" How can multi-signature fail? Why do people lose money? I thought multi-signature technology was secure ." Through the Bitfinex hack, it is clear that people do not really understand the characteristics of Bitcoin multi-signature. There seems to be some confusion about multi-signature technology, making people still not understand what it can do or prevent essentially. This article aims to clear up some of the most common misunderstandings, explain how multi-signature works, why policy controls are not a substitute for organizational security, and what you can do to protect yourself? Multi-signature technology is a tool. Just like any other tool, it can be used to achieve multiple different outcomes. It can be used to spread or reduce the risk of key compromise or loss, as a backup redundancy, to create joint accounts so that all parties can spend from the same pool, and it can also play a role in separation of duties in an organization. Multi-signature technology is not a security plan. It can be a powerful component of a well-designed security plan, but it is only one component. Simply put, “multi-signature” is a meaningless exploration of how to implement and apply the technology, and what goals it can achieve. Because multi-signature is not a security mantra, if it were, it would be much easier. In order to understand what multi-signature can and cannot do, we need to understand a little bit about how it works. If you are not a technical person, don’t worry, this is not written for them, this is written for everyone. Create a multi-signature address. You only need more than one public key to create a multi-signature address. Let's look at an example where Alice, Bob, and Charlie are the organizers of a local bitcoin exchange. They all want to raise funds to support the operation of the exchange but don't want to let one person control the funds. 
So they use the CoPay software to set up a multi-signature address in a 2/3 configuration, meaning that for a transaction to be made, two of the three of them must authorize it. In this example, the possible signature combinations are A & B, B & C, and A & C.

What is going on behind the scenes? Their software does two things. First, it generates a script that specifies how many signatures are needed and which public keys' corresponding private keys can authorize a transaction. Second, it generates a hash of that script; this hash, which starts with the number 3, is the Bitcoin address. The script is often called a "redemption script" (redeem script) because it contains what is required to redeem or spend funds from the multi-signature address.

You can use a redeem script as a permanent, immutable set of access controls. These limited access controls are embedded into the Bitcoin address itself. This means that when funds are sent to the corresponding address, the funds can only be moved if the conditions of the redeem script are met. The rules are set when the address is created, and they can never be changed. The rules are literally part of the address itself.

This is one of the reasons why multi-sig is so powerful, and why many people consider it more secure than traditional single-sig Bitcoin addresses. When multi-sig is used as part of an overall security plan, it requires the participation of multiple people and devices to approve a transaction, which can provide additional protection against embezzlement, mistakes, losses, fraud, single points of failure, and more. But please note that there are some things that multi-sig cannot do.
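The 2-of-3 address construction described above, as an added example that is not code from the article or from CoPay: it builds the redeem script, parses it back so a key holder can check the rules before funding the address, and hashes it into the address that starts with 3. The holder keys are constructed placeholders, and all function names are assumptions of this sketch.

```python
import hashlib
from itertools import combinations

OP_CHECKMULTISIG = 0xAE
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def build_redeem_script(m, pubkeys):
    """OP_m <pk1>..<pkn> OP_n OP_CHECKMULTISIG (OP_1..OP_16 are 0x51..0x60)."""
    if not 1 <= m <= len(pubkeys) <= 16:
        raise ValueError("need 1 <= m <= n <= 16")
    pushes = b"".join(bytes([len(pk)]) + pk for pk in pubkeys)
    return bytes([0x50 + m]) + pushes + bytes([0x50 + len(pubkeys), OP_CHECKMULTISIG])

def parse_redeem_script(script):
    """Recover (m, pubkeys) so the rules can be checked before funding the address."""
    if len(script) < 3 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a multisig redeem script")
    m, n = script[0] - 0x50, script[-2] - 0x50
    keys, i, end = [], 1, len(script) - 2
    while i < end:
        size = script[i]
        if size not in (33, 65) or i + 1 + size > end:
            raise ValueError("malformed public key push")
        keys.append(script[i + 1:i + 1 + size])
        i += 1 + size
    if not 1 <= m <= n or n != len(keys):
        raise ValueError("m or n does not match the keys in the script")
    return m, keys

def p2sh_address(script):
    """Base58Check(0x05 || RIPEMD160(SHA256(script))); version 0x05 gives a leading '3'."""
    # Needs a hashlib/OpenSSL build that still exposes ripemd160.
    h160 = hashlib.new("ripemd160", hashlib.sha256(script).digest()).digest()
    payload = b"\x05" + h160
    payload += hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    num, out = int.from_bytes(payload, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    return out

def signer_sets(m, names):
    """Every combination of holders that satisfies an m-of-n script."""
    return [" & ".join(c) for c in combinations(names, m)]

# Constructed placeholder keys (33 bytes, 0x02 prefix); not real curve points.
HOLDERS = ["Alice", "Bob", "Charlie"]
KEYS = [b"\x02" + hashlib.sha256(h.encode()).digest() for h in HOLDERS]
SCRIPT = build_redeem_script(2, KEYS)
```

Changing the threshold or any key changes the script bytes and therefore the hash, which is why the rules cannot be altered for an existing address.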
Policy controls are not an inherent part of today's multi-signature technology. You may be confused at this point, because many wallets offer this type of add-on service. They are advertised as having additional security measures and additional controls. What is less clear is that these services are implemented by company software and internal policies, not by the Bitcoin protocol. This is very important because, as the incident above shows, these controls can be bypassed and the restrictions can be changed. While Bitcoin's scripting language is evolving and protocol-based policy controls such as lock-time can be utilized, they are not yet widely implemented.

Takeaway: Today's policy controls are not as secure as they appear. In fact, they are only as secure as the system that controls policy changes. Unfortunately, this is less secure than most people think.

Sometimes key holders sign automatically based on policy controls

Many multi-signature wallets (but not all) include automatic transaction signing as a feature of their wallets based on policy controls. In these implementations, the wallet company controls one of the keys used to create the multi-signature address. This key and its associated signing function are controlled by company-written software, which is often called an oracle or signing oracle.

When creating an address, in addition to the public key, the wallet company also collects the policy controls defined by the user. For example, a user might set a daily maximum transaction limit of $1,000. The corresponding address can then be created, and the signing oracle sets its signing parameters accordingly.

The signing process generally looks like this: the user creates a transaction (e.g. $500), signs it, and sends it to the wallet provider for confirmation. The oracle sees the transaction, checks the policy controls (here $500 is less than $1,000), countersigns, and broadcasts the transaction to the Bitcoin network. Fast, convenient, efficient. So is it secure?
Maybe, maybe not. Maybe it appears more secure than it actually is. Security depends on many factors, not just on how many keys are needed to sign a transaction.

It depends on the policy controls in place: Who can change spending limits? Time limits? Text notifications? When can they make changes? Is there a cool-off period after a change during which no transactions are confirmed?

It also depends on the internal security of the company: Who has access to the oracle or signing keys? Are there backups of these things, and who has access to the backups? Who wrote the oracle software, and is it open source?

These are just some examples of security issues that multi-signature doesn't solve. Multi-signature means that multiple keys are required to create an address. However, this does not mean that the security objectives have been achieved, and multi-signature alone is far from enough to ensure the safety of funds.

Security cannot be outsourced

As an industry, we need to stop outsourcing the messy work of key security. Handing over signing keys and process control to a third party does not protect you or your customers from theft. We need to opt into security standards like CCSS and annual security audits. Most importantly, we need to focus on understanding the risks and accurately explaining them to users.

Finally, always remember: "If you don't have your keys, you don't have your money."

Notes:

1. If you are reading this article, I will assume that you understand the basics of Bitcoin. Bitcoin is based on public key cryptography. For more information, see https://en.wikipedia.org/wiki/Public-key_cryptography.

Technically, this feature is called P2SH or pay-to-script-hash, not multi-signature. However, the most common use of P2SH is to implement multi-signature, and multi-signature has long been the most widely used application of P2SH.
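The signing-oracle flow and the questions about who can change spending limits, and whether a cool-off period applies, can be made concrete with a toy model. This is an added example, not any wallet provider's code; the class, its fields and the event sequence are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class SigningOracle:
    """Toy co-signer: amounts in USD, time in seconds; daily reset is omitted."""
    daily_limit: float
    cool_off: int = 0          # delay before a policy change takes effect
    spent_today: float = 0.0
    pending: list = field(default_factory=list)   # (effective_at, new_limit)

    def change_limit(self, new_limit, now):
        # The limit is mutable state held by the provider, not part of the
        # redeem script, so whoever can reach this call rewrites the rule.
        self.pending.append((now + self.cool_off, new_limit))

    def _effective_limit(self, now):
        for effective_at, limit in sorted(self.pending):
            if effective_at <= now:
                self.daily_limit = limit
        self.pending = [p for p in self.pending if p[0] > now]
        return self.daily_limit

    def countersign(self, amount, now):
        """Return True if the oracle would add the second signature."""
        if self.spent_today + amount > self._effective_limit(now):
            return False
        self.spent_today += amount
        return True

def replay(oracle):
    """Constructed sequence: normal spend, limit change, large spend, retry a day later."""
    results = [oracle.countersign(500, now=0)]
    oracle.change_limit(1_000_000, now=60)
    results.append(oracle.countersign(250_000, now=61))
    results.append(oracle.countersign(250_000, now=61 + 86_400))
    return results

# Same events, two configurations of the policy-change control.
NO_COOL_OFF = replay(SigningOracle(daily_limit=1_000))
WITH_COOL_OFF = replay(SigningOracle(daily_limit=1_000, cool_off=86_400))
```

Without a cool-off the large spend is countersigned one second after the limit change; with a 24-hour cool-off it is refused until the change takes effect, which leaves time for notifications and review.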