
Multisig & Output Descriptors

Single-key custody has a brutal failure mode: one secret, one point of failure. Lose it and your coins are frozen; leak it and they’re stolen. Multisig breaks that single point of failure by requiring k of n keys to authorize a spend. And once a wallet is more than one key, you need a precise way to describe it — which is what output descriptors were invented for.

A multisig output locks coins so that spending them requires signatures from at least k of a set of n public keys:

2-of-3 multisig:
  keys:   A  B  C       (any 2 of these 3 must sign)
  spend:  A + B   ✓
          A + C   ✓
          B + C   ✓
          A only  ✗     (one signature is not enough)

The power is in choosing k and n to match a real threat model:

| Setup | Good for |
| --- | --- |
| 2-of-2 | Two-party control — both must agree (e.g. you + a co-signer). Also the shape of a Lightning channel. |
| 2-of-3 | Personal security with backup: you hold 2 keys in different places, a trusted third party or service holds 1. Lose one key and you can still recover. |
| 3-of-5 | Business treasuries / boards — no single executive can move funds, survives losing a couple of keys. |

Modern multisig is cleanest with Taproot key aggregation (MuSig2), where a cooperative multisig can be made to look like an ordinary single-key spend on-chain — see Taproot, Schnorr & MuSig2. Classic (pre-Taproot) multisig instead reveals all the public keys and the policy on-chain.

Output descriptors: saying exactly what you can spend


Here’s the problem multisig exposes: a seed phrase alone is not enough to recover a multisig wallet. The seed gives you your keys, but to watch and spend you also need to know the other public keys, the threshold k, the script type, and the derivation paths. Lose that metadata and your funds can be unrecoverable even though you still hold your seed.

Output descriptors (sometimes “descriptor wallets”) solve this with a compact, explicit string that fully describes a set of scripts:

wpkh([d34db33f/84'/0'/0']xpub6.../0/*)
│    │                   │          │
│    └ key origin: the   │          └ wildcard: every index in this branch
│      master fingerprint│
│      + derivation path └ the extended public key
└ script type: wpkh = native SegWit single-sig

A 2-of-3 multisig descriptor names the threshold and all three keys at once:

wsh(multi(2,
  [fp1/48'/0'/0'/2']xpubA.../0/*,
  [fp2/48'/0'/0'/2']xpubB.../0/*,
  [fp3/48'/0'/0'/2']xpubC.../0/*))

From this one string, any descriptor-aware wallet can regenerate every address and verify every incoming payment — no guessing about script type or paths. Descriptors also carry a checksum so a corrupted backup is detected rather than silently producing the wrong addresses.
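The checksum mentioned above is the one specified in BIP-380. As an added example (not code from this page), the Python below implements it and shows a one-digit change to the threshold in a stored backup being rejected; the sample reuses the page's placeholder template, so `fp1` and `xpubA...` are placeholders, not real keys.

```python
INPUT_CHARSET = ("0123456789()[],'/*abcdefgh@:$%{}"
                 "IJKLMNOPQRSTUVWXYZ&+-.;<=>?!^_|~"
                 "ijklmnopqrstuvwxyzABCDEFGH`#\"\\ ")
CHECKSUM_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
# Charsets and generator constants as published in BIP-380.
GENERATOR = [0xf5dee51989, 0xa9fdca3312, 0x1bab10e32d, 0x3706b1677a, 0x644d626ffd]

def _polymod(symbols):
    chk = 1
    for value in symbols:
        top = chk >> 35
        chk = ((chk & 0x7ffffffff) << 5) ^ value
        for i in range(5):
            chk ^= GENERATOR[i] if (top >> i) & 1 else 0
    return chk

def _expand(s):
    symbols, groups = [], []  # one 5-bit symbol per char, plus one group symbol per 3 chars
    for c in s:
        v = INPUT_CHARSET.find(c)
        if v < 0:
            return None  # character not allowed in a descriptor
        symbols.append(v & 31)
        groups.append(v >> 5)
        if len(groups) == 3:
            symbols.append(groups[0] * 9 + groups[1] * 3 + groups[2])
            groups = []
    if groups:  # 1 or 2 leftover group values
        symbols.append(groups[0] if len(groups) == 1 else groups[0] * 3 + groups[1])
    return symbols

def descsum_create(desc):
    symbols = _expand(desc)
    if symbols is None:
        raise ValueError("invalid character in descriptor")
    chk = _polymod(symbols + [0] * 8) ^ 1
    return desc + "#" + "".join(CHECKSUM_CHARSET[(chk >> (5 * (7 - i))) & 31] for i in range(8))

def descsum_check(s):
    desc, sep, tail = s.rpartition("#")
    symbols = _expand(desc)
    if not sep or symbols is None or len(tail) != 8 or set(tail) - set(CHECKSUM_CHARSET):
        return False  # missing, malformed or wrong-length checksum
    return _polymod(symbols + [CHECKSUM_CHARSET.find(c) for c in tail]) == 1

# Constructed sample: the page's 2-of-3 template with its placeholders kept verbatim.
TEMPLATE = ("wsh(multi(2,[fp1/48'/0'/0'/2']xpubA.../0/*,"
            "[fp2/48'/0'/0'/2']xpubB.../0/*,[fp3/48'/0'/0'/2']xpubC.../0/*))")
BACKUP = descsum_create(TEMPLATE)
CORRUPTED = BACKUP.replace("multi(2,", "multi(3,", 1)  # one mistyped threshold digit
```

Run `descsum_check` on a descriptor backup before importing it; a `False` result means the string was altered or truncated and should not be used to derive addresses.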

Since no single device holds all the keys, multisig needs a way to pass an unsigned transaction between signers. That’s PSBT (Partially Signed Bitcoin Transaction, BIP174): a standard container that carries a transaction plus everything each signer needs, gathering signatures one device at a time until the threshold is met, then finalizing into a broadcastable transaction. It’s the same tool that lets an air-gapped hardware wallet sign without ever touching the internet.

How does this help untrusting strangers agree on one ledger? Multisig lets parties who don’t fully trust each other — co-founders, a user and a custody service, family members — share control of coins under rules the ledger itself enforces, with no escrow agent who could run off with the funds. Descriptors then make that arrangement portable and verifiable across software, so the agreement doesn’t depend on trusting any one vendor’s app. It’s trust-minimization applied to custody itself.

  1. In a 2-of-3 multisig, why is losing a single key recoverable while a single-key wallet’s loss is not?
  2. Why is a seed phrase alone insufficient to recover a multisig wallet?
  3. Read this descriptor aloud in plain English: wpkh([fp/84'/0'/0']xpub.../0/*).
  4. What problem does PSBT solve that arises specifically because multisig keys live on separate devices?
  5. What two things make up a complete backup of a 2-of-3 multisig wallet?