Topic: Multisig 2 of 3 recovery question (Read 135 times)

You can. Just use a single seed phrase, and generate three different master private keys at three different derivation paths, and use those to create a 2-of-3 multi-sig (for example).

This is partly how 2FA Electrum wallets work. When you set one up, you create a 2-of-3 wallet between yourself and TrustedCoin. Your wallet holds one key, and TrustedCoin holds another, allowing for 2FA spends. However, you can also restore this wallet and bypass the 2FA by entering a single seed phrase. This is because Electrum derives two sets of keys from this single phrase, one at m/0' and another at m/1', and imports them both in to your recovered wallet, allowing you to spend without the need for TrustedCoin's key.

I would note that doing this negates a large part of the benefit of a multi-sig wallet, in that the compromise of a single back up will compromise your entire wallet, rather than requiring the compromise of 2 or more back ups in a traditional multi-sig set up.

The easy solution here is that you include back ups of the other shares' master public keys alongside each of your seed phrase back ups. For example, on one piece of paper you would back up Seed Phrase A, xpub B, and xpub C.

A slightly more complicated (but better) solution is as follows. If an attacker was to find one of your back ups as above (containing 1 seed phrase and all other xpubs), although they could not steal your coins, they could recover your addresses and be able to see how many coins you are holding. To avoid this, you can create a back up system which does not store every xpub on every back up, but still means that any two back ups (in a 2-of-3 wallet) are enough to fully recover your wallet. Your three back ups would look like this:

1 - Seed A, xpub B
2 - Seed B, xpub C
3 - Seed C, xpub A

If an attacker finds one of your back ups, they can learn nothing about your wallet or your coins. Any two back ups gives you two seed phrases and the third xpub in order to restore your coins. The same system can be expanded to cover 3-of-5 or other multi-sig combinations, if you choose.

I was primarily looking for a setup to help me mitigate theoretical "software/bug" scenarios (or maybe the good old Exit Scam myth) in devices, so I will likely opt in now for 2 of 2 multisig and use single sheets of paper for seeds until later on in life when the stack is big enough to feel a need to do 2 of 3 via collaborative custody (and when I feel more comfortable with multisig of this kind).

For now I will experiment a bit more with air-gapped signing operations until I get the hang of it.

[On a related note, why can't we simply derive all cosigners of a Multisig address from the same piece of paper, but stored in 3 different parts?]

It seems a bit cumbersome if you're going to be the only one using the Multisig configuration and have to manage 3 seeds. You would reduce the risk of losing one of your papers if you simply store all 3 seeds on the same paper - without any fancy typesetting that would indicate it's a multisig address.

Take note that your master public key is derived from your seed phrase and that's why in a single signature wallet, having the seed phrase is enough.
In a 2 of 3 multi-signature wallet, if you have two seed phrases, two of master public keys are derived from those seed phrases and you must have the third master public key.
If you use a 3 of 3 multi-signature wallet in which you have control over all three seed phrases, you won't need the master public keys, because they are derived from your seed phrases.

Thanks everyone for the input so far.
Yes, it seems the public elements are also needed. I never encountered this issue so far because previously I was running single signature, and the secret keys were enough to generate the single public keys.
But it's not that bad. Sparrow for example allows you to export the Public keys/Output Descriptor even as a PDF so that you can even print it out and keep a paper version of it.
Not impossible to manage.

Output Descriptors are quite new and not all wallets support it, the two that I know are Bitcoin Core and Sparrow.
That video used Sparrow wallet which has good features and descriptor support.

Most wallets as of now, store the keys in a different way.

Let's say Bob, Alice and Diana are the 3 owner of the 3 key. Both have their seed-phrase which are private to them and the muster public key is known to all. If Diana lose her seed-phase. Bob and Alice can move the funds. Bob and Alice had public master key of Diana.

When I read it I get two angles to answer.
1. Diana lost her seed-phrase and everything. But bob and Alice have her Public Master key. This is not a problem as we already discussed
2. Bob and Alice both lost Diana's Public Master Key (Unlikely, isn't it?). Bob and Alice, none can restore the 2 of 3 wallet because it will ask Diana's Public Master Key. The wallet is not accessible anymore.

2 out of 3 setup, and 2 out of 2 setup are two different setup for two different wallet.

Understood, so basically just the Secret elements (2 seedphrases) are not sufficient. One still does need access to the 3 Public elements of this scheme to exist somewhere in order to be able to reconstruct this map.
Thanks for confirming. With this in mind I will know better what to do to plan a good recovery scheme. 👍

In the meantime I came across this video which pretty much also confirms it. They seem to be called Output Descriptors, the pieces of information that allow for this map to be navigated/used.
https://www.youtube.com/watch?v=_X5LygNovLU

I don't think this is possible. If I'm remembering right the hash of a redeemscript is what is paid to as.the "address" (which would contain the 3 keys that are paid) so you'd have to provide all 3 public keys in order to redeem the funds.

You'd only need that extra zpub though to spend those funds (and the 2 nmemonics you already have). If you had it in mind you were going to use 2 often and have a third as a backup, there's no reason you couldn't put that zpub everywhere you'll find it online (like cloud storage and email) - you'll remain untraceable unless you use that third signature to spend funds and then you'll only be tracked by where you uploaded it to or if that account gets hacked a hacker might see it.

Hello everyone,
I just got myself some hardware devices from different companies in an attempt to reduce that risk surface of "one entity/company pulling a exit scam". Of course, kind of unlikely, but why not learn Multisig to mitigate this risk (helps with software/code vulnerabilities too).
Anyway, here is my question:

I want to set up 2 of 3 multisig. I noticed those 3 elements are initially needed to set up/create this scheme.
What happens if somehow I totally lose access to one of these seedphrases/elements, zpub included (even the common one).
Let's say I somehow end up in a situation where I will have access to only two seedphrases, are these enough to create a 2 of 2 multisig that has similar properties or will that 3rd element still be needed?

In the classic setup with single signature seed backup, the seed itself is enough to derive the list of addresses and the rest.
Are 2 out of 3 seeds enough to generate that same address tree if I try to use them to make a 2 out of 2 setup? I noticed all devices seem to go for this derivation path: m/48'/0'/0'/2'

I hope the question was clear enough  , the reason I got this curiosity now is because of backup procedures.
I am now left wondering if I should worry only about the seeds primarily or also if I must seek to make backups of the respective xpub/zpub information for these respective seeds to rebuilt at a later date.

Thanks for your time, I hope some of you can help me out here.