Multisig cold storage

[milad-hodler]

Hi,
I created a multisig wallet with seeds + extension on an offline machine and distributed them to the parties and destroyed the machine. Everybody only takes care of her own seed + extension.
Every party created a watch-only wallet to receive BTC and for spending we transfer transactions to a fresh offline machine, recover the wallet with seeds and sign the transaction and then again destroy the machine.

I have 2 questions:
1. Did we do everything right? Is there anything we may miss?
2. How long should a seed extension be to make brute force attack hard in case the seed itself is compromised?

Cheers,
Milad

[1715107831]

1715107831

[1715107831]

1715107831

[1715107831]

1715107831

[DireWolfM14]

Hi,
I created a multisig wallet with seeds + extension on an offline machine and distributed them to the parties and destroyed the machine. Everybody only takes care of her own seed + extension.
Every party created a watch-only wallet to receive BTC and for spending we transfer transactions to a fresh offline machine, recover the wallet with seeds and sign the transaction and then again destroy the machine.

I have 2 questions:
1. Did we do everything right? Is there anything we may miss?
2. How long should a seed extension be to make brute force attack hard in case the seed itself is compromised?

Cheers,
Milad

I think you're being very cautious, but I question the caution exercised by the other parties.  You created all the seeds, including those for other people?  Each of you should have created your own seeds.

I don't know what the purpose is for the wallet, but by nature multi-sig adds security to your wallet.  Creating the seeds offline is best for preserving the integrity of the seed, but constantly building and destroying offline machines for signing sounds like a lot of work.  If you need to sign transactions regularly an encrypted desktop wallet on a secure machine should be sufficient, even on an on-line machine.  Of course there's no such thing as over-kill for security, so your situation may warrant the added security of using only an off-line machine.

[pooya87]

2. How long should a seed extension be to make brute force attack hard in case the seed itself is compromised?

It depends on what else is leaked alongside the seed phrase. But generally speaking I wouldn't go for any extension that is lower than 160 bits of random entropy.

[o_e_l_e_o]

1. Did we do everything right? Is there anything we may miss?

What n-of-m set up did you use for your multisig? Since you are all recovering the wallet from the seed phrase each time you want to use it then the seed phrase is the only source of each part, and unless you have duplicated each seed phrase then each party does not have a back up. Are you covered in the case of 1 or more parties losing/damaging their seed phrase and/or extension?

Each party should have created their own seed phrase/extension and you all share master public keys with each other to generate the watch only wallets.

When you say "we transfer transactions to a fresh offline machine", do you mean a offline machine each, or you all come together and use the same offline machine? The latter is far less secure than the former.

But generally speaking I wouldn't go for any extension that is lower than 160 bits of random entropy.

To put some values on this:

If using just lowercase letters, you need 35 random characters.
Lower and uppercase letters, 29 random characters.
All letters and numbers, 27 random characters.
Full ASCII character set, using all letters, numbers, and symbols, 25 random characters.

This would be the minimum I would accept. If you want the extension to be as secure as a 24 word seed phrase itself, then you would need 256 bits of entropy, which would equate to 39 characters using the full ASCII character set.

Note that these are random characters. Picking 6 dictionary words which have a total of 35 letters is far less secure than generating 35 random letters.

[milad-hodler]

You created all the seeds, including those for other people?  Each of you should have created your own seeds.

Yeah I mean everyone generated her seed on an offline machine separately.

but constantly building and destroying offline machines for signing sounds like a lot of work.

Each party uses a fresh Live Ubuntu to recover her wallet using seeds and then signs the transaction and terminates Ubuntu. Does it make sense in terms of security?

What n-of-m set up did you use for your multisig? Since you are all recovering the wallet from the seed phrase each time you want to use it then the seed phrase is the only source of each part, and unless you have duplicated each seed phrase then each party does not have a back up. Are you covered in the case of 1 or more parties losing/damaging their seed phrase and/or extension?

We are using 2 of 3 multisig. Each party is responsible to duplicate her seeds, so in case more than one party losses her seeds, we are all fucked up.

Each party should have created their own seed phrase/extension and you all share master public keys with each other to generate the watch only wallets.

Yeah we did the same.

When you say "we transfer transactions to a fresh offline machine", do you mean a offline machine each, or you all come together and use the same offline machine? The latter is far less secure than the former.

Well, my bad English. I mean each party signs the TX on a cold machine - a fresh Live Ubuntu - and shares the partially signed TX with the others.

If using just lowercase letters, you need 35 random characters.
Lower and uppercase letters, 29 random characters.
All letters and numbers, 27 random characters.
Full ASCII character set, using all letters, numbers, and symbols, 25 random characters.

That is a nice point. thanks

[ABCbits]

but constantly building and destroying offline machines for signing sounds like a lot of work.

Each party uses a fresh Live Ubuntu to recover her wallet using seeds and then signs the transaction and terminates Ubuntu. Does it make sense in terms of security?

1. Do you verify the whether ISO is genuine? See https://ubuntu.com/tutorials/how-to-verify-ubuntu
2. AFAIK Ubuntu doesn't have built-in Bitcoin wallet software, so my first question also apply to the Bitcoin wallet software used
3. What medium do you use to transfer unsigned transaction? Internet is a bit risky.

P.S. Using Tails is a bit more convenient (since it include Electrum) and protect your privacy if you need internet connection.

[milad-hodler]

1. Do you verify the whether ISO is genuine? See https://ubuntu.com/tutorials/how-to-verify-ubuntu
2. AFAIK Ubuntu doesn't have built-in Bitcoin wallet software, so my first question also apply to the Bitcoin wallet software used
3. What medium do you use to transfer unsigned transaction? Internet is a bit risky.

1. Yeap,
2. The latest version of Electrum is saved on a clean and read-only flash disk and is consumed by the Live OS
3. Actually we use internet to transfer the unsigned transactions. What would be the risk here?

[ranochigo]

Actually we use internet to transfer the unsigned transactions. What would be the risk here?

Depends on the configuration. If all of the signers are aware of the value and the destination of the transaction, then a replacement of the raw transaction would be fairly obvious. If you're doing n-of-m (2-of-3) multisig and the other parties are blind sided to the transaction information with no prior communication, then there could be a scenario whereby someone can craft another transaction that spends to another address and trick the others (2 of them) into signing it. As long as n(2) parties are tricked, the transaction will work.

What I'll do is to use a PGP signature or encryption to transfer the information. Of course, you need to authenticate each other's PGP in person to ensure this is secure. If the users are able to authenticate each others PGP, then you can be sure that the raw transaction is crafted by the legitimate person. Encrypting it would also prevent others from snooping and see which transaction belongs to you.

I've described a fairly hypothetical scenario where it's quite unlikely for any party to initiate transactions without any communication. It's still a good practice to have some proof of authentication before signing any transactions.

[Abdussamad]

in order to recreate the wallet you need the missing cosigner's xpub. so even if you have 2 out of 3 cooperating cosigners but no xpub for the remaining 3rd one you will not be able to spend the coins. the only way to get the xpubs now is to have them recreate the wallet and email you the xpub that electrum gives them. it's may be a Zpub or something btw. the different first letters denote different script types.

[milad-hodler]

Depends on the configuration. If all of the signers are aware of the value and the destination of the transaction, then a replacement of the raw transaction would be fairly obvious. If you're doing n-of-m (2-of-3) multisig and the other parties are blind sided to the transaction information with no prior communication, then there could be a scenario whereby someone can craft another transaction that spends to another address and trick the others (2 of them) into signing it. As long as n(2) parties are tricked, the transaction will work.

Yeah you are correct. I believe PGP brings it's own complexity but prevents any overlooking.

[milad-hodler]

in order to recreate the wallet you need the missing cosigner's xpub. so even if you have 2 out of 3 cooperating cosigners but no xpub for the remaining 3rd one you will not be able to spend the coins. the only way to get the xpubs now is to have them recreate the wallet and email you the xpub that electrum gives them. it's may be a Zpub or something btw. the different first letters denote different script types.

Oh man it is a million-dollar point I have not been aware of   
So we need to communicate the xpubs between us or simply keep them in a shared location where is easily accessible, since I believe it is not a sensitive data, unless I am wrong. 

[HCP]

it's not "sensitive data" insofar that nobody can steal the coins with only the xpubs... but it's sensitive from a "privacy" point of view as anyone with all the xpubs can effectively create a watching-only wallet of your multisig and see all your addresses, transaction history and balances etc.

Each signer, should provide each other signer with their xpub. So each signer should have:

- Their own private seed
- 2xCosigner1 XPub's


So, SignerA will have:
- SeedA
- XPubB
- XPubC

SignerB will have:
- XPubA
- SeedB
- XPubC

and SignerC will have:
- XPubA
- XPubB
- SeedC

[o_e_l_e_o]

So we need to communicate the xpubs between us or simply keep them in a shared location where is easily accessible, since I believe it is not a sensitive data, unless I am wrong.

This is a security risk. Let's say an attacker gets access to your shared location, and so changes all three of your xpubs to xpubs which they control the private keys for. You decide you want to deposit some coins in to your multi-sig wallet, so you go and retrieve xpubs 2 and 3 to combine with your seed phrase. The addresses you generate using those malicious xpubs will be in a different 2-of-3 wallet in which the attacker controls 2 of the keys, and you only control 1, meaning your funds will be stolen.

This could be mitigated by comparing the first address of your new 2-of-3 wallet between all 3 parties to ensure you have all generated the same wallet, and never sending coins to an address until you have confirmed with at least 1 of your cosigners that they are also able to generate the same address. Even then, however, it is better practice to treat the xpubs as sensitive data rather than store them out in the open. As HCP has said, each signer should back up the other two co-signers' xpubs (or Ypubs/Zpubs) in addition to their own seed phrase, and store them securely and non-electronically. Since you are recreating the wallet from scratch every time, if one person loses their seed phrase and you don't have their xpub backed up elsewhere, then you cannot spend your funds.

[milad-hodler]

Respect to both of you for such a sharp view

So as a summary what we need to do and consider in our scenario - 2-of-3 multisig cold wallet - :

- "We" use a genuine Live Ubuntu ISO as the cold machine to generate the seeds - https://ubuntu.com/tutorials/how-to-verify-ubuntu
- The Wallet App - executor - is stored on a clean and read-only device to be used on the Live Ubuntu
- Each party creates his own seeds + seed extensions. The seed extension should have minimum 160 bit of random entropy
- Each party shares her xpub with the others. As a result, each party securely stores her own seeds + 2 xpubs of the others
- Watch-only Multisig wallets can be generated using the xpubs to generate the receiving addresses
- To sign a "send" transaction, the raw transaction is either securely distributed to all parties ( via PGP ) to keep it tamper resistant, or each party should double-check validity of each and every transaction
- Each party uses the Live Ubuntu ISO to sign the transaction as explained in the Electrum doc.

I hope we are good with this setup 

[o_e_l_e_o]

The only thing I would do differently if it were me would be to use Tails instead of Ubuntu (as has been mentioned above), since it comes bundled with Electrum already installed, and you can set up a persistent encrypted storage so you do not need to recover the wallet from scratch (by entering seed phrase, extension, and xpubs) every single time you want to make a transaction. Although having said that, persistent storage is possible with any live Linux distro.

If you don't want to create a persistent storage, then consider where you will store the xpubs of the other users. I can't imagine you would type them in by hand every time you want to recover your wallet, since that would be both time consuming and error prone. Storing them on the same device as the Electrum software is a possibility, but could potentially open you up to them being altered as I described above. If, however, you are running a watch only wallet on an internet connected device as you suggest, then that would also help to prevent you from restoring the wrong wallet.

[Abdussamad]

in order to recreate the wallet you need the missing cosigner's xpub. so even if you have 2 out of 3 cooperating cosigners but no xpub for the remaining 3rd one you will not be able to spend the coins. the only way to get the xpubs now is to have them recreate the wallet and email you the xpub that electrum gives them. it's may be a Zpub or something btw. the different first letters denote different script types.

Oh man it is a million-dollar point I have not been aware of   
So we need to communicate the xpubs between us or simply keep them in a shared location where is easily accessible, since I believe it is not a sensitive data, unless I am wrong. 

yeah or make a copy of the multisig wallet file which will contain all the xpubs. file > save backup in electrum will do that.

there's a guide to making multisig wallets here:

https://bitcoinelectrum.com/creating-a-multisig-wallet/

[milad-hodler]

The only thing I would do differently if it were me would be to use Tails instead of Ubuntu

I need to try it out. I am not so familiar with Tails.

I have one more question. If after sometimes Electrum disappears or the network changes protocol or whatever stupid thing you imagine, is there any chance that we cannot recover our wallet using the seeds and spend the Bitcoins?
I mean is there any chance our wallet/seeds become obsolete?

[o_e_l_e_o]

If after sometimes Electrum disappears or the network changes protocol or whatever stupid thing you imagine, is there any chance that we cannot recover our wallet using the seeds and spend the Bitcoins?
I mean is there any chance our wallet/seeds become obsolete?

No. Provided you have the seed phrases and their extensions backed up, there will always be a way to recover your coins. Even if Electrum disappears and you can't find a copy to download anywhere, there are countless other open source repositories and software packages which would be capable of restoring your private keys. The way that Electrum turns its seed phrases and extensions in to private keys is very similar to the BIP39 method, is widely known, and given how many people use Electrum and how many coins are stored on Electrum wallets, then there will effectively always be a way to recover their seed phrases.

[HCP]

I mean is there any chance our wallet/seeds become obsolete?

The short answer is "No".

All the information/processes required to get from seed -> private keys is public, common knowledge. It would take something like a complete failure of the internet... at which point Bitcoin would effectively be worthless anyway