In this video, he's basically pointing out that you need all three private keys to reconstruct the xpubs, which are needed to prove spending authority... Which he implies defeats the purpose of multisig for individuals.
"Multisig does not create a 2-of-3 redundancy - it requires 3-of-3 redundancy to create 2-of-3 spending authority, and that is very dangerous if you decide to use it for yourself. Because, for yourself, you don't need 2-of-3 spending authority, what you need also is 2-of-3 redundancy, and if you don't have that because if you lose a single seed, you lose all of your money."
This is where this reasoning is incorrect:
If you're thinking you need to reconstruct xpubs, you're thinking about private/public keys the wrong way in this context. There is no reason to be in a situation where you have to reconstruct xpubs.
You can think of xpubs as the wallet's public spending key. xpubs specify what wallet you're spending from. It's the original public key constructed from the original private keys. Yes - you need that to spend. If you lose that, you can't specify what wallet you're trying to spend from. It's the "from" address - you can't send without the "from" address.
BUT - knowing the xpubs doesn't actually give you spending authority. You can't spend with it.
That's incredibly important. Why? Because you don't have to treat your xpubs like a private key! The stakes aren't that high - you can store your xpubs digitally in multiple locations. You can have backups upon backups.
With a private key, too many backups means increased theft potential. That's not the case with xpubs. You should never be in a situation where you have to reconstruct your xpubs in the first place!
So the idea that "you need all three private keys to reconstruct your xpubs to send" is a completely moot point.
Just like any wallet setup, it's dangerous if you don't understand it. As long as you know to store multiple xpubs backups, 2-of-3 multisig is significantly less dangerous than single sig + passphrase.
If that's too complicated for someone to understand, third party collaborative custody solutions like unchained fix that. During their vault setup, they tell you to store a digital copy of your xpubs, and they hold a copy themselves. Unchained would have to completely die AND you'd have to lose access to your cloud or PWM for you to lose access to your bitcoin.
so, just store backups of every xpub in the multisig (N of N) with each one of the seed phrases. makes sense.
reply
I created a LaTeX template for exactly this: https://gist.github.com/ekzyis/7736e2446dbb8ed2cdb587071c42380b
It even uses the SN font for extra style points
reply
Thanks for sharing this
reply
That's really good!
reply
Pretty much. At minimum you could do:
Location #1: Seed 1 + xPubs 1, 2, 3 Location #2: Seed 2 + xPubs 1, 2, 3 Location #3: Seed 3 + xPubs 1, 2, 3 Mobile / desktop wallet: xPubs 1, 2, 3
There isn't a standard to represent xPubs in human readable format (like BIP39) so you can't easily engrave them in metal. As such, you need high redundancy to safeguard against paper / digital copies getting destroyed.
As xPubs don't grant spending permission, you can have as much redundancy as you want. One downside is that while the xPub set doesn't grant spending permission, it does reveal your holdings. An attacker who discovers one of your xPub backups might be motivated to continue digging around if they see that the wallet has a high balance.
reply
If you have the seed and derivation path, you can recreate the xpub, so that’s all you need to save
reply
Yeah it’s kind of confusing, this tripped me up at first too!
You can’t actually recreate the xpubs unless you have all three seed phrases. But you don’t need that to save/receive. You need different pieces of the puzzle to save vs spend.
reply
i think you're missing the point.
reply
I guess so
reply
This guy gets it
reply
He's right
'Most people' are not obsessed with bitcoin though. Leave multisig to the psycho's
reply
Multisig w/ a third party takes minimal intentionality and will result in a lot less lost bitcoin for the non tech-savvy people that use it.
reply
Yes
But there are other risks with that too. KYC & potential gov shutdown
reply
Hey may be incorrectly reasoning correct facts.
Facts being:
The #1 threat to your Bitcoin is you. Multisig set-ups make you even more dangerous.
Now, compromised devices may be the next consideration. Only assuming all best practices wrt that are satisfied, 2 of 2 becomes a reasonable next step for the individual.
2 of 3 is for more of a governance or inheritance scheme. What's in question is the term "individual".
reply
2of2 is reasonable for individuals but 2of3 is for govs?
I would say 2of2 is a lot less secure than single sig for individuals. You just doubled the chance to lose all your bitcoins since it's all gone if you lose a single key.
reply
Good info. Threat modeling on these things is so complicated for normal people, esp in an era where people reuse passwords and most of those who don't use a centralized password manager to manage the passwords, or else write them down in a little paper book.
reply
I use Casa for multi-sig
reply
What I had considered was that I use a 2 of 3 set up where I keep two, and give the third to a TRUSTED source to safeguard. 1. software key, 1 hardware key, and 1 paper key. I am losing trust in the hardware key solution, and I can see that being a potential problem as the trusted party key. A hardware key has to be backed up on paper for best practice does it not?
reply
If you’re using a singlesig hardware wallet, you want a metal backup, not paper.
If you want multisig, paper back ups for each wallet is fine.
reply
I'm just not getting what he means with that, whatever signing device you use to create a multisig wallet always contains all public keys from other signers, so if one of them is compromised, you can still recreate that with any of the signing devices or their backups.
I wrote about my own setup and I think it should be more widely used, it's actually not THAT hard.
Didn't want to mention before, but I feel there is a conflict of interest from people publishing many things on multisig, they always mention some kind of fancy HWW (ahem sponsor).
reply
So, if you genuinely lose your xpubs, the only way to recreate is with all three seed phrases
reply
How do shamir shares compare, one doesn't need as much information from what I gather?
reply
Shamir secret sharing is just a lot more complex than multisig. It involves correctly implemented cryptography, which is incredibly difficult to get right and really easy to mess up.
reply
It solves a different problem. Allows you to securely split and then geographical distribute your private key.
reply