Multi-Signature Deep Dive

Post on 22-Jul-2015


Multi-Signature Deep Dive

Benedict Chan, BitGo

@bencxr benchan@bitgo.com

Agenda

● Basics of P2SH and Multi-sig
● Emerging Multi-sig models
● BitGo Multi-Sig API/SDK hands-on
● Our Service Architecture

The Input

script signature to prove ownership

references previous output to spend

The Outputs

Spending a P2SH output

Output

Input (in spending transaction)

signature 1 signature 2

Redeem script (multi-sig)

Pay to Script Hash (P2SH)

● Bitcoin address that requires successful execution of a script corresponding to a hash
  ○ “Claim only if xyz conditions were satisfied”

● ~8% of BTC held in P2SH addresses, mostly multi-sig

P2SH - Hash-Locked Contract

● Example: A and B want to trade BTC for DOGE
● A thinks of any x and hashes it to H(x)
● On Bitcoin chain:
  ○ A creates transaction TX0 to a P2SH script to
    ■ Pay BTC to B if x of H(x) is known and signed by B or
    ■ Pay BTC to A if signed by A and B
  ○ A creates refund transaction TX1 (with TX0 as input) valid at a future date (3 days later) for B to sign
● On Dogecoin chain:
  ○ B does similar (refund not shown), sends to P2SH script “Pay 2,000,000 doge to A if x of H(x) is known and signed by A”
● When A claims DOGE by revealing x, B can claim BTC

P2SH - Multi-Signature Address

● Spend an input only if M of N signatures are provided
  ○ Script: M PUBKEY..PUBKEY3 N OP_CHECKMULTISIG
  ○ Spend: 0 SIG1..SIG2 REDEEMSCRIPT
● Commonly 2 of 3
● Eliminates a single point of failure
● Often combined with BIP32 (HD Addresses)
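A check a signer can run before funding or co-signing: serialize the `M PUBKEY.. N OP_CHECKMULTISIG` script from the slide and parse it back, rejecting anything that is not plain M-of-N over the keys present. This is an added example, not code from the talk or from BitGo; the function names are hypothetical and the sample keys are constructed placeholders.

```javascript
// Added example: build and sanity-check an M-of-N multi-sig redeem script.
const OP_1 = 0x51, OP_CHECKMULTISIG = 0xae;

// Serialize: OP_M <pubkey>... OP_N OP_CHECKMULTISIG
function buildRedeemScript(m, pubkeys) {
  const n = pubkeys.length;
  if (!(m >= 1 && m <= n && n <= 16)) throw new Error('need 1 <= M <= N <= 16');
  const parts = [Buffer.from([OP_1 + m - 1])];
  for (const pk of pubkeys) {
    if (pk.length !== 33 && pk.length !== 65) throw new Error('bad pubkey length');
    parts.push(Buffer.from([pk.length]), pk); // direct push: length byte, then data
  }
  parts.push(Buffer.from([OP_1 + n - 1, OP_CHECKMULTISIG]));
  return Buffer.concat(parts);
}

// Parse a redeem script; throw unless it is exactly M-of-N multi-sig.
function parseRedeemScript(script) {
  if (script.length < 3 || script[script.length - 1] !== OP_CHECKMULTISIG)
    throw new Error('not a multi-sig script');
  const m = script[0] - OP_1 + 1;
  const n = script[script.length - 2] - OP_1 + 1;
  const pubkeys = [];
  let i = 1;
  while (i < script.length - 2) {
    const len = script[i];
    if (len !== 33 && len !== 65) throw new Error('unexpected push at offset ' + i);
    if (i + 1 + len > script.length - 2) throw new Error('truncated pubkey');
    pubkeys.push(script.subarray(i + 1, i + 1 + len));
    i += 1 + len;
  }
  if (m < 1 || n > 16 || m > n || pubkeys.length !== n)
    throw new Error('M/N do not match the keys present');
  return { m, n, pubkeys };
}

// Constructed sample keys: right length and prefix, not real curve points.
const sampleKeys = [1, 2, 3].map(
  b => Buffer.concat([Buffer.from([0x02]), Buffer.alloc(32, b)]));
const redeem = buildRedeemScript(2, sampleKeys); // 2-of-3
```

A caller should still compare the parsed `m` and `pubkeys` against the values it expects, since a well-formed 1-of-3 script parses just as cleanly as a 2-of-3 one.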

Multi-Signature Models

● Bitcoin minimizes human trust dependency but increases requirements on key security

● Businesses need to correctly map operating scenario to key models

Storage on Multiple Devices

● Create and use keys on separate devices
● Hacker must compromise multiple machines
● Redundancy
● Examples:
  ○ Bitcoind, Armory Lockboxes
  ○ Hardware Wallets

Joint Wallet with Multiple Parties

● Family savings (birthday gift, holiday funds)
● Custodial child wallet
● Business partnership

Multi-Sig Escrow

● 2-of-3: Buyer, Seller and Escrow
● Buyer/seller send funds into shared wallet
● If buyer receives item in good order, create payment transaction with seller
● Otherwise escrow agent can mediate
● Escrow agent can never steal funds with only 1 key

Micro Payment Channel

● Customer creates TX0 to shared 2-of-2 address
● Provider sends nLockTime refund for full amount
● Publish TX0
● Replace off-chain transactions
  ○ 0.99 to customer, 0.01 to provider
  ○ 0.98 to customer, 0.02 to provider
  ○ …
  ○ 0.55 to customer, 0.45 to provider
● Broadcast only last transaction to close channel

Instant Confirmations

● 2-of-2 Multi-sig address
● “Clearing house” creates address for customer to pre-fund
● Payments guaranteed “instant confirmations”
● Clearing house would never double-sign the same input

BitPay Impulse

Co-Signing Service

● 2 keys held by user, 1 key held by service
● To transact, user creates transaction for service to co-sign
● Co-signer evaluates rules:
  ○ Velocity limits / transaction limits
  ○ Bitcoin address whitelists
  ○ Human approval with 2FA
  ○ External callbacks / state
  ○ IP lockdown, kill switch, time locks..
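How a co-signer might evaluate several of the rules listed above before adding its signature, as an added example that is not BitGo's code or API. The policy shape, field names, addresses and amounts are all hypothetical and constructed for illustration; amounts are integer satoshis.

```javascript
// Added example: policy check a co-signer runs before it signs.
const DAY_MS = 24 * 60 * 60 * 1000;

function evaluatePolicy(policy, history, request, now) {
  const reasons = [];
  if (policy.killSwitch) reasons.push('kill switch engaged');
  if (policy.allowedIps && !policy.allowedIps.includes(request.ip))
    reasons.push('source IP not allowed');
  const total = request.outputs.reduce((sum, o) => sum + o.satoshis, 0);
  if (total > policy.perTxLimit) reasons.push('over per-transaction limit');
  // Velocity: everything co-signed in the rolling 24h window plus this request.
  const recent = history.filter(h => now - h.time < DAY_MS)
                        .reduce((sum, h) => sum + h.satoshis, 0);
  if (recent + total > policy.dailyLimit) reasons.push('over daily velocity limit');
  for (const o of request.outputs)
    if (policy.whitelist && !policy.whitelist.includes(o.address))
      reasons.push('address not whitelisted: ' + o.address);
  if (reasons.length) return { action: 'deny', reasons };
  // Large but otherwise valid spends are held for human approval with 2FA.
  if (total > policy.approvalThreshold && !request.otpVerified)
    return { action: 'pending_approval', reasons: ['needs 2FA approval'] };
  return { action: 'cosign', reasons: [] };
}

// Constructed sample data (placeholder addresses, documentation-range IP).
const NOW = 1700000000000;
const samplePolicy = {
  killSwitch: false,
  allowedIps: ['203.0.113.10'],
  perTxLimit: 50000000,
  dailyLimit: 100000000,
  approvalThreshold: 10000000,
  whitelist: ['ADDR_A', 'ADDR_B'],
};
const sampleHistory = [
  { time: NOW - 1 * 60 * 60 * 1000, satoshis: 60000000 },  // inside the window
  { time: NOW - 30 * 60 * 60 * 1000, satoshis: 90000000 }, // outside, ignored
];
const spend = (satoshis, address, otpVerified = false) => ({
  ip: '203.0.113.10', otpVerified, outputs: [{ address, satoshis }],
});
```

The check collects every failed rule instead of stopping at the first, so the audit log shows all the reasons a request was refused.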

Enterprise Treasury

● Backup Key held by company CEO/Lawyers
● Multiple users on a wallet share user key
● BitGo holds co-signing key
  ○ Require 2FA and User Auth
● Employees able to spend limited amounts
● CEO, CFO able to approve large withdrawals
● Example customers: Bitcoin Foundation, ChangeTip, BitFury

ATM Provider

● Shared wallet with multiple machines
● One access token per machine
● IP lockdown for each token
● Tokens may be individually revoked
● Example customers: Lamassu ATMs

Exchange Hot Wallet

● Exchange maintains single hot wallet for all deposits and withdrawals
● Outgoing withdrawal amount limited per day
● Callback on each transaction to accounts database
● Examples: Bitstamp, BitSpark, BitQuick, ...

Exchange-owned Segregated Wallet

● One wallet per exchange user
● Per-user-wallet policy granularity
● Withdrawals require user 2FA
● Transactions to house wallet whitelisted

User-owned Wallet Linked With Exchange

● Every customer holds their own private key
● Backup key held by arms-length custodian
● Buy orders can go directly to user wallet
● Sell orders can be confirmed by exchange instantly
● Great for places that allow you to just “buy bitcoin”

Exchange+User Joint Wallet

● User and exchange each hold a private key
● Instant confirmation
● Withdrawals depend on
  ○ Webhook call to exchange to ensure user has sufficient margin

Co-Signer Oracle Contracts

● HTTP callback enables external logic to be implemented

[Diagram: Shared Multi-Sig Wallet; UserA BTC Collateral (1BTC); UserB BTC Collateral (1BTC); Winner creates/signs tx for 2BTC out; BitGo Co-signer; Webhook oracle gets BTC price at contract date to determine winner; cosign/transmit; Bitcoin P2P Net]

BitGo Platform SDKs and APIs

● Available interfaces
  ○ Javascript
  ○ Bitcoind RPC (BitGoD)
  ○ Local REST Service (BitGo Express)
  ○ Pure REST API
● Objects
  ○ Keychains
  ○ Wallets
  ○ Addresses
  ○ Users
  ○ Policies
● Also available:
  ○ Blockchain Data
  ○ Webhooks

BitGo Platform - Open Source SDK

Javascript SDK
1. Create a wallet
2. Get new addresses
3. Fund the wallet
4. Get transactions and balances
5. Send coins

Implementation Walkthrough

Exchange Integration

Peatio Open Source Exchange
● https://github.com/peatio/peatio
● Ruby on Rails
● Uses BitcoinD
● Pooled wallet for customer funds
● Integration path: BitGoD

BitGo Service Architecture

[Architecture diagram. Components shown: Indexing Service; Bitcoin P2P Network; Front Ends; Client SDK/API; Web Client; Chrome App; BitGo Express; BitGoD; DB; Key service; BitGo.com Load Balancers; External Services (e.g. Authy); Task Workers (Webhooks, etc); Ledger Service; Send Queue]

Future Multi-sig Development

● Third party key custodian services
● Compatibility with multiple wallets
● Privacy improvements
● Multiple oracle contracts

Thank you

visit: https://www.bitgo.com/platform
twitter: @bencxr
email: benchan@bitgo.com