Friction in #multisig:

1. Loss of metadata = loss of funds.

2. Compromised metadata = others see your funds.

3. Device firmware maintenance * N.

4. Non-standard implementations couple users to specific software providers, like Nunchuk.

These are severely underappreciated.

Discussion

but for me, each of these points can be mitigated through training

Certainly and at a certain amount of #Bitcoin these tradeoffs become worth the improved security.

1. Keep an encrypted copy of the metadata with each signer.

2. This problem is not unique to multisig. Mitigate by encrypting the metadata copies.

3. When upgrading firmware, upgrade a fresh signing device, then “restore” seed and metadata. Confirm ability to sign. Wipe old device, then upgrade it too. (Two same-vendor signing devices per seed).

4. Use standard multisig wallet setup. Confirm same sequence of addresses on separate hardware. For example, use metadata to set up a Sparrow wallet, confirm that ColdCard produces same sequence of addresses from same metadata.

Now you have an additional factor, the password to decrypt the metadata, to secure.

This is added complexity and illustrates my point. Lose that password, lose your funds.

Actually, it's not an additional factor: it's a single point of failure. You lose the encrypted payload or the password to decrypt it, you lose the ability to recover your funds.

If these backups are the only copies, then yes, you must have both the encrypted metadata file and the decryption key (or all N seeds to reconstruct the metadata).

This risk can be mitigated by using a long, randomly generated encryption key, which is sharded using Shamir secret sharing, keeping shares with each backup in the same configuration (M-of-N) as the wallet proper.

Of course, this adds complexity, so you’ll want to include a README with enough hints to help you remember how to recover. Or you could keep a Tails OS USB key with each signer which has the instructions and the related tools like the Shamir secret sharing implementation binary.
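The sharded-key scheme described above (a long random encryption key split M-of-N with Shamir secret sharing, one share kept with each backup), as an added example that is not code from this thread or from any of the tools mentioned in it. It assumes a 256-bit key, a 2-of-3 wallet for the demo, and a prime-field implementation over the Mersenne prime 2^521 - 1; the share line format "M:x:y_hex" is a constructed convention for paper or USB backups, not a standard.

```python
import secrets

# Field modulus: the Mersenne prime 2**521 - 1. A 256-bit key is far below it,
# so the whole key is a single field element and no byte-wise splitting is needed.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial (coefficients lowest degree first) at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, threshold: int, share_count: int):
    """Split `key` into `share_count` shares, any `threshold` of which recover it.

    Each share is a tuple (threshold, x, y). Carrying the threshold with the share
    lets the recovery routine refuse to interpolate from too few shares instead of
    silently returning garbage.
    """
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    # Constant term is the secret; the remaining coefficients are uniformly random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(threshold, x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_key(shares, key_len: int = 32) -> bytes:
    """Recover the key from at least `threshold` distinct shares (Lagrange interpolation at x = 0)."""
    if not shares:
        raise ValueError("no shares supplied")
    threshold = shares[0][0]
    xs = [x for _, x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share supplied")
    if len(shares) < threshold:
        raise ValueError(f"need {threshold} shares, got {len(shares)}")
    shares = shares[:threshold]  # any `threshold` shares determine the polynomial
    secret = 0
    for i, (_, xi, yi) in enumerate(shares):
        num = den = 1
        for j, (_, xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Lagrange basis polynomial at 0: prod(-xj) / prod(xi - xj), division via Fermat inverse
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret.to_bytes(key_len, "big")


def encode_share(share) -> str:
    """Render a share as one line for a paper or USB backup: "M:x:y_hex" (constructed format)."""
    threshold, x, y = share
    return f"{threshold}:{x}:{y:x}"


def decode_share(text: str):
    threshold, x, y_hex = text.strip().split(":")
    return int(threshold), int(x), int(y_hex, 16)


if __name__ == "__main__":
    # Constructed demo: a fresh 256-bit key for a 2-of-3 wallet, one share per signer location.
    key = secrets.token_bytes(32)
    shares = split_key(key, threshold=2, share_count=3)
    lines = [encode_share(s) for s in shares]
    assert recover_key([decode_share(lines[0]), decode_share(lines[2])]) == key
    try:
        recover_key([decode_share(lines[1])])  # one share alone must be rejected
    except ValueError as err:
        print("single share rejected:", err)
    print("2-of-3 recovery OK")
```

The key produced by `secrets.token_bytes(32)` is what you would feed to whatever tool encrypts the metadata file (that step is outside this block); each signer location then stores its share line next to the encrypted file, so the same M-of-N subset of locations that can sign can also decrypt the metadata.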

This only proves my point: #multisig has a significant complexity burden that should not be taken lightly. At a certain level of #Bitcoin, the security benefits outweigh the costs, but not before.

Agreed that multisig introduces complexity. It’s important to understand what the tradeoffs are.

The point of using a signing device (hardware wallet) is to protect one’s private keys from leaks during signing. In a single-sig setup, a malicious vendor or vendor vulnerability that causes keys to leak means loss of funds.

Multi-vendor multisig mitigates the vendor problem because it’s significantly less likely that two independent vendors will experience key-leakage issues at the same time. This increases complexity by a sizeable amount, per your original post. To reconstruct the wallet, one needs the metadata.

The simplest vendor mitigation would be an M-of-N (M>1, N>1) multisig where all signers are kept together. In that case, it’s not urgent to store the metadata. The seed material is already all in the same place, so recovery can begin with seeds.

But this does not mitigate other risks such as discovery risk. If someone stumbles upon the cache of signers, the discoverer gets the coin. This is where geographically distributing comes in. Geographically distributed, multi-vendor multisig mitigates accidental discovery risk. It also introduces a time component, as even a dedicated attacker must travel between locations. But it increases complexity since now the metadata does need to be explicitly backed up, and the locations of signers are now a new secret to be kept.

Ultimately—and I hope you’ll forgive me for going philosophical—in #Bitcoin, ownership is knowledge, and security is measured in time.

Knowledge can either be kept in one’s head or encoded in the world. One can encrypt information, but as you rightly point out, now you have the decryption key to store as well.

You can write words down by hand, or save a plain text file, perhaps in a secret location. But the location is now knowledge that has to be stored, and we’re right back where we started—memorizing secrets.

Because ownership is knowledge, exclusive ownership demands secrecy. But a secret written down can be discovered. Therefore the only way to exclusively own Bitcoin is to keep some amount of knowledge exclusively in one’s own head. Any configuration in which all of the knowledge is encoded in the world is exploitable.

It's a great addition to the thread. 🎯

Note that even with multivendor multisig, the software originating the transaction needs to be secured. Generally speaking, it's best to use a dedicated machine for this purpose.

Correct.

During initial wallet creation, use at least two different vendors to generate lists of addresses from metadata. Confirm that these lists match. This protects you from a malicious software wallet at setup time.

Bonus points: save off a copy of these addresses with the metadata, in offline storage. Before receiving coin, confirm that the address is the next one on the saved address list. This protects you from a software wallet that became malicious between setup and receive time.

Bonus bonus points: keep two machines running different OSes for the coordinator wallet. This way, if either has a vulnerability (revealed by the above) you still have another wallet ready to use.
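The two checks in the post above (comparing the address lists two vendors derive from the same metadata at setup time, and confirming before each receive that the offered address is the next one on the saved offline list), as an added example that is not code from this thread or from any wallet vendor. The address strings are constructed placeholders, not real Bitcoin addresses; real lists come from the vendors' own software, and the fingerprint is just a convenience so the list's hash can be written down next to the metadata.

```python
import hashlib

# Constructed placeholder lists standing in for the address sequences exported
# by two independent wallet implementations from the same multisig metadata.
VENDOR_A = [f"bc1q-placeholder-{i:03d}" for i in range(20)]
VENDOR_B = list(VENDOR_A)


def first_divergence(list_a, list_b):
    """Index of the first position where two derived address lists differ, or None if identical.

    Any divergence at setup time means at least one implementation is deriving
    wrong (or malicious) addresses for this metadata and must not be trusted.
    """
    for i, (a, b) in enumerate(zip(list_a, list_b)):
        if a != b:
            return i
    if len(list_a) != len(list_b):
        return min(len(list_a), len(list_b))  # one list is a strict prefix of the other
    return None


def list_fingerprint(addresses) -> str:
    """Short SHA-256 fingerprint of the saved list, to record alongside the metadata backup."""
    return hashlib.sha256("\n".join(addresses).encode()).hexdigest()[:16]


def check_receive_address(saved, used_count, candidate) -> str:
    """Classify an address the coordinator wallet offers for the next deposit.

    `saved` is the verified offline list, `used_count` how many of its entries
    have already received coin. Returns one of:
      "ok"        candidate is exactly the next unused saved address
      "reuse"     candidate was already used (privacy problem, not theft)
      "skipped"   candidate is further down the saved list than expected
      "unknown"   candidate is not on the saved list at all; the coordinator
                  software may have been compromised since setup
      "exhausted" the saved list has run out; derive and verify more first
    """
    if used_count >= len(saved):
        return "exhausted"
    if candidate == saved[used_count]:
        return "ok"
    if candidate in saved[:used_count]:
        return "reuse"
    if candidate in saved[used_count + 1:]:
        return "skipped"
    return "unknown"


if __name__ == "__main__":
    # Setup time: both vendors must agree on the whole sequence before any coin is received.
    assert first_divergence(VENDOR_A, VENDOR_B) is None
    print("saved list fingerprint:", list_fingerprint(VENDOR_A))
    # Receive time: three addresses already used, the coordinator offers the fourth.
    print(check_receive_address(VENDOR_A, 3, VENDOR_A[3]))                   # ok
    print(check_receive_address(VENDOR_A, 3, "bc1q-not-on-the-saved-list"))   # unknown
```

Treat "unknown" as a stop-everything result: the safe response is to rebuild the address list on the second, independent coordinator machine from the offline metadata rather than to send coin to the offered address.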

Are there any dangers to upgrading firmware when it comes to devices used in multisig? Or do you mean that because you have multiple devices you will spend more time keeping them all up to date with regard to the firmware running on them?

The latter. There is a maintenance burden when compared to #BIP39 in that the firmware for multiple devices has to be considered.

Thank you for the reply. I'm still trying to decide whether a passphrase or multisig with something like Unchained would be best in my scenario. Not just security-wise, but also how practical this solution is.

Or something like seedxor, I'm still trying to decide.

Multisig without multivendor is not advised.

I'm a fan for most users. There is only a small group of people with enough #Bitcoin to warrant the security and friction of #multisig.