Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: hashman on November 08, 2012, 11:12:39 PM



Title: Multisig implementation / proof of private key ownership question
Post by: hashman on November 08, 2012, 11:12:39 PM

Suppose you create an 8 of 10 multisig address and send a coin to it.

Can you now:

With any 8 of the 10 private keys digitally sign some text as proof of ownership?
What public key(s) need to be made public to do so?

Can you prove you have just one of these 10 keys? 

OK leaving the current BIP as I understand it for now, is there some way a number of keys (say 20) could go into a signature in such a way that the 20 key holders do not know if theirs was one of the 8 ones which make the signature valid for the ownership of the coin? 



Title: Re: Multisig implementation / proof of private key ownership question
Post by: casascius on November 08, 2012, 11:21:08 PM
I think if you were to sign a message, you'd just be generating 8 signatures.  Multisig would work the same way, you actually need 8 signatures to unlock funds.  The signatures themselves aren't combined in any way.

As I understand it, if you have a valid signature and the message you're signing (specifically its hash), you can derive the public key and the bitcoin address from just those two things.  The public key ends up being an artifact of the signature checking process, and by hashing that, you have the bitcoin address.

Scaled to "multisig", if you have 8 signatures signing the same message with different keys, you can derive the 8 public keys, one per signature.  Multisig has nothing to do with it - Bitcoin has no facility for validating signatures other than one at a time - so the closest you'd get is to manually check 8 signatures and then confirm that the 8 public key hashes were the same as the multisig transaction you're interested in.
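
The mechanism casascius describes (sign a message with each key separately, then derive the signer's public key from the signature and message hash) is worked through below as an added example; this is not code from the thread or from Bitcoin itself. It uses the Bitcoin "signmessage" framing and the 65-byte recoverable signature format (header byte 27 + recovery id, +4 for a compressed key), with a pure-Python secp256k1 that is for illustration only (not constant-time, no production hardening). The ten private keys are constructed from a fixed string and are not real keys; the nonce derivation is a simplified HMAC stand-in for RFC 6979, and `count_proven` is a hypothetical helper that tallies how many member keys of a multisig set have been demonstrated, which is the manual "check 8 signatures, compare 8 public keys" step the post outlines.

```python
import base64
import hashlib
import hmac

# secp256k1 domain parameters: field prime, group order, generator.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 mod P; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time: demo only)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result

def compress(point):
    """33-byte compressed SEC encoding: 0x02/0x03 parity prefix plus x."""
    return bytes([2 + (point[1] & 1)]) + point[0].to_bytes(32, "big")

def message_hash(msg):
    """Bitcoin signmessage framing: magic prefix, varint length, double SHA256."""
    assert len(msg) < 0xFD, "longer varints omitted in this demo"
    framed = b"\x18Bitcoin Signed Message:\n" + bytes([len(msg)]) + msg
    return int.from_bytes(hashlib.sha256(hashlib.sha256(framed).digest()).digest(), "big")

def sign_message(priv, msg):
    """Return a base64 65-byte recoverable signature (header || r || s) over msg."""
    z = message_hash(msg)
    # Deterministic nonce from HMAC(priv, z): a simplified stand-in for RFC 6979.
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), z.to_bytes(32, "big"), "sha256").digest(), "big") % N
    rx, ry = ec_mul(k, G)
    r = rx % N
    s = pow(k, -1, N) * (z + r * priv) % N
    recid = (ry & 1) | (2 if rx >= N else 0)
    if s > N // 2:  # canonical low-S; negating s mirrors R, so flip its parity bit
        s = N - s
        recid ^= 1
    header = 27 + 4 + recid  # +4 marks a compressed public key
    return base64.b64encode(bytes([header]) + r.to_bytes(32, "big") + s.to_bytes(32, "big")).decode()

def recover_pubkey(sig_b64, msg):
    """Derive the signer's compressed public key from the signature and message alone."""
    raw = base64.b64decode(sig_b64)
    if len(raw) != 65 or not 27 <= raw[0] <= 34:
        raise ValueError("malformed signature")
    recid = (raw[0] - 27) & 3
    r, s = int.from_bytes(raw[1:33], "big"), int.from_bytes(raw[33:65], "big")
    if not (1 <= r < N and 1 <= s < N):
        raise ValueError("r or s out of range")
    x = r + N * (recid >> 1)
    if x >= P:
        raise ValueError("invalid recovery id")
    y = pow((x ** 3 + 7) % P, (P + 1) // 4, P)  # modular sqrt, valid because P % 4 == 3
    if (y * y - x ** 3 - 7) % P != 0:
        raise ValueError("no curve point at r")
    if (y & 1) != (recid & 1):
        y = P - y
    z, r_inv = message_hash(msg), pow(r, -1, N)
    # Q = r^-1 * (s*R - z*G): the only public key consistent with r, s and z.
    q = ec_add(ec_mul(s * r_inv % N, (x, y)), ec_mul((N - z % N) * r_inv % N, G))
    if q is None:
        raise ValueError("recovered point at infinity")
    return compress(q)

def count_proven(signatures, msg, multisig_pubkeys):
    """Number of distinct multisig member keys demonstrated by valid signatures."""
    recovered = {recover_pubkey(sig, msg) for sig in signatures}
    return len(recovered & set(multisig_pubkeys))

# Constructed demo set: ten private keys for an imaginary 8-of-10 address (not real keys).
DEMO_PRIVS = [int.from_bytes(hashlib.sha256(b"demo key %d" % i).digest(), "big") % N for i in range(10)]
DEMO_PUBKEYS = [compress(ec_mul(d, G)) for d in DEMO_PRIVS]

if __name__ == "__main__":
    msg = b"I control this address: 2012-11-09"
    sigs = [sign_message(d, msg) for d in DEMO_PRIVS[:8]]
    print("keys proven:", count_proven(sigs, msg, DEMO_PUBKEYS))  # 8
```

Two things the code makes concrete: nothing about the eight signatures is combined, each one independently yields one public key, and the verifier never needs the public keys up front, since hashing each recovered key gives the address (or, for a multisig, the key that must appear in the redeem script). The check also binds the signature to the exact message: recovering against a different message yields an unrelated key, which is what stops a signature made for one statement being replayed as proof of another.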


Title: Re: Multisig implementation / proof of private key ownership question
Post by: MatthewLM on November 08, 2012, 11:58:58 PM
Isn't the only standard multi-sig implementation the P2SH one? In that case you'd provide the script that corresponds to the P2SH hash and then you can take any of the public keys from that script and prove you own the private keys to them. And indeed in this case you need to provide all of the public keys but only make signatures for 8 keys to show you can redeem coins.


Title: Re: Multisig implementation / proof of private key ownership question
Post by: casascius on November 09, 2012, 12:30:20 AM
P2SH isn't multisig.  P2SH is a kind of multisig transaction, and simple multisig has existed longer than P2SH.  P2SH allows the redemption script to be provided by the person redeeming the funds rather than the person spending them.  The advantage is related to the fact that multisig generally offers security benefits to the recipient of a transfer, not the sender, and the person sending the money is usually not the person in a position to know what the script should be.  The P2SH sending address encodes a hash of the redemption script rather than the script itself, so the resulting address is similar in length to a normal bitcoin address, rather than potentially being miles long.


Title: Re: Multisig implementation / proof of private key ownership question
Post by: MatthewLM on November 09, 2012, 12:38:40 AM
Looks like you are right: https://en.bitcoin.it/wiki/BIP_0011

Though P2SH does include the multi-signature transactions.


Title: Re: Multisig implementation / proof of private key ownership question
Post by: kjj on November 09, 2012, 02:05:00 PM

Suppose you create an 8 of 10 multisig address and send a coin to it.

Can you now:

With any 8 of the 10 private keys digitally sign some text as proof of ownership?
What public key(s) need to be made public to do so?

Can you prove you have just one of these 10 keys? 

OK leaving the current BIP as I understand it for now, is there some way a number of keys (say 20) could go into a signature in such a way that the 20 key holders do not know if theirs was one of the 8 ones which make the signature valid for the ownership of the coin? 

There are two ways to do multisig right now, Conventional and P2SH.

In a conventional multisig, you provide a list of public keys and a count of how many signatures are required for the transaction.  As soon as you transmit that transaction, the entire network knows the list of public keys.

In P2SH, you create that list, but you don't send it to the network.  You hash it, and send that hash instead.  Now the entire network knows that there is a transaction, and they will be able to verify that the right keys are signing it later, but until that transaction is redeemed, they won't know what any of the keys are.

All of the public keys are revealed at the same time.  If you want to prove ownership of a P2SH transaction without redeeming it, you can provide the script and people can verify the hash.  Obviously, you'd need to provide the whole script for that, and that would have all of the public keys in it.

You can sign arbitrary messages using any/all of the private keys, and people would be able to confirm that you did indeed possess whichever keys you used in this way.  How many of them you'd need to use to convince them is up to them.  1 would prove that you are involved.  8 would prove capability of spending.  10 should strongly suggest that you created it in the first place.
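
The P2SH flow that MatthewLM and kjj describe (the network sees only a hash; revealing the full redeem script later lets anyone recompute that hash and read off every member public key) is shown below as an added example, not code from the thread or from Bitcoin Core. It builds a canonical 8-of-10 `OP_8 <pubkeys> OP_10 OP_CHECKMULTISIG` redeem script, commits to its HASH160 in a mainnet P2SH address (version byte 0x05) and in the `OP_HASH160 <hash> OP_EQUAL` output script, then verifies a revealed script against the address and parses the keys back out. The ten public keys are constructed 33-byte placeholders (prefix 0x02 plus a SHA-256 digest), not real curve points; the script hash does not care, but a real wallet would use genuine compressed keys. `verify_revealed_script` and `parse_multisig_redeem_script` are hypothetical helper names chosen here.

```python
import hashlib

OP_CHECKMULTISIG = 0xAE
P2SH_VERSION = b"\x05"  # mainnet pay-to-script-hash address version byte
ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def op_n(n):
    """Small-integer opcode OP_1..OP_16 (OP_1 is 0x51)."""
    assert 1 <= n <= 16
    return bytes([0x50 + n])

def push(data):
    """Direct data push for 1..75 bytes, enough for 33- or 65-byte public keys."""
    assert 1 <= len(data) <= 75
    return bytes([len(data)]) + data

def multisig_redeem_script(m, pubkeys):
    """OP_m <pubkey>... OP_n OP_CHECKMULTISIG: the script whose hash the address commits to."""
    assert 1 <= m <= len(pubkeys) <= 16
    return op_n(m) + b"".join(push(pk) for pk in pubkeys) + op_n(len(pubkeys)) + bytes([OP_CHECKMULTISIG])

def parse_multisig_redeem_script(script):
    """Recover (m, [pubkeys], n) from a revealed redeem script."""
    m, i, keys = script[0] - 0x50, 1, []
    while script[i] <= 75:  # data pushes until the OP_n count opcode
        keys.append(bytes(script[i + 1:i + 1 + script[i]]))
        i += 1 + script[i]
    n = script[i] - 0x50
    if script[i + 1:] != bytes([OP_CHECKMULTISIG]) or n != len(keys) or not 1 <= m <= n:
        raise ValueError("not a canonical m-of-n CHECKMULTISIG script")
    return m, keys, n

def hash160(data):
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()

def checksum(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

def base58check_encode(version, payload):
    raw = version + payload
    raw += checksum(raw)
    num, out = int.from_bytes(raw, "big"), bytearray()
    while num:
        num, rem = divmod(num, 58)
        out.append(ALPHABET[rem])
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes encode as '1'
    return "1" * pad + out[::-1].decode()

def base58check_decode(addr):
    """Return (version, payload) or raise on a corrupted address."""
    num = 0
    for ch in addr.encode():
        num = num * 58 + ALPHABET.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + num.to_bytes((num.bit_length() + 7) // 8, "big")
    if len(raw) < 5 or checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("bad base58check checksum")
    return raw[:1], raw[1:-4]

def p2sh_address(redeem_script):
    return base58check_encode(P2SH_VERSION, hash160(redeem_script))

def p2sh_script_pubkey(redeem_script):
    """What the funding output actually carries: OP_HASH160 <20 bytes> OP_EQUAL."""
    return b"\xa9\x14" + hash160(redeem_script) + b"\x87"

def verify_revealed_script(address, redeem_script):
    """Check that a script someone hands you is the one the address commits to."""
    version, script_hash = base58check_decode(address)
    return version == P2SH_VERSION and script_hash == hash160(redeem_script)

# Constructed placeholders for ten compressed public keys (33 bytes each, not real curve points).
DEMO_PUBKEYS = [b"\x02" + hashlib.sha256(b"demo pubkey %d" % i).digest() for i in range(10)]
DEMO_SCRIPT = multisig_redeem_script(8, DEMO_PUBKEYS)

if __name__ == "__main__":
    addr = p2sh_address(DEMO_SCRIPT)
    print("8-of-10 P2SH address:", addr)
    print("scriptPubKey:", p2sh_script_pubkey(DEMO_SCRIPT).hex())
    print("revealed script matches:", verify_revealed_script(addr, DEMO_SCRIPT))  # True
```

The 343-byte redeem script collapses to a 20-byte hash on chain, which is why the address stays 34 characters regardless of how many keys sit behind it; the flip side, as kjj notes, is that proving anything about the address by revealing the script discloses all ten keys at once, and a script that differs by even one opcode (7-of-10 instead of 8-of-10) fails the check. Note that `hashlib.new("ripemd160")` depends on the OpenSSL build behind Python; on a build without it, HASH160 needs a separate RIPEMD-160 implementation.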


Title: Re: Multisig implementation / proof of private key ownership question
Post by: jgarzik on November 09, 2012, 08:29:57 PM
Isn't the only standard multi-sig implementation the P2SH one?

Multi-sig and P2SH are two totally different things.

P2SH requires a script -- any script, containing CHECKMULTISIG or not -- to redeem.

Multi-sig scripts may appear in non-P2SH transactions.

P2SH is a layer on top of scripts, essentially.