Multisignature (Multisig)

16 min read · Guide 7 of 7

How multi-key setups eliminate single points of failure — from basic quorum policies to advanced multi-sig architectures for individuals and organizations.

What is multisig and how does it secure your Bitcoin?

What Is Multisig?

Multisignature (multisig) is a security model where multiple separate keys are required to authorize a transaction. Instead of a single private key controlling access to funds, a multisig wallet requires a defined number of approvals from a group of key holders.

This is expressed as M-of-N, where:

  • N — the total number of keys in the setup
  • M — the minimum number of keys required to sign (the quorum)

Think of multisig like a bank vault that requires two officers to turn their keys simultaneously. No single person can open it alone, and losing one key doesn't lock everyone out (as long as there are enough remaining).

For example, in a 2-of-3 multisig, three keys exist but any two of them can sign a transaction. This means:

  • No single key holder can steal funds unilaterally
  • Losing one key still allows recovery using the remaining two
  • An attacker must compromise two separate, independently stored keys

Why should you use a multisig wallet?

Why Use Multisig?

Multisig solves the single point of failure problem that plagues standard single-key wallets. With a regular wallet, the security of your entire holdings depends on one seed phrase — if it is stolen, copied, or lost, everything is at risk.

Key Benefits

  • Theft resistance — an attacker must compromise multiple keys stored in different locations. Stealing one key is useless.
  • Loss tolerance — in a 2-of-3 setup, losing one key does not lock you out. You can still access funds with the remaining two and migrate to a new setup.
  • Reduced trust requirements — no single individual (including yourself) needs to be fully trusted. Organizations can require multiple approvals for spending.
  • Coercion resistance — even under physical threat, you cannot unilaterally move funds because additional signers are required.
  • Inheritance planning — distribute keys to family members and a lawyer, enabling fund recovery after death without giving any single party full control.

Trade-Off: Multisig adds complexity. Setup, backup, and recovery are all more involved than a standard single-key wallet. The increased security is worth the complexity for significant holdings, but may be overkill for small amounts.

What are common multisig configurations like 2-of-3 and 3-of-5?

Common Configurations

2-of-3 — Personal Sovereignty

The most popular configuration for individuals. Three keys, each stored on a different device or medium in a different location:

  • Key 1 — hardware wallet at home
  • Key 2 — hardware wallet (different brand) in a bank safety deposit box
  • Key 3 — seed backup on metal plate at a trusted family member's secure location

Any two can sign. Loss of one device or location does not result in lost funds.

3-of-5 — Organizational Governance

Designed for businesses, DAOs, or family trusts. Five key holders, three required to approve:

  • Distributes signing authority across leadership
  • Tolerates two simultaneous key compromises or losses
  • Can assign keys to individuals, departments, or legal representatives

2-of-2 — Collaborative Custody

Two keys, both required. Useful for:

  • Joint accounts (both spouses must agree to spend)
  • Collaborative custody services (you hold one key, a trusted service holds the other)

Warning: With 2-of-2, losing either key means losing all funds permanently. There is no redundancy. Only use this when both keys have robust, independent backups.

How do you set up your first multisig wallet?

Setting Up Your First Multisig

Setting up a multisig wallet requires careful planning. Here is the general process for a 2-of-3 setup:

  1. Choose your coordinator software — Sparrow Wallet, Electrum, or Nunchuk are popular options with built-in multisig support
  2. Generate three independent keys — ideally on three different hardware wallets from different manufacturers
  3. Export the extended public keys (xpubs) from each device
  4. Create the multisig wallet in your coordinator by importing all three xpubs and setting the quorum to 2-of-3
  5. Back up the wallet descriptor — this file contains the xpubs and quorum policy, and is required for recovery alongside the seed phrases
  6. Test the setup — send a small amount, then complete a full spend using two of the three keys to verify everything works
  7. Store keys and backups in separate, secure locations

Critical: The wallet descriptor file is as important as the seed phrases. Without it, you cannot reconstruct the multisig wallet even if you have all three seeds. Back it up alongside each seed in each location.

How do Bitcoin Script and OP_CHECKMULTISIG work?

Bitcoin Script and Multisig Transactions

Multisig in Bitcoin is enforced at the protocol level through Bitcoin Script — a stack-based programming language embedded in every transaction. The spending conditions are not enforced by wallet software; they are enforced by every node on the network.

OP_CHECKMULTISIG

The original multisig mechanism uses the OP_CHECKMULTISIG opcode. A 2-of-3 redeem script looks like:

2-of-3 Multisig Redeem Script
OP_2 <pubkey_1> <pubkey_2> <pubkey_3> OP_3 OP_CHECKMULTISIG

When spending, the witness/scriptSig must provide exactly M valid signatures corresponding to M of the N listed public keys.

Script Wrapping (P2SH, P2WSH)

  • P2SH (Pay-to-Script-Hash) — the redeem script is hashed; only the hash appears in the output. The full script is revealed at spending time. Addresses start with 3.
  • P2WSH (Pay-to-Witness-Script-Hash) — SegWit version. Moves the witness data outside the base transaction, reducing effective size and fees. Addresses start with bc1q (longer than single-sig bc1q addresses).
  • P2SH-P2WSH — nested SegWit for backward compatibility. The outer P2SH wraps an inner P2WSH. Addresses start with 3.

On-Chain Fingerprint: Traditional multisig reveals the quorum policy (M-of-N) and all public keys when a UTXO is spent. This is a privacy consideration — an observer can see that the output was controlled by a multisig setup and identify the exact policy. Taproot (see below) addresses this limitation.
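
The redeem script layout and P2WSH wrapping described above, as an added Python example (not code from the original guide): it serializes a 2-of-3 script, derives the P2WSH scriptPubKey, and parses the script back the way any observer can once it is revealed at spend time. The function names and the placeholder public keys are assumptions made for illustration; keys are sorted the way sortedmulti orders them.

```python
import hashlib

OP_CHECKMULTISIG = 0xAE
PUSH_33 = 0x21            # push the next 33 bytes (one compressed public key)

def op_n(n):
    """OP_1..OP_16 are the single bytes 0x51..0x60."""
    if not 1 <= n <= 16:
        raise ValueError("n out of range for OP_N")
    return 0x50 + n

def build_witness_script(m, pubkeys):
    """Serialize OP_M <keys...> OP_N OP_CHECKMULTISIG with BIP67-sorted keys."""
    keys = sorted(pubkeys)
    if not 1 <= m <= len(keys) or any(len(k) != 33 for k in keys):
        raise ValueError("bad quorum or key length")
    body = b"".join(bytes([PUSH_33]) + k for k in keys)
    return bytes([op_n(m)]) + body + bytes([op_n(len(keys)), OP_CHECKMULTISIG])

def p2wsh_script_pubkey(witness_script):
    """Only this 34-byte commitment is on-chain until the output is spent."""
    return b"\x00\x20" + hashlib.sha256(witness_script).digest()

def read_policy(witness_script):
    """Recover (M, N, keys) from a revealed script, as any observer can."""
    if len(witness_script) < 3 or witness_script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a bare CHECKMULTISIG script")
    m, n = witness_script[0] - 0x50, witness_script[-2] - 0x50
    if not 1 <= m <= n <= 16 or len(witness_script) != 3 + 34 * n:
        raise ValueError("malformed multisig script")
    keys = []
    for i in range(n):
        start = 1 + 34 * i
        if witness_script[start] != PUSH_33:
            raise ValueError("expected a 33-byte key push")
        keys.append(witness_script[start + 1:start + 34])
    return m, n, keys

# Constructed placeholder keys (right length and prefix, not real key material).
SAMPLE_KEYS = [b"\x02" + bytes([i]) * 32 for i in (3, 1, 2)]
SAMPLE_SCRIPT = build_witness_script(2, SAMPLE_KEYS)
```

Before the spend, the 34-byte output commits only to a hash; after it, `read_policy` returns the full quorum and key list from the witness.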

What are output descriptors and how do they help multisig recovery?

Output Descriptors and Wallet Recovery

Output descriptors (defined in BIPs 380-386) are a standardized way to describe the spending conditions for a set of addresses. For multisig wallets, the descriptor encodes everything needed to reconstruct the wallet:

Output Descriptor (2-of-3)
wsh(sortedmulti(2,
  [fingerprint_1/48h/0h/0h/2h]xpub_1/0/*,
  [fingerprint_2/48h/0h/0h/2h]xpub_2/0/*,
  [fingerprint_3/48h/0h/0h/2h]xpub_3/0/*
))#checksum

Descriptor Components

  • wsh() — wrapping type (Witness Script Hash = native SegWit)
  • sortedmulti(2, ...) — quorum of 2, with keys sorted lexicographically (BIP67)
  • [fingerprint/path]xpub — each cosigner's extended public key with its derivation path and master fingerprint
  • /0/* — receive addresses (change uses /1/*)
  • #checksum — descriptor checksum for integrity verification

Recovery Requirements

To fully recover a multisig wallet, you need:

  1. M seed phrases (for signing capability)
  2. All N xpubs (to reconstruct the address set)
  3. The quorum policy (M-of-N)
  4. The derivation paths for each cosigner
  5. The script type (P2SH, P2WSH, P2TR)

Backup Strategy: Store the full wallet descriptor alongside every seed phrase backup. Without the descriptor, having M seed phrases is insufficient — you won't know which addresses to derive or what script template to use. Each backup location should contain: one seed phrase + the complete descriptor file.

How does Taproot improve multisig privacy with MuSig2?

Taproot Multisig and MuSig2

Bitcoin's Taproot upgrade (activated November 2021) introduced Schnorr signatures and MAST (Merkelized Abstract Syntax Trees), which fundamentally improve multisig privacy and efficiency.

Key Path Spending with MuSig2

MuSig2 is a Schnorr-based multi-signature scheme where all N participants cooperatively produce a single aggregate signature. On-chain, this is indistinguishable from a regular single-signature Taproot transaction:

  • Only one 64-byte Schnorr signature appears in the witness
  • The output looks identical to a single-key P2TR output
  • No public keys, quorum policies, or script complexity is revealed
  • Transaction fees are identical to single-sig Taproot

Script Path Fallback

If not all N signers are available (e.g., for an M-of-N threshold where M < N), the transaction can fall back to a Tapscript leaf that encodes the threshold policy. Only the specific branch used is revealed on-chain; unused branches remain hidden in the Merkle tree.

Taproot Output Structure

  • Key Path: MuSig2(all N keys) (cooperative, most private)
  • Script Path (MAST):
      • Leaf 1: 2-of-3 threshold
      • Leaf 2: timelock + key D
      • Leaf 3: 3-of-5 threshold

Privacy Advantage: With Taproot + MuSig2, a multisig setup looks exactly like a regular payment on-chain. This is a massive privacy improvement over P2WSH multisig, where the script reveals the exact M-of-N policy and all involved public keys upon spending.

How do you manage keys and vendor diversity in multisig?

Key Management and Vendor Diversity

The security of a multisig setup depends not just on the quorum policy but on the independence and diversity of the keys.

Vendor Diversity Principle

Use hardware wallets from different manufacturers for each key in your multisig setup. This protects against:

  • Firmware vulnerabilities — a zero-day exploit in one vendor's firmware can only compromise one key
  • Supply chain attacks — a compromised manufacturing batch affects only one device
  • Correlated failures — a hardware defect specific to one model doesn't affect other brands

Geographic Distribution

Store keys in physically separate locations to protect against:

  • Natural disasters (fire, flood, earthquake) destroying multiple keys
  • Burglary or physical attack at a single location
  • Legal seizure or government confiscation in one jurisdiction

Operational Independence

For organizational multisig, each key holder should:

  • Generate and store their key independently, without sharing the seed with others
  • Use their own hardware and secure storage infrastructure
  • Not have access to more than one key (violating this defeats the purpose of multisig)

Anti-Pattern: Generating all multisig keys on the same device, storing all seeds in the same location, or having one person hold all keys reduces your multisig to an expensive single-sig with extra complexity. The entire value of multisig comes from independence between signers.

What are collaborative custody services and how do they work?

Collaborative Custody Services

Collaborative custody is a model where a third-party service holds one key in a multisig setup, providing recovery assistance and additional security without taking custodial control of your funds.

Typical 2-of-3 Collaborative Model

  • Key 1 — held by you (hardware wallet)
  • Key 2 — held by the collaborative custody service
  • Key 3 — held by you in cold storage (emergency recovery)

Normal transactions require your key (Key 1) and the service's co-signature (Key 2). If the service disappears or becomes unresponsive, you recover using Keys 1 + 3. If you lose your primary device, you recover using Keys 2 + 3 (after identity verification with the service).

Evaluating Collaborative Custody

  • Does the service hold a minority of keys? — they should never be able to unilaterally move funds
  • Can you recover without the service? — you must be able to access funds independently using your own keys
  • Is the service open-source? — can you verify the key management and signing protocols?
  • What identity verification does the service require? — understand the trade-off between convenience and privacy

Self-Custody Preserved: A well-designed collaborative custody setup preserves self-sovereignty. You always retain the ability to move funds without the service's cooperation (using your two keys). The service provides convenience and a safety net, not control.
