusting non-trivial hardware is hard, as it takes very little to have it behave maliciously under very specific circumstances.

👤 _ink_
I think you left out one important part, which might lead to losing your funds! When you withdraw only a portion from your bitcoin wallet, the default behaviour is that your wallet is still emptied completely. The leftover amount is transferred to a different wallet generated by the software wallet you use to generate the transaction. I am not sure if the new private key could be restored from the original private key, if you would delete the software wallet after the transaction.

There is no good solution.

You can specify multiple recipients, so you could send the leftover back to your secure wallet. But reusing addresses after a transaction is considered insecure (I don't know why).

Or you have a second secure hardware wallet, that can receive the leftover.


👤 pcdoodle
Download green wallet by blockstream and call it a day. Make sure to close all other apps before opening it. Write your seed phrase down and give it to your Mom.

👤 shaicoleman
Instead of trying to eliminate trust, a better approach would be to decentralize trust.

There are various solutions for that, e.g. multi-sig, Shamir's Secret Sharing, etc.
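The "decentralize trust" idea in the comment above, as an added example that is not from any post in this thread: a 32-byte seed entropy is split 2-of-3 with Shamir's scheme so that any two shares rebuild it while one share alone reveals nothing. This is a toy construction over GF(2^8) written for illustration, not the SLIP-39 standard that wallets use for Shamir seed backups, and the GF(2^8) helpers are assumed rather than taken from any library.

```python
import secrets

# Toy Shamir split over GF(2^8), reduced by x^8 + x^4 + x^3 + x + 1 (0x11B).
# Illustration only; SLIP-39 is the standardised scheme for seed backups.

def gf_mul(a, b):
    """Multiply two field elements in GF(2^8)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p

def gf_inv(a):
    """Multiplicative inverse: a^254 in GF(2^8) (a must be non-zero)."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def split_secret(secret, k, n, rng=secrets.token_bytes):
    """Split each byte with a random degree k-1 polynomial; share x in 1..n."""
    shares = {x: bytearray() for x in range(1, n + 1)}
    for byte in secret:
        coeffs = [byte] + list(rng(k - 1))  # constant term is the secret byte
        for x in shares:
            y, x_pow = 0, 1
            for c in coeffs:
                y ^= gf_mul(c, x_pow)
                x_pow = gf_mul(x_pow, x)
            shares[x].append(y)
    return {x: bytes(y) for x, y in shares.items()}

def combine_shares(shares):
    """Lagrange interpolation at x=0 from any k shares given as {x: bytes}."""
    xs = list(shares)
    length = len(next(iter(shares.values())))
    out = bytearray()
    for i in range(length):
        acc = 0
        for xi in xs:
            num = den = 1
            for xj in xs:
                if xj != xi:
                    num = gf_mul(num, xj)
                    den = gf_mul(den, xi ^ xj)
            acc ^= gf_mul(shares[xi][i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)
```

Each share would be held by a different party or location, which is the multi-party variant the thread's multisig comments describe for signing rather than for backup.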


👤 high_byte
If you don't fully trust your hardware wallet, you could try multisig with multiple wallets of different vendors. Also see BLS signatures.

Ethereum is much better in these scenarios.


👤 deyan
Regarding 7-10: any recommendations for good software wallets?

👤 apengwin
1. How can you know for sure that the dice are not rigged?

👤 nathias
Running a VM Linux distro with a wallet that connects to the internet would probably give less or the same degree of trustlessness while being more practical.

👤 trixie_
Step 6: unless you reviewed the source code, there’s no telling the key it generates is not compromised.

A wallet like Coinomi on an iPhone is a secure enough platform to keep your crypto on.


👤 uAllStupid
Brain wallet + coinb.in offline. You're welcome.

👤 nathias
You buy Monero.

👤 faangiq
You don’t.