**Institutional-Grade Bitcoin Custody: Comparing Multisig, Shamir’s Secret Sharing, and Multi-Party Computation**
For anyone with substantial bitcoin holdings, a custody structure that includes a single point of failure should be seen as unacceptable. If a wallet has a single component that—when lost or stolen—can lead to a permanent loss of funds, then it’s simply too dangerous to consider. Nobody wants to keep significant wealth teetering on the edge of catastrophe.
Individual bitcoin holders have numerous tools available that can help reduce the risk of loss or theft. In a previous article, we covered some of these tools, highlighting modifications commonly applied to singlesig wallets. However, we also explained why these approaches fall short of removing single points of failure entirely.
For a business, government, or other institution that wants to secure a bitcoin treasury, eliminating single points of failure is not just a nice-to-have, but a prerequisite. The only custody models worth considering for these entities are ones that include a threshold requirement in order to access funds. A threshold requirement describes a structure that involves multiple, separately secured components, where a subset of those components is needed to approve any withdrawal. This is the only way of achieving institutional-grade security, with single points of failure eliminated completely.
In this article, we’ll cover how to apply threshold security using three different methods: script multisig, Shamir’s secret sharing (SSS), and multi-party computation (MPC). We’ll also dive into the tradeoffs associated with each approach, and how an institution can choose the best setup to meet their needs.
### What is Multisig?
If you aren’t sure what script multisig is, we recommend checking out our earlier article dedicated to explaining how multisig wallets work and what they’re used for. As a quick review, a multisignature wallet involves multiple private keys, and can be configured so that a specific number (threshold) of those private keys are required to sign any transaction. The signatures can be produced at different times and locations, allowing each key to remain physically separated. Once a threshold number of signatures have been produced, they can be combined into a single bitcoin transaction capable of spending the funds.
This relatively simple way of creating a threshold requirement is highly effective at removing all single points of failure. As long as the spending threshold is greater than one but less than the total number of keys, then any single key can become lost, stolen, or destroyed without bitcoin becoming unrecoverable. The remaining keys could sign a recovery transaction moving funds to a fresh multisig setup.
Satoshi Nakamoto laid the groundwork for multisig when bitcoin was first released, anticipating that it could be a popular mechanism for securing funds. However, it wasn’t until the P2SH softfork in 2012 that multisig started to become a widely used tool. Multisig has since proven itself as a battle-tested security model for more than a decade, across several different address types.
### What is Shamir’s Secret Sharing?
Shamir’s secret sharing (SSS) is a secret sharing algorithm that was developed by renowned cryptographer Adi Shamir in 1979. It can be used as another way of introducing a threshold requirement for protecting bitcoin. SSS allows users to split a key into several distributed “shares,” with only a certain threshold of the shares needed to reassemble the key. This can be used to design quorums like 2-of-3 or 3-of-5, similar to multisig.
However, this approach still leads to single points of failure at certain instances during its lifecycle. One example is when the key is initially split up into SSS shares. This operation is usually done on a single device at a single time and place. If an attacker compromises that device, the key generation process, or the share creation process, they’ve compromised the key. Another example is whenever the user needs to reassemble the key to sign a transaction. A threshold number of shares must be brought together, once again on a single device at a single time and place, which an attacker could exploit.
A fairly simple and widely used method of implementing SSS technology for cryptocurrency custody is through the Shamir backup, developed by Satoshi Labs in 2017. It can be found as an option in certain Trezor hardware wallet models.
### What is MPC?
MPC, or multi-party computation, is a subfield of cryptography that traces back to the 1970s. The goal of MPC is to allow multiple participants to jointly perform a computation, while each participant’s contribution to the computation is not revealed to the rest of the group and therefore can remain private. This allows for multiple parties to collaborate in various contexts without needing to trust each other.
When applied to bitcoin custody, MPC involves distributed “shares,” similar to SSS. However, unlike SSS, the shares are not split from a private key nor used to rebuild a private key. Instead, multiple parties compute a single signature directly from a threshold of their shares.
Unlike SSS, MPC does not necessitate a single point of failure. MPC shares can be generated separately from one another, and they never need to be brought together to operate the wallet. Information produced from a share can be communicated to the other participants, without the share itself being revealed.
Since bitcoin and other cryptocurrencies have primarily used a signature system based on ECDSA (Elliptic Curve Digital Signature Algorithm), MPC had to be adapted for this context. The first practical threshold protocols for ECDSA were published in 2018.
### What are the trade-offs between threshold models?
With three different threshold security models to choose from, the next step is understanding the strengths and weaknesses of each option.
**Tradeoffs with Multisig:**
– Script multisig is a standardized way of achieving threshold security, native to the bitcoin protocol.
– The structure is considered relatively simple and robust.
– The barrier to entry is also small—if a bitcoin user knows how to operate a singlesig wallet, then it’s not a large leap to learn how to set up and use a multisig wallet.
– However, deploying contracts publicly on the blockchain comes with tradeoffs. As bitcoin is spent out of a multisig address, the access control policy for that address must be permanently published on the blockchain.
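
To make the last point concrete, here is an added example (not from the original article) that builds a bare `m <pubkey>... n OP_CHECKMULTISIG` script, the form revealed when a P2SH or P2WSH multisig output is spent, and then recovers the quorum and every public key from those bytes alone. It assumes compressed 33-byte keys and at most 15 of them; the keys are constructed placeholders, not real curve points.

```python
OP_CHECKMULTISIG = 0xAE
OP_BASE = 0x50                      # OP_1..OP_16 are encoded as 0x51..0x60

def build_multisig_script(m, pubkeys):
    """Serialize an m-of-n multisig script for compressed public keys."""
    n = len(pubkeys)
    if not 1 <= m <= n <= 15:
        raise ValueError("need 1 <= m <= n <= 15")
    out = bytearray([OP_BASE + m])
    for pk in pubkeys:
        if len(pk) != 33:
            raise ValueError("expected 33-byte compressed public key")
        out += bytes([33]) + pk     # push opcode 0x21, then the key bytes
    out += bytes([OP_BASE + n, OP_CHECKMULTISIG])
    return bytes(out)

def parse_policy(script):
    """Recover (m, n, pubkeys): what any chain observer learns after a spend."""
    if len(script) < 3 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a bare multisig script")
    m, n = script[0] - OP_BASE, script[-2] - OP_BASE
    keys, i, end = [], 1, len(script) - 2
    while i < end:
        length = script[i]
        if length not in (33, 65):  # compressed or uncompressed key push
            raise ValueError("unexpected push length")
        keys.append(script[i + 1:i + 1 + length])
        i += 1 + length
    if i != end or len(keys) != n or not 1 <= m <= n:
        raise ValueError("malformed multisig script")
    return m, n, keys

def demo():
    # Constructed placeholder keys: 0x02 prefix plus 32 filler bytes each.
    keys = [bytes([2]) + bytes([k]) * 32 for k in (0x11, 0x22, 0x33)]
    script = build_multisig_script(2, keys)
    return script, parse_policy(script), keys
```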
**Tradeoffs with Shamir’s Secret Sharing:**
– SSS offers another way of designing a threshold requirement based on relatively simple and battle-tested cryptography.
– Unlike multisig, SSS operates completely outside of public-facing addresses and transactions on the blockchain.
– The biggest disadvantage to SSS is that the private key must exist in one place at one time, before it is first split into shares, and also when the shares are recombined for the purposes of approving a withdrawal.
**Tradeoffs with MPC:**
– Much like SSS, MPC enforces the threshold requirement at the key-level instead of the blockchain-level.
– Importantly, MPC manages to avoid the temporary single points of failure that come with using SSS.
– However, MPC for threshold ECDSA is considered very complex cryptography, and there is not an agreed-upon standard for using it.
### Which model is best?
As we just covered, there are numerous tradeoffs between using multisig, SSS, and MPC. They can be arranged in a chart for a visual comparison.
If a business specializes in the custody of many different cryptocurrencies, they might be motivated to hire a team of professionals to carefully set up an MPC custody model. However, if a business or individual were looking for a simple and reliable way to secure bitcoin for the long term, using script multisig and accepting the privacy tradeoffs might be preferable. SSS is rarely used by itself due to its inability to enforce institutional-grade threshold requirements at all times.
### Combining models for collaborative custody
While multisig, SSS, and MPC are often thought of as competing security models, it’s possible to incorporate more than one of them into an overall custody structure. This combination of techniques may sound unnecessary and cumbersome, but there are contexts where it makes practical sense.
Using script multisig to create a threshold requirement as a foundational immutable contract, and then commissioning professional key agents to each protect a multisig key using their own SSS or MPC threshold, is far and away the safest method for an institution to keep bitcoin secured for the long-term.
### New capabilities with Taproot
In November of 2021, the Taproot soft-fork occurred, adding new tools into the bitcoin ecosystem. Some of these tools impact the future of institutional-grade bitcoin custody, by allowing for certain improvements and options.
– Schnorr signatures
– Script type privacy
– Multiple spending paths
These Taproot tools are relatively new, and their adoption is still in the early stages. Many bitcoin software packages and services don’t yet offer full support for what Taproot has to offer. It’s also worth noting that most altcoins don’t have these tools natively available.
### Final thoughts
A growing number of institutions are becoming interested in securing a bitcoin treasury, and they require effective solutions. Avoiding single points of failure and minimizing counterparty risk are paramount considerations. The best way to meet these criteria is by leveraging a multisig structure, where keys can be distributed among various enterprise key agents, none of whom will have unilateral control over the bitcoin. Each key agent can use SSS or MPC to add extra threshold protection for their particular key.
Unchained has pioneered an enterprise custody network, built for institutional clients who want to set up an arrangement like this. It’s easy to use and customizable, so that each client gets to choose whether they’d like to hold a controlling number of keys themselves, or just a single key, or leave the responsibility of securing keys entirely up to the several, independent enterprise key agents. If you’re interested in learning more, schedule a free consultation with us today!
Special thanks to Dhruv Bansal for reviewing this article and providing valuable feedback.
Originally published on Unchained.com.
Unchained Capital is the official US Collaborative Custody partner of Bitcoin Magazine and an integral sponsor of related content published through Bitcoin Magazine. For more information on services offered, custody products, and the relationship between Unchained and Bitcoin Magazine, please visit our website.