Custody Fundamentals

Section I: Cryptographic Foundations


The Custody Paradigm Shift

Cryptocurrency fundamentally transforms value into information. This shift eliminates the need for physical trucks and armored vaults but creates a new reality: keys equal control. If a party can authorize a transaction, they effectively own the asset, creating new opportunities for self-sovereignty and different categories of risk. Custody can exist entirely in memory. A 12-word mnemonic can hold millions of dollars with no physical footprint. For refugees or anyone living under hostile or bad faith governments, this enables value to cross borders in someone's head, resist confiscation, evade capital controls, and be reconstructed anywhere with an internet connection.

This capability comes with corresponding responsibility. Whether for individuals or institutions, the shift from physical to informational value creates new failure modes. One forgotten passphrase or compromised backup can mean permanent loss. Sophisticated custody operations become a discipline of minimizing online exposure, implementing tested recovery procedures, and ensuring provable operations. The implications are clear: transactions are irreversible, and most losses stem from operational lapses rather than cryptographic vulnerabilities. To see how control is enforced in practice, we start with keys, addresses, and signatures.

Public Keys, Private Keys, and Digital Signatures

[Figure: Elliptic Curve Cryptography (interactive 3D visualization)]

At the heart of custody lies a fundamental cryptographic relationship: public keys and private keys. Think of this as a mathematical lock-and-key system where the lock (public key) can be shared freely, but only the corresponding key (private key) can unlock it.

A private key is a large random number, typically 256 bits of entropy, that serves as the holder's secret. In practice, private keys are usually derived from 12- or 24-word mnemonic seed phrases rather than generated directly. From this private key, mathematical operations generate a corresponding public key. While it is computationally easy to derive a public key from a private key, the reverse is practically impossible with current technology. (Chapter XIV examines how quantum computers could change this equation.)

Digital signatures prove ownership without revealing the private key. When someone wants to spend cryptocurrency, they create a digital signature using their private key and the transaction details. Anyone can verify this signature using the public key, confirming that only the holder of the corresponding private key could have created it.

Digital signatures enable non-repudiation: once someone signs a transaction, they cannot later claim they didn't authorize it. The mathematics provides cryptographic proof of authorization.

Different blockchains use different signature algorithms. Bitcoin and Ethereum rely on ECDSA (Elliptic Curve Digital Signature Algorithm), while Solana uses EdDSA (Edwards-curve Digital Signature Algorithm). Bitcoin's Taproot upgrade introduced Schnorr signatures, which enable multiple parties to jointly sign transactions in ways that appear identical to single-signature transactions on-chain. These algorithmic differences become relevant when designing multi-party custody arrangements, as some schemes work better with certain signature types than others. The practical implications will become clearer when we examine institutional custody models in Section III.

Addresses: Public Identifiers

Addresses serve as public identifiers for receiving cryptocurrency, derived from public keys through cryptographic hashing. Different blockchains use different address formats. Bitcoin addresses come in several types, including Legacy addresses starting with "1", Pay-to-Script-Hash addresses starting with "3", and modern Bech32 formats starting with "bc1". Ethereum addresses are 40 hexadecimal characters prefixed with 0x, representing the last 20 bytes of the hash of the public key. Solana addresses are 44-character strings representing Ed25519 public keys directly.

This fundamental asymmetry enables the entire cryptocurrency ecosystem: addresses can be shared publicly for receiving funds, but spending requires the corresponding private key.

Mnemonic Seed Phrases: Human-Readable Keys

While the cryptographic primitives above provide the mathematical foundation for custody, they create a practical problem: how do humans safely manage these keys? Raw private keys are 64-character hexadecimal strings like e9873d79c6d87dc0fb6a5778633389f4453213303da61f20bd67fc233aa33262, which are impossible to memorize, prone to transcription errors, and difficult to store securely.

Mnemonic seed phrases solve this usability problem by encoding cryptographic entropy into human-readable words.

BIP-39 (Bitcoin Improvement Proposal 39) standardizes mnemonic phrases using a dictionary of 2048 words. A 12-word phrase encodes approximately 128 bits of entropy, while a 24-word phrase provides approximately 256 bits. These words encode cryptographic entropy plus a checksum to catch transcription errors. The phrase is processed through a key stretching algorithm that applies many iterations of cryptographic hashing to generate a master seed, making brute-force attacks computationally expensive. From this master seed, hierarchical deterministic (HD) wallets derive unlimited addresses and keys following related BIP standards (BIP-32 defines the derivation method, BIP-44 standardizes the path structure across different cryptocurrencies).

These seed phrases have several important properties. They are deterministic, meaning the same phrase always generates the same keys and addresses. They are hierarchical, allowing one seed to generate keys for multiple cryptocurrencies and accounts. And they are recoverable, meaning the phrase alone can restore an entire wallet across different software applications.

The 25th word: An optional passphrase can be added to the mnemonic, creating an additional security layer. This passphrase effectively creates different wallets from the same seed phrase, providing plausible deniability and additional security.

High-quality random number generation is important when creating seed phrases. Weak randomness can lead to predictable keys that attackers could guess. When restoring a wallet from a seed phrase, using the same derivation path (the specific method for generating addresses from the seed) as the original wallet ensures all addresses are recovered correctly. Different wallets may use different derivation paths, so compatibility matters when moving between wallet software.
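The checksum, the key-stretching step and the optional passphrase described above, as an added example that is not part of the original book. It uses only the Python standard library and the BIP-39 test vector of all-zero entropy (which maps to eleven "abandon" words followed by "about"); the word list itself is omitted, so the functions work with 11-bit word indices rather than words.

```python
# Added example (not from the page): BIP-39 checksum, seed stretching and the
# BIP-32 master node, using only the Python standard library.
import hashlib
import hmac
import unicodedata

def entropy_to_word_indices(entropy: bytes) -> list:
    """Append the first ENT/32 bits of SHA-256(entropy), then cut into 11-bit groups."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16..32 bytes in 4-byte steps")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    # Each 11-bit index selects one of the 2048 BIP-39 words (index 0 = "abandon").
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]

def checksum_is_valid(indices: list) -> bool:
    """Recompute the checksum from word indices, as a wallet does on restore."""
    n = len(indices)
    cs_bits = n * 11 // 33
    bits = 0
    for idx in indices:
        bits = (bits << 11) | idx
    try:
        entropy = (bits >> cs_bits).to_bytes((n * 11 - cs_bits) // 8, "big")
        return entropy_to_word_indices(entropy) == indices
    except (ValueError, OverflowError):
        return False  # wrong word count or malformed input

def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Key stretching: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)

def bip32_master_node(seed: bytes) -> tuple:
    """HMAC-SHA512(key=b"Bitcoin seed", seed) -> (master private key, chain code)."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return i[:32], i[32:]
```

Changing the passphrase changes the seed, and therefore every key and address derived below it, which is why the "25th word" yields a distinct wallet from the same twelve words.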