What information can a third party derive about a multisig wallet if one of the xpubs in the setup is known? For example, for a 2-of-3 setup, I know 3 of the xpubs are needed to generate wallet addresses, which initially led me to think that revealing 1 (or 2) xpubs would not reveal any information about the wallet. However, from poking around on the block explorer I now think the situation is more like the following, which I would like to confirm:
- Each xpub is used to derive a sequence of public keys which are used in the spending script. These public keys are revealed at spending time, so while the full set of wallet addresses/UTXOs cannot be generated from one xpub, someone who knows one xpub could find transactions on the blockchain that spent from the multisig wallet. (This could be relevant for e.g. a collaborative custody setup such as Unchained if an xpub that is shared with them is also used in a separate private wallet setup).
- Similarly, using the same xpub in multiple multisig wallet setups seems like a bad privacy practice, as transactions from the different wallets could potentially be linked together – in particular transactions spending from the same address index in each. E.g., if one setup uses xpub1, xpub2, xpub3 and the other xpub1, xpub4, xpub5, then the spending script for address index k in the two wallets will contain something like (pubkey1k, pubkey2k, pubkey3k) and (pubkey1k, pubkey4k, pubkey5k) – so they are linked by having the same pubkey1k in each.
- The solution to avoiding the above issues would be to use different derivation paths, which would generate different xpubs from the same private key, e.g. using different account numbers in the derivation path for a private vs. collaborative custody setup. (For this reason, revealing a multisig xpub would not reveal info about a single-sig wallet and vice versa.)
Can someone with more knowledge about how these setups work and what info is actually revealed on the blockchain help check/correct my understanding here?
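As an added illustration of the linkage described in the question (example code, not part of the original post), the following Python models two 2-of-3 setups that share xpub1 using a compact BIP32 non-hardened derivation, builds the OP_CHECKMULTISIG scripts that are revealed when each wallet spends, and shows what a third party holding only xpub1 can match against them. The "xpubs" here are constructed (public-key point, chain code) pairs rather than Base58-encoded xpubs, and `linked_indexes` is a hypothetical analysis helper.

```python
import hashlib, hmac
# secp256k1: field prime, group order, generator (as an affine point)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        r, pt, k = (ec_add(r, pt) if k & 1 else r), ec_add(pt, pt), k >> 1
    return r

def compress(pt):  # 33-byte SEC1 compressed encoding, as pushed in the script
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def ckd_pub(parent, chaincode, index):
    """BIP32 non-hardened child (index < 2**31): K_i = parse256(IL)*G + K_parent."""
    I = hmac.new(chaincode, compress(parent) + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(I[:32], "big")
    assert il < N  # BIP32 says skip such an index; probability is negligible
    return ec_add(ec_mul(il, G), parent), I[32:]

def make_xpub(seed):  # CONSTRUCTED demo "xpub" as (point, chain code); not a real wallet key
    k = int.from_bytes(hashlib.sha256(seed).digest(), "big") % N
    return ec_mul(k, G), hashlib.sha256(b"chaincode:" + seed).digest()

def multisig_script(m, xpubs, index):
    """OP_m <pk1> <pk2> ... OP_n OP_CHECKMULTISIG at one child index, keys sorted (BIP67)."""
    keys = sorted(compress(ckd_pub(pt, cc, index)[0]) for pt, cc in xpubs)
    return bytes([0x50 + m]) + b"".join(b"\x21" + k for k in keys) + bytes([0x50 + len(keys), 0xAE])

def script_pubkeys(script):  # recover the 33-byte key pushes from a revealed multisig script
    return {script[i + 1:i + 34] for i in range(1, len(script) - 2, 34)}

def linked_indexes(known_xpub, observed_scripts, gap=20):
    """What a third party holding one xpub learns: the child indexes whose keys appear on-chain."""
    children = {compress(ckd_pub(*known_xpub, i)[0]): i for i in range(gap)}
    return sorted({children[k] for s in observed_scripts for k in script_pubkeys(s) if k in children})
```

Holding xpub1 alone does not let the third party build the wallets' addresses, but once a script is revealed by a spend, its child key at that index is recognisable, and two wallets sharing xpub1 expose the same key at the same index.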