one of two multi-sig scenarios with hidden public keys

19 replies 402 views
ryan2011Member
Posts: 5 · Reputation: 57
#1Jun 24, 2022, 12:41 PM
So I've got this 1 out of 2 multi-sig setup where seed A is in location A, seed B is in location B, and the public keys are stored in location C. For question 1: If seed A gets compromised, does that mean the attacker can't access the funds since they still don’t have the public key for seed B? Question 2: Is this setup any safer than just having one seed split between two different spots? Now for question 3: Can an attacker get any useful info if one of the seeds is part of a multi-sig arrangement? And finally, question 4: With this 1 out of 2 multi-sig, can I hold some smaller amounts in addresses tied to a single-sig setup? Like, would that make the attacker think they got something valuable when actually they just got access to some small funds?
7 Reply Quote Share
gang2014Member
Posts: 20 · Reputation: 189
#2Jun 24, 2022, 04:34 PM
Since it is 1 of 2 means one key is enough to move funds. There are no point to have a 1 of x wallet.
5 Reply Quote Share
ryan2011Member
Posts: 5 · Reputation: 57
#3Jun 24, 2022, 06:38 PM
You can move funds without knowing both public keys and with only one private key (seed)? When I create a multi sig wallet with Electrum, it's showing the following warning: "Warning: to be able to restore a multisig wallet, you should include the master public key for each cosigner in all of your backups." This suggest you cannot send funds with ONLY one private key (seed). Am I reading this wrong?
2 Reply Quote Share
Posts: 43 · Reputation: 203
#4Jun 24, 2022, 08:14 PM
you've read this right. wallet has a single cosigner. either you or that guy can perform this duty
3 Reply Quote Share
gang2014Member
Posts: 20 · Reputation: 189
#5Jun 24, 2022, 11:18 PM
To restore the wallet you need one key and both public key but to move funds you do not need more than one key.
2 Reply Quote Share
ryan2011Member
Posts: 5 · Reputation: 57
#6Jun 26, 2022, 10:17 PM
Sorry, it's not 100% clear for me. If that other guy doesn't have both public keys, can he still transfer the funds? Sorry, it's not clear yet for me. I'm trying to ask questions which could be answered with yes or no, but your answer is confusing me. Without both public keys, it's not possible to move funds (question 1)? I understand, if you have both public keys and have one private key, you can move the funds, but that's not what my confusion is about.
1 Reply Quote Share
humbleledgerLegendary
Posts: 1027 · Reputation: 6554
#7Jun 27, 2022, 12:56 AM
As far as I know: yes. But, if the address has been used to send a transaction in the past, the public keys can be found on the blockchain already. It depends on your threat model: safer from an attacker means an increased risk of losing access by yourself. See 1. Yes. But isn't that what passphrases are for (by extending the seed phrase with a custom passphrase)?
6 Reply Quote Share
w0lf404Hero Member
Posts: 801 · Reputation: 2381
#8Jun 27, 2022, 03:19 AM
The purpose of having a 1 of 2 multi-signature wallet is that you can make transaction with with having access to 1 out of 2 backups. A 1 of 2 multi-signature wallet with such setup works like a 2 of 3 multi-signature wallet. Because, you have three backups and you need two of them for making transaction. So, why not go for a 2 of 3 multi-signature wallet?
2 Reply Quote Share
Posts: 43 · Reputation: 203
#9Jun 28, 2022, 01:32 AM
these pubkeys may only have something to do with redeemscript (which you'll not have with electrum anyway). anyone who knows private key and wallet address(which you wont know from that private key) can do createrawtx , signrawtx , then broadcast it . https://bitcoin.stackexchange.com/a/51366
5 Reply Quote Share
alt21Senior Member
Posts: 398 · Reputation: 1732
#10Jun 28, 2022, 05:46 AM
Please, do it, but pray that if they try to compromise your wallets, they 'll do it without you being there. It's such a violent act, being tied up in a room, forced to reveal your wallets. (see here for incidents like this: https://github.com/jlopp/physical-bitcoin-attacks/blob/master/README.md) Unfortunately, the attackers that know what bitcoin wallets are, are not ignorant anymore. They 'll know your trick, they 'll be prepared for it.
1 Reply Quote Share
Posts: 43 · Reputation: 203
#11Jun 28, 2022, 09:44 AM
in your plan they already know you have big cash that's why they came. how i understand  you have no plans to be involved in firefight or so means you'll take a hot shower (law and disorder in jo-burg) so you'll have somewhat new mindset you know
2 Reply Quote Share
gr3g.0rbitHero Member
Posts: 1025 · Reputation: 2646
#12Jun 28, 2022, 02:38 PM
The redeem script may not be displayed in Electrum, but the information to produce it on demand is saved in the wallet file since it's required to be included to the signed raw transaction. A client/wallet will not be able to sign by having only the private key of a single signer without the redeem script or cosigner's public key to reproduce it. In the link's instructions, the redeem script is saved in the wallet after using "addmultisigaddress" command. That enables it to sign using "signrawtx" without adding the redeem script, otherwise (if the wallet just contains the private key via importprivkey), it will fail to sign. The key point is written in the "Details" part below that post. But I agree that it's not recommended to use 1-of-2 MultiSig.
4 Reply Quote Share
Posts: 43 · Reputation: 203
#13Jun 28, 2022, 02:54 PM
no, it doesn't. it'll be able. think for yourself if it's true or not checking the replies. https://github.com/bitcoinjs/bitcoinjs-lib/issues/1034
3 Reply Quote Share
gr3g.0rbitHero Member
Posts: 1025 · Reputation: 2646
#14Jun 28, 2022, 05:32 PM
That reference doesn't even support your reply since they're trying to add the redeem script. The issue is in OP's raw transaction created by his code which was fixed by a series of replies including the last. If you're talking about the replies about "coinb.in" that can include it, it's because for P2SH, the redeem script is the first requirement to create a transaction there. If inputs are manually included, the redeem script should be manually provided. Here's a reference: The redeem script is required as stated in BIP16 (P2SH) standard: https://github.com/bitcoin/bips/blob/master/bip-0016.mediawiki#specification As per number 2 in its rules, its hash needs to match the hash in the outpoint's sciptPubkey for validation to succeed.
1 Reply Quote Share
ryan2011Member
Posts: 5 · Reputation: 57
#15Jun 29, 2022, 07:24 PM
@LoyceV Thank you for your answers. RE Q1: I understand the public key will be available on the blockchain if transactions are already done, but how does the attacker know which transaction? The public key of a seed differs if it's part of a multi sig wallet or a single sig wallet right? RE Q2: Safer from an attacker RE Q4: That's also an option, but passphrases can be forgotten. I'm not saying this setup is a good idea, I just want to know the details and make a good decision. @alexeyneu I'll read that stack exchange page. Thanks. @hosseinimr93 This is for a wallet with less funds and I want it to be able to manage it with max 2 wallets. @apogio Thanks for the link. @alexeyneu It's not a given attackers know how much you have. @nc50lc "A client/wallet will not be able to sign by having only the private key of a single signer without the redeem script or cosigner's public key to reproduce it." Clear! It's essential to store the public key of each cosigner. If they are not leaked, the private key can't move funds.
2 Reply Quote Share
gr3g.0rbitHero Member
Posts: 1025 · Reputation: 2646
#16Jun 30, 2022, 12:50 AM
Just to clarify, since you're using Electrum, you need the cosigner's 'Master Public Key' listed under "keystore" in your wallet info window (Menu: Wallet->Information). The public keys leaked in your spend transactions' redeem script are for the specific MultiSig address used in the input, can't be used to your other addresses. And to expand that quote, it's possible to generate a signature without the redeem script because the 'message hash' can be generated without it. But (for example) an Electrum wallet that only contains the signer's private key without the pubkey of the cosigner will not try since the signed raw transaction has to include the redeem script for the transaction to be valid. It can be tested by creating a sample 1-of-2 MultiSig Electrum wallet and restore one of the seed phrase as a standard Electrum wallet. Despite having the correct private keys, it will not sign the (unsigned) PSBT provided by the MultiSig wallet. In Bitcoin Core (legacy), you can test by using signrawtransactionwithkey and provide only the private key without the redeem script. Or signrawtransactionwithwallet using a wallet containing only the private key imported via importprivkey without the redeem script from addmultisigaddress command. Both will fail to sign the raw transaction.
2 Reply Quote Share
humbleledgerLegendary
Posts: 1027 · Reputation: 6554
#17Jun 30, 2022, 05:40 AM
Maybe, maybe not. But are you willing to risk it? If it's a targeted attack, chances are they know your address. I'm no expert on multisig cryptography, but as far as I know they could just test every multisig public key ever used. You're basically turning a 1-of-2 multisig into something where you need 2-of-3 locations to recover the funds. Why not use a 2-of-3 multisig the way it's intended, and add all public keys to each share? Maybe I can add an option: have you seen "split mnemonic cards"? To me, this is a lot more intuitive than multisig (although I've never used it in practice). Example: This accomplishes exactly what you want: you need 2-of-3 locations to restore the private key, and if someone gets their hand on one share, I don't think brute-forcing 8 missing words is viable any time soon.
3 Reply Quote Share
diamond365Full Member
Posts: 136 · Reputation: 744
#18Jun 30, 2022, 08:24 AM
Seed splitting is a bad idea according to Antonopoulos. Bitcoin Q&A: Why is Seed Splitting a Bad Idea? It is hard if you don't have full mnemonic seed to recover your wallet later and it's possible issue with seed splitting. How to Back Up a Seed Phrase
5 Reply Quote Share
humbleledgerLegendary
Posts: 1027 · Reputation: 6554
#19Jun 30, 2022, 01:14 PM
I don't have time for a 10 minutes video (what happened to just writing text?), can you give a summary? If you don't have your full multisig it's hard too
5 Reply Quote Share
ryan2011Member
Posts: 5 · Reputation: 57
#20Jun 30, 2022, 05:39 PM
Thanks for the clarification. This confirms my assumptions. Not a summary, but my own opinion: partially leaked seeds are vulnerable for brute forcing at some point in time. Shamir's secret sharing can be used instead. That's a good question. A difference is that with 1-of-2 you don't need to deal with partially signed transactions, which might be a convenience with less experienced bitcoiners (like my heirs).
2 Reply Quote Share

Related topics