Bitcoin Forum
Author Topic: Difficulty factors added to bruteforcing multisig private keys  (Read 124 times)
jackg
Copper Member
Legendary
*
Offline Offline

Activity: 1162
Merit: 1111


View Profile
September 12, 2018, 02:46:29 PM
 #1

As I understand it, a multisig (let's say, for example, a 15/15 multisig) requires a signature from all 15 private keys of a controlling address.

Is it therefore much harder to bruteforce if quantum computers descend in the next few years? I'm thinking of printing out 15 seeds and storing those seeds on a flash drive and putting that flash drive in a secure location (with other crypto related things so I remember what it is)...

Am I right in thinking this or is there some sort of private key that can be calculated out of all the other private keys that exist which relates to a "regular" address' private key?

Heisenberg_Hunter
Full Member
***
Offline Offline

Activity: 294
Merit: 127



View Profile
September 12, 2018, 05:37:37 PM
Merited by jackg (1)
 #2

You may have slightly mixed up the info. As far as I have understood multisig addresses, let me try to explain it in a simpler way.

An ordinary bitcoin address consists of only one private key. In simpler terms, a private key is hashed to create a public key which in turn is hashed to create a bitcoin address. Whereas a multisig address has a collection of private keys. Let us consider that 15 private keys create 15 public keys. These 15 public keys are used to create a locking script. This script which consists of 15 public keys is hashed to create the multisig address. Based on the M of N which you have specified, you need 1-15 signatures to unlock the script and spend the bitcoins.

A locking script looks similar to this

Code:
15 [pubkey 1][pubkey 2][pubkey 3]...[pubkey 15] 15 OP_CHECKMULTISIG

An unlocking script to spend the bitcoins present in the multisig address will be like

Code:
OP_0 [sig 1][sig 2][sig 3]...[sig 15]

Hence, to unlock the script we need to have an unlocking script which consists of 15 signatures from 15 private keys. Hence, spending the coins requires the correct unlocking script to be provided for validation, which can only be fulfilled by these 15 private keys. There is no other 16th key involved as you think.

Is it therefore much harder to bruteforce if quantum computers descend in the next few years?
Yes, based on my assumption. Bitcoin is designed in such a way that it is impossible to derive the private key from the normal address unless it is exposed. Even after the involvement of quantum computers, it would be not very difficult to find a single private key. But in order to spend the coins from a multisig address, 15 private keys need to be involved, which would be quite difficult as all the 15 keys are independent of each other.

I'm thinking of printing out 15 seeds and storing those seeds on a flash drive and putting that flash drive in a secure location
Bad idea. If the flash drive is stolen, all your coins would be lost as all the keys to release the coins are exposed to the hacker or the thief. Better to store the 15 seeds in 15 different locations so that it would be impossible to steal your coins.

is there some sort of private key that can be calculated out of all the other private keys that exist which relates to a "regular" address' private key?
No, I don't think there is another 16th private key which can be derived from the 15 keys.

jackg
Copper Member
Legendary
*
Offline Offline

Activity: 1162
Merit: 1111


View Profile
September 12, 2018, 06:05:18 PM
 #3

Thanks!
I was going to put the drive on a micro SD card and hide it inside something worth a lot less than its value so it goes unnoticed, and the seeds will be encrypted with one of my bitcoin addresses...

Thirdspace
Hero Member
*****
Offline Offline

Activity: 770
Merit: 603


Mixing reinvented for your privacy | chipmixer.com


View Profile
September 12, 2018, 10:58:09 PM
 #4

Interesting topic! I've been thinking about the same idea, though not as crazy as a 15-of-15 multisig address.
Since there are more and more people trying to brute force private keys sequentially,
it seems that legacy addresses (1...) and segwit addresses (3...) are vulnerable to this,
so even a 2-of-2 multisig address would add some degree of complexity to it.

is there some sort of private key that can be calculated out of all the other private keys that exist which relates to a "regular" address' private key?
No, I don't think there is another 16th private key which can be derived from the 15 keys.
I have a concern about the possibility of another single key that can unlock a multisig address.
It's not about deriving the 16th key from all 15 keys,
but is it possible to have another single key to control the fund?
Or does the architecture of the system force the use of all 15 keys to sign the transaction?
Your first response answered this, but I just want to make sure about another possibility.

The drawback of this multisig address is that the more participants are required to sign, the bigger the transaction size will be;
for every single UTXO the size will be multiplied by the number of participants involved.

eddie13
Hero Member
*****
Offline Offline

Activity: 938
Merit: 635


BTC or BUST


View Profile
September 12, 2018, 11:10:39 PM
 #5

but is it possible to have another single key to control the fund?

Maybe you could sign a TX from all 15 keys offline and then save that signed TX in an encrypted file?

To create a single key for yourself to use conveniently at a later time.. It would have to be a predetermined TX though, dump all BTC to XX address..

So the attackers would still have to bruteforce 15 BTC keys, or just the 1 encryption on your file if they get your file somehow..

Maybe you could sign and save a bunch of them going to different places so you could give yourself some choice where you want them sent..
Plan A-Z

A signed TX that hasn't been broadcast doesn't expire in time does it? As long as the inputs are still there it should still work in 10 years no?





Thirdspace
Hero Member
*****
Offline Offline

Activity: 770
Merit: 603


Mixing reinvented for your privacy | chipmixer.com


View Profile
September 12, 2018, 11:45:09 PM
 #6

but is it possible to have another single key to control the fund?

Maybe you could sign a TX from all 15 keys offline and then save that signed TX in an encrypted file?

I should change the wording: is it possible to "find" a single private key to control the fund?
Whether there exists a single private key corresponding to a multisig address.
But after re-reading Heisenberg_Hunter's explanations, it seems not possible and it does not exist,
and after all, a multisig address is a P2SH address.

Coding Enthusiast
Sr. Member
****
Offline Offline

Activity: 515
Merit: 389


Novice C♯ Coder


View Profile WWW
September 13, 2018, 03:36:32 AM
 #7

In simpler terms, a private key is hashed to create a public key

NO! Private key is NOT hashed to create public key.

The way you get a public key is by using elliptic curve cryptography techniques. And that is basically a set of operations on points on this plane curve over a finite field. This operation only works in one way and not in reverse. In other words, you can easily find the public key from the private key, but if you try to find the private key from your public key it would be impossible. It requires solving the Elliptic Curve Discrete Logarithm Problem, which was introduced in 1985, and so far the mathematicians have not been able to find any solution for it.

Have fun reading: https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/

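An added example, not code from any poster in this thread, that ties the two explanations above together: each public key is derived by secp256k1 scalar multiplication (priv * G, as Coding Enthusiast says, not a hash), the 15 keys go into the OP_CHECKMULTISIG redeem script Heisenberg_Hunter showed, and only HASH160 of that script ends up in the "3..." P2SH address, so there is no 16th key for the address to correspond to. The private keys 1..15 are constructed purely to keep the output deterministic.

```python
import hashlib
# secp256k1 domain parameters (public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:  # doubling uses the tangent slope
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P
def pubkey(priv):
    """Compressed public key = priv * G: EC scalar multiplication, not a hash."""
    assert 0 < priv < N
    r, q = None, G
    while priv:  # double-and-add
        if priv & 1:
            r = ec_add(r, q)
        q, priv = ec_add(q, q), priv >> 1
    return bytes([2 + (r[1] & 1)]) + r[0].to_bytes(32, "big")
def multisig_redeem_script(pubkeys, m):
    """OP_m <pk1> ... <pkn> OP_n OP_CHECKMULTISIG; OP_1..OP_16 encode as 0x51..0x60."""
    n = len(pubkeys)
    assert 1 <= m <= n <= 16
    body = b"".join(bytes([len(pk)]) + pk for pk in pubkeys)
    script = bytes([0x50 + m]) + body + bytes([0x50 + n, 0xAE])
    assert len(script) <= 520, "exceeds the 520-byte P2SH redeem script limit"
    return script
def p2sh_address(redeem_script):
    """Base58Check(0x05 || HASH160(script)): the address commits only to the script."""
    h160 = hashlib.new("ripemd160", hashlib.sha256(redeem_script).digest()).digest()
    payload = b"\x05" + h160
    payload += hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
    num, out = int.from_bytes(payload, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = alphabet[rem] + out
    return out  # version byte 0x05 is non-zero, so no leading '1' padding is needed

# Constructed demo: private keys 1..15 keep the output deterministic (never use such keys).
KEYS = [pubkey(k) for k in range(1, 16)]
REDEEM = multisig_redeem_script(KEYS, 15)   # 1 + 15*34 + 2 = 513 bytes, under the 520 limit
```

Running `print(p2sh_address(REDEEM))` yields a "3..." address; with compressed keys, 15 signers is also the practical ceiling for bare P2SH multisig, because a 16th key would push the redeem script past the 520-byte push limit the script checks for.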

jackg
Copper Member
Legendary
*
Offline Offline

Activity: 1162
Merit: 1111


View Profile
September 13, 2018, 08:55:28 AM
 #8

but is it possible to have another single key to control the fund?

Maybe you could sign a TX from all 15 keys offline and then save that signed TX in an encrypted file?

To create a single key for yourself to use conveniently at a later time.. It would have to be a predetermined TX though, dump all BTC to XX address..

So the attackers would still have to bruteforce 15 BTC keys, or just the 1 encryption on your file if they get your file somehow..

Maybe you could sign and save a bunch of them going to different places so you could give yourself some choice where you want them sent..
Plan A-Z

A signed TX that hasn't been broadcast doesn't expire in time does it? As long as the inputs are still there it should still work in 10 years no?

That's right transactions don't expire. They have a time stamp but that says more as to when the transaction got signed than to when they were actually broadcast...
The old time stamp may trick the network into confirming it with a lower fee too if I'm not mistaken...

In simpler terms, a private key is hashed to create a public key

NO! Private key is NOT hashed to create public key.

The way you get a public key is by using elliptic curve cryptography techniques. And that is basically a set of operations on points on this plane curve over a finite field. This operation only works in one way and not in reverse. In other words, you can easily find the public key from the private key, but if you try to find the private key from your public key it would be impossible. It requires solving the Elliptic Curve Discrete Logarithm Problem, which was introduced in 1985, and so far the mathematicians have not been able to find any solution for it.

Have fun reading: https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/

A hash is just a mathematical operation... So both are technically correct.

Coding Enthusiast
Sr. Member
****
Offline Offline

Activity: 515
Merit: 389


Novice C♯ Coder


View Profile WWW
September 13, 2018, 09:26:51 AM
 #9

A hash is just a mathematical operation... So both are technically correct.

Well, 2*5 and 2+5 are also both mathematical operations but you call the first one multiplication and the second one addition and you can't call both of them addition!

