đź“… Original date posted:2011-06-22
🗒️ Summary of this message: Satoshi gave little information on implementing MULTISIG transactions. Custom logic is better than hard-coding new standard script templates. A new type of bitcoin payment address may be needed for triggering such transactions via the UI. Establishing a higher level protocol would be needed for triggering such transactions. The 2-of-2 case is most interesting for merchants and exchanges.
đź“ť Original message:> Mike: Â Did Satoshi ever tell you what he was thinking for the best way
> to implement MULTISIG transactions?
He didn't. Satoshi told me very little unfortunately. What he did tell
me, I've written up about half of it. I still have high frequency
trading and some details of obscure SIGHASH types to go, but I wanted
to find examples to illustrate them first as Satoshi only gave the
vaguest of outlines.
> I'm wondering if hard-coding new standard script templates in
> script.cpp Solver():
CHECKMULTISIG allows up to 20 keys, I think. So it'd probably be
better to just have a bit of custom logic that checks if the script is
of the right form.
> ... would be the right approach to support 1/2 of 2 and 1/2/3 of 3
> signatures. Â It'd be nice if there were generic
> OP_N << OP_PUBKEY_N << OP_N Â ... template matching opcodes, but there aren't.
I suppose they could be added if need be. Template matching opcodes
might come in useful later when clients only want to download
transactions of interest to them.
> I'm also wondering if it makes sense to just support 2-of-2 (for
> validate-on-multiple-devices) and 2-of-3 (for escrow) for now.
Given the costs involved with adding new transaction types, I'd go for
allowing any number of signatures up to the max.
> I think all of these could use a new type of bitcoin payment address;
> it might make sense for THAT to be generic, maybe containing:
> Â version byte
> Â m
> Â n
> Â hash of xor of all n public keys
> Â checksum
I don't understand what this is for. For triggering such a transaction
via the UI, I think establishing a higher level protocol would be
needed. It's a separate step.
For instance, it's not safe to use escrow until you've checked that
the escrow key is owned by who you think it is. Otherwise a buyer
could give you a 2-of-3 transaction where they own both keys. So there
needs to be some kind of protocol (probably HTTP based) where the
buyer communicates to the merchant a list of acceptable escrow
agencies, the merchant intersects with the list of agencies it
accepts, there needs to be a way to request a pubkey from a remote
domain, one side needs to be able to challenge that domain with a
nonce, etc. It's quite complicated and would need to be specced out
independently of supporting multipay transactions.
> I'm most interested in the 2-of-2 case; I think merchants and
> exchanges need bitcoin deposit/payment addresses that they can make
> secure by requiring a 2-step signature process for spending those
> funds.
Yes it's one way to achieve security. Having BitBanks that store your
coins and require you to verify tx acceptance with an external device
is even stronger, because that external device can be guaranteed
virus/clone-proof. Some banks do this today for wire transfers (they
implicitly assume you get the wire details out of band or that no
virus can rewrite wiring instructions to point somewhere else).
But it'll be a while yet before any such company arises. Until then
2-of-2 transactions are probably a good halfway point.
Mike Hearn [ARCHIVE] /
npub17t…4qgyd
2023-06-07 01:20:47
in reply to nevent1q…atrd
Author Public Key
npub17ty4mumkv43w8wtt0xsz2jypck0gvw0j8xrcg6tpea25z2nh7meqf4qgydPublished at
2023-06-07 01:20:47Event JSON
{
"id": "be87ce040bfd413090cc17d651dc16184e1ec5af3c9d7088b075f0410ae99495",
"pubkey": "f2c95df3766562e3b96b79a0254881c59e8639f23987846961cf55412a77f6f2",
"created_at": 1686100847,
"kind": 1,
"tags": [
[
"e",
"612f4757c0c09c2f3ac4514e7e313d4f65cedff61756b948c8a32794951343ac",
"",
"root"
],
[
"e",
"38bfed65b38dccf25b253725485b808459ee70e385494a768334e3e2b8e23f7d",
"",
"reply"
],
[
"p",
"857f2f78dc1639e711f5ea703a9fc978e22ebd279abdea1861b7daa833512ee4"
]
],
"content": "📅 Original date posted:2011-06-22\n🗒️ Summary of this message: Satoshi gave little information on implementing MULTISIG transactions. Custom logic is better than hard-coding new standard script templates. A new type of bitcoin payment address may be needed for triggering such transactions via the UI. Establishing a higher level protocol would be needed for triggering such transactions. The 2-of-2 case is most interesting for merchants and exchanges.\n📝 Original message:\u003e Mike:  Did Satoshi ever tell you what he was thinking for the best way\n\u003e to implement MULTISIG transactions?\n\nHe didn't. Satoshi told me very little unfortunately. What he did tell\nme, I've written up about half of it. I still have high frequency\ntrading and some details of obscure SIGHASH types to go, but I wanted\nto find examples to illustrate them first as Satoshi only gave the\nvaguest of outlines.\n\n\u003e I'm wondering if hard-coding new standard script templates in\n\u003e script.cpp Solver():\n\nCHECKMULTISIG allows up to 20 keys, I think. So it'd probably be\nbetter to just have a bit of custom logic that checks if the script is\nof the right form.\n\n\u003e ... would be the right approach to support 1/2 of 2 and 1/2/3 of 3\n\u003e signatures.  It'd be nice if there were generic\n\u003e OP_N \u003c\u003c OP_PUBKEY_N \u003c\u003c OP_N  ... template matching opcodes, but there aren't.\n\nI suppose they could be added if need be. Template matching opcodes\nmight come in useful later when clients only want to download\ntransactions of interest to them.\n\n\u003e I'm also wondering if it makes sense to just support 2-of-2 (for\n\u003e validate-on-multiple-devices) and 2-of-3 (for escrow) for now.\n\nGiven the costs involved with adding new transaction types, I'd go for\nallowing any number of signatures up to the max.\n\n\u003e I think all of these could use a new type of bitcoin payment address;\n\u003e it might make sense for THAT to be generic, maybe containing:\n\u003e  version byte\n\u003e  m\n\u003e  n\n\u003e  hash of xor of all n public keys\n\u003e  checksum\n\nI don't understand what this is for. For triggering such a transaction\nvia the UI, I think establishing a higher level protocol would be\nneeded. It's a separate step.\n\nFor instance, it's not safe to use escrow until you've checked that\nthe escrow key is owned by who you think it is. Otherwise a buyer\ncould give you a 2-of-3 transaction where they own both keys. So there\nneeds to be some kind of protocol (probably HTTP based) where the\nbuyer communicates to the merchant a list of acceptable escrow\nagencies, the merchant intersects with the list of agencies it\naccepts, there needs to be a way to request a pubkey from a remote\ndomain, one side needs to be able to challenge that domain with a\nnonce, etc. It's quite complicated and would need to be specced out\nindependently of supporting multipay transactions.\n\n\u003e I'm most interested in the 2-of-2 case; I think merchants and\n\u003e exchanges need bitcoin deposit/payment addresses that they can make\n\u003e secure by requiring a 2-step signature process for spending those\n\u003e funds.\n\nYes it's one way to achieve security. Having BitBanks that store your\ncoins and require you to verify tx acceptance with an external device\nis even stronger, because that external device can be guaranteed\nvirus/clone-proof. Some banks do this today for wire transfers (they\nimplicitly assume you get the wire details out of band or that no\nvirus can rewrite wiring instructions to point somewhere else).\n\nBut it'll be a while yet before any such company arises. Until then\n2-of-2 transactions are probably a good halfway point.",
"sig": "fc2cb9279cbd9e82a9c4b9920fab3ee376998212b80ad615767f9468eb2559923f22619b74744cc3062cc47463a7e7c4326187662843eb471f99a3fcd732a9b7"
}