However, I still don't really get the usage difference between SSS and multisig. In an M-of-N situation, you give N secrets to N people, and M people together can spend the funds.
In my mind, Shamir secret sharing wallets (e.g. Armory) belong to the family of multisig wallets.
It would be nice if you could elaborate on that point.
- SSS can be bad if just your own client gets it wrong; multisig can be bad only if the blockchain itself is implemented incorrectly and somehow everybody who's been poking at its crypto for years with billions of dollars at stake has missed it.
- With SSS, once you reconstruct the key, there's one person holding that single key who will sign a transaction with it. You'd better trust that person. With multisig, each of the m keys can be controlled by a different person and they don't have to share. So (unbroken) SSS is fine for protecting your own key, but an organization that wants to distribute responsibility should use multisig.
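To make the second point concrete, here is an added example (my own code, not code from this thread, from Armory, or from any wallet) of a minimal Shamir split/recover over the secp256k1 group order, which is prime, so a Bitcoin private key in [1, n-1] can be shared directly as a field element. It shows two things the comment above states: `recover` hands the complete key to whoever calls it, and with threshold-1 shares every candidate secret is equally consistent, which `forge_share` demonstrates by constructing a share that makes the partial set reconstruct to any chosen value. The share index 9 and the sample secret in the demo are arbitrary constructed inputs.

```python
import secrets
from typing import List, Tuple

# secp256k1 group order (prime). Bitcoin private keys are integers in
# [1, N-1], so treating the key as an element of GF(N) loses nothing.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

Share = Tuple[int, int]  # (x, f(x)) with x != 0


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner's rule over GF(N); coeffs[0] is the constant term (the secret)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % N
    return acc


def split(secret: int, threshold: int, n_shares: int) -> List[Share]:
    """Split `secret` into n_shares points on a random degree-(threshold-1) polynomial."""
    if not 0 <= secret < N:
        raise ValueError("secret must be a field element")
    if not 1 <= threshold <= n_shares < N:
        raise ValueError("need 1 <= threshold <= n_shares")
    # f(0) = secret; the remaining coefficients are uniformly random.
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def _interpolate(points: List[Share], at: int) -> int:
    """Lagrange interpolation through `points` (distinct x), evaluated at `at`, mod N."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (at - xm) % N
                den = den * (xj - xm) % N
        total = (total + yj * num * pow(den, -1, N)) % N
    return total


def recover(shares: List[Share], threshold: int) -> int:
    """Reconstruct the secret. Note: the caller now holds the *whole* key;
    this is the single trusted party the comment above warns about."""
    if len(shares) < threshold:
        raise ValueError("not enough shares")
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share indices")
    return _interpolate(shares[:threshold], 0)


def forge_share(partial: List[Share], new_x: int, candidate: int) -> Share:
    """Given threshold-1 genuine shares, produce a share at `new_x` such that the
    set reconstructs to `candidate`. Exactly one degree-(threshold-1) polynomial
    passes through `partial` and (0, candidate), so this always succeeds: the
    partial set carries no information about which secret is the real one."""
    if new_x == 0 or any(x == new_x for x, _ in partial):
        raise ValueError("new_x must be a fresh non-zero index")
    return (new_x, _interpolate(partial + [(0, candidate)], new_x))


if __name__ == "__main__":
    # Constructed demo values, not a real key.
    key = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
    shares = split(key, threshold=3, n_shares=5)
    print("3 of 5 recover ok:", recover(shares[:3], 3) == key)
    two = shares[:2]
    for guess in (1, 42, key):
        fake = forge_share(two, 9, guess)
        print("2 shares + forged share reconstruct to guess:",
              recover(two + [fake], 3) == guess)
```

Usage note: the demo's final loop is the practical caveat for an organization. Two of three share-holders learn nothing from their shares alone, which is good, but the moment any three of them pool shares, whoever runs `recover` has the full key and can sign anything; with protocol-level multisig that pooling step never happens.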
So, slightly paraphrasing, IIUC:
- multisig is better suited to organizations; there is no need for trust between the key holders. And it's more secure, because it relies on more widely audited code than that of wallets.
- SSS seems better suited to individuals. It has more flexibility and privacy in N and M, since no P2SH script identifier is sent to the blockchain. I guess transaction fees should also be lower.
Wow, that's very informative. Thank you. I had just written a comment talking about SSS, but I didn't realize that Bitcoin has multisig in the actual protocol. That is definitely a lot better.
https://btcarmory.com/fragmented-backup-vuln/
Edit: the problem has since been fixed.