Are Threshold Signatures Really More Secure Than MultiSig?
I was informally chatting with the security architect for a major financial services company earlier this week and he candidly asked “are threshold signatures really more secure than MultiSig or is it just a more effective way of achieving the same level of security?” As we continued the discussion I realized it was a really important question that I hadn’t addressed directly enough in our discussion about cryptocurrency wallet security.
He ultimately shared that asking a company with existing solutions in place to adopt a new technology just to be more efficient was difficult to justify, even if it reduced operational expense. But, if he can make a clear case that it’s obviously more secure and lower in cost then it’s a far easier internal sale.
I shared the same response that our CTO, Jakob Pagter, shared with me when I asked that same question. He said that “ultimately, if an exchange implements a 2 out of 3 approval scheme using either MultiSig or ThresholdSig (Threshold Signatures), the achieved level of security is effectively the same. One can argue that ThresholdSig discloses less information about the security policies which implicitly reduces risk and increases transaction privacy, but quantitatively it’s difficult to justify that it’s meaningfully more secure.” He went on to say “but that’s the wrong question.”
“The right question is can we effectively achieve a higher level of security with ThresholdSig than with MultiSig, without introducing any material increased burden of expense, approval latency, or degradation of user experience for the end user. The answer to that question is absolutely!”
A critical difference between ThresholdSig and MultiSig is that ThresholdSig adds only a single Elliptic Curve Digital Signature Algorithm (ECDSA) signature to the transaction record whereas MultiSig adds multiple ECDSA signatures. It turns out that the ECDSA signatures are a substantial percentage of the overall transaction record for Bitcoin and most other cryptocurrencies. As a result, a 2 of 3 party MultiSig transaction can be as much as 62% larger than a single signature. A 3 of 3 party MultiSig can be more than twice as large as a single signature.
Since Bitcoin uses fixed length blocks, MultiSig transactions limit the number of transactions per block, so miners charge higher fees and perhaps more importantly may deprioritize processing MultiSig transactions during peak traffic periods. As a result, it’s highly uncommon for MultiSig implementations to go beyond a 2 signature (2 of 3) model. In contrast, ThresholdSig only generates a single standard ECDSA signature on the transaction, regardless of if the transaction is approved with a 2 of 3 or a 19 of 20 approver model.
Now in practice, it’s difficult to justify the complexity of a 19 of 20 approver model. But even a 3 of 3 approval model would substantially increase security. For example, the typical 2 of 3 approval model requires the end user and the exchange to approve a transaction before funds can be withdrawn from a wallet. But what if a malicious insider or a hacker identifies the wallets of the major accounts. They could potentially hack the end user’s wallets and drain the account funds by also defeating any exchange level security systems.
In contrast, with a 3 of 3 approval scheme, the end user, the exchange, and trusted third party could all be required to approve a transaction before funds can be withdrawn. In the above scenario, the hacked end user and exchange might approve malicious transactions, but the trusted third party which is ideally an independent organization would detect the deviation from approved policies and block the transactions. An example of this scenario is highlighted in a wallet demonstration as part of a 9 minute video that can be viewed on our website or on YouTube.
Sepior’s implementation of Threshold Signatures executes the partial approval for each approver in sub-milliseconds. So, adding a third automated approver to the transaction should add imperceptible latency, assuming that the defined policies can be verified with minimal latency.
The bottom line is ThresholdSig makes it highly practical to achieve a higher level of security than is economically practical to achieve with MultiSig. So yes, in the real world ThresholdSig wallets are more secure than MultiSig.