Bitcoin: Multisig vs. Shamir’s Secret Sharing Scheme
The pros and cons for organisations using either of two bitcoin key distribution methods
By Phil Geiger and Neil Woodfine
Individuals typically store their bitcoin under singular private keys. Put as simply as possible, this means that only one bitcoin key is required to move the owner’s bitcoins. But for organisations storing significant amounts of bitcoin, this approach is not secure.
Instead, control over the organisation’s bitcoin should be distributed over multiple people to ensure that there are checks and balances when spending, and also that no one becomes a target for theft (or worse).
To distribute control to multiple parties, there are three commonly used methods:
- Bitcoin multisignature transactions (multisig)
- Shamir’s Secret Sharing Scheme (SSSS)
- Dedicated Hardware Security Modules (HSMs)
Without a doubt, bitcoin multisig will be the optimal choice for most organisations making investments in physical bitcoin. It is well-tested, cheap to deploy, flexible, auditable, and supports regular transactions. However, SSSS is still being used by some organisations today, and has its place in niche situations, so we thought it would be worth comparing the two to help organisations that are exploring their storage options.
Multisig vs. HSMs may be the topic for a future article.
Private Key Basics
Private keys can be thought of like keys to a car. The keys to your car are the only keys that can move your car, and every car has unique keys. In Bitcoin, private keys are used to move bitcoin that are stored in publicly visible addresses. Each address has its own unique key.
A “wallet” is a collection of addresses owned by a single individual or organisation. The addresses and keys to the addresses are generated from one master private key.
Whoever controls the master private key, controls the wallet. And if the keys are permanently lost or destroyed, the bitcoin associated with the master private key can be considered lost forever.
The Problem with Single Keys
When an organisation decides to store bitcoin with a single master private key, they only have two options:
- Give the key to one person: That person can “fat-finger” mistakes, lose their device, forget passwords, be threatened by thieves, or even succumb to the temptation to take some of the funds for themselves. If they are on holiday or sick, the bitcoin can’t be spent until they come back. If they pass away without telling anyone their password…the bitcoin just turned into a very long-term “investment.”
- Share the same key with multiple people: if one person loses their key, or if one person is unavailable, the bitcoin can still be moved. However, each key holder still poses the same risks described above. The inability to verify whose key spent each transaction means there is little accountability in the event of a theft. It also provides each key holder with iron-clad plausible deniability should they want to commit an inside job — if three people hold a key, and the coins move, how do you know which of the three moved them?
Shamir’s Secret Sharing Scheme
One solution is Shamir’s Secret Sharing Scheme (SSSS), which allows a company to split up their master private key to be distributed to multiple people.
Background
Predating bitcoin (discovered in 1979), SSSS is a cryptographic scheme used to break up a small piece of data (like a private key) into multiple parts. The scheme is totally customisable, allowing users to define the total number of parts (m) and the number of parts required to recreate the whole (n).
Under SSSS, holding one part does not reveal partial data. Also, any combination of n parts will work — they do not need to be combined in any specific order.
A common example would be a 2-of-3 split, which would split the data into three parts, where any two of the three parts are required to restore the data. But almost any m-of-n combination is possible, such as 4-of-6, or 15-of-15.
SSSS in Bitcoin
Applied to bitcoin, an organisation can use SSSS to split apart a master private key into different parts that will only reveal the key if m of n parts are combined. These individual parts can then be distributed to multiple members of the organisation, who need to cooperate in order to spend the organisation’s bitcoin.
Pros
- Better than a standard single key: as long as SSSS is generated securely (see setup risk below), then it can offer an organisation protection from theft, loss and inside jobs of long-term bitcoin investments. Multiple parts must be compromised (without other participants finding out) to achieve access to the stored bitcoin.
- Supports altcoins: for anyone investing in altcoins (not advisable), SSSS can be used to split any private key.
- Hides balances from participants: with SSSS, no individual part-holder is able to see the balance of the bitcoin wallet. This can be shared selectively with certain people after setup, providing both privacy over the company’s bitcoin holdings and the benefits of distributed key security.
Cons
- Setup risk: when it comes to producing the individual parts, the private key must be generated first, then split with SSSS software. If a bad actor is involved during the setup, SSSS does not protect the private key from being stolen or mishandled.
- Single-use: SSSS scheme is only secure for a single use under specific conditions. Once the private key has been reconstructed using m of n parts, the private key is no longer secure.
- Not auditable: There is no way for SSSS participants to verify that their parts are necessary to spend the stored bitcoin. Multiple full copies of the private key could have been created and stored elsewhere.
- Technical: Setting up SSSS yourself requires some technical knowledge.
SSSS in the Wild
Coinbase Custody claim to use an SSSS-like scheme (or SSSS itself) internally to secure clients’ coins, in order to be “chain agnostic.” There are also hints that Winkelvoss twins may be using SSSS for their bitcoin holdings.
SSSS Solutions
Setting up your own SSSS can be a bit more tricky and requires some hands-on technical experience. We don’t endorse or recommend any of the following solutions but have included a list for people doing their own research: Ian Coleman’s SSSS Tool; point-at-infinity; KPN-CISO. Remember, when it comes to handling your private keys: don’t trust, verify!
Bitcoin Multisig
Background
Bitcoin natively supports multiple types of smart contract. One of the most commonly used smart contracts is multisig. Very similar to SSSS, a user can create bitcoin addresses that cannot be spent until m of n people use their private keys to sign the contract.
In a bitcoin multisig, each participant has their own private key. To create a new multisig wallet, each participant only needs to reveal their public key to other participants, keeping their own private key safe.
Any bitcoin sent to the multisig wallet will, from that point on, require the m of n keys to be moved again.
Pros
- Minimised setup risk: Unlike SSSS, at no point in time are the individual private keys required to be revealed to the other participants, either in setup, or when making a transaction.
- Multi-use: Because the private keys are never revealed to one individual, bitcoin multisig is safe to use multiple times.
- Auditable: Participants in the multisig can cryptographically verify that the bitcoin are held in the multisig and as well as the multisig’s parameters. Unlike SSSS, they can be confident that no one else outside of the multisig has access to the bitcoin.
- Easier to deal with key loss: if any participant loses a private key, the remaining m of n participants can easily move the bitcoin into a new multisignature address, and generate a new key to replace the lost one.
- Off-the-shelf solutions available: the technical process of setting up and managing a multisig has been made very user-friendly by a number of startups (see Multisig Solutions below).
Cons
- Limited support for altcoins: multisignature contracts are native to Bitcoin, meaning that altcoins are not necessarily able to function in the same way, as demonstrated by 2017’s Ethereum Parity hack. Only a small subsection of altcoins that are based on bitcoin’s codebase support bitcoin-style multisig, e.g. Litecoin and Dogecoin.
- Don’t lose the public keys: in addition to keeping their own private key safe, each participant should keep a copy of every other participants’ public key, so that they can reconstruct the wallet in case of loss.
- Privacy: multisig transactions are clearly displayed on the blockchain as a special transaction type. Counterparties (and possibly blockchain intelligence companies) will be able to identify that your bitcoin are held in a multisig wallet, as well as how many keys are required to spend them[1]. Also, all participants in the multisig will be able to see the company’s bitcoin balance and transactions.
Multisig Solutions
As the gold standard of secure bitcoin storage, there are an increasing number of multisig solutions that would allow an organisation to distribute keys among its team: Electrum, Casa, BitGo, Blockstream Green, Unchained Capital, and of course, Clavestone!
Wrapping up
When to Use Multisig
- The vast majority of situations where an organisation needs to reliably distribute control over its bitcoin holdings.
When to Use SSSS
- When you absolutely must distribute control over altcoin holdings.
- When you need to ensure that third parties cannot observe that control over the bitcoin has been distributed.
- More suited to personal holdings than organisational holdings due to trust required in the person setting up the SSSS.
- When you need to distribute one or all of a multisig’s private keys (SSSS can be used together with multisig).
Interested in setting up secure multisig for your organisation? Clavestone can help. We provide guidance for super-secure multisig key setup and transaction management.
Drop us an email to storage@clavestone.io for more information.
Disagree with any points in the article? Did we miss anything? Leave us a message in the comments!
