Bitcoin is held in “addresses”, each derived from the public half of an ECDSA key pair. For most of Bitcoin’s history, each address was based on a single private key, and even at the time of writing (November 2014), 97% of Bitcoin is stored in single-key addresses. These addresses (also called “standard addresses”) can be recognized by the fact that they always start with a “1.” Anyone who knows the one private key corresponding to a single-key address can move those funds, period. It is often said that possession is nine-tenths of the law, but with Bitcoin, possession of the private key is the law, since transfers are effectively irreversible. As far as the Bitcoin network is concerned, if you hold the private key for an address, you are authorized to move its funds. This black-or-white nature of single-key storage has led to a number of critical problems for Bitcoin.
At the simplest level, a single-key Bitcoin wallet is little more than a collection of private keys which allow the user to spend his or her bitcoin, plus whatever measures keep those keys safe from theft. Keys for a single-key wallet are typically generated and stored on a single machine, with encryption protecting them at rest. However, even when best practices are followed, any machine that stores a single-key wallet is a single point of failure. If the wallet file can be stolen, its encryption can be attacked offline; alternatively, the attacker or malware can simply lie in wait and key-log the user’s password when the wallet is unlocked. As Bitcoin has grown more valuable, existing malware has been re-engineered to specifically target Bitcoin wallets. It is this fundamental security risk of single-key storage that has led to the development of elaborate protocols for generating and storing keys completely offline, in physical vaults (generally referred to as “cold storage” in the industry). However, cold storage has its own risks and weaknesses. If the random number generator (RNG) on the machine used to generate the key had weaknesses, funds may be at risk even without any breach of the machine itself; the same applies to the per-signature nonce that ECDSA requires, since a repeated or predictable nonce reveals the private key from the signatures alone. Offline cold storage does alleviate some security concerns, but at the expense of significant operational burdens.
Problem: Access Control
How can businesses effectively use Bitcoin? Businesses usually delegate responsibility for technology integration to their IT staff. But offloading responsibility for a Bitcoin wallet to the IT department is like leaving a pile of $100 bills on a table in the middle of the office. Since anyone with access to the keys can move the money without leaving any record of who did it, if multiple people have access to the keys there is no real way to achieve accountability or prevent insider theft. Bitcoin’s history is littered with insider thefts which are publicly claimed to be external hacks. The Bitcoin businesses which have successfully avoided theft have tightly controlled the number of people with access to the keys. They have relied on the principals of the business to be the ultimate gatekeepers, and have used physical safeguards and key-splitting techniques to ensure that a single person cannot transact alone. But for larger businesses to embrace Bitcoin, requiring the CEO and CFO to be involved in every transaction is not tenable. Organizations need to be able to define their own internal policies on who can transact, for how much, and with whose approval, the type of controls they already have with standard corporate treasury banking software. One way to achieve such controls is to delegate complete custody of the business’s Bitcoin to another entity, essentially a Bitcoin bank. But there is also another way.
The Solution: Multi-sig
Since early 2012, Bitcoin has had an alternative to single-key addresses. Around that time, a new type of address called pay-to-script-hash (P2SH) was defined and standardized (BIP 16, activated in April 2012). P2SH addresses can be recognized by the fact that they begin with a “3” instead of a “1.” Rather than committing to a single public key, a P2SH address commits to the hash of a “redeem script” that states the spending conditions; the script itself, and the keys it names, are revealed only when the funds are spent. Among the conditions a redeem script can express is a requirement for multiple private keys in order to transact, known as multi-signature, or more commonly, multi-sig. A P2SH address can support arbitrary sets of N keys, any M of which are required to transact, commonly referred to as “M-of-N.” In practice, the network does enforce limits on the size of N: a redeem script may be at most 520 bytes, which caps N at 15 with compressed public keys, and by far the most typical multi-sig implementations are of the form 2-of-2 or 2-of-3. (Note that using this terminology, a single-key address would be considered 1-of-1.) The easiest real-world analogy for explaining multi-sig is a safe deposit box with two keys, one held by the customer, the other held by the bank. Both keys are required to open the box, making a safe deposit box analogous to a 2-of-2 multi-sig address.
There are some immediate advantages to be gained from multi-sig. First, we can eliminate single points of failure by ensuring that the keys for an address are generated and stored on completely separate devices. For instance, one key might be generated on the user’s laptop while the other is generated on the phone, so that both devices are needed to transact. Malware which infects the laptop cannot steal any funds, because it does not have the key stored on the phone. Second, we can achieve redundancy. In the previous scenario, what happens if the user loses the phone? If a third key were kept offline in a vault and a 2-of-3 scheme were used, the user could tolerate losing either device and still recover the funds using the remaining device together with the offline key. Third, we can begin to address the access control problem. A husband and wife can construct a multi-sig wallet which requires both of them to transact, while a 3-person partnership can create a wallet which requires at least 2 of them to be in agreement. Additionally, entirely new possibilities are unlocked by multi-sig; consider the following scenarios.
Alice wants to send Bitcoin to Bob, but only if Bob delivers the merchandise he has promised. Bob wants to ensure he is paid for his merchandise. They both trust Trent to adjudicate a dispute but do not wish to trust him with the funds. They create a 2-of-3 multi-sig address with one key each from Alice, Bob and Trent. If the transaction goes smoothly, Alice and Bob can jointly release the funds without Trent’s involvement. If there is a dispute, Trent can adjudicate, and can move the funds in conjunction with either Alice or Bob. During the course of the transaction, the Bitcoin is effectively in a kind of limbo, since no one person can move the funds on his own.
A company wishes to set up a Bitcoin wallet accessible by three of its employees, but to require two of them to be involved in any transaction exceeding $5,000. To do so, it creates a 2-of-2 multi-sig address in which it holds one key and an outside policy-enforcement service holds the other.
When one of the three employees wishes to transact, he signs the transaction with the company’s key, authenticates to the service, and requests a co-signature. The policy service uses the pre-arranged spending limit to determine whether to co-sign the transaction or to request a secondary approval from one of the other two employees. The service cannot steal funds, but it can block the company’s ability to transact. If that is not acceptable, the company can instead use a 2-of-3 configuration in which another employee or security officer retains an additional backup key, allowing the company to recover the funds if the policy service becomes uncooperative. Note what that trade-off means: the backup key together with the company’s operational key can spend without the policy service, so the backup must be held by someone who does not also control the operational key, and kept offline, or it quietly becomes a way around the spending policy.
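The co-signing policy in this scenario, written out as an added example (not the article’s code, nor any vendor’s): the service holds the second key of the 2-of-2 wallet, approvals are bound to one specific transaction id so they cannot be replayed against another spend, the initiator’s own approval does not count as the second approval, and spends at or under the limit are co-signed immediately. The $5,000 limit and the three-employee setup come from the scenario; the employee names, the transaction ids and the service key are constructed, and the HMAC “signature” is a stand-in for the service’s ECDSA co-signature so the example runs without an elliptic-curve library.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class SpendRequest:
    txid: str        # hash of the unsigned transaction the employee built and half-signed
    amount_usd: int  # value at request time; the policy is denominated in USD
    initiator: str


class PolicyCosigner:
    """Holds the second key of a 2-of-2 wallet and co-signs only within policy.

    The service can never spend alone (it has one of the two keys), but it decides
    whether the company's half-signed transaction receives the second signature.
    """

    def __init__(self, service_key: bytes, employees, limit_usd: int):
        self._key = service_key
        self.employees = frozenset(employees)
        self.limit_usd = limit_usd
        self._approvals = {}  # txid -> set of employees who approved exactly that txid

    def approve(self, txid: str, approver: str) -> None:
        # Approvals are keyed by txid, so an approval for one transaction cannot be
        # reused to release a different one.
        if approver not in self.employees:
            raise PermissionError(f"{approver} is not an authorized employee")
        self._approvals.setdefault(txid, set()).add(approver)

    def cosign(self, req: SpendRequest):
        """Return ("cosigned", signature) or ("needs_approval", None)."""
        if req.initiator not in self.employees:
            raise PermissionError(f"{req.initiator} is not an authorized employee")
        if req.amount_usd > self.limit_usd:
            # Over the limit: a second, distinct employee must have approved this txid.
            others = self._approvals.get(req.txid, set()) - {req.initiator}
            if not others:
                return ("needs_approval", None)
        # Stand-in for the service's ECDSA signature over the transaction digest
        # (constructed for the demo; a real service signs with its secp256k1 key).
        sig = hmac.new(self._key, req.txid.encode(), hashlib.sha256).digest()
        return ("cosigned", sig)


# Constructed demo setup: three employees, $5,000 single-approver limit.
SERVICE_KEY = hashlib.sha256(b"demo service key, not a real secret").digest()
EMPLOYEES = {"alice", "bob", "carol"}

if __name__ == "__main__":
    service = PolicyCosigner(SERVICE_KEY, EMPLOYEES, limit_usd=5000)
    small = SpendRequest("tx-small", 1200, "alice")
    large = SpendRequest("tx-large", 9000, "alice")
    print(service.cosign(small)[0])   # cosigned: under the limit
    print(service.cosign(large)[0])   # needs_approval: over the limit, nobody else approved
    service.approve("tx-large", "bob")
    print(service.cosign(large)[0])   # cosigned: a second employee approved this txid
```

The binding of approvals to a txid is the part worth copying: an approval that merely says “bob approved a $9,000 spend” could be attached to a different, attacker-built transaction of the same amount, whereas an approval of a specific transaction hash cannot.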
A user wishes to trade on an exchange, but does not wish to entrust full custody to the exchange, since he does not fully trust its security measures. He establishes a 2-of-2 wallet in which he and the exchange share one key, and an outside policy-enforcement service holds the other. He deposits Bitcoin into the wallet, which the exchange allows him to use as margin for trading, loans or other purposes. The role of the policy enforcer in this case is to ensure that the customer cannot withdraw funds while he has outstanding orders or unsettled trades, while assuring the customer that the exchange cannot unilaterally steal or lose all funds.
As the above scenarios demonstrate, multi-sig can strongly benefit both individuals and organizations in improving security, establishing access controls, and enabling the delegation of partial trust. As exchanges and other businesses begin to enable customers to deposit without fear of loss, there will be increased consumer pressure on other businesses to adopt similar technology. And if the risk of loss can be minimized, there should be substantial benefits to transparency and liquidity across the entire ecosystem. For these reasons, it is anticipated that the majority of Bitcoin will, over time, be moved to P2SH multi-sig addresses.
In the traditional world of finance, a custodian is a trusted third party who holds assets on behalf of another. It’s important to note that with Bitcoin, there is no longer always a clear custodian of funds. In a 3-of-3 multi-sig wallet where Bank of America, JP Morgan and State Street each hold 1 key, who is the custodian? With Bitcoin, final custody lies only with the blockchain, which is, of course, decentralized itself. As a consequence, lawmakers and regulators will need to understand this new paradigm as they best determine how to adapt existing regulations and create new ones.
Ben Davenport is co-founder and chief product officer of BitGo, a leading multi-sig Bitcoin security company.