Author Topic: MultiSig - Changing HWWs  (Read 109 times)
BTR356 (OP)
February 06, 2025, 12:16:12 PM
Last edit: February 06, 2025, 01:44:33 PM by BTR356
 #1

Greetings. New member here, but not new to BTC. It's been a few years and now that I feel that I have gone down the rabbit hole deep enough, I am exploring multisig setups. I have a couple of questions. The first: say, for the sake of argument, I create a 2 of 3 using the same HWW (a Jade) for all the keystores. Then I decide to change the brand of wallet for one of the keystores (say seedsigner), would that alter the wallet in a way that would change the foundations of the multisig so that the addresses are different, or that the descriptor would no longer correspond with the new setup? I've read that the order of adding the xpubs from the HWWs can. That's why I ask.

Second: I have read, but it wasn't explained why, that saving 2 copies of one of the seeds in a 2-of-3 setup can reduce security. Is this true? I don't see why that would be any different than a 2-of-4 setup.

thanks.

Edit: I miswrote the word passkey instead of keystore. Sorry for the confusion. I had just read an article about passkeys. When Sparrow requests each HWW's information to be registered for multisig usage, it refers to it as a keystore. To clarify my question, if I register each keystore/seed using a Jade, but then later choose to change one of the keystores to another HWW brand (using the same seed), will that alter the setup in any way due to the brand change?
Zaguru12
February 06, 2025, 12:29:44 PM
Last edit: February 06, 2025, 12:59:43 PM by Zaguru12
 #2

From my own understanding, passkeys are used to actually restore a wallet instead of the usual seed phrase or private keys (this is definitely not something I advise), so if you are actually restoring the same passkey from the Jade wallet to another wallet that is importing the same wallet (same seed phrase), then I believe it will be the same public key and wouldn't change the multisig; but if it is a change in passkey (basically a change in private key), then it will result in a change of public key and it is no longer the same multisig wallet as the former.

The second question is not at all clear, but in terms of backup, all three co-signer details are needed to recover the multisig wallet.

Edit:

If it is a keystore, a keystore is more like a wallet file, and if it is imported into another wallet with its corresponding password, then the wallet will be the same as that from the former wallet (Jade).

Charles-Tim
February 06, 2025, 01:06:35 PM
 #3

Passkey can never be Keystore. Keystore is referring to where private key is stored. Passkey refers to saving your biometry like fingerprint or face unlock on an online cloud which can be used to access your wallet.

I prefer the use of passphrase and I can never use passkey.

To import your 2-of-3 multisig seed phrases and master public key on another well-known, reputable wallet should work. But make sure that the addresses on the old wallet are the same as the addresses on the new wallet. But this is not recommended.

The recommendation should be that you should setup a new multisig on the new wallets and transfer your coins to an address generated on the new 2-of-3 multisig wallets.

Second: I have read, but it wasn't explained why, that saving 2 copies of a single seed in a 2 or 3 setup can reduce security. Is this true? I don't see why that would be any different than a 2 of 4?
This question is not clear. Are you referring to singlesig seed phrases or multisig seed phrases? If you are referring to a singlesig wallet seed phrase, why not just use a passphrase to extend the seed phrase and back up the passphrase in different locations from the seed phrase? But if you lose the passphrase, just like the seed phrase, you will lose the coins.

apogio
February 08, 2025, 02:02:50 PM
Merited by Cricktor (2)
 #4

Second: I have read, but it wasn't explained why, that saving 2 copies of one of the seeds in a 2-of-3 setup can reduce security. Is this true? I don't see why that would be any different than a 2-of-4 setup.

Perhaps what you've read is that for a 2-of-3 multisig there isn't a reason to have more than 3 backups.
Because losing one backup will not lead to losing your funds.
Also, perhaps the argument was that doing dual backups could reduce security in the sense that, there would be 2 geographical locations having the same information, so it doubles the risk of getting compromised.

Anyway, for a 2-of-3 setup, you need 3 separate geographical locations.

However, apart from the seed phrases, you also need to backup your XPUBs and this is super important.

I suggest that you create 3 wallets (A,B,C) and make 3 backups as follows:
1. Seed phrase A + XPUB B
2. Seed phrase B + XPUB C
3. Seed phrase C + XPUB A

Doing this, if you lose one backup, you can still recover the wallet.


BTR356 (OP)
February 09, 2025, 07:06:52 AM
 #5

Second: I have read, but it wasn't explained why, that saving 2 copies of one of the seeds in a 2-of-3 setup can reduce security. Is this true? I don't see why that would be any different than a 2-of-4 setup.


However, apart from the seed phrases, you also need to backup your XPUBs and this is super important.

I suggest that you create 3 wallets (A,B,C) and make 3 backups as follows:
1. Seed phrase A + XPUB B
2. Seed phrase B + XPUB C
3. Seed phrase C + XPUB A

Doing this, if you lose one backup, you can still recover the wallet.



This is interesting. The consensus I have come across seems to be to keep each seed phrase with a copy of the descriptor. I am aware that would be a compromise in privacy, but it would also ensure that none of the XPUBs are lost. I was also under the impression that the XPUBs alone are not enough to restructure the multisig wallet (at least not easily), another reason for the descriptor redundancy. That leads me to my first issue. One that I am still wondering about: would a change in hardware brand conflict with the saved descriptor? Would changing one of the saved keystores (registering via a different HWW, but using the same seed) cause any issues? I plan to test this myself. It will be a while before I can get my hands on an additional HWW, just being impatient.

apogio
February 09, 2025, 10:04:50 AM
Merited by Cricktor (2)
 #6

This is interesting. The consensus I have come across seems to be to keep each seed phrase with a copy of the descriptor. I am aware that would be a compromise in privacy, but it would also ensure that none of the XPUBs are lost.

Without the 3 XPUBs, you won't be able to restructure your wallet. They are vital.

In an ELI5 I would say that the 3 XPUBs are needed to find the door and then 2 seed phrases are needed to unlock it.

Even if you could unlock a door, it would be infeasible to do so if you didn't know where the door is. Especially in the cryptographical universe where the space is this vast.

Following my method above, you shouldn't worry about losing one XPUB. Because if you lost one of the backups, then the XPUB of this backup would exist in one of the other two backups. Don't forget that if you have the seed phrase you can always re-create the corresponding XPUB.

I understand that you want to save all the XPUBs among each of your seed phrases. Apart from privacy issues, like you said, I don't see other obvious implications.

Cricktor
February 09, 2025, 11:56:18 AM
Merited by apogio (1)
 #7

Because losing one backup will not lead to losing your funds.
It depends on what you mean by backup. Important for multisig setups is that you can't afford to lose any one part completely.

To summarize and generalize what apogio said in the previous post: to generate addresses of an n-of-m multisig with n<=m, you need all m xpubs. You can't afford to lose any one xpub completely!

It should be obvious that any distinct seed from a multisig setup can produce the corresponding xpub. So having a seed of a multisig part is equivalent to having the xpub, but additionally you also have the corresponding private keys (xprv).

To be able to sign transactions from such a multisig setup, you need at least n seeds and the other m-n xpub(s).

I like the visual analogy of finding the right door and having enough keys to unlock it.


Regarding security:
Your individual backup should not easily expose seeds to someone who's not supposed to see them. If you can't guarantee this, you need to counter such a potential exposure problem. One possible way could be using every seed with a strong optional mnemonic passphrase which must not be stored with the seed backups. Without the mnemonic passphrase extension the seed words don't produce the correct xprv and xpub, so exposure won't compromise a wallet.

Of course the mnemonic passphrase extension(s) need to be backed up very carefully (redundantly!) as you definitely can't afford to lose any of them. Mnemonic passphrase extension is an advanced feature and you should definitely know and understand what this does.

I can think of other ways to secure backups but that might be off-topic to OP's main question.

BTR356 (OP)
February 09, 2025, 02:14:14 PM
 #8

Thanks for the detailed responses. I understand that the XPUBS can be created from the seeds. I shot off that reply a little too quickly while I was heading out the door to teach a class. I see the pattern now and appreciate that the XPUBS would help to prevent any privacy leak. That leaves me questioning how would the wallet be recreated with just the XPUBs. This is where my knowledge starts to get thin. But as I understand it, seed order, derivation paths, wallet idiosyncrasies, xpubs vs zpubs, etc. impact the structure of the wallet and, in turn, the addresses. 

I pondered about using passphrases (mnemonic-I am assuming you mean from the seed wordlist--and otherwise). I read about some suggesting to use child seeds for that purpose. I think that will complicate things, more copies to back up and remember their purpose; I need to consider others that should be able to pick up where I leave off. As for the child seeds, I see a security risk. I plan on using tamper-evident bags/family/bank deposit box.

I heard of someone using an air-gapped computer to make an encrypted file of one of his multi-sig seeds. Thereafter he uploaded it to Bitwarden or Proton. His thinking was it was as good as Casa or Unchained. Makes me wonder if even those companies are safe.
Cricktor
February 09, 2025, 05:44:47 PM
Merited by apogio (1)
 #9

Let's stick to the base example of a 2-of-3 multisig wallet.

That leaves me questioning how would the wallet be recreated with just the XPUBs.
If you have all three xpubs of an example multisig wallet, then you can only create a watch-only multisig wallet because an xpub doesn't give you any private keys.

Signer 1 wallet needs: seed 1 and xpub 2 & 3
(can create unsigned transactions which need to be signed separately by two distinct signers; can create a single signed transaction that additionally needs to be signed by one of the other signers)

Signer 2 wallet needs: seed 2 and xpub 1 & 3
(can create unsigned transactions which need to be signed separately by two distinct signers; can create a single signed transaction that additionally needs to be signed by one of the other signers)

Signer 3 wallet needs: seed 3 and xpub 1 & 2
(can create unsigned transactions which need to be signed separately by two distinct signers; can create a single signed transaction that additionally needs to be signed by one of the other signers)

Watch-only wallet needs: xpubs 1, 2 & 3
(can create unsigned transactions which need to be signed separately by two distinct signers)


I pondered about using passphrases (mnemonic-I am assuming you mean from the seed wordlist--and otherwise).
An optional mnemonic passphrase is an extension of the usually 12 or 24 mnemonic recovery words. Some call it the "13th" or "25th" word. It's not necessarily only one word from the BIP39 wordlist. It can be anything UTF-8 valid, spaces are allowed, too.

It's important to know that any unique mnemonic passphrase extension generates a unique wallet. There's no check if correct or not; if you have any error in your mnemonic passphrase extension you get the wrong, empty wallet. Make sure to very carefully document such a mnemonic passphrase extension. It should be stored and backed up separately from the mnemonic recovery words.


I read about some suggesting to use child seeds for that purpose. I think that will complicate things, more copies to back up and remember their purpose; I need to consider others that should be able to pick up where I leave off. As for the child seeds, I see a security risk. I plan on using tamper-evident bags/family/bank deposit box.
With BIP85 child seeds you can derive secure deterministic child seeds from a base seed. You wouldn't need to back up those child seeds because you can always recreate them from an index number and your base seed. You only need to remember which index you used to derive the child seed. That is less data to back up actually. But that's maybe another topic and doesn't quite belong here in this thread.
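
Added illustration (not part of any post in this thread) of the point made in replies #7 to #9 that a multisig address is computed from all cosigner public keys: it builds the 2-of-3 witness script, hashes it into a P2WSH address, and compares key-sorted construction (the `sortedmulti` descriptor function) with entry-order construction (`multi`). Assumptions: P2WSH script type, each child public key has already been derived from its xpub at one address index (BIP32 derivation is omitted), and the three sample keys are constructed values.

```python
import hashlib
from itertools import permutations

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
# Constructed sample values standing in for the three cosigners' child public keys.
KEY_A = bytes.fromhex("0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798")
KEY_B = bytes.fromhex("02c6047f9441ed7d6d3045406e95c07cd85c778e4b8cef3ca7abac09b95c709ee5")
KEY_C = bytes.fromhex("02f9308a019258c31049344f85f89d5229b531c845836f99b08601f113bce036f9")

def _polymod(values):
    chk = 1
    for v in values:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for i, g in enumerate((0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)):
            if (top >> i) & 1:
                chk ^= g
    return chk

def _to_5bit(payload):
    acc = bits = 0
    out = []
    for byte in payload:
        acc, bits = (acc << 8) | byte, bits + 8
        while bits >= 5:
            bits -= 5
            out.append((acc >> bits) & 31)
    if bits:                                   # pad the final group with zero bits
        out.append((acc << (5 - bits)) & 31)
    return out

def _bech32(hrp, data):
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    pm = _polymod(expanded + data + [0] * 6) ^ 1
    checksum = [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)

def p2wsh_multisig(threshold, pubkeys, sort_keys=True):
    """Mainnet P2WSH address for a threshold-of-len(pubkeys) multisig script."""
    if not 1 <= threshold <= len(pubkeys) <= 16 or any(len(k) != 33 for k in pubkeys):
        raise ValueError("need 1 <= threshold <= n <= 16 compressed (33-byte) keys")
    keys = sorted(pubkeys) if sort_keys else list(pubkeys)   # sortedmulti vs multi
    script = bytes([0x50 + threshold])                       # OP_<threshold>
    for key in keys:
        script += bytes([len(key)]) + key                    # push each public key
    script += bytes([0x50 + len(keys), 0xAE])                # OP_<n> OP_CHECKMULTISIG
    return _bech32("bc", [0] + _to_5bit(hashlib.sha256(script).digest()))

def addresses_over_orderings(sort_keys):
    """Distinct addresses produced when the same three keys are entered in every order."""
    orders = permutations([KEY_A, KEY_B, KEY_C])
    return {p2wsh_multisig(2, list(order), sort_keys) for order in orders}

if __name__ == "__main__":
    print("sortedmulti:", len(addresses_over_orderings(True)), "distinct address")
    print("multi:      ", len(addresses_over_orderings(False)), "distinct addresses")
    print("2-of-2 from only two of the keys:", p2wsh_multisig(2, [KEY_A, KEY_B]))
```

Only public keys enter the script, so the device that holds a seed appears nowhere in the computation; the same seed and derivation path on a different signer yields the same key and therefore the same address.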

dkbit98
February 10, 2025, 09:14:45 PM
 #10

I know MultiSig setup is the more secure option, but you should also understand that it adds extra complexity and it needs more fees for transactions.
There is an alternative option called SLIP39 or ShamirSecretSharing that is now made a standard for Trezor hardware wallets, and it is supported by the Keystone wallet.
Major software wallets like Electrum and Sparrow wallet are also supporting SLIP39, and you can find full list of supported wallets in this topic:
https://bitcointalk.org/index.php?topic=5509625.0

Trezor page for SLIP39 with more information:
https://content.trezor.io/slip39
