Bitcoin Forum
February 26, 2024, 07:20:21 AM *
News: Latest Bitcoin Core release: 26.0 [Torrent]
 
  Home Help Search Login Register More  
  Show Posts
Pages: [1] 2 3 »
1  Bitcoin / Bitcoin Technical Support / Re: Multisig derivation paths and xpubs on: August 08, 2023, 03:53:02 PM
Quote
I was thinking less about forgetting your derivation path and more about if you ever needed to use some different piece of software.

As I said above, you can easily back up your derivation path alongside your seed phrase, and therefore have no additional risk of losing your coins. The issue would come if you want to import your multi-sig in to a different piece of software for whatever reason that does not let you specify arbitrary derivation paths.

If you back up your full descriptors and always use the same version of Sparrow then of course there will be no problems. But it is fairly easy to imagine a scenario where you need emergency access to your funds and you are forced to recover the seed phrases using different software, perhaps on a different OS, perhaps on mobile instead of a computer, and so on. In such a case it is always going to be an easier process if you have used the widely accepted standards rather than done something unique.

It is of course up to you - just explaining my rationale behind preferring to stick to standard practices.

I appreciate that. I have Electrum back ups too and a watch only Blue Wallet, but I know what you're saying.
2  Bitcoin / Bitcoin Technical Support / Re: Multisig derivation paths and xpubs on: August 07, 2023, 11:26:49 PM
Quote
Simply because it is the standard. I am not aware of a single wallet which derives P2SH address at m/49/0/x by default, while there are hundreds which follow the BIP39 standard of m/49'/0'/x'.

Just like there is nothing stopping me deriving a single sig wallet at m/3894329'/284760'/1609266' and backing up my derivation path, it is much safer to just stick to the standard m/84'/0'/0'.

Ah ok, yes that is a fair point. However, I think so long as I backup the derivation path I should be ok. This thread will serve as an extra back up Wink
3  Bitcoin / Bitcoin Technical Support / Re: Multisig derivation paths and xpubs on: August 06, 2023, 02:04:01 PM
Quote
However, I would highly recommend sticking to the standard of using hardened paths for the first three levels if you are using 49 at the purpose level, not least of all to make your life easier when recovering your wallet in the future.

Forgive my ignorance, but how does a hardened path help wallet recovery? I have the output descriptors and Sparrow and Electrum wallet files backed up on multiple media.
4  Bitcoin / Bitcoin Technical Support / Re: Multisig derivation paths and xpubs on: August 06, 2023, 01:15:12 PM
Quote
Of course in MultiSig, it needs the "N" number of cosigners, not just one.
And the other cosigner's xpub and private keys are unrelated to each other, that unhardened derivation vulnerability isn't applicable to each cosigner's keys.

Thanks for the above. So ultimately unhardened vs hardened doesn't matter a great deal in multisig?
5  Bitcoin / Bitcoin Technical Support / Re: Multisig derivation paths and xpubs on: August 05, 2023, 11:19:58 PM
Quote
The relevance is that unhardened levels can be derived only using public keys, while hardened levels require the private keys. In short, they are entirely different numbers and will derive entirely different addresses.

Right. So after doing a little digging, it seems that the unhardened path can compromise all the coins in a wallet if the xprv of one address is compromised. However, this seems less of a risk for a multisig wallet?
6  Bitcoin / Bitcoin Technical Support / Re: Multisig derivation paths and xpubs on: August 05, 2023, 06:03:12 PM
Quote
If your output descriptors either include your derivation path, or are using the xpubs already derived from the relevant derivation paths, then yes.

Just be careful with hardened paths. You've said m/49/0/4, but I suspect you mean m/49'/0'/4'.

Thanks. So, the xpubs will point to the right addresses with or without the derivation paths?

What is the difference between m/49' and m/49? So far as I can see, the derivation paths for all my multisig wallets are hardened (i.e., m/49).

7  Bitcoin / Bitcoin Technical Support / Re: Multisig derivation paths and xpubs on: August 05, 2023, 01:46:51 PM
Just revisiting this topic for verification/reassurance.

As my (thoroughly backed up and tested) keys are geographically distributed, I have used the derivation path (m/49/0/4) and xpubs derived by my collaborative custodian to create a 2 of 3 fully self-sovereign multisig. It signs fine. My one concern is that I'm using a non-standard derivation path (I would have preferred to have used m/84/0/0). However, so long as I have the output descriptors and private keys fully backed up, I should always be able to sign from this wallet, correct?
8  Bitcoin / Bitcoin Technical Support / Re: How best to store output descriptors/wallet backups on: July 27, 2023, 10:59:37 PM
Great ideas both of you, thanks!
9  Bitcoin / Bitcoin Technical Support / How best to store output descriptors/wallet backups on: July 27, 2023, 04:54:51 PM
I am wondering what the best practice is for storing output descriptors. Currently I have them offline on USB drives. However, there is an obvious risk of physical/environmental degradation over time. My instinct is that it would be foolish to save them on a cloud. I guess the tradeoff is physical degradation vs. being hacked. I'm guessing the latter is probably more likely.
10  Bitcoin / Bitcoin Technical Support / Re: Multisig derivation paths and xpubs on: June 30, 2023, 03:31:56 PM
Quote
So the derivation path is used both in the generation of the xprvs/xpubs, and also in the generation of individual addresses from those xprvs/xpubs. Allow me to explain.

Take the following familiar derivation path: m/84'/0'/0'.

m stands for your master private key, which is generated from your seed phrase. Technically speaking, this is the only key which should ever be called your master private key, but a lot of people and software also use the term master private key to refer to your account extended private key (which I'll come to in a second).

The next three numbers are, in order, your purpose, coin type, and account. 84 is the number assigned to P2WPKH segwit addresses. 0 is the coin type for mainnet bitcoin. The next 0 simply means the first account. As I explained previously, that derivation path tells your wallet software to generate the extended key at the 85th hardened index,* use that to generate the extended key at the 1st hardened index, and then use that to generate the extended key at the 1st hardened index. The extended key you end up with after doing all that is your account extended private key. Account because it is at the account level, extended because you have an extra part which allows you to continue to derive at further levels. But as I said above, lots of places incorrectly refer to this key as your master private key. When you extract an xprv from a wallet, it is almost always this key that you are extracting - your account extended private key.

Now, to get actual addresses from that key, we need to derive through a further two levels. The derivation path of the very first address in your wallet will look like this: m/84'/0'/0'/0/0. The first extra zero is change (0 for not being a change address, 1 if it is a change address), and then the second extra zero is in the index of the individual address itself.

m/84'/0'/0'/0/0 - 1st non-change address
m/84'/0'/0'/0/1 - 2nd non-change address
m/84'/0'/0'/1/0 - 1st change address
m/84'/0'/0'/1/3 - 4th change address
And so on.

Note that multi-sig sometimes add in an additional field called the script type, so instead of something like m/84'/0'/0' you would have m/48'/0'/0'/2'. (48 is the purpose number for such multi-sig paths, and 2 is the script type for P2WSH.)

So, in the case of HD wallets, you can import keys in two ways. The first is that you can either import a seed phrase, and tell the wallet the exact derivation path you used to get the account extended private key. So for example I could give you the following seed phrase:
Code:
tray expect pact quantum junior chronic nation topple boy today maid syrup
And tell you I used the derivation path m/84'/0'/0', meaning you can calculate the following xprv:
Code:
xprv9zScb44VdRkzpdV8djUnNzD69QWRCA3iMvMm29UaouknnXxH3KRrnpN9QAyzEbqgMSVUVUavpki aWuBhTBpefXXX5kg4tUvSQpd2dDHKFFX
The wallet then knows to start there and add on the extra /0/0 derivations to reach individual addresses.

The second option is I can just give the wallet the xprv directly, and not tell it about the seed phrase or the derivation path I used to get to the given xprv. The wallet will take the xprv and add on the extra /0/0 as above, without knowing the derivation path used to reach that xprv.

Now let's say, for example, I'm setting up a 2-of-3 multi-sig. In this particular multi-sig, I'm using one seed phrase on my computer, and two hardware wallets. Let's say the seed phrase on my computer is using the derivation path m/48'/0'/0'/2'. Great. So my software knows to use this deviation path to calculate the first xprv from the seed phrase it has, and the corresponding xpub. Now my two hardware wallets come along. For the sake of argument, the first uses m/84'/0'/0', and the second uses uses m/0'. What a nightmare! Each hardware wallets generates an xprv at the given derivation path, calculates the corresponding xpub for the xprv, and then feeds the xpub to the wallet software on my computer. Now, my wallet software has three xpubs, but it may or may not have any idea the derivation paths used to reach the two xpubs from the hardware wallets. But actually, it doesn't need to know. All it needs to do is calculate a child key at /0/0 for each one and combine them in to a multi-sig address.

So it can do seed phrase + m/48'/0'/0'/2'/0/0 to generate the first key itself, and then it can do hardware-wallet-xpubs/0/0 to generate the second and third keys. One it has all three keys at /0/0, it combines them to create an address. It does the same thing at /0/1 and combines the three keys to generate the second address, and so on.


*Hardened indices, indicated by the ' symbol, are actually the number you see plus 231, but the reasons behind that are not relevant for this.

Wow, thanks for this. I think I'm going to have to read it taking notes several times.
11  Bitcoin / Bitcoin Technical Support / Re: Multisig derivation paths and xpubs on: June 29, 2023, 12:11:06 PM
Quote
Maybe you have the safety setting "Validate Derivations" disabled that enabled you to use the single-sig derivation paths to MultiSig.

No, it is on. BIP 49 is a multisig derivation path though.

Quote
I have no means to test this but you may be able to sign by creating a new MultiSig wallet with the correct derivation paths to the provided extended public keys.

I think you're right. The $30 locked in that wallet is the cost of tuition.
12  Bitcoin / Bitcoin Technical Support / Re: Multisig derivation paths and xpubs on: June 29, 2023, 10:58:20 AM
Quote
Perhaps.
If those Nested SegWit extended public keys are derived from your master private key with m/49'/0'/0' path,
But used it in a MultiSig setup and provided the standard path of m/48'/0'/0'/1' (BIP48 - Nested SegWit), then your hardware wallet will derive a different xpub key than what you've provided.

What does the descriptor looks like? You can edit the extended public keys for privacy reasons.
BTW, in Sparrow, you can't use the standard derivation path of BIP49 in a MultiSig setup by design.

I think the fatal flaw in my understanding was that I thought the xpubs were generated solely by the hardware devices and were independent of the derivation path, and that the derivation path specified the receive and change keys from the child xpubs of the devices.

So, given I imported two xpubs from a BIP 49 setup and one from a BIP 84 wallet, then used the derivation path BIP 48 to derive all the receive and change keys, have I just made a huge spaghetti soup that I won't be able to sign?

Quote
BTW, in Sparrow, you can't use the standard derivation path of BIP49 in a MultiSig setup by design.
That's strange, I currently use BIP 49 in a collaborative multisig 3 of 5 setup, and imported it into Sparrow with no issue. I was also able to form a 2 of 3 setup using the same xpubs and derivation path in Sparrow.  


13  Bitcoin / Bitcoin Technical Support / Re: Multisig derivation paths and xpubs on: June 29, 2023, 12:18:18 AM
I have the master fingerprints, so could sign. Thatís not the issue. The private keys are stored in my hardware wallets.
14  Bitcoin / Bitcoin Technical Support / Re: Multisig derivation paths and xpubs on: June 28, 2023, 10:18:15 PM
Ok, so I'm learning through doing here. I took what I know to be valid xpubs from my three keys and used the derivation path for nested segwit. However, I can't sign from that quorum. I'm thinking this is probably because the xpubs I am using were not generated by the derivation path I specified?
15  Bitcoin / Electrum / Re: Electrum multisig for long-term cold storage on: June 27, 2023, 10:29:23 PM
Totally with you there. I just meant that a dedicated air gapped HD wallet is going to offer the same security (if not more) than an air gapped encrypted PC.
16  Bitcoin / Bitcoin Technical Support / Re: Multisig derivation paths and xpubs on: June 27, 2023, 10:10:34 PM
My current multisig (with a third-party provider) uses m/49/0/3. I took the derivation paths and xpubs from that and created a smaller multisig quorum, which has signed fine.
17  Bitcoin / Bitcoin Technical Support / Multisig derivation paths and xpubs on: June 27, 2023, 09:12:05 PM
I am having trouble wrapping my head around derivation paths in multisig setups. I had a multisig wallet with the derivation path m/49/0/3 (i.e., each key used that path). I wanted to swap a key to set up a new wallet. I used Sparrow and, even though the new device used the derivation path m/48/0/0/2 and the other two had m/49/0/3, it still generated the multisig wallet (i.e., Sparrow detected no error).

My question is, can each device in a multisig setup have a different derivation path? I always thought every device had to refer to the same one.
18  Bitcoin / Electrum / Re: Electrum multisig for long-term cold storage on: June 27, 2023, 02:59:45 PM
Interesting. The way I see it, if you're storing coins on a multisig setup with open source hardware wallets, this should offer the same security (maybe more secure?).
19  Bitcoin / Electrum / Re: Electrum multisig for long-term cold storage on: June 26, 2023, 02:24:05 PM
I use my wallets on a Linux system with full disk encryption. Stealing the device should prevent an attacker to gain access to the filesystem. I do wallet password protection even for watch wallets, just a habit I don't want to break with. I only make an exception if I do something with a test wallet which doesn't control any worth.

Even my Testnet Bitcoin wallets are password protected, but not with my stronger passwords. For convenience I relax passwords strength where appropriate.

Do you keep your private keys on hardware wallets, or are they stored on your hard drive? My wallet files are watch only, but with the master fingerprints so that I can use them to sign from an air gapped device.
20  Bitcoin / Electrum / Re: Electrum multisig for long-term cold storage on: June 25, 2023, 03:51:53 PM
Thanks for the reply.

Quote
No, it wouldn't make any meaningful difference if you are already doing everything over Tor.

My node (separate machine) is connected to my wallet via Tor, but the computer that has Sparrow installed is still connected to to the internet. Does the above advice still stand?

Quote
The descriptors that Sparrow creates only contain xpubs, and therefore are watch only and cannot be used to sign anything. You should definitely still password protect your wallet files which contain your seed phrases/private keys.

None of my private keys are kept in the wallet files. They just contain the xpubs and master fingerprints. The private keys are stored in hardware wallets.

Quote
That's right. The descriptor file will contain the xpubs for all your co-signers. Personally, I would still back up the xpubs alongside each seed phrase back up though, in the manner I describe here which maintains your privacy at the same time: https://bitcointalk.org/index.php?topic=5456975.msg62443533#msg62443533

Thanks for this.
Pages: [1] 2 3 »
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!