This only proves my point: #multisig has a significant complexity burden that should not be taken lightly. At a certain level of #Bitcoin, the security benefits outweigh the costs, but not before.
Discussion
Agreed that multisig introduces complexity. It’s important to understand what the tradeoffs are.
The point of using a signing device (hardware wallet) is to protect one’s private keys from leaks during signing. In a single-sig setup, a malicious vendor or vendor vulnerability that causes keys to leak means loss of funds.
Multi-vendor multisig mitigates the vendor problem because it’s significantly less likely that two independent vendors will experience key-leakage issues at the same time. This increases complexity by a sizeable amount, per your original post. To reconstruct the wallet, one needs the metadata.
The simplest vendor mitigation would be a M-of-N (M>1, N>1) multisig where all signers are kept together. In that case, it’s not urgent to store the metadata. The seed material is already all in the same place, so recovery can begin with seeds.
But this does not mitigate other risks such as discovery risk. If someone stumbles upon the cache of signers, the discoverer gets the coin. This is where geographically distributing comes in. Geographically distributed, multi-vendor multisig mitigates accidental discovery risk. It also introduces a time component, as even a dedicated attacker must travel between locations. But it increases complexity since now the metadata does need to be explicitly backed up, and the locations of signers are now a new secret to be kept.
Ultimately—and I hope you’ll forgive me for going philosophical—in #Bitcoin, ownership is knowledge, and security is measured in time.
Knowledge can either be kept in one’s head or encoded in the world. One can encrypt information, but as you rightly point out, now you have the decryption key to store as well.
You can write words down by hand, or save a plain text file, perhaps in a secret location. But the location is now knowledge that has to be stored, and we’re right back where we started—memorizing secrets.
Because ownership is knowledge, exclusive ownership demands secrecy. But a secret written down can be discovered. Therefore the only way to exclusively own Bitcoin is to keep some amount of knowledge exclusively in one’s own head. Any configuration in which all of the knowledge is encoded in the world is exploitable.
It's a great addition to the thread. 🎯
Note that even with multivendor multisig, the software originating the transaction needs to be secured. Generally speaking, it's best to use a dedicated machine for this purpose.
Correct.
During initial wallet creation, use at least two different vendors to generate lists of addresses from metadata. Confirm that these lists match. This protects you from a malicious software wallet at setup time.
Bonus points: save off a copy of these addresses with the metadata, in offline storage. Before receiving coin, confirm that the address is the next one on the saved address list. This protects you from a software wallet that became malicious between setup and receive time.
Bonus bonus points: keep two machines running different OSes for the coordinator wallet. This way, if either has a vulnerability (revealed by the above) you still have another wallet ready to use.
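The setup-time and receive-time checks from the last reply, as an added example that is not code from anyone in this thread. The address strings are constructed placeholders standing in for lists exported from two independent software wallets; the functions only compare and classify, they do not derive addresses.

```python
"""Cross-vendor address verification for a multisig wallet (added example).

Setup time: derive the receive-address list from the wallet metadata on two
independent software wallets and require that the lists agree before trusting
either. Receive time: a proposed address must be the *next unused* entry of
the saved, verified list, otherwise the coordinator wallet may have changed.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class Mismatch:
    index: int             # first derivation index where the vendors disagree
    vendor_a: Optional[str]  # None if that vendor's list ended early
    vendor_b: Optional[str]


def cross_check(list_a: Sequence[str], list_b: Sequence[str]) -> Optional[Mismatch]:
    """Return None if both vendors derived identical lists, else the first divergence.
    A list that ends early counts as a divergence: an address missing on one side."""
    for i in range(max(len(list_a), len(list_b))):
        a = list_a[i] if i < len(list_a) else None
        b = list_b[i] if i < len(list_b) else None
        if a != b:
            return Mismatch(i, a, b)
    return None


def check_receive_address(saved: Sequence[str], used_count: int, proposed: str) -> str:
    """Classify an address offered by the coordinator wallet at receive time.
    used_count is how many entries of the saved list have already received coin."""
    if used_count >= len(saved):
        return "list_exhausted"   # regenerate and cross-check a longer list first
    if proposed not in saved:
        return "unknown"          # not derivable from the verified metadata: do not use
    idx = saved.index(proposed)
    if idx < used_count:
        return "reused"           # an already-used address; a sign something is off
    if idx == used_count:
        return "ok"
    return "skipped"              # later than expected; investigate the gap before using


# Constructed sample exports (placeholders, not real bech32 addresses).
VENDOR_A = [f"bc1q_constructed_{i}" for i in range(5)]
VENDOR_B = list(VENDOR_A)
VENDOR_B[3] = "bc1q_constructed_tampered"   # simulate a wallet that diverges at index 3

if __name__ == "__main__":
    print("setup check:", cross_check(VENDOR_A, list(VENDOR_A)))   # None -> lists agree
    print("setup check vs tampered:", cross_check(VENDOR_A, VENDOR_B))
    print("receive check:", check_receive_address(VENDOR_A, 2, VENDOR_A[2]))  # ok
```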