Bitcoin Forum>Bitcoin>Development & Technical Discussion>Wallet software
Pages:
Author

Topic: Xor or multisig (Read 666 times)

Pmalek
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
Xor or multisig
February 20, 2023, 03:36:40 PM
#59
Quote from: Jason Brendon on February 20, 2023, 12:11:18 AM
looks like a very solid backup plan. One thing i am not sure with the xpub backups is that since it's xpubs... they can't be really backed up offline or by hand writing....
They can, it's just a tedious and unfriendly process. Print out the xpubs on the same piece of paper where you will write down the seed by hand. You can even add lines for where the seed words will be written later.
Backup: 1. _____ 2. _____ 3. ______ etc.,    xpub 1
o_e_l_e_o
legendary
Activity: 2268
Merit: 18503
Re: Xor or multisig
February 20, 2023, 05:45:24 AM
#58
Quote from: Jason Brendon on February 20, 2023, 03:09:41 AM
imaging you need to note down 3 xpubs.. any wrong character in the xpubs will later cost all the funds.
True, which is why after you have written down your xpubs (or indeed, made any back up of anything in any form), you should test your back up by using it to recover from. If you can successfully recover from it, then you know it is correct. The same goes for seed phrases. I would never create a wallet, write down the seed phrase, and then send coins to the wallet before first testing that the seed phrase I wrote down does indeed recover the same wallet.

Having said all that, if you don't want to write down the xpubs then you can of course print them out. In order to generate addresses to send coins to in your multi-sig set up, you must have all the xpubs together on the same device at some point in order to create the wallet in the first place. Attaching a (dumb) printer to that device in order to print out the xpubs introduces very little additional risk.
witcher_sense
legendary
Activity: 2310
Merit: 4313
🔐BitcoinMessage.Tools🔑
Re: Xor or multisig
February 20, 2023, 05:40:14 AM
#57
Quote from: Jason Brendon on February 20, 2023, 12:11:18 AM
looks like a very solid backup plan. One thing i am not sure with the xpub backups is that since it's xpubs... they can't be really backed up offline or by hand writing....

You will have to either print it out or keep the file in a digital form..

Meaning, if a person uses a multisig setup, he will likely backup the xpubs or the whole setup of his multisig in a digital form.
For this setup to work correctly against physical attacks on your cryptocurrency holdings, all your backups need to be spread geographically, preferably across multiple jurisdictions with different laws regarding your rights to keep your personal information secret. One of them is obviously should be Wyoming. Yes, the first evil person to attack your bitcoin is going to be your own government trying to protect you from supposedly wrong investment decisions, which often results in citizens handing over their gold or something else valuable in exchange for questionable protection. Of course, people who work for the government know about all the established strategies of signature separation, but the xor strategy is somewhat modern, which means there is a tiny chance that they are not aware of how it works exactly. It is up to you to decide which approach to follow, but in my opinion, the best security approach does not involve sharing it on the Internet. Keep it secret how you keep your secret.
Jason Brendon
member
Activity: 133
Merit: 65
Re: Xor or multisig
February 20, 2023, 03:09:41 AM
#56
Quote from: sad-error on February 20, 2023, 03:01:51 AM
Quote from: Jason Brendon on February 20, 2023, 12:11:18 AM
they can't be really backed up offline or by hand writing....

why not? sure it's a bit long and inconvenient but surely nothing is preventing you from writing it out by hand?

not because i am lazy af but it's error-prone... imaging you need to note down 3 xpubs.. any wrong character in the xpubs will later cost all the funds.
sad-error
newbie
Activity: 27
Merit: 12
Re: Xor or multisig
February 20, 2023, 03:01:51 AM
#55
Quote from: Jason Brendon on February 20, 2023, 12:11:18 AM
they can't be really backed up offline or by hand writing....

why not? sure it's a bit long and inconvenient but surely nothing is preventing you from writing it out by hand?
Jason Brendon
member
Activity: 133
Merit: 65
Re: Xor or multisig
February 20, 2023, 12:11:18 AM
#54
Quote from: o_e_l_e_o on February 12, 2023, 09:18:44 AM
Quote from: sad-error on February 12, 2023, 07:33:02 AM
In the end it's always a balance of security and redundancy, isn't it? You can't really have both.
Absolutely. If this is your chosen set up, then the only thing I can see to add would be to airgap your computer, if it isn't already. Encryption at rest is obviously a good thing, but if you are decrypting on an internet connected device, then there is still a potential risk there to your descriptor/pub keys. I have a handful of different multi-sig wallets which I use for storing larger amounts of bitcoin, but the computer involved is always airgapped. Once the transaction is fully signed by a combination of computers, hardware wallets, whatever, then you can load it on to an internet connected computer to be broadcast.

My back ups for a 2-of-3 multi-sig take the following form:
Back up 1: Seed A, xpub B
Back up 2: Seed B, xpub C
Back up 3: Seed C, xpub A

That way any two back ups are sufficient to fully restore the wallet, while the compromise of one back up provides the attacker with nothing useful. Using this system, I don't also have to back up my public keys elsewhere, as you have done in your password manager.


looks like a very solid backup plan. One thing i am not sure with the xpub backups is that since it's xpubs... they can't be really backed up offline or by hand writing....

You will have to either print it out or keep the file in a digital form..

Meaning, if a person uses a multisig setup, he will likely backup the xpubs or the whole setup of his multisig in a digital form.
Pmalek
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
Re: Xor or multisig
February 18, 2023, 04:30:51 AM
#53
Quote from: Saint-loup on February 15, 2023, 02:21:39 PM
I don't understand why remembering your seed would be a bigger disaster than keeping your seeds at home, into your devices? By doing that you have to trust any people able to access your home when you're outside, guests, family, workers, etc and taking strong and expensive physical security measures against burglars.
Manipulating and extracting data from chips and physical devices isn't something that many people know. Especially not home robbers. Your security should be strong enough so that you have time to recover and move your coins from one of your backups while someone (may or may not be) is working on getting access to the stolen device.

Old age and sickness changes the mind. It makes you forgetful and uncareful. I am looking at my dad, who is no longer a young man, and compare him to the person he was decades ago. He has problems understanding what he hears on TV, he can't keep up with our conversations, and forgets important things. A few weeks ago, he revealed a family secret to some people that had no business knowing it during a family dinner. He didn't think about what he was saying. Later when we asked him why he did it, he was sad and didn't know. I forgot that we weren't supposed to talk about it, he said.   
o_e_l_e_o
legendary
Activity: 2268
Merit: 18503
Re: Xor or multisig
February 15, 2023, 03:12:41 PM
#52
Quote from: Saint-loup on February 15, 2023, 02:21:39 PM
I don't understand why remembering your seed would be a bigger disaster than keeping your seeds at home, into your devices?
Because the human brain is incredibly fragile, and you can easily forget your seed phrase through no fault of your own with zero warning.

Quote from: Saint-loup on February 15, 2023, 02:21:39 PM
By doing that you have to trust any people able to access your home when you're outside, guests, family, workers, etc and taking strong and expensive physical security measures against burglars.
Then all the more reason to use multi-sig and split up your back ups, which protects against this particular threat.

Quote from: Saint-loup on February 15, 2023, 02:21:39 PM
In addition, with a multisig wallet you need to store master public keys along with your seeds, while they are very weak against alteration because few missing characters can lead them to be unrecoverable.
You can simply print out your master public keys with a dumb printer, but you don't have to. As sad-error has explained above, his multi-sig setup does not require backing up the master public keys alongside the seed phrases, although personally I wouldn't choose this method.
Saint-loup
legendary
Activity: 2590
Merit: 2348
Re: Xor or multisig
February 15, 2023, 02:21:39 PM
#51
Quote from: o_e_l_e_o on February 13, 2023, 05:39:29 AM
Quote from: Saint-loup on February 12, 2023, 04:53:42 PM
As I said above a m-of-n multi-sig doesn't provide the same "redundancy in its back ups as an identical m-of-n SSS", because when you use a split seed you only need to remember one seed (the original one), so you don't need to bring your seeds with you each time you need to use your wallet.
I don't recommend remembering any seed phrases. That is a recipe for disaster.

If you want to use a multi-sig on only one device (as you would with SSS), you can do that too by simply importing two seed phrases in to the same device, while still benefiting from the 2-of-3 set up for your back ups. But multi-sig gives you the option to not have a single point of failure, which SSS fails to do.

Quote from: Saint-loup on February 12, 2023, 04:53:42 PM
This means you would need to store 3 seeds, and not a single extra one, to use your wallet with a 2-of-3 SSS seed, instead of 5 or 6 ones.
Why would I need to store 5 or 6 seed phrases with a 2-of-3 multi-sig? I've just shown above what my three back ups would be. A 2-of-3 SSS or a 2-of-3 multi-sig needs 3 back ups (unless you want to duplicate for added redundancy). A SSS requires one device to spend from, which is a single point of failure. A multi-sig can be spent from one device if you want, or can be spent using multiple devices for added security. Anything you are doing here with SSS, a multi-sig does better and more securely.
I don't understand why remembering your seed would be a bigger disaster than keeping your seeds at home, into your devices? By doing that you have to trust any people able to access your home when you're outside, guests, family, workers, etc and taking strong and expensive physical security measures against burglars. In addition, with a multisig wallet you need to store master public keys along with your seeds, while they are very weak against alteration because few missing characters can lead them to be unrecoverable. While mnemonic seeds are still usable with many missing characters and even with few whole words missing.
o_e_l_e_o
legendary
Activity: 2268
Merit: 18503
Re: Xor or multisig
February 13, 2023, 05:39:29 AM
#50
Quote from: Saint-loup on February 12, 2023, 04:53:42 PM
As I said above a m-of-n multi-sig doesn't provide the same "redundancy in its back ups as an identical m-of-n SSS", because when you use a split seed you only need to remember one seed (the original one), so you don't need to bring your seeds with you each time you need to use your wallet.
I don't recommend remembering any seed phrases. That is a recipe for disaster.

If you want to use a multi-sig on only one device (as you would with SSS), you can do that too by simply importing two seed phrases in to the same device, while still benefiting from the 2-of-3 set up for your back ups. But multi-sig gives you the option to not have a single point of failure, which SSS fails to do.

Quote from: Saint-loup on February 12, 2023, 04:53:42 PM
This means you would need to store 3 seeds, and not a single extra one, to use your wallet with a 2-of-3 SSS seed, instead of 5 or 6 ones.
Why would I need to store 5 or 6 seed phrases with a 2-of-3 multi-sig? I've just shown above what my three back ups would be. A 2-of-3 SSS or a 2-of-3 multi-sig needs 3 back ups (unless you want to duplicate for added redundancy). A SSS requires one device to spend from, which is a single point of failure. A multi-sig can be spent from one device if you want, or can be spent using multiple devices for added security. Anything you are doing here with SSS, a multi-sig does better and more securely.
Saint-loup
legendary
Activity: 2590
Merit: 2348
Re: Xor or multisig
February 12, 2023, 04:53:42 PM
#49
Quote from: o_e_l_e_o on February 12, 2023, 04:34:07 AM
Quote from: Saint-loup on February 11, 2023, 05:35:23 PM
This means you are using 2 x 3 (6) seeds while a thief just needs to find 2 of them to be able to steal your funds. That's half more risky than using 4 shares of a split seed scattered in 4 different locations, and 2x times more risky than using a 2-of-3 split seed.
A m-of-n multi-sig provides the exact same redundancy in its back ups as an identical m-of-n SSS, without all the disadvantages of SSS. You can then add a passphrase on top of either system if you so choose.
If you add a passphrase, it adds another element to remember or to care about. And if you are not able to remind it or if you lose it, you will lose all your funds.
As I said above a m-of-n multi-sig doesn't provide the same "redundancy in its back ups as an identical m-of-n SSS", because when you use a split seed you only need to remember one seed (the original one), so you don't need to bring your seeds with you each time you need to use your wallet.
In order to use your multisig wallet you need to store 2 seeds in your devices, with a split seed you would just need to enter the remembered seed in your device when you need to use it. This means you would need to store 3 seeds, and not a single extra one, to use your wallet with a 2-of-3 SSS seed, instead of 5 or 6 ones.

Quote from: o_e_l_e_o on February 12, 2023, 04:34:07 AM
If your device breaks down then any back up will recover your wallet, not just SSS.
It's usually at this moment that you realize that your backup seed is not readable anymore, is encrypted with a key/password you've lost or is not where you think you hid it 3 years ago...
o_e_l_e_o
legendary
Activity: 2268
Merit: 18503
Re: Xor or multisig
February 12, 2023, 09:18:44 AM
#48
Quote from: sad-error on February 12, 2023, 07:33:02 AM
In the end it's always a balance of security and redundancy, isn't it? You can't really have both.
Absolutely. If this is your chosen set up, then the only thing I can see to add would be to airgap your computer, if it isn't already. Encryption at rest is obviously a good thing, but if you are decrypting on an internet connected device, then there is still a potential risk there to your descriptor/pub keys. I have a handful of different multi-sig wallets which I use for storing larger amounts of bitcoin, but the computer involved is always airgapped. Once the transaction is fully signed by a combination of computers, hardware wallets, whatever, then you can load it on to an internet connected computer to be broadcast.

My back ups for a 2-of-3 multi-sig take the following form:
Back up 1: Seed A, xpub B
Back up 2: Seed B, xpub C
Back up 3: Seed C, xpub A

That way any two back ups are sufficient to fully restore the wallet, while the compromise of one back up provides the attacker with nothing useful. Using this system, I don't also have to back up my public keys elsewhere, as you have done in your password manager.
sad-error
newbie
Activity: 27
Merit: 12
Re: Xor or multisig
February 12, 2023, 07:33:02 AM
#47
Quote from: o_e_l_e_o on February 12, 2023, 06:58:58 AM
You need to very careful with address reuse using your set up. Whenever you spend from an address, then the three individual public keys for that address are revealed in the transaction data. If someone was to then compromise a single one of your paired back ups, they would have all the information required to spend any other coins on that address.

I'd also be quite uncomfortable about the wallet files on your PC, depending on your set up. If your wallet files are simply on an online computer then that is not very safe, since you are relying on the secrecy of your wallet descriptor/public keys not to reduce an attacker to only needing 1-of-3 of your back ups to compromise your wallet.

you are absolutely correct on all counts. I have also mentioned that address reuse is a problem with this in my initial post. I think I have taken all necessary precautions - the wallet file itself is also encrypted and on top of that the whole hard drive is enrypted as well. As for the seeds, these are all in industrial grade vaults where only I have access - i think it's fairly unlikely two of these would be breached without me finding out about the first breach. In the end it's always a balance of security and redundancy, isn't it? You can't really have both.
o_e_l_e_o
legendary
Activity: 2268
Merit: 18503
Re: Xor or multisig
February 12, 2023, 06:58:58 AM
#46
You need to very careful with address reuse using your set up. Whenever you spend from an address, then the three individual public keys for that address are revealed in the transaction data. If someone was to then compromise a single one of your paired back ups, they would have all the information required to spend any other coins on that address.

I'd also be quite uncomfortable about the wallet files on your PC, depending on your set up. If your wallet files are simply on an online computer then that is not very safe, since you are relying on the secrecy of your wallet descriptor/public keys not to reduce an attacker to only needing 1-of-3 of your back ups to compromise your wallet.
sad-error
newbie
Activity: 27
Merit: 12
Re: Xor or multisig
February 12, 2023, 05:52:13 AM
#45
Quote from: o_e_l_e_o on February 12, 2023, 05:48:39 AM
Interesting solution. The compromise of your password manager leads to a complete loss of privacy, but your coins cannot be spent. Is your password manager local only, on your own server, or synced to some third party cloud provider? Or do you keep offline back ups?

exactly. yes, I use selfhosted bitwarden. I don't keep offline backups, if push comes to shove (I lose access to all the wallet files on the pc, all my hardware wallets with the multisig descriptors *and* the password manager) I think I have enough redundancy to be able to get all three seeds.

Quote from: o_e_l_e_o on February 12, 2023, 05:48:39 AM
I'm not sure I follow you here. Are we talking about a 2-of-3 multi-sig? You keep two seed phrases backed up in each location, so the compromise of a single location means someone has access to the threshold number of seed phrases (but not the third xpub)?

if seeds are A, B, C i keep three backups, AB, BC, AC in separate locations.
o_e_l_e_o
legendary
Activity: 2268
Merit: 18503
Re: Xor or multisig
February 12, 2023, 05:48:39 AM
#44
Quote from: sad-error on February 12, 2023, 05:39:16 AM
I back up the descriptor in a password manager - separately from my seeds that are on paper, for this very reason.
Interesting solution. The compromise of your password manager leads to a complete loss of privacy, but your coins cannot be spent. Is your password manager local only, on your own server, or synced to some third party cloud provider? Or do you keep offline back ups?

Quote from: sad-error on February 12, 2023, 05:39:16 AM
I keep 3 distinct pairs of seeds backed up together in physically separate and secure locations, so each seed is backed up twice.
I'm not sure I follow you here. Are we talking about a 2-of-3 multi-sig? You keep two seed phrases backed up in each location, so the compromise of a single location means someone has access to the threshold number of seed phrases (but not the third xpub)?
sad-error
newbie
Activity: 27
Merit: 12
Re: Xor or multisig
February 12, 2023, 05:39:16 AM
#43
Quote from: o_e_l_e_o on February 12, 2023, 05:36:20 AM
Quote from: sad-error on February 12, 2023, 05:20:11 AM
for what it's worth, that's not entirely true. When best practices are followed, even with two seeds and no xpub of the third seed they can't really do anything.
I'm curious as to how and where you are backing up your xpubs if you are not backing them up alongside your seed phrases?

I generally back up n minus m xpubs with each seed phrase (in a specific pattern) so that with the threshold number of back up shares I can fully recover the wallet, while the compromise of one back up is not enough to spy on my wallet.

I have the descriptor in a password manager - separately from my seeds that are on paper, for this very reason.  I keep 3 distinct pairs of seeds backed up together in physically separate and secure locations, so each seed is backed up twice.
o_e_l_e_o
legendary
Activity: 2268
Merit: 18503
Re: Xor or multisig
February 12, 2023, 05:36:20 AM
#42
Quote from: sad-error on February 12, 2023, 05:20:11 AM
for what it's worth, that's not entirely true. When best practices are followed, even with two seeds and no xpub of the third seed they can't really do anything.
I'm curious as to how and where you are backing up your xpubs if you are not backing them up alongside your seed phrases?

I generally back up n minus m xpubs with each seed phrase (in a specific pattern) so that with the threshold number of back up shares I can fully recover the wallet, while the compromise of one back up is not enough to spy on my wallet.
sad-error
newbie
Activity: 27
Merit: 12
Re: Xor or multisig
February 12, 2023, 05:20:11 AM
#41
Quote from: Saint-loup on February 11, 2023, 05:35:23 PM
This means you are using 2 x 3 (6) seeds while a thief just needs to find 2 of them to be able to steal your funds.

for what it's worth, that's not entirely true. Considering no address reuse, even with two seeds and no xpub of the third seed they can't really do anything.
o_e_l_e_o
legendary
Activity: 2268
Merit: 18503
Re: Xor or multisig
February 12, 2023, 04:34:07 AM
#40
Quote from: Saint-loup on February 11, 2023, 05:35:23 PM
This means you are using 2 x 3 (6) seeds while a thief just needs to find 2 of them to be able to steal your funds. That's half more risky than using 4 shares of a split seed scattered in 4 different locations, and 2x times more risky than using a 2-of-3 split seed.
A m-of-n multi-sig provides the exact same redundancy in its back ups as an identical m-of-n SSS, without all the disadvantages of SSS. You can then add a passphrase on top of either system if you so choose.

Quote from: Saint-loup on February 11, 2023, 05:35:23 PM
If your 100% safe device goes out of order or if you mistakenly delete your seed from it, SSS will help you, because your seed will still be safely stored elsewhere.
If your device breaks down then any back up will recover your wallet, not just SSS. But the process of setting up SSS in the first place is vastly inferior to multi-sig, and to recover your SSS wallet you need to rely on your replacement device being free from compromise since it is a single point of failure, which is not the case for multi-sig.
Pages:
Bitcoin Forum>Bitcoin>Development & Technical Discussion>Wallet software
Jump to: