
AIRGAP PSBT SIGNING
CUVEX VS TRADITIONAL AIR GAPPED HARDWARE WALLETS

Air-gapped hardware wallets are widely considered one of the most secure methods for Bitcoin transaction signing.

Traditionally, an AirGap wallet isolates the signing device from all networks and transfers PSBT data via QR codes.

Cuvex builds on the AirGap model, preserving private key isolation while solving the usability limitations of QR-based AirGap workflows for multisig, CoinJoin, and complex PSBT transactions.


WHAT IS AN AIR-GAPPED HARDWARE WALLET

An air-gapped hardware wallet typically:

  • Has no WiFi, Bluetooth, or cellular connectivity

  • Is not network-reachable

  • Transfers transaction data via optical QR codes

  • Executes signing locally

This prevents remote attacks and network-based key exfiltration.

However, QR-based AirGap transfer introduces operational friction in advanced Bitcoin use cases.


THE PROBLEM WITH QR-BASED AIRGAP IN ADVANCED BITCOIN USE

QR AirGap signing works well for simple transactions.

But in scenarios such as:

  • Multisignature PSBT coordination

  • CoinJoin transactions

  • UTXO consolidation

  • Multiple-recipient transactions

  • High-input PSBT files

QR-based AirGap often requires:

  • Dozens of sequential scans

  • Multi-frame synchronization

  • Strict ordering

  • Manual confirmation loops

This increases:

  • Human error probability

  • Operational time

  • Workflow impracticality

For advanced Bitcoin users, traditional QR AirGap can become limiting.

CUVEX AIRGAP ARCHITECTURES

Cuvex offers two AirGap signing architectures designed around the same core principle:

Private keys never interact with an internet-connected environment, and signing execution always occurs locally.

  • Category: Physically Segmented AirGap Hardware Wallet

    Transport: Passive NFC data carriers

    Security Characteristics

    • No network stack

    • No WiFi / Bluetooth / cellular

    • No electronic tether to an online host during signing

    • PSBT transferred via fully passive NFC tags

    • Private keys never leave the device

    • Signing execution is fully local

    Although NFC is technically wireless, Cuvex uses fully passive NFC tags:

    • No battery

    • No active radio

    • Cannot initiate communication

    • Cannot execute arbitrary code

    • Cannot autonomously transmit data

    Physical proximity is required for transfer.

    This model maximizes physical segmentation while improving data throughput compared to QR-based AirGap wallets.

  • Category: Network-Isolated Hardware Wallet

    Transport: USB-C file exchange with Watch-Only Wallet (WOW)

    Cuvex BIT maintains the same signing isolation principle while optimizing PSBT transfer for complex workflows.

    Security Characteristics

    • No network stack inside the signing device

    • Private keys never leave the device

    • Signing execution occurs locally

    • The device independently validates PSBT structure

    • The host cannot access secret key material

    • USB functions purely as a data transport layer

    Cryptographic authority remains fully isolated inside the device.

ARE NFC AND USB AS SECURE AS QR AIRGAP?

Security is determined by:

  • Where private keys reside

  • Where signing execution occurs

  • Whether the device is network-reachable

  • Whether key material is externally accessible

In both Cuvex models:

  • No remote signing is possible

  • No network-based key exfiltration is possible

  • The host cannot extract private keys

  • Signing authority remains internal

The difference lies in transport efficiency, not in cryptographic control boundaries.

SECURITY CONSIDERATIONS AND ATTACK SURFACE ANALYSIS

Host Compromise

Even if the smartphone or desktop constructing the PSBT is compromised:

  • It cannot extract private keys

  • It cannot force signing without device confirmation

  • The device independently verifies transaction structure
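
What checking PSBT structure before signing can look like, as an added illustration based on the BIP-174 (version 0) format. It is not Cuvex firmware, and the page does not state which checks the device performs; `validate_psbt`, its helpers and the sample bytes are constructed for this example.

```python
MAGIC = b"psbt\xff"  # BIP-174 magic bytes

def need(cond, msg):
    if not cond:
        raise ValueError(msg)

def read_compact(buf, pos):  # Bitcoin compact-size int -> (value, new_pos)
    need(pos < len(buf), "truncated data")
    width = {0xfd: 2, 0xfe: 4, 0xff: 8}.get(buf[pos], 0)
    need(pos + 1 + width <= len(buf), "truncated compact-size")
    value = int.from_bytes(buf[pos + 1:pos + 1 + width], "little") if width else buf[pos]
    return value, pos + 1 + width

def read_map(buf, pos):  # one key-value map, up to its 0x00 separator
    seen = {}
    while True:
        klen, pos = read_compact(buf, pos)
        if klen == 0:
            return seen, pos
        key, (vlen, pos) = buf[pos:pos + klen], read_compact(buf, pos + klen)
        need(pos + vlen <= len(buf) and key not in seen, "truncated or duplicate entry")
        seen[key], pos = buf[pos:pos + vlen], pos + vlen

def tx_counts(tx):  # (n_inputs, n_outputs) of the unsigned transaction
    n_in, pos = read_compact(tx, 4)                # skip 4-byte version
    need(n_in > 0, "no inputs (or witness serialization)")
    for _ in range(n_in):
        slen, pos = read_compact(tx, pos + 36)     # skip 36-byte outpoint
        need(slen == 0, "scriptSig not empty in unsigned tx")
        pos += 4                                   # skip sequence
    n_out, pos = read_compact(tx, pos)
    for _ in range(n_out):
        slen, pos = read_compact(tx, pos + 8)      # skip 8-byte amount
        pos += slen                                # skip scriptPubKey
    need(pos + 4 == len(tx), "bad unsigned tx length")  # locktime ends the tx
    return n_in, n_out

def validate_psbt(raw):  # returns (n_inputs, n_outputs) or raises ValueError
    need(raw.startswith(MAGIC), "bad magic")
    glob, pos = read_map(raw, len(MAGIC))
    need(b"\x00" in glob, "missing unsigned tx")   # global key type 0x00
    n_in, n_out = tx_counts(glob[b"\x00"])
    for _ in range(n_in + n_out):                  # input maps, then output maps
        _, pos = read_map(raw, pos)
    need(pos == len(raw), "trailing bytes")
    return n_in, n_out

# Constructed sample: 1 input, 1 OP_RETURN output, empty input and output maps.
SAMPLE_TX = b"\x02\0\0\0\x01" + bytes(37) + b"\xff" * 4 + b"\x01" + bytes(8) + b"\x01\x6a" + bytes(4)
SAMPLE = MAGIC + b"\x01\x00" + bytes([len(SAMPLE_TX)]) + SAMPLE_TX + b"\x00" * 3
```

Structural checks like these only establish that the file is well-formed; what the transaction pays, and to whom, still has to be confirmed on the signing device.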

 

BadUSB and USB Attack Concerns (Cuvex BIT)

  • The signing device does not expose key material over USB

  • USB is used for file transport only

  • Signing logic and key storage are isolated

  • No remote firmware update channel exists during signing

NFC Relay and Emulation Risks (Cuvex NFC Model)

  • NFC tags are passive and proximity-bound

  • No autonomous communication capability

  • No execution capability

  • Signing requires physical presentation of both components

Threat boundaries are explicitly defined and do not rely solely on terminology such as “AirGap.”

DEFINED THREAT MODEL

Security boundaries are clearly defined.

DESIGNED TO MITIGATE

  • Remote malware on transaction-construction devices

  • Network-based key exfiltration

  • Remote signing attacks

  • Host-controlled signing execution

  • Network firmware exploitation

NOT DESIGNED TO MITIGATE

  • Forensic-level hardware analysis requiring prolonged physical possession of the device

  • Invasive laboratory techniques involving device disassembly and specialized equipment

These scenarios assume full physical control of the device and cannot be performed covertly during normal user operation.

Most importantly, Cuvex devices do not retain processed transaction data or decrypted signing material beyond the active signing session, as volatile memory is cleared after each operation.


AIRGAP SIGNING FOR MULTISIG, COINJOIN AND COMPLEX PSBT WORKFLOWS

Advanced Bitcoin users often require:

  • Multisignature signing coordination

  • CoinJoin participation

  • Large-input PSBT files

  • Complex UTXO management

Traditional QR AirGap becomes operationally heavy in these scenarios.

Cuvex provides:

  • Passive NFC AirGap signing for maximum physical segmentation

  • USB-C optimized workflow for high-throughput PSBT handling

Both preserve signing isolation while improving usability.

  • Cuvex preserves the core AirGap principle: network isolation of private key execution.


    The NFC model closely matches traditional AirGap design.


    The USB model maintains signing isolation while optimizing transport efficiency.

  • No.


    Private keys never leave the device, and signing execution occurs internally.


    USB functions only as a PSBT file transfer mechanism.

  • NFC is a wireless protocol, but Cuvex uses fully passive tags that cannot initiate communication or execute code.


    Security depends on signing isolation, not the optical vs NFC transport method alone.

  • Both models protect private keys from network exposure.


    The NFC model maximizes physical segmentation.


    The USB model maximizes workflow efficiency for advanced transactions.

    The appropriate choice depends on user workflow needs.

  • QR-based AirGap introduces significant friction in multisig, CoinJoin, and complex PSBT transactions.


    Cuvex improves data throughput while preserving signing isolation.


AIRGAP SECURITY, EVOLVED FOR REAL-WORLD BITCOIN USE

Cuvex does not redefine AirGap. It preserves the fundamental principle:

Network-isolated signing with local cryptographic authority.

While offering two architectures to balance:

  • Maximum physical separation

  • Maximum workflow efficiency

Security is defined by execution boundaries and threat models, not terminology alone.
