BlockchainCommons / Gordian-Developer-Community

Discussions of Gordian principles, Gordian specifications, Gordian references, and making it all a reality.

Recovery of Multisig Problems for Regular People #3

Open ChristopherA opened 4 years ago

ChristopherA commented 4 years ago

One thing I believe that we are under-thinking for multisig for regular people is that backup is significantly harder than it is for single signature. To back up a single key, you can't put just 12 or 24 words on titanium in a vault (as I recommend in the free #SmartCustody book); you also have to store all the other pubkeys.

The best I've been able to puzzle through is something that offers similar fire-proofness and resilience, but that means another BIP39-like system that would put 36 words on titanium for 2 of 3, up to 56 words for 3 of 5. This is doable on 2 to 4 typical plates. But OUCH.

The 2nd alternative suggested by Peter Denton @fonta1n3 was that one QR code (with a privatekeyless wallet descriptor) be printed on paper for every key. Some people don't like printing any kind of key, but there is less risk as these are only public keys. The idea being that you are unlikely to have every paper burn if you keep keys in multiple locations.

Currently Blockchain Commons has a 2nd iOS app called QR Vault, that captures a QR code and locks it to the iOS keychain, securing it with both biometrics and 2FA (Sign in with Apple). Right now the FullyNoded2 app would save as QR one private key in the descriptor with all the other public keys. So for a 2 of 3 you'd need 3 iOS devices. You could have an iPod Touch or another iPhone on each, and ideally each is on a different Apple account, so this is less than ideal (though very easy for users). Also, there is the inevitable bitrot that happens to computer equipment.

Any ideas I'm missing?

-- Christopher Allen

ChristopherA commented 4 years ago

BTW, I worked on a successor to BIP39 that turned keys into poetry a few years ago. Some of what we learned from that helped create the better word list for SLIP39 (no homonyms, greater Hamming distance, etc.)

Original concept of details on word lists: https://github.com/ChristopherA/iambic-mnemonic

Some node.js code used to create a proof-of-concept: https://github.com/ChristopherA/password_poem

Part of the design was to pick words with high valence (emotional context) and/or high concreteness (real, visualizable) items.

Here is a preliminary 2048 word list that could be used with BIP39 that would be more memorable.

https://github.com/ChristopherA/password_poem/blob/master/words.csv

With a larger number of words, we were able to make iambic pentameter poems, and even use the English word order of the sentences to encode some bits.

Our goal was to make randomness come out as something like this:

the hazards of bliss are pleasing the lounge
unfair was cinnamon to search and scrounge
the stained vibrant lasers give us lectures
prayer saves the valley from conjectures

-- Christopher Allen

tkendal commented 4 years ago

These are NOT trivial issues when thinking about mass-market adoption. Vaulted titanium seed phrases don't exactly map to anything the general public is familiar with...like not at all. That said, I love the idea of multisig recovery leading to a greater appreciation for iambic pentameter poetry :)

How lovely such a future could be...

love looks not with the eyes but with the mind;
and therefore is winged cupid painted blind.
we assume then love said to be a child;
because in choice she is often beguiled.

Fonta1n3 commented 4 years ago

Love the rhyming words!

It is indeed difficult for me to envision a future where regular people knowingly use multi-sig.

I more see it as infrastructure for the next generation of banks/corps. And as an incredibly useful tool for those who need it or want it. A back-end tool to keep funds safu. For now it is super niche and only the most enthusiastic Bitcoiners use multisig.

They simply must understand that they will not be able to recover funds if they don't save each seed and their xpubs.

In my opinion the simplest way to achieve this is via Bitcoin Core public key descriptors in QR code format. As a minimum each saved seed should be accompanied by the public key descriptor. In reality the pubkey descriptor should be stored in many physical and digital places independently of the seeds.
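As an added example (not code from this thread, from Blockchain Commons or from FullyNoded), here is a small Python check a cosigner can run on a stored public-key descriptor before relying on it as a backup: it recomputes the Bitcoin Core descriptor checksum, so bitrot or a mistyped character in a copy is caught, and it confirms the descriptor actually carries all n cosigner keys for the expected m-of-n policy. The sample 2-of-3 descriptor, its fingerprints and its xpub strings are constructed placeholders, not real keys.

```python
import re
# Character sets and generator polynomial of Bitcoin Core's descriptor checksum.
INPUT_CHARSET = ("0123456789()[],'/*abcdefgh@:$%{}IJKLMNOPQRSTUVWXYZ&+-.;<=>?!^_|~"
                 "ijklmnopqrstuvwxyzABCDEFGH`#\"\\ ")
CHECKSUM_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GENERATOR = [0xf5dee51989, 0xa9fdca3312, 0x1bab10e32d, 0x3706b1677a, 0x644d626ffd]
# Constructed 2-of-3 descriptor: fingerprints and xpubs are placeholders, not real keys.
SAMPLE = ("wsh(sortedmulti(2,[aaaaaaaa/48h/0h/0h/2h]xpubSampKeyA1/0/*,"
          "[bbbbbbbb/48h/0h/0h/2h]xpubSampKeyB2/0/*,[cccccccc/48h/0h/0h/2h]xpubSampKeyC3/0/*))")

def _polymod(symbols):
    chk = 1
    for value in symbols:
        top = chk >> 35
        chk = ((chk & 0x7FFFFFFFF) << 5) ^ value
        for i in range(5):
            chk ^= GENERATOR[i] if (top >> i) & 1 else 0
    return chk

def _expand(desc):
    # Each char gives a 5-bit symbol; the high bits of every 3 chars form one extra symbol.
    groups, symbols = [], []
    for c in desc:
        v = INPUT_CHARSET.index(c)  # ValueError: no descriptor may contain this character
        symbols.append(v & 31)
        groups.append(v >> 5)
        if len(groups) == 3:
            symbols.append(groups[0] * 9 + groups[1] * 3 + groups[2])
            groups = []
    if len(groups) == 1:
        symbols.append(groups[0])
    elif len(groups) == 2:
        symbols.append(groups[0] * 3 + groups[1])
    return symbols

def checksum(desc):
    # 8-character checksum to write after '#' when the descriptor is stored.
    chk = _polymod(_expand(desc) + [0] * 8) ^ 1
    return "".join(CHECKSUM_CHARSET[(chk >> (5 * (7 - i))) & 31] for i in range(8))

def verify(stored):
    # True only if 'descriptor#checksum' survived storage (paper, QR, file) intact.
    body, sep, chk = stored.rpartition("#")
    return sep == "#" and len(chk) == 8 and checksum(body) == chk

def multisig_policy(desc):
    # (m, n) of a multi/sortedmulti descriptor, to compare with the setup you expect.
    m = re.search(r"(?:sorted)?multi\((\d+),", desc)
    return (int(m.group(1)), len(re.findall(r"[xt]pub\w+", desc))) if m else None
```

A backup copy passes only if `verify` returns True and `multisig_policy` matches the quorum the cosigners agreed on; a copy that fails either check should be regenerated from a good one rather than kept.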

JayOceans commented 4 years ago

I also wrote an article: how to memorize seed-words

format like this ~

satoshi love people hodl friend cookie wish dream live coco panda banana

// I can still remember some old ones from years ago...

I like words because they can be memorized & taken over borders; QR codes & iPhones cannot (in the same way) (but there's probably a low limit that's easy to memorize)

when in plain text, they also can be easily copied

for 2+ years, 'regular' people have held 12 seed-words AND pass-phrases, as part of my storage set-up and it's easy for all & working well...

I'm pretty "regular" (not super technical) and most of my signatory-friends are very "regular", BUT they, as my signatories, for over 2 years, have held 12 of 24 of my seed-words, so that I have avoided being a single point of failure... and pass-phrases, to segregate inheritance accounts

this essentially, gives me all the benefits of a "Multi-Sig AND Multi-Location" storage set-up...

BUT without all the Disadvantages of Multi-Sig

it seems to me that - "simple seed-splitting" has some advantages over traditional multi-sig, in practical use for me, such as -

So, here's a crazy idea -

use a single-sig & just manipulate the seeds & passphrases more... that could even be abstracted away into an app...

I don't really see any benefits of multi-sig as it is today as 'm of n'... // maybe, surely, I'm just not seeing them...

also, seed-splitting allows for "weighed" signatories

example: she has 6 words (because you only trust her a little), he has 12, they each have 9, he has all pass-phrases; she has none

--- all kinds of different combos - can execute for different conditions... And all by simple manipulation of seed-words...

just a crazy idea...

it's been working very well for me (a simple version that is)...

https://medium.com/@summerstarlight321/counter-wrench-attacks-83c75bfbb3de

always, Very happy to get critiques.... thanks !

Fonta1n3 commented 4 years ago

I think it really depends on how we define regular people!

To each their own but I think manipulating seed words is risky, and the number one reason for lost Bitcoin stashes is forgotten passphrases (statistically speaking, as per @ChristopherA's Smart Custody research).

Benefits of multisig being:

JayOceans commented 4 years ago

hey @Fonta1n3 thanks! to comment on your Multi-Sig benefits -

the ONLY benefit I see is, as you mentioned,

quick rebuke of your other points -

"Benefits of multisig being:

you don't need to memorize anything

can share seeds with others without having to worry about them being able to brute force your other seeds (take it a step farther and use SSS)

can lose seeds and still recover funds

you do not need to rely on potentially biased entropy or hacked software giving you a compromised seed as you can generate multiple seeds independently of each other using different methods/devices.

can genuinely make it impossible for a wrench attacker to succeed by geographically diversifying your storage

lastly, regarding, "I think manipulating seed words is risky"

JayOceans commented 4 years ago

hey @ChristopherA

if I can also critique your single-sig backup recommendation from your Smart-Custody whitepaper:

Home Safe .................. Words #1-16
Safety Deposit Box ......... Words #1-8, 17-24
Lawyer ..................... Words #9-24

technical...

strategic...

my seed-splitting set-up (CWAP) : by separating 12 & 12 avoids brute-force theft... and by making a kind of "master" share, which is kept with the main Hodler, the risk of collusion is eliminated, albeit with reduced accessibility for inheritance...

thanks!