Square To Open Source Its Subzero Bitcoin Cold Storage Technology
According to Square’s official Medium page, the mobile payment company is open sourcing tools, documentation, and code for its Subzero crypto cold storage solution.
The payment app recently added cryptocurrency trading and has invested heavily in security to protect user funds, given its custodial role.
What is Subzero?
Subzero is a programmable offline Bitcoin wallet. Programmable means that, although it currently supports only Bitcoin, other protocols can be implemented in the future.
Alok Menghrajani, a security engineer at Square, emphasizes the security aspect of the system:
“One specific customization we implemented is the ability to enforce that cold wallet can only send funds to a Square-owned hot wallet. Such layering provides defense in depth, forcing an attacker to compromise multiple systems in order to extract funds.”
Furthermore, the author of the blog post states that their “multi-party signing ceremony leverages the multi-signature feature available in Bitcoin.” The post also explains how users combine smart cards and passwords to verify the cold storage system.
The offline and online parts of the system exchange a minimal amount of data through QR codes, while the physically secured cold wallet remains offline, which should preserve its integrity. The post describes the sequence of events as follows:
“A signing ceremony starts by having an online server generate a QR code. The QR code contains the minimal amount of information necessary to sign a transaction. QR codes are efficiently encoded using Protobufs.”
Menghrajani further explains that these QR codes can be printed and archived, which makes them useful for forensic purposes, and they also keep a certain amount of exchangeable data.
Square’s Subzero tech leverages a Hardware Security Module (HSM), a device used in the payments industry to store sensitive cryptographic key material and perform operations with those stored keys.
As a result, Subzero’s supply chain is secured, making unauthorized modification of the active system a very difficult task for a would-be hacker.
Why open source the software?
Besides the announcement itself and the explanation of the product’s core system, Square also gives readers insight into its motivation for sharing its achievements.
“Since launching Bitcoin support, Square developed a robust approach to Bitcoin cold storage, and we recognize the importance of sharing our work with the community […] We hope that by sharing our work, we can make it easier for others to fulfill their security needs, enabling even more innovation — and better protection for all players — in the cryptocurrency space. In the long run, since we had to solve problems that other companies may face, we are interested in standardizing some of our work.”
Square’s security engineer explains in the Medium post that the shared GitHub repository “contains documentation, code to build DVDs, the GUI, the wallet that runs on the HSM, and a few other utilities.”
Reportedly, some parts of the code are tightly coupled to the specific piece of hardware. However, the company says it is open to contributions that would enable support for other merchants.