Next-Generation Private Multisignature Wallets

The Future of Bitcoin Wallets
Better Tools for Better Multisignature Wallets

Alekos Filini - @afilini

#HCPP20, Prague

About Me

  • "Independent Bitcoin Developer"
  • Currently working on BDK
  • Previously worked at BHB Network and Blockstream

Overview

  • Different types of wallets and their trade-offs
  • Privacy of existing wallets
  • What can be improved today
  • Future Bitcoin protocol upgrades

If you are a Bitcoin user today...

  • Average, non-technical person
  • You probably use a BIP-39 single-sig wallet
    • You have a mnemonic somewhere on a piece of paper
  • Fairly easy to use
  • Many options to choose from
  • Wasabi, Samourai, Electrum, ...

How could you lose money?

  • Hacked device
    • Mitigated by hardware wallets or air-gapped devices
  • Forget passphrase
  • Hide the mnemonic too well
    • Make multiple copies
  • Don't hide the mnemonic well enough

Multi-signature Wallets

  • More than one signature to spend
    • All of the keys or a threshold
  • Mitigate the risk of a "single point of failure"
  • Not that many options today
  • Electrum, Bitcoin Core, Casa
    • FullyNoded, Specter

How could you lose money?

  • Similar to single-sig, but more of a function of your setup
  • High threshold (n-of-n or high-m-of-n)
    • Lower theft risk
    • More "accidental loss" risk
  • Low threshold is the opposite
  • More keys make transactions larger

Timelocked Multi-sigs

  • Like multi-sig, but the threshold lowers over time
  • Both absolute and relative timelocks
  • Fewer keys, higher threshold
    • Worst case you have to wait a bit if you lose a key
  • Only existing "consumer" software is Green
    • Big limitations in terms of keys/timelocks
  • Why no other options?
    • There isn't (or wasn't) too much demand
    • Fairly hard to make

Wallets Privacy

  • Towards the developer/service provider
    • XPUBs, addresses collected
    • Depends on the way the wallet interacts with the blockchain
  • Towards the public
    • Transaction fingerprinting
    • Best for single-sig since it's used by many people
    • Worst for very specific custom scripts

Wallets Privacy

Wallet                             Provider-Privacy   Public-Privacy
Wasabi
Samourai (no Dojo)
Electrum (single-sig)
Electrum (multi-sig)
Bitcoin Core (multi-sig)
Casa
Green (CSV)
Ideal Timelocked-multisig wallet

(The per-wallet ratings were shown graphically on the slide and are not captured in this text.)

If this table hurts your feelings, I'm sorry :(

Why Better Tools are Important

  • Makes it easier for developers to build better wallets
  • Simplify dealing with critical parts of Bitcoin transactions
    • Developers can focus on their product instead
  • More options to choose from for the user

Miniscript

  • Lets you write spending policies very easily
  • Optimizes them to save space
  • Provides tools to work with generalized scripts
  • Example of a product using it: Revault

Example policy (user key always required; service key or a 12960-block relative timelock):

    and(pk(key_user),or(pk(key_service),older(12960)))
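To make the "threshold lowers over time" idea from the timelocked multi-sig slide and the Miniscript policy above concrete, here is an added toy evaluator (my example, not code from Miniscript, rust-miniscript or BDK). It parses the policy-language subset pk/older/after/and/or/thresh into a tree and answers whether a given set of signers can spend at a given coin age (blocks since confirmation, the BIP68-style meaning of older) and block height. Key names, the second "degrading 2-of-3" policy and the 52560-block lock are constructed for the demo; real Miniscript compilation, script-size optimization and malleability analysis are out of scope here.

```python
"""Toy evaluator for Miniscript-style spending policies (added example, not project code)."""
from dataclasses import dataclass, field
from itertools import combinations
from typing import List, Optional, Set


@dataclass
class Node:
    op: str                      # pk, older, after, and, or, thresh
    arg: str = ""                # key name or lock value for leaf fragments
    k: int = 0                   # number of children that must be satisfied
    children: List["Node"] = field(default_factory=list)


def parse_policy(text: str) -> Node:
    """Parse e.g. and(pk(a),or(pk(b),older(12960))) into a Node tree."""
    pos = 0

    def read_name() -> str:
        nonlocal pos
        start = pos
        while pos < len(text) and (text[pos].isalnum() or text[pos] == "_"):
            pos += 1
        if start == pos:
            raise ValueError(f"expected identifier at offset {pos}")
        return text[start:pos]

    def expect(ch: str) -> None:
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def node() -> Node:
        op = read_name()
        expect("(")
        if op in ("pk", "older", "after"):          # leaf fragments take one argument
            leaf = Node(op, arg=read_name())
            expect(")")
            return leaf
        if op == "thresh":                          # thresh(k, sub1, sub2, ...)
            k = int(read_name())
            expect(",")
        elif op not in ("and", "or"):
            raise ValueError(f"unknown fragment {op!r}")
        children = [node()]
        while pos < len(text) and text[pos] == ",":
            expect(",")
            children.append(node())
        expect(")")
        if op == "and":
            k = len(children)                       # all children required
        elif op == "or":
            k = 1                                   # any one child suffices
        return Node(op, k=k, children=children)

    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing input at offset {pos}")
    return tree


def can_satisfy(policy: Node, signers: Set[str], age: int = 0, height: int = 0) -> bool:
    """True if the given signers can spend, given the coin's age in blocks and the chain height."""
    if policy.op == "pk":
        return policy.arg in signers
    if policy.op == "older":                        # relative lock: blocks since confirmation
        return age >= int(policy.arg)
    if policy.op == "after":                        # absolute lock: block height
        return height >= int(policy.arg)
    satisfied = sum(can_satisfy(c, signers, age, height) for c in policy.children)
    return satisfied >= policy.k


def min_keys_required(policy: Node, keys: List[str], age: int = 0, height: int = 0) -> Optional[int]:
    """Smallest number of the listed keys that can spend under the given timelock state (None if none can)."""
    for r in range(len(keys) + 1):
        for subset in combinations(keys, r):
            if can_satisfy(policy, set(subset), age, height):
                return r
    return None


# Policy from the slide: the user key is always required; the service key can
# co-sign, or the user alone can spend once the coin is 12960 blocks old.
SLIDE_POLICY = "and(pk(key_user),or(pk(key_service),older(12960)))"

# Constructed example of a timelocked multi-sig: 2-of-3 that degrades to 1-of-3
# after 52560 blocks (roughly one year), so losing one key only costs waiting time.
DEGRADING_POLICY = "or(thresh(2,pk(A),pk(B),pk(C)),and(thresh(1,pk(A),pk(B),pk(C)),older(52560)))"

if __name__ == "__main__":
    slide = parse_policy(SLIDE_POLICY)
    print("user alone, fresh coin:", can_satisfy(slide, {"key_user"}))
    print("user + service:", can_satisfy(slide, {"key_user", "key_service"}))
    print("user alone after 12960 blocks:", can_satisfy(slide, {"key_user"}, age=12960))
    degrading = parse_policy(DEGRADING_POLICY)
    for age in (0, 52560):
        print(f"keys needed at age {age}:", min_keys_required(degrading, ["A", "B", "C"], age=age))
```

The brute-force `min_keys_required` is what makes the trade-off on the earlier slide visible: the same policy needs two of three keys today and only one after the relative lock expires, which is why a timelocked design can use a higher threshold without turning every lost key into a permanent loss.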

BDK

  • Provides a modular wallet implementation
  • Developers can use default modules or write their own
  • Uses Miniscript, thus supports generalized scripts
  • Adds on top a lot more
  • As a developer you focus on higher-level problems and not low-level Bitcoin stuff

BDK - Practical Example

  • GDK (Green Development Kit)
    • 11180 lines of C++ code
    • As of release_0.0.11, no Liquid
  • neerg - (Clone of GDK written using BDK)
    • 718 lines of Rust code
    • (only supports the default 2-of-2)

What The Future Looks Like

  • Future Bitcoin upgrades can improve privacy even more
  • Specifically the "Taproot" upgrade
    • Currently in the review stage
    • Improves the "Public-Privacy" considerably

Schnorr Signatures

  • Similar to ECDSA which is currently used by Bitcoin
  • Patented until Feb 2008
  • Support key aggregation

Taproot

  • Having addresses that are both "pay-to-pubkey" and "pay-to-script"
  • P2PK is currently used for single-sig
    • Schnorr lets us use it for multi-sig too
  • Attach extra conditions that can be revealed and satisfied if necessary
  • Builds on the idea that most of the time there's no need to enforce "safety clauses"

Taproot - Example

  • Alice wants to sell Bitcoin to Bob
  • Alice creates a Taproot address:
    • PK: A + B
    • Script: 2-of-3 of A, B, Escrow
  • Alice sends Bitcoin to that address
  • If everything goes smoothly, A + B sign and send to B
  • If B doesn't pay, A reveals the script and asks E to sign
  • If B pays and A refuses to sign, B reveals the script and asks E to sign
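The example above hinges on two properties from the Schnorr and Taproot slides: the sum of two public keys is itself a valid public key (key aggregation), and a Taproot output key can commit to a hidden script while still being spendable by a plain signature. The following added, pure-Python demonstration (my code, not from any wallet or library) implements secp256k1 arithmetic, BIP340-style Schnorr signing and verification with tagged hashes, and the BIP341 TapTweak, then walks through Alice and Bob's cooperative key-path spend. The secret keys, the message digest and the 32-byte script root standing in for the 2-of-3 leaf are constructed placeholders (a real script root is a TapLeaf/TapBranch hash), and the aggregation shown is the naive A + B from the slide, with the signature produced from the combined secret for clarity. Deployed protocols such as MuSig2 instead have each party contribute partial signatures and weight the keys with key-dependent coefficients so that nobody learns or can cancel out the other's key.

```python
"""Schnorr key aggregation and a Taproot key-path spend on secp256k1 (added example, not project code)."""
import hashlib

# secp256k1 parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, point):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = add(result, point)
        point = add(point, point)
        k >>= 1
    return result


def tagged_hash(tag: str, data: bytes) -> bytes:
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()


def xbytes(point) -> bytes:
    """x-only encoding of a point, as used by BIP340/BIP341."""
    return point[0].to_bytes(32, "big")


def lift_x(x: int):
    """Recover the curve point with this x coordinate and even y."""
    rhs = (pow(x, 3, P) + 7) % P
    y = pow(rhs, (P + 1) // 4, P)
    if y * y % P != rhs:
        raise ValueError("x is not on the curve")
    return (x, y if y % 2 == 0 else P - y)


def even_secret(d: int) -> int:
    """Negate d when d*G has odd y, so the secret matches the x-only public key."""
    return d if mul(d, G)[1] % 2 == 0 else N - d


def schnorr_sign(d: int, msg: bytes, aux: bytes = b"\x00" * 32) -> bytes:
    d = even_secret(d)
    pk = xbytes(mul(d, G))
    t = (d ^ int.from_bytes(tagged_hash("BIP0340/aux", aux), "big")).to_bytes(32, "big")
    k = int.from_bytes(tagged_hash("BIP0340/nonce", t + pk + msg), "big") % N
    if k == 0:
        raise ValueError("nonce is zero")
    k = even_secret(k)
    R = mul(k, G)
    e = int.from_bytes(tagged_hash("BIP0340/challenge", xbytes(R) + pk + msg), "big") % N
    return xbytes(R) + ((k + e * d) % N).to_bytes(32, "big")


def schnorr_verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if r >= P or s >= N:
        return False
    e = int.from_bytes(tagged_hash("BIP0340/challenge", sig[:32] + pk + msg), "big") % N
    R = add(mul(s, G), mul(N - e, lift_x(int.from_bytes(pk, "big"))))   # R = s*G - e*P
    return R is not None and R[1] % 2 == 0 and R[0] == r


def taproot_tweak(internal_pk: bytes, script_root: bytes):
    """BIP341 output key Q = P + t*G with t = TapTweak(P || root); returns (Q x-only, t)."""
    t = int.from_bytes(tagged_hash("TapTweak", internal_pk + script_root), "big") % N
    Q = add(lift_x(int.from_bytes(internal_pk, "big")), mul(t, G))
    return xbytes(Q), t


def demo():
    """Alice + Bob key-path spend from the slide; returns (cooperative_ok, alice_alone_ok)."""
    a = int.from_bytes(hashlib.sha256(b"alice secret (constructed)").digest(), "big") % N
    b = int.from_bytes(hashlib.sha256(b"bob secret (constructed)").digest(), "big") % N
    A, B = mul(a, G), mul(b, G)
    internal_pk = xbytes(add(A, B))                       # "PK: A + B" from the slide
    d_agg = even_secret((a + b) % N)                      # secret behind the aggregated key
    assert xbytes(mul(d_agg, G)) == internal_pk           # key aggregation is linear
    script_root = hashlib.sha256(b"placeholder for the 2-of-3 A,B,Escrow leaf").digest()
    Q, t = taproot_tweak(internal_pk, script_root)        # address commits to the hidden script
    msg = hashlib.sha256(b"constructed transaction digest").digest()
    cooperative = schnorr_sign((d_agg + t) % N, msg)      # both parties' secrets plus the tweak
    alice_alone = schnorr_sign((a + t) % N, msg)          # Alice cannot spend by herself
    return schnorr_verify(Q, msg, cooperative), schnorr_verify(Q, msg, alice_alone)


if __name__ == "__main__":
    print("cooperative key-path spend verifies:", demo())
```

On chain, the happy path (A + B sign) is indistinguishable from any other single-key Taproot spend, which is the "Public-Privacy" gain the earlier slide refers to; only the dispute paths reveal that a 2-of-3 with an escrow key existed.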

Conclusion

  • Bitcoin tools are improving constantly
  • The ecosystem is finally converging on a few good standards
    • PSBT, Miniscript, Descriptors, etc
  • Hopefully better wallets will hit the market soon
  • Taproot is great
