Shamirs still requires having the (single) private key present for signing.
Multisig is far superior for Bitcoin security. The keys can remain geographically separate at all times. Each signing operation requires only the partially signed transaction (PSBT) and the other public keys.
The gold standard is multi-sig with at least 3 hardware signing devices.
Devices can be permanently geographically distributed, protecting from disaster in any single location. This is superior to shamir’s because it never requires the single all-powerful private key to exist, removing that as a single point of failure/compromise.
So far this is only 100% achievable with Bitcoin as far as I know.
Shamir's secret isn't safe because it requires you to have both parts of the key and put them together on the same server. Standard bitcoin multisig does not use Shamir's secret, it does a pay to script hash transaction which is safer. You can try it out yourself here https://bitcore.io/api/lib/transaction
SSSS is worse than using OP_CHECKMULTISIG because one has to put all the secrets at once on a single machine to produce the final private key. If the machine is compromised, such key can be stolen right away. Using multisig script allows you to have several (possibly compromised) machines sign a transaction independently without ever producing any "master secret".
Here's my suggestion on how to use multisig with blinding so you can lock your bitcoins with N friends and have your financial privacy at the same time:
http://oleganza.com/blind-ecdsa-draft-v2.pdf
Shamir's Secret Sharing and multisig Bitcoin transactions support arbitrary n-of-m pieces/keys, e.x. a 3-of-6 scheme would require 3 of the 6 pieces to reconstitute the key/sign a transaction, so any 3 pieces could be lost.
2-of-3 is common for end-user multisig. Generally you'd have 1 key physically backed up on paper in a secure place, 1 key on one of your devices (phone or computer), and 1 key either on another device (hardware wallet or phone) or controlled by a 3rd party that does risk analysis/fraud detection on your transactions.
However, I still don't really get the usage difference between SSS and multisig. In a M of N situation, you give N secrets to N people, and M people together can spend the funds.
In my mind, Shamir secret sharing wallets (e.g. Armory) belong to the family of multisig wallets.
It would be nice if you could elaborate on that point.
Multisig needs to be on-chain, and involves multiple disparate signatures. MPC creates a single signature offchain without any one party having a complete private key.
The Bitcoin protocol supports multisig transactions. You can use it to implement escrow by including a third party public key and require 2 of 3 parties to sign the transaction.
This is incorrect. You can have servers using multisig too, it increases the overall security of the transactions, especially if the different private keys are stored in different environments (different datacenters, different OS, etc.).
Regarding the blind signature: yes, you can check it and in most cases it's just checking a series of bytes at a given position in an array. One line of code. Building a multisig transaction locally? Good-luck doing that.
Also I've heard many times arguments along the lines of "my security is better than yours, I don't trust you". It's reminiscent of those arguments about cloud providers like AWS, "my outages are better than yours". The point is we are focusing solely on block chain infrastructure: the security, performance,and reliability. It's our expertise. Is it yours?
Multisig can be a nice compromise between security and convenience. There is a service that allows you to store Bitcoins in a 2 of 3 multisig address where you control two keys (one in offline wallet one in hot wallet) and the service has one key. When you do a transaction they send you one time code (SMS or something like that) if you respond they sign the transaction. So to spend you need to receive their code and your own key. This is kind of 2FA. If the service disappears you can take your offline wallet key together with your hot wallet key to unlock funds.
Multi-signature security via Coinbase accounts is a great first step, but true multi-signature via Bitcoin private keys is the feature that will make transactions and storage much more secure -- regardless of whether you store them personally or with a company like Coinbase.
With M-of-N multisignature you don't need to fully trust any single party.
With Electrum you have to have a fully trusted machine to sign transactions. Using M-of-N multisig transaction is safe even if NSA secretly owns your machine.
Can you go into more detail about how multisig helps? I assume one of the signatures is my hardware wallet. Who holds the other signature? Do they have SIPC insurance?
You don’t need splitting the private key. Bitcoin has multisig setup. For example, you can setup your wallet such that 6 out of 10 private keys need to sign in order to transfer funds. Spread that 10 private keys out. Or 3 out of 10. Or 2 out of 5. Any n out of m.
Based on the construction of the multisig we never have custody over the Bitcion, even if we store the encrypted key (we don't).
> If the funds can be lost through loss of user keys, then this offers little practical advantage over bill-less bitcoin
There are several; easy key diversification across multiple wallets. Easy offline storage away from connected devices. Easy onboarding.
It would be possible to backup the user keys on the notes independent of the note, we just believe that having them function more like cash guides the user to make choices where they are far less likely to lose them -- e.g. storing in a fireproof safe, safety deposit box, etc.
I was replying to your question on how to sign transactions. Multisig is the real and the best solution for this task. Maybe I don't understand the problem with "multisig forces you to use the blockchain". If you sign a bitcoin tx, then sure you need to get it on the blockchain. Or am I missing something?
The difference between multi-sig and no private key is that the former is an implementation of the blockchain protocol (e.g. different in Stellar and Ethereum) while the latter is a generic algorithm/service. Different layer.
Multisig is far superior for Bitcoin security. The keys can remain geographically separate at all times. Each signing operation requires only the partially signed transaction (PSBT) and the other public keys.
reply