Question about HD wallets derivation paths xpubs and multisig and 8/12 split

[JohnyD1]

Hello, so I've recently started to learn how to use bitcoin core using bitcoin-cli and also qt.

I have a ledger but I want to start using bitcoin cli/qt only, so my objective is 2 laptops for offline and a pc for full node (perhaps a laptop in the future).
I want to use laptops with only linux and bitcoin core without ever connecting them to internet since format (install) just getting bitcoin core onto a cd and ubuntu onto a dvd both checked for gpg signatures to make sure they are correct/unchanged, but i noticed some fancier things need alot of dependencies like jq etc....

I have several questions but the first would be:

Given the online node uses descriptors which contain xpubs of multisig and derivation path, and given that a nonhard derivation path if a child private key is leaked somehow puts the entire wallet at risk I'd like to avoid this method, but from recent reads hard derivation paths avoid this problem correct?
Also given that a node is connected to internet and might get compromised since it's connected to internet isn't putting xpubs/childpub in a watch-only wallet dangerous for privacy anyway you look at it, given again from child pubkey you can reach xpub? Or does hard derivation path fix this, if most wallets mostly use same derivation paths isn't this dangerous with a hard or non hard derivation path ? Since there are standards won't an attacker use these standards to derive xpub amd since watchonly wallets use xpubs unless manually imported?

So wouldn't it be better to use importaddress and just keep 50 addresses +50change(internal) or whatever each time without using descriptor which requires xpub/s?

Wouldn't it be better to not use HD and use P2SH multi sig 3/7 for example and forego the privacy factor and just use 1 address?

Is it possible to use a HD wallet for deriving addresses but require 2/6 extra p2sh privkeys for all those derived addresses instead of child privs or xpriv from more hd wallets? (So I memorise seed but still have 6 cds ie with the remaining privkeys(p2sh) I guess they need to be xpriv (same type)? Because of conflicting scripts/address types?)

xpubs make me nervous, I guess you can use 3/7 multisig with different xpriv/xpub but to derive the adresses you still need to place all 7 xpubs into descriptor which will go on the node no? unless manual import?

If I split a priv key p2sh/p2pkh into 12 pieces and have 8 of those pieces not in the order they should be and 4 hidden pieces how much would it take to brute force that privkey (i know pubkey, guess it's irrelevant since its asymmetric) and how many pieces would need to be hidden for it to be unfeasible to bruteforce? (With p2sh without redeemscript would this be irrelevant to bruteforce)? A graph would help (appreciated)

Thanks all in advance.

[1715340702]

1715340702

[1715340702]

1715340702

[1715340702]

1715340702

[jackg]

I think 8 segments of keys would go back together pretty easily and I don't think I'd call it bruteforcing at that point. I'm not sure how much it would be exactly but 8! Is only 40000 and there is a checksum in the private key so it'll only go back together one way (unless you're fortunate/unfortunate).

Hardened derivation paths mean your private keys can't be derived from each other. I don't know if your public keys can be derived into an extended public key though in some circumstances. It's best practice to not release any of your private keys also and your public key and signature are the only things you should be using an offline wallet to obtain.

Don't make your wallet too complex, a 2 of 6 multisig is as secure as a 2 of 3 (imo) and a 2 of 3 is cheaper.

Xpubs normally hide your change too as being your wallet (unless you spend too much or don't have the right coin control setting).

[o_e_l_e_o]

and given that a nonhard derivation path if a child private key is leaked somehow puts the entire wallet at risk I'd like to avoid this method, but from recent reads hard derivation paths avoid this problem correct?

With non-hardened derivation paths, if the parent extended public key is revealed (as it would be if you had imported an xpub in to a wallet) and you also somehow leak a child private key, then an attacker can calculate the parent extended private key and therefore all the child private keys in your wallet. As you say, hardened derivation paths prevent this since the parent extended public key is not used in deriving the child keys.

Also given that a node is connected to internet and might get compromised since it's connected to internet isn't putting xpubs/childpub in a watch-only wallet dangerous for privacy anyway you look at it, given again from child pubkey you can reach xpub?

You cannot go from a child public key to the parent public key. In fact, you cannot go from any child key (public or private) or any parent key (public or private), on either hardened or non-hardened paths.

Since there are standards won't an attacker use these standards to derive xpub amd since watchonly wallets use xpubs unless manually imported?

They can only derive your xpub if they know the entropy or seed phrase which was used to generate it in the first place, or the xprv from the same or higher level And if an attacker knows one of those, then all your coins are probably lost already.

So wouldn't it be better to use importaddress and just keep 50 addresses +50change(internal) or whatever each time without using descriptor which requires xpub/s?

You can do this if you prefer, but I don't think it adds anything.

Wouldn't it be better to not use HD and use P2SH multi sig 3/7 for example and forego the privacy factor and just use 1 address?

If you prefer to use multi-sig, you can still use an HD multi-sig wallet with a new address for each transaction.

Is it possible to use a HD wallet for deriving addresses but require 2/6 extra p2sh privkeys for all those derived addresses instead of child privs or xpriv from more hd wallets?

I'm not entirely clear what you are asking here. You can set up a 3-of-7 multi-sig HD wallet if you want, but you will need at least all 7 xpubs to derive new addresses.

So I memorise seed but still have 6 cds

Don't memorize a seed phrase. Recipe for disaster.

I guess you can use 3/7 multisig with different xpriv/xpub but to derive the adresses you still need to place all 7 xpubs into descriptor which will go on the node no? unless manual import?

Correct.

If I split a priv key p2sh/p2pkh into 12 pieces and have 8 of those pieces not in the order

Don't do this either. Another recipe for disaster.

[JohnyD1]

I think 8 segments of keys would go back together pretty easily and I don't think I'd call it bruteforcing at that point. I'm not sure how much it would be exactly but 8! Is only 40000 and there is a checksum in the private key so it'll only go back together one way (unless you're fortunate/unfortunate).

Yesterday I thought more about it and realises I can simply create a p2sh multisig and have 1 private key exposed and still be safe if 2/12 pieces contains the second provided key and redeemscript, correct? With privkey I can make pubkey correct?



Don't make your wallet too complex, a 2 of 6 multisig is as secure as a 2 of 3 (imo) and a 2 of 3 is cheaper.
I understand but what if I lose 3 xprivs. I'd have other 4 as backup.


 I don't know if your public keys can be derived into an extended public key though in some circumstances.
For a multisig don't you have to put xpubs at wallet ( descriptor)  my problem is if node gets compromised. And one of the xprivkeys but I see your point with hard derivation path. They'd still need all xprivs.

It's best practice to not release any of your private keys also and your public key and signature are the only things you should be using an offline wallet to obtain.
I plan using the offline device that creates keys to sign psbts

Thank you and o_e_l_e_o for the answers.


New question: from a fresh linux and bitcoincore and ian coleman I guess, how do I create a multisig using 3/5 HD bip39 or bip44  I think I'd like to use the passphrase (salt) is it only possible using bip39?

My objective is to get a dvd with linux, a cdrom with everything necessary bitcoincore ian coleman etc... (libs, dependencies etc... to install from cd rom in linux (ubuntu 22.04)) install everything on 2 laptops without network/bluetooth/etc... adapters, create the 5 HD wallets, 3 in first laptop, 2 in second laptop. I want hard derivation so the xpubs that I will input in the node cannot compromise children or parent keys, but still create adresses which this reassured me is safe
" (To counter this risk, HD wallets use an alternative derivation function called hardened derivation, which "breaks" the relationship between parent public key and child chain code. The hardened derivation function uses the parent private key to derive the child chain code, instead of the parent public key. This creates a "firewall" in the parent/child sequence, with a chain code that cannot be used to compromise a parent or sibling private key. The hardened derivation function looks almost identical to the normal child private key derivation, except that the parent private key is used as input to the hash function, instead of the parent public key, as shown in the diagram in Hardened derivation of a child key; omits the parent public key. - https://github.com/bitcoinbook/bitcoinbook/blob/develop/ch05.asciidoc#generating_entropy_and_encoding)".

After getting everything installed, create wallets (5hd), create multisig 3/5, backup only HD seeds with instructions how to use them, and use the 2 laptops to sign the psbts created from full node.



Do HD bip39 bip44 prevent multisig wallet creation and if not is the multisig created a new HD seed(wallet)? For example p2sh 2/3 you need all public keys to create the multisig which has to be done in same order for recreating the address but it does not allow for HD/D using p2sh.

How to create multisig using HD wallets?
 
I'd like to learn how to do the above basically, if not answers, material I can read to achieve this would be great, I've been reading alot but too much out there to read, atleast I've been learning.

Thanks everyone.

Ps: my main question atm is if I create a multisig using several HD with bip39 for example will this create a new seed or is it not possible to have multisig using HD wallets except using same address ?

[o_e_l_e_o]

A general point first: I don't see the point in creating a 3-of-5 multi-sig if your 5 seed phrases are going to be stored on only 2 devices. It is especially pointless if 3 of the seed phrases (i.e. enough to spend the coins) will all be stored on a single device. Compromise of that one device leads to loss of all your coins, thus entirely defeating the point of multi-sig in the first place. If I had two devices like this, I would create a 2-of-3 multi-sig, with one seed phrase on each device and one more seed phrase stored only on paper as an emergency back up.

I want hard derivation so the xpubs that I will input in the node cannot compromise children or parent keys, but still create adresses which this reassured me is safe

If you use hardened derivation then you cannot use xpubs to generate addresses at all, since with hardened derivation you must use the xprv to generate child keys. And again, an xpub cannot be used to compromise other keys. An xpub only allows anyone who can access it to generate child public keys and addresses. It is impossible to go from xpub to a private key, at any level (parent, child, or self).

How to create multisig using HD wallets?

I would do this all with Electrum. You can install Electrum on your entirely airgapped laptops, then use it to generate new multi-sig wallets, and it will provide both the seed phrase and xpub (or Zpub if you are using segwit) for each wallet. It is also very easy to combine all the Zpubs together on your main computer to create a watch only wallet which can generate new addresses but cannot be used to compromise your coins or keys.

[JohnyD1]

A general point first: I don't see the point in creating a 3-of-5 multi-sig if your 5 seed phrases are going to be stored on only 2 devices. It is especially pointless if 3 of the seed phrases (i.e. enough to spend the coins) will all be stored on a single device. Compromise of that one device leads to loss of all your coins, thus entirely defeating the point of multi-sig in the first place. If I had two devices like this, I would create a 2-of-3 multi-sig, with one seed phrase on each device and one more seed phrase stored only on paper as an emergency back up.

My objective was to have 2 keys on 1 device 1 key on second device and other 2 simply as backup.

I want hard derivation so the xpubs that I will input in the node cannot compromise children or parent keys, but still create adresses which this reassured me is safe

If you use hardened derivation then you cannot use xpubs to generate addresses at all, since with hardened derivation you must use the xprv to generate child keys. And again, an xpub cannot be used to compromise other keys. An xpub only allows anyone who can access it to generate child public keys and addresses. It is impossible to go from xpub to a private key, at any level (parent, child, or self).

So multisig watchonly only works with zpubs? And non hardderivation (for it to create new multisig addresses automatically.

How to create multisig using HD wallets?

I would do this all with Electrum. You can install Electrum on your entirely airgapped laptops, then use it to generate new multi-sig wallets, and it will provide both the seed phrase and xpub (or Zpub if you are using segwit) for each wallet. It is also very easy to combine all the Zpubs together on your main computer to create a watch only wallet which can generate new addresses but cannot be used to compromise your coins or keys.

I wanted to use only bitcoin core and perhaps Ian coleman but I guess I have to use electrum?

So I still use electrum on main computer instead of core? To create psbt or I can import the zpubs into bitcoinqt as watchonly to create psbt?

[o_e_l_e_o]

I wanted to use only bitcoin core and perhaps Ian coleman but I guess I have to use electrum?

Bitcoin Core does not support seed phrases, so it would not be possible to generate seed phrases on Ian Coleman and then import them in to Core. Hence why I suggested Electrum. And having said that, I don't really trust using websites which rely on Javascript to generate seed phrases at all, so if you were going to use Electrum, then probably better to just generate seed phrases in Electrum directly.

You can still do what you are planning (HD multi-sig wallet with two airgapped wallets) using Core, but you won't be able to do it with seed phrases. You would simply need to back up your wallet.dat files instead.

[JohnyD1]

Can you explain me how to do it using bitcoin core? and would I be creating 5 wallets? Which means I could backup 2 and simply keep 2 in one laptop and 1 in second laptop while the other 2 are simply backed up, also would using qt be easy because I don't see multisig support in bitcoincore when creating wallet would I be using bitcoin-cli?
And using bitcoin core qt create more addresses for receiving at full node correct? (All multisig)
Thanks for the help you already provided.
If I do create the multisig using electrum can I then use bitcoin qt to import these xpriv/xpub or zpriv/zpub to the offline laptops and online full node and create/sign psbt?