Security of multisig vs regular wallet

[AardVark05]

I am just trying to see if I am thinking about this correctly - it seems to me that all other things being equal (physical security and such), a multisig wallet is ORDERS OF MAGNITUDE more secure than a regular wallet.

It seems vastly superior just about from any angle.

Here are my thoughts on this:

1. Obviously, if you use M of N multisig wallet where M < N (2 of 3 , 3 of 4, 4 of 6) you automatically get a failsafe in case you lose one of your keys (or master seed if you used a separate HD wallet based on new master seed derivation). With a regular wallet - if you lose the master private key and seed - you are sunk, that's it, there is no recourse. It's a single point of failure.

2. If you use different devices / sources of entropy to derive master seed phrase -such as hardware device, rolling die, software construction via strong CSPRNG library (say Electrum) - that further lowers your chances of someone brute-forcing your seed to due accidental weak source of randomness in one particular setup. 1 out of 2^256 is nearly 0 anyway, but chances of brute forcing two or three of those are even more ridiculous. The same logic in terms of lowering your risk of using a single compromised device - if you use multiple physically independent devices to generate your keys, it seems you dramatically lower your chances of being pwned.

3. If you have a 2 of 4 setup for instance - you can spend several times from the same address by using different key combinations to sign the transaction - without giving away any privacy, unlike a regular address where every new signature to spend from that address could potentially be used to brute force the private key for that address.

4. The fact that there is a threshold of keys needed to withdraw funds makes multisig more amenable to being stored relatively safely in the cloud. Someone could use Shamir's secret-sharing algorithm to split each master seed, even encrypting it, for additional peace of mind, and storing it on multiple providers' file storage - GDrive, Dropbox, self-hosting, across physical devices. In a 3 of 5 setup, you could store up to 2 seeds in such fashion - and be quite safe in knowing that even if the parties were to collude, break your encryption and assemble 2 of your master keys, that would still not be enough to steal your funds.

5.Does multisig offer more in the way of being resistant to quantum computing cryptanalysis?

What am I missing? Are there any good counterarguments to using multisig vs just a regular [hardware] wallet?

I guess for now multisig transactions are slightly larger (for the spending tx ) but that will hopefully be soon mitigated with Schnorr/Taproot, right?

[1714904210]

1714904210

[1714904210]

1714904210

[1714904210]

1714904210

[bitmover]

1. Obviously, if you use M of N multisig wallet where M < N (2 of 3 , 3 of 4, 4 of 6) you automatically get a failsafe in case you lose one of your keys (or master seed if you used a separate HD wallet based on new master seed derivation). With a regular wallet - if you lose the master private key and seed - you are sunk, that's it, there is no recourse. It's a single point of failure.

You can just make 2 pieces of paper of your regular wallet, then you will not have a single point of failure.

2. If you use different devices / sources of entropy to derive master seed phrase -such as hardware device, rolling die, software construction via strong CSPRNG library (say Electrum) - that further lowers your chances of someone brute-forcing your seed to due accidental weak source of randomness in one particular setup. 1 out of 2^256 is nearly 0 anyway, but chances of brute forcing two or three of those are even more ridiculous. The same logic in terms of lowering your risk of using a single compromised device - if you use multiple physically independent devices to generate your keys, it seems you dramatically lower your chances of being pwned.

Don't worry about brute forcing private keys. That won't happen.
Just buy a good hardware wallet ,a such as ledger or trezor, that nobody (even with quantum computers) will be able to  brute force you. If you are having problems with people brute forcing your private keys, you are using the wrong software and a multisig format won't help.

3. If you have a 2 of 4 setup for instance - you can spend several times from the same address by using different key combinations to sign the transaction - without giving away any privacy, unlike a regular address where every new signature to spend from that address could potentially be used to brute force the private key for that address.

You still have privacy problems when reusing address.

[odolvlobo]

Of course, multiple keys are safer than a single key, but I wouldn't say "orders of magnitude".

There is generally a trade-off between security and convenience, so the question is this -- is the extra security worth the inconvenience?

[AardVark05]

You can just make 2 pieces of paper of your regular wallet, then you will not have a single point of failure.

Hmm, I don't think that's a fair comparison. Sure, backups reduce my chances of loss, but they also increase the attack surface.
 
In the case of 2 pieces of paper - if either one gets compromised, I am sunk.

This is not the case for multisig where loss of one of the keys is typically not catastrophic.

[BrewMaster]

your main argument is like saying the Milky Way galaxy is huge but if we add 2 galaxies it is orders of magnitude huge-er. the whole security of bitcoin is based on the fact that a single 256-bit private key is providing enough security on its own with its underlying cryptography. if that stops being true even slightly the whole bitcoin protocol comes down and it won't matter if you are using multisignature.

meanwhile you just increase the size of your transactions and the fee you have to pay each time by "orders of magnitude" specially if you are using 4 or 6 pubkeys in the multisig scheme.

[Charles-Tim]

First, know that if bitcoin Elliptic Curve Digital Signature Algorithm or ECDSA can be over-riden by Quantum Computers, multisig wallets will also be susceptible, it is done in a way that addresses can be used to generate the private key belonging to the addresses. But, know that this will not happen. Bitcoin algorithm will be by then advanced in a way advanced quantum computing will not be able to compromize.

Second, if you are protecting your bitcoin, you should let it be in a way that you will not lose your access to you or keys, if you only accessing bitcoin with multisig, that means you will have two or more devices, that means you will have to protect all the private keys. Multisig are designed to be used by companies in a way two or more people will be able to sign transactions. But, for one person, I will not recommend it.

If you have only one private key, and it is stored offline, nobody can brute-force the key, not possible. Hardware wallets provided you a mean your private keys can be stored offline. This means your private keys can not be revealed to hackers, but, we all still know that we still have to take security essential because anything can still happen. Making sure your device you use to operate the hardware wallet is not having any malware, protecting the device is another thing to have in mind.

Security is not about using multisig wallet or regular wallet, it is about what you know about how to avoid hackers, the way hackers penetrate is easy, but only experts knows how to avoid, if we know how to avoid, that is enough. Be it multisig or regular wallet.

[AardVark05]

your main argument is like saying the Milky Way galaxy is huge but if we add 2 galaxies it is orders of magnitude huge-er.

  Yes, I guess that's kind of what I am saying. I suppose being in this space kind of makes one more paranoid than normal  .

the whole security of bitcoin is based on the fact that a single 256-bit private key is providing enough security on its own with its underlying cryptography. if that stops being true even slightly the whole bitcoin protocol comes down and it won't matter if you are using multisignature.

Yes, I think you are definitely right about that.

[Charles-Tim]

This is not the case for multisig where loss of one of the keys is typically not catastrophic.

If one of the private keys is lost, it is catastrophic. For example, if you set 2 signatures, that means you will have 2 cosigners or more. If you have 2 cosigners, that means you need the two private keys to be signing transactions. Assuming you lost one of the private keys and you need it to be able to sign a transaction, that means the wallet is useless if you can not get the backup. You will need the two private keys for each transactions you are making. Many wallets are not accessible by owners because of too tight means of accessing their wallets.

[AardVark05]

This is not the case for multisig where loss of one of the keys is typically not catastrophic.

If one of the private keys is lost, it is catastrophic. For example, if you set 2 signatures, that means you will have 2 cosigners or more. If you have 2 cosigners, that means you need the two private keys to be signing transactions. Assuming you lost one of the private keys and you need it to be able to sign a transaction, that means the wallet is useless if you can not get the backup. You will need the two private keys for each transactions you are making. Many wallets are not accessible by owners because of too tight means of accessing their wallets.

Right on - which is why in my original post, I mentioned M of N where M < N.

I absolutely agree with you -2 of 2 multisig or any M of M multisig is probably a terrible idea for an individual wallet. It's just asking for trouble.

However, my question was mostly related to something like 2 of 3 or 3 of 5 multisigs where you have a bit of room to lose one or even two keys and still be able to recover funds. I believe Jameson Lopp's Casa's business model is based around this concept.

[bitmover]

You can just make 2 pieces of paper of your regular wallet, then you will not have a single point of failure.

Hmm, I don't think that's a fair comparison. Sure, backups reduce my chances of loss, but they also increase the attack surface.
 
In the case of 2 pieces of paper - if either one gets compromised, I am sunk.

This is not the case for multisig where loss of one of the keys is typically not catastrophic.

Ofc it is a fair comparison.
You are basically saying that multi sign are safer because you will have 2 pieces of paper  one for each key.

Then you are saying that if I have 2 piece of paper for the same seed it is a larger attack surface? It doesn't make any sense.

[o_e_l_e_o]

1 - Single point of failure. This is only true if you have a single back up, which is a bad idea all round.

2 - Entropy. This is an improvement if you cannot be certain about your source of entropy. If you can be certain about your source of entropy, such as flipping a coin, then this argument is unnecessary. If 2²⁵⁶ can be broken then your private keys can be broken, regardless of how many signatures are required.

3 - Privacy. You shouldn't reuse addresses anyway, so revealing the public key when you spend from an address is not an issue.

4 - Shamir's secret sharing. I would never use cloud storage for anything, but you can quite easily split a single seed with Shamir's secret sharing and spread that across multiple cloud servers if you want. I would add the splitting 3-5 different keys each in to 3-5 parts and spreading them across multiple sites is going to make your recovery process very difficult and error prone.

Multi-sig can certainly be more secure in some cases, but for the majority of users it is unnecessary. It would add no additional security to my permanently airgapped, fully encrypted cold storage, for example. It also comes with a cost of being more cumbersome to use and requiring significantly higher fees.

[bitbunnny]

Generally speaking multi sig will give you higher level of security but what will you choose depends on your needs. Very often users choose comfort and convenience rather than security but that might cost them a lot at the end. I think that level of of awareness about security is still not at the satisfying level.

[AardVark05]

Ofc it is a fair comparison.
You are basically saying that multi sign are safer because you will have 2 pieces of paper  one for each key.

Then you are saying that if I have 2 piece of paper for the same seed it is a larger attack surface? It doesn't make any sense.

Ok, let me see if I can clarify my thoughts on this with a concrete example.

Let's say we have Alice who has a single key backed up in 3 different locations (that's your case) and Bob who has multisig 2 of 3 wallet with his 3 different keys backed up in 3 different locations just like Alice.

Let's assume that in each of their physical backup locations the probability of loss is 1%  and probability of compromise is 2%.

What is their risk profile?

Probability of loss:
   for Alice = 1% * 1% * 1% = 0.0001%
   for Bob =  1% * 1% = .01% (as he would need to lose only 2 keys to suffer total loss)

Probability of compromise
   for Alice = 2% + 2% + 2% = 6% (as the compromise of ANY of her backups will incur a total loss)
   for Bob = 2%*2% = 0.04% (as the attacker would need to gain access to BOTH of his backups to steal his funds)


Their overall risk is the SUM of the probabilities of the two scenarios,
    Alice = 6.0001%
    Bob = .05%.


As I was doing this little exercise, it occurred to me that as probability of loss rises vs. probability of compromise - there is a point at which Alice will be better off with a single key. I guess the exact point at which this happens will depend on the specific probabilities. Not sure how you would estimate those two for something like a safety deposit box in a bank. I guess depends on your jurisdiction a lot.

[o_e_l_e_o]

-snip-

It's a fair point, but there are other ways Alice can mitigate the risk of compromise of her back up without having to resort to multi-sig and the decreased usability and increase fee which it brings. She can split her seed in to multiple parts, meaning an attacker needs to gain access to more than one part, which would make her risk the same as Bob's. She can encrypt her seed phrase before backing it up. She can use multiple passphrases.

I would also suggest that 2% is far too high a risk of compromise, and if you estimate that for your seed phrase then you need to think about storing it more securely. The stark differences in your final numbers because much smaller when you estimate a 1 in several thousand chance of compromise, rather than a 1 in 50.


As an aside (and a pedantic one at that), your math is slightly off for Alice's risk of compromise. Given the the chance of any of her back ups being compromised are independent events, then the probability P of event A or event B or both occurring is:

Code:

P(A∪B) = P(A) + P(B) - P(A∩B)

So the chance of her seed phrase being compromised would be 5.88%, rather than 6%.

[AardVark05]

As an aside (and a pedantic one at that), your math is slightly off for Alice's risk of compromise. Given the the chance of any of her back ups being compromised are independent events, then the probability P of event A or event B or both occurring is:

Code:

P(A∪B) = P(A) + P(B) - P(A∩B)

So the chance of her seed phrase being compromised would be 5.88%, rather than 6%.

Good catch, thanks! I think math is the one area where being pedantic is very much appreciated .

[hatshepsut93]

All the alleged benefits that you have mentioned can be achieved with a single seed or private key using schemes like Shamir's secret sharing. Multisig addresses have a drawback - since you need to provide multiple signatures, your transactions will be larger and will require higher fees, and since Bitcoin fees tend to get high from time to time, it can be a problem for some users.

Overall I'd say these benefits aren't very great to recommend it to most people. It's better to focus on avoiding malware and phishing, since that's how 99% of coins get stolen.

[bitmover]

As I was doing this little exercise, it occurred to me that as probability of loss rises vs. probability of compromise - there is a point at which Alice will be better off with a single key. I guess the exact point at which this happens will depend on the specific probabilities. Not sure how you would estimate those two for something like a safety deposit box in a bank. I guess depends on your jurisdiction a lot.

Your thougths makes sense but they are biased.

If Alice Has 2 backups only (no need to have more) and BOb has only 2 papers as well, Bob would be in a greater risk using a multi sig. If bob loses 1 paper, he lost all. And if Alice loses one, she loses nothing.

As the majority of people only have 2 pieces of paper because they dont need more (unnecessary risk), you would have to comapre 2 pieces from Alice and 3 from Bob.

Anyway, you have enough material already in this thread to decide whetever you want or not to use a multisig.

There are no real gains for the majority of users. But if it looks good for your case and  you want to use, go ahead.