Difficulty factors added to bruteforcing multisig private keys

[jackg]

As I understand it, a multisig (let's say for example) a 15/15 multisig requires a signature from all 15 private keys of a controlling address.

Is it therefore much harder to bruteforce if quantum computers descend in the next few years? I'm thinking of printing out 15 seeds and storing those seeds on a flash drive and putting that flash drive in a secure location (with other crypto related things so I remember what it is)...

Am I right in thinking this or is there some sort of private key that can be calculated out of all the other private keys that exist which relates to a "regular" address' private key?

[1714926025]

1714926025

[Heisenberg_Hunter]

You could have slightly messed up with the info. As far as I have understood multisig addresses, let me try to explain it in a simpler way.

An ordinary bitcoin address consist of only one private key. In simpler terms, a private key is hashed to create a public key which in turn is hashed to create a bitcoin address. Whereas a multisig address has a collection of private keys. Let us consider that 15 private keys create 15 public keys. These 15 public keys are used to create a locking script. This script which consists of 15 public keys is hashed to create the multisig address. Based on the M of N which you have specified you need 1-15 signatures to unlock the script and spend the bitcoins.

A locking script looks similar to this

Code:

15 [pubkey 1][pubkey 2][pubkey 3]...[pubkey 15] 15 OP_CHECKMULTISIG

An unlocking script to spend the bitcoins present in the multisig address will be like

Code:

OP_0 [sig 1][sig 2][sig 3]...[sig 15]

Hence, to unlock the script we need to have an unlocking script which consists of 15 signatures from 15 private keys. Hence, spending the coins require the correct unlocking script to be provided for validation which can only be fulfilled by these 15 private keys. There is no other 16th key involved as you think.

Is it therefore much harder to bruteforce if quantum computers descend in the next few years?

Yes, based on my assumption. Bitcoin is designed in such a way that it is impossible to derive the private key from the normal address unless it is exposed. Even after the involvement of quantum computers, it would be not very difficult to find a single private key. But in order to spend the coins from a multisig address, 15 private keys needs to be involved which would be quite difficult as all the 15 keys are independent to each other.

I'm thinking of printing out 15 seeds and storing those seeds on a flash drive and putting that flash drive in a secure location

Bad idea. If the flash drive is stolen, all your coins would be lost as all the keys to release the coins are exposed to the hacker or the thief. Better to store the 15 seeds in 15 different locations so that it would be impossible to steal your coins.

is there some sort of private key that can be calculated out of all the other private keys that exist which relates to a "regular" address' private key?

No, I don't think so there is another 16th private key which can be derived from the 15 keys.

[jackg]

Thanks!
I was going to put the drive on a micro sd card and hide it inside something worth a lot less of its value so it goes unnoticed and the seeds will be encrypted with one of my bitcoin addresses...

[Thirdspace]

interesting topic! I've been thinking about the same idea though not as crazy as 15-of-15 multisig address
since there are more and more people trying to brute force private keys sequentially,
it seems that legacy addresses (1...) and segwit addresses (3...) are vulnerable to this
so even a 2-of-2 multisig address would add some degree of complexity to it

is there some sort of private key that can be calculated out of all the other private keys that exist which relates to a "regular" address' private key?

No, I don't think so there is another 16th private key which can be derived from the 15 keys.

I have concern about possibility of another single key that can unlock a mutisig address
it's not about deriving the 16th key from all 15 keys,
but is it possible to have another single key to control the fund?
or the architecture of the system forces the use of all 15 keys to sign the transaction?
your first response answered this but I just want to make sure another possibility

the drawback of this multisig address is the more participants required to sign the bigger the transaction size will be,
for every single utxo the size will be multiply by the number of participants involved

[eddie13]

but is it possible to have another single key to control the fund?

Maybe you could sign a TX from all 15 keys offline and then save that signed TX in an encrypted file?

To create a single key for yourself to use conveniently at a later time.. It would have to be a predetermined TX though, dump all BTC to XX address..

So the attackers would still have to bruteforce 15 BTC keys, or just the 1 encryption on your file if they get your file somehow..

Maybe you could sign and save a bunch of them going to different places so you could give yourself some choice where you want them sent..
Plan A-Z

A signed TX that hasn't been broadcast doesn't expire in time does it? As long as the inputs are still there it should still work in 10 years no?

[Thirdspace]

but is it possible to have another single key to control the fund?

Maybe you could sign a TX from all 15 keys offline and then save that signed TX in an encrypted file?

I should change the wording, is it possible to "find" a single private key to control the fund?
whether there is exist a single private key corresponding to a multisig address
but after re-reading Heisenberg_Hunter explanations, it seems not possible and not exist
and afterall multisig address is a P2SH address

[Coding Enthusiast]

In simpler terms, a private key is hashed to create a public key

NO! Private key is NOT hashed to create public key.

The way you get a public key is by using a elliptic curve cryptography techniques. And that is basically a set of operations on points on this plane curve over a finite field. This operation only works in one way and not in reverse. In other words you can easily find the public key from private key but if you try to find the private key from your public key it would be impossible. It requires solving Elliptic Curve Discrete Logarithm Problem which was introduced in 1985 and so far the mathematicians have not been able to find any solution for it.

Have fun reading: https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/

[jackg]

but is it possible to have another single key to control the fund?

Maybe you could sign a TX from all 15 keys offline and then save that signed TX in an encrypted file?

To create a single key for yourself to use conveniently at a later time.. It would have to be a predetermined TX though, dump all BTC to XX address..

So the attackers would still have to bruteforce 15 BTC keys, or just the 1 encryption on your file if they get your file somehow..

Maybe you could sign and save a bunch of them going to different places so you could give yourself some choice where you want them sent..
Plan A-Z

A signed TX that hasn't been broadcast doesn't expire in time does it? As long as the inputs are still there it should still work in 10 years no?

That's right transactions don't expire. They have a time stamp but that says more as to when the transaction got signed than to when they were actually broadcast...
The old time stamp may trick the network into confirming it with a lower fee too if I'm not mistaken...

In simpler terms, a private key is hashed to create a public key

NO! Private key is NOT hashed to create public key.

The way you get a public key is by using a elliptic curve cryptography techniques. And that is basically a set of operations on points on this plane curve over a finite field. This operation only works in one way and not in reverse. In other words you can easily find the public key from private key but if you try to find the private key from your public key it would be impossible. It requires solving Elliptic Curve Discrete Logarithm Problem which was introduced in 1985 and so far the mathematicians have not been able to find any solution for it.

Have fun reading: https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/

A hash is just a mathematical operation... So both rare technically correct.

[Coding Enthusiast]

A hash is just a mathematical operation... So both rare technically correct.

Well, 2*5 and 2+5 are also both mathematical operations but you call the first one multiplication and the second one addition and you can't call both of them addition!