attack vectors for your ‘multi-sig’ set-up
now that the $5 wrench-attack problem is solved & your bitcoin can’t simply be stolen, our next challenge is to defend against and defeat the next level of attack — a RANSOM
when setting up your MS/ML (multi-signature, multi-location) cold-storage so that it is not a SPoF (single-point-of-failure), you need to make 2 choices:
- “single” signatory — vs — “multiple human” signatories
- multi-sig software — vs — separating access information
Spoiler Alert — separating access information & using “multiple/p2p” signatories is better! — & here’s why…
“single” vs “multi” signatory set-ups
a “signatory” — is someone who signs a transaction
some current vocabulary is misleading, so we need to clarify things
usually, we think in terms of:
“single” — i’m the only person signing… i travel to the different locations and control all the hardware devices myself
“multiple” — other people sign the transactions that i create
but, in reality —
almost all multi-sig setups are multi-signatory
someone is always verifying …
usually, people leverage traditional infrastructure, like bank vaults & security guards
true “single” signatory
the other possibility — a true “single” signatory set-up would involve no one knowing or helping you… for example, your other hardware devices are buried under trees out in the forest
ok, that’s pure “single-signatory”, but it’s not much better than SPoF (single-point-of-failure), because an attacker could simply compel you to divulge the locations… traveling would slow down the attack, but there are no further defenses/no Signatories to protect it…
more accurately, the options today are:
“centralized” vs “p2p” signatory set-ups
“single” is misleading, as it still uses multiple people…
the clearer defining quality is that they’re clustered or centralized in giant banks, private vaults & boutique companies…
p2p is the opposite, right?…
but, regardless of definitions, the game-theory is what’s important —
Who will get kidnapped — you OR your loved ones?…
when you use a “single/centralized” set-up, attackers cannot target you because, as we all know, they would have no leverage. they can’t come with you into the bank vault, because you would simply alert the guards first…
So — this set-up forces attackers to kidnap your loved ones — then, under duress, you could travel & sign all the transactions by yourself…
when you use a “multiple/p2p” set-up, attackers have a choice. they could target your loved ones, but they probably won’t, because — then, you are the only point that can fail. In contrast, if they kidnap you — then, each of your signatories is a possible point of failure. all other things being equal, Attackers would obviously choose the strategy that provided more opportunities for success…
so the incentives are clear —
- “single, centralized” — incentivizes a loved-one’s kidnapping
- “multiple/p2p” — incentivizes your own kidnapping
and the only moral choice is obvious…
again, the big problem with “single” is that it’s “centralized” —
even if the best private-key custody services of today, like Casa, proliferate and expand — banks, Brinks & private companies will hold most private-keys…
governments will extort & seize these giant honey pots until Bitcoin fails…
How can centralized private-key custody scale?…
please don’t say — “hold your own keys” — as this is pre-bank, stone-age…
and whereas, sometimes, you may need to use both centralized services & p2p relationships, please consider the effects of your actions on the future of the network… & so, please don’t use only centralized solutions!
“p2p” signatories
everyone’s situation is different, so i’ll only make some generalizations —
who has more skin-in-the-game?…
- “centralized” — security guards and bank/company employees
- “p2p” — your friends and family
for p2p, consider the quality of your signatories —
- vetted — don’t have major vulnerabilities, like a gambling addiction, that could be exploited or may lead to problems
- trained — you should train them appropriately
- familiar — the better they know you, the better they will be able to detect if you are in distress, or even if you are trying to deceive them
- incentivized — increase the quality of their work by monetizing it
multi-sig software — vs — separating access information
problems with using multi-sig for cold-storage
the only tested/trusted multi-sig software today is limited to [m-of-n] configurations…
multi-sig with a — “p2p/multiple” signatory set-up
- your wallet’s balance is exposed to every co-signer — No privacy
- there’s potential for signatory collusion
multi-sig with a — “single/centralized” signatory set-up
the above 2 issues are avoided, But —
- incentivizes a loved-one’s kidnapping
- requires physical travel
these & related issues are discussed in more detail in the article below
separating access information
there are 2 main ways —
- separate [seed-phrase] from [pass-phrase]
  - potential for weak, user-generated pass-phrases
  - can’t use pass-phrases for heirs’ wallets for inheritance
- seed-splitting
  - simple, non-technical, free
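both ways of separating access information, as an added example (not code from the original post): the pass-phrase is a second secret because BIP39 mixes it into the seed as the PBKDF2 salt, and seed-splitting is shown as a Shamir threshold split, where any 2 of 3 holders can rebuild the entropy and a single holder learns nothing. Everything here is constructed for the demo: the zero-entropy test mnemonic, the pass-phrase, the random 32-byte entropy and the 2-of-3 parameters are assumptions, not real wallet material, and the BIP39 helper does not validate the word list or checksum. The `naive_split_search_space` function is included as the caveat a practitioner would want: handing each holder a plain subset of the words (rather than a threshold share) shrinks the attacker’s search space with every word they obtain.

```python
"""
Added example, not code from the original post: the two ways of
'separating access information' above, as working code.

1. seed-phrase vs pass-phrase: BIP39 derives the wallet seed with
   PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048 rounds),
   so the pass-phrase is a second secret that can live in another place.
2. seed-splitting: a Shamir threshold split of the seed entropy, so any
   `threshold` of `shares` holders can rebuild it and fewer learn nothing.

The mnemonic, pass-phrase, 32-byte entropy and 2-of-3 parameters are
constructed for the demo; none of it is real wallet material, and the
BIP39 helper does not validate the word list or checksum.
"""
import hashlib
import secrets
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, salt "mnemonic"+passphrase, 2048 rounds, 64 bytes."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    # Only 2048 rounds: testing one pass-phrase is cheap, so a pass-phrase
    # protects the seed only through its own entropy, not through the KDF.
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


# Mersenne prime 2^521 - 1: a field large enough for any 32-byte secret.
P = (1 << 521) - 1


def split_secret(secret: bytes, threshold: int, shares: int) -> list:
    """Shamir split: points (x, f(x)) on a random polynomial with f(0) = secret."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    s = int.from_bytes(secret, "big")
    if s >= P:
        raise ValueError("secret does not fit in the field")
    # f(x) = s + a1*x + ... + a_{t-1}*x^{t-1}, coefficients uniform in GF(P)
    coeffs = [s] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            y = (y * x + c) % P
        points.append((x, y))
    return points


def recover_secret(points, secret_len: int) -> bytes:
    """Lagrange interpolation at x = 0 from at least `threshold` distinct shares."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total.to_bytes(secret_len, "big")


def naive_split_search_space(words_known: int, total_words: int = 24) -> int:
    """Candidates left to an attacker holding `words_known` words of a plain
    word-by-word split (each BIP39 word is one of 2048); ignores the checksum,
    so it is an upper bound. A Shamir share below threshold leaves all 2**256."""
    return 2048 ** (total_words - words_known)


def demo() -> dict:
    mnemonic = " ".join(["abandon"] * 11 + ["about"])  # constructed, zero-entropy phrase
    seed_plain = bip39_seed(mnemonic)
    seed_pp = bip39_seed(mnemonic, "correct horse battery staple")  # constructed pass-phrase
    entropy = secrets.token_bytes(32)  # constructed stand-in for the seed entropy
    shares = split_secret(entropy, threshold=2, shares=3)
    return {
        "passphrase_changes_seed": seed_plain != seed_pp,
        "any_two_shares_recover": all(
            recover_secret([shares[a], shares[b]], 32) == entropy
            for a, b in ((0, 1), (0, 2), (1, 2))
        ),
        "naive_split_8_of_24_known": naive_split_search_space(8),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

the design point: in the pass-phrase scheme the seed phrase alone is a complete secret that only a strong pass-phrase protects, while in the threshold scheme a share below the threshold is statistically independent of the secret, so a kidnapped holder of one share has nothing useful to give up.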
for a more detailed comparison —
to Summarize —
you MUST use “p2p/multiple” signatories so that you don’t incentivize Attackers to kidnap your loved-ones
and you CAN’T do that today with current multi-sig software!…
separate your access-information!
set-up secure storage with Signatories!
& HODL Safe with CWAP!…