Topic: Xor or multisig (Read 747 times)

They can, it's just a tedious and unfriendly process. Print out the xpubs on the same piece of paper where you will write down the seed by hand. You can even add lines for where the seed words will be written later.
Backup: 1. _____ 2. _____ 3. ______ etc.,    xpub 1

True, which is why after you have written down your xpubs (or indeed, made any back up of anything in any form), you should test your back up by using it to recover from. If you can successfully recover from it, then you know it is correct. The same goes for seed phrases. I would never create a wallet, write down the seed phrase, and then send coins to the wallet before first testing that the seed phrase I wrote down does indeed recover the same wallet.

Having said all that, if you don't want to write down the xpubs then you can of course print them out. In order to generate addresses to send coins to in your multi-sig set up, you must have all the xpubs together on the same device at some point in order to create the wallet in the first place. Attaching a (dumb) printer to that device in order to print out the xpubs introduces very little additional risk.

For this setup to work correctly against physical attacks on your cryptocurrency holdings, all your backups need to be spread geographically, preferably across multiple jurisdictions with different laws regarding your rights to keep your personal information secret. One of them is obviously should be Wyoming. Yes, the first evil person to attack your bitcoin is going to be your own government trying to protect you from supposedly wrong investment decisions, which often results in citizens handing over their gold or something else valuable in exchange for questionable protection. Of course, people who work for the government know about all the established strategies of signature separation, but the xor strategy is somewhat modern, which means there is a tiny chance that they are not aware of how it works exactly. It is up to you to decide which approach to follow, but in my opinion, the best security approach does not involve sharing it on the Internet. Keep it secret how you keep your secret.

not because i am lazy af but it's error-prone... imaging you need to note down 3 xpubs.. any wrong character in the xpubs will later cost all the funds.

why not? sure it's a bit long and inconvenient but surely nothing is preventing you from writing it out by hand?

looks like a very solid backup plan. One thing i am not sure with the xpub backups is that since it's xpubs... they can't be really backed up offline or by hand writing....

You will have to either print it out or keep the file in a digital form..

Meaning, if a person uses a multisig setup, he will likely backup the xpubs or the whole setup of his multisig in a digital form.

Manipulating and extracting data from chips and physical devices isn't something that many people know. Especially not home robbers. Your security should be strong enough so that you have time to recover and move your coins from one of your backups while someone (may or may not be) is working on getting access to the stolen device.

Old age and sickness changes the mind. It makes you forgetful and uncareful. I am looking at my dad, who is no longer a young man, and compare him to the person he was decades ago. He has problems understanding what he hears on TV, he can't keep up with our conversations, and forgets important things. A few weeks ago, he revealed a family secret to some people that had no business knowing it during a family dinner. He didn't think about what he was saying. Later when we asked him why he did it, he was sad and didn't know. I forgot that we weren't supposed to talk about it, he said.   

Because the human brain is incredibly fragile, and you can easily forget your seed phrase through no fault of your own with zero warning.

Then all the more reason to use multi-sig and split up your back ups, which protects against this particular threat.

You can simply print out your master public keys with a dumb printer, but you don't have to. As sad-error has explained above, his multi-sig setup does not require backing up the master public keys alongside the seed phrases, although personally I wouldn't choose this method.

I don't understand why remembering your seed would be a bigger disaster than keeping your seeds at home, into your devices? By doing that you have to trust any people able to access your home when you're outside, guests, family, workers, etc and taking strong and expensive physical security measures against burglars. In addition, with a multisig wallet you need to store master public keys along with your seeds, while they are very weak against alteration because few missing characters can lead them to be unrecoverable. While mnemonic seeds are still usable with many missing characters and even with few whole words missing.

I don't recommend remembering any seed phrases. That is a recipe for disaster.

If you want to use a multi-sig on only one device (as you would with SSS), you can do that too by simply importing two seed phrases in to the same device, while still benefiting from the 2-of-3 set up for your back ups. But multi-sig gives you the option to not have a single point of failure, which SSS fails to do.

Why would I need to store 5 or 6 seed phrases with a 2-of-3 multi-sig? I've just shown above what my three back ups would be. A 2-of-3 SSS or a 2-of-3 multi-sig needs 3 back ups (unless you want to duplicate for added redundancy). A SSS requires one device to spend from, which is a single point of failure. A multi-sig can be spent from one device if you want, or can be spent using multiple devices for added security. Anything you are doing here with SSS, a multi-sig does better and more securely.

If you add a passphrase, it adds another element to remember or to care about. And if you are not able to remind it or if you lose it, you will lose all your funds.
As I said above a m-of-n multi-sig doesn't provide the same "redundancy in its back ups as an identical m-of-n SSS", because when you use a split seed you only need to remember one seed (the original one), so you don't need to bring your seeds with you each time you need to use your wallet.
In order to use your multisig wallet you need to store 2 seeds in your devices, with a split seed you would just need to enter the remembered seed in your device when you need to use it. This means you would need to store 3 seeds, and not a single extra one, to use your wallet with a 2-of-3 SSS seed, instead of 5 or 6 ones.

It's usually at this moment that you realize that your backup seed is not readable anymore, is encrypted with a key/password you've lost or is not where you think you hid it 3 years ago...

Absolutely. If this is your chosen set up, then the only thing I can see to add would be to airgap your computer, if it isn't already. Encryption at rest is obviously a good thing, but if you are decrypting on an internet connected device, then there is still a potential risk there to your descriptor/pub keys. I have a handful of different multi-sig wallets which I use for storing larger amounts of bitcoin, but the computer involved is always airgapped. Once the transaction is fully signed by a combination of computers, hardware wallets, whatever, then you can load it on to an internet connected computer to be broadcast.

My back ups for a 2-of-3 multi-sig take the following form:
Back up 1: Seed A, xpub B
Back up 2: Seed B, xpub C
Back up 3: Seed C, xpub A

That way any two back ups are sufficient to fully restore the wallet, while the compromise of one back up provides the attacker with nothing useful. Using this system, I don't also have to back up my public keys elsewhere, as you have done in your password manager.

you are absolutely correct on all counts. I have also mentioned that address reuse is a problem with this in my initial post. I think I have taken all necessary precautions - the wallet file itself is also encrypted and on top of that the whole hard drive is enrypted as well. As for the seeds, these are all in industrial grade vaults where only I have access - i think it's fairly unlikely two of these would be breached without me finding out about the first breach. In the end it's always a balance of security and redundancy, isn't it? You can't really have both.

You need to very careful with address reuse using your set up. Whenever you spend from an address, then the three individual public keys for that address are revealed in the transaction data. If someone was to then compromise a single one of your paired back ups, they would have all the information required to spend any other coins on that address.

I'd also be quite uncomfortable about the wallet files on your PC, depending on your set up. If your wallet files are simply on an online computer then that is not very safe, since you are relying on the secrecy of your wallet descriptor/public keys not to reduce an attacker to only needing 1-of-3 of your back ups to compromise your wallet.

exactly. yes, I use selfhosted bitwarden. I don't keep offline backups, if push comes to shove (I lose access to all the wallet files on the pc, all my hardware wallets with the multisig descriptors *and* the password manager) I think I have enough redundancy to be able to get all three seeds.


if seeds are A, B, C i keep three backups, AB, BC, AC in separate locations.

Interesting solution. The compromise of your password manager leads to a complete loss of privacy, but your coins cannot be spent. Is your password manager local only, on your own server, or synced to some third party cloud provider? Or do you keep offline back ups?

I'm not sure I follow you here. Are we talking about a 2-of-3 multi-sig? You keep two seed phrases backed up in each location, so the compromise of a single location means someone has access to the threshold number of seed phrases (but not the third xpub)?

I have the descriptor in a password manager - separately from my seeds that are on paper, for this very reason.  I keep 3 distinct pairs of seeds backed up together in physically separate and secure locations, so each seed is backed up twice.

I'm curious as to how and where you are backing up your xpubs if you are not backing them up alongside your seed phrases?

I generally back up n minus m xpubs with each seed phrase (in a specific pattern) so that with the threshold number of back up shares I can fully recover the wallet, while the compromise of one back up is not enough to spy on my wallet.

for what it's worth, that's not entirely true. Considering no address reuse, even with two seeds and no xpub of the third seed they can't really do anything.

A m-of-n multi-sig provides the exact same redundancy in its back ups as an identical m-of-n SSS, without all the disadvantages of SSS. You can then add a passphrase on top of either system if you so choose.

If your device breaks down then any back up will recover your wallet, not just SSS. But the process of setting up SSS in the first place is vastly inferior to multi-sig, and to recover your SSS wallet you need to rely on your replacement device being free from compromise since it is a single point of failure, which is not the case for multi-sig.

This means you are using 2 x 3 (6) seeds while a thief just needs to find 2 of them to be able to steal your funds. That's half more risky than using 4 shares of a split seed scattered in 4 different locations, and 2x times more risky than using a 2-of-3 split seed.

I don't understand what you mean, being 100% safe and completely immune to compromise, doesn't mean being immune to breakdowns and being indestructible... If your 100% safe device goes out of order or if you mistakenly delete your seed from it, SSS will help you, because your seed will still be safely stored elsewhere.

So use multi-sig +/- a passphrase.

I have a 2-of-3 multi-sig wallet which I use in a single location as multi-sig between an airgapped laptop and a hardware wallet. The third set of keys only exists on paper. The three back ups are in different physical locations. I can use the wallet from a single place, while maintaining maximum protection against malware or compromise of one of my devices, while still having the redundancy you describe in the back ups. Additionally, I don't have any exposure to bad SSS implementations, weak share generation, or a single point of failure.

I see nothing that SSS provides that a multi-sig set up can't also provide, but I see many pitfalls in SSS. If the device you used to generate your SSS shares or to recombine them later is compromised, then your entire SSS system is useless. And if there was such a thing as a device which is 100% safe and completely immune to compromise, then you don't need SSS in the first place.

It mitigates this issue at the expense of another one unfortunately : the exposure one. By doing that you are doubling the risk that your seed will be found and hacked. With a split seed you don't have to store a copy of any share at any other place, each one can stay unique. If you split your seed in 4 elements like what you have currently, each one can be kept in one single place. And the safety of the accessibility of your funds would be better in addition, because if you use a 2 of 4 scheme you would need to lose at least 3 elements to lose the access of your funds. While with a seed and passphrase copied if you lose your 2 passphrase back ups or your 2 seeds, you will be locked.

Multisig wallets have not "a single point of failure" as you say, if you are using them with other people not knowing them each other, or if you are able to use them from several places(which is not convenient at all) but if you are only able to use your multisig wallets at the same place, they can be destroyed by a fire or another disaster, or be stolen by a burglar, each time you need to use them in the same way as a common seed. With a split seed you have only one seed to remember(the original one), so you don't need to bring them with you each time you need to use your wallet.  

You should have a minimum of two back ups of each part, which mitigates this issue.

XOR is risky for the reasons I mentioned in my first post in this thread. Predominantly, you are entirely dependent on the implementation you are using being safe, secure, and not disappearing in the future, whereas passphrases are now standard across all good wallets.

Which is the same as using a multi-sig set up, which again, is standard across all good wallets, and does not have a single point of failure.

I don't understand why it would be "superior" as you say. When you are you using a passphrase you have 2 things to take care of : the seed and the passphrase, because if you lose one of them you can't access your funds anymore. It means you have 2 times more risk to lock your funds, than with a single seed. It's just like using this XOR function at the end, except you can choose your passphrase. If you use a split seed with a 2 of 3 scheme, you have 2 times less risk to lock your funds than with a single seed because you need to lose at least 2 seeds instead of one to lose access to your funds. It means you have 4 times less risk to lock your funds with a 2 of 3 split seed than with a seed and a passphrase. Without increasing the exposure of your real seed on top of that.
It allows you, for example to split a seed in a 2 of 4 shares scheme, in order to safely being able to store one seed at home, one seed online, one seed at a relative's home, and another one in a hole in the middle of a forest or wherever you want on earth(you will need to lose 3 seeds at the same time to lock your funds in this case).

Fair points, but the implementation issue is only a single weakness out of many and so it doesn't change the fact that SSS is a poor suggestion for all the other reasons. This mitigation also relies on individuals using that specific implementation, and not other experimental ones, such as the one listed on Ian Coleman.

If you want a single sig wallet but with multiple back ups required to restore it, then I would say a seed phrase plus an additional passphrase is still superior to SSS. This set up can also be used to hold any altcoins which derive their keys via a seed phrase.

Well, if you are not aware of that, SLIP39 is precisely a standard implementation of SSS in fact.
https://github.com/satoshilabs/slips/blob/master/slip-0039.md

Your article is a little bit outdated but it refers to it actually :
As Jameson Lopp said above several implementations in several languages already exist. And FYI Electrum already supports it.



A multisig wallet has nothing to do with splitting a seed in reality. Daily users of Bitcoin can't use several wallets on several devices each time they(we) need to send a transaction, moreover I'm curious to know how you are making a LN transaction with a multisig wallet? In addition a split seed can be used to store different cryptocurrencies, not a multisig wallet.

SSS is a poor method to use for a number of reasons. It requires the necessary threshold of shares to be brought together in one place on one device to recreate the wallet in question, which creates a single point of failure and compromise. There is no standard implementation, meaning you are completely dependent on the software you used to generate your shares, and without a copy of that exact software, it may be entirely impossible to recreate your wallet. There is also no guarantee whatsoever that the software you are using is actually secure, and the vast majority of users will be unable to audit the code for themselves.

Have a read of the following for more information: https://blog.keys.casa/shamirs-secret-sharing-security-shortcomings/

A far more secure approach is to use multi-sig.

A multi-sig still allows you to hide your seed phrases in several places.

Again, you can do this with multi-sig, without all the disadvantages that come with SSS.

I disagree with you, hiding efficiently your seed is the most important thing in cryptocurrency security. And hiding your seed in several places isn't riskless, since the more places you use, the more likely your seed can be found by someone else. So you can't say being able to split your seed in several parts doesn't bring any security. Unfortunately this XOR method is not the best one since you need to take care of all the seed parts "(not M of N, always N of N)".
But other methods like the Shamir Secret Sharing Scheme or SLIP39 allow to get back your seed with only a subset of the shares. It is not meant to replace a multisig wallet since all seeds need to be reassembled by someone but it can be useful if you want to hide safely your seed in several places. For example, you can leave one share at a friend or parent home, he won't be able to do anything with it and if he loses it you will still be able to retrieve your seed thanks to the other shares (if you used a M of N scheme).

https://github.com/satoshilabs/slips/blob/master/slip-0039.md
https://github.com/trezor/python-shamir-mnemonic
https://iancoleman.io/slip39/

Why don't you make it like the traditional XOR operation where you take two 12 word seeds (or any number of words seeds actually, as long as they have the same number of words), and then convert them back into entropy, apply the XOR operation on it, and then convert the entropy back into a mneumonic?

But then again, neither of these methods would actually provide any security, just obscurity.

As ETFbitcoin and Pmalek say, it's a privacy concern. Perhaps I don't want someone to be able to link every address in that wallet together under common ownership, or know the total amount of bitcoin in the wallet, or be able to watch all my future transactions, etc.

But, as I mentioned above, in order to even create the multi-sig wallet in the first place and generate addresses to send coins to, all your xpubs must be on the same device at some point. There is no other way around it. And so printing them out from that device presents very little additional risk to your privacy then the risks you have already exposed yourself to (and hopefully mitigated) by setting up the wallet in the first place. If you do it all on a live OS on a permanently airgapped computer and printed the xpubs using a dumb printer (i.e. one without internal memory or wireless hardware), then the risk of leaking your xpubs in such a manner is almost zero.

It depends on what you personally consider an issue. It's not a problem in the sense that you will loose your bitcoin if someone gets hold of your xpub. You won't. But knowing the extended key provides knowledge of all child keys. In essence someone would have the means to track all addresses of your wallet. They would know how much you own and whenever you send or receive coins to addresses associated with that wallet. You have to judge yourself if someone else having that information is an issue for you or not.   

I guess it's a tradeoff. I would be happier copying and pasting the xpubs rather than writing them by hand, as the most likely way to lose access to funds is by losing the xpubs rather than coming under a sophisticated attack.

Why is that an issue?

I understand it sucks. And is prone to error, if done sloppily / hastily. However if you take your time it's not THAT big of a deal, even though uncomfortable and definitly an unfamiliar procedure.
However, good security always takes some work and attention to details, so yeah, I think this example is still manageable.

Agreed, a tool to convert back-and-forth from and to a mnemonic phrase would be nice to have.

I don't think so. Both systems have the same underlying goal - require the combination of multiple different back ups in order to spend the relevant coins.

Whether you are splitting a private key or a seed phrase using SSS is more or less irrelevant. The weaknesses and vulnerabilities are the same.

Correct. If one of your devices containing all your xpubs is compromised, then the attacker can view your wallets.

You should absolutely back up the xpubs along with the seed phrases, but you don't need to back up every xpub with every seed phrase, which again protects your privacy in the event that an attacker discovers one of your back ups.

That's a good idea. You print them, and then check in an airgapped device if they're printed correctly. The additional risk, I suppose, is privacy related?

I think it is more appropriate to hold a backup of the printed xpubs along with a seed phrase. There is an additional risk (again, privacy related) but you ensure that you only lose access to the xpubs if you've lost every single seed phrase (which would lock you out anyway).

This article talks about the comparison between SSS and multi-sig which I consider wrong. If we want to compare, we must compare SSS vs Xor OR any other split methods not multi-sig .
and by poor article use splitting the private key using SSS and not the wallet seed.
SSS can give a dynamic for multi-sig if hacking/add new members is happen and by changing the polynomial occasionally of multi-sig, xpubs can divided to new members without creating a new one.

I never said it was easy. But yes, I have hand written xpubs like that before. Sure, it takes time, and it takes even longer to then type them back in to your computer from your hand written back up in order to check the accuracy, but you only have to do it once when you set up your wallet. I'm obviously not doing it for every wallet I own, but for a one off super safe cold storage wallet, I don't mind spending the time doing so. It's the same argument as when people say flipping a coin 256 times takes too long so cut corners and end up with some harebrained and insecure scheme instead.

But as I said, you can also opt to print off your xpubs with minimal additional risk. All the xpubs will be present on each electronic device which holds one of your multi-sig wallets anyway. So if you have a dumb printer, there is very little additional risk to plugging it in and spitting out however many copies of each xpub.

The more the xpubs, the more the pain and chances to mess it up somewhere. I triple checks addresses when I'm sending bitcoin to my cold storage, let alone what I'd do if I had to ensure it's the correct xpubs. I mean think about it, you have to write down a nightmare like this:

By hand. Clean writing. About 560 characters, case sensitive. How come there hasn't been a mnemonic standard for xpubs?

Yes you need to back up the xpubs, and yes that is a pain/error-prone to do by hand. I don't think that means you need to back up electronically, though. You can still write them by hand, provided you take your time, use clear writing, and triple check everything (including checking that you can successfully recover each share before you fund the wallet). There is also less risk involved in printing out xpubs than there is in printing out seed phrases or private keys, for obvious reasons. Provided you have set up your multi-sig properly (e.g. using 3 different and completely separate devices for a 2-of-3 multi-sig), then printing out xpubs from each device presents minimal risk.

And of course, you do not need to store every other xpub with every seed phrase, but rather n minus m xpubs with each seed phrase (provided you pick the correct ones, of course). Doing so also brings a privacy benefit since an attacker with access to one back up cannot even view your wallet.

That is true, but master public keys must be taken into account. To spend from a 3-of-5 multi-sig, you need to ensure access to all 5 master public keys. One thing I dislike about multi-sig (and please correct me if I'm wrong) is that you can't back it up in the same comfortable and easy manner as a single-sig, because master public keys aren't meant to be written down on paper as seed phrases. So, you need to store it electronically, which is also prone to fail overtime.

It would be impossible to get accurate figures, but I agree the number will be very low.

Let's look solely at P2SH outputs as an example: https://txstats.com/dashboard/db/p2sh-repartition-by-type

We currently have around 4.7 million BTC in P2SH outputs. 3.2 million of those outputs are on addresses which have never been spent from, so we can't say anything about their script. Of the 1.5 million which we do know the scripts, over half are nested segwit scripts, and only about 600k are in multi-sig addresses. However, we also know that there are some major centralized exchanges which hold tens or even hundreds of thousands of bitcoin in multi-sig wallets, meaning that number of 600k becomes significantly smaller when considering coins held in multi-sig set ups by individual users.

Now obviously there are P2WSH multi-sigs, there are probably some P2MS outputs still kicking about, there are now P2TR outputs which we don't know if they are multi-sig or not, and there are all the unspent outputs which are in multi-sig set ups that we don't know about yet. But even extrapolating the above numbers out to cover all this, multi-sigs will very much be in the minority for the average user.

Thanks for clearing up this stupid mistake / mistype. Yes, I ofc meant if a share is lost you cannot recover your keys, even if you have a 10-share XOR and still have 9 of them.

On a side note: I wonder how many people using paperwallets / other cold storage options actually do multi-sig? Anyone got any numbers?
Maybe I'll try creating a poll, but ofc it's gonna be very biased just based on who actually clicks the topic, is active on bitcointalk etc. But still, could be interesting. My guess is, it's not a high percentage at all.

That's not quite right. If one of your seed phrases is compromised in the XOR set up, the attacker can still gain nothing, just as in a multi-sig set up. The difference is that if one of your seed phrases is lost in a XOR set up, it is impossible to recover your wallet since you need all the shares, unlike multi-sig which is set up to require m-of-n shares.

Given this, if you were using 3 shares in a XOR set up, you would want each of them backed up at least twice, since the loss of one share means the loss of everything, which then necessitates 6 separate secure back up locations. At that point a 3-of-5 multi-sig is much preferable, as you say.

Not an expert on the field (yet ; ) but multi-sig 3/5 is a great one to have because it offers a wonderful mix of
- attacker cannot access funds even if they manage to access 2 of the 5 seeds
- very secure even if two of your houses / storage places get burned down (/ are for any other reasons not accessible)

XOR - never heard of it, but if I understood correctly by some of the replies, this would be problematic as soon as one seed-phrase is compromised  lost/destroyed -> You lose all your funds. With 3 places to store them at, it is 3x as likely to happen.

At that point you then lose the plausible deniability that each share is an individual standalone wallet and not part of a bigger XOR scheme.

The most talked about implementations of SSS I am aware of (and please correct me if there are other common ones, as I tend not to pay much attention to SSS implementations for the reasons I've discussed above) are Trezor's (https://github.com/satoshilabs/slips/blob/master/slip-0039.md) and Ian Coleman's (https://iancoleman.io/shamir39/ and https://iancoleman.io/shamir/ - he has two different ones). All of them are completely incompatible with each other, and a wallet generated with one is unrecoverable with the others. Not a safe choice.

That's true, i was thinking people would do both things (write down seed and print manual) at same time and then store both of them are same location. And i definitely agree multisig is safer option.


But don't forget there are trade off where SSS recovery can't be done manually with hand and you need to check software which implement SSS doesn't have any bug or weird config which makes it harder to recover with different software.

But it is yet another thing to back up, and yet another thing where the loss of a single component could potentially result in complete loss of your coins. Multi-sig remains safer. If the code for recovering multi-sig wallets is no longer available anywhere online, then bitcoin itself will no longer exist.

SSS is a poor choice for a wide number of reasons:
https://blog.keys.casa/shamirs-secret-sharing-security-shortcomings/
https://en.bitcoin.it/wiki/Shamir_Secret_Snakeoil

Again, multi-sig remains the better choice, or even just a single sig wallet with an additional passphrase and multiple back ups.

Multisig is always a better and safer option than SeedXor or alternatives like Secret Shamir Sharing that uses splitting of seed words.
You can also ask yourself why only Coldcard hardware wallet is supporting Xor and no other hardware wallet.
With Multisig setup you don't have single point of failure and I think this is not the case with Xor and other alternatives.

It's the first time I've heard of seedxor, but from my reading of this article https://seedxor.com/, I can say that comparing it to multisig is wrong there is a huge differences between them.

The logical comparison lies between seedxor and Shamir's Secret Sharing (https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing). In terms of comparison, I prefer Shamir's Secret Sharing because of the ability to set the threshold, which means the minimum number of shares are needed, a feature that is not present in seedxor.

• Seedxor will fail when compared to any other method of splitting seeds.
• Using SSS and multisig will give you better results if you lost one of your wallet seed

thank you all for the input here.
now i think it's safe to say multisig wins.

if you are passing around an unsigned raw TX to different devices, where each device creates a signature. where only signatures and raw tx are passed. is better security than having ANY key system where all keys sign from same device

whether they mix and match seeds to create a superkey, or are separate signers using separate keys but in both cases are all done on same device is less than great security in comparison

theres no point in elaborate key separation/mixing to create a super key. if its all done on one device. because if that one device is exposed/compromised, so are all keys

if you want to do that. ensure keys are on separate devices/paper and then online combine them when you want to spend. but have the 'change'/remainder of spend go to a keyset not exposed to the device you are using online to spend, but address.. of which was calculated using separate keys on separate devices
......
.. its not just about hijacking a device to grab keys. its also hijacking a device simply to change the funds destination to a hackers preferred address rather then the one you intend it to go to


so still be aware of the risk the software on device might change the funds destination address at the signing process.. so again for best security have different devices sign a raw tx, that way you have multiple opportunities/stages to check and sign the destination. therefore ensure it goes to destined spend recipient by knowing the signatures match the tx details you want(destination)... that way if one device was compromised and changed destination. it would have different signature "messages" and txids which will get that tx rejected at broadcast because the signatures dont all match the same raw tx

but all this is overkill for most users

I would use multi-sig over XOR for a number of reasons.

Firstly, XOR is not widely used. The code provided is not widely audited, and if you do it yourself you are prone to making mistakes. If the code disappears, would you remember how to combine your seed phrases and regenerate your original seed phrase? Seems unlikely to me. Multi-sig is a standardized feature of bitcoin and can be recovered using many different wallets.

Further, with a 3-of-3 system like XOR (or any other number) the loss of one share means you have lost everything. A 3-of-5 multi-sig means an attacker still has to compromise the same number of shares to access your coins (3), but you have 2 additional shares to provide redundancy in your system.

A XOR system requires all the shares to be brought to one place to be combined in to a single wallet on a single device. That's multiple single points of failure. A multi-sig system can have each wallet remain on entirely separate systems and avoids any single point of failure.

The benefit that ColdCard give about each XOR share being a valid seed phrase which can generate a wallet and therefore provide plausible deniability holds equally true for every seed phrase share in a multi-sig set up.

the idea of XOR Seed was created by coldcard, which should be trusted but i'd rather like to know if it is widely audited by other veterans.

I have no idea which one is better: both have their pros and cons, and both can be used in an incorrect way that may lead to a loss of funds. But if I faced the necessity of choosing between these two, I would go for the xoring scheme because it is easier to understand and maintain. Unlike in a multi-signature scheme where you need to store both private and public keys to be able to reconstruct your address and move funds, the xor scheme requires you to keep only "pieces of your puzzle." The other advantage is that you can manually reconstruct the initial seed phrase, without employing any software tools. But if you wish, you can purchase a hardware wallet like ColdCard that offers an in-built functionality of creating xor seeds.[1]

[1] https://seedxor.com/

a xor scheme, like you have one 12-word seed (A) and separate it into three 12-word seed (B,C,D), each of which is a new wallet. But the real one which you actually want to hide is the one (A) that can only be reconstucted by B,C,D.

the xor, i am surprised you haven't heard of that.

I have no idea what you mean by "xor scheme" but security of your wallet depends on how you use it. For example if you have a 15-of-15 multi-sig wallet but you store all 15 keys in one place that can be compromised all at once (eg. on your online PC), you don't really have any security. Compare that with a simple single-sig wallet that you keep on an air-gap PC that is encrypted.

A single-sig wallet can be safe enough if the user puts a little effort in. A multi-sig setup can provide additional security if the user needs it as long as the keys are created and stored separately and all in secure environments. A 2-of-3 setup is better than 2-of-2 because the third key is used as a failsafe in case any of the first two keys were lost.
But when you use muti-sig, you are increasing the size of your transaction hence paying higher fees for each transaction you want to make. Of course you can always use Taproot and pubkey aggregation but there still is not user friendly way of doing that.

let's discuss on the security level of one having a 2/2 xor setup and a 2/3 multi-sig setup.

So, let's say I am to create two wallets using the xor scheme and 2/3 multisig respectively.
Both setups use a 12-word seed and no passphrase at all.

Which one do you like better?
1. security (i know even a single sig wallet is already good enough, I am asking which one of these two is better)
2. usability (error-prone, convenience)
3. attack surface/vector (similar to point 1)
4. hww support
5. hidden facts that people don't know about?

thanks