3.3. Generating Secure Multisig Addresses (hot and cold wallet)
In case you want to read up on how multi-signatures work in IOTA, please click here. For exchanges intending to set up cold / hot storage, we encourage you to set up multi-signatures for your cold storage with just the iota.lib.js JavaScript library.
The beauty of IOTA is that you can make use of all the cryptography functions, including the sensitive ones for signing and generating addresses, without having to install the Core client. This means that you can generate multi-signature addresses in a secure offline environment (e.g. a laptop that was never connected to the internet). The main thing that needs to be securely stored is the seed, because the private keys used for signing transactions are derived from it.
When generating a multi-signature address offline or online, what you mainly have to do is share the key digests in the correct order and generate the multi-signature that way. We have implemented validation functions so that you can be assured that the generated multi-signature address is correct. Sharing key digests is secure (you can’t derive a private key from the key digest).
It should be noted that it is of utmost importance to ensure proper key index management. Because IOTA uses one-time signatures, you should never reuse keys. As such, you need to be sure which key indexes have already been used to participate in a single or multi-signature, and which have not.
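
One way to enforce the key-index rule above, as an added example that is not part of the original page or of iota.lib.js: a small ledger that hands out each index once and refuses to sign twice with the same one. The class name `KeyIndexLedger`, its methods, and the address and bundle strings used with it are hypothetical.

```javascript
// Added example (hypothetical helper, not part of iota.lib.js): a ledger of key indexes.
// An index is RESERVED when its digest/address is handed out and SPENT once it has signed.
class KeyIndexLedger {
  constructor(entries = []) {
    this.entries = new Map();
    for (const e of entries) {
      if (!Number.isInteger(e.index) || e.index < 0) throw new Error('bad index in ledger');
      if (this.entries.has(e.index)) throw new Error(`duplicate index ${e.index} in ledger`);
      this.entries.set(e.index, { ...e });
    }
  }

  // Hand out an index above every index ever recorded, so gaps are never back-filled.
  reserve(purpose, address) {
    if (purpose !== 'single' && purpose !== 'multisig') {
      throw new Error('purpose must be "single" or "multisig"');
    }
    const index = this.entries.size === 0 ? 0 : Math.max(...this.entries.keys()) + 1;
    this.entries.set(index, { index, purpose, address, state: 'reserved' });
    return index;
  }

  // Call BEFORE signing and persist the ledger first: a crash then burns the index
  // (safe) instead of leaving a signed-but-unrecorded key (unsafe).
  markSpent(index, bundle) {
    const entry = this.entries.get(index);
    if (!entry) throw new Error(`index ${index} was never reserved`);
    if (entry.state === 'spent') {
      throw new Error(`index ${index} already signed ${entry.bundle}; refusing reuse`);
    }
    entry.state = 'spent';
    entry.bundle = bundle;
  }

  isSpent(index) {
    const entry = this.entries.get(index);
    return Boolean(entry) && entry.state === 'spent';
  }

  // Serialize for durable storage; restore() rejects ledgers with duplicate indexes.
  serialize() {
    return JSON.stringify([...this.entries.values()]);
  }

  static restore(json) {
    return new KeyIndexLedger(JSON.parse(json));
  }
}
```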