public inbox for bitcoindev@googlegroups.com
* [Bitcoin-development] Multisignature transactions
@ 2011-09-29 16:07 Gavin Andresen
  2011-09-30 16:25 ` Mike Hearn
  0 siblings, 1 reply; 6+ messages in thread
From: Gavin Andresen @ 2011-09-29 16:07 UTC (permalink / raw)
  To: Bitcoin Dev

Design discussion:  https://gist.github.com/39158239e36f6af69d6f
Pull request:  https://github.com/bitcoin/bitcoin/pull/541

Initial support for multisignature transactions

This adds initial support for three new types of transactions:
(a and b)
(a or b)
(a and b) or c

... where a/b/c are keys. These new transaction types will enable
better wallet security and backup in future versions of bitcoin.

I've taken a conservative approach with this initial pull; the new
transaction types will be relayed and included in blocks, but are
ignored by the wallet code, so will not affect the balance and will
never be considered available to spend. I'm going to start a
discussion on bitcoin-dev to do a bit of a brain-dump on what NOT to
do with multi-signature transactions (there are several potential
attacks that we'll need to be careful to avoid).

I'll be creating a multisig_testing branch in the gavinandresen github
fork that WILL add multisig transactions to the balance, will have a
new RPC call to create multisig transactions, and will be able to
spend the multisig transactions; that will be for testing this PULL
only for now.
=======================

Here's the discussion of potential attacks that occurred to me while I
was working on this:

+ Attacker has an account and a funding address/key ("a") at a
shared-wallet service.  Attacker also has their own address/key ("b").
+ They send 100 bitcoins that can be spent by (a or b).  Note that the
shared-wallet service can't stop the attacker from doing that.

IF the shared-wallet service credits their account (because "a" can
spend the coins), then Bad Things might happen:

+ The shared-wallet service probably assumes that it controls all the
keys in its wallet, and the only time coins in its wallet will be
spent will be when it issues a send* RPC command. But the attacker can
spend using "b" anytime they like.

+ If the shared-wallet service allows importing of keys then the
attacker might be able to get double-credit by importing "b"
(depending on what the 'import private key' code does).

The pull I've submitted doesn't have any of those issues because
multisignature transactions are not credited / added to the wallet.

Going forward, I think the right thing to do is only add
multisignature transactions to the wallet's balance (and make them
available to spend) if the public half of ALL of the keys involved are
known to the wallet.  The private half of the key may not be in the
wallet (maybe it is on another device or maybe it is a deterministic
backup master key protected by a passphrase), but the public key must
be known and in the wallet.


I'd really like to get this into the 0.5 release because it will
enable much better wallet security and backup in some future release
or alternative client (but these transaction types need to be relayed
and mined BEFORE then to make that possible).

-- 
--
Gavin Andresen



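An added example, not code from pull 541 or from Bitcoin itself: a toy wallet that applies the crediting rule proposed in the message above (an output is added to the balance only when the public half of every key its script names is known to the wallet) and walks through the shared-wallet scenario it describes. Script templates are modelled abstractly as the list of keys an output names; the template matcher that would extract those keys from a real scriptPubKey is assumed to have run already, and all key names, txids and amounts are constructed sample data.

```python
"""Added example (not code from pull 541 or from Bitcoin): a toy wallet that
credits an output only when the PUBLIC half of every key named by the output
script is known to the wallet.  Private halves are optional: a key whose
private half lives on another device or in an offline backup still counts.

Assumptions: script templates are modelled as the ordered keys they name
(the template matcher that extracts keys from a real scriptPubKey is taken
as given), and all key names, txids and amounts are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Output:
    txid: str
    value: int          # satoshis
    template: str       # "single", "a and b", "a or b", "(a and b) or c"
    keys: tuple         # pubkeys named by the script, in script order


@dataclass
class Wallet:
    pubkeys: set                                   # public halves we recognise
    privkeys: set = field(default_factory=set)     # subset we can sign with
    credited: dict = field(default_factory=dict)   # txid -> value, once each

    def can_credit(self, out):
        # The conservative rule: every key must be ours, at least publicly.
        # One unknown key means an outside party can spend without us.
        return all(k in self.pubkeys for k in out.keys)

    def credit(self, outputs):
        """Add creditable outputs to the balance; return what was skipped."""
        skipped = []
        for out in outputs:
            if out.txid in self.credited:
                continue                # an output is counted at most once
            if self.can_credit(out):
                self.credited[out.txid] = out.value
            else:
                unknown = [k for k in out.keys if k not in self.pubkeys]
                skipped.append((out.txid, unknown))
        return skipped

    def balance(self):
        return sum(self.credited.values())

    def import_key(self, pubkey, have_private=True):
        # Importing a key changes what is creditable, but credit() still
        # counts each output once, so there is no double credit via import.
        self.pubkeys.add(pubkey)
        if have_private:
            self.privkeys.add(pubkey)


def run_demo():
    a, b, c, d = "pubkey_a", "pubkey_b", "pubkey_c", "pubkey_d"  # constructed
    # Service wallet: a with its private key, c as a public half only
    # (say, a backup key whose private half is offline).  b and d are not ours.
    w = Wallet(pubkeys={a, c}, privkeys={a})
    outputs = [
        Output("tx1", 5_00000000, "single", (a,)),
        Output("tx2", 7_00000000, "a and b", (a, c)),         # watch-only c: fine
        Output("tx3", 100_00000000, "a or b", (a, b)),        # attacker's key b
        Output("tx4", 1_00000000, "(a and b) or c", (a, c, d)),
    ]
    skipped = w.credit(outputs)
    before = w.balance()
    # The attacker imports b through the service's key-import feature.  tx3
    # now satisfies the rule and is credited exactly once, not twice.
    w.import_key(b)
    w.credit(outputs)
    return {"before": before, "skipped": skipped, "after": w.balance()}


if __name__ == "__main__":
    print(run_demo())
```

Two things the run shows: the 100 BTC (a or b) output is kept out of the balance while b is unknown, and tx2 is credited even though the wallet holds only the public half of c, which is the distinction the message draws between a key being known and being spendable.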

* Re: [Bitcoin-development] Multisignature transactions
  2011-09-29 16:07 [Bitcoin-development] Multisignature transactions Gavin Andresen
@ 2011-09-30 16:25 ` Mike Hearn
  2011-09-30 16:32   ` Gregory Maxwell
  0 siblings, 1 reply; 6+ messages in thread
From: Mike Hearn @ 2011-09-30 16:25 UTC (permalink / raw)
  To: Gavin Andresen; +Cc: Bitcoin Dev


>
> This adds initial support for three new types of transactions:
> (a and b)
> (a or b)
> (a and b) or c
>

Does this mean dispute mediation (2-of-3) will not be supported? I thought
the plan was also to allow CHECKMULTISIG for smallish numbers of keys.


* Re: [Bitcoin-development] Multisignature transactions
  2011-09-30 16:25 ` Mike Hearn
@ 2011-09-30 16:32   ` Gregory Maxwell
  2011-09-30 17:21     ` Gavin Andresen
  0 siblings, 1 reply; 6+ messages in thread
From: Gregory Maxwell @ 2011-09-30 16:32 UTC (permalink / raw)
  To: Mike Hearn; +Cc: Bitcoin Dev

On Fri, Sep 30, 2011 at 12:25 PM, Mike Hearn <mike@plan99.net> wrote:
>> This adds initial support for three new types of transactions:
>> (a and b)
>> (a or b)
>> (a and b) or c
>
> Does this mean dispute mediation (2-of-3) will not be supported? I thought
> the plan was also to allow CHECKMULTISIG for smallish numbers of keys.

The ease of omitting useful cases is why I was strongly supporting the
full RPN boolean validation, even though it's harder to get good
testing confidence.




* Re: [Bitcoin-development] Multisignature transactions
  2011-09-30 16:32   ` Gregory Maxwell
@ 2011-09-30 17:21     ` Gavin Andresen
       [not found]       ` <CAAS2fgRRws5iG_oirKbgmyySZMZ4tzOC2Nq_12psqeuSH4GyDg@mail.gmail.com>
  0 siblings, 1 reply; 6+ messages in thread
From: Gavin Andresen @ 2011-09-30 17:21 UTC (permalink / raw)
  To: Gregory Maxwell; +Cc: Bitcoin Dev

>> Does this mean dispute mediation (2-of-3) will not be supported?

Not with this PULL-- I think wallet security and backup is a critical
feature, so that is what this is for.

> I thought the plan was also to allow CHECKMULTISIG for smallish numbers of keys.

groffer pointed out that might cause problems when transaction volume
ramps up, because each CHECKMULTISIG counts as 20 sigops, and there is
a limit to the number of sigops you can put into a block. And since it
isn't needed for wallet security and backup I dropped it.

Accepting this does not preclude adding more 'standard' transaction
types in the future.

-- 
--
Gavin Andresen




* Re: [Bitcoin-development] Multisignature transactions
       [not found]       ` <CAAS2fgRRws5iG_oirKbgmyySZMZ4tzOC2Nq_12psqeuSH4GyDg@mail.gmail.com>
@ 2011-09-30 17:29         ` Gregory Maxwell
  2011-09-30 17:57           ` Gavin Andresen
  0 siblings, 1 reply; 6+ messages in thread
From: Gregory Maxwell @ 2011-09-30 17:29 UTC (permalink / raw)
  To: bitcoin-development

On Fri, Sep 30, 2011 at 1:21 PM, Gavin Andresen <gavinandresen@gmail.com> wrote:
> Accepting this does not preclude adding more 'standard' transaction
> types in the future.

I think 2 of 3 is a _far_ more useful example than (a or b): it is
the prototype for a normal escrow transaction, and still only results
in three addresses and at most two signatures like the (A and B) or C
case.

You can also replicate the functionality of (a or b) in a hackish and
inefficient sort of way with two of three by simply using a publicly
known key as one of the roles.




* Re: [Bitcoin-development] Multisignature transactions
  2011-09-30 17:29         ` Gregory Maxwell
@ 2011-09-30 17:57           ` Gavin Andresen
  0 siblings, 0 replies; 6+ messages in thread
From: Gavin Andresen @ 2011-09-30 17:57 UTC (permalink / raw)
  To: Gregory Maxwell, Bitcoin Dev

RE: 2 of 3 being far more useful:

So create a clean pull request, unit tests, and test plan for an
"IsStandard" 2-of-3 transaction, either using CHECKMULTISIG or
groffer's proposal:

0
OVER 2SWAP CHECKSIG SWAP HASH160 {pk1hash} EQUAL BOOLAND ADD
OVER 2SWAP CHECKSIG SWAP HASH160 {pk2hash} EQUAL BOOLAND ADD
OVER 2SWAP CHECKSIG SWAP HASH160 {pk3hash} EQUAL BOOLAND ADD
2 GREATERTHANOREQUAL

The low-level support is relatively easy, reporting these transactions
in listtransactions and figuring out if or how to report them in your
wallet balance is tricky.

I generated and then spent three multisig transactions on testnet:
 http://blockexplorer.com/testnet/block/0000000000cfe382f690777e3b52ea255717122465db6fcfd80efdf2d0080d8b

Code I used to send them is:
 https://github.com/gavinandresen/bitcoin-git/tree/multisig_testing
(that code is NOT intended for mainline bitcoin, I just needed a way
of testing the new transactions).

-- 
--
Gavin Andresen



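An added example, not code from the thread or from Bitcoin: a minimal stack machine for just the opcodes in groffer's 2-of-3 script quoted above, used to trace how the script tallies valid signatures, together with the legacy sig-op accounting from Gavin's earlier reply (each CHECKMULTISIG counted as 20 sigops). Assumptions and stand-ins: the scriptSig is taken to push three (signature, pubkey) pairs in key order, with a dummy signature marking a non-signer; CHECKSIG is modelled by a toy HMAC check in which the "pubkey" doubles as the HMAC key (a placeholder for ECDSA, not a signature scheme); HASH160 is modelled as SHA-256 truncated to 20 bytes because some hashlib builds lack ripemd160. Neither stand-in changes the stack manipulation being traced.

```python
"""Added example, not code from the thread or from Bitcoin: a minimal stack
machine for the opcodes in groffer's 2-of-3 script, plus the legacy sig-op
accounting that made CHECKMULTISIG expensive (20 sigops each).

Stand-ins (assumptions): the scriptSig pushes three (signature, pubkey)
pairs, a dummy signature marking a non-signer; CHECKSIG is a toy HMAC check
where the 'pubkey' doubles as the HMAC key (NOT a real signature scheme);
HASH160 is SHA-256 truncated to 20 bytes (hashlib may lack ripemd160)."""
import hashlib
import hmac

MSG = b"constructed transaction digest"   # what every signature commits to


def toy_sign(pubkey):                     # stand-in for ECDSA signing
    return hmac.new(pubkey, MSG, "sha256").digest()


def toy_checksig(sig, pubkey):            # stand-in for ECDSA verification
    return hmac.compare_digest(sig, toy_sign(pubkey))


def hash160(data):                        # stand-in for RIPEMD160(SHA256(x))
    return hashlib.sha256(data).digest()[:20]


def run_script(script, stack, checksig=toy_checksig):
    """Execute `script` (bytes/int pushes and opcode names) against `stack`."""
    pop = stack.pop
    for op in script:
        if isinstance(op, (bytes, int)):        # data push / small number
            stack.append(op)
        elif op == "OVER":                      # x1 x2 -> x1 x2 x1
            stack.append(stack[-2])
        elif op == "2SWAP":                     # x1 x2 x3 x4 -> x3 x4 x1 x2
            stack[-4:] = stack[-2:] + stack[-4:-2]
        elif op == "SWAP":                      # x1 x2 -> x2 x1
            stack[-2:] = stack[-1:] + stack[-2:-1]
        elif op == "CHECKSIG":                  # sig pubkey -> 0/1
            pubkey, sig = pop(), pop()
            stack.append(int(checksig(sig, pubkey)))
        elif op == "HASH160":
            stack.append(hash160(pop()))
        elif op == "EQUAL":
            stack.append(int(pop() == pop()))
        elif op == "BOOLAND":
            b, a = pop(), pop()
            stack.append(int(bool(a) and bool(b)))
        elif op == "ADD":
            b, a = pop(), pop()
            stack.append(a + b)
        elif op == "GREATERTHANOREQUAL":
            b, a = pop(), pop()
            stack.append(int(a >= b))
        else:
            raise ValueError("opcode not modelled: %r" % (op,))
    return stack


def two_of_three_script(pkhashes):
    """groffer's scriptPubKey: a running count starts at 0; each round
    consumes the (sig, pubkey) pair on top of the stack and adds 1 only if
    the signature verifies AND the pubkey hashes to this round's hash; the
    final comparison requires a count of at least 2."""
    script = [0]
    for h in pkhashes:
        script += ["OVER", "2SWAP", "CHECKSIG", "SWAP", "HASH160", h,
                   "EQUAL", "BOOLAND", "ADD"]
    return script + [2, "GREATERTHANOREQUAL"]


def legacy_sigop_count(script):
    """Block sig-op accounting of the time: CHECKSIG(VERIFY) counts 1,
    CHECKMULTISIG(VERIFY) counts 20 whatever the key count, against a
    per-block budget of 20000."""
    return sum(1 if op in ("CHECKSIG", "CHECKSIGVERIFY") else
               20 if op in ("CHECKMULTISIG", "CHECKMULTISIGVERIFY") else 0
               for op in script)


def demo():
    keys = [b"constructed pubkey %d" % i for i in (1, 2, 3)]
    script = two_of_three_script([hash160(k) for k in keys])
    sigs = [toy_sign(k) for k in keys]
    junk = b""                                # dummy signature for a non-signer

    def spend(pairs):
        stack = []
        for sig, pk in reversed(pairs):       # pair 1 ends on top: checked first
            stack += [sig, pk]
        return bool(run_script(script, stack)[-1])

    return {
        "keys 1 and 3 sign": spend([(sigs[0], keys[0]), (junk, keys[1]), (sigs[2], keys[2])]),
        "only key 2 signs": spend([(junk, keys[0]), (sigs[1], keys[1]), (junk, keys[2])]),
        "key 1 reused in slot 2": spend([(sigs[0], keys[0]), (sigs[0], keys[0]), (junk, keys[2])]),
        "sigops groffer": legacy_sigop_count(script),
        "sigops CHECKMULTISIG": legacy_sigop_count([2] + keys + [3, "CHECKMULTISIG"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-25s %s" % (k, v))
```

Tracing one round shows why the hash check sits beside the signature check: OVER and 2SWAP move the running count below the pair being examined, CHECKSIG consumes the pair, and the BOOLAND with the HASH160 comparison ties that signature to one fixed slot, so a valid signature presented under the wrong slot, or the same key reused in two slots, adds nothing. Under the sig-op rule Gavin mentions, the three CHECKSIGs cost 3 sigops where a single CHECKMULTISIG would cost 20.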

Thread overview:
2011-09-29 16:07 [Bitcoin-development] Multisignature transactions Gavin Andresen
2011-09-30 16:25 ` Mike Hearn
2011-09-30 16:32   ` Gregory Maxwell
2011-09-30 17:21     ` Gavin Andresen
     [not found]       ` <CAAS2fgRRws5iG_oirKbgmyySZMZ4tzOC2Nq_12psqeuSH4GyDg@mail.gmail.com>
2011-09-30 17:29         ` Gregory Maxwell
2011-09-30 17:57           ` Gavin Andresen
