What info should be kept with each seed of a multi-sig wallet?

[_ERROR_LOADING]

I am getting ready to move some BTC that've been sitting in an encrypted BIP38 wallet for a few years. Setting that up was easy, and I felt comfortable with being able to recover funds in the future. Now though, the value of these coins has gone up enough that I don't feel comfortable storing them all in one place where the coins could be stolen by compromising this single wallet from a single location.

My plan is to create four 12-word BIP39 mnemonics and use these four seeds to create a 2-of-4 multi-sig wallet. I know how to create the multi-sig wallet using the four xpubs from each of the mnemonics, which will then generate a new xpub that can be used to derive HD addresses. Am I correct in that I need to keep a copy of this newly created xpub with each of the 12-word seeds? Obviously I need to plan for the worst case scenario wherein one of the four seeds is somehow destroyed, and so I can't rely on ever having all four seeds together in the future.

I found this awesome project by Ian Coleman: [Shamir39](https://github.com/iancoleman/shamir39) but it is still in development, and as far as I can tell, has not been thoroughly tested enough to use. This would suit my needs perfectly though, as I would only need to store a single mnemonic in each location.

To clarify, I plan to write down the mnemonics by hand and also store the recovery info on an archive grade cd-r, so each location will have a paper seed and a cd; on the cd-r the storage of the xpub would be no problem, simple copy-and-paste; my concern, though, is having to write down the whole xpub by hand, which is a lot of random characters, and recovery in the future may be prone to errors. I don't want to rely solely on a cd-r or paper copy.

So, help me out here:

1.  Is there an existing method of storing multi-sig recovery seeds and xpubs using only mnemonics?

2. If not, am I correct that the right way to go about this is storing the multi-sig xpub and the 12-word mnemonic in each location?

3. Any better way to go about this or redflags with my proposed setup here?

Thanks guys! I feel relatively knowledgeable about this stuff, but I am nervous as hell moving around such a valuable sum and want to cover my ass as much as possible before I pull the trigger on this.

[DannyHamilton]

- snip -
to create the multi-sig wallet using the four xpubs from each of the mnemonics, which will then generate a new xpub that can be used to derive HD addresses.

That doesn't sound like Multi-Sig at all.

That sounds a bit like Shamir's Secret Sharing. Although, typically 2-of-4 Shamir's Secret Sharing would start with a single mnemonic, and then split that mnemonic into 4 separate mnemonics of which any 2 could rebuild the original.

Am I correct in that I need to keep a copy of this newly created xpub with each of the 12-word seeds?

Obviously I need to plan for the worst case scenario wherein one of the four seeds is somehow destroyed, and so I can't rely on ever having all four seeds together in the future.

If I'm correct that you are using Shamir's Secret Sharing to, then (if done correctly) you should be able to re-construct the the xPub from any 2 of the saved mnemonics.

1. Is there an existing method of storing multi-sig recovery seeds and xpubs using only mnemonics?

Personally, I'd just use real MultiSig.  However, if you really want to use some sort of Secret Sharing, then the xPubs can always be generated as long as you have (or can build) the necessary xPriv value.

2. If not, am I correct that the right way to go about this is storing the multi-sig xpub and the 12-word mnemonic in each location?

You'd have to describe the actual process you intend to use.  What method are you using to generate your xPub from 4 mnemonics?  Also, you'll avoid a lot of confusion in the responses  you get if you stop calling it MultiSig and call it "Secret Sharing" or "split key" instead.  What you are describing doesn't sound like it has anything to do with MultiSig at all.

3. Any better way to go about this

That depends on exactly what you are trying to accomplish.  I'd be tempted to just use actual MultiSig.

[_ERROR_LOADING]

- snip -
to create the multi-sig wallet using the four xpubs from each of the mnemonics, which will then generate a new xpub that can be used to derive HD addresses.

That doesn't sound like Multi-Sig at all.

That sounds a bit like Shamir's Secret Sharing. Although, typically 2-of-4 Shamir's Secret Sharing would start with a single mnemonic, and then split that mnemonic into 4 separate mnemonics of which any 2 could rebuild the original.

Am I correct in that I need to keep a copy of this newly created xpub with each of the 12-word seeds?

Obviously I need to plan for the worst case scenario wherein one of the four seeds is somehow destroyed, and so I can't rely on ever having all four seeds together in the future.

If I'm correct that you are using Shamir's Secret Sharing to, then (if done correctly) you should be able to re-construct the the xPub from any 2 of the saved mnemonics.

1. Is there an existing method of storing multi-sig recovery seeds and xpubs using only mnemonics?

Personally, I'd just use real MultiSig.  However, if you really want to use some sort of Secret Sharing, then the xPubs can always be generated as long as you have (or can build) the necessary xPriv value.

2. If not, am I correct that the right way to go about this is storing the multi-sig xpub and the 12-word mnemonic in each location?

You'd have to describe the actual process you intend to use.  What method are you using to generate your xPub from 4 mnemonics?  Also, you'll avoid a lot of confusion in the responses  you get if you stop calling it MultiSig and call it "Secret Sharing" or "split key" instead.  What you are describing doesn't sound like it has anything to do with MultiSig at all.

3. Any better way to go about this

That depends on exactly what you are trying to accomplish.  I'd be tempted to just use actual MultiSig.

Shamir's Secret Sharing IS multi-sig. This is straight from the Bitcoin Wiki:

"Shamir's Secret Sharing Scheme (ssss) is a general software implementation of multisig."
(https://en.bitcoin.it/wiki/Multisignature)

What are you referring to as "actual" multi-sig?



To clarify further, my current plan is to use Electrum and Ian Coleman's Bip39 JS as follows:

1. Create four individual BIP39 12-word mnemonics offline.

2. Enter each mnemonic into Electrum and/or the BIP39 JS site, probably both just to confirm I'm getting the same output. For each individual mnemonic, I will copy the xpub output.

3. Using the four individual xpubs from each 12-word mnemonic, I will enter them into Electrum to create a 2-of-4 multi-sig wallet.

4. Copy the newly created multi-sig xpub and store a copy of this xpub with each 12-word seed.


My intention is to be able to create an HD multi-sig wallet that requires 2-of-4 signatures to spend funds. I want to keep the four private keys in different locations, but be able to recover funds even if all but two of the seeds are lost.

[_ERROR_LOADING]

Okay, looks like I was mistaken in regards to a newly created xpub. I created 4 test mnemonics, and used their xpubs to create a multi-sig 2-of-4 HD wallet in Electrum, but there is no new master public key as far as I can tell.

So what do I need to backup exactly? Does this mean I need to keep all four individual xpubs to recover funds in the future?

[DannyHamilton]

Shamir's Secret Sharing IS multi-sig. This is straight from the Bitcoin Wiki:

"Shamir's Secret Sharing Scheme (ssss) is a general software implementation of multisig."
(https://en.bitcoin.it/wiki/Multisignature)

Someone needs to fix that Wiki page.

That's going to confuse a lot of beginners.

What are you referring to as "actual" multi-sig?

multisig = Multiple Signatures.

Shamir's Secret Sharing Scheme takes a "secret" (such as a private key) and splits it into pieces such that a subset of those pieces can be used to rebuild the original secret.  However, if you build a typical P2PKH address (the addresses starting with a "1") then you still only need a SINGLE signature from that SINGLE private key that was split up.

A SINGLE SIGNATURE is NOT multisig.

On the other hand, if you generate multiple private keys, and then build a P2SH address (the addresses starting with a "3") where the redeem script requires signatures from m of n keys, then you have a situation where you need MULTIPLE signatures from MULTIPLE private keys.

MULTIPLE SIGNATURES IS "actual" multi-sig.

To clarify further, my current plan is to use Electrum and Ian Coleman's Bip39 JS as follows:

The one that you said "is still in development, and as far as I can tell, has not been thoroughly tested enough to use"?

The one that Ian Coleman describes as:
"There are no alternative implementations, meaning you are totally dependent on this tool if you use it. That is a dangerous situation to be in."

1. Create four individual BIP39 12-word mnemonics offline.

Note:  That isn't how Ian Coleman's system works.

He is generating a SINGLE mnemonic that represents a single xPriv and xPub.  Then he is using Shamir's Secret Sharing to split that SINGLE xPriv into multiple values.  Then he is converting each of those values to a mnemonic. If you try to use each of those mnemonics as a seed for a HD wallet, then they each effectively become an xPriv that can be rebuilt from access to ONLY the original SINGLE mnemonic that was split.

In other words, it all starts with a single xPriv and xPub.  If that single xPriv is ever compromised, then it won't matter how many pieces you have. The thief doesn't need multiple pieces because he doesn't need to create multiple signatures.  He just needs that one original xPriv.

2. Enter each mnemonic into Electrum and/or the BIP39 JS site, probably both just to confirm I'm getting the same output. For each individual mnemonic, I will copy the xpub output.

The xPub of the mnemonic from the split pieces is useless. You don't need them, and having them won't help you with anything.  What you'd need (if you lost the mnemonics) is the values that the  mnemonics were calculated from (The Secret Sharing pieces).

3. Using the four individual xpubs from each 12-word mnemonic, I will enter them into Electrum to create a 2-of-4 multi-sig wallet.

Whoa!  Oh my.  This is a horrible idea.  It is also a piece that wasn't clear in your original post which is why I stated that you weren't using "actual" multisig.  Your first post seemed to imply that you were going to use Secret Sharing to rebuild a single wallet from 2 of the mnemonics that you saved.

I mean it's GREAT that you are using actual multi-sig here, but all the private keys are generated from the same original private key.  If that original secret is ever compromised, then you've lost all the protection of MultiSig.

You'd be MUCH better off just generating 4 RANDOM Electrum wallets offline.  Store the Electrum mnemonics separately, and use Electrum to build a 2-of-4 multi-sig wallet.  In that case, all you need to spend the bitcoins is any 2 of the 4 mnemonics that you saved.  You don't need the xPriv (it can be rebuilt from the mnemonic), and you don't need the xPub (it can be rebuilt from the xPriv which can be rebuilt from the mnemonic). In this case, if any 1 of the xPriv or mnemonics are compromised, the transaction is still secure.  This way there is no single source for generating 2 (or more) of the mnemonics.

Using Ian Coleman's Secret Sharing page is a completely unnecessary and very risky option for generating multiple mnemonics.

My intention is to be able to create an HD multi-sig wallet that requires 2-of-4 signatures to spend funds. I want to keep the four private keys in different locations, but be able to recover funds even if all but two of the seeds are lost.

There is absolutely no need to use Shamir's Secret Sharing to accomplish that.  That is an extra complication that adds nothing to the security, and if implemented the way you are describing adds complexity while REDUCING security.

You'll be MUCH better off generating 4 RANDOM wallets offline, and then storing the 4 mnemonics separately.  Use the 4 xPub values from the 4 RANDOMLY generated wallets to create your multi-sig wallet.  Then you should be able to access the bitcoins with any 2 of the 4 mnemonics.

[DannyHamilton]

So what do I need to backup exactly? Does this mean I need to keep all four individual xpubs to recover funds in the future?

No.  You need the 4 mnemonics.

Note that I'm not certain how Electrum implements all of this. You've asked your question in the sub-forum that is intended for "Bitcoin Core, nodes, the Bitcoin network, transactions, and addresses".

I'm discussing all of this as a general concept for mnemonics, multisig, Secret Sharing, etc. You may want to ask in the Electrum sub-forum for better details on the exact steps to accomplish your goal with that particular wallet software.

[_ERROR_LOADING]

Shamir's Secret Sharing IS multi-sig. This is straight from the Bitcoin Wiki:

"Shamir's Secret Sharing Scheme (ssss) is a general software implementation of multisig."
(https://en.bitcoin.it/wiki/Multisignature)

Someone needs to fix that Wiki page.

That's going to confuse a lot of beginners.

What are you referring to as "actual" multi-sig?

multisig = Multiple Signatures.

Shamir's Secret Sharing Scheme takes a "secret" (such as a private key) and splits it into pieces such that a subset of those pieces can be used to rebuild the original secret.  However, if you build a typical P2PKH address (the addresses starting with a "1") then you still only need a SINGLE signature from that SINGLE private key that was split up.

A SINGLE SIGNATURE is NOT multisig.

On the other hand, if you generate multiple private keys, and then build a P2SH address (the addresses starting with a "3") where the redeem script requires signatures from m of n keys, then you have a situation where you need MULTIPLE signatures from MULTIPLE private keys.

MULTIPLE SIGNATURES IS "actual" multi-sig.

To clarify further, my current plan is to use Electrum and Ian Coleman's Bip39 JS as follows:

The one that you said "is still in development, and as far as I can tell, has not been thoroughly tested enough to use"?

The one that Ian Coleman describes as:
"There are no alternative implementations, meaning you are totally dependent on this tool if you use it. That is a dangerous situation to be in."

1. Create four individual BIP39 12-word mnemonics offline.

Note:  That isn't how Ian Coleman's system works.

He is generating a SINGLE mnemonic that represents a single xPriv and xPub.  Then he is using Shamir's Secret Sharing to split that SINGLE xPriv into multiple values.  Then he is converting each of those values to a mnemonic. If you try to use each of those mnemonics as a seed for a HD wallet, then they each effectively become an xPriv that can be rebuilt from access to ONLY the original SINGLE mnemonic that was split.

In other words, it all starts with a single xPriv and xPub.  If that single xPriv is ever compromised, then it won't matter how many pieces you have. The thief doesn't need multiple pieces because he doesn't need to create multiple signatures.  He just needs that one original xPriv.

2. Enter each mnemonic into Electrum and/or the BIP39 JS site, probably both just to confirm I'm getting the same output. For each individual mnemonic, I will copy the xpub output.

The xPub of the mnemonic from the split pieces is useless. You don't need them, and having them won't help you with anything.  What you'd need (if you lost the mnemonics) is the values that the  mnemonics were calculated from (The Secret Sharing pieces).

3. Using the four individual xpubs from each 12-word mnemonic, I will enter them into Electrum to create a 2-of-4 multi-sig wallet.

Whoa!  Oh my.  This is a horrible idea.  It is also a piece that wasn't clear in your original post which is why I stated that you weren't using "actual" multisig.  Your first post seemed to imply that you were going to use Secret Sharing to rebuild a single wallet from 2 of the mnemonics that you saved.

I mean it's GREAT that you are using actual multi-sig here, but all the private keys are generated from the same original private key.  If that original secret is ever compromised, then you've lost all the protection of MultiSig.

You'd be MUCH better off just generating 4 RANDOM Electrum wallets offline.  Store the Electrum mnemonics separately, and use Electrum to build a 2-of-4 multi-sig wallet.  In that case, all you need to spend the bitcoins is any 2 of the 4 mnemonics that you saved.  You don't need the xPriv (it can be rebuilt from the mnemonic), and you don't need the xPub (it can be rebuilt from the xPriv which can be rebuilt from the mnemonic). In this case, if any 1 of the xPriv or mnemonics are compromised, the transaction is still secure.  This way there is no single source for generating 2 (or more) of the mnemonics.

Using Ian Coleman's Secret Sharing page is a completely unnecessary and very risky option for generating multiple mnemonics.

My intention is to be able to create an HD multi-sig wallet that requires 2-of-4 signatures to spend funds. I want to keep the four private keys in different locations, but be able to recover funds even if all but two of the seeds are lost.

There is absolutely no need to use Shamir's Secret Sharing to accomplish that.  That is an extra complication that adds nothing to the security, and if implemented the way you are describing adds complexity while REDUCING security.

You'll be MUCH better off generating 4 RANDOM wallets offline, and then storing the 4 mnemonics separately.  Use the 4 xPub values from the 4 RANDOMLY generated wallets to create your multi-sig wallet.  Then you should be able to access the bitcoins with any 2 of the 4 mnemonics.

I don't think we're on the same page at all.

No, I am not referring to the shamir39 implementation, but this https://iancoleman.github.io/bip39/

I am not relying on that alone, either. I am creating four individual 12-word seeds offline and then using the above BIP39 javascript code and electrum to verify that each 12-word BIP39 seed is giving me the same xpub output. For all intents and purposes, assume these 12-word seeds are each unique and in no way related, they are generated separately offline and only the individual xpubs from each 12-word seed are being used to create the 2-of-4 wallet. I am no way relying on either electrum or Ian Coleman's script to create the BIP39 seeds.

You seem to be saying I should do exactly what I said I was going to do, but I guess I didn't articulate it well enough, which is take four individual 12-word seeds and create a 2-of-4 multi-sig wallet, which requires the four xpubs from each of the 12-word seeds.

[_ERROR_LOADING]

So what do I need to backup exactly? Does this mean I need to keep all four individual xpubs to recover funds in the future?

No.  You need the 4 mnemonics.

Note that I'm not certain how Electrum implements all of this. You've asked your question in the sub-forum that is intended for "Bitcoin Core, nodes, the Bitcoin network, transactions, and addresses".

I'm discussing all of this as a general concept for mnemonics, multisig, Secret Sharing, etc. You may want to ask in the Electrum sub-forum for better details on the exact steps to accomplish your goal with that particular wallet software.

I'm not looking to be locked into a single software implementation and I thought multi-sig was generic to some extent. I chose the electrum + ian coleman's bip39 script because it is easy to run on an offline computer. Is there a better option for creating a 2-of-4 multisig wallet from four 12-word BIP39 seeds?

[HCP]

I was going to point you to: https://bitcointalk.org/index.php?topic=2280898.0

But it seems you already found that thread... which describes EXACTLY what you need to save at each of your locations... but then it seems that you want to use this shamir39 and the mnemonics instead...

I think the piece you're missing in your puzzle... is that if you create a 2-of-4 MultiSig... you absolutely must have ALL 4 pieces to be able to recreate the wallet... This is why the other poster has this as his requirements:

Location 1: wallet seed 1, master pub key 2, master pub key 3, master pub key 4
Location 2: master pub key 1, wallet seed 2, master pub key 3, master pub key 4
Location 3: master pub key 1, master pub key 2, wallet seed 3, master pub key 4
Location 4: master pub key 1, master pub key 2, master pub key 3, wallet seed 4

Each location has 4 pieces... the location specific seed, and the pubkeys (associated with the seeds) from the 3 other locations... in this way, if one site gets compromised, it will be able to recreate the wallet, but can't spend... the only way to spend would be to have the information from two of the sites.

[_ERROR_LOADING]

I was going to point you to: https://bitcointalk.org/index.php?topic=2280898.0

But it seems you already found that thread... which describes EXACTLY what you need to save at each of your locations... but then it seems that you want to use this shamir39 and the mnemonics instead...

I think the piece you're missing in your puzzle... is that if you create a 2-of-4 MultiSig... you absolutely must have ALL 4 pieces to be able to recreate the wallet... This is why the other poster has this as his requirements:

Location 1: wallet seed 1, master pub key 2, master pub key 3, master pub key 4
Location 2: master pub key 1, wallet seed 2, master pub key 3, master pub key 4
Location 3: master pub key 1, master pub key 2, wallet seed 3, master pub key 4
Location 4: master pub key 1, master pub key 2, master pub key 3, wallet seed 4

Each location has 4 pieces... the location specific seed, and the pubkeys (associated with the seeds) from the 3 other locations... in this way, if one site gets compromised, it will be able to recreate the wallet, but can't spend... the only way to spend would be to have the information from two of the sites.

My original plan was the 2-of-4 multi-sig as described in that other thread, and considering it's a tested method as compared to the shamir39 scheme, it's probably what I'll use. Makes sense now, and what I didn't understand prior to posting this and actually going through a few test rounds, is that when you combine the 4 xpubs, there is no new xpub created. I thought I'd only need to retain one newly created xpub + seed, but I understand now that the recovery will require all 4 xpubs to be stored with each backup, and that I can use those to create a watch address as well.

The shamir39 scheme is what I would use if it was tested further as an official BIP, as that is a much easier backup process, requiring the user to store only a 12-word seed, with that being enough to recreate the shared secret along with only one other 12-word seed.

[HCP]

After a quick read through, I like the concept of "shamir39"... You get the benefits of shamir secret sharing, that is to say, being able to split your mnemonic into multiple parts for storage in separate locations, but with "human readable" words as opposed to the normal long "hex" strings to help reduce/prevent errors during transcription etc.

I believe that a system like this would certainly be of benefit for hardware wallet users... it would enable one to create another layer of physical security for one's mnemonic storage.

I'll certainly be keeping an eye on any developments regarding this system.