Take these 2 scenarios:
  • 24 word seed phrase, split up into two (12 words each) chunks, and stored in separate, secure locations
  • 2 of 2 multi-sig, the seed phrases stored in separate, secure locations
It seems like the first option (splitting 24 words into two 12 word chunks) would give you the benefits of the 2 of 2 multi-sig, without the multi-sig complexity.
What am I missing?
The 2/2 requires two separate xpubs, where the single seed requires one xpub. For individuals, 2/2 just makes things more difficult when signing transactions and recovering. Frankly, splitting the seed in two parts in the first place isn't something one should labor with. This type of complexity is unnecessary unless you have an exceptional reason.
I'm of the opinion individuals shouldn't use multisig to begin with. If they do, it should be 2/3 multisig where a custodian (3rd party) holds one of the private keys along with all 3 extended public keys — which means yes, they can see and monitor all your transactions. Because like I hinted at above, people seem to forget that with 2/3, 3/5, etc., if you lose one of the private keys, and don't have the wallet file or extended public key saved somewhere for that private key, your bitcoin is lost forever. Because you need all three public keys to construct a valid 2/3 multisig transaction. With this setup, you have shit saved and stamped all over the place, you have all these different signing devices, it gets unmanageable for something that's quite simple. There's a better way.
reply
I'm of the opinion individuals shouldn't use multisig to begin with.
I disagree with this. I'd say if an individual has a large amount of their net worth in Bitcoin they should have it in a multisig. I don't have any issue with using a custodian, but if you have someone you trust to hold onto 1/3 sig then you can go that route too. Ideally you have someone that also has money in Bitcoin and they can use one of their signing devices in your multisig. You want them to use one of their sigs because they also have an incentive to keep it safe.
For the backup of the xpubs (I think the descriptor is actually what you want) I think you should just throw that in your password manager. It's semi-secret and isn't the end of the world if someone got access to it. If someone got access to all your passwords in your password manager they could do a lot of damage, certainly more than if they just had your xpubs.
There is also the seedhammer if you want to back up your descriptor. If your Bitcoin is a large % of your net worth buying a seedhammer shouldn't be that big of a deal. I also think Bitcoiners should focus on setting up a Bitcoin Citadel near them and one of the features they should offer is a seedhammer.
There's a better way
What is the better way?
reply
Occam's Razor. And realize what 128- or 256-bits of entropy means, trust the math.
A 2/3 custodian is fine. Trying to retain all that information yourself is not. What's also strange are the people who refuse to back up their seed by memorizing it as well, which in real world cases, would prevent 99% of self-custody losses. Literally a once in a lifetime requirement. Instead we get a parade of ever more difficult custody schemes. Good news is that hybrid self custody, scripting, and a possible vault-type BIP could end the self-custody question for good.
reply
Occam's Razor. And realize what 128- or 256-bits of entropy means, trust the math.
Occam's Razor just means the simplest option is usually the better option. The "usually" matters. I'm not sure what you mean by the entropy sentence. The difference in 128 vs 256 bits of entropy only applies when you think someone might brute-force their way to getting your private key.
Literally a once in a lifetime requirement
No it isn't. What happens when you have a brain injury that makes you forget your mnemonic phrase? What happens when you forget it as you age, since your memory gets worse as you age?
reply
Splitting your seed decreases entropy.
reply
Splitting a 24 word seed into 2 separate chunks is very insecure and should never be done
reply
For the single-sig, all secrets are in one place at the point of signing. So you are more vulnerable to tampered devices and $5 wrench attacks.
I actually think the backup complexity is not too bad. Multi-sig has the xPub set, but ultimately both require 4 secure locations if you want redundancy (2 for each key). The main problem with the xPub backup IMO is privacy (an attacker can see your balance), so single-sig wins there.
Counterintuitively, a 2-of-3 multi-sig is easier to backup here because you only need 3 locations (the redundancy is "built-in"). I can't think of a reason why you'd want a 2-of-2 multi-sig for storing funds.
Alternatively you could just roll with single-sig + passphrase, where the passphrase is memorised + has one physical backup (so again 3 locations total). IMO this is a good middle ground for people uncomfortable with multi-sig and far superior to single-sig fragmentation because it's a recognised standard and also gives you plausible deniability (the seed-only wallet acts as a decoy). The passphrase should be sufficiently complex (6-8 words taken from the BIP39 word list would be good).
reply
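An added worked example (not code from any poster in this thread) for two points raised above: the "splitting your seed decreases entropy" claim, and the single-sig + passphrase setup. It uses only the Python standard library and the BIP39 construction (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase); the 12-word all-"abandon" phrase with passphrase "TREZOR" is the public BIP39 reference test vector, and the other passphrases are constructed values.

```python
import hashlib
import unicodedata

# Public BIP39 reference vector (all-zero 128-bit entropy), not a real wallet.
MNEMONIC_12 = ("abandon " * 11 + "about").strip()


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512(NFKD(mnemonic), "mnemonic"+NFKD(passphrase)).

    A different passphrase yields an unrelated 64-byte seed, so the bare
    mnemonic opens a different (decoy) wallet; losing the passphrase is the
    same as losing the funds, which is the redundancy gap raised below.
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def split_search_bits(word_count: int) -> dict:
    """Bits left to guess for someone holding exactly half of a split phrase.

    BIP39: ENT entropy bits = 32 * words / 3, CS checksum bits = ENT / 32,
    each word carries 11 bits. Words 1..n/2 are pure entropy, so the other
    half hides ENT - half bits. Words n/2+1..n also contain the CS checksum,
    which prunes guesses for the first half by 2^CS. Both sides land on
    (ENT - CS) / 2: 124 bits for 24 words, i.e. far below the full 256.
    """
    if word_count not in (12, 15, 18, 21, 24):
        raise ValueError("BIP39 phrases have 12, 15, 18, 21 or 24 words")
    ent = 32 * word_count // 3
    cs = ent // 32
    half = 11 * word_count // 2
    return {
        "entropy_bits": ent,
        "checksum_bits": cs,
        "unknown_given_first_half": ent - half,
        "unknown_given_second_half": half - cs,
    }


if __name__ == "__main__":
    print(split_search_bits(24))
    for pp in ("", "TREZOR", "correct horse battery staple"):
        print(repr(pp), bip39_seed(MNEMONIC_12, pp).hex()[:32], "...")
```

The split numbers quantify the trade-off rather than settle it: each half still protects roughly 124 bits, but the loss of either half is total, which is the single-point-of-failure argument made elsewhere in the thread.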
One downside of the passphrase compared to a 2/3 multisig is you don't have any redundancy. If you lose your passphrase, you lose your Bitcoin. In a 2/3 multisig if you lose a sig you don't lose your Bitcoin.
You did a great job listing the pros of a passphrase, just wanted to throw out the con I thought of.
reply
100%
Personally I roll with multi-sig these days but it took me a while to upgrade from single-sig + passphrase.
reply
Thanks for the single-sig passphrase idea. I haven't played with passphrases at all, probably worthwhile.
reply
2/2 Multisig is a terrible idea. Splitting up 24 words into two parts is also a terrible idea. With both cases you have TWO single points of failure. Just don't.
Also as others have noted Multisig is a different-in-kind backup method requiring the xPubs of ALL keys in the quorum in order to reconstruct the wallet and spend the funds. Possibly one of the best setups we've come across so far is Stateless Multisig with something like SeedSigner or the Blockstream Jade.
We also have a full piece on How To Protect Your Bitcoin Private Key that goes through a number of other common (but bad) ideas as well as best practices 👍🙂
reply
Thanks for your reply, this makes the most sense to me. The 2 options may be equal (maybe splitting the single sig is better because of less complexity), but they're both bad because of single points of failure. I'll take a look at the article as well.
reply
You can collaborate on a 2of2 without revealing your secret key to the counter party, so it is useful for doing business with others.
I don't know what scenario you are describing though. Are you backing up a key?
reply
The bitcoin that would get this treatment would be the "vault", as DarthCoin explains in this article.
This would be bitcoin you don't want to touch, except maybe to deposit to. It wouldn't be where you'd make payments from.
reply
I respect DarthCoin, but reject dabbling in Shamir Secrets, using substitution cyphers, custom derivation paths, multisig, etc. You become your own worst enemy instead of a potential attacker.
reply
dabbling in Shamir Secrets
For those curious about the details of why you shouldn't dabble with Shamir Secret Sharing: https://en.bitcoin.it/wiki/Shamir_Secret_Snakeoil
Choice quote from that page:
...many attempts at SSS [Shamir Secret Sharing] have been so weak a child's speak-n-spell could crack them. Like the one-time-pad and most other cryptosystems, the security of SSS is fairly brittle.
reply