by sindurasaraswathi

Threshold signatures are now common methods to secure funds in Bitcoin. An m-of-n signature scheme requires at least m signatures to unlock funds secured by n public keys. An open question, however, is the optimal design of such schemes. When should the threshold be high, when should it be low, and how should it change over time? This is where things get interesting. So, we study this problem in a security context, where a malicious attacker tries to steal a user’s signatures.

Imagine you are setting up your wallet. On one hand, a higher threshold keeps attackers at bay - they will need to compromise more keys before they can get your Bitcoin. On the other hand, the higher the threshold, the more likely you are to lock yourself out of your own funds. Self-lockout is a common problem, evidenced by the vast sums that users are willing to pay to recover lost bitcoin.

So, the real challenge is balancing these costs and benefits, namely, the benefit of security against the cost of usability. The “optimal” threshold is the one that minimizes your expected loss. That loss has two parts:
- Attacker Loss: The risk of losing funds to an attacker.
- User Loss: The risk of losing access yourself.
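
The trade-off described above, as an added example that is not part of the original post or the linked article. It assumes each of the n keys is independently compromised with probability `p_steal` and independently lost with probability `p_lose`, and takes the expected loss as the simple sum of the two parts; all function and parameter names are hypothetical.

```python
from math import comb


def tail_at_least(n, k, p):
    """P[X >= k] for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def expected_loss(m, n, p_steal, p_lose, value=1.0):
    """Return (attacker_loss, user_loss, total) for an m-of-n wallet.

    Assumed model (not from the page): keys fail independently.
    Attacker loss: the attacker compromises at least m of the n keys.
    User loss: the user keeps fewer than m keys, i.e. loses at least n-m+1.
    """
    attacker = value * tail_at_least(n, m, p_steal)
    lockout = value * tail_at_least(n, n - m + 1, p_lose)
    return attacker, lockout, attacker + lockout


def optimal_threshold(n, p_steal, p_lose):
    """Threshold m in 1..n that minimizes the total expected loss."""
    return min(range(1, n + 1),
               key=lambda m: expected_loss(m, n, p_steal, p_lose)[2])


if __name__ == "__main__":
    # Constructed sample probabilities, chosen only to show the trade-off.
    scenarios = [
        ("balanced risk", 0.10, 0.10),
        ("theft-dominated", 0.20, 0.01),
        ("loss-dominated", 0.01, 0.20),
    ]
    n = 3
    for label, p_steal, p_lose in scenarios:
        print(f"{label}: p_steal={p_steal}, p_lose={p_lose}")
        for m in range(1, n + 1):
            a, u, t = expected_loss(m, n, p_steal, p_lose)
            print(f"  {m}-of-{n}: attacker={a:.6f} user={u:.6f} total={t:.6f}")
        print(f"  best threshold: {optimal_threshold(n, p_steal, p_lose)}-of-{n}")
```
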
77 sats \ 0 replies \ @Scoresby 12h
This was a pretty cool article. I've been using multisigs for the last five years, and I've often wondered about the different threshold designs.
Prior to taproot, my main concern was not making a configuration that was too obvious on chain (who's using a 4 of 6)? But now you can make it so your multisig only reveals the keys you use to spend, not all possible keys.
I love that people are thinking about the optimal threshold configurations like this.