Multisig Wallet
A Bitcoin wallet requiring multiple private keys to authorize transactions, providing shared control and eliminating single points of failure.
Key Takeaways
- A multisig wallet requires m-of-n private keys to authorize a transaction: for example, 2-of-3 means any two of three keyholders must sign before funds can move, eliminating single points of failure in key management.
- On-chain multisig reveals the spending policy publicly, but Taproot with MuSig2 enables multisig transactions that look identical to single-signature spends, dramatically improving privacy and reducing fees.
- Multisig differs from MPC wallets: multisig uses independent keys coordinated via PSBTs, while MPC splits a single key into shares that never exist in one place.
What Is a Multisig Wallet?
A multisig wallet (short for multi-signature wallet) is a Bitcoin wallet that requires multiple private keys to authorize a transaction. Instead of a single key controlling funds, the wallet enforces an m-of-n threshold: m signatures must be provided from a set of n authorized keys before any Bitcoin can be spent.
Think of it like a safe deposit box that needs two keys to open: the bank holds one and the customer holds the other. Neither party can access the contents alone. Multisig wallets apply the same principle to Bitcoin, distributing trust across multiple keys, devices, or people.
Bitcoin has supported multisig natively since its early days through the OP_CHECKMULTISIG opcode. Unlike MPC or threshold schemes that operate off-chain, traditional multisig is enforced directly by Bitcoin Script: the blockchain itself verifies that enough valid signatures are present before allowing a spend.
How It Works
Setting up a multisig wallet involves generating multiple independent key pairs, combining their public keys into a multisig script, and deriving addresses from that script. When spending, the required number of keyholders each produce a signature, which are assembled into a valid transaction.
Creating a Multisig Wallet
- Each participant generates their own key pair, typically on a separate signing device or cold storage wallet
- Participants share their extended public keys (xpubs) with each other or with a coordinator
- A multisig script is constructed specifying the threshold (m) and including all n public keys
- Addresses are derived from this script, and the wallet is ready to receive funds
Spending from a Multisig Wallet
Spending requires coordination between keyholders. The standard workflow uses Partially Signed Bitcoin Transactions (PSBTs), a format defined in BIP 174 that enables safe, interoperable passing of unsigned transactions between wallets:
- One participant creates a PSBT containing the transaction details (inputs, outputs, amounts)
- The PSBT is passed to each required signer via file transfer, QR code, or network share
- Each signer reviews the transaction on their device and adds their signature to the PSBT
- Once m signatures are collected, the PSBT is finalized into a complete transaction
- The signed transaction is broadcast to the Bitcoin network
Because PSBTs are a standardized format, signers can use different wallet software and hardware devices. A Coldcard, Trezor, and Ledger can all participate in the same multisig wallet without compatibility issues.
Script Types for Multisig
Bitcoin supports multisig through several script formats, each with different tradeoffs:
| Script Type | Address Prefix | Max Keys | Notes |
|---|---|---|---|
| P2SH multisig | 3... | 15 | Legacy wrapped multisig, widely supported |
| P2WSH multisig | bc1q... | 20 | Native SegWit, lower fees than P2SH |
| P2TR (Taproot) | bc1p... | No fixed limit | Uses MuSig2 or Tapscript; best privacy and fees |
P2WSH is the most common format for multisig today. It provides a fee discount because witness data is weighted at one quarter, and it supports up to 20 keys versus 15 for P2SH.
Descriptor Backups
A critical difference between single-sig and multisig wallets: a seed phrase alone is not enough to recover a multisig wallet. You also need the threshold value (m), the derivation paths, and the xpubs of every cosigner.
Output script descriptors encode the complete wallet policy in a compact, human-readable string:
wsh(sortedmulti(2,
[fingerprint1/48'/0'/0'/2']xpub6ABC...,
[fingerprint2/48'/0'/0'/2']xpub6DEF...,
[fingerprint3/48'/0'/0'/2']xpub6GHI...
))The sortedmulti variant (defined in BIP 383) sorts keys lexicographically, ensuring that the same addresses are generated regardless of the order cosigners are listed. Every participant should back up the full descriptor alongside their own seed phrase.
Common Configurations
2-of-3: Personal Security
The most popular multisig configuration for individual self-custody. A typical setup distributes keys across three locations:
- Key 1 on a hardware wallet kept at home for regular access
- Key 2 on a second hardware wallet stored off-site (safety deposit box, trusted location)
- Key 3 held by a collaborative custody provider as a recovery backup
Any two keys can authorize a transaction. Losing one key does not result in loss of funds, and a single compromised key cannot move Bitcoin. Services like Unchained and Casa use this model, holding one backup key while the user retains two.
3-of-5: Institutional Treasury
Organizations managing significant Bitcoin holdings often use 3-of-5 or 4-of-7 configurations to distribute signing authority across executives, board members, or geographic regions. This tolerates the loss or compromise of up to two keys while requiring consensus from a majority of keyholders.
2-of-2: Joint Control
Used when two parties must agree on every spend: business partners, joint accounts, or exchange withdrawal workflows. The tradeoff is zero redundancy: if either key is lost, the funds are unrecoverable without additional measures like Miniscript timelocks.
Multisig vs MPC vs Threshold Signatures
Three approaches exist for distributing control over Bitcoin, each with distinct tradeoffs:
| Property | On-chain Multisig | MPC Wallet | Threshold Signatures |
|---|---|---|---|
| Key structure | Multiple independent keys | Single key split into shares | Distributed key generation |
| On-chain footprint | Reveals m, n, and all pubkeys | Single signature | Single signature |
| Signing | Asynchronous via PSBT | Synchronous (all signers online) | Synchronous (threshold signers online) |
| Quorum changes | Requires moving funds on-chain | Key refresh without moving funds | Key refresh without moving funds |
| Auditability | Fully transparent on-chain | Opaque to observers | Opaque to observers |
| Transaction cost | Higher (multiple sigs and pubkeys) | Same as single-sig | Same as single-sig |
For a deeper comparison, see the Bitcoin custody solutions research article.
Taproot and the Future of Multisig
Taproot (activated November 2021) transforms how multisig works on Bitcoin. Using MuSig2, multiple signers can aggregate their public keys into a single Taproot key. When all signers cooperate (key-path spend), the resulting Schnorr signature is indistinguishable from a regular single-signature transaction.
This provides two major advantages over traditional multisig:
- Privacy: observers cannot determine how many signers were involved or what the spending policy is
- Fees: a single 64-byte signature replaces multiple signatures and public keys, with BitGo reporting approximately 30% fee savings compared to P2WSH multisig
MuSig2 is strictly n-of-n (all signers must participate). For true m-of-n thresholds on Taproot, FROST (Flexible Round-Optimized Schnorr Threshold) signatures offer a path forward, though FROST remains experimental without a finalized BIP. See the FROST deep dive and MuSig2 explainer for technical details.
Privacy Considerations
Traditional multisig has a significant privacy cost. When spending from a P2SH or P2WSH multisig wallet, the full script is revealed on-chain, exposing:
- The exact m-of-n threshold (e.g., 2-of-3)
- All n public keys of the cosigners
- That the wallet is multisig at all, making it a target for analysis
Chain analysis firms can use this information to cluster addresses, identify institutional wallets, and track spending patterns. This is one reason Taproot (P2TR) multisig is increasingly preferred: key-path spends via MuSig2 leave no on-chain evidence of multi-party control.
Even with Taproot, script-path spends (used when the key path fails) do reveal the specific spending condition that was used. However, unused conditions remain hidden in the Merkle tree, preserving partial privacy.
Multisig Management Platforms
Several services and tools simplify multisig setup, signing coordination, and key management:
| Platform | Model | Configuration |
|---|---|---|
| Unchained | Collaborative custody | 2-of-3 (user holds 2 keys, Unchained holds 1) |
| Casa | Managed self-custody | 2-of-3 or 3-of-5 depending on plan |
| Nunchuk | Self-custody app | Flexible m-of-n with Taproot MuSig2 support |
| Sparrow Wallet | Open-source desktop | Arbitrary m-of-n with full PSBT workflow |
| Caravan (by Unchained) | Open-source web tool | Stateless coordinator for hardware wallets |
| Liana | Open-source desktop | Decaying multisig with Miniscript timelocks |
For a broader comparison of custody approaches, see the self-custodial vs custodial wallets research article and the multisig wallets deep dive.
Use Cases
Personal Security
Individuals holding significant Bitcoin use 2-of-3 multisig to protect against theft and loss. A single compromised device cannot drain the wallet, and a single lost device does not make funds unrecoverable. This is the primary use case driving multisig adoption among self-custody advocates.
Business Treasury
Companies and DAOs use 3-of-5 or higher configurations to ensure no single employee or executive can unilaterally move funds. The m-of-n threshold enforces a governance process directly at the protocol level.
Inheritance Planning
Multisig combined with Miniscript timelocks enables inheritance schemes: for example, a 2-of-2 wallet that degrades to 1-of-2 after 12 months of inactivity, allowing a designated heir to access funds without requiring the original holder's key.
Exchange Security
Exchanges and custodians use multisig for hot wallet and cold storage management. Cold storage often requires 3-of-5 or higher, with keys distributed across geographic locations to protect against physical theft.
Risks and Considerations
Increased Complexity
Multisig introduces coordination overhead that does not exist with single-signature wallets. Every spend requires passing a PSBT between multiple signers, which can be slow and error-prone. Lost descriptors or forgotten cosigner xpubs can make funds permanently inaccessible, even if enough seed phrases are available.
Higher Transaction Fees
Traditional (non-Taproot) multisig transactions are larger than single-sig transactions because they include multiple signatures and public keys. A 2-of-3 P2WSH input is roughly 104.5 vBytes compared to about 68 vBytes for a single-sig P2WPKH input. This gap shrinks significantly with MuSig2 Taproot key-path spends (approximately 57.5 vBytes per input).
Key Loss Risk
While multisig adds redundancy, it also increases the total number of keys that must be managed. In a 2-of-3 setup, losing two keys means total loss of funds. Proper backup procedures for both seed phrases and wallet descriptors are essential.
On-Chain Privacy
As noted above, P2SH and P2WSH multisig transactions are identifiable on-chain. Users concerned about privacy should consider Taproot MuSig2 setups or complement multisig with techniques like CoinJoin to reduce traceability.
This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.