Bitcoin Shamir's Secret Sharing vs multisig

Despite closely following the news about Bitcoin, I learned something about it quite recently. It's about splitting the secret key into multiple pieces, so that at least several of those pieces are required to spend the funds. For instance, a 3 of 5 wallet will generate 5 secrets, and 3 of them will be needed to produce a valid transaction; 3 and 5 are integers chosen by the user. A 1 of 5 wallet would mean that any holder of a secret can spend the funds. A 5 of 5 wallet means that all secret holders have to agree to spend the funds.

There seem to be two use cases for such fragmented wallets.

  • First, when you do a backup of your own private funds. You don't want to put all the eggs in the same basket, e.g. your laptop, or a paper wallet, that could be lost, stolen or destroyed. So you split the wallet and put the fragments in different locations. A bank's safe, a notary, friends you trust, family. If things go south, you can ask them to give you back the pieces of the puzzle.
  • Second, when an organization needs to reach consensus before spending. At least 3 of the 5 board directors should agree to spend funds related to their org. They do not trust each other.

The solution adapted to the private backup use case is Shamir's Secret Sharing (SSS). It's a way to split a secret into N different pieces, so that M pieces are required to calculate the original private key (with 1<=M<=N). Note that the person in charge of gathering the pieces has access to the private key before generating the transaction. You had better trust that person, because he or she can do anything with the funds at that point.
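To make the M of N mechanism concrete, here is an added example (not code from the original post) of Shamir's scheme over a prime field: shares are points on a random polynomial whose constant term is the secret, and any M of them interpolate it back at x = 0. The modulus is assumed to be the secp256k1 group order, which is prime and bounds every Bitcoin private key; the sample key is a constructed value.

```python
import secrets

# Order n of the secp256k1 group: every Bitcoin private key is an integer in [1, n-1],
# so sharing modulo this prime keeps each share the same size as a key (assumption).
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def _eval_poly(coeffs, x, p):
    """Evaluate a polynomial with coefficients [a0, a1, ...] at x, mod p (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc

def split_secret(secret, m, n, p=SECP256K1_N):
    """Split `secret` into n shares so that any m of them reconstruct it.
    Shares are (x, y) points on a random degree m-1 polynomial whose constant
    term is the secret; fewer than m points leave every candidate secret
    equally likely, so they leak nothing about the key."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if not 0 <= secret < p:
        raise ValueError("secret must be an integer below the field prime")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n + 1)]

def recover_secret(shares, p=SECP256K1_N):
    """Lagrange-interpolate the polynomial at x = 0 from m distinct shares.
    Whoever runs this holds the complete private key afterwards: that is the
    trust point the post warns about."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % p
                den = (den * (xi - xj)) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret

def demo_3_of_5():
    """Constructed example: a 3-of-5 split of a sample key (not a real key)."""
    key = 0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
    shares = split_secret(key, 3, 5)
    any_three = [shares[0], shares[2], shares[4]]  # holders 1, 3 and 5 meet
    too_few = shares[:2]                           # only 2 holders: yields garbage
    return key, recover_secret(any_three), recover_secret(too_few)
```

Feeding fewer than M shares to `recover_secret` does not fail loudly; it returns a uniformly random wrong value, which is exactly why the scheme gives no partial information.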

The solution adapted to organizations is multisig addresses. Instead of sharing one private key in pieces as with SSS, a private key is generated for each of the N holders. The multisig address is of a special type, a subset of "P2SH" addresses, aka "pay to script hash". P2SH addresses contain the hash of the script that will allow or block the spending of the funds. Those addresses begin with a 3 instead of the classic Bitcoin addresses that begin with 1. More info is available on wiki.bitcoin.it. To be valid, a transaction must carry enough signatures from the holders, and the verification of the signatures happens at the blockchain level.

Pros of SSS:

  • more privacy, more flexibility as the M and N numbers are not stored in the blockchain.
  • simpler transactions, so lower fees

Pros of Multisig wallets:

  • a more thorough audit of the crypto
  • no trust needed before spending

For further reading, an interesting Reddit post on that topic: https://www.reddit.com/r/Bitcoin/comments/2uj2qe/difference_between_shamir_secret_sharing_scheme/co9hp6t/