Pages:
Author

Topic: Wallet Features That Are Missing but Essential (Read 314 times)

copper member
Activity: 2996
Merit: 2374
November 09, 2021, 05:41:00 PM
#29
CheckMultiSigVerify OP
So you change OP_CHECKSIGVERIFY to another OP_CHECKMULTISIG as pooya has said,
You're right. I had not considered that.

Although you are still limited as to how many potential signers there are in a script (this is my understanding), and there is still the issue of having to change keys whenever an employee leaves, and changing keys with multi-sig means that a transaction is required, including the cost of said transaction.

Also, the employees need to be in a location specified by the employer in order to sign a transaction when using SSS with my setup. If a group of employees are fired for misconduct, as long as you can keep them outside of the room containing the computer used to sign transactions (and otherwise limit their access to said computer), your private keys are safe.

In my scenario, a company computer most be used to access the secret. Using a computer that is not the specific computer designed by the computer to calculate the secret will result in useless information. This allows the company to log any transactions that are signed, including which employees are approving the transaction.
So you set up the multi-sig as above to absolutely require one signature which is stored only on a company computer, and set it up so the company computer will not accept PSBTs but will only accept unsigned transactions and employees connecting their hardware wallets to sign with their relevant keys.
If you are using multi-sig without sharing keys, the company could just look at the blockchain, specifically the signature of the transaction to see who signed the transaction.
legendary
Activity: 2730
Merit: 7065
hmmmmmm I've seen blue wallet have a similar option that doesnt reveal the "correct" recovery phrases on purpouse
What do you mean on purpose? So if I had a Blue wallet, and I wanted to check my seed (for whatever reason), the software would show some random words (aka a fake seed) and not my actual seed? Why would it do that? Could I still bypass it and have the client display my real mnemonic as well by entering another password or removing that feature in the settings?

It actually doesn't sound that bad when you think about. You enable a feature that displays a wrong seed. If someone were to get hold of your wallet file + password, he wouldn't be able to spend from the wallet or display its seed without a secondary spending password. Some exchanges use a trading or withdrawal PIN that is independent of your password.
legendary
Activity: 2268
Merit: 18711
If you do that, you must have a single manager and cannot have one of multiple managers sign off on a transaction.

You are also limited to one mandatory person and a second group of people. With SSS, you can have an arbitrary number of groups of people required to access the ultimate secret.
So you change OP_CHECKSIGVERIFY to another OP_CHECKMULTISIG as pooya has said, and then you can have one of three managers and two of three employees needed. Maybe you use OP_IF combined with another OP_CHECKMULTISIG to make it so two managers together can bypass the employee requirement, or OP_IF with OP_CHECKSIGVERIFY to make it so one director on their own can bypass all the managers and employees. Or maybe you use three OP_CHECKMULTISIGs to create three 1-of-3 set ups together, so you need one employee from three different groups.

In my scenario, a company computer most be used to access the secret. Using a computer that is not the specific computer designed by the computer to calculate the secret will result in useless information. This allows the company to log any transactions that are signed, including which employees are approving the transaction.
So you set up the multi-sig as above to absolutely require one signature which is stored only on a company computer, and set it up so the company computer will not accept PSBTs but will only accept unsigned transactions and employees connecting their hardware wallets to sign with their relevant keys.

Anything that is possible with SSS is possible with multi-sig, and multi-sig is a much safer way of doing things.
legendary
Activity: 3472
Merit: 10611
If you do that, you must have a single manager and cannot have one of multiple managers sign off on a transaction.
You are also limited to one mandatory person and a second group of people.
You are only limited by your imagination and understanding of how bitcoin smart contracts work. You can create almost any scenario you can think of very easily. For example if you wanted to add multiple managers to the above script you simply turn the CheckSigVerify to CheckMultiSigVerify OP.

Quote
you can have an arbitrary number of groups of people required to access the ultimate secret.
At some point things stop making sense. For example how many "groups of people" should have access to your money?! In most cases it is not more than 2, anything more complex may need much simpler solutions with better security such as splitting the money between smaller delegates.
copper member
Activity: 2996
Merit: 2374
Multi-sig treats all signing keys equally.
Not necessarily. You could use something like:

Code:
OP_CHECKSIGVERIFY OP_1 OP_3 OP_CHECKMULTISIG

This will essentially create a 2-of-4 multsig, but it requires the manager to be one of those two.
If you do that, you must have a single manager and cannot have one of multiple managers sign off on a transaction.

You are also limited to one mandatory person and a second group of people. With SSS, you can have an arbitrary number of groups of people required to access the ultimate secret.

It also allows for logging of who is signing off on transactions, which is not possible using a 2-of-2 multisig when keys are shared.
Can you elaborate? In your example, any 3 of the 24 SSS shares will recover the same secret. You don't know if A+B+C combined to recover the secret or if it was D+E+F.
In my scenario, a company computer most be used to access the secret. Using a computer that is not the specific computer designed by the computer to calculate the secret will result in useless information. This allows the company to log any transactions that are signed, including which employees are approving the transaction.

This is not cryptographically provable, however the same can be said about other business records generated by companies. 
legendary
Activity: 2268
Merit: 18711
Multi-sig treats all signing keys equally.
Not necessarily. You could use something like:

Code:
OP_CHECKSIGVERIFY OP_1 OP_3 OP_CHECKMULTISIG

This will essentially create a 2-of-4 multsig, but it requires the manager to be one of those two.

It also allows for logging of who is signing off on transactions, which is not possible using a 2-of-2 multisig when keys are shared.
Can you elaborate? In your example, any 3 of the 24 SSS shares will recover the same secret. You don't know if A+B+C combined to recover the secret or if it was D+E+F.
copper member
Activity: 2996
Merit: 2374
At a bank, in order to access cash, you must have one person from one set of employees, and another from another set of employees to open a vault/safe (some employees are assigned a small amount of cash they are personally responsible for so they can handle smaller transactions).
Which can all be achieved more securely with multi-sig than it can with SSS.
Multi-sig treats all signing keys equally. So the only way to implement forcing two different groups of people needing to sign is via a 2-of-2 multi-sig with all members of each group sharing the same key.

With SSS the setup could be as follows:
A 3-of-24 SSS unlocks 1 of a 2-of-2 SSS secret[1]
The 2-of-2 SSS secret named "[1]" above is used to unlock a second 2-of-2 SSS secret[2] that is the private key(or xprvkey).
The second secret needed to unlock [1] is stored on the computer kept in a secure location in which it is difficult for employees to access.
The second secret needed to unlock [2] can be derived from a 2-of-3 SSS used by a different group of people (such as the managers)
In the event an employee leaves the company, a new 2-of-3 SSS[3] is created with one being the output of a new 3-of-24 SSS, one being stored on the above described computer, and one being destroyed.
After [3] is created, the secret for [1] is destroyed on the above described computer.
Alternatively, [3] could be a 3-of-3 SSS in which two of the 3 secrets are stored on the above described computer, and one is derived from the new 3-of-24 SSS for the employees.
Which is a ridiculously complicated scenario, even more so when you start needing to replace some secrets. As I said above, this overly complicated scenario is far more error prone and far more likely to lead to information being leaked or accidentally exposed, even before you consider the many inherent weaknesses in SSS when compared to multi-sig.
Most of the above can be automated, including the replacing of the secrets. It also allows for logging of who is signing off on transactions, which is not possible using a 2-of-2 multisig when keys are shared.
legendary
Activity: 2268
Merit: 18711
A college fund is for well, college. As such, the child should not have access to his or her college fund until he or she is old enough to attend college.
Replace college fund with savings account or something similar then. You might want them to be able to spend their money on something useful they have saved up for like a new computer, but you don't want them to be able to blow it all on beer for the weekend. My point is although you might not have a use case for it, someone else will.

At a bank, in order to access cash, you must have one person from one set of employees, and another from another set of employees to open a vault/safe (some employees are assigned a small amount of cash they are personally responsible for so they can handle smaller transactions).
Which can all be achieved more securely with multi-sig than it can with SSS.

With SSS the setup could be as follows:
A 3-of-24 SSS unlocks 1 of a 2-of-2 SSS secret[1]
The 2-of-2 SSS secret named "[1]" above is used to unlock a second 2-of-2 SSS secret[2] that is the private key(or xprvkey).
The second secret needed to unlock [1] is stored on the computer kept in a secure location in which it is difficult for employees to access.
The second secret needed to unlock [2] can be derived from a 2-of-3 SSS used by a different group of people (such as the managers)
In the event an employee leaves the company, a new 2-of-3 SSS[3] is created with one being the output of a new 3-of-24 SSS, one being stored on the above described computer, and one being destroyed.
After [3] is created, the secret for [1] is destroyed on the above described computer.
Alternatively, [3] could be a 3-of-3 SSS in which two of the 3 secrets are stored on the above described computer, and one is derived from the new 3-of-24 SSS for the employees.
Which is a ridiculously complicated scenario, even more so when you start needing to replace some secrets. As I said above, this overly complicated scenario is far more error prone and far more likely to lead to information being leaked or accidentally exposed, even before you consider the many inherent weaknesses in SSS when compared to multi-sig.
copper member
Activity: 2996
Merit: 2374
I would echo Dave's concerns about "protecting" children's money. If your child is growing up, as a parent, you need to "let" them fail so they will learn.
Maybe, maybe not. Maybe I would be ok with my kid losing their monthly allowance of 0.0025 BTC so it teaches them a lesson about a security, but I don't want them to lose their college fund of 2.5 BTC.
A college fund is for well, college. As such, the child should not have access to his or her college fund until he or she is old enough to attend college. At that point, he or she will hopefully learned how to sufficiently protect his or her money.

So I guess a 2-of-2 multi-sig would be better than my simple example, but shamir shared secret is superior to more complex scenarios that might be more realistic in the corporate world.
I disagree. A 2-of-2 multi-sig is obviously better in the example discussed above, but in more complex scenarios I fail to see any corporate entity setting up a 3-of-24 SSS and a 2-of-3 SSS, and combining them in to a 2-of-2 multisig as you have described. You need either everyone working in the same office, or you need to take significant additional and costly security precautions and yet still expose yourself to significant additional risks. It is far more complex to set up and far more cumbersome to use. More likely is that employees would simply send a written request to the managers (maybe even signed with their PGP keys for authenticity purposes), who would then approve the request and sign a transaction from their managerial x-of-y multisig.
At a bank, in order to access cash, you must have one person from one set of employees, and another from another set of employees to open a vault/safe (some employees are assigned a small amount of cash they are personally responsible for so they can handle smaller transactions).

Employee turnover is another risk to multi-sig. Anytime an employee leaves the company (especially if they are fired), the company would need to move their bitcoin to a new multi-sig address to reduce the risk their bitcoin will be stolen by a combination of rouge ex-employees.
This applies equally to SSS. A quorum number of ex-employees could combine their secrets to recover the wallet.
With SSS the setup could be as follows:
A 3-of-24 SSS unlocks 1 of a 2-of-2 SSS secret[1]
The 2-of-2 SSS secret named "[1]" above is used to unlock a second 2-of-2 SSS secret[2] that is the private key(or xprvkey).
The second secret needed to unlock [1] is stored on the computer kept in a secure location in which it is difficult for employees to access.
The second secret needed to unlock [2] can be derived from a 2-of-3 SSS used by a different group of people (such as the managers)
In the event an employee leaves the company, a new 2-of-3 SSS[3] is created with one being the output of a new 3-of-24 SSS, one being stored on the above described computer, and one being destroyed.
After [3] is created, the secret for [1] is destroyed on the above described computer.
Alternatively, [3] could be a 3-of-3 SSS in which two of the 3 secrets are stored on the above described computer, and one is derived from the new 3-of-24 SSS for the employees.

As long as the old secrets stored on the above described computer are destroyed, it would be impossible for former employees to use their secrets to get any meaningful information.
legendary
Activity: 2268
Merit: 18711
Why not the same here? Why get big brother involved?
Because you can essentially achieve the same outcome already if you are technically minded, as we have discussed in this thread. A multi-sig set up with with the child holding one key and sending a PSBT to their parent for approval and broadcasting does the same thing, with the added bonus of being completely non-custodial, not requiring any third parties, being more secure, being more private, and you can increase the number of shares if you want to have other people involved or other back ups.

Any user who wants to run a system like this and is capable of doing so will simply do so as described above. To turn all this in to a centralized process, which will no doubt track your usage and collect your data to sell to third parties, is the kind of thing you would expect from the usual suspects. Perhaps I should have said Coinbase instead of Google, but the point still stands.
newbie
Activity: 58
Merit: 0
hmmmmmm I've seen blue wallet have a similar option that doesnt reveal the "correct" recovery phrases on purpouse
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Makes you wonder if there is a need for something like linked mobile wallets.
Sounds like something Google will come out with in due course.

Why Google? I would like to think any wallet could do it with some back end work.

What I envision is you have 'X' number of devices when you create the wallet.
When you setup that spend wallet you give it all the phone #s of the other wallets and / or some other device id information for push.

The 'spend' wallet has code in it that requires a push alert or SMS code before signing.
When it goes to sign a transaction, it either sends out a mass text or contacts a server that does a push notification to all the other listed wallets.
All it needs to sign (or show the private keys / seed) is a yes response from one of the other devices.

You don't have to use their server to do the push if you are OK with SMS.
You don't have to use SMS if you just want to use their server, and in an ideal world it's open source so you could setup your own server.

Banks have done this for YEARS with CC processing. Citibank (at least I think it's Citi could be BoA) has corporate card settings where you can spend up to X without others getting notified. At Y dollars certain people get a text / email / alert. And at Z dollars the transaction will not be processes till someone hits the green button marked OK. XYZ are all editable by corporate accounting.

Why not the same here? Why get big brother involved?

-Dave
legendary
Activity: 2268
Merit: 18711
I would echo Dave's concerns about "protecting" children's money. If your child is growing up, as a parent, you need to "let" them fail so they will learn.
Maybe, maybe not. Maybe I would be ok with my kid losing their monthly allowance of 0.0025 BTC so it teaches them a lesson about a security, but I don't want them to lose their college fund of 2.5 BTC.

So I guess a 2-of-2 multi-sig would be better than my simple example, but shamir shared secret is superior to more complex scenarios that might be more realistic in the corporate world.
I disagree. A 2-of-2 multi-sig is obviously better in the example discussed above, but in more complex scenarios I fail to see any corporate entity setting up a 3-of-24 SSS and a 2-of-3 SSS, and combining them in to a 2-of-2 multisig as you have described. You need either everyone working in the same office, or you need to take significant additional and costly security precautions and yet still expose yourself to significant additional risks. It is far more complex to set up and far more cumbersome to use. More likely is that employees would simply send a written request to the managers (maybe even signed with their PGP keys for authenticity purposes), who would then approve the request and sign a transaction from their managerial x-of-y multisig.

Employee turnover is another risk to multi-sig. Anytime an employee leaves the company (especially if they are fired), the company would need to move their bitcoin to a new multi-sig address to reduce the risk their bitcoin will be stolen by a combination of rouge ex-employees.
This applies equally to SSS. A quorum number of ex-employees could combine their secrets to recover the wallet.

Makes you wonder if there is a need for something like linked mobile wallets.
Sounds like something Google will come out with in due course.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Electrum 2fa will work with the 2fa part being on the parents phone. Note 2fa not sperate multisig
There are some custodial wallets that will allow for this, they need a Google Authenticator to send which does not need to be on the same phone.
The problem with 2FA codes are their 30 second time limit. Any kind of network delay between the parent sending the code to the child and it will no longer be valid by the time the child copies it in. And I don't know about your parents, but I wouldn't trust mine to be able to copy and paste a code in to a message and send that message in anything under 30 seconds. Tongue

I would not trust my parents to do it either. BUT, at a guess we are both 'older' and we would be the parents and our parents would be the grandparents.

Makes you wonder if there is a need for something like linked mobile wallets.
The other phones / tablets would need to be connected with the app running in the background all the time.
Person A tries to spend. Everyone else gets a popup that they tried to send a transaction approve Y / N

Zero privacy and subject to needing data / ability to send receive SMS but an interesting concept.
For the really paranoid parents / employers you could geo tag where the sender is.

As far as I know nothing like that exists, but might be an interesting thing to see if people would want it.

-Dave
copper member
Activity: 2996
Merit: 2374
If you want to guarantee that the "approver" cannot spend on their own, an alternative might be to implement shamir shared secret. The workflow might be as follows:
What benefit does this have over a 2-of-2 multisig?
I would echo Dave's concerns about "protecting" children's money. If your child is growing up, as a parent, you need to "let" them fail so they will learn.

In my example, only two people were mentioned, but in reality, the number of people involved could be in the dozens, and there could be more than one required person making the request, and more than one person required to approve the request, and these people must come from distinct groups of people. Say for example, there is a team of 24 team members managed by three managers. The company might require that three employees request a transaction, and it must be approved by two managers. The employees could have a 3 of 24 secret that could be one of two secrets that are required to access a private key. Each of the three managers could have one secret that is part of a 2 of 3 secret that would e the other of the two secrets required to access the private key.

Having 24 team members would not be possible with multi-sig, and requiring a certain number of signatures from y distinct groups is also not possible with multi-sig.

So I guess a 2-of-2 multi-sig would be better than my simple example, but shamir shared secret is superior to more complex scenarios that might be more realistic in the corporate world.

Employee turnover is another risk to multi-sig. Anytime an employee leaves the company (especially if they are fired), the company would need to move their bitcoin to a new multi-sig address to reduce the risk their bitcoin will be stolen by a combination of rouge ex-employees.

This will change with taproot, but currently, multi-sig requires more block space.

I don't understand why people keep recommending Shamir if we can have multisig. It has so many downsides; just a few in the example from Quickseller:

* both entities must be at the same place & same time
* way more complex (need airgapped computer, load keys on it, etc.)
* way less secure (full private key will be on that machine in that moment - one can grab it and run etc.)
* much more knowledge required (verify the drive is wiped and all those steps)
If certain security measure are taken to ensure no one has physical access to the computer, and that anytime someone accesses the room where the computer is physically located that power is cut to the computer (wiping its RAM), an alternative might be to SSH, or otherwise remotely connect to the computer with the script that calculates the private key. This obviously comes with the pitfalls related to keeping your private keys on a non-airgapped computer. You might be able to reduce the risks somewhat by keeping the computer on a private network, and restricting which computers can connect to the private network.

Without allowing SSH/remote access to the airgapped computer, precautions could be taken to prevent a "smash and grab" theft, such as bolting the computer to the ground, remote camera monitoring of the room the computer is located in, and being required to be "buzzed" out of the room when you have signed the transaction, and probably others.
legendary
Activity: 2268
Merit: 18711
The only advantage of Shamir secret sharing I had ever thought of is for inheritance purpose in which the hires will not know the exact amount of bitcoin in connection to the seed phrase. If multisig wallet is used which is better, but the bitcoin in connection to the seed phrase will definitely be known to the hires.
Not necessarily.

Let's say I want to set up an inheritance between my partner and 3 children. 4 shares in total, but I want some redundancy in the system in case something happens to one of them, so I want a 3-of-4 system. I create a 3-of-4 multisig, and for my 4 back ups I create the following:

Back up 1: Seed A, xpub B
Back up 2: Seed B, xpub C
Back up 3: Seed C, xpub D
Back up 4: Seed D, xpub A

I then hand out one back up to each of my family members. No family member has any idea how much bitcoin is stored in the multi-sig wallet, but any three shares contains enough information to fully recover the 3-of-4 multisig wallet.
legendary
Activity: 2730
Merit: 7065
Oh yes, very valid point! Kid could receive money from grandparents and then a parent grabs it since they 'need it' or something like that.
o_e_l_e_o was just suggesting an alternative in case the kid doesn't have both parents. If one of them is deceased, divorced, imprisoned, etc. I mentioned that the mom could hold one key while the dad has possession of the other. But if the kid has only one parent, a grandparent, uncle, trusted friend, etc. could take the place of the missing parent. It would still be the parent/s who are depositing money into the account for their child to spend, so that part remains the same.

But in your scenario, if the grandparent held one of the private keys, he could prevent the parent from stealing coins that were meant for the grandchild. I understand what you were trying to say.   
legendary
Activity: 1512
Merit: 4795
Leading Crypto Sports Betting & Casino Platform
If you want to guarantee that the "approver" cannot spend on their own, an alternative might be to implement shamir shared secret. The workflow might be as follows:
What benefit does this have over a 2-of-2 multisig?
The only advantage of Shamir secret sharing I had ever thought of is for inheritance purpose in which the hires will not know the exact amount of bitcoin in connection to the seed phrase. If multisig wallet is used which is better, but the bitcoin in connection to the seed phrase will definitely be known to the hires.

But Shamir secret sharing is not advisable, first because it is not part of BIPs, second because it is made up of characters like private keys (although, not private keys), just like what has been implemented before in BIP (master private key) that was converted to seed phrase which is easy for backup, I do not see any good reason to backup characters as they are hard to put down.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
I really like this option; actually prefer it over the one I suggested myself, because here both parents can sign, for example if sometimes one is at work, sometimes the other and stuff like that.
It also prevents one parent "going rogue" and stealing all the kids' money. There are plenty of horror stories out there of parents spending their kids' birthday or Christmas gifts, savings, college funds, etc., on themselves. If there are not two parents in the picture, then perhaps a grandparent or family friend could hold the other key. Kid and parent can make a purchase, with kid and grandparent as a backup if something happens to the parent.
Oh yes, very valid point! Kid could receive money from grandparents and then a parent grabs it since they 'need it' or something like that.

If you want to guarantee that the "approver" cannot spend on their own, an alternative might be to implement shamir shared secret. The workflow might be as follows:
What benefit does this have over a 2-of-2 multisig?
I don't understand why people keep recommending Shamir if we can have multisig. It has so many downsides; just a few in the example from Quickseller:

* both entities must be at the same place & same time
* way more complex (need airgapped computer, load keys on it, etc.)
* way less secure (full private key will be on that machine in that moment - one can grab it and run etc.)
* much more knowledge required (verify the drive is wiped and all those steps)
legendary
Activity: 2268
Merit: 18711
I really like this option; actually prefer it over the one I suggested myself, because here both parents can sign, for example if sometimes one is at work, sometimes the other and stuff like that.
It also prevents one parent "going rogue" and stealing all the kids' money. There are plenty of horror stories out there of parents spending their kids' birthday or Christmas gifts, savings, college funds, etc., on themselves. If there are not two parents in the picture, then perhaps a grandparent or family friend could hold the other key. Kid and parent can make a purchase, with kid and grandparent as a backup if something happens to the parent.

Electrum 2fa will work with the 2fa part being on the parents phone. Note 2fa not sperate multisig
There are some custodial wallets that will allow for this, they need a Google Authenticator to send which does not need to be on the same phone.
The problem with 2FA codes are their 30 second time limit. Any kind of network delay between the parent sending the code to the child and it will no longer be valid by the time the child copies it in. And I don't know about your parents, but I wouldn't trust mine to be able to copy and paste a code in to a message and send that message in anything under 30 seconds. Tongue

If you want to guarantee that the "approver" cannot spend on their own, an alternative might be to implement shamir shared secret. The workflow might be as follows:
What benefit does this have over a 2-of-2 multisig?
Pages:
Jump to: