Bitcoin Custody Standard — Definitions
Controlled vocabulary and authoritative definitions for the BCS normative framework.
Foundational Position
Bitcoin custody must be evaluated for resilience over time, not security at a point in time.
Core Concepts
Bitcoin Custody Standard (BCS)
A normative framework for evaluating the structural resilience of Bitcoin custody architectures across time.
Custody Architecture
The structured design describing how private keys, recovery material, participants, devices, and procedures are organized to preserve control over Bitcoin across time.
Single-Signature Custody
A custody arrangement in which a single private key controls access to Bitcoin. Single-signature architectures are structurally simple and impose low operational burden, but concentrate all risk on a single key-holder. Resilience depends primarily on the documentation completeness, physical distribution, and temporal maintenance practices of that holder. Latent entropy is the dominant long-horizon failure mode.
Self-Managed Multi-Signature Custody
A custody arrangement in which a quorum of independently managed private keys is required to authorise transactions, with all keys held and managed by the beneficial owner or their direct designees without reliance on a professional third-party co-signer. Self-managed multi-signature custody distributes risk across multiple keys and geographic locations but introduces coordination complexity as a structural risk dimension. Both latent entropy and coordination entropy are material failure drivers.
Collaborative Multi-Signature Custody
A custody arrangement in which a quorum of private keys is required to authorise transactions, with at least one key managed by a professional third-party co-signer service. The involvement of a professional co-signer reduces the holder's personal operational entropy burden but introduces counterparty risk: the architecture's long-horizon resilience is contingent on the continued availability, solvency, and good faith of the co-signer provider. Coordination entropy is the dominant failure mode. Independent recovery capability is a critical structural requirement.
Hosted or Institutional Custody
A custody arrangement in which private-key material is held and managed by a regulated or professional custodian on behalf of the beneficial owner. The holder bears virtually no personal operational entropy, but the architecture's entire resilience is contingent on the custodian's continued existence, operational competence, and willingness to act in the holder's interest. Counterparty and coordination risk are the dominant failure modes. Portability provisions are a structural requirement under BCS.
Custody Resilience
The ability of a custody system to maintain secure, recoverable, and continuous control of Bitcoin across time under operational, human, environmental, and adversarial stress.
Custodial Entropy
The progressive degradation of a custody system over time due to knowledge loss, undocumented changes, coordination breakdown, and technological evolution.
Security vs Resilience
Security measures resistance to compromise at a point in time. Resilience measures whether the system continues to function across time. A system can be secure today and structurally fragile tomorrow.
Custodial Paradox
The tension that stronger custody often requires more structure, while greater structure can introduce complexity that itself becomes a source of failure over time.
Pillar (Structural Domain)
One of five orthogonal structural domains used by the BCS framework to evaluate custody architecture. Strength in one pillar does not compensate for weakness in another.
Five Structural Pillars
Cryptographic Integrity
Secure key generation, lifecycle handling of private-key material, preservation of derivation paths and wallet descriptors, and long-horizon algorithmic resilience.
Physical Distribution
Geographic redundancy of recovery material across independent physical risk domains, eliminating single points of physical failure.
Operational Dependency
Reliance on signing devices, wallet software, and service providers. Portability of the custody arrangement is a core requirement.
Cognitive Reliability
Recovery must not depend on memory or undocumented knowledge. Procedures shall be documented and reproducible by any authorized party.
Temporal Resilience
Long-horizon survivability through review cadence, recovery validation, succession planning, change control, and active Custodial Entropy mitigation.
Measurement Layer
Bitcoin Custody Resilience Index (BCRI)
A composite score from 0 to 100 measuring overall custody resilience across architecture, coordination, entropy, and exposure.
Architecture Resilience Score (ARS)
A structural measure of custody architecture strength across the five BCS pillars: cryptographic integrity, physical distribution, operational dependency, cognitive reliability, and temporal resilience.
Coordination Health Score (CHS)
A measure of the reliability and durability of coordination required to execute custody operations and recovery procedures across time.
Entropy Resilience Score (ERS)
A component score measuring a custody architecture's structural resistance to entropy-driven degradation across the operational horizon.
Exposure Resilience Score (XRS)
A component score measuring structural resistance to adversarial exposure conditions, including identity linkage, disclosure risk, and coercion vulnerability.
Composite Resilience Score (CRS)
An intermediate aggregate score combining ARS, CHS, ERS, and XRS prior to final BCRI normalization.
Effective Architecture Resilience (EAR)
Architecture resilience after accounting for entropy-related degradation. EAR reflects what the architecture actually delivers over time, not just at initial setup.
Entropy Model
The analytical framework used to measure custody degradation across time through operational drift and coordination fragility.
Entropy Risk Index (ERI)
A measure of long-horizon degradation risk arising from operational drift and coordination fragility. Higher ERI indicates greater entropy-related failure risk over time.
Latent Entropy Index (LEI)
Measures degradation arising from internal operational drift, such as documentation decay, knowledge loss, and software evolution.
Coordination Entropy Index (CEI)
Measures fragility introduced by multi-party coordination, including participant dependency, sequencing requirements, and governance complexity.
Exposure Risk Index (XRI)
A measure of how visible, identifiable, and targetable a custody system is under adversarial conditions, including identity linkage, disclosure patterns, and coercion exposure.
Exposure Surface
The set of observable or inferable signals through which a custody system becomes identifiable, targetable, or vulnerable to pressure.
Resilience Sufficiency Threshold
The minimum structural resilience level required for a custody architecture to be considered structurally sufficient within the benchmark framework. Set at BCRI 75 in the BCS benchmark.
Complexity & Efficiency
Complexity Score (CS)
A measure of the operational burden imposed by a custody architecture, including setup requirements, maintenance burden, technical expertise, coordination overhead, and recovery complexity.
Resilience Efficiency (RE)
A measure of resilience produced per unit of complexity. Evaluates how efficiently a custody architecture converts operational burden into structural resilience.
Excess Resilience Efficiency (ERE)
A refined efficiency metric measuring resilience earned above the structural baseline. The value 25 represents the baseline floor — ERE isolates earned resilience rather than counting baseline classification structure as a resilience gain.
Resilience Efficiency Frontier
The analytical curve representing the relationship between operational complexity and excess resilience efficiency. Within the BCS benchmark, efficiency rises through the low- and moderate-complexity range, peaks near CS 4.5, and declines beyond that point.
Benchmark Architecture
A reference custody architecture included in the BCS benchmark dataset and evaluated against the BCRI methodology to establish comparative scores across resilience and complexity dimensions.
Resilience Gap
The difference between the resilience score achieved by a custody architecture and the benchmark resilience level associated with architectures of comparable complexity.
Signing Environment
The physical and operational conditions under which transaction signing occurs, including device type, connectivity state, and physical security context. The signing environment is a factor in assessing operational dependency and coercion exposure.
Risk, Entropy & Failure
Structural Failure Modes
Custody systems fail along two independent dimensions: under-engineering — insufficient redundancy and structural fragility — and over-engineering — excessive or misallocated complexity that weakens resilience.
Single Point of Failure
Any element whose compromise, loss, or absence can cause catastrophic compromise or permanent loss of access.
Coordination Risk
The risk that custody execution or recovery fails because of excessive complexity, participant dependency, or procedural fragility.
Continuity Risk
The risk that Bitcoin becomes inaccessible due to death, incapacity, or inadequate succession planning.
Coercion Risk
The risk that control of Bitcoin is compromised under physical, legal, or social pressure.
Human Failure Probability
The likelihood that loss occurs due to misunderstanding, memory failure, miscommunication, or procedural error.
Recovery Material
All information required to restore or authorize access to Bitcoin funds, including seed phrases, passphrases, descriptors, xpubs, and wallet configuration data.
Recovery Pathway
The documented sequence of steps, materials, and participants required to restore custody access in the event of primary access failure. A defined and tested recovery pathway is a requirement for conformance at all tiers.
Conformance & Assurance
Conformance
The formal condition in which a custody architecture satisfies the structural requirements defined by the Bitcoin Custody Standard at the level claimed.
Assurance Tier
A classification level assigned to a conforming custody architecture reflecting the breadth and depth of structural resilience demonstrated under the BCS framework.
Self-Assessment
First-party, user-declared conformance evaluation performed against published BCS criteria and the BCRI scoring methodology. No independence or third-party review is implied.
Verified Review
Second-party evidence review conducted by the BCS scheme owner or an authorised reviewer. May include architectural documentation, recovery runbooks, dependency disclosures, review cadence documentation, and signed attestation. Does not constitute independent certification.
Independent Certification
Formal third-party conformity assessment conducted by an entity operationally and financially independent of both the operator and the BCS scheme owner.
Standard Versioning
The controlled version numbering system applied to BCS normative documents. Version identifiers follow a major.minor format. Minor version changes reflect clarifications or refinements; major version changes reflect substantive updates to the model or structure.
