Home < Stephan Livera Podcast < SLP455 Anant Tapadia - Single Sig or Multi Sig?

SLP455 Anant Tapadia - Single Sig or Multi Sig?

Date: January 31, 2023

Transcript By: adamjonas via review.btctranscripts.com

Media: https://anchor.fm/s/7d083a4/podcast/play/64348045/https%3A%2F%2Fd3ctxlq1ktw2nl.cloudfront.net%2Fstaging%2F2023-1-1%2Ff7fafb12-9441-7d85-d557-e9e5d18ab788.mp3

Stephan 00:00:00:

Anant, welcome back to the show.

Anant 00:02:38:

Hey Stephan, thanks for having me again.

Stephan 00:02:40:

So there’s been a lot going on. I think the conversation around learning to self custody is always an important one. It’s always one that’s very fresh on my mind as well. And so we’re seeing a lot of discussion. And I think recently, of course, there was the news about Luke Dash-jr losing his coins, I think, I don’t know exactly how many, but probably something in the range of 200 bitcoins, so a serious amount of coin. And so there’s been a lot of people making some noise about this statement, right? They’ve been saying, oh, look, even if a Bitcoin Core developer couldn’t secure his coins, then what hope does the average person have? They’ve been saying this kind of narrative. Of course, I disagree with that strongly, but I wonder, how do you think about that?

Anant 00:03:22:

See, self-custody, I wouldn’t like to claim that self-custody is mentally the easiest thing to do. It is a new way to secure your stuff. So there are going to be mental hurdles when people are trying to do it. There are going to be new things that people have to learn and it does not come without self-responsibility, right? So no matter how us developers and builders want to make it easier, it doesn’t come without learning and it doesn’t come without self-responsibility. Having said that, and having understood that this is a journey, even five years down the line, Stephan, we’ll be talking about self-custody. And why self-custody? You know what other things can make self-custody more secure? Like, there may be a new wallet proposal or maybe new opcode people are proposing, so there will always be improvements in self custody. Even the mnemonic and the seed words that we use, that was not always there. So what I’m trying to say is that the self-custody is a journey. There’s no perfect self-custody solution. And also self-custody solution is very personal, right? So in case of specifically the incident you’re talking about, that is very, very specific and a very, very niche case. It is more for FUD, it doesn’t really apply to normal users. No one is going to probably have a custom security solution like he had, right? It’s almost a non-issue for regular hodlers. But yes, there is an aspect of people start questioning, okay, is their self-custody solution proper? Is it there is something more than they can do about it and the whole conversation starts again and this is going to happen again and again. But as you and me know, and what I’ve understood from that situation, most of it was honestly, it is more for FUD because I don’t know if there was even a cold storage really involved, the way we term cold storage, air gap storage. So there are a lot of moving parts and it is a developing story. We don’t know all the details of it. So once we know all the details of it, probably there will be some learnings out of it. But we already know that you shouldn’t roll your own self custody. You shouldn’t be doing stuff that is very custom to yourself and it is not really something which people have used and tried and it’s not tried and tested. So these are the few things which we can already draw out of that incident.

Stephan 00:05:51:

So to the whole question around should people self-custody, what we end up having is a lot of conversation around what is the best way? Right? We see people saying oh, just multi signature is too complex. People say things like you should only do single signature, maybe with a passphrase. That seems to be if I had to assess, let’s say the meta on Bitcoin Twitter or in online discussion, that seems to be the meta. They say oh, multi sig, it’s in the too-hard basket for most people. Obviously, I disagree. Again, I think it’s more like if you’re a beginner, you should use maybe a guided solution. Like have a professional help you and intermediate and advanced level people, you can learn. It’s not that hard. Like yes, it’s not that hard. That’s how I’m seeing it. I’m curious how you see it: like, single signature or multi signature?

Anant 00:06:39:

See, first of all, as you know at RST, we have been making the Bitcoin products for a while and we come from a single sig world. Hexa wallet is a single sig solution. It has all the aspects of a typical single sig solution of what a wallet does and we can come to the deconstruction of the wallet, which will probably really help some of the listeners, but essentially we come from that space. So, definitely a very neat solution for people who are just getting started or people who have small amount of money. Obviously that is subjective, but essentially not like life savings or stuff like that. But when it comes to something which you want to hold for long term, you don’t want to hold it for six months and just trade it off and it is a significant amount of wealth, multi sig solution is definitely something you should consider. Consider it, understand it, and then probably you can still take a call that, you know, for me a single sig solution with the hardware wallet and password, that’s a fair thing. If you have a safe or if you have a place where you can keep your hardware wallet and you are 100% sure that no one is going to ever touch it and your heirs are going to automatically figure it out, then probably that might be the solution for you. So my message for a lot of people who I talk to, so I talked to a lot of single people and while building Keeper over the last one, you have been talking to a lot of people who are interested in multi sig. So I do know both sides of the argument. So my message for everyone who, who have significant wealth and want to hold it for long term is actually consider it properly and then take a call. And what I have seen is a lot of people who consider multi sig properly and look at a guided solution like a wizard and the way we have built Keeper, they actually come to appreciate multi sig.

Stephan 00:08:39:

Yeah. And so I think what we see is a lot of discussion about the complexity, the added complexity, the backups aspect, the dealing with, let’s say, if you’re trying to do it the right way or the proper way with different hardware devices and so on. I can understand there’s a little bit of extra complexity, but I think my thinking on this is guided more by my friend Michael Flaxman. I think he’s coming from that he’s more of in the multi sig maxi camp. And I think his view is like it gives you fault tolerance, right? It gives you this extra level of security. You just need to know how to do the backup correctly. And you have to do certain things in the right way, in the basic way that you get these basics right. And then once you get those right, you are just so much more secure. So that’s how I’m seeing it. So if you were advising somebody and let’s say this person is now an intermediate or advanced level, they’re not a beginner anymore. They’re quite comfortable with their single signature set up. Why should they consider a multi sig, in your view?

Anant 00:09:41:

I think you mentioned it correctly, is that the security guarantees of resilience or tolerance that multi sig offers you, you don’t really get that by single sig. Okay, you can add passphrase to it. It adds a little bit of resilience in terms of attack vectors, but it also adds another single point of failure. So it’s not really, people try to recreate the multi sig using a combination of passphrase and single sig and kind of keeping multiple copies of it. But essentially the real optionality or the resiliency that multi sig gives you that those security guarantees you cannot get with single sig. Right? And some of the things people see when you do single sig, if you really break down single sig, if you deconstruct what simply happens in a single sig, then you would realize that actually single sig, the attack vectors are the places where you can get attacked for your funds in a single sig actually is the same as multi sig, while in multi sig you have multiple entities, so you can minimize the trust. Let me try and explain that a little more. So let’s take a single sig and deconstruct it. So there are essentially just four key aspects to the whole system. So the first step really is the user would generate an entropy, right? That’s the first step. The second step is second part of the step of it is how is it backed up? So there’s an entropy. It is backed up. Then the third step is from that entropy, public and private keys are created, right? Public keys are used for receiving funds and balance checking and all that, which we typically call wallet functions. And the fourth category is the signing part of it which is done by private keys. Now, if you look at these four functions, these four functions can actually be performed by completely separate entities. Okay, let’s take an example. So, entropy generation, you can use a simple dice roll or seed picker or something else to generate the entropy. It doesn’t involve any wallet on any hardware device. You can use them as well. But this is an example. Then you could go away and store that entropy in terms of seed words on a metal seed plate, right? You could use a mobile device as a watch-only wallet with the xpub and you could receive funds on that. While you could use a seed signer, which is a stateless device, you could put the seed in it every time you’re signing in or using the seed QR and do the signing from that device. So what you see here is that there are four parts to it which are completely can be handled in different ways. What happens in typical wallets is some of these functions or a lot of these functions are combined together. In the simplest case, I would have one app which does the entropy generation, which does the backup, which does the receiving part and which also signs the tran. That’s the simplest, simplest mobile app. The most common, what we see, Stephan, is that other than the backup, all the three functions are combined in a typical mobile app. So, for example, Hexa Wallet. Hexa Wallet would generate the entropy. You would store a copy of it separately and then the receiving of funds and the balance taken, all that wallet functions and the signing happens from within the same one, right? So if you see these four functions are combined in different ways to give rise to different solutions, right? In all of these situations, the wallet which is used for signing or which is used for receiving funds, they are the places where there can be some attacks or there can be some vulnerabilities. For example, if during the receiving part the wallet might simply change the receive address. If you don’t check it, then the funds, if I’m receiving funds from you, I show an address that I think is mine, but it is someone else’s, it’s completely gone, right? So if Hexa wallet shows you a wrong address and you send money to that, that money is completely gone. Now, let’s bring this multi sig in. The same four things happen with multi sig, but with four of these, with the multiple of these keys combined. Now, if these functions that there are different like the example you took of multiple vendors, like multiple vendors are involved, you could actually, by following some simple thumb rule, you can actually check that receiving address, let’s say in two of the entities. And you are so much safer. There’s not a single wallet which can attack and change your receive address. If you check the receivers of the wallet and maybe one of the hardware devices, it will be really difficult for someone to actually collude across those two systems and steal your funds. So I’m going into the real details of it, but if you really abstract it way back up again, the trust is that you really can minimize the trust across multiple vendors in multiple locations and multiple platforms if you use a multi sig instead of a single sig.

Stephan 00:14:53:

Right? And I think that’s a really important point to understand. And when we have multi sig, it just gives us this whole new level of being able to check things. And so, for example, we can design things in such a way. And I know Stepan is not as, Stepan Snigirev, he is not as actively contributing in the space nowadays but I think he was popularizing this idea of how can I make a wallet or something where even if the coordinator was lying, it could or how can I set something up where if even one of the devices is lying, I’m still safe. And so in a multi sig context, it gives you that fault tolerance, right? Because now the coordinating software, whether that’s Specter Desktop, or Sparrow, or it’s Unchained Capital, or it’s Nunchuk, or it’s Keeper, even if the coordinator app is lying to you, if you’re checking that transaction on the device or in the case of receiving you are checking your receive address on the actual device then you are a whole another level safer because it’s much harder for somebody to compromise you and steal your coins. And then this becomes very valuable once we’re talking about your life savings or even for a corporate context or a fund, or a trust, or any of these business entities or other legal entities that have a very high security requirement. So I think it’s such an important thing. But some of the main hurdles, let’s say, for most people, what would you say are some of the main hurdles that people have to using multi sig? Like, I’m sure you’ve had many conversations with people who are probably doing single sig or just single sig with a passphrase. What kind of excuse do they give you or reason do they tell you this is why I don’t want to do multi sig?

Anant 00:16:37:

Yeah. So like, Stephan, there is definitely a learning curve, right? There is a learning curve when you come to Bitcoin, self-custody itself is a learning curve, and within self-custody, multi sig is definitely steeper learning curve than just because there is a lot of education available around how to backup seed phrases and how to use a simple single sig wallet. And in case of single sig wallet, if you just listen to like a five-minute thing you would understand. But in case of multi sig, yes, it is operationally more difficult, right? You have to ensure more things. But that does give you an order of magnitude better security. Like we explained, it’s simply impossible for one key, one coordinating app to collude with another hardware manufacturer and maybe one more other hardware manufacturer somewhere across the globe to steal just your coins. It is very difficult. It’s sort of magnitude difficult. So coming back to the hurdles is that this operational difficulty is one, right? And that is why it is very important that this is kind of a guided process. It’s not like you are trying to do it with a command line, but there is some kind of a wizard, some kind of guided process which takes you through different steps, tells you at every step, okay, what does this mean? Maybe do this, go into the hardware wallet at this particular place and then try to extract the xpub or something like that. So if there’s a guided process, yes, it will be slightly longer, but it will be handled in such a way that multi sig the operational part of it becomes not that much difficult. So that’s one of the excuses I’ve heard. Not excuses…

Stephan 00:18:19:

It’s a reason, let’s say to be fair to them, right? Not an excuse, let’s say reason.

Anant 00:18:22:

See, I was talking to one of the guys who was in advertising. He’s a very creative guy. He loves Bitcoin, he loves the idea of it, but he just doesn’t have the time to understand multi sig. Beyond to get him on self-custody was a few years, to get him on multi sig would be probably another few years. Which is again, to be fair to him, he is busy, he’s doing his creative stuff. He doesn’t have the time or inclination to learn about multi sig. So that is a genuine reason. But that’s why products that we are building, or a lot of people are building nowadays, the coordinating software are actually kind of an assisted multi sig. So that’s one. The second is the cost. The cost is definitely a factor. So if you do a 3-of-5 multi sig, it might be somewhere around $500 for you. That’s probably a good 3-of-5 multi sig. You can probably reduce the cost by trying out some combinations or using some software-based keys instead of hardware-based keys. And if you use some of these keys it is quite okay in terms of security. So there’s a cost to it. The cost can come down by decent combinations. Plus, there are a lot of companies who are trying to build products which are lower costs, like Tapsigner, like Jade, like there are a few other products. Right. So the costs are going to come down. So these two are the main hurdles I’ve heard. And the coordinating software are trying to do assisted multi sig while hardware manufacturers are trying to reduce the cost. So hopefully this is going to be coming easier and easier.

Stephan 00:20:05:

Yeah. And it may be a question of another cycle or two for the multi sig user experience to get better and popularize this further. I’m bullish on this though. I do believe it will come maybe in a cycle or two. Because once you have a lot of people who have a lot of value in fiat terms, purchasing power terms, it’ll just be so much more applicable for them. But I certainly appreciate that today there are some operational difficulties you have to think about, okay? Is it more difficult to use these different wallets, right? As opposed to just having one Coldcard or one device or whatever you’re using now? You might have to think, okay, I need to know how to use a Coldcard and a SeedSigner and a Tapsigner and a Cobo or a Keystone, rather, whatever. Pick your mix. And not just that, whoever is recovering your coins, right? Because now we’ve also got to think about, okay, you or me, Anant, you and I could probably figure it out, like even, you know, but can our wives and kids figure this out? You know, that’s like, that’s like the other level too, right?

Anant 00:21:10:

Yeah, absolutely. That is where standardization really helps. If you talk about learning how to use different hardware wallets or signing devices, then if it is a standard way that those devices work, it is much easier. Right. If you learn one of them properly, you can use another one. Same as using a phone. If you use one type of phone, there’s a good chance that with a little bit of learning you can use another phone because they have been adopted a lot and there are some basic assumptions of basic capabilities that have been developed. So if there’s more standardization around how these things are used, then definitely it’s going to get easier and easier. Right. So we have PSBT standard, we have the BIPs, we have the very importantly product descriptors, output descriptors and BSMS and all these good standards which are developing, which is going to make this learning easier. Because if you learn it for one device, you will probably know it for another device. So all these things are coming together.

Stephan 00:22:18:

Yeah, sure. And so let’s talk a little bit about the multi sig setup process, right? Just so people understand what’s going on there. Right? So let’s just keep it simple, right? Let’s just say it’s a 2-of-3 with three different device types and we’re coordinating that. What are some of the different steps involved to set up this multi sig and operate that multi sig?

Anant 00:22:37:

Awesome. So let’s, let’s go back to the deconstruction we did earlier, right? And it is going to be exactly the same. First, there is a step of generating the entropy. In this case, as there are three devices, you will generate it in three different places. This itself is going to give you no single point of failure. But let’s say you have a Ledger, a Coldcar, and let’s say Jade or a SeedSigner. When you initialize those devices, you can use an existing seed phrase you might have. Or you can generate a new one from those devices. You can even add passphrase there. So now what you’ve done is you have three devices who have generated different entropy. Okay? So that piece is done. The entropy generation was the first piece. Now, how do you back it up? You can back it up as a device itself. For example. You just want to take care of the device and put it in a safe. And additionally, furthermore, you can actually put down those seed words in a written format on steel and keep it somewhere else so that the backup step is taken care of. Now you have three devices ready and they’re backup secured. The two steps are done. Now, what you would do is you would take those devices to an app like Keeper. You would create the multi sig, right? What creation of multi sig that really step means is multi sig is not really created at that point, but your wallet has the capability of generating the addresses which can be signed with the script, which is a 2-of-3 from these three wallets, right? So what you would do is you would communicate with these three hardware wallets either through NFC or QR code, and pass on the xpub, relevant xpub to the coordinating software. Now, the coordinating software only has the xpub, which are the public key generators, which is the public key generator. It still doesn’t have any control of the private key.

Stephan 00:24:33:

Yeah. So just to be clear, this is like there’s a special menu in some cases, right? Because it’s not necessarily the same as the one that you would use for that device in single signature mode. So, for example, in Coldcard, you go into settings and you have multi signature export, I think it’s in Advanced or Settings. And in there you go to multi sig export, take that out into a SD card, put that in, and then the coordinator app has to sort of take all of those three, right?

Anant 00:24:58:

Exactly. So I think that’s an important step because single sig and multi sig are different standards. So it is good to use the right export in the right path. So you would go into the settings and you would follow the steps to import these three experts from these three devices, right? And when you do that, you can do that through an SD card in Keeper, you can use NFC for Coldcard and stuff like that. So it’s slightly more secure and operationally easier. You don’t really need another computer to get in the middle. So that’s what you would do. Now, your coordinating software has all the necessary pieces to make sure that you can produce addresses which can be signed by that script. So that is the creation part. Now, the sending part is let’s start with…

Stephan 00:25:49:

Sorry, at this point we also do need to once you’ve created that multi sig, then we need to register the quorums into those devices, right? So that’s the other step, where now the coordinating software, whether it’s Specter or Sparrow or Keeper, will give you a little piece of information which again, you either use with an SD card or you do the QR scan back and forth. And then those devices can now register and understand, these are the other devices in my multi sig. So let’s say I’ve got this Codecard and I know that okay, there’s a SeedSigner in my quorum and a Keystone or whatever other device and then you have to well theoretically like if you want to be really secure you want to check and you can read on the device. These are the other xpubs associated for this device. So you can kind of check everything, make sure it’s all matching up.

Anant 00:26:36:

Yeah, so I was trying to explain the receive journey so that it is easier to understand why registration is needed. So it’s absolutely important, the registration step, but why it is needed is because how does receive happen is the coordinating software takes these experts completely independently of hardware wallets and it will show you a particular receive address and one way of doing it, you just send the money to that receive address and you will have funds if the coordinating software is not trying to steal your funds, right. When you are signing it, when your sending transaction in a happy case scenario the coordinating software will build the transaction up using the details that it has. It will construct something called PSBT which is partially signed bitcoin transaction, is just a format of how a transaction is represented with additional data and then it communicates again by NFC or Bluetooth or QR code with these hardware devices or signing devices and they would sign these transactions. Now there are a few things which can go wrong here and that’s why you correctly mentioned the registration step. Now because the coordinating software has the central role of combining the xpub, which has the central role of receive generating the PSBT which a signing device would sign, what if the coordinating software is trying to cheat? What if the coordinating software is trying to manipulate these things so it doesn’t have the private keys but it can manipulate the signing devices to sign the wrong PSBT or you know, give them the wrong address. So that is where the registration step is super important. I think you described it well registration basically means the coordinating software is saying by the way, this is the wallet policy of the multi sig configuration I am trying to do. Do you want to store those details? And at this step the user would look at the details that is getting stored. They would probably call it cold storage or they would probably call it safe or vault or whatever they want to call it and then they would store that in their signing devices. Now what has happened you have created multiple copies of the same configuration right? So next time when signing or receiving happens, coordinating app cannot cheat you independently. You can always have you still have three other entities that you can check and say, okay, there is something wrong here. So registration is a super important step which lets the signing devices independently verify that, okay, if coordinating app or any of the other signing devices is trying to cheat or not. So that’s the essential fundamental benefit of.

Stephan 00:29:29:

Yeah, right. And then as we’re going through and we’re checking so just making sure I’m summarizing everything. So we had our three devices, we’ve initialized all three of them. We either brought or did our own entropy or we used the device entropy to create a 24-word seed or a 12-word seed. Then we ingest the multi sig xpub out of those three into the coordinator. Now the coordinator has the built together policy, let’s say 2-of-3. Now we register the quorum into each of those devices. So now each of those devices knows the other device. And then you, the human, should obviously be checking that and making sure, oh, okay. xpub. Okay. It matches to the other xpubs. There’s no lying here. Everything matches up. Everything’s good. I’ve got my 2-of-3. Yes, take that. And now what’s next? Well, now we can receive, let’s say, a test, a small amount of coin into this wallet. And you can check that on multiple devices, right? Because some of these devices have an address explorer, which is really useful. It’s a great feature because now you can, you can see it on device 1, you can see it on device 2 and device 3. Or maybe what you do is you would check a quorum of the devices, right? Maybe if you’re running a 2-of-3, you might check it on two of the devices and then see okay. On the coordinator, it’s also showing me the same address. Okay, good. Now I can receive some coin into this address, right?

Anant 00:30:45:

Absolutely. So testing, even if you buy a new car, testing it out first for a trial run is always there’s nothing it cannot go wrong. So testing it the way you said is a great idea and we recommend it, and testing it for sending and receiving and doing small bits here and there is definitely something users should do before they transfer more of their funds. There are a few checks that these signed devices do automatically. For example, the change address. When you are receiving funds, there is just in a single address. But when you are sending funds, there is an address that you send to. But any of that change, because UTXO is like a single piece that when the UTXO breaks, a piece of it comes back to your change address. Now, there is a potential where the coordinating software just manipulates and puts their own change address. So this change address is something that any of the devices which have been registered properly can check automatically. The user doesn’t have to manually check it. That’s a very neat feature and a very simple thing because if the change address is incorrect, the sales sign device would simply not sign it. So that’s a kind of a check under the hood that happens, only because there are multiple devices and you register with them. So that’s pretty neat. That may not happen in a single sig where you are just using a mobile app and you have your seed phrase written down somewhere. So this is some of the additional benefits.

Stephan 00:32:20:

And the reason we mentioned this as well is because there have been some attacks like this disclosed historically. Now, I’m not sure if the change one was necessarily used or exploited in the wild, but it was there for some time and then obviously manufacturers found it, it got patched up and so on. And so now there’s a much better awareness and understanding in the industry and I think the products, the software and the hardware are being built with this in mind, right? So that’s there that’s useful. So what’s next in the journey, let’s say?

Anant 00:32:49:

So, I think if you’re really paranoid and if you really want to get to that level, there’s one more step you could do. So what you’ve done, you have set it up, you have registered it, checked the details, that’s like theoretical checking of it. Then you’ve done a practical piece where you actually send around funds and you have checked whether those funds are showing up properly or not. There’s one more step you could do is basically there are now multiple coordinating softwares available, right? Initially there’s only Electrum. That’s it, nothing else. So you couldn’t really know. And there were others were closed-source, so you couldn’t do much. But with the help of literally in the last year, there are many more. There’s Sparrow, the Specter, there’s Nunchuk, there’s Keeper. What you could do is recreate the wall. Let’s say you have created a 2-of-3 in Keeper. You could take the output descriptors, which we can talk about in a little bit, but basically the wallet multi sig configuration, put it in Sparrow and check whether it is showing the same addresses and when you’re doing the testing at that time, also you can check the balance from Sparrow and from Keeper. You can try to send from Sparrow and check it in Keeper. So now what you have, you also have a redundancy or not redundancy, that is the right word, but multiple places you can check the coordinating software.

Stephan 00:34:07:

Back to the show in a moment. Now, as we’re talking about multi signature, Unchained can help you with multi signature. This is particularly important if you are a beginner and you need a guided pathway into multi sig. With Unchained Capital you can create a 2-of-3 vault where you hold two keys and Unchained holds the third key. Now they can guide you into this process. They have a Concierge Onboarding program. You can pay up front, they will ship you some hardware devices if you need them and they will do a call with you and walk you through that process. And Unchained have a really easy platform to use which is perfect for you if you are a beginner and you just need some help to guide you through this process. They also have an inheritance checklist which comes as part of the Concierge Onboarding program. So this can help you in terms of having things like a step by step checklist, letters for the executor or trustee, and other things. Go to unchanged.com/concierge to get this. And finally, coinkite.com are my favorite producer of hardware signing devices, most notably the Coldcard. But they have a range of products and gear that you will find really handy. With the Coldcard, obviously, it’s one of the most popular Bitcoin hardware signing devices. You can use it in single signature or you can use it as part of a multi signature and it has all these features that really make it easy for you to do that. So you can register the multi signature quorum, you can check the addresses on the device which gives you some more security. You can initialize the whole thing offline without even connecting to a computer. So there’s just so many features and it’s such a reliable and versatile player that you can use as part of your Bitcoin security setup. So go to coinkite.com, order your Coldcards and other gear there, use code LIVERA and you’ll get a discount on your Coldcards. Now, back to the show. Yeah, I guess it’s just an extra layer of verification, right? And certainly these are things that you do when you set up your multi sig, right? And so I think this is a great way for people to give themselves that peace of mind as well because this is one of those things that’s really kind of crazy, but it’s this idea that the keys can be ported are portable in a way that you can take the key. Like theoretically I could have set up that same key in like a Trezor, but then imported into a Coldcard and it’s going to sign the same way, it’s going to sign the same coins in a way. So that’s kind of useful and that’s a step that, you know, people are doing to help verify. Okay, my access to my coins is, you know, or another one that people might do is do a test recovery, right? Like, let me send $30 into this multi sig and then just practice, oh, I’ve lost one of the devices or I’ve lost this other thing. Can I recover? Do I have the right pieces together to be able to recover if something goes wrong? And then this can give you that extra peace of mind. Okay, I was able to recover. Okay, I’m safe. Right?

Anant 00:36:55:

Exactly. And the best part, Stephan, is that every single user doesn’t have to do this. If a lot of users have done it initially, or some users do it regularly, then if any of these pieces, if any one of the coordinating software, any one of the hardware devices trying to do something funny, they’ll be caught. So the incentive to actually try and steal funds when there are a lot of entities involved is actually reduced. So this is the very, very key part. One of the things in Bitcoin we know is the security is also because of the numbers, right? Because there are so many private keys possible, it’s not easy to guess them. It is not the same scale. But the idea is if you have multiple entities, then you can minimize trust in any one of them. You don’t need to trust a coordinating software. I can use another one. I don’t need to use a signing device, I can use another one. Right. So as these things develop and we have like 12 or 13 signing devices available now, five or six coordinating apps available now, so this becomes easier and easier and people will get more and more confident about it. There’s a lot more talking about it, a lot more education than goes about it. People who are listening to this podcast might come back with questions. They might feel slightly more comfortable. So things are converging with standard, with the ecosystem, and with education. And like yourself, I’m also very bullish on multi sig.

Stephan 00:38:19:

Yeah. And so let’s talk about spending now. So let’s say I’ve set up my 2-of-3 and now I want to send some coins to you, Anant. So I say, Anant, give me an address, I’m going to pay you 0.01 bitcoin or whatever. What steps do I go through?

Anant 00:38:33:

Perfect. So if I give you an address and you have a 2-of-3 multi sig set up, the first thing to do is to check that address. I’m showing it to you on a screen or I have messaged you that particular address. So when you put that address in your coordinating software, and the coordinating software would probably take, you know, produce a PSBT transaction, you would take it to your first hardware device. On that hardware device, the first thing is to make sure that you check whether that send to address is correct or not. That’s the first step. Like I said, the change address is automatically checked if that particular device is registered. So these are the two checks that happen during sending if all the devices are registered. So all you have to do, because they are successfully registered, if you have chosen the right wallet from the signing device, then these are the checks that happen.

Stephan 00:39:30:

And I think maybe it’s also obviously in this case it’s a 2-of-3. So I’d have to go and let’s say I have one device at home and then another device in a vault or some other location somewhere, I have to go to that other location and get the signature from that device or from that signing device to get the second signature, bring that back to the coordinating application. So in this case, if it’s Keeper or Specter or Sparrow or whatever, and then once I’ve ingested that second PSBT signature, then it’ll say this transaction is now valid and you can broadcast it. Right?

Anant 00:40:09:

Absolutely. You explain the user steps really well. So those are the checks that happen at one place, but then you take it to another location. The same kind of check you can do there. You can check the receiving address at your office or any other location you have. Then you put it back to the coordinating software. Not the coordinating software because specific transaction has been signed and there’s no way to for the coordinating app because it doesn’t have the private keys to change it. You can let the coordinating app broadcast the transaction.

Stephan 00:40:40:

Right. And I think one other point just on practicality that might be useful for some people because I’ve been playing around with devices for years, right. So I think for me in practice, I have found there are times where QRs can be difficult, right, because the QR flow, like as an example, it depends on the device you’re using. Sometimes the resolution is bad or the camera on the other device is bad. One tip that I’ve found useful is if you can have the QR scanning device, that could be maybe your home device, and then if you’ve got like one that’s in a vault as an example and you might have a mix, right, you might have a mix in your quorum. And so then the devices in the vault, maybe they can be a little bit easier to have a microSD for signing because they are a little I think it depends on the flow, right? It depends on the coordinating app and everything. But if you just have a microSD card and you’re just going into the vault area or into an office or somewhere, then maybe it’s a little easier to kind of get the signature done. Because if you’re kind of out in a remote location and you’re trying to scan the QR and the signature is not working and things like this where it can be a bit difficult, right. So I think in that case it might be a little easier. Now, of course there is NFC as well, so there’s NFC devices, things like the Tapsigner is an example. But I guess there is one downside with devices like the Tapsigner is you’re getting less. Yeah, because you can’t check the addresses on this thing, there’s less that you can check about the transaction. So there’s tradeoffs with all of these things. It is a cheaper device, but I guess if you’re storing serious, serious money. Well then maybe you’re going for the device, the bigger devices with a screen and with a keypad and things like this. So those are a few tips, I guess that I would just offer for listeners as well when you’re thinking about if you’re crafting your own multi sig. Yeah. Okay. So let’s talk a little bit about the backups and the output descriptor and BSMS. Can you decipher a little bit of this at least? Current state of play as we talk today is the 31 January 2023. What’s the current state of play with multi sig and backups?

Anant 00:42:48:

See, one thing Stephen, I want to mention, because you touched on very important point. When you are keeping something in the safe and you want to use SD card vs. QR code, one of the things people forget is some of these devices used to not have a battery, right. So what you don’t want to do is actually get that device back into your home and then do the stuff and then take it back. So if you have it in a safe, it is not a bad idea either. That most of the new devices, that’s why they have some kind of battery. The new ledgers, the jade, they have battery. Or if you have like a cold card that requires a battery, it’s not a bad idea. Just carry the battery with you. So carry the battery and SD card with you. You know, just do the piece there either through QR code or SD card and then come back. Do not carry the signer. You don’t have to carry the signing device back. You can keep it back safely.

Stephan 00:43:38:

Right? Yeah. So just to explain there, so the idea here is let’s say we’ve got a two or three multi sig and just doing like a big amount of coin on this or whatever. The whole point is to not have to have like okay, yes. At the start when you set up that quorum yes. All three devices can be in the same location because you haven’t put any coins on there. But once you put coins on, then you don’t want to bring them back together because theoretically you’re vulnerable at that point, right. Like if a criminal or someone comes to, you know, try to attack you at that point you’re vulnerable.

Anant 00:44:07:

Yes. Even at creation, actually, because the way between multi sig, it’s not really interactive that way you can actually not have them at the same location at any point of time.

Stephan 00:44:24:

Right, yeah, of course. I mean, I was just saying more from a practicality because you might want to let’s say you want to set it up and then test, recovery test with small amounts before you separate the devices and put them into different locations. One in the mountain, one in the one in the vault, one in the office, one in somewhere. So I think that’s probably where I was saying that just from a practicality point of view. But then once you put the coins on there like serious coin on there, then you don’t want to pull them together because now that’s where the risk is. So anyway, we’ve spoken about that. Let’s get back to the backups question. So typically this means you save a PDF or an output descriptor or BSMS. Can you tell us what’s the current state of play there?

Anant 00:45:03:

Yeah. Why do we need these output descriptors or wallet configuration is because even if you have two of the three keys, you cannot recover your funds. Right, I just want to repeat that. In a multi sig, if you, let’s say in a 3-of-5 multi sig, it doesn’t mean that if you have three of the five keys you cannot even recover any of your funds. The reason being is that, okay, you have the three keys to the safe. Let’s imagine an analog is safe. So you have three keys of the safe and you can open the safe, but how do you find that safe? How do you get to that safe? That is, the map in that terms is what the wallet configuration is. And that wallet configuration or the multi sig configuration file contains the map details or it basically contains the other public details of the other keys that you would need to need to unlock your funds, basically, or get access to your funds. Just to want to be clear why multi sig configuration files are so important. Now that is where things like output descriptors and BSMS and all these things come through. So output descriptor is a very neat standard. It takes care of all the different aspects of what a configuration means. Configuration doesn’t just mean the expert also means the path and the script type that you are using and stuff like that. Right. So that is what forms output descriptor in a simple sense, I’m not getting into time lock in multi sig yet, but that’s an output descriptor and if you have the output descriptor and if you have the minimum number of keys, you can definitely access the funds. If you have three keys out of five and you have the multi sig configuration file or output descriptor, you do not need the other two keys. That’s the importance of it. Output descriptor is a format which a lot of wallets use. Now, like I said, there are multiple pieces in there like the xpub, the path, the master fingerprint, the script type. So these are the part of output descriptor. I would say an improvement to that is the BSMS which is bitcoin secure multisig setup, I think. But BSMS essentially has the output descriptors given a specific output descriptor template. But it also has some other details. One very neat detail that BSMS has is actually it has the first address of the multi sig. Right? I really like this part and why that is important. So let’s imagine you have these five devices. One of the option after registration is you go away and check all these five devices for all the xpubs, all the paths, and all the derivations and this and that, right. That’s one way of doing it. But alternatively, what you could do is you could, if it’s a normal multi sig, you can just check the first address, right? Because the first address is a derivation of all these components. So if the first address is correct or it’s matching across the five devices, then there is no way they could have changed one of the xpubs or they could have changed one of the paths because they will not get the first receiving address. So by checking one piece, you have actually checked multiple of these items. Right?

Stephan 00:48:25:

As you were mentioning, the BSMS has the first address. And so you were saying that basically because the first address has to be the same, then I guess you’re saying that’s the reason why you find it useful as a wallet developer when you’re coding or making and building this right.

Anant 00:48:43:

Even from a user point of view, instead of checking for like five different things. Because they have to check all the cosigner xpubs, so they’ll have to check five xpubs, plus they will have to check the five derivation paths, plus they will have to check the five script types. If any of this going wrong will mean that it’s a completely different wallet. So instead of that, what you could do in a simple case, there are complex case where that doesn’t apply. But in a simple case, what that means is if you check the first address, you essentially have checked all the input parameters to the first address. So if I check this one address across the five devices, I know it is the right registration. So these are the kind of improvements that are happening from a standards point of view. And that is why I said standards are leading towards a better UX in the multi sig space.

Stephan 00:49:31:

I see. Yeah. Okay. And so let’s talk a little bit about Keeper then, specifically, let’s talk a little bit about some of the, sorry, one other thing. So with this whole output descriptor BSMS, I guess the important point just for people to remember is that you can keep multiple backups of this. Now, yes, it impacts your privacy, but it helps your redundancy and your ability to recover if something goes wrong. So this piece, this output descriptor, the BSMS, the wallet configuration file, whatever it’s called, make sure you have multiple backups of that. You might even think about having a copy of that with your lawyer or someone who you’re doing inheritance planning with, because it will be essential as part of the recovery process there. So that’s just something to keep in mind.

Anant 00:50:15:

One other thing you could do with those files, which is very practical, is if you have the signing devices, let’s say in a safe, you can keep a copy there. If you have like three devices in three safes in three different locations, just keep one copy with each of them.

Stephan 00:50:29:

Get a USB, put one in each.

Anant 00:50:32:

Yeah. Or you can just have it in a PDF or something. So that’s a very practical way of doing it. What some of the hardware wallets also are doing, Stephan, is when you are registering, this is very neat. When you’re registering, you’re actually giving those details to the hardware wallet. Codecard lets you export that back. So now I don’t need to store another copy of the wallet configuration with a Coldcard if it’s in a safe, I can use the same wallet configuration from Coldcard to get that back. So things are becoming much easier. You don’t have to keep that separate, right?

Stephan 00:51:11:

Yeah. So it’s even more redundancy then. So let’s talk a little bit about the inheritance stuff because I know this is something you are looking at for Keeper as well. So what’s the plan there?

Anant 00:51:21:

Inheritance can be looked at in different ways, right. A lot of extreme Bitcoiners might say, okay, I don’t care about the legal aspects of it and I just want to make sure my coins are safe and I can pass it on. Some even believe that they just want to die with their coins and just donate it to the network. I am not of that opinion. I want to plan it for generations and a lot of people want to do it that way. Once you have a future generation that you can look at, you would want to pass that wealth on for general reasons. So when you’re doing inheritance planning, there are two aspects to it. One is obviously the access to the keys and then the second is the right to have the keys. Right. When it is about the right, it is the legal construct of your jurisdiction that you have the rights to hold the keys. A lot of time this aspect of the legal title or the rights to have the keys is missed out. What we want to do with Keeper is try to look at both these aspects and assist in both these things. Okay. If, let’s say your partner is going to get the coins off, if something happens to you and you have told them all the locations where three of your devices are, then probably the access part of is easy. But there is no reason that someone else after you are not there can claim that, okay, that person has access to it, but actually that person is not the rightful owner, then they would be in a mix and you don’t want to let them get into that kind of situation. So that is why having your legal title clear it’s very easy. It’s not very complicated. Is a very important way to secure things and make it easy for your loved ones that they don’t have to get into a hassle of figuring out where the keys are and then also trying to prove that why those keys belong to them.

Stephan 00:53:23:

Why you’re the rightful owner or heir of those coins.

Anant 00:53:26:

Exactly. So these are the two aspects. What Keeper does is obviously it tells you what are the safeguarding tips, like we talked about using a battery, using the SD card of how to secure your keys and not just for yourself. You might remember the pin, but what about as soon as your kids are trying to access it, would they know the pin? So it gives you a lot of safeguarding tips of how to secure your keys, not just for yourself, even for future generations. And that’s the access part of it. It also helps you identify that particular wallet or the multi sig wallet in a very unique way so that you can put a simple part of your will that, okay, I have funds in this particular multi sig and this is how you identify this multi sig. And anyone, this person, X-Y-Z is actually the rightful owner of them. How do they get access? Doesn’t have to be put in the will at all. So that if you don’t want to trust a lawyer or the guy who is writing the will, you don’t have to put the access part there at all, but you do have to put how you can uniquely identify those things and how that particular fund belongs to the heir.

Stephan 00:54:42:

Yeah, I mean, there’s all these privacy concerns aspects of it too, because there are people who might say, I don’t want to disclose how many coins I have, or whatever. So some of that is going to be a little bit you have to find a way.

Anant 00:54:55:

So we think we have found a way, and we’ve been talking to a lot of lawyers and a lot of people in this space how this makes sense, and we’ve got great feedback on that. So what you put in the will, it doesn’t have to be the xpubs. You don’t really need to put the xpubs. You can put your master fingerprint there, you can put some other details there which doesn’t leak privacy at all. Right. So there are some other ways of establishing the uniqueness. Basically what you want to do at the end of it is in the will, if there’s an heir who is uniquely identified that this is the heir, this is their legal name, this is where they live, or those kind of details. And you have uniquely identified as best as possible, uniquely identified which funds, then essentially that’s all that will needs. So using other methods rather than putting xpubs is a way to get across that privacy issue.

Stephan 00:55:56:

Got you. Yeah. And certainly, as I mentioned before, some people might be comfortable with maybe giving like an output descriptive to a lawyer, but other people very much not. But of course, people should just listen, should be aware there is a privacy consequence to that. So obviously think that through some people, they’re not comfortable with that and they would rather keep that away from the lawyer or away from those other locations. And maybe that output descriptor is only backed up in a location that your family can see it. Something like that. But you just have to also consider the trade off of redundancy, right? The more copies of that out there, the more redundancy and the easier it is for somebody to help recover in the case of that output descriptor information somehow being lost, right? Because it’s possible and we’d hate for people to lose access to the coins. Right, so those are probably a few important points. Also, I guess there’s some of the more advanced stuff that’s coming, right? So I did an episode recently about Miniscript. There’s been some discussion about MuSig2. Do you see applications for any of this stuff or is it maybe a bit early?

Anant 00:56:54:

It is definitely a bit early, but we are keeping a close look at it and we are very excited with Miniscript and MuSig2 for our stuff. It is definitely early because as you would appreciate, there are situations, not situations. There are still cases in terms of when you’re using a MuSig2, or you have interactivity involved there, which is not really the best thing when it comes to security. You don’t want to really either bring the keys together or go to them multiple times, right? Neither do you want to make them interact with each other. So there are some unsolved problems in that space, but a lot of amazing people are working towards it. So that will probably get solved sooner or later. Miniscript has been actually Miniscript has been around for a while now, right? And people often ask us why not Miniscript yet? Why not Miniscript yet? We have looked at Miniscript, we have played at Miniscript, but the practical aspect of it is reasonable that Miniscript essentially generates a safe Bitcoin script, right? Miniscript is going to generate a safe Bitcoin script. However, other than multi sig, the safe Bitcoin script it generates with multiple spending conditions and multiple branches and all that, it doesn’t really have that much of an importance when it’s a simple multi sig, that can be done with a simple script. But when it comes to multiple spending policies, that is when really like like a 2-of-3 plus 1-of-2 plus time lock or, you know, some kind of a combination. That is when Miniscript really comes to the fore. Now, though that right now, but really there are three problems to it because Taproot is still not Taproot or MuSig is still not out there. So you wouldn’t really be able to benefit that much from Miniscript right now, as you would once these things are in place. So Minuscript can be used, but it is not effective without these other factors. So once these factors are there and then there’s less interactivity and the hardware wallets are able to showcase those policies on the small screen, these are unsolved problems. Yet that is when Miniscript will really be useful. So we are looking forward to those kind of developments in the ecosystem to be able to use these advanced features.

Stephan 00:59:20:

Yeah. Any thoughts on time locks as well? Because this is something where people love to I guess it’s one of those areas where people love to philosophize and talk about this and that. And now Bitcoin does have time locking, like on-chain time locking, but I think practical uses of that, outside of, let’s say, the smart contracting stuff like Lightning, which is a different kettle of fish here, but in terms of multi sig and stuff like that, are you seeing much interest in this or much practical use?

Anant 00:59:49:

Yeah, absolutely. There are a lot of people interested in time lock. There have been people okay, are you going to do time lock? Are you going to do time lock is absolutely, time lock is something which we have done internally. But the time lock and we spoke about the registration and how you verify the details and all that, that particular piece is still not there for time locks. So you can implement time locks, but you may not have a particular signing device supporting it. Now Ledger is working towards it and we are working with Ledger to see how we can implement it. But essentially at this point in time, there is no real hardware support for time locks. Right, so you might have, I think, again from your podcast and otherwise we know that I think Liam is trying to use time locks but there is no signing device support for it. And even if there is a signing device support, it will be without registration. So you are losing out onto some security to have some security. What we are trying to get towards with Miniscript and all is trying to get to a situation where you don’t have to lose security too much to gain time lock as a feature.

Stephan 01:00:51:

Yeah, totally fair. The whole reason why we’re using multi sig to begin with is the security benefits. So obviously we’re not going to throw that out the window. So, yeah, I think that’s important. So I guess a couple of tips that maybe we should leave listeners with. Just make sure when you’re doing your multi sig, you keep it simple, right? Like don’t do something crazy, don’t… Sort of stay in the well-trodden pathways. I think there are good reasons to use the typical, like 2-of-3 or 3-of-5. I think for most people, unless you have a specific use case, I think for most people, 2-of-3 or 3-of-5 is probably going to be a good quorum for people making sure you keep those backups. As we mentioned, the backup of the output descriptor or the BSMS? I think those are important points to remember, but yes, I guess. Do you have any other kind of tips on multi sig before we finish that?

Anant 01:01:40:

I think it’s just a quick TL;DR on what we discussed. Like, okay, there are these two good configurations available and a lot of software wallets like Keeper offer that, so stick to that. Take backups, test it out, like we said, test it out on multiple hardware, hardware devices, any devices, and also test it out probably on multiple coordinating software like Sparrow and Keeper and Specter Wallet. And when you do that, you will be so comfortable because you’re seeing three different things telling you exactly the same balance and the same output. So it’d be like, yeah, you know what? I kind of trust this situation of this system that I’ve built. So if you do these few things, then multi sig is not that difficult.

Stephan 01:02:30:

Yeah. So I think it’s worthwhile for a lot of people now, certainly not for the beginners, but I think for people who are, let’s say you’re a longtime Bitcoiner and your stack is worth a reasonable amount, it’s worth your while, right. I think people lose perspective sometimes, right? Because they might be, like, someone who maybe bought some coins a few years ago or whatever, and the prices run up and now they’ve got over a million dollars worth of coin, or let’s say over 20, 25 coins in, like, a single signature hardware wallet or hardware signing device or hardware signer. And maybe it’s time for you to think, hey, if you’re holding over 20 or 25 coins worth, what’s, like a few hardware devices and some metal seeds, that’s nothing for you, right? So it’s important to think about the perspective.

Anant 01:03:16:

Yeah, sorry, just on that point, we did some backup, then look calculation. But like I said, a typical multi sig today costs $500. And let’s say even if you have bitcoins worth $5,000, which is probably a quarter of a bitcoin, a 0.2 bitcoin, depending on the price, that will be something around 5% to 10% of the security cost. Now, in bitcoin, you know that it can 10x very easily, and if it does 10x, then it will become like 1% of your cost. Having a security cost of 1% to secure the whole amount is a decent security cost. Right? So if you think about it in those terms and put in some hours of effort, actually you have orders of magnitude better security, and the cost is not really it is 1% of the total amount, potentially. So that’s probably one way to think about it.

Stephan 01:04:13:

Yeah. Okay, so I think that’s the multi sig aspect. Let’s talk a little bit about Bitcoin For India. So I unfortunately couldn’t make it last year because of clashes and stuff, but I’m looking forward to being there. Off the top of my head is October 14 and 15th, I think. Yeah. Do you want to just give us an update on Bitcoin For India?

Anant 01:04:30:

Absolutely. So this is a community piece that some of us are involved in with other volunteers. But more than happy to put it on this platform as well that Stephan will be in person there and there will be many other Bitcoiners who would be there, who would be talking to plebs in India and talking multi sig, talking passphrase, talking a lot of stuff. How to do, how to do probably running a node. So it will be a mixed conference like it was this time. There will be a technical track and there will be a main track, but we are very excited about it and we are obviously going to look for more and more participation this time from speakers and from audience. So, yes, this is in October 14th, 15th is the date as of now.

Stephan 01:05:23:

Fantastic. And in Bangalore, right? And so I’m also, you know, it’s been one year now, like Bitcoin, well, it will have been you’ve already had the first conference. You’ve been growing this meet up network, let’s say, of more committed Bitcoiners. And so hopefully there’ll be a growth in the community by then. And who knows, maybe there’ll be a lot of people joining the community between now and then, so maybe they’ll all be there as well. So, looking forward to that and yeah. Any other points you wanted to mention before we finish up?

Anant 01:05:54:

No, I think by the time this probably the pod goes out, the Keeper app would be available on mainnet. Till now it was on testnet. It is still beta, but it is available on mainnet. It’s very easy for people to test out. So do give it a run, try it out with small amounts of small amounts of sats and give us some feedback. It is an awesome product and we hope you love it.

Stephan 01:06:19:

Fantastic. Okay, Anant, thanks for joining me.

Anant 01:06:21:

Thanks, Stephan. Thanks for having me again. Cheers.

Stephan 01:06:24:

I hope you found that discussion helpful and make sure to share this episode with any family or friends who are curious about setting up multi signature and Bitcoin security. It’s been a while since we’ve really walked through some of the details of this. Of course, I have those earlier episodes with a range of people talking about these things. I will include those in the show notes also. But I think this one is a good overview episode for people who want to understand where things are at today with multi signature. So share the episode and the show notes are available at stephanlivera.com/455. Thanks for listening, and I’ll see you in the citadels