Secure Element
A tamper-resistant chip that stores cryptographic keys and performs signing operations in hardware wallets and mobile devices, protecting against physical and software attacks.
Key Takeaways
- A secure element (SE) is a tamper-resistant microprocessor that stores private keys and performs cryptographic operations in isolation, preventing extraction even with physical access to the device. It is a core component of most signing devices.
- SEs defend against attacks that general-purpose chips cannot resist: side-channel analysis, voltage glitching, memory dumping, and fault injection. Chips used in crypto wallets typically carry Common Criteria EAL5+ or EAL6+ certification.
- The primary tradeoff is transparency: SE firmware is usually closed-source due to manufacturer NDAs, forcing users to trust vendor attestations about key management behavior rather than verifying it independently.
What Is a Secure Element?
A secure element is a dedicated microprocessor chip designed to store sensitive data and execute cryptographic operations in a tamper-resistant environment. Unlike general-purpose microcontrollers (MCUs) found in everyday electronics, secure elements include hardened circuitry at the silicon level that actively resists physical probing, power analysis, and fault injection attacks.
In the context of cryptocurrency, secure elements serve one critical function: they hold seed phrases and private keys in protected memory where they cannot be read externally, and they perform signing operations internally so keys never leave the chip boundary. This makes SEs the foundation of hardware wallet security and a key component of cold storage architectures.
Secure elements originated in the banking and government sectors: they are the chips inside credit cards, passports, and SIM cards. The cryptocurrency industry adopted them because the threat model is similar: protect a secret (a private key) from an attacker with physical access to the device.
How It Works
A secure element operates as an isolated computing environment with its own processor, memory, and operating system. When a signing device needs to sign a transaction, the process follows a strict boundary:
- The host device (wallet firmware) sends the unsigned transaction data to the SE
- The SE verifies the request and displays details on the device screen for user confirmation
- Upon user approval, the SE signs the transaction using the private key stored internally
- The SE returns only the signature to the host device
- The private key never leaves the SE at any point
This architecture means that even if the wallet firmware is compromised, the most an attacker can do is submit a malicious transaction for signing, which succeeds only if the user approves it on the device screen; the key itself cannot be extracted.
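An added example, not code from the page or from any wallet vendor, that models the boundary just described in Go: the key is generated inside the element, only Sign and PublicKey cross the boundary, and the approve callback stands in for the device screen and buttons. It uses P-256 from Go's standard library rather than secp256k1, and the transaction strings are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// secureElement models the chip boundary: the key is an unexported field and
// Sign is the only operation that touches it. Nothing ever returns priv.
type secureElement struct{ priv *ecdsa.PrivateKey }
// newSecureElement generates the key inside the element. P-256 is used because
// Go's standard library ships it; a Bitcoin SE would use secp256k1 instead.
func newSecureElement() (*secureElement, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &secureElement{priv: k}, nil
}
// PublicKey is the only key material that crosses the boundary.
func (se *secureElement) PublicKey() *ecdsa.PublicKey { return &se.priv.PublicKey }
// Sign is the SE side of the flow: it shows what it is about to sign on the
// device's own screen (approve stands in for screen and buttons) and signs only
// on confirmation. The host receives a DER signature and nothing else.
func (se *secureElement) Sign(tx []byte, approve func(shown string) bool) ([]byte, error) {
	if !approve(string(tx)) {
		return nil, errors.New("user rejected transaction on device")
	}
	digest := sha256.Sum256(tx)
	return ecdsa.SignASN1(rand.Reader, se.priv, digest[:])
}
// verify is all a counterparty needs: the public key and the returned signature.
func verify(pub *ecdsa.PublicKey, tx, sig []byte) bool {
	digest := sha256.Sum256(tx)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	se, _ := newSecureElement()
	// Constructed scenario: the user approves only the transfer they intended.
	user := func(shown string) bool { return shown == "send 1 BTC to alice" }
	// Compromised host firmware swaps the destination; the trusted screen shows it.
	_, err := se.Sign([]byte("send 1 BTC to mallory"), user)
	fmt.Println("tampered tx:", err)
	sig, _ := se.Sign([]byte("send 1 BTC to alice"), user)
	fmt.Println("genuine tx verifies:", verify(se.PublicKey(), []byte("send 1 BTC to alice"), sig))
}
```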
Hardware Countermeasures
What separates an SE from a standard microcontroller is the set of physical countermeasures built into the silicon. These defenses operate continuously during all cryptographic operations:
- Active shielding: metal mesh layers over the die detect physical probing attempts and trigger key erasure
- Power analysis resistance: randomized execution timing and noise injection defeat Simple Power Analysis (SPA) and Differential Power Analysis (DPA) attacks
- Voltage and clock glitch detection: sensors monitor power supply and clock signals for anomalies that indicate fault injection attempts
- Light sensors: detect decapping (removing the chip package) and laser fault injection
- Memory encryption: all data stored on the SE is encrypted at rest, preventing cold boot attacks or direct memory reads
Without these countermeasures, an attacker with a few hundred dollars of equipment can extract keys from a standard MCU through voltage glitching in under 15 minutes. This was demonstrated in 2020 when researchers at Kraken Security Labs used a voltage glitch attack to extract seed data from a wallet that relied on an MCU without SE protection.
Certification Standards
Secure elements are evaluated against formal security standards before deployment. The two most relevant certifications for cryptocurrency hardware:
| Standard | Level | What It Means |
|---|---|---|
| Common Criteria (CC) | EAL5+ | Semi-formally designed and tested; includes vulnerability analysis by professional evaluators |
| Common Criteria (CC) | EAL6+ | Semi-formally verified design with structured penetration testing; highest practical level for commercial hardware |
| FIPS 140-2 | Level 3+ | U.S. federal standard requiring physical tamper-evidence and identity-based authentication |
The "+" suffix in EAL ratings indicates augmentation, typically meaning the chip underwent AVA_VAN.5 testing: evaluators with significant expertise actively attempt to defeat the security mechanisms before certification is granted.
Secure Elements in Cryptocurrency
Hardware Wallets
Most dedicated signing devices use one of a few well-known SE chips:
| Chip | Certification | Used In |
|---|---|---|
| STMicroelectronics ST31H320 | CC EAL5+ | Ledger Nano S |
| STMicroelectronics ST33J2M0 | CC EAL5+ | Ledger Nano X |
| ST33-series (newer) | CC EAL6+ | Ledger Nano S Plus, Ledger Stax |
| Microchip ATECC608A | Secure auth IC | BitBox02, Coldcard Mk3 |
| Infineon SLE78 | CC EAL6+ | YubiKeys, select wallets |
In a typical Ledger device, the SE runs a custom operating system and handles all key derivation (following BIP-32 and BIP-44 standards), key storage, and transaction signing. The companion MCU handles USB communication, display rendering, and button input but never accesses key material.
Mobile Device Secure Enclaves
Modern smartphones include SE-like hardware that cryptocurrency apps can leverage for key storage, though with important differences from dedicated hardware wallets:
- Apple Secure Enclave: a dedicated coprocessor in Apple silicon that generates and stores keys internally. The CryptoKit framework allows apps to perform signing operations, but private keys cannot be exported from the enclave. Supports NIST P-256 curves natively.
- Samsung Blockchain Keystore: uses ARM TrustZone with a hardware-backed secure file system. Supports ECDSA with the secp256k1 curve used by Bitcoin and provides a Trusted User Interface for transaction confirmation.
These mobile SEs provide better security than software-only key storage, but differ from dedicated hardware wallets in one critical way: the host device is online and runs general-purpose software, expanding the attack surface compared to a cold storage device. For a deeper comparison of custody approaches, see the self-custodial vs. custodial wallets analysis.
The Open-Source Tradeoff
The most debated aspect of secure elements in cryptocurrency is the tension between physical security and code transparency. SE firmware is almost always closed-source because chip manufacturers (STMicroelectronics, Infineon) require non-disclosure agreements as a condition of Common Criteria certification. This creates a fundamental trust dilemma.
The debate has historically been framed as the Ledger vs. Trezor approach:
- Ledger's position: SEs are essential for physical attack resistance. The closed-source firmware is a necessary tradeoff because evaluating physical countermeasures requires specialized lab equipment regardless of source code availability.
- Trezor's original position: full open-source transparency is more important than physical attack resistance. Users can verify every line of code, and passphrase protection adds a layer of defense against physical attacks on the MCU.
Both positions were tested in practice. In 2020, Kraken demonstrated voltage-glitching attacks against Trezor's open-source MCU, extracting seed data with physical access. In 2023, Ledger's closed-source firmware drew scrutiny when the Ledger Recover feature revealed that firmware updates could instruct the SE to export key shares: behavior users could not have predicted or audited from outside the chip.
The industry has since moved toward a hybrid approach. Trezor's Safe 3, Safe 5, and Safe 7 models now include EAL6+ certified secure elements while maintaining fully open-source application firmware. This combines SE-grade physical protection with auditable wallet logic, though the SE chip firmware itself remains closed.
Use Cases
- Hardware wallet key storage: the primary use case, where the SE holds the master seed and performs all BIP-32 key derivation and Schnorr or ECDSA signing internally
- Mobile wallet signing: smartphone SEs allow self-custodial wallets to store keys in hardware-protected memory without requiring a separate device
- Authentication and attestation: SEs can prove device identity through attestation certificates, useful for verifying that a signing request originated from a genuine hardware wallet
- Multi-signature schemes: SEs can serve as one signer in a threshold signature setup, providing hardware-grade protection for one key share while other shares are distributed across different devices or custodians
Risks and Considerations
Closed-Source Trust Requirements
Users of SE-based wallets must trust that the chip manufacturer and wallet vendor have not introduced backdoors, key exfiltration mechanisms, or exploitable vulnerabilities in the proprietary firmware. The 2023 Ledger Recover controversy illustrated that firmware updates can fundamentally change the security model of the SE without users being able to detect or prevent it.
Certification Limitations
CC EAL certification evaluates a chip against a specific set of attack vectors at a point in time. It does not guarantee absolute security. The EUCLEAK vulnerability, disclosed in September 2024, demonstrated this: a non-constant-time modular inversion in Infineon's ECDSA implementation on the SLE78 chip went undetected through approximately 80 CC certification evaluations over 14 years. Researchers at NinjaLab extracted FIDO private keys from YubiKey 5 devices by measuring electromagnetic emissions during about 5 minutes of physical access.
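An added example, not from the page or from NinjaLab's work, illustrating the class of defect described: an extended Euclidean modular inverse whose loop count depends on the secret scalar, beside a Fermat inverse that performs the same operation sequence for every input. The step counter stands in for a timing or EM trace; the modulus is the secp256k1 group order, the scalars are constructed, and math/big itself is not constant-time, so only the algorithmic leak is shown.

```go
package main

import (
	"fmt"
	"math/big"
)

// secp256k1 group order (prime), so both routines below compute k^-1 mod n.
var n, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 16)

// invEuclid: extended Euclidean algorithm. Its loop count depends on k, so a
// timing or EM trace of the loop leaks information about the secret operand.
func invEuclid(k *big.Int) (inv *big.Int, steps int) {
	r0, r1 := new(big.Int).Set(n), new(big.Int).Mod(k, n)
	t0, t1 := big.NewInt(0), big.NewInt(1)
	for r1.Sign() != 0 {
		q := new(big.Int).Div(r0, r1)
		r0, r1 = r1, new(big.Int).Sub(r0, new(big.Int).Mul(q, r1))
		t0, t1 = t1, new(big.Int).Sub(t0, new(big.Int).Mul(q, t1))
		steps++
	}
	return t0.Mod(t0, n), steps
}

// invFermat: k^(n-2) mod n by square-and-multiply over n-2, a public constant,
// so every k performs the identical sequence of operations. (math/big itself is
// not constant-time; only the algorithmic trace is fixed here.)
func invFermat(k *big.Int) (inv *big.Int, steps int) {
	e := new(big.Int).Sub(n, big.NewInt(2))
	acc, base := big.NewInt(1), new(big.Int).Mod(k, n)
	for i := e.BitLen() - 1; i >= 0; i-- {
		acc.Mul(acc, acc).Mod(acc, n)
		steps++
		if e.Bit(i) == 1 {
			acc.Mul(acc, base).Mod(acc, n)
			steps++
		}
	}
	return acc, steps
}

func main() {
	// Constructed scalars: two tiny ones and a 256-bit one.
	for _, k := range []*big.Int{big.NewInt(1), big.NewInt(2), new(big.Int).Sub(n, big.NewInt(12345))} {
		_, se := invEuclid(k)
		_, sf := invFermat(k)
		fmt.Printf("k has %3d bits: euclid steps=%d fermat steps=%d\n", k.BitLen(), se, sf)
	}
}
```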
Curve and Algorithm Constraints
Not all SEs support the secp256k1 elliptic curve used by Bitcoin. Many banking-oriented SEs only support NIST P-256. Apple's Secure Enclave, for example, does not natively support secp256k1, which limits its direct use for Bitcoin transaction signing. Wallet developers must verify curve support before designing around a specific SE.
SE vs. TEE
A secure element should not be confused with a Trusted Execution Environment (TEE). A TEE is a software isolation zone within a general-purpose processor (such as ARM TrustZone or Intel SGX), while an SE is a physically separate chip with dedicated tamper-resistant hardware. TEEs protect against software attacks but offer limited defense against physical attacks compared to a true SE. For a comparison of custody architectures that use these technologies, see the Bitcoin custody solutions comparison.
This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.