Multisignature

From Bitcoin Wiki
This is the approved revision of this page, as well as being the most recent.
Jump to: navigation, search
Multisignature Ethereum Wallet

Multisignature is a digital signature scheme which allows a group of users to sign a single document. Usually, a multisignature algorithm produces a joint signature that is more compact than a collection of distinct signatures from all users.[1]

Multisignature can be considered as generalization of both group and ring signatures.

Description[edit]

Multisignature (multisig) refers to requiring more than one key to authorize a Bitcoin transaction. It is generally used to divide up responsibility for possession of bitcoins.

Standard transactions on the Bitcoin network could be called “single-signature transactions,” because transfers require only one signature — from the owner of the private key associated with the Bitcoin address. However, the Bitcoin network supports much more complicated transactions that require the signatures of multiple people before the funds can be transferred. These are often referred to as M-of-N transactions. The idea is that Bitcoins become “encumbered” by providing addresses of multiple parties, thus requiring cooperation of those parties in order to do anything with them. These parties can be people, institutions or programmed scripts.

Consider the following scenario:
Suppose I am working with a company that wants to accept Bitcoin for international trades.

The company, for security reasons, would not want a single one of its employees to have access to the company BTC wallet's password. Any transaction would have to meet the approval of more than one employee.

Is this possible already? If not, how could it be implemented with public-key cryptography?

History of Multisignature[edit]

Multisignature has been used for thousands of years to protect the security of crypts holding the most precious relics of saints. The superior of a monastery would give monks only partial keys for gaining access to the precious relics. Thus, no single monk could gain access to and possibly steal the relics.

Multisignature Wallets[edit]

A number of companies have developed multisig wallets:

Multisignature in cryptocurrencies[edit]

What is Multisignature Technology?

Multisignature (often called multisig) is a form of technology used to add additional security and for bitcoin transactions. Multisignature addresses require another user or users sign a transaction before it can be broadcast onto the block chain. The required number of signatures is agreed at the start once people agree to create the address.[2]

The first multisignature wallet was launched in August 2013 by BitGo.[3]

Multisignature allows the creation of 2-of-3 escrow services. For example: when Alice wants to pay Bob, she sends a transaction to a multisignature address, which requires at least two signatures from the group "Alice, Bob and Trent" to redeem the money. If Alice and Bob disagree on who should get the money (Alice wants a refund, whilst Bob believes he fulfilled his obligations and demands the payment), they can appeal to Trent. Trent grants his signature to Alice or Bob, so one of them can redeem the funds.

Despite the name, multisignature in bitcoin is just a tuple of distinct user's signatures, not a single entity.

Multisignature scheme is also implemented in other non-bitcoin-based cryptocurrencies.[4] Usually it replicates the same functionality via several distinct signatures.

Implementations[edit]

Shamir's Secret Sharing Scheme is a general software implementation of multisig.

Specific to Bitcoin, GreenAddress, for example, has 2-of-2 and 2-of-3 accounts (requiring at least two keys to authorize a transaction). Electrum allows a multisig wallet made of any combination of m-of-n. Coinbase also offers 2-of-3 and 3-of-5 multisig, which they call Vault. BlockTrail offers 2-of-3 multisig.

This javascript page can create and spend from multisig addresses: https://coinb.in/

See also the Electrum tutorial: http://docs.electrum.org/en/latest/multisig.html

Multisignature Applications[edit]

  • 1-of-2: Husband and wife petty cash joint account — the signature of either spouse is sufficient to spend the funds.
  • 2-of-2: Husband and wife savings account — both signatures are required to spend the funds, preventing one spouse from spending the money without the approval of the other
  • 2-of-3: Parents’ savings account for child — the kid can spend the money with the approval of either parent, and money cannot be taken away from the child unless both parents agree
  • 2-of-3: Buyer-seller with trustless escrow: buyer commits money into a 2-of-3 address with the seller and a third-party arbitrator. If transaction goes smoothly, then both buyer and seller sign the transaction to forward the money to the seller. If something goes wrong, they can sign a transaction to refund the buyer. If they cannot agree, they both appeal to the third-party who will arbitrate and provide a second signature to the party that it deems deserves it. The arbitrator cannot steal the money as they have only one key.
  • 3-of-5: Low-trust donation address: five trusted people from a project each hold a private key. Three people are required to actually spend the money but anybody can donate to the project's address. Reduces the risk of embezzlement, hacking/malware or loss due to a single person losing interest in the project. Which private key was used in the final signature is visible on the blockchain which aids accountability.
  • 2-of-2: Two-factor authentication wallet: One private key is on your primary computer, the other on your smartphone — the funds cannot be spent without a signature from both devices. Thus, an attacker must gain access to both devices in order to steal your funds (much more difficult than one device)
  • 2-of-3: A board of three directors maintaining funds for their organization — those funds cannot be spent unless any two of those directors agrees. Bigger multi-signature transactions are possible for bigger organizations, such as 3-of-5, 5-of-9, etc.
  • 2-of-3: Improved Hot wallet security for businesses: A bitcoin business such as an exchange holds one private key online and one private key as paper backup. A separate bitcoin security firm holds the third key online and will only sign transactions after checking certain conditions (blacklists, whitelists, not more than X withdrawn per time period, two-factor authentication, comply with regulatory environment, etc). If the bitcoin business or the security firm's hot wallets individually get hacked, the bitcoins cannot be stolen. If the bitcoin security firm disappears the business can use the paper backup to access coins.
  • 4-of-6: Distributed cold storage vault: three of the keys to a long-term storage wallet are kept in the home. The other three keys are distributed to a close friend, kept in a bank safe deposit box and stored in the workplace office. The home vault is not vulnerable to raiding or burglary because spending the money requires a visit to either the friend, bank or office; but if those places collude they cannot steal the money as they together only have three keys.
  • 2-of-2: Smart contracts building block such as tumblebit, coinswap and Lightning Network.

Creating a Multisignature Address with Bitcoin-Qt[edit]

A 2of3 multisig address can be created by following these steps:

  1. Gather (or generate) 3 bitcoin addresses, on whichever machines will be participating, using getnewaddress or getaccountaddress RPC commands (or copy and paste from the GUI).
  2. Get their public keys using the validateaddress RPC command 3 times.
  3. Then create a 2-of-3 multisig address using addmultisigaddress; e.g. bitcoind addmultisigaddress 2 '["044322868cb17d64dcc22185ae2d4493111d73244c3668f8ac79ecc79c0ba8d30a6756d0fa20157 709af3281cc721c7f53321a8cabda29b77900b7e4fe0174b114","..second pubkey..","..third pubkey.."]' addmultisigaddress returns the multisignature address. Be a little careful, the public keys are raw hexadecimal and don't contain checksums like bitcoin addresses do. You can then send funds into that 2-of-3 transaction using the normal sendtoaddress/sendmany RPC commands, or the GUI (or anything that's been updated to recognize multisig addresses).

Gavin Andresen has an example of using multisig with bitcoin-qt Raw Transactions: https://gist.github.com/gavinandresen/3966071

Notable examples in practice[edit]

  • The cold storage wallet of the Bitfinex exchange is a single 3-of-5 multisig address 3D2oetdNuZUqQHPJmcMDDHYoqkyNVsFk9r which as of December 2017 contains 141 177 btc ($1.5 billion). Presumably the keys are kept very safe by Bitfinex's operators.

Multi-signature is a tool[edit]

Just like any other instrument, a multi-signature can be used to achieve different results. Among its applications: distribution and neutralization of the risk of complementaly or loss of keys, backup and shared accounts which may be used by multiple parties (as well as for the distribution of wages in the organization).

Multi-sign is not a security plan. It can be a powerful component of a well-designed security plan, not the plan itself. Simply saying "multi-signature" without considering its specific application, how it is used and what goals we are trying to achieve, we do not say anything[5].

It doesn't have a "magic pill" for security, but many security tasks become easier with it. In order to understand what she can and can't do, we need to understand a little more about how she works. You should not think that this article is for technical specialists — it is written for anyone, but not for them.

Multisig scheme

Create an address with a multi-signature. To create such an address, you will need more than one public key. Let's look at an example. Alice, Bob and Charlie organized a meeting of supporters of bitcoin and opened a fundraiser for this venture. But they want one person to be unable to manage all the money. So Alice, Bob, and Charlie make an address with a multi-signature by using software from CoPay. It allows you to select a configuration where two of the three signatures are required to sign a transaction and make it valid. In this case, such user combinations are possible-A&B, B&C, A&C.

What happens behind the scenes of the deal at this time? Their software does two things: runs the script and the instructions are written, how many signatures are required, what are the common keys correspond to the private keys that have the power to put a signature (m-of-n), and taking the hash of the bitcoin address associated with the script. The script is also often referred to as a “payment script” because it contains transaction requirements that allow you to transfer funds from a wallet with a multi-signature.

You can think of a payout script as a set of permanent, immutable access control rules. They limit access to address-level of bitcoin. This means that when sending funds to a certain address, the script must check if the rules are correct: whether it is possible to make a transaction. Rules are created when you create a bitcoin address and can never be changed. In the literal sense of the word, the rules are part of the address. This is one of the most powerful advantages of multi-signature. Because of this feature, many believe it is more secure than a regular signature embedded in any bitcoin wallet. When a multi-signature is used as part of a holistic security plan, it can provide additional protection against embezzlement, error, loss, fraud, access point failure because it requires multiple parties or multiple devices to validate the transaction.

What Multisignature cannot do[edit]

You can't set a spending limit; anything on the account can be withdrawn by a single, properly signed transaction.

  • It has no time limit; once a transaction is signed, it allows you to withdraw all funds immediately.
  • It has no daily limit on the number of transactions: you can create thousands of transactions per minute.
  • It has no notifications; you don't get an SMS or email when the account status has changed[6].

Access controls are not part of the concept of multi-signature. At this stage, you may have difficulty with the choice, as many bitcoin wallet providers offer multi-entries and other additional services. They advertise additional services as security and management tools. But you need to take into account that these are the services provided by the company, not the bitcoin Protocol. This is important because it means that control can be bypassed, limits can change. At the same time, the scripting language of Bitcoin continues to evolve, and some new features, such as blocking transactions over time, are already implemented. However, they have not yet been widely disseminated.

Exposure: today's rules are not as safe as they may seem. In fact, the security level is at the security level of your computer's system settings. Unfortunately, many people believe that this is enough.

The holders of the keys have the possibility of automatic signature-based security rules. Many wallets with multi-entries (but not all) now support automatic transactions, as one of the features of control of funds on the wallet. In these implementations, the wallet company owns one of the keys that is used to create a multi-signature address. The key and a rule associated with it the signature under the control of the provider's company of the purse, often called a signature Oracle or Oracle. When you create an address in addition to public keys, wallet company accepts user-defined access rules. For example, the user can limit the daily withdrawal limit to $1 000.00. This means that when creating an address, it sets such parameters (such Oracle).

The signing process usually looks like this — the user creates a transaction (for example, $500.00), signs it, AI sends a wallet provider for verification signature. The Oracle scans the transaction, checks for compliance with the rules (in this case, the control is passed, since $500 is less than$1000.00), makes a verification signature and releases the transaction in the Bitcoin network. Fast, convenient, efficient. Safely? It may be. Maybe not. In any case, the procedure looks more secure than the one used now.

  • Safety depends on a large number of factors. And not only from how many keys are involved in the signing of the transaction.
  • This depends on the rules and how they are enforced: Who can change spending limits? Time constraint? Notifications?
  • When can they be changed? Is there a period of reflection and negotiation during which no transactions are signed at all?

Also depends on the internal security policy adopted by the company: Who has access to Oracle or signing keys? When are backups made and who has access to them? Who writes the Oracle software and does it have open source? This is only a tiny portion of examples of tasks in the field of security, which does not solve multipoles. Multi-signature means that more than one key can be used to specify starting address parameters. Nothing more. It is not a synonym for the word security. By itself, it will not make the storage of your funds on the wallet more secure[7].

Security cannot be outsourced. We all have to stop confusing the transfer of the right to sign to outsource with the transfer to security outsourcing. Simply handing over key signatures and defining security policy rules to a third party will not protect you or your customers. We need safety standards, such as CCSS, and annual inspections with a security audit. More importantly, we need to understand what the risks really are and explain the risks to the users.

External links[edit]

See also[edit]

References[edit]

  1. Identity-Based Multi-signatures from RSA
  2. The Year of Multisig: How is it Doing So Far?
  3. How 2014 Became the Year of MultiSig
  4. NXT Teases Voting System, 'Two Phase Transactions' and a Foundation
  5. Coinb.in - Multisig
  6. What is multisig?
  7. Multisignature Ethereum Wallet


Licence.png