Coordinate multi-sig wallet

Sjors commented at 8:20 pm on February 13, 2020: member

Multiple people, or even just one person with multiple devices, want to setup a multi-sig wallet. The end result is a descriptor wallet, perhaps miniscript enhanced.

Problem: how do you coordinate this setup? See Electrum thread about the same issue: https://github.com/spesmilo/electrum/issues/5715

Bonus points: it should also work with a protocol like MuSig that requires more than one round of communication.

Current situation

I made a tutorial and screencast of a setup flow, in this case using two signers: a ColdCard and an iOs app that I’m working on. It’s based on the flow ColdCard uses to setup a multisig between two of their devices. Specter wallet uses a similar flow and the same file format, last time I checked.

The general idea there is for each cosigner to export a (JSON) file with information about their public keys, and for the other signers to import that. Derivation paths are standardised (see also #16895). All participating devices will derive the same addresses; the user just needs to enter the (same) threshold on all devices.

The above is pretty easy to implement.

Flexible signer policies

The above approach requires everyone to contribute a single key. Individual participants can’t do fancy stuff like having their own internal multisig setup or some backup key after a timeout. Yet this could be very useful, e.g. imagine a user with two hardware wallets who wants to use an external service provider as the third key. That service provider may have some super fancy setup, but they don’t want to ship custom software to the user, let alone merge their special sauce into Bitcoin Core. What if you could use the Green Address service, but with your favourite orange QT wallet?

A more flexible setup could use miniscript, where each participant provides a policy language snippet they want to use. These are then aggregated with thresh(M, policy1, policy2, ... policyN). The result is then compiled by a coordinator (one of the participants) and shared with the others. Each participant could use a simple public key, or some super convoluted scheme. The cool thing about miniscript if that each participant can verify, without understanding the policy of the others, that they indeed control 1/Nth.

IIUC the plan is to combine the powers of miniscript and output descriptors, and eventually add that to the wallet. Hopefully this allows for putting xpubs and origin info in both the policy language and the miniscript itself.

There is no current plan to add the policy language to miniscript compiler to Bitcoin Core, but we can start with a naive concatenation of participant miniscripts. Also AFAIK existing hardware wallets don’t support anything other than plain OP_CHECKMULTISIG (thresh_m(2, xpub1, xpub2, xpub3)) anyway.

In other words, we would use future proof syntax like the policy language, but in practice “compile” only to trivial, non-optimized, miniscript(s) that match what we can already do with descriptors.

Wallet composer file?

What I have in mind is to (wait for someone else to) design a (binary) format, perhaps similar to PSBT, to compose a wallet interactively.

It would start with a coordinator. They populate the file with the “shape” of the wallet (YAML for illustrative purposes):

0- descriptor: null
1- policy: thresh(2, participant_1, participant_2, participant_3))
2- participant_1:
3   - policy: null
4- participant_2:
5   - policy: null
6- participant_3:
7   - policy: null

Then the first participant, probably the coordinator, fills in their details. They can also list their (advanced) capabilities, e.g. if they’re able to decompile miniscript or only understand very basic policies.

0- descriptor: null
1- policy: thresh(2, participant_1, participant_2, participant_3))
2- participant_1:
3   - policy: c:pk([00000000]/m/48h/0h/0h/2h/xpub_1/{0,1}/*)
4   - can_decompile_miniscript: false
5- participant_2:
6   - policy: null
7- participant_3:
8   - policy: null

The file is then passed to participants 2 and 3. Participant 3 will have all the info it needs to construct a final descriptor (set), and it can prompt the user to “commit” to that wallet:

0- descriptor: multi(2, [00000000]/m/48h/0h/0h/2h/xpub_1/{0,1}/*, ......)
1- policy: ...
2etc...

({0,1} is a fake descriptor syntax; for now you need a separate receive and change descriptor)

Each participant needs to “commit” to the wallet, in the sense of storing it in their memory. This lets them display receive addresses, and it lets them check the change address before signing a transaction.

It then passes it to the other participants. If the devices all have screens, the user can now compare the first receive address as a sanity check.

Bitcoin Core should be able to import this a watch-only descriptor wallet (or maybe it has one of the keys).

If any of the devices isn’t smart / powerful enough to figure out the descriptor, then it needs to go back to the coordinator first. Conversely you could start with a round where each participant announces their capabilities (support for lock times, if they can decompile miniscript and understand their role in the top policy, taproot support, resource limits, etc). A coordinator can then propose a top level policy based on that.

Additional fields can be added e.g. to include nonces for a musig pubkey generation ritual. Also additional fields could contain friendly names for the participants.

Ideally the whole thing is small enough to copy-paste or put in a QR code (e.g. bech32-ish encoded).

Sjors added the label Feature on Feb 13, 2020

gwillen commented at 11:24 pm on February 13, 2020: contributor

This seems critical, thanks for the link on IRC (and the link to the cosigner electrum issue here.) I feel like I saw something on the bitcoin-dev mailing list go by awhile ago, which didn’t get much attention, regarding cosigner xpubs in PSBT for the purpose of constructing change addresses – I forget the details, though.

Sjors commented at 8:33 am on February 14, 2020: member

Indeed there is a mailinglist proposal to add xpub’s to PSBT, which may have its own utility, but a signing device also needs to know those xpub’s before it receives coins. That way it can display a receive address without having to trust a connected computer to give it the right cosigner pubkeys.

kanzure commented at 2:49 pm on February 14, 2020: contributor

Multisig setup is certainly important, but there are many aspects of interaction between parties to make, use, and rotate a multisig wallet. Maybe the wallet composition/proposal file should include information about communication channels for contacting each party?

I would also worry about flexibility. There are many kinds of exotic wallets (including lightning) that should fit into this kind of model, but right now they require significant custom protocol development.

I recognize this is “kitchen sink” style software that I’m proposing, but I do think there’s value in thinking about the full lifecycle of a wallet and its users.

mcelrath commented at 10:56 pm on February 14, 2020: none

I’m pretty concerned about cross-device mutual authentication, and compromise of the computer that coordinates signing. I’m assuming a descriptor-based wallet is already used and devices are a “little smarter”. How does one wallet device know that the other devices are doing what they’re supposed to, and what attacks are possible because they don’t? Since each device knows the pubkeys of all the others, those same keys can be used to bootstrap cross-device mutual authentication for the multisig signing set. The security of the assets is also a function of the coordinating wallet (online with UTXO set), which is kind of an invisible party to the security of the keys. Cross-device mutual authentication can solve the following problems:

Has any device signed a transaction that the others didn’t? (e.g. less than m keys in m-of-n have been compromised – detect probing or failed attack)
m of n operators can collude to create one extra transaction by signing two transactions per access to the signing device, and sharing the second transaction with the other m-1 operators. After m trips to cold storage signing legitimate transactions, they can create one extra arbitrary transaction that the coordinating computer (providing UTXOs) doesn’t know about. (A single compromised operator with access to all m different signing devices, at different times, could accomplish the same thing)
Have the devices been used to sign for forked coins or a 51% attack? (unexpectedly)
Is the coordinating computer compromised (e.g. remove a threshold number of devices from the signing entity and take them to a different coordinating computer).

Private communication channels between (offline) devices can generically be created using the SNICKER half-DH idea (if necessary – but it seems like signatures might be sufficient), since each device knows the pubkeys of all the others. This can then be relayed, but not falsified by the coordinating computer. This creates an encrypted out-of-band communications channel between offline devices, to share whatever state is necessary to ensure that the data being fed to them is consistent across devices. The coordinating computer(s) is then holding some state, so kind-of is an epsilon participant in the (m+epsilon)-of-n wallet. I have two ideas that might be interesting:

A rolling state hash: each device maintains an “epoch” hash defined as h_{epoch} = hash(h_{epoch-1}|serialized_transaction). After signing, each device updates its epoch hash and signs the new epoch hash for relay to the other devices. Devices excluded from signing but used later (n-m of those) can be relayed the entire history of signing by the coordinating computer (or another signing device).
UTXO set accumulator: each device can be fed the set of known/available UTXOs for storage. When one is spent, it removes it from its memory (and could refuse to sign a double-spend if desired). The device refuses to sign unknown UTXOs (forked coins). NiPoWPoW can be used to prevent falsifying the UTXO set.

One could define a BIP32 key path for mutual device authentication or half-DH/SNICKER encrypted communication.

It might be interesting to consider whether such “rolling state” could be used as entropy for determining the k value in MuSig. I’d love to kill that extra round of communication…

What other attack vectors can be mitigated by giving offline devices an encrypted communications channel, and do you think this is valuable enough to implement?

Sjors commented at 9:37 am on February 15, 2020: member

I think we should take small steps :-)

Similar to PSBT, whatever format we come up with can have proprietary fields, which people can use to try out new (authentication) protocols.

I would like to limit the scope of this issue to initial wallet setup. For many wallet types you can derive all future addresses during setup. PSBT can be expanded for things that happen before / during / after signing.

Other wallet types, like Lightning, can’t derive addresses at wallet generation. Some of that information can piggy-back in PSBTs as most steps in the lightning protocol involve generating a new transaction. But maybe interactive addresses generating requires yet another mechanism.

mcelrath commented at 5:30 pm on February 15, 2020: none

I think proprietary fields will cover everything I mentioned. Thanks!

MarcoFalke added the label Brainstorming on Feb 16, 2020

instagibbs commented at 3:22 pm on February 18, 2020: member

({0,1} is a fake descriptor syntax; for now you need a separate receive and change descriptor)

To be pedantic, the receiving and change chains need to be separate and marked appropriately. One is useful for eliding outputs from display during transaction signing, and the other for displaying addresses on the screen for depositing verification purposes.

instagibbs commented at 3:28 pm on February 18, 2020: member

I think an interesting security problem is validating the data being put together to define the on-chain policy, i.e., making sure the composer file hasn’t been owned by a malicious or fault actor. It needs to be simple to re-compute by hand.

Sjors commented at 8:19 pm on February 18, 2020: member

@instagibbs I’ve been tinkering with the format a bit, including splitting receive and change: https://gist.github.com/Sjors/c7342cb27a7cf5f2d35469bb06eae4f4

Sjors commented at 7:33 pm on February 28, 2020: member

@achow101 suggested on IRC (wallet meeting 2020-02-28) to just pass a miniscript policy around and have each participant fill out the details. I think that covers at least simple use cases. Though we need a way to:

add placeholders to policy language (and still be able to reason about them)
add origin info to policy language (I think #16800 does that?)
check if your policy is part of the overal policy, and of the final compiled miniscript (not supported yet in c++ miniscript)

Rspigler commented at 7:57 pm on November 10, 2020: contributor

I think that this post from last year (https://shiftcrypto.ch/blog/the-pitfalls-of-multisig-when-using-hardware-wallets/) and this very recent blog post (https://shiftcrypto.ch/blog/how-nearly-all-personal-hardware-wallet-multisig-setups-are-insecure/) by ShiftCrypto do a very good job demonstrating that there isn’t any well defined and observed standard for secure multisig setups.

There are many attacks that need to be defended against, various data that needs to be confirmed/verified (which needs to be properly communicated to the user - the design community wants to start working on this), and bad practices that need to end (we shouldn’t be using Zpubs/Ypubs etc, wallets should be using descriptors).

Is the wallet composer file being discussed here intended to be Core policy, or a larger industry wide standard? I have tried to summarize everyone’s points here: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-August/018132.html

craigraw commented at 12:20 pm on November 11, 2020: none

For the situation of a central multisig co-ordinator doing a wallet setup from multiple hardware wallets, it may be worthwhile to consider the Uniform Resource (UR) specification, specifically the UR Type Definition for BIP44 Accounts.

UR is a standard mainly used to structure data concisely for transmission over QR codes. The specification in the link above allows hardware wallets to share details of a particular BIP44 account they can sign for. All the common script types are supported through an array of output descriptors, which is supplied along with the master fingerprint for the device. This allows the co-ordinator to select the appropriate output descriptor depending on the script type for the wallet it is creating, and then add the device to the multisig setup.

Rspigler commented at 8:15 pm on November 11, 2020: contributor

Thank you for the link, I wasn’t aware of that research.

Blockchain Commons have also worked on a standard for URIs and QR codes for PSBTs, wallet info, etc (BCR-2020-005) linked here: https://github.com/BlockchainCommons/Research/blob/master/papers/bcr-2020-005-ur.md

My concern would be that we should all be going through the existing standards process (bitcoin-dev; BIP) to create a secure standard(s) for coordination of (offline) multisig wallets (where offline can be HWWs or offline Core). Here is where I brought up the same concerns with Blockchain Commons https://github.com/BlockchainCommons/Airgapped-Wallet-Community/issues/28

There is also the existing BIP 45 https://github.com/bitcoin/bips/blob/master/bip-0045.mediawiki

I don’t think this should be Core policy or a standard within Blockchain Commons (I was not a part of these discussions, so maybe my interpretation is incorrect).

Or, with Musig, Schnorr, and Taproot, do we just continue the work on implementing Musig keytrees for multisig? And say that pre-Schnorr multisig was never securely standardized/implemented?

ChristopherA commented at 10:19 pm on November 12, 2020: none

@Rspigler wrote:

I think that this post from last year (https://shiftcrypto.ch/blog/the-pitfalls-of-multisig-when-using-hardware-wallets/) and this very recent blog post (https://shiftcrypto.ch/blog/how-nearly-all-personal-hardware-wallet-multisig-setups-are-insecure/) by ShiftCrypto do a very good job demonstrating that there isn’t any well defined and observed standard for secure multisig setups.

One thing that we’ve been concerned about lately is reuse of the xprv/xpub path (what I call a keyset) in multisig wallets. This is where the same keyset is used for two different multisigs. It isn’t as dangerous as address reuse, but it does mean compromise of one keyset’s private key also compromises all multisig account descriptors that it is used with.

Currently Gordian Signer (a multisig signing-only app) doesn’t store seeds, but instead using offline airgapped tools like LetheKit to derive the xprv/xpub. But we do have to store state as to what keysets have been offered to other multisig descriptors. I’d really like to see a standard approach on how to manage against keyset reuse to enable interoperability and portability.

ChristopherA commented at 10:28 pm on November 12, 2020: none

This thread is timely, as this is exactly what we are puzzling through right now with Gordian Signer (for Mac, iOS and Android), which is a co-signing only app (no PSBT initiation, solely co-signing). In general, all the Gordian apps (wallet, signer, coordinator, server, etc.) are explicitly descriptor and multisig-centric — we are even considering dropping single sig. They also all are able to be airgapped and torgapped based on different security models.

https://github.com/BlockchainCommons/GordianSigner-macOS https://github.com/BlockchainCommons/GordianSigner-Android https://github.com/BlockchainCommons/GordianSigner-Catalyst https://github.com/BlockchainCommons/bc-keytool-cli

All of the above can already sign PSBTs, including animated QRs for large PSBTs, but the important design question is a standard way to accept a policy request (“will you participate in a 3 of 5 with a timelock to 2 of 3”), and if that is acceptable offer a keyset (e.g. [d34db33f/48’/0’/19’]xpub6ERApfZwUNrhLCk…", and hopefully get an account map back (an account map is a descriptor with no xprvs in it].

ChristopherA commented at 10:31 pm on November 12, 2020: none

/cc @fonta1n3 @wolfmcnally @jollyjoker992 @ksedgwic

Rspigler commented at 4:29 am on November 19, 2020: contributor

@benma @achow101 @hugohn @stepansnigirev @prusnak @jlopp

Rspigler commented at 10:04 pm on December 12, 2020: contributor

So if my understanding is correct, the BCR-2020-015 standard offers an array for all script types, because the use case is for the offline signer to supply the coordinator with all the information that might be needed (the coordinator will then choose the one descriptor that is necessary to create the wallet). That seems superfluous. Why not have the coordinator start the creation process, send a ‘policy request’, and get a ‘keyset’ back like @ChristopherA talked about? That seems much nicer, no? The coordinator could then transfer ‘account maps’ to all offline signers.

Besides that, a concern I have with BCR-2020-015 is the use of ‘BIP48’, which isn’t actually a standard.

Is there a BCR in process for policy requests or account maps? I guess that’s why we’re all here.

ChristopherA commented at 1:46 am on December 13, 2020: none

I raised this topic, originally as an issue, but given lack of consensus I moved to to a discussion (a new GitHub feature).

https://github.com/BlockchainCommons/Airgapped-Wallet-Community/discussions/32 @Rspigler I’d appreciate you also adding your thoughts there.

craigraw commented at 6:24 am on December 13, 2020: none

Why not have the coordinator start the creation process, send a ‘policy request’, and get a ‘keyset’ back

On the contrary, this seems superfluous to me, requiring two data exchanges rather than one. When it’s easy to derive different public keys, why put additional burden on the user? The complete output descriptor can then be shared when known with BCR-2020-010.

Besides that, a concern I have with BCR-2020-015 is the use of ‘BIP48’, which isn’t actually a standard.

I find this concern to be impractical. The use of the 48’/… paths is so well accepted and common that there is no multisig capable hardware wallet that does not conform. There is no way to replace it with something else without causing great confusion and “loss” of funds.

ChristopherA commented at 7:47 am on December 13, 2020: none

@craigraw write:

The use of the 48’/… paths is so well accepted and common that there is no multisig capable hardware wallet that does not conform.

I’m still quite uncomfortable with the so-called 48’ conventions. They result in key reuse with multsigs, which I believe to be a bad idea. Less risky than address reuse, but still an issue.

I also don’t like that you can’t create sub-accounts like you can with single-sig.

I’m fine with a multisig coordinator suggesting a a specific path, but it should be able to handle when it is returned a keyset “[m fingerprint/path]xpub” — it may have already given that path to another multisig.

Rspigler commented at 9:48 pm on December 13, 2020: contributor

We’re also assuming the coordinator is trusted, so wherever/whenever this is implemented, there should be some UX warning to not accept a policy request or to send a keyset to/from a coordinator that you don’t know or recognize. @craigraw You bring up a good point. All signers will need to know all other signers info to securely sign PSBTs (@benma has done good research on this). So this means the coordinator will need to send account maps back to all signers after creation of the wallet (last step).

If we create the wallet your way (BCR-2020-015), there may be redundant information, but it means there are only 2 data exchanges. Signers send the BIP 44 arrays, the coordinator creates the wallet, and sends back to the signers all the account maps.

My proposed way would require 3 data exchanges. (Coordinator proposes wallet to signers, signers send back specific BIP44 descriptor, then coordinator sends back account maps).

Rspigler commented at 8:23 pm on December 14, 2020: contributor

What is the authentication scheme here? Is it just trust on first use, with warnings if data changes?* Encourage out of band/in person authentication?

Is there a need to encrypt or authenticate the PSBTs in transit?

*From Benma’s articles, (at least) the following needs to happen for secure offline multisignature:

To receive securely, the offline signers need to be able to verify the following:

The receive address, which has to encode the hash of an ordinary multisig redeem script with no other spending conditions
The key of the hardware wallet, which has to be one of the public keys in the redeem script
The keypath of the displayed address in order to avoid ransom attacks if no restrictions are enforced by the hardware wallet
The number of cosigners in order to prevent an attacker from adding more
The threshold of required signatures to not be higher or lower than intended
The xpubs of the cosigners in order to prevent an attacker from swapping them

It is advised that in order to prevent human error or hardware/firmware vulnerabilities, to verify receive addresses on multiple devices.

To send securely, the offline signers need to be able to verify the following:

The recipient’s address, displayed and confirmed by the user like with singlesig
The change address, having the same cosigners and threshold in an ordinary multisig script with no other spending conditions
The change goes to an address at a keypath recoverable by the user

All major HWW vendors (Trezor, Ledger, Coldcard, and Bitbox) have been vulnerable to a remote attack due to at least one of the above, so I think that’s why this is such an important task.

Although we’re just working on a standard right now, hopefully good software and UI could check all of the above and alert the end user instead of them having to do the checks manually.

Just trying to put all my thoughts down.

Fonta1n3 commented at 2:12 am on December 15, 2020: none

@craigraw write:

The use of the 48’/… paths is so well accepted and common that there is no multisig capable hardware wallet that does not conform.

I’m still quite uncomfortable with the so-called 48’ conventions. They result in key reuse with multsigs, which I believe to be a bad idea. Less risky than address reuse, but still an issue.

I also don’t like that you can’t create sub-accounts like you can with single-sig.

I’m fine with a multisig coordinator suggesting a a specific path, but it should be able to handle when it is returned a keyset “[m fingerprint/path]xpub” — it may have already given that path to another multisig.

I was under the impression you can create sub accounts with 48':

account 0: m/48'/0'/0'/2' account 1: m/48'/0'/1'/2'

ChristopherA commented at 2:30 am on December 15, 2020: none

@Fonta1n3 wrote

I was under the impression you can create sub accounts with 48':

account 0: m/48'/0'/0'/2' account 1: m/48'/0'/1'/2'

I wasn’t aware that any current wallet software was using these sub-accounts in an interoperable way. I had a report from at least one implementor that had investigated it with no good results.

Is anyone watching this issue successfully using 48’ sub-accounts?

– Christopher Allen

Fonta1n3 commented at 2:32 am on December 15, 2020: none

@Fonta1n3 wrote

I was under the impression you can create sub accounts with 48':

account 0: m/48'/0'/0'/2'

account 1: m/48'/0'/1'/2'

I wasn’t aware that any current wallet software was using these sub-accounts in an interoperable way. I had a report from at least one implementor that had investigated it with no good results.

Is anyone watching this issue successfully using 48’ sub-accounts?

– Christopher Allen

I propose we do support that and we get an actual BIP written up so we no longer need to speculate.

SomberNight commented at 10:42 am on December 15, 2020: contributor

I was under the impression you can create sub accounts with 48':

account 0: m/48’/0’/0’/2’ account 1: m/48’/0’/1’/2'

I propose we do support that and we get an actual BIP written up so we no longer need to speculate.

I was the one who originally came up with this 48h scheme. We needed a default derivation path to use for segwit multisig of bip39/hw-cosigners for Electrum. At the time no other wallet seemed to have any interest in such a scheme [0], and we wanted to have something out, so instead of creating a BIP, we just rolled a “custom” scheme with properties we considered reasonable.

See e.g.: https://github.com/spesmilo/electrum/issues/4352#issuecomment-398028047 https://github.com/spesmilo/electrum/pull/4465

Re account support, as said there, the scheme is: m / purpose' / coin_type' / account' / script_type' / change / address_index but also:

For multisig accounts, there is no way to autodetect any accounts

[0]: I asked devs from trezor/ledger/bitbox privately. (benma from bitbox expressed interest but said they were busy with other things and had not had time to look into multisig yet. johoe ~from trezor had constructive feedback, see linked issue. No response from ledger.) I have also tried to find other wallets besides Electrum that supported multisig and at least had segwit on the roadmap, to solicit feedback, but could not find any.

Rspigler commented at 6:56 pm on December 15, 2020: contributor

Thanks for the link to https://github.com/spesmilo/electrum/issues/4352

the 48’ makes more sense to me now (BIP44 with script_type to support future updates). I still think it’d be best to standardize it with a BIP as proposed by @Fonta1n3 (maybe most devs would prefer to have a BIP for each script type, like was done for BIP 49 and 84, I don’t know. That’s the purpose of the standardization process).

How does it work without a cosigner_index? I can’t find any documentation.

ChristopherA commented at 8:21 pm on December 15, 2020: none

There is more discussion about documenting or revising the 48’ derivation, and more links, in the Airgapped Wallet Community discussion in GitHub https://github.com/BlockchainCommons/Airgapped-Wallet-Community/discussions/16

ChristopherA commented at 8:31 pm on December 15, 2020: none

@ghost43 There does not seem to be any “sub-account” (not 0 but 1+) capability for this using the same xpubs. Is that correct?

As I interpret the difference between a BIP44 definition of account, vs its usage in multisig under 48, the possessor of an xpub level -1 in BIP48 can create and watch all sub-accounts. This is not true under 48, as each account may have different other xpubs involved in their descriptors, thus can’t watch them.

Related, how does Electrum increment its account to prevent xpub reuse? Do you have some state that increments for each multisig you has been requested?

ChristopherA commented at 8:38 pm on December 15, 2020: none

I wonder if there is some way for script_type’ to hash the wallet descriptor Account Map (subtracting the xpubs). That way common descriptor types could be differentiated and discovered without requiring registration?

For instance, use as account_index’ the hash of “sh(wpkh())” instead of 84'?

ChristopherA commented at 8:51 pm on December 15, 2020: none

Another example: the has of wsh(multi(2,,,)) is the account_type’ for a P2WSH 2-of-3.

BTW, Gordian Wallet (a Bitcoin multisig & descriptor centric wallet) calls these empty descriptors like wsh(multi(2,,,)) as a ”Policy Map”. We use them in a protocol when initiating a new account on a co-signing device. Your device gets one of these Policy Maps as a request, and you decide if you want to participate. If later you receive a descriptor (aka Account Map) or a PSBT that doesn’t match that Policy Map, you refuse to sign it.

/cc @fonta1n3 @wolfmcnally

Rspigler commented at 11:25 pm on December 15, 2020: contributor

Is it possible to fix the sub-account issue? Instead of m/48’ we could make a ‘BIP-45’ like BIP per script type - however, BIP45 doesn’t have accounts. Could we add accounts to the derivation?

I guess there is also the option to write a BIP44 type BIP with specific BIP43 purpose fields per script type, then remove the specially createdscript_type index, which would leave you with a normal BIP44 derivation path and working accounts?

Rspigler commented at 11:41 pm on December 15, 2020: contributor

That way common descriptor types could be differentiated and discovered without requiring registration?

The signers still need to register to the coordinator, for a total of 2 data exchanges? (https://github.com/bitcoin/bitcoin/issues/18142#issuecomment-744073781). What does having some of the derivation written from itself benefit?

Your device gets one of these Policy Maps as a request…

I guess any comprehensive standard should support either the signer or coordinator initiating the wallet creation (the array of descriptors method described in BCR-2020-015, or the Policy Map request method).

If later you receive a descriptor (aka Account Map) or a PSBT that doesn’t match that Policy Map, you refuse to sign it.

Those checks are good way to prevent some of #18142 (comment)

SomberNight commented at 10:21 am on December 16, 2020: contributor

@ChristopherA

There does not seem to be any “sub-account” (not 0 but 1+) capability for this using the same xpubs. Is that correct?

As I interpret the difference between a BIP44 definition of account, vs its usage in multisig under 48, the possessor of an xpub level -1 in BIP48 can create and watch all sub-accounts. This is not true under 48, as each account may have different other xpubs involved in their descriptors, thus can’t watch them.

You misunderstand BIP44 then. Even in BIP44, you cannot generate the public keys for multiple accounts from any xpub. xpubs are only possible for specific accounts, not across accounts. See BIP32 (note that the account level is hardened in both “purpose48” and BIP44).

Fonta1n3 commented at 2:03 am on December 17, 2020: none

I was under the impression you can create sub accounts with 48’: account 0: m/48’/0’/0’/2’ account 1: m/48’/0’/1’/2'

I propose we do support that and we get an actual BIP written up so we no longer need to speculate.

I was the one who originally came up with this 48h scheme. We needed a default derivation path to use for segwit multisig of bip39/hw-cosigners for Electrum. At the time no other wallet seemed to have any interest in such a scheme [0], and we wanted to have something out, so instead of creating a BIP, we just rolled a “custom” scheme with properties we considered reasonable.

See e.g.: spesmilo/electrum#4352 (comment) spesmilo/electrum#4465

Re account support, as said there, the scheme is: m / purpose' / coin_type' / account' / script_type' / change / address_index but also:

For multisig accounts, there is no way to autodetect any accounts

[0]: I asked devs from trezor/ledger/bitbox privately. (benma from bitbox expressed interest but said they were busy with other things and had not had time to look into multisig yet. johoe ~from trezor had constructive feedback, see linked issue. No response from ledger.) I have also tried to find other wallets besides Electrum that supported multisig and at least had segwit on the roadmap, to solicit feedback, but could not find any.

It would be great to get your input (and anyone else here!) to help make BIP48 a reality, I have gone ahead and essentially modified bip44 to what my interpretation of what a bip48 would look like https://github.com/Fonta1n3/bips/blob/master/bip-0048.mediawiki. I am not interested in doing this on my own, but it needs to be done. Any feedback, contribution or proposal would be appreciated.

Rspigler commented at 3:28 am on December 17, 2020: contributor

@achow101’s proposed new PSBT v1:

https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-December/018300.html

Rspigler commented at 0:43 am on January 14, 2021: contributor

Does this help streamline the process at all? https://github.com/bitcoin/bitcoin/issues/17190

Rspigler commented at 7:46 am on May 13, 2021: contributor

See BSMS for a standard for coordinating multisig wallets

Sjors commented at 1:28 pm on September 6, 2022: member

BSMS / BIP 129 seems reasonable, but afaik only Nunchuk uses it. Some Coinkite folks were involved with the standard, but it’s not yet anywhere in their firmware. Specter Desktop doesn’t support it either yet.

A good place to start for Bitcoin Core might be implementing the Coordinator and Signer role as a Python helper script. It’s easiest to implement with encryption disabled. The script could make calls to HWI (directly or via External Signer RPC calls).

I added a reference to BSMS to the multisig labyrinth guide in #24861, closing this.

Sjors closed this on Sep 6, 2022

Rspigler commented at 7:28 pm on September 6, 2022: contributor

@Sjors sounds great! There is also a lot of demand for other Bitcoin Core clients to act as the signers (not just external signers), but that can be discussed in the future

bitcoin locked this on Sep 6, 2023

Coordinate multi-sig wallet #18142

Current situation

Flexible signer policies

Wallet composer file?