How to use Nano Multisig

Owning a cryptocurrency such as Nano involves owning a key that secures your funds. With Nano the most common method is to generate a master key called a seed, which can be used together with an index number to derive billions of private keys. Each private key unlocks one Nano account (address) that hold the funds.

Multi-signature is a way for multiple participants to own one private key each and combining them in a way so that only one common account is used to store the funds. Each participant only needs to know their particular key. Then by exchanging safe cryptographic data between the participants, a block hash signature is produced that can publish the corresponding block to the network. Multisig exists in many other cryptocurrencies and is a very secure way for big entities such as Exchanges to handle their cold wallets. It could also be a way for individuals to securely store funds by having two or more private keys hidden at different locations.

The most common approach is to enforce at least 50% of the participants to take part, while the current Nano implementation requires 100%. It’s more secure but also involves a higher risk since it’s a higher chance that one of the keys goes missing and funds locked forever. This type of implementation will probably change in the future to aim for 50% instead.

The Nano multi-sig library was built by Lee Bousfield (PlasmaPower), a former protocol developer at the Nano foundation. A working simplified demo can be found here.

The multisig in action at Keytools

Multisig with Keytools — Create an account

One Nano multisig implementation can be found at Nano Keytools. To create a multisig account you can follow these steps (Or watch the Demo Video):

  1. Visit https://tools.nanos.cc/?tool=multisig
  2. If you already have a block hash and private keys for multi-sign, skip to “Multisig with Keytools — Signing Locally / Remotely”.
  3. To get a new multisig account, enter two or more Nano accounts. Doesn’t matter if they have been used or not but you will need one private key each for them. To create new key/account pairs you can use the Key Converter. Store the keys in a safe place. The multisig account can now be funded and tested.
Example of key / account pair
Example of a combined multisig account

Multisig with Keytools — Create a new block

1. To test the multisig account you can create a block yourself and publish it. One way is by using the Block Processor tool.

2a. (Image 1–5) Select “open account”. Enter the multisig account as “opening address” and chose a representative (can be the same account in this case). Activate the QR and send Nano to it with a mobile wallet like Natrium.

2b. (Image 6–7) Grab the pending hash and transaction amount from the network by using the “cloud buttons”.

2c. (Image 8) Copy the resulting block hash to the next step. Keep this tab open so you can process the block later.

Example of creating an open block using the block processor tool

Multisig with Keytools — Signing Locally

If you own the private keys yourself and just want to use one computer.

  1. Open as many tabs as you have private keys for the multisig. Then check the “Multi-Tab Mode” box, enter number of participants (tabs including current tab), hash and private keys. The participant count, hash and tab-mode will sync automatically between the tabs. Press “Start Signing”.
Setting up automatic multi-tab signing

2. The tabs will communicate with each other in an asynchronous pattern (regardless of how many you have) and do the signing for you! They should all output the same signature. Copy it to the “Publish a Block” step.

Automatic multi-tab signing — Result

Multisig with Keytools — Signing Remotely

If you are several participants using different computers.

1. Paste the block hash in the multisig tool, enter your private key and select the number of participants (including yourself). Press “Start Signing”.

Initiating the signing procedure

2. Each participant now need to do the same. The easiest way is to use the “Share Signing URL” and give that to the others. If you are doing this yourself, just open another tab, paste the URL and use the “Multi-Tab Mode”.

3. Each participant will enter their private key and start the same process (if using the shared URL the participant count and hash will be prefilled when the page loads). Now copy the data from “Output Data” and give it to each other participant. They will paste the data from each participant in the “Input Data” and share their output data back to you. If you only use 2 participants then only one data input is needed.

Participant 1: Copy output TO participant 2 -> Paste the input FROM participant 2
Participant 2: Copy output TO participant 1 -> Paste the input FROM participant 1

4. Now repeat this for all three steps. It’s also a good way to double-check the multisig account. If the wrong private keys are used the account will not match. It’s automatically filled after step 1. In the final step, you will get the block signature. Copy it to the “Publish a Block” step.

Double checking the multisig account
Final block signature

Multisig with Keytools — Publish a Block

  1. If you have a signature, go back to the block processor tab. If you didn’t save the tab, just redo the block creating step. The block hash will always be the same. Now paste the signature, create a proof of work with the “hammer button” and publish the block!
Final signature and PoW
Block processed

2. You can verify the transaction by copy the block hash to a block explorer or just use the Network Inspector tool.

Published block — Confirmed

Multisig with Nault Wallet

Now available!
https://docs.nault.cc/2021/04/20/multisig.html

A concept for Automated Multisig

As you may have seen multisig is not super user-friendly because it involves a lot of data to be shared back and forth between the participants. One idea would be to use the Nano network to pass the data automatically.

It would use the corresponding account for each private key to send transactions and other participants can listen for changes on the sending account’s representative field. See the following figure.

  1. All participants enter the block hash they want to multi-sign and their private key. Also, the participating accounts because each sender must have the recipients available from the start. For simplicity, in this case, we use two participants. Only the initiating participant (1) will need to have funds in the account because it can fund the other ones if more than 2 participants in total.
  2. Participant 1 would start by sending a raw amount corresponding to a unique identifier that will only be valid for this particular session. The rep field is set to the block hash that we want to multi-sign.
  3. Participant 2 listens on its account and acknowledge back if the block hash matches with what’s set. Sending back the same raw amount (unique ID).
  4. Participant 1 read the acknowledgement and checks if the raw amount matches. That’s enough information to start the signing. Sending data 1 in the rep field and unique identifier to all participants. Each participant responds back.
  5. After all 3 steps, the signature can be produced!

Issues

  • Each participant must know the participating accounts. Not a big issue
  • The accounts must have funds in them to work. Can be solved by participant 1 share funds with the other.
  • A lot of transactions are needed for this process.
    2 participants: 8 tx
    3 participants: 20 tx
    4 participants: 38 tx

I would love to hear inputs on this idea! Maybe some other system can be used for the data transfer. But how to make it decentralized?

A similar functionality is now possible with Keytools using the “Multi-tab Mode”. It passes information between the tabs asynchronously similar to how the Nano network functions, but locally in the browser.

Donation

Found this helpful? Consider a small Nano donation or sponsor me on Github😉

nano_1gur37mt5cawjg5844bmpg8upo4hbgnbbuwcerdobqoeny4ewoqshowfakfo

Crypto Follower