Multisig: The Future of Bitcoin
by Vitalik Buterin on March 12, 2014
[…] Some people, initially including myself, are seeing this as a “changing of the guard” moment for the Bitcoin community, where it was amateur and badly managed services that were at fault for their own thefts and professionals would soon come in and take over. If this was a mere one or two thefts, then this would indeed be a reasonable, and fully satisfactory, explanation.
In reality, however, Bitcoin users and services are losing substantial sums of bitcoin every week, and without chargeback-like consumer protections there are several high-profile stories of companies particularly in the mining industry taking users’ bitcoins and only delivering a low-quality product several months too late, if at all. Given the sheer number of these cases, and the sheer difficulty that even highly competent individuals face trying to secure their funds, a large portion of the intelligentsia, and the press, is willing to pronounce Bitcoin 1.0 dead.
As it should be; Bitcoin 1.0 has been around for five years and given what we know now is already very much an outdated technology. Rather, now is the time for Bitcoin 1.5 to shine.
So what is Bitcoin 1.0, and what is this Bitcoin 1.5 that I am so boldly claiming will come to replace it? In short, Bitcoin 1.0 can be described as a simple send-receive system. In a Bitcoin account, there is a set of 34-character Bitcoin addresses, like 1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T, that you can use to receive bitcoins, and each address has an associated 64-character private key, in this case c4bbcb1fbec99d65bf59d85c8cb62ee2db963f0fe106f483d9afa73bd4e39a8a, that can be used to spend bitcoins that are sent to the address.
Private keys need to be kept safe and only accessed when you want to sign a transaction, and Bitcoin addresses can be freely handed out to the world. And that’s how Bitcoin wallets are secured. If you can keep the single private key safe, everything’s fine; if you lose it the funds are gone, and if someone else gains access to it your funds are gone too – essentially, the exact same security model that we have with physical cash, except a thousand times more slippery.
The technology that I am calling Bitcoin 1.5 is a concept that was first pioneered and formalized into the standard Bitcoin protocol in 2011 and 2012: multisignature transactions. In a traditional Bitcoin account, as described above, you have Bitcoin addresses, where each address has one associated private key that grants the keyholder full control over the funds. With multisignature addresses, you can have a Bitcoin address with three associated private keys, such that you need any two of them to spend the funds. Theoretically, you can have one-of-three, five-of-five, or six-of-eleven addresses too; it just happens that two-of-three is the most useful combination.
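As an added illustration (not code from the original post), the following shows what a two-of-three address commits to on the wire: the redeem script `OP_2 <pk1> <pk2> <pk3> OP_3 OP_CHECKMULTISIG`, its parser, and the OP_CHECKMULTISIG counting rule that any two of the three keys, in script order, satisfy. The three keys and the signature check are constructed stand-ins, not real secp256k1 keys or ECDSA.

```python
import hashlib

OP_1, OP_CHECKMULTISIG = 0x51, 0xAE   # OP_1..OP_16 are 0x51..0x60

def build_redeem_script(m: int, pubkeys: list) -> bytes:
    """Serialize an m-of-n multisig redeem script:
    OP_m <pk_1> ... <pk_n> OP_n OP_CHECKMULTISIG.
    A '3...' P2SH address is base58check(hash160(this script))."""
    n = len(pubkeys)
    if not 1 <= m <= n <= 16:
        raise ValueError("need 1 <= m <= n <= 16")
    script = bytes([OP_1 + m - 1])
    for pk in pubkeys:
        if len(pk) not in (33, 65):
            raise ValueError("pubkey must be 33 (compressed) or 65 bytes")
        script += bytes([len(pk)]) + pk          # direct push of 33/65 bytes
    return script + bytes([OP_1 + n - 1, OP_CHECKMULTISIG])

def parse_redeem_script(script: bytes):
    """Inverse of build_redeem_script: returns (m, [pubkeys]) or raises."""
    m, pubkeys, i = script[0] - OP_1 + 1, [], 1
    while i < len(script) - 2:
        length = script[i]
        if length not in (33, 65):
            raise ValueError("unexpected push at offset %d" % i)
        pubkeys.append(script[i + 1:i + 1 + length])
        i += 1 + length
    n = script[-2] - OP_1 + 1
    if (i != len(script) - 2 or script[-1] != OP_CHECKMULTISIG
            or n != len(pubkeys) or not 1 <= m <= n):
        raise ValueError("not a well-formed m-of-n multisig script")
    return m, pubkeys

def check_multisig(script: bytes, sigs: list, verify) -> bool:
    """OP_CHECKMULTISIG rule: signatures must appear in the same order as the
    keys they match and each key is consumed at most once, so two valid
    signatures in key order pass while the same two in reverse order fail."""
    m, pubkeys = parse_redeem_script(script)
    if len(sigs) != m:                       # an m-of-n script pushes exactly m
        return False
    isig = ikey = 0
    while isig < m:
        if m - isig > len(pubkeys) - ikey:   # too few keys left to match
            return False
        if verify(pubkeys[ikey], sigs[isig]):
            isig += 1
        ikey += 1
    return True

# Constructed placeholders: three 33-byte "compressed keys" (not real curve
# points) and a stand-in for ECDSA where sig = sha256(pubkey || message).
# Only the threshold/ordering logic above is real; plug in a real verifier.
KEYS = [bytes([0x02 + (i % 2)]) + bytes([0x11 * (i + 1)]) * 32 for i in range(3)]
MESSAGE = b"constructed sighash"
def toy_sign(pk): return hashlib.sha256(pk + MESSAGE).digest()
def toy_verify(pk, sig): return sig == toy_sign(pk)
```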
Choose Your Own Arbitrator
So how can multisig be used in practice? The first major use case of the protocol is consumer protection. When you make a payment with a credit card, if later on you do not get the product that you paid for you can request a “chargeback”. The merchant can either accept the chargeback, sending the funds back (this is what happens by default), or contest it, starting an arbitration process where the credit card company determines whether you or the merchant have the better case.
With Bitcoin (or rather, Bitcoin 1.0), transactions are final. As soon as you pay for a product, your funds are gone. And in Bitcoin 1.0, we saw this as a good thing; although it harms consumers to not have chargebacks, we would argue, it helps merchants more, and in the long term this would lead to merchants lowering their prices and benefitting everyone. In some industries, this argument is very correct; in others, however, it’s not. In Bitcoin 1.5 we recognize that, and instead provide a real solution to the problem: escrow.
Multisignature escrow works as follows. When Alice wants to send $20 to Bob in exchange for a product, Alice first picks a mutually trusted arbitrator, whom we’ll call Martin, and sends the $20 to a multisig between Alice, Martin and Bob. Bob sees that the payment was made, and confirms the order and ships the product. When Alice receives the product, Alice finalizes the transaction by creating a transaction sending the $20 from the multisig to Bob, signing it, and passing it to Bob. Bob then signs the transaction, and publishes it with the required two signatures.
Alternatively, Bob might choose not to send the product, in which case he creates and signs a refund transaction sending $20 to Alice, and sends it to Alice so that Alice can sign and publish it. Now, what happens if Bob claims to have sent the product and Alice refuses to release the funds? Then, either Alice or Bob contact Martin, and Martin decides whether Alice or Bob has the better case. Whichever party Martin decides in favor of, he produces a transaction sending $1 to himself and $19 to them (or some other percentage fee), and sends it to that party to provide the second signature and publish in order to receive the funds.
Currently, the site pioneering this type of approach is bitrated.com; the interface at Bitrated is intuitive enough for manual transactions such as contracts and employment agreements, but it is far from ideal for consumer to merchant payments. Ideally, marketplaces and payment processors like BitPay would integrate multisig technology directly into their payment platform, and Bitcoin wallets would include an easy interface for finalizing transactions; if done correctly, the experience can be exactly as seamless as BitPay or Paypal are today.
So all in all, given that this multisig approach does require intermediaries who will charge fees, how is it better than Paypal? First of all, it’s voluntary. In certain circumstances, such as when you are buying from a large reputable corporation or when you’re sending money to an employee or contractor you have an established relationship with and trust, intermediaries are unnecessary; plain old A to B sends work just fine. Sending to charities is a similar circumstance, because charities don’t really owe you anything when you send them money in any case.
Second, the system is modular. Sometimes, the ideal arbitrator for a particular transaction is a specialized entity that can do that particular job much better; for example, if you’re selling virtual goods the ideal arbitrator would be the operator of the platform the virtual goods are on, since they can very quickly determine whether a given virtual good has been sent. At other times, you might want a generic arbitrator, but you’re in an industry where mainstream providers are too squeamish to handle the task. And, of course, at other times a generic Paypal-like institution is indeed the best approach. With multisig, you can easily choose a different arbitrator with every single transaction, and you only pay when you actually use arbitration; transactions that go through as planned are 0% fee.
Solving the Bank Problem
Although multisignature escrow is a very interesting application in its own right, there is another, much larger issue that multisignature transactions can solve, and one that has been responsible for perhaps the largest share of Bitcoin’s negative associations in the media, dwarfing even Silk Road, in the last three years. That issue is the concern of security and trust.
One of the larger philosophical divides throughout the course of human history has been one between two different methods of achieving security. One of these is individualism: every person having the power, and responsibility, to directly protect themselves and their families by putting the ultimate, base-level tools for doing so directly under their control. The other is delegation: trusting centralized authorities with high levels of resources and expertise to manage security for everyone.
In the United States, this is the dichotomy between every family keeping a gun in their cupboard and not having any civilian-owned guns at all and letting the police do the work. In Cyprus, it’s the question of whether to store one’s money under one’s mattress or in the bank. In every case, both sides of the debate have their merits and both sides have their faults.
And the same situation is true with Bitcoin. Some people, faced with the large number of exchanges getting hacked, see technologies like paper wallets, offline laptops and brainwallets with prepended usernames and twenty-character passwords as the solution; essentially, a return to the tried-and-tested best practices for storing gold in the twentieth century, plus a bit more complex technical magic built in. Others, however, see the sheer difficulty that even technically skilled individuals face properly securing their funds, and see better centralized services, like Coinbase, as the solution.
In the case of physical security, either the wholesale victory of one strategy or some crude linear combination of the two (centralized storage of 90% of one’s cash and local storage of 10%, or keeping a gun but having it locked up in a safe in the basement) are the only possibilities. And in the case of Bitcoin 1.0 exactly the same holds true as well. In the case of Bitcoin 1.5, however, we are dealing with a world of factum law and decentralized technology, so we can be much more clever with how we combine the two approaches – arguably, in fact, it is possible to get the best of both worlds.
Leading the Charge
The company that is currently taking the lead on bringing Bitcoin 1.5 technology to the world at large is CryptoCorp, created by Tradehill co-founder Ryan Singer. CryptoCorp’s core offering is something that a large number of people, including myself, have been trying to implement and push forward for nearly a year: multisignature transaction wallets.
The way that a multisignature wallet works is simple. Instead of the Bitcoin address having one private key, it has three. One private key is stored semi-securely, just as in a traditional Bitcoin wallet. The second key the user is instructed to store safely (e.g. in a safety deposit box), and the third key is stored on the server.
Normally, when you want to spend your funds, your wallet would make a transaction and sign it locally, and then it would pass the transaction on to the server. In the simplest implementation, the server would then require you to input a code from the Google Authenticator app on your smartphone in order to provide a second verification that it is indeed you who wants to send the funds, and upon successful verification it would then sign the transaction and broadcast the transaction with two signatures to the network.
What CryptoCorp is doing is taking this basic idea, and applying two major improvements. First of all, CryptoCorp is introducing a technology that it calls “hierarchical deterministic multisignature” (HDM) wallets; that is, instead of having three private keys, there are three deterministic wallets (essentially, seeds from which a potentially infinite number of private keys can be generated). Address 0 of the HDM wallet is made by combining public key 0 from the first seed, public key 0 from the second seed and public key 0 from the third seed, and so on for addresses 1, 2, etc. This allows the CryptoCorp wallets to have multiple addresses for privacy just like Bitcoin wallets can, and the multisignature signing can still be performed just as before.
Second, and more importantly, CryptoCorp is doing much more than just doing two-factor authentication. Every time the CryptoCorp server receives a transaction to co-sign, it will run the transaction through a complex machine-learning fraud-detection model taking into account the amount, the frequency and amount of prior transactions and the identity of the recipient, and will assign the transaction a risk score.
If the risk score is low, the server will simply co-sign the transaction without asking. If the risk score is higher, the server can ask for a standard two-factor confirmation via Google Authenticator or by sending a code as a text message to the user’s phone number. Email confirmation is another option. At very high risk levels, the server would flag the transaction for manual review, and an agent may even make a phone call or require KYC-style verification.
What is important to note is that none of this is new; such risk metric schemes have been in use by mainstream banks and financial institutions for over a decade, and they have existed in low-tech form in the form of withdrawal limits for over a century.
All that CryptoCorp does is marry these benefits of the traditional financial system with the efficiency, and trust-free nature, of Bitcoin – even if CryptoCorp denies your transaction you can still process it yourself by getting your second key from your safety deposit box, and if CryptoCorp tries to seize your funds they would not be able to, since they only have one key.
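An added example (not CryptoCorp’s code; their model is described above only in outline) of the tiered co-signing policy: a simple rule-based risk score stands in for the fraud model, maps to the auto-sign / second-factor / manual-review tiers, and the final function shows the 2-of-3 property that a declining server key can be bypassed with the deposit-box key but cannot spend on its own. The wallet history, keyholder names and thresholds are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed wallet history for the example: (time, amount in BTC, recipient).
HISTORY = [
    (datetime(2014, 3, 1, 9, 0), 0.25, "1merchantA"),
    (datetime(2014, 3, 5, 18, 30), 0.10, "1merchantB"),
    (datetime(2014, 3, 9, 12, 15), 0.30, "1merchantA"),
]
KEYHOLDERS = {"local", "deposit-box", "server"}   # the three keys of the wallet

def risk_score(history, when, amount, recipient) -> int:
    """Rule-based stand-in for the fraud model: scores the amount against past
    spending, the 24h withdrawal velocity and recipient novelty (0..100)."""
    past = [a for _, a, _ in history]
    largest, total = max(past, default=0.0), sum(past)
    score = 0
    if amount > largest:                     # bigger than any prior payment
        score += 20
    if amount > total:                       # would drain more than ever spent
        score += 30
    recent = [t for t, _, _ in history
              if timedelta(0) <= when - t <= timedelta(hours=24)]
    if len(recent) >= 2:                     # burst of withdrawals
        score += 20
    if recipient not in {r for _, _, r in history}:   # never-seen recipient
        score += 25
    return min(score, 100)

def cosign_policy(score: int) -> str:
    """Tiers from the text: low -> sign, medium -> second factor, high -> review."""
    if score < 30:
        return "auto-sign"
    if score < 60:
        return "second-factor"
    return "manual-review"

def assess(when_iso: str, amount: float, recipient: str, history=HISTORY):
    """Convenience entry point: returns (score, tier) for a proposed spend."""
    score = risk_score(history, datetime.fromisoformat(when_iso), amount, recipient)
    return score, cosign_policy(score)

def server_signs(score: int, second_factor_ok=False, review_ok=False) -> bool:
    """Whether the server key co-signs, given what the user has completed."""
    tier = cosign_policy(score)
    return (tier == "auto-sign" or (tier == "second-factor" and second_factor_ok)
            or (tier == "manual-review" and review_ok))

def spendable(signers) -> bool:
    """2-of-3: any two distinct keyholders suffice; the server alone cannot
    spend, and local + deposit-box spend without the server at all."""
    return len(set(signers) & KEYHOLDERS) >= 2
```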
The Future of Cryptocurrency
So what will the Bitcoin world of 2015 look like? First of all, if either CryptoCorp proceeds according to plan or CryptoCorp fails and some competitor decides to take charge, nearly every address will start with a ‘3’. The question of “where do you store your funds?” will be dead; instead, the question will be: “what are the withdrawal conditions of this account, and what is the policy of each key?”.
Consumer wallets will all be 2-of-3 multisig, sharing the keys between either a low-security local-storage key, a high-security key in a safety deposit box and a central provider, or two central providers and a low-security key. The way CryptoCorp is designed is as a highly modular “verification oracle” service that anyone can plug in. If a user wants to make their wallet have CryptoCorp as one of the keyholders, they will be able to. If a company wants to have CryptoCorp, and a similar competitor, serve as two of their five treasurers, they will be able to; the underlying math is exactly the same.
In the long term, the multisig story gets even more interesting once cryptocurrency 2.0 technologies go into full tilt. Next-generation smart contract platforms allow users to set arbitrary withdrawal conditions on accounts; for example, one can have an account with the rule that one out of a given five parties can withdraw up to 1% per day, and three out of five parties can withdraw anything. One can make a will by setting up an account so that one’s son can withdraw any amount, but with a six-month delay where the account owner can claw the funds back if they are still alive.
In these cases, CryptoCorp-style oracles will play an even larger role in the cryptocurrency world, and may even fuse together with private arbitration companies; whether it’s a consumer-merchant dispute, an employment contract or protecting a user from the theft of his own keys, it’s ultimately all a matter of using algorithmic and human judgement to decide whether or not to sign a multisig transaction.
As we sit here today on the other end of what may well come to be known as the “great crisis of MtGox”, the merger of cryptography and finance is only just beginning.
If you want to play around with the multisig technology yourself, feel free to check out CryptoCorp.