btcguide / btcguide.github.io

https://btcguide.github.io/
MIT License

Multisig isn't additive, it's multiplicative #82

Open fresheneesz opened 3 years ago

fresheneesz commented 3 years ago

I just want to say that I agree with the concepts presented in the Why Multisig? page, however I think a better way to describe multisig is that it's multiplicative. I'm gonna copy something I wrote elsewhere:

If devices A and B have a 10% probability of being successfully attacked in a 10-year period, it's very likely (barring identical design flaws or shared code) that a 2 of X multisig wallet would have a far less chance than 10%^2 = 1% of being compromised. Why far less than 1%? Because not only would they both have to be attacked, but they would have to both be attacked at the same time in a coordinated way. This might be more like the chance that both are attacked in the same day, which would be (10%/10/365)^2 = 0.000000075%.

So that's what I mean by multiplicative. Just food for thought.

mflaxman commented 3 years ago

In the naive Bayes sense it is multiplicative, but in the worst-case it's only additive. Let's assume there's an upstream vulnerability (software, hardware, protocol, etc), then the chance that multisig saves you is the odds that < m of your wallets are impacted.

Having different implementations can only add, but it's not guaranteed to be that powerful and I don't want to make outlandish claims. I'd be open to a reference of the multiplicative power of multisig in the advanced section if it can be worked in cleanly. Does that make sense?

fresheneesz commented 3 years ago

Hmm, so you're saying a worst case scenario might be, for example, where two different hardware wallets use the same component that causes the same vulnerability in both. Then the security is simultaneously reduced in both, so the additive difficulty is only in the attacker obtaining some kind of access to both wallets? I would actually think that the worst case is non-additive. The worst case is where the same attack can compromise both hardware wallets. E.g. if a mutual component with a vulnerability as described above manifests in a remote attack vulnerability, where a virus on a compromised machine could extract the key from one, then the other as they're used to sign a transaction. This would actually mean the fact that multisig is used there would have no additional security, additive or multiplicative.

Do you have a case where the security is additive? I can't quite envision a case where it would be. It seems like it's always either multiplicative or provides no improved security (in special cases with identical vulnerabilities).

However the above is quite a rare circumstance. But I take your point that it's not guaranteed to be multiplicatively effective. But I would say that in most circumstances where a vulnerability comes about, it is pretty darn likely to have a multiplicative security enhancement. I wonder if you agree with my line of thinking.
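The three positions in the thread (independent devices give a multiplicative reduction; a coordination window shrinks it further; a shared upstream flaw can wipe the benefit out) are all small probability models, so here they are as code. This is an added example written for this page, not btcguide's code and not either commenter's; the functions, the uniform-hazard assumption used to scale a 10-year figure down to a one-day window, and the mixture model for a shared flaw are my own simplifications, and all inputs are constructed.

```python
"""Compromise-probability models for an m-of-n multisig wallet.

Constructed example (not from btcguide): three models matching the positions
in the thread -- independent devices (multiplicative), independent devices
that must also be hit inside one coordination window, and a shared upstream
flaw that can take out several devices at once (the worst case).
"""
import math


def binomial_tail(p, m, n):
    """P(at least m of n devices are compromised) when each device is
    compromised independently with probability p."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a probability in [0, 1]")
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    return sum(math.comb(n, k) * p ** k * (1 - p) ** (n - k)
               for k in range(m, n + 1))


def independent_compromise(p_device, m, n):
    """Naive model: devices fail independently over the whole horizon.
    For 2-of-2 with p = 0.10 this is the thread's 10%^2 = 1% figure."""
    return binomial_tail(p_device, m, n)


def coordinated_window(p_device, horizon_years, window_days, m, n):
    """Same independence assumption, but the attacker must hit >= m devices
    inside a single window of `window_days` (e.g. the same day).

    Assumption: the per-device hazard is uniform over the horizon, so the
    per-window probability is p_device * window / horizon. For 2-of-2,
    p = 0.10, 10 years, 1 day this reproduces (0.1/3650)^2 ~= 7.5e-10."""
    if horizon_years <= 0 or window_days <= 0:
        raise ValueError("horizon and window must be positive")
    p_window = p_device * window_days / (horizon_years * 365.0)
    return binomial_tail(min(p_window, 1.0), m, n)


def shared_flaw(p_shared, p_affected, p_device, m, n):
    """Worst-case model: with probability p_shared an upstream vulnerability
    (shared component, library, protocol) appears, and each of the n wallets
    is affected by it with probability p_affected (1.0 = identical flaw in
    every wallet). Multisig saves you only if fewer than m wallets are
    affected. With no upstream flaw, devices fall back to independent
    compromise.

    Simplification: ignores the second-order case where a partial upstream
    hit plus an independent failure together reach m, so this slightly
    under-counts; it is enough to show the shape of the worst case."""
    hit_by_shared = p_shared * binomial_tail(p_affected, m, n)
    hit_independently = (1.0 - p_shared) * binomial_tail(p_device, m, n)
    return hit_by_shared + hit_independently


def thread_figures():
    """The numbers the thread argues about, for a 2-of-2 setup with a 10%
    per-device compromise probability over 10 years."""
    return {
        "single_device": 0.10,
        "independent_2of2": independent_compromise(0.10, 2, 2),
        "same_day_2of2": coordinated_window(0.10, 10, 1, 2, 2),
        # identical flaw in both wallets, appearing with the same 10%:
        # multisig adds nothing on top of the shared probability
        "identical_flaw_2of2": shared_flaw(0.10, 1.0, 0.0, 2, 2),
        # upstream flaw appears with 10%, each wallet affected with 50%,
        # plus the usual independent failures
        "partial_upstream_2of2": shared_flaw(0.10, 0.5, 0.10, 2, 2),
    }


if __name__ == "__main__":
    for name, value in thread_figures().items():
        print(f"{name:24s} {value:.3e}  ({value * 100:.9f}%)")
```

The `identical_flaw_2of2` entry is the "no additional security" case from the thread: when one flaw hits every wallet, the 2-of-2 probability collapses back to the probability of that flaw existing, so the multiplicative gain is conditional on the devices actually failing independently.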