Bitcoin Forum
1  Bitcoin / Bitcoin Discussion / Re: Security of multisig vs regular wallet on: September 29, 2020, 08:54:46 PM
Quote
As an aside (and a pedantic one at that), your math is slightly off for Alice's risk of compromise. Given the chance of any of her back ups being compromised are independent events, then the probability P of event A or event B or both occurring is:
Code:
P(A∪B) = P(A) + P(B) - P(A∩B)
So the chance of her seed phrase being compromised would be 5.88%, rather than 6%.

Good catch, thanks! I think math is the one area where being pedantic is very much appreciated :).
2  Bitcoin / Bitcoin Discussion / Re: Security of multisig vs regular wallet on: September 29, 2020, 07:52:02 PM


Quote
Ofc it is a fair comparison.
You are basically saying that multisigs are safer because you will have 2 pieces of paper, one for each key.

Then you are saying that if I have 2 pieces of paper for the same seed it is a larger attack surface? It doesn't make any sense.

Ok, let me see if I can clarify my thoughts on this with a concrete example.

Let's say we have Alice who has a single key backed up in 3 different locations (that's your case) and Bob who has multisig 2 of 3 wallet with his 3 different keys backed up in 3 different locations just like Alice.

Let's assume that in each of their physical backup locations the probability of loss is 1% and probability of compromise is 2%.

What is their risk profile?

Probability of loss:
    for Alice = 1% * 1% * 1% = 0.0001%
    for Bob = 1% * 1% = .01% (as he would need to lose only 2 keys to suffer total loss)

Probability of compromise:
    for Alice = 2% + 2% + 2% = 6% (as the compromise of ANY of her backups will incur a total loss)
    for Bob = 2% * 2% = 0.04% (as the attacker would need to gain access to BOTH of his backups to steal his funds)

Their overall risk is the SUM of the probabilities of the two scenarios:
    Alice = 6.0001%
    Bob = .05%


As I was doing this little exercise, it occurred to me that as probability of loss rises vs. probability of compromise - there is a point at which Alice will be better off with a single key. I guess the exact point at which this happens will depend on the specific probabilities. Not sure how you would estimate those two for something like a safety deposit box in a bank. I guess it depends on your jurisdiction a lot.
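The comparison in the post above, worked through as an added example that is not part of the original post: a single key copied to n locations is treated as a 1-of-n threshold, and the binomial tail counts every combination of locations, so it covers any k-of-n setup and also locates the crossover the post mentions. The function names, the independence of locations and the summing of loss and theft into one total (as the post does) are assumptions of this example.

```python
from math import comb


def at_least(m, n, p):
    """P(at least m of n independent events occur, each with probability p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(m, n + 1))


def risk(k, n, p_loss, p_comp):
    """Return (loss, theft, total) for a k-of-n wallet, one key per location.

    A single key copied to n locations is the k=1 case.
    """
    loss = at_least(n - k + 1, n, p_loss)  # fewer than k keys survive
    theft = at_least(k, n, p_comp)         # attacker obtains k keys
    return loss, theft, loss + theft       # summed as in the post


def crossover(k, n, p_comp, lo=0.0, hi=0.5, steps=60):
    """Per-location loss probability above which 1-of-n has lower total risk
    than k-of-n, found by bisection (the difference is monotonic on [0, 0.5])."""
    def diff(p):
        return risk(k, n, p, p_comp)[2] - risk(1, n, p, p_comp)[2]

    for _ in range(steps):
        mid = (lo + hi) / 2
        if diff(mid) < 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    # Figures from the post: 1% loss and 2% compromise per location, 3 locations.
    for name, k in (("Alice (1 key, 3 copies)", 1), ("Bob (2-of-3)", 2)):
        loss, theft, total = risk(k, 3, 0.01, 0.02)
        print(f"{name}: loss {loss:.4%}  theft {theft:.4%}  total {total:.4%}")
    print(f"crossover at p_loss ~ {crossover(2, 3, 0.02):.4f}")
```
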



3  Bitcoin / Bitcoin Discussion / Re: Security of multisig vs regular wallet on: September 29, 2020, 07:06:21 PM
This is not the case for multisig where loss of one of the keys is typically not catastrophic.
If one of the private keys is lost, it is catastrophic. For example, if you set 2 signatures, that means you will have 2 cosigners or more. If you have 2 cosigners, that means you need the two private keys to be signing transactions. Assuming you lost one of the private keys and you need it to be able to sign a transaction, that means the wallet is useless if you can not get the backup. You will need the two private keys for each transaction you are making. Many wallets are not accessible by owners because of too tight means of accessing their wallets.


Right on - which is why in my original post, I mentioned M of N where M < N.

I absolutely agree with you - 2 of 2 multisig or any M of M multisig is probably a terrible idea for an individual wallet. It's just asking for trouble.

However, my question was mostly related to something like 2 of 3 or 3 of 5 multisigs where you have a bit of room to lose one or even two keys and still be able to recover funds. I believe Jameson Lopp's Casa's business model is based around this concept.
4  Bitcoin / Bitcoin Discussion / Re: Security of multisig vs regular wallet on: September 29, 2020, 06:59:42 PM
Quote
your main argument is like saying the Milky Way galaxy is huge but if we add 2 galaxies it is orders of magnitude huge-er.

:) Yes, I guess that's kind of what I am saying. I suppose being in this space kind of makes one more paranoid than normal :o.

Quote
the whole security of bitcoin is based on the fact that a single 256-bit private key is providing enough security on its own with its underlying cryptography. if that stops being true even slightly the whole bitcoin protocol comes down and it won't matter if you are using multisignature.

Yes, I think you are definitely right about that.
5  Bitcoin / Bitcoin Discussion / Re: Security of multisig vs regular wallet on: September 29, 2020, 06:31:31 PM

Quote
You can just make 2 pieces of paper of your regular wallet, then you will not have a single point of failure.

Hmm, I don't think that's a fair comparison. Sure, backups reduce my chances of loss, but they also increase the attack surface.
 
In the case of 2 pieces of paper - if either one gets compromised, I am sunk.

This is not the case for multisig where loss of one of the keys is typically not catastrophic.
6  Bitcoin / Bitcoin Discussion / Security of multisig vs regular wallet on: September 29, 2020, 03:20:59 PM
I am just trying to see if I am thinking about this correctly - it seems to me that all other things being equal (physical security and such), a multisig wallet is ORDERS OF MAGNITUDE more secure than a regular wallet.

It seems vastly superior just about from any angle.

Here are my thoughts on this:

1. Obviously, if you use M of N multisig wallet where M < N (2 of 3 , 3 of 4, 4 of 6) you automatically get a failsafe in case you lose one of your keys (or master seed if you used a separate HD wallet based on new master seed derivation). With a regular wallet - if you lose the master private key and seed - you are sunk, that's it, there is no recourse. It's a single point of failure.

2. If you use different devices / sources of entropy to derive master seed phrase - such as hardware device, rolling dice, software construction via strong CSPRNG library (say Electrum) - that further lowers your chances of someone brute-forcing your seed due to an accidental weak source of randomness in one particular setup. 1 out of 2^256 is nearly 0 anyway, but chances of brute forcing two or three of those are even more ridiculous. The same logic in terms of lowering your risk of using a single compromised device - if you use multiple physically independent devices to generate your keys, it seems you dramatically lower your chances of being pwned.

3. If you have a 2 of 4 setup for instance - you can spend several times from the same address by using different key combinations to sign the transaction - without giving away any privacy, unlike a regular address where every new signature to spend from that address could potentially be used to brute force the private key for that address.

4. The fact that there is a threshold of keys needed to withdraw funds makes multisig more amenable to being stored relatively safely in the cloud. Someone could use Shamir's secret-sharing algorithm to split each master seed, even encrypting it, for additional peace of mind, and storing it on multiple providers' file storage - GDrive, Dropbox, self-hosting, across physical devices. In a 3 of 5 setup, you could store up to 2 seeds in such fashion - and be quite safe in knowing that even if the parties were to collude, break your encryption and assemble 2 of your master keys, that would still not be enough to steal your funds.

5. Does multisig offer more in the way of being resistant to quantum computing cryptanalysis?

What am I missing? Are there any good counterarguments to using multisig vs just a regular [hardware] wallet?

I guess for now multisig transactions are slightly larger (for the spending tx ) but that will hopefully be soon mitigated with Schnorr/Taproot, right?
7  Bitcoin / Mining speculation / Re: The time horizon of mining capital investment on: June 05, 2020, 01:10:25 AM
[...]

Thanks for sharing this!

This is an interesting point - about upgrading to new equipment just before the halvening - if a lot of miners are following the same pattern, this would pretty much explain a temporary drop which is followed by a new all-time high in hashing in a matter of weeks.
8  Bitcoin / Mining speculation / The time horizon of mining capital investment on: June 02, 2020, 02:38:36 AM
Looking at the hash rate chart on https://www.blockchain.com/charts/hash-rate you can see a huge drop right after this year's halvening - similar in % move to the drop which followed the nearly 50% price decline in March. While the March price drop was an unforeseen event, the halvening had been a known quantity for years in advance - and yet we still saw a huge drop in hashrate a few days after the reward switched to BTC 6.25. How does this make sense in the context of the supposed long-term horizon of most large-scale miners which (again presumably) try to utilize economies of scale - both in terms of equipment and time.

Are these sharp declines that follow a very predictable event revealing that the mining market is in fact dominated by lots of smaller players which are operating on the edge of insolvency? Or is mining mostly an investment gig with a ~4 year time horizon until the next halvening?

Just thinking out loud but would love to hear what the rest of you think...