Multi-Sig Strategy to Keep Bitcoin is not the Ideal Solutions for Individuals

[alastantiger]

In one of Antonopoulos recent video, he questioned the idea that having a multi-sig strategy to keep you bitcoin is not the ideal solution. For summary, in the video, I have provided the link at the footnote, he stated that MultiSig's primary purpose is to provide separation of concerns or duties for controlling funds in scenarios with multiple independent actors. According to him, MultiSig is suitable for cases where corporate executives or board members jointly control funds, and a certain number of them must collaborate to access funds without the risk of a single individual stealing everything which makes sense.

Each person involved in a MultiSig setup must have adequate backups of the seeds used to create the MultiSig address. Becasue losing a seed can lead to a dangerous failure mode where the MultiSig cannot be reconstructed. From what he said which we already know, MultiSig addresses are generated from a script involving multiple public keys, and the address requires all public keys to be provided for spending, even though only a subset is needed for signing.

He goes further to say that while MultiSig provides redundancy for spending (e.g., 2 out of 3 signatures required), it demands full redundancy for public keys, and it is therefore risky for individual users who may not have the necessary backup redundancy, because if they lose a single seed, they have lost all access to funds. Do you agree with him that multi-sig strategy is not the ideal solutions for individuals? What do you think?

YouTube Video link: https://www.youtube.com/watch?v=sjS5qF65Yos

[1714594282]

1714594282

[Charles-Tim]

If you want to increase the security of your wallet, you can go for multisig. Although, it is very useful for multiple users purposes. For individual, we have suggested 2-of-3 multisig wallet several times on this forum with the appropriate backups like this:

Seed 1, MPK 2
Seed 2, MPK 3
Seed 3, MPK 1

Backups in different locations. If you lose one of the backups, you can still use the other two to recover your wallet.

[Zaguru12]

Do you agree with him that multi-sig strategy is not the ideal solutions for individuals? What do you think?

This has actually been discussed by some prominent members or say experienced members before. It is simply burdensome to have a multi sig for personal use, the risk somehow lessens but when you think of burden you will consider it not that worth it. Imagine using one device to sign the transactions from the multi sig, once the device become compromised you the other co signer keys also get affected since it is on this device.

As for paper storage it is also a burden because how will one back up the seeds and keys. Imagine a 2-3 multi sig, you have a 3 private keys and 3 seeds to backup making it six backup places to store them ( although you can have one single seed for all ). And if a passphrase is added then it adds to the number of backs. Storing all of them will definitely leave some vulnerable to been seen

The convenient of will be a single sig with probably a passphrase on an airgapped devices.

[Charles-Tim]

when you think of burden you will consider it not that worth it.

If you have experience about how you can setup a multisig wallet, it is worth it.

Imagine using one device to sign the transactions from the multi sig, once the device become compromised you the other co signer keys also get affected since it is on this device.

You will setup the multisig wallet on different devices. Example is the 2-of-3 multisig wallet, it requires 3 devices. Multisig wallet is one if the safest bitcoin wallet, even if created on online devices.

As for paper storage it is also a burden because how will one back up the seeds and keys. Imagine a 2-3 multi sig, you have a 3 private keys and 3 seeds to backup making it six backup places to store them ( although you can have one single seed for all ). And if a passphrase is added then it adds to the number of backs. Storing all of them will definitely leave some vulnerable to been seen

Read what I posted above.

With 2-of-3 multisig wallet, I do not think a passphrase is necessary.

The convenient of will be a single sig with probably a passphrase on an airgapped devices.

I have two mobile devices and a laptop, I can think of 2-of-3 multisig wallet. Or if you have a hardware wallet, a phone and a laptop, you may prefer a multisig wallet.

[Zaguru12]

I have two mobile devices and a laptop, I can think of 2-of-3 multisig wallet. Or if you have a hardware wallet, a phone and a laptop, you may prefer a multisig wallet.

Yeah with two or more different device it is most suitable, what I meant and stated Above is using a single device to set it up, this defeats the purpose of multi sig entirely.

[o_e_l_e_o]

Imagine a 2-3 multi sig, you have a 3 private keys and 3 seeds to backup making it six backup places to store them

That's not necessary. For any m-of-n multi-sig, the minimum number of back ups you need is equal to n. Each back up will contain one seed phrase, and a specific arrangement of n minus m master public keys such that any m back ups is sufficient to completely restore your wallet.

What this means is that for a 2-of-3, you need three back ups in the formulation that Charles-Tim has shared above, each containing one seed phrase and one master public key. There is no need to have three different back ups just for the public keys, and there is no need to back up raw private keys at all.

You could of course duplicate all your back ups if you wanted and end up with six back ups for a 2-of-3, but you would have to weigh the increased redundancy against the increased risk of discovery.

Yeah with two or more different device it is most suitable, what I meant and stated Above is using a single device to set it up, this defeats the purpose of multi sig entirely.

Of course. The whole point of a multi-sig is to remove any single points of failure. As soon as you bring the threshold number of keys together on the same device or in the same location, then you have a single point of failure.

[satscraper]

Each person involved in a MultiSig setup must have adequate backups of the seeds used to create the MultiSig address. Becasue losing a seed can lead to a dangerous failure mode where the MultiSig cannot be reconstructed. From what he said which we already know, MultiSig addresses are generated from a script involving multiple public keys, and the address requires all public keys to be provided for spending, even though only a subset is needed for signing.

Strange as it may appear, at this point I'm against Antonopoulos view. If you use multisig approach  by yourself to make your stash a bit safer you may take child SEEDs ( derived from one master/deterministic  SEED) to build relevant multisig wallet.  Thus,  to reconstruct MultiSig  wallet your need to keep safe only one mnemonic , i.e Master SEED.

[hosseinimr93]

I also disagree.
If you know what exactly you are doing, then there's nothing to worry about.

Thus,  to reconstruct MultiSig  wallet your need to keep safe only one mnemonic , i.e Master SEED.

If all keys can be derived from a single seed phrase, it would defeat the purpose of a multi-signature wallet. What you are proposing is like a single signature wallet, but with bigger transaction fee.

[Charles-Tim]

If all keys can be derived from a single seed phrase, it would defeat the purpose of a multi-signature wallet. What you are proposing is like a single signature wallet, but with bigger transaction fee.

I did not know that this is in bitcoin protocol before until I was corrected on this forum. I mean to use the same seed phrase to generate m-of-n multisig wallet. On Electrum, it is not possible as it will bring up error, which is likely because it is not secure at all. I also will not recommend it.

[hosseinimr93]

I did not know that this is in bitcoin protocol before until I was corrected on this forum.

It may worth mentioning that there is no seed phrase in bitcoin protocol.

I mean to use the same seed phrase to generate m-of-n multisig wallet. On Electrum, it is not possible as it will bring up error, which is likely because it is not secure at all.

Right. But just to be more accurate:

Electrum doesn't allow two co-singers have the same master public keys.
Therefore, it's possible to use a single seed phrase with different derivation paths to create a multi-signature wallet in electrum.

[satscraper]

I

Thus,  to reconstruct MultiSig  wallet your need to keep safe only one mnemonic , i.e Master SEED.

If all keys can be derived from a single seed phrase, it would defeat the purpose of a multi-signature wallet. What you are proposing is like a single signature wallet, but with bigger transaction fee.

The major purpose of multisig approach is to have wallet which is more  resistant to a potential backdoor in a single device. Thus, if you create child mnemonics from Master SEED and import each of them into different BIP39 compliant wallets further used in signing  multisig transaction , such multisig wallet would serve purpose. It seems to me  that such  logic would work. Correct me if this logic is wrong.

[hosseinimr93]

The major purpose of multisig approach is to have wallet which is more  resistant to a potential backdoor in a single device. Thus, if you create child mnemonics from Master SEED and import each of them into different BIP39 compliant wallets further used in signing  multisig transaction , such multisig wallet would serve purpose. It seems to me  that such  logic would work. Correct me if this logic is wrong.

We create a multi-signature wallet for two purposes.


First purpose: When we want to have a wallet in which transactions can be made only if m out of n people allow that.
Due to obvious reasons, there is no way to use your proposal for this purpose.


Second purpose: When we want to use a wallet individually and increase our security.
We use the multi-signature wallet to eliminate any single point of failure. If there's a seed phrase that can generate all required keys, there's still a single point of failure.

If someone has access to the master seed, the thief can steal the fund.
If the device which is used for creating the master seed is compromised, the fund will be stolen.

[o_e_l_e_o]

Therefore, it's possible to use a single seed phrase with different derivation paths to create a multi-signature wallet in electrum.

Only with BIP39 seed phrases. With Electrum seed phrases, segwit multi-sig wallets always use the derivation path m/1', and there is no option in the GUI to change this. Therefore if you try to use the same seed phrase twice, you will get an error as Charles-Tim has said. If you use a BIP39 seed phrase, on the other hand, you can change the derivation path from the default m/48'/0'/0'/2' (for segwit) to anything you like, allowing you to use the same seed phrase with different derivation paths. (It would of course be possible to use the same Electrum seed phrase if you manually derived at different paths and exported the relevant Zprvs and Zpubs, but all you'll really achieve here is to increase the risk that you accidentally lock yourself out of your coins by doing something weird.)

The other option not mentioned yet would be to use the same seed phrase with different passphrases. You can use this option with either Electrum or BIP39 seed phrases on Electrum. I don't see any real advantages to this over using separate seed phrases, though.

[satscraper]

If someone has access to the master seed, the thief can steal the fund.

It goes without saying. But this a point  a failure to all multisig  no matter in what way they  were  created either from child seeds derived from deterministic entropy or independent ones. If someone get access to seeds then kiss the relevant stash goodbye.

The way  to create multisig from mnemonics compliant to  deterministic entropy makes harder to access multisig by having backdoor say in one wallet that participates in signing. The more wallet you use the more sustainable multisig wallet to backdoor attack. At the same time it make easier the management of pertaining SEEDs.

[hosseinimr93]

But this a point  a failure to all multisig  no matter in what way they  were  created either from child seeds derived from deterministic entropy or independent ones. If someone get access to seeds then kiss the relevant stash goodbye.

No. If you have a 2 of 3 multi-signature wallet and someone has access to one of three seed phrases, there is no way for the thief/hacker to steal your fund.
In your proposal, there's a seed phrase that can be used to derived all seed phrases. If someone has access to that seed phrase, your fund is gone.
 
You can set the m in the m of n multi-signature wallet to 3 or more, so that even two seed phrases are not enough to steal the fund.

[apogio]

He goes further to say that while MultiSig provides redundancy for spending (e.g., 2 out of 3 signatures required), it demands full redundancy for public keys, and it is therefore risky for individual users who may not have the necessary backup redundancy, because if they lose a single seed, they have lost all access to funds.

In general, multi-sig is MUCH safer than single-sig. We must not confuse privacy danger with safety danger. Of course we need full redundancy for public keys, but it is not difficult. Even if you lose a backup of all of your xpubs, your coins are totally safe. But you don't have to backup all xpubs together.

Backing up xpubs is easy like Charles-Tim said in the quote below. It is what I do personally and I feel very comfortable. I just need to check my backups occasionally (1-2 times a year).

If you want to increase the security of your wallet, you can go for multisig. Although, it is very useful for multiple users purposes. For individual, we have suggested 2-of-3 multisig wallet several times on this forum with the appropriate backups like this:

Seed 1, MPK 2
Seed 2, MPK 3
Seed 3, MPK 1

Backups in different locations. If you lose one of the backups, you can still use the other two to recover your wallet.

[pooya87]

It seems like topics like this keep coming up every now and then where someone is arguing that a particular method is not suitable, not ideal or outright insecure just because people that are using it may not do it correctly.
For example we've had this argument with regarding paper wallets and the bitcoin wiki is still calling them "obsolete and unsafe" which is wrong.

Everything in Bitcoin has pros and cons, from bitcoin itself with its volatile price to the wallet types we use. For example you can't say "bitcoin core is not an ideal solution for individuals because it takes a long time to sync" just as you can't say "multi-sig is not suitable because it is hard to setup and backup correctly".

Multi-sig wallets have their benefits even for individuals but they obviously require more effort to setup, backup and use. The important thing is for people to learn how to choose the most suitable tool for them and understand how to take advantage of what it offers. If the benefits of multi-sig wallet is what an individual looks for, they will also accept the extra effort that it demands.

[satscraper]

But this a point  a failure to all multisig  no matter in what way they  were  created either from child seeds derived from deterministic entropy or independent ones. If someone get access to seeds then kiss the relevant stash goodbye.

No. If you have a 2 of 3 multi-signature wallet and someone has access to one of three seed phrases, there is no way for the thief/hacker to steal your fund.
In your proposal, there's a seed phrase that can be used to derived all seed phrases. If someone has access to that seed phrase, your fund is gone.
 
You can set the m in the m of n multi-signature wallet to 3 or more, so that even two seed phrases are not enough to steal the fund.

It seems to  me you missed the point of my message. What I meant was,  eventually,  someone could  have the ability  to  access all your  seed phrases. Judging to that, and the fact that the management of the set of child mnemonics is less difficult   I see the option to have multisig constructed from that set is more convincing - security and safe is almost the same, well, probably a very little less, but that "very little" is fully covered by management benefits.

[Zaguru12]

It seems to  me you missed the point of my message. What I meant was,  eventually,  someone could  have the ability  to  access all your  seed phrases.

Logical it is possible that even if you have even 10 seed phrase for a multi sig it can still be located or accessed but what hosseinimr93 is saying which I agree with is the fact that the probability of getting access to the m seeds  of the m-n multi sig is much higher than if it they are generated by a single seed. The probability will only be the same when you back all the individual seeds in Jus one place and that from a start is definitely not logical, as this is just same as one using a single device to set the multi sig up.

With the individual seeds dispersed in different back up locations it will be hard to get all m required seeds to sign a transaction from that wallet

[satscraper]

It seems to  me you missed the point of my message. What I meant was,  eventually,  someone could  have the ability  to  access all your  seed phrases.

Logical it is possible that even if you have even 10 seed phrase for a multi sig it can still be located or accessed but what hosseinimr93 is saying which I agree with is the fact that the probability of getting access to the m seeds  of the m-n multi sig is much higher than if it they are generated by a single seed. The probability will only be the same when you back all the individual seeds in Jus one place and that from a start is definitely not logical, as this is just same as one using a single device to set the multi sig up.

With the individual seeds dispersed in different back up locations it will be hard to get all m required seeds to sign a transaction from that wallet

Sure, 100 seed phrases would be even better  but I'm in very doubt someone  builds multisig from 10 seeds. I think the most common case is either 2-of-2 or 2-of-3 multisig. Moreover I believe people  play hanky-panky when talking about different geolocations  of their backups, It’s easier said than done.