In this video, he's basically pointing out that you need all three private keys to reconstruct the xpubs, which are needed to prove spending authority... Which he implies defeats the purpose of multisig for individuals.
"Multisig does not create a 2-of-3 redundancy - it requires 3-of-3 redundancy to create 2-of-3 spending authority, and that is very dangerous if you decide to use it for yourself. Because, for yourself, you don't need 2-of-3 spending authority, what you need also is 2-of-3 redundancy, and if you don't have that because if you lose a single seed, you lose all of your money."
This is where this reasoning is incorrect:
If you're thinking you need to reconstruct xpubs, you're thinking about private/public keys the wrong way in this context. There is no reason to be in a situation where you have to reconstruct xpubs.
You can think of xpubs as the wallet's public spending key. Xpubs specify what wallet you're spending from. It's the original public key constructed from the original private keys. Yes - you need that to spend. If you lose that, you can't specify what wallet you're trying to spend from. It's the "from" address - you can't send without the "from" address.
BUT - knowing the xpubs doesn't actually give you spending authority. You can't spend with it.
That's incredibly important. Why? Because you don't have to treat your xpubs like a private key! The stakes aren't that high - you can store your xpubs digitally in multiple locations. You can have backups upon backups.
With a private key, too many backups means increased theft potential. That's not the case with xpubs. You should never be in a situation where you have to reconstruct your xpubs in the first place!
So the idea that "you need all three private keys to reconstruct your xpubs to send" is a completely moot point.
Just like any wallet setup, it's dangerous if you don't understand it. As long as you know to store multiple xpubs backups, 2-of-3 multisig is significantly less dangerous than single sig + passphrase.
If that's too complicated for someone to understand, third-party collaborative custody solutions like Unchained fix that. During their vault setup, they tell you to store a digital copy of your xpubs, and they hold a copy themselves. Unchained would have to completely die AND you'd have to lose access to your cloud or PWM for you to lose access to your bitcoin.
So, just store backups of every xpub in the multisig (N of N) with each one of the seed phrases. Makes sense.
reply
I created a LaTeX template for exactly this: https://gist.github.com/ekzyis/7736e2446dbb8ed2cdb587071c42380b
It even uses the SN font for extra style points
reply
Thanks for sharing this
reply
That's really good!
reply
Pretty much. At minimum you could do:
Location #1: Seed 1 + xPubs 1, 2, 3
Location #2: Seed 2 + xPubs 1, 2, 3
Location #3: Seed 3 + xPubs 1, 2, 3
Mobile / desktop wallet: xPubs 1, 2, 3
There isn't a standard to represent xPubs in a human-readable format (like BIP39), so you can't easily engrave them in metal. As such, you need high redundancy to safeguard against paper / digital copies getting destroyed.
As xPubs don't grant spending permission, you can have as much redundancy as you want. One downside is that while the xPub set doesn't grant spending permission, it does reveal your holdings. An attacker who discovers one of your xPub backups might be motivated to continue digging around if they see that the wallet has a high balance.
reply
If you have the seed and derivation path, you can recreate the xpub, so that’s all you need to save
reply
Yeah it’s kind of confusing, this tripped me up at first too!
You can’t actually recreate the xpubs unless you have all three seed phrases. But you don’t need that to save/receive. You need different pieces of the puzzle to save vs spend.
reply
I think you're missing the point.
reply
I guess so
reply
This guy gets it
reply
He's right
'Most people' are not obsessed with bitcoin though. Leave multisig to the psychos.
reply
Multisig w/ a third party takes minimal intentionality and will result in a lot less lost bitcoin for the non-tech-savvy people that use it.
reply
Yes
But there are other risks with that too. KYC & potential gov shutdown
reply
He may be incorrectly reasoning from correct facts.
Facts being:
The #1 threat to your Bitcoin is you. Multisig set-ups make you even more dangerous.
Now, compromised devices may be the next consideration. Only assuming all best practices wrt that are satisfied, 2 of 2 becomes a reasonable next step for the individual.
2 of 3 is for more of a governance or inheritance scheme. What's in question is the term "individual".
reply
2of2 is reasonable for individuals but 2of3 is for govs?
I would say 2of2 is a lot less secure than single sig for individuals. You just doubled the chance to lose all your bitcoins since it's all gone if you lose a single key.
reply
Good info. Threat modeling on these things is so complicated for normal people, esp in an era where people reuse passwords and most of those who don't use a centralized password manager to manage the passwords, or else write them down in a little paper book.
reply
What I had considered was that I use a 2-of-3 setup where I keep two, and give the third to a TRUSTED source to safeguard: 1 software key, 1 hardware key, and 1 paper key. I am losing trust in the hardware key solution, and I can see that being a potential problem as the trusted party key. A hardware key has to be backed up on paper for best practice, does it not?
reply
If you’re using a singlesig hardware wallet, you want a metal backup, not paper.
If you want multisig, paper backups for each wallet are fine.
reply
I'm just not getting what he means with that, whatever signing device you use to create a multisig wallet always contains all public keys from other signers, so if one of them is compromised, you can still recreate that with any of the signing devices or their backups.
I wrote about my own setup and I think it should be more widely used, it's actually not THAT hard.
Didn't want to mention before, but I feel there is a conflict of interest from people publishing many things on multisig, they always mention some kind of fancy HWW (ahem sponsor).
reply
So, if you genuinely lose your xpubs, the only way to recreate is with all three seed phrases
reply
How do Shamir shares compare? One doesn't need as much information, from what I gather.
reply
It solves a different problem. It allows you to securely split and then geographically distribute your private key.
reply
Shamir secret sharing is just a lot more complex than multisig. It involves correctly implemented cryptography, which is incredibly difficult to get right and really easy to mess up.
reply