Xor or multisig

[Jason Brendon]

let's discuss on the security level of one having a 2/2 xor setup and a 2/3 multi-sig setup.

So, let's say I am to create two wallets using the xor scheme and 2/3 multisig respectively.
Both setups use a 12-word seed and no passphrase at all.

Which one do you like better?
1. security (i know even a single sig wallet is already good enough, I am asking which one of these two is better)
2. usability (error-prone, convenience)
3. attack surface/vector (similar to point 1)
4. hww support
5. hidden facts that people don't know about?

thanks

[1715281356]

1715281356

[1715281356]

1715281356

[pooya87]

I have no idea what you mean by "xor scheme" but security of your wallet depends on how you use it. For example if you have a 15-of-15 multi-sig wallet but you store all 15 keys in one place that can be compromised all at once (eg. on your online PC), you don't really have any security. Compare that with a simple single-sig wallet that you keep on an air-gap PC that is encrypted.

A single-sig wallet can be safe enough if the user puts a little effort in. A multi-sig setup can provide additional security if the user needs it as long as the keys are created and stored separately and all in secure environments. A 2-of-3 setup is better than 2-of-2 because the third key is used as a failsafe in case any of the first two keys were lost.
But when you use muti-sig, you are increasing the size of your transaction hence paying higher fees for each transaction you want to make. Of course you can always use Taproot and pubkey aggregation but there still is not user friendly way of doing that.

[Jason Brendon]

I have no idea what you mean by "xor scheme" but security of your wallet depends on how you use it. For example if you have a 15-of-15 multi-sig wallet but you store all 15 keys in one place that can be compromised all at once (eg. on your online PC), you don't really have any security. Compare that with a simple single-sig wallet that you keep on an air-gap PC that is encrypted.

A single-sig wallet can be safe enough if the user puts a little effort in. A multi-sig setup can provide additional security if the user needs it as long as the keys are created and stored separately and all in secure environments. A 2-of-3 setup is better than 2-of-2 because the third key is used as a failsafe in case any of the first two keys were lost.
But when you use muti-sig, you are increasing the size of your transaction hence paying higher fees for each transaction you want to make. Of course you can always use Taproot and pubkey aggregation but there still is not user friendly way of doing that.

a xor scheme, like you have one 12-word seed (A) and separate it into three 12-word seed (B,C,D), each of which is a new wallet. But the real one which you actually want to hide is the one (A) that can only be reconstucted by B,C,D.

the xor, i am surprised you haven't heard of that.

[witcher_sense]

I have no idea which one is better: both have their pros and cons, and both can be used in an incorrect way that may lead to a loss of funds. But if I faced the necessity of choosing between these two, I would go for the xoring scheme because it is easier to understand and maintain. Unlike in a multi-signature scheme where you need to store both private and public keys to be able to reconstruct your address and move funds, the xor scheme requires you to keep only "pieces of your puzzle." The other advantage is that you can manually reconstruct the initial seed phrase, without employing any software tools. But if you wish, you can purchase a hardware wallet like ColdCard that offers an in-built functionality of creating xor seeds.[1]

[1] https://seedxor.com/

[Jason Brendon]

I have no idea which one is better: both have their pros and cons, and both can be used in an incorrect way that may lead to a loss of funds. But if I faced the necessity of choosing between these two, I would go for the xoring scheme because it is easier to understand and maintain. Unlike in a multi-signature scheme where you need to store both private and public keys to be able to reconstruct your address and move funds, the xor scheme requires you to keep only "pieces of your puzzle." The other advantage is that you can manually reconstruct the initial seed phrase, without employing any software tools. But if you wish, you can purchase a hardware wallet like ColdCard that offers an in-built functionality of creating xor seeds.[1]

[1] https://seedxor.com/

the idea of XOR Seed was created by coldcard, which should be trusted but i'd rather like to know if it is widely audited by other veterans.

[o_e_l_e_o]

I would use multi-sig over XOR for a number of reasons.

Firstly, XOR is not widely used. The code provided is not widely audited, and if you do it yourself you are prone to making mistakes. If the code disappears, would you remember how to combine your seed phrases and regenerate your original seed phrase? Seems unlikely to me. Multi-sig is a standardized feature of bitcoin and can be recovered using many different wallets.

Further, with a 3-of-3 system like XOR (or any other number) the loss of one share means you have lost everything. A 3-of-5 multi-sig means an attacker still has to compromise the same number of shares to access your coins (3), but you have 2 additional shares to provide redundancy in your system.

A XOR system requires all the shares to be brought to one place to be combined in to a single wallet on a single device. That's multiple single points of failure. A multi-sig system can have each wallet remain on entirely separate systems and avoids any single point of failure.

The benefit that ColdCard give about each XOR share being a valid seed phrase which can generate a wallet and therefore provide plausible deniability holds equally true for every seed phrase share in a multi-sig set up.

[franky1]

if you are passing around an unsigned raw TX to different devices, where each device creates a signature. where only signatures and raw tx are passed. is better security than having ANY key system where all keys sign from same device

whether they mix and match seeds to create a superkey, or are separate signers using separate keys but in both cases are all done on same device is less than great security in comparison

theres no point in elaborate key separation/mixing to create a super key. if its all done on one device. because if that one device is exposed/compromised, so are all keys

if you want to do that. ensure keys are on separate devices/paper and then online combine them when you want to spend. but have the 'change'/remainder of spend go to a keyset not exposed to the device you are using online to spend, but address.. of which was calculated using separate keys on separate devices
......
.. its not just about hijacking a device to grab keys. its also hijacking a device simply to change the funds destination to a hackers preferred address rather then the one you intend it to go to


so still be aware of the risk the software on device might change the funds destination address at the signing process.. so again for best security have different devices sign a raw tx, that way you have multiple opportunities/stages to check and sign the destination. therefore ensure it goes to destined spend recipient by knowing the signatures match the tx details you want(destination)... that way if one device was compromised and changed destination. it would have different signature "messages" and txids which will get that tx rejected at broadcast because the signatures dont all match the same raw tx

but all this is overkill for most users

[Jason Brendon]

thank you all for the input here.
now i think it's safe to say multisig wins.

[Husires]

It's the first time I've heard of seedxor, but from my reading of this article https://seedxor.com/, I can say that comparing it to multisig is wrong there is a huge differences between them.

The logical comparison lies between seedxor and Shamir's Secret Sharing (https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing). In terms of comparison, I prefer Shamir's Secret Sharing because of the ability to set the threshold, which means the minimum number of shares are needed, a feature that is not present in seedxor.

• Seedxor will fail when compared to any other method of splitting seeds.
• Using SSS and multisig will give you better results if you lost one of your wallet seed

[dkbit98]

Which one do you like better?

Multisig is always a better and safer option than SeedXor or alternatives like Secret Shamir Sharing that uses splitting of seed words.
You can also ask yourself why only Coldcard hardware wallet is supporting Xor and no other hardware wallet.
With Multisig setup you don't have single point of failure and I think this is not the case with Xor and other alternatives.

[o_e_l_e_o]

At least for this part, it could be mitigated by saving/printing the documentation page[1] and list of BIP39 words[2] which contain it's respective binary/hex value (such as "advance", "0x1F", "0b11111").

But it is yet another thing to back up, and yet another thing where the loss of a single component could potentially result in complete loss of your coins. Multi-sig remains safer. If the code for recovering multi-sig wallets is no longer available anywhere online, then bitcoin itself will no longer exist.

In terms of comparison, I prefer Shamir's Secret Sharing because of the ability to set the threshold, which means the minimum number of shares are needed, a feature that is not present in seedxor.

SSS is a poor choice for a wide number of reasons:
https://blog.keys.casa/shamirs-secret-sharing-security-shortcomings/
https://en.bitcoin.it/wiki/Shamir_Secret_Snakeoil

Again, multi-sig remains the better choice, or even just a single sig wallet with an additional passphrase and multiple back ups.

[ABCbits]

At least for this part, it could be mitigated by saving/printing the documentation page[1] and list of BIP39 words[2] which contain it's respective binary/hex value (such as "advance", "0x1F", "0b11111").

But it is yet another thing to back up, and yet another thing where the loss of a single component could potentially result in complete loss of your coins. Multi-sig remains safer. If the code for recovering multi-sig wallets is no longer available anywhere online, then bitcoin itself will no longer exist.

That's true, i was thinking people would do both things (write down seed and print manual) at same time and then store both of them are same location. And i definitely agree multisig is safer option.

The logical comparison lies between seedxor and Shamir's Secret Sharing (https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing). In terms of comparison, I prefer Shamir's Secret Sharing because of the ability to set the threshold, which means the minimum number of shares are needed, a feature that is not present in seedxor.

But don't forget there are trade off where SSS recovery can't be done manually with hand and you need to check software which implement SSS doesn't have any bug or weird config which makes it harder to recover with different software.

[o_e_l_e_o]

That's true, i was thinking people would do both things (write down seed and print manual) at same time and then store both of them are same location.

At that point you then lose the plausible deniability that each share is an individual standalone wallet and not part of a bigger XOR scheme.

and you need to check software which implement SSS doesn't have any bug or weird config which makes it harder to recover with different software.

The most talked about implementations of SSS I am aware of (and please correct me if there are other common ones, as I tend not to pay much attention to SSS implementations for the reasons I've discussed above) are Trezor's (https://github.com/satoshilabs/slips/blob/master/slip-0039.md) and Ian Coleman's (https://iancoleman.io/shamir39/ and https://iancoleman.io/shamir/ - he has two different ones). All of them are completely incompatible with each other, and a wallet generated with one is unrecoverable with the others. Not a safe choice.

[Kryptowerk]

Not an expert on the field (yet ; ) but multi-sig 3/5 is a great one to have because it offers a wonderful mix of
- attacker cannot access funds even if they manage to access 2 of the 5 seeds
- very secure even if two of your houses / storage places get burned down (/ are for any other reasons not accessible)

XOR - never heard of it, but if I understood correctly by some of the replies, this would be problematic as soon as one seed-phrase is compromised  lost/destroyed -> You lose all your funds. With 3 places to store them at, it is 3x as likely to happen.

[o_e_l_e_o]

XOR - never heard of it, but if I understood correctly by some of the replies, this would be problematic as soon as one seed-phrase is compromised -> You lose all your funds. With 3 places to store them at, it is 3x as likely to happen.

That's not quite right. If one of your seed phrases is compromised in the XOR set up, the attacker can still gain nothing, just as in a multi-sig set up. The difference is that if one of your seed phrases is lost in a XOR set up, it is impossible to recover your wallet since you need all the shares, unlike multi-sig which is set up to require m-of-n shares.

Given this, if you were using 3 shares in a XOR set up, you would want each of them backed up at least twice, since the loss of one share means the loss of everything, which then necessitates 6 separate secure back up locations. At that point a 3-of-5 multi-sig is much preferable, as you say.

[Kryptowerk]

XOR - never heard of it, but if I understood correctly by some of the replies, this would be problematic as soon as one seed-phrase is compromised -> You lose all your funds. With 3 places to store them at, it is 3x as likely to happen.

That's not quite right. If one of your seed phrases is compromised in the XOR set up, the attacker can still gain nothing, just as in a multi-sig set up. The difference is that if one of your seed phrases is lost in a XOR set up, it is impossible to recover your wallet since you need all the shares, unlike multi-sig which is set up to require m-of-n shares.

Given this, if you were using 3 shares in a XOR set up, you would want each of them backed up at least twice, since the loss of one share means the loss of everything, which then necessitates 6 separate secure back up locations. At that point a 3-of-5 multi-sig is much preferable, as you say.

Thanks for clearing up this stupid mistake / mistype. Yes, I ofc meant if a share is lost you cannot recover your keys, even if you have a 10-share XOR and still have 9 of them.

On a side note: I wonder how many people using paperwallets / other cold storage options actually do multi-sig? Anyone got any numbers?
Maybe I'll try creating a poll, but ofc it's gonna be very biased just based on who actually clicks the topic, is active on bitcointalk etc. But still, could be interesting. My guess is, it's not a high percentage at all.

[o_e_l_e_o]

On a side note: I wonder how many people using paperwallets / other cold storage options actually do multi-sig? Anyone got any numbers?

It would be impossible to get accurate figures, but I agree the number will be very low.

Let's look solely at P2SH outputs as an example: https://txstats.com/dashboard/db/p2sh-repartition-by-type

We currently have around 4.7 million BTC in P2SH outputs. 3.2 million of those outputs are on addresses which have never been spent from, so we can't say anything about their script. Of the 1.5 million which we do know the scripts, over half are nested segwit scripts, and only about 600k are in multi-sig addresses. However, we also know that there are some major centralized exchanges which hold tens or even hundreds of thousands of bitcoin in multi-sig wallets, meaning that number of 600k becomes significantly smaller when considering coins held in multi-sig set ups by individual users.

Now obviously there are P2WSH multi-sigs, there are probably some P2MS outputs still kicking about, there are now P2TR outputs which we don't know if they are multi-sig or not, and there are all the unspent outputs which are in multi-sig set ups that we don't know about yet. But even extrapolating the above numbers out to cover all this, multi-sigs will very much be in the minority for the average user.

[BlackHatCoiner]

Further, with a 3-of-3 system like XOR (or any other number) the loss of one share means you have lost everything. A 3-of-5 multi-sig means an attacker still has to compromise the same number of shares to access your coins (3), but you have 2 additional shares to provide redundancy in your system.

That is true, but master public keys must be taken into account. To spend from a 3-of-5 multi-sig, you need to ensure access to all 5 master public keys. One thing I dislike about multi-sig (and please correct me if I'm wrong) is that you can't back it up in the same comfortable and easy manner as a single-sig, because master public keys aren't meant to be written down on paper as seed phrases. So, you need to store it electronically, which is also prone to fail overtime.

[o_e_l_e_o]

One thing I dislike about multi-sig (and please correct me if I'm wrong) is that you can't back it up in the same comfortable and easy manner as a single-sig, because master public keys aren't meant to be written down on paper as seed phrases. So, you need to store it electronically, which is also prone to fail overtime.

Yes you need to back up the xpubs, and yes that is a pain/error-prone to do by hand. I don't think that means you need to back up electronically, though. You can still write them by hand, provided you take your time, use clear writing, and triple check everything (including checking that you can successfully recover each share before you fund the wallet). There is also less risk involved in printing out xpubs than there is in printing out seed phrases or private keys, for obvious reasons. Provided you have set up your multi-sig properly (e.g. using 3 different and completely separate devices for a 2-of-3 multi-sig), then printing out xpubs from each device presents minimal risk.

And of course, you do not need to store every other xpub with every seed phrase, but rather n minus m xpubs with each seed phrase (provided you pick the correct ones, of course). Doing so also brings a privacy benefit since an attacker with access to one back up cannot even view your wallet.

[BlackHatCoiner]

Yes you need to back up the xpubs, and yes that is a pain/error-prone to do by hand.

The more the xpubs, the more the pain and chances to mess it up somewhere. I triple checks addresses when I'm sending bitcoin to my cold storage, let alone what I'd do if I had to ensure it's the correct xpubs. I mean think about it, you have to write down a nightmare like this:

Code:

xpub6CnyhgdRermBTjxxY8RB2uW9WsziDfVM2suB4c3aAYH77hNMwLpqR8vktGY769i5oxFHSzRZqJjZX8Zmog7nYwCk8SqePofgARCcrfvWTnH
xpub6Dd32ygm66fDRv2eQScFSxZPuxM4TYGma8c6S3oyts8JnStQ8wNC1XTNtpavFaU8iEJswC5JT9vmjG1cugLVsqXP9QwqKZYjEiykksHYbsZ
xpub6DgDQmupKYNRCpnmHyTF4iseuwH9d3e3PVFR8hnjaCiJ12gfPCJzHfF3NtbJKTbrs8oUWi5QndV3UnyvcCcebWNxoteqhD6jZZcMsPKAkRV
xpub6CQwwygLeymu12sXMDDQ8sURu8QfrY5TNHetAd3GMo5FDP4aTWKqGvJLEQA7CZg76PdtMv3vszb8fDEjjq7e6K9KZznNhvbViDow4ynbjXE
xpub6EbPANACYCRBUToYADM6bVodkzxLNc2wJdnENHn7KVdDiH4tWeueh3pxKGnNuDdDi2VZm8wKez1XzEyP4yF5H8H4StEbt8gQPuoprWixcjd

By hand. Clean writing. About 560 characters, case sensitive. How come there hasn't been a mnemonic standard for xpubs?