Building A Best-In-Class Hardware Wallet For Bitcoin Multisig

Things to know:

– Since the launch of the Ledger Bitcoin 2.0.0 app, and with various improvements over the past year, one of our core missions has been to improve the security and user experience for multisig wallets. – By enabling multisig wallets to be easily and fully verified on the device, Ledger now represents the best-in-class hardware wallet for securing bitcoin in multisig cold storage.  – All of the new Ledger multisig functionality is available for use with Unchained and certain open-source applications such as Caravan for all Ledger models.

What Is Multisig?

In a typical single-signature bitcoin wallet, your Ledger secures the only key needed to spend your bitcoin. This makes it easy to transfer your bitcoin around whenever you’d like, but it also means that there is a single point of failure in your bitcoin security. If someone finds your recovery phrase or gains access to your Ledger and somehow learns your PIN, they have everything they need to be able to spend your bitcoin.

In a multisig bitcoin wallet, multiple keys are used to create the bitcoin wallet, and multiple keys must be used to spend the bitcoin. The most common type of multisig wallet is created from three keys, and two out of three keys must be used to spend the bitcoin. It makes managing your security more complicated, but the trade-off is a significant improvement in security — even if someone gains access to one seed phrase or compromises one of your hardware wallets, they do not have the ability to spend your bitcoin.

Why multisig wallet is hard

Historically, hardware wallets across the industry have been optimized for single-signature custody. But as bitcoin matures, multisig is emerging as an increasingly popular option for both individuals and businesses to secure bitcoin for the long term. Unfortunately, hardware wallets generally haven’t kept up, with many continuing to provide multisig users with clunky user experiences and lower levels of on-device transaction verification.

There are three main challenges with designing a hardware wallet for multisig: 

1. Address manipulation: During the creation and signing of a multisig wallet, a malicious attacker could try to sneak in additional keys so that they have a majority control of the bitcoin, or try to send transaction change to a very obscure address that is technically part of the multisig wallet but is far removed from standard addresses and is unrecoverable without paying a ransom. 
2. Address verification: If all the public key data for the multisig wallet is not registered on the hardware wallet, verifying that you are sending change to the right address is a manual process requiring you to verify the change address on your device or through reconstructing your wallet elsewhere. Not registering the multisig wallet is also a problem when depositing to your multisig wallet. If you can’t verify on your device that you are sending bitcoin to your multisig wallet, you are trusting that your internet-connected computer is not trying to trick you into sending it to an attacker’s address. 
3. Information leak: If the multisig wallet is stored on the hardware wallet, it means that an attacker that gains access to your PIN or coerces you to unlock your hardware wallet can now immediately see that the hardware wallet is part of a multisig wallet, which reveals more information about your security set-up than is necessary.
4. Lack of account segregation: If you use the same device/seed to take part in different multisig wallets, it is no longer enough to know that you are spending from one of the wallets you are part of: you also want to know from which of them you’re spending from. The hardware wallet should check that for you.

Finally, one of the biggest challenges is that of minimizing the UX impact: if using multisig wallets is too complicated or cumbersome, users are likely to skip or sloppily apply the necessary security measures. For the majority of users, multisig is only secure if it’s easy!

Ledger to the rescue

Previously, the Ledger bitcoin application could be used for multisig wallets, but it was unable to register all of the keys that were used to build the multisig wallet, and as a result, could not verify with absolute certainty that it was signing for the right multisig wallet and verify that the change was going back to the right place. After our recent update, the Ledger is now the premier multisig hardware wallet by leveraging all of the most recent software advancements in bitcoin.

We worked closely with Unchained to validate and improve our approach to multisig, in an open-source collaboration. Unchained works day-in-day-out helping thousands of bitcoiners upgrade their bitcoin security with multisig, so they were the perfect partners to help us build the best multisig support possible.

From registering your multisig vault on the Ledger device to verifying your multisig addresses and sovereign recovery with other open-source tools, the updated bitcoin application makes Ledger best-in-class for multisig.

Verify everything – Trust Nothing

Now to get a bit technical for those curious. To make all of this work, Ledger implemented a policy registration mechanism based on a HMAC. An HMAC, or hash-based message authentication code, is a specific type of authentication code that confirms the origins and the content of certain information.

When a multisig (or, miniscript) wallet policy is registered on the device, and only after the user has inspected it and confirmed it with the secure screen, the device returns a unique HMAC for that policy.

This HMAC allows the device to confirm that the Ledger is one key in a known multisig wallet that was previously registered and validated on the secure screen. The beauty of using HMACs in this way is that the Ledger doesn’t need to store the entire multisig wallet on the device, which as mentioned above unnecessarily reveals that the Ledger is used in multisig configuration. The HMAC can be stored by the multisig coordination tool (such as Unchained) and is passed to the Ledger during bitcoin transaction signing.

This allows you to verify all information about a multisig transaction on the device and confirm that nothing about the multisig wallet was changed in the future, without trusting any internet-connected device. In other words, after the one-time registration procedure, you can receive from, and send to a multisig wallet controlled by your Ledger with a user experience that is very similar to the one you are used to for single signature transactions.

This new functionality is best experienced during multisig wallet setup with Unchained, where once the wallet is generated, Unchained will prompt you to register the wallet on the device. You’ll be given the opportunity to review all of the relevant information about the multisig wallet and confirm with your Ledger. This confirmation is then stored as an HMAC and is used moving forward to remedy all of the primary multisig problems mentioned above.

Upgrade your multisig game now

All of the new Ledger multisig functionality is available for use with Unchained and certain open-source applications such as Caravan for all Ledger models. We hope that all multisig providers and tools will implement Ledger multisig registration and device address confirmation, improving security and usability for their users. These features are critical for the long-term security of bitcoin, and we are happy to see teams like Unchained implement the new functionality and advance the state-of-the-art of bitcoin security.

Read this article for a technical deep dive.