Proof of Keys Vol. 2:
Multisig, Shamir Secret Sharing, Quorum Choices, Assisted Custody and How to Apply Diversity from a Security Mindset
Rijndael: Multisig, in classical cryptography, is usually referred to as ‘threshold schemes’ and is a way of saying: these coins can only be spent if key signers out of n keys produce signatures. Normally, when you have a Bitcoin wallet, and somebody sends Bitcoin to you, those coins that you have can only be spent if you sign a transaction with your private key. What multisig lets you do is it lets you say: 'instead of requiring a signature from one key, my coins require a signature from some threshold number of keys', and you can dial the threshold up or down. So you can say: ‘I want to have 3 keys in total, and 2 of my keys have to sign.’ Or: ‘I have 5 keys in total, and 3 of them have to sign.’ This allows for distributing risk and having some degree of failure tolerance. For example, if you have a 2-of-3 multisig setup, you could completely lose 1 key, but as long as you still have 2, you can still sign and spend transactions. That's the general premise. And then there's a couple of different ways to implement multisig. The parameters for the threshold number and the total number are configurable and may vary based on the circumstances. Before discussing the different options, it's worth noting that multisig is different from Shamir secret splitting, which involves breaking a single seed into multiple pieces and reassembling the shares to produce a single signature with a single key. With multisig, multiple signatures are produced by signing multiple times. And one nice attribute of that is that you don't have to get all of your keys together on a single computer to do multisig. If you do Shamir secret sharing, you have to reassemble the pieces, and then once they're reassembled, there's now a single key that can spend your Bitcoin. With multisig, you can have keys in different locations or held by different people, and they produce different independent signatures, and you don't have to have a quorum of keys together at the same time.
NVK: Craig, like us at Coinkite, essentially supports all forms of multisig and he's building multisig software. So Craig, I know this might sound like we're starting to pigeonhole people; but what are some reasonable multisig quorum choices in terms of m of n, that you personally think are good and not too complex?
Craig: Look, I think one thing to consider with multisig is the privacy aspect to it: you do reveal the details of your quorum when you spend. It is worth being aware of that. And if you have a very unusual quorum setup, say, 5-of-11, or something very odd, that's really going to stand out, and it will allow your spends to be more easily tracked on chain. I think that that's one of the biggest factors for me that I consider. And then taking that in mind, I believe, I'd be surprised if it isn't the most common quorum setup, is 2-of-3. If you're doing that with your multisig, you are likely to be in a fairly large crowd, and it'll be hard to tell you apart. The next probable one, and Jameson probably knows this better than me, but I would suspect it's 3-of-5. So that's probably next. And that kind of makes a lot of sense. With both of those you can have a complete loss of 1 of those keys, so long as you still have all of the public keys, and you will be able to sign and move your funds just fine. Obviously, with the 3-of-5, you then can have a complete loss of 2 of those keys. Those are, I think, the two that kind of stand out for me as solving at least, you know, 80% of people's needs when it comes to multisig. If you need more than that, you obviously have quite a unique need. You'll then have to consider all sorts of things, but I would look at those two quorum sizes first.
NVK: I think there's a reason why those two are chosen: because they address most of the issues multisig is trying to solve, without getting too complex. And there are some wallets out there that do 2-of-2, which I dislike, because now you're essentially getting the worst of everything. You're getting the complexity of multisig and the worst possible recoverability out of each secret. So, if you're doing 2-of-2, personally, I would recommend just doing single sig + passphrase. But that would be a different discussion.
Jameson: You can actually go to txstats.coinmetrics.io, and they have this chart that's called P2SH repartition by type, where you can actually see and count how many UTXOs and how many Bitcoin are known to be stored in different ones. And so 2-of-3 is the most common. Interestingly, 3-of-4 is the second most, and then it's 2-of-2. I'm not sure what uses 3-of-4. 2-of-2, I think we can mostly agree, is probably Blockstream’s Green Wallet, and then 3-of-5 after that. And I believe that they do have an out for their 2-of-2 that's using essentially a lock time, so that there is a way to recover even if you lose 1 of those keys and then you wait long enough.
Justine: Now, in collaborative or assisted multisig, a third party, such as a trusted individual or institution, is allowed to hold one of the keys to assist in accessing the funds. This eliminates single points of failure and can be done independently, for example, by creating a multisig on a Sparrow wallet and having a trusted family member hold one of the keys. With Unchained, we do a 2-of-3 collaborative custody setup where you would hold 2 keys and we would hold 1 key. We also perform physical backups 2-of-3 times, where you as an individual hold 4 pieces of information, such as 2 signing devices and 2 physical backups of seed phrases. You can lose 3 out of 4 of those, and we can still assist you with your Bitcoin. So lots of error margin. This way, even if you lose some of the pieces, we can still assist you with your Bitcoin. We believe that this setup is the most secure option for most individuals, as it allows for multiple pieces of information to be secured in different locations. When you start adding more keys, it adds more complexity and often leads to people not properly distributing them and having them sitting in one place. That's why we offer a 2-of-3 key setup, which provides the necessary security without added complexity. We also offer Caravan, which is a wallet software that allows you to create your own multisig setup, and different quorums can be used with it. However, in the future, we may add additional quorums to accommodate different needs. As of right now, our standard is 2-of-3 keys. On the user side, you have your four pieces of information: two signing devices and two physical seed phrases. You're going to store these geographically in different places. We recommend using a metal plate to put these in four different places. What that looks like to you could be different. What we generally recommend for someone starting out is to take one seed phrase and put it away from all the others. 
This doesn't mean you're self-sovereign in your Bitcoin custody, but it means that you can't lose all pieces of information if you have a fire or flood in your house. The bare minimum is to remove one seed phrase and put it in a second secure location. These locations could be another physical home, an office, or a safety deposit box. We don't recommend putting all information in there because you shouldn't trust the banks. But with multisig, you don't have a single point of failure in that seed phrase, and nobody can access your Bitcoin with one. So you as an individual are storing that physically somewhere. And what that looks like could be whatever you want, such as buried behind the third oak tree, hole on the left, or a seed phrase behind your drywall. It just needs to be four different locations; that is the optimal security setup on our end.
Jameson: We initially launched with 3-of-5 key management options, and then worked our way backwards to do a 2-of-3, which is easier to manage. Our thought process in deciding how to architect key management is that multisig is more complicated than a single key, so there's a lot more potential for errors. We want to constrain the design space to guide users down a limited number of paths. Within our system, there are different decisions that can be made, especially between the 2-of-3 wallet options. We offer a more convenient option with three keys, one on the phone, one with CASA, and one on a hardware device, or a more self-sovereign option using two different hardware devices with CASA as the third key. But of course, that creates a bit more onus on you, more responsibility to manage those backups. So one of the key differentiators between us and a lot of other multisig wallets is that we tend, as a default for the 2-of-3, to have the mobile key on the phone. Even if the phone device gets compromised, your funds will not be lost. We also do a secure backup of that key by encrypting it, putting the encrypted blob in cloud storage that can only be decrypted with the decryption key held on the CASA side. This creates a backup for that key, even if both sides are compromised. We are trying to make things easier for people to navigate the additional complexity, even with all the decisions that can be made. A very important aspect of our systems is that we offer support, because there is no single cookie cutter solution that works for everyone. Especially if you are going for a more complex multisig setup and are not familiar with adversarial thinking and key management, it is helpful to have someone to talk to and bounce ideas off of to understand the different trade-offs of the decisions you have to make.
NVK: And I guess I'll bring up Nunchuk. Nunchuk is a phone wallet that allows you to create multisig setups similar to Electrum or Sparrow, such as 2-of-2, 2-of-3, or 3-of-5. It is more of a DIY solution, compared to Unchained or CASA. Nunchuk uses a new product called TAPSIGNER for NFC transactions on the phone. This creates a different type of device with a different risk profile for multisig. Nunchuk also offers a signing service, allowing you to set a threshold for daily spending. If you don't want to use the service anymore, you can use your backup quorum to sign your money outside of the multisig service. This is a new type of non-custodial, assisted financial solution where a third party is involved in your spending to help prevent mistakes or limit daily spending. However, if you choose to leave the service, you can retrieve your quorum by using your backup keys, preventing the service from ever taking your money. This is a new concept in the field of money services.
Justine: You made a really important point that many people confuse with multisig, especially collaborative or assisted multisig, that it doesn't mean you're locked in to a specific wallet provider. This is an important aspect of Bitcoin self-custody, as it allows self-sovereignty. It's important to remember that in Bitcoin, there are always trade-offs. And with multisig, you are adding complexity, which means you need to have a plan for self-sovereign recovery. When setting up a multisig, you will need a wallet configuration file. This acts as a blueprint for rebuilding the wallet outside of the provider. It's important to remember that this file cannot be used to spend Bitcoin, but it includes personal information, so it should be kept secure. When using collaborative multisig, you are trading privacy information. It's important to factor in the trade-offs and decide if it's the right fit for you. External recovery is important, so you should have a plan in place to prevent a single point of failure. Our company focuses on education, and we offer services such as a concierge service, webinars, and articles to help guide you through the process of setting up signing devices, learning about seed phrases, and recovering your keys.
NVK: We all agree that different people have different needs and different solutions. I think even the same people might need different solutions. You want your spending wallet, your lightning wallet, maybe a warm wallet. I think we all agree that keys should never be on a computer or touch a computer, that hardware wallets work great, that multisig solves a lot of problems. We don't all agree that single sig + passphrase is great. But we do have some agreement on where the faults lie. The big thing that I want people to take out of this: don't get overwhelmed with the solutions out there. You have time, you can test things. You can experiment with different services, you can experiment with different wallets. Most of the solutions are free. And then if you want to get into hardware wallets, you can even build your own; there are solutions out there. I think it's important that people don't roll their own solutions, especially now their own cryptography. I don't think that's a concern anymore. But it used to be back in the day.
Jameson: If you've got 50 bucks, or 100 bucks on Coinbase or Gemini, just go install Muun wallet, or Blue wallet on your phone and get it off and start playing with it. You don't have to go straight to buried behind the third oak tree. If you've got 50 bucks on Coinbase, you can really start small. It's worth saying over and over and over again.
NVK: That question does come up like every single time I do a Space somewhere. It's amazing to me how much people don't understand that they don't need like 12 out of 12 DVDs for 100 bucks worth of Bitcoin. You should be experimenting with Bitcoin. Don't go buy an asset with all your life savings until you understand how the heck that asset works.
Justine: I’ve also heard people telling me: ‘Well, you know, like, I only have 100 bucks worth of bitcoin, I don't really want to go buy this hardware wallet that's, you know, a certain amount of money, it seems kind of crazy for the amount.’ You don't have to! There are free mobile wallets; that can be your first step. I think the biggest takeaway from this is that it’s not all or nothing; take the steps. And we're kind of walking through the steps specifically, but you don't have to spend money on a signing device or hardware wallet. You can just download a mobile wallet, that's the first step. In my opinion.
Jameson: When you start getting more sophisticated, you also don't have to have one wallet. I have Blue wallet on my phone. I also have several multisig setups. You can think about partitioning your money where you have a really small bucket of money that's super easy to get to and very easy to spend, and then you have a bigger bucket of money that's harder to get to and harder to spend. And those things can change as your life does.
Justine: Just like we're not walking around with our life savings in our pocket, right? We take what we need to spend when we go get coffee or whatnot, and the other is secured somewhere. So yeah, multiple wallets depending on your needs, it's totally.
NVK: Segregation is like hygiene in that sense. You're gonna have your savings account, your checking account, your credit card. You already do segregate fiat in all these buckets in your life. So why not do the same with Bitcoin? You don't want to be buying coffee with all your wealth.
Jameson: I think there is something interesting to be said about diversity and how to apply diversity from a security mindset. For example, one really common trope that we see is people coming to us who have, for their safety, diversified their funds across 5 or 10 different wallets. And some of these may be self custody, some may be custodians, but their whole idea is: don't put all of your eggs in one basket. And my pushback against that is that yes, that type of diversity does, of course, reduce the chance that a single catastrophe will completely wipe you out and cause you to lose everything, but it can also be increasing the chance that you will have a partial loss and 1 or more of those setups will fail. One interesting aspect of multisig is the diversity that you can add to the setup by having keys on different hardware manufacturers' devices in different physical locations, and basically different security properties around each of the keys. In that setup, security is actually additive; it creates a stronger and stronger setup, because it's essentially eliminating the single points of failure. If an attacker, for example, compromised the supply chain of a popular hardware manufacturer, and your multisig setup is not using all the same hardware manufacturer, you're protected from that. Diversity can be good, but applied the wrong way, it can actually be harmful.
NVK: It's kind of fascinating. And it really goes to show why there is no fix-all solution. Each setup is going to have different sets of trade-offs. You could argue on one side that you want to have some diversity in your hardware wallets in case one vendor is evil. Realistically speaking, it would most likely be a targeted attack against you that would maybe replace the hardware or something like that. But at the same time, even if you had multiple hardware wallets, the software update on some of them could break the multisig setup. It's unlikely to have full loss of funds, but it could be quite the issue to go back to being functional. Each vendor is going to offer different thresholds, and some vendors out there offer simply either no security, or an illusion of security. Really crappy hardware. There's hundreds of hardware wallets. I'd say out of 100, probably 95 of them are absolute garbage and should never be used. And the guys from Ledger actually do a great job breaking hardware wallets. You should check out their Donjon blog, where they have broken hardware wallets and they tell us how long it took them to break them, and how much money breaking them actually costs. There's some hardware wallets that cost $10 to break and there's other hardware wallets that cost half a million dollars to break. Not all things are equal, just because they're the same category.