public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Gavin Andresen <gavinandresen@gmail.com>
To: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: [Bitcoin-development] Multisignature transations
Date: Thu, 29 Sep 2011 12:07:41 -0400	[thread overview]
Message-ID: <CABsx9T2QzafV-uzn7yL01gs2mrzLaP0FCgjt_O--Ldw+s-Xm9w@mail.gmail.com> (raw)

Design discussion:  https://gist.github.com/39158239e36f6af69d6f
Pull request:  https://github.com/bitcoin/bitcoin/pull/541

Initial support for multisignature transactions

This adds initial support for three new types of transactions:
(a and b)
(a or b)
(a and b) or c

... where a/b/c are keys. These new transaction types will enable
better wallet security and backup in future versions of bitcoin.

I've taken a conservative approach with this initial pull; the new
transaction types will be relayed and included in blocks, but are
ignored by the wallet code, so will not affect the balance and will
never be considered available to spend. I'm going to start a
discussion on bitcoin-dev to do a bit of a brain-dump on what NOT to
do with multi-signature transactions (there are several potential
attacks that we'll need to be careful to avoid).

I'll be creating a multisig_testing branch in the gavinandresen github
fork that WILL add multisig transactions to the balance, will have a
new RPC call to create multisig transactions, and will be able to
spend the multisig transactions; that will be for testing this PULL
only for now.
=======================

Here's the discussion of potential attacks that occurred to me while I
was working on this:

+ Attacker has an account and a funding address/key ("a") at a
shared-wallet service.  Attacker also has their own address/key ("b").
+ They send 100 bitcoins that can be spent by (a or b).  Note that the
shared-wallet service can't stop the attacker from doing that.

IF the shared-wallet service credits their account (because "a" can
spend the coins), then Bad Things might happen:

+ The shared-wallet service probably assumes that it controls all the
keys in its wallet, and the only time coins in its wallet will be
spent will be when it issues a send* RPC command. But the attacker can
spend using "b" anytime they like.

+ If the shared-wallet service allows importing of keys then the
attacker might be able to get double-credit by importing "b"
(depending on what the 'import private key' code does).

The pull I've submitted doesn't have any of those issues because
multisignature transactions are not credited / added to the wallet.

Going forward, I think the right thing to do is only add
multisignature transactions to the wallet's balance (and make them
available to spend) if the public half of ALL of the keys involved are
known to the wallet.  The private half of the key may not be in the
wallet (maybe it is on another device or maybe it is a deterministic
backup master key protected by a passphrase), but the public key must
be known and in the wallet.


I'd really like to get this into the 0.5 release because it will
enable much better wallet security and backup in some future release
or alternative client (but these transaction types need to be relayed
and mined BEFORE then to make that possible).

-- 
--
Gavin Andresen



             reply	other threads:[~2011-09-29 16:08 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-09-29 16:07 Gavin Andresen [this message]
2011-09-30 16:25 ` [Bitcoin-development] Multisignature transations Mike Hearn
2011-09-30 16:32   ` Gregory Maxwell
2011-09-30 17:21     ` Gavin Andresen
     [not found]       ` <CAAS2fgRRws5iG_oirKbgmyySZMZ4tzOC2Nq_12psqeuSH4GyDg@mail.gmail.com>
2011-09-30 17:29         ` Gregory Maxwell
2011-09-30 17:57           ` Gavin Andresen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CABsx9T2QzafV-uzn7yL01gs2mrzLaP0FCgjt_O--Ldw+s-Xm9w@mail.gmail.com \
    --to=gavinandresen@gmail.com \
    --cc=bitcoin-development@lists.sourceforge.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox