Holy moly that was easy!  All I had to do was modify one call to compute the balance and utxoList differently if Coin Control was selected, and it seems to work flawlessly!  It treats your coin-selection as if it was your wallet, yet the dialog pretty clearly identifies that you are in CC mode.

If anyone in Linux or OSX wants to try it right now, you can do so by checking out the "coincontrol" branch.  You don't even need to recompile (well, you do if you haven't upgraded to 0.85 yet).   It is only available under "Expert" usermode.  I recommend running it in the terminal, so that you can see the output when you hit the "Send" button.  It will dump the coin-selection to the terminal so you can verify that the selection was made correctly.  Alternatively, you can click "Create Unsigned Transaction", copy the tx to the clipboard, then re-enter it on the next window and then "Click here for more information about this transaction."

Test this thing!  Tell me if something doesn't work or if it's missing something.  If it's stable enough, I'll make it official ASAP.  There's been so much demand for it over the past year, that I think it deserves its own release!

Yeah, thanks for the PM, but I'm actually quite fond of the 10.04 theme, so I don't really have any incentive to switch.  But thanks for the offer.

Got a few more things to work out before it actually works.  But so far, it's going much faster than I expected...

Amazing!  Now that I have all this experience with PyQt and a super-versatile library under-the-hood, making the interface was not hard at all!  How's it look? 



That's purely the interface, showing you all non-zero-balance addresses, and updating the send-BTC dialog to show you the result of your selection.  It doesn't actually work yet (it still selects from all addr).  Getting that part working is my project for after dinner...

...and then people set up fake merchant identities and countless fake customer identities, and bump up their own trust ratings as high as they want before each scam.  The best way to prevent this from happening is to elect third parties that are trusted by lots of people, to check identities before letting them into the system... oh wait, I just described the CA system...

The CA system isn't perfect, but those who succeed in breaking it are usually high profile (like Mike Hearn was saying: state-sponsored, etc), and they're not going to waste their time stealing the $42 I paid BitBrew for some coffee.  But using self-signed certificates, anyone in the coffee shop with me can MitM me if they, perhaps, set up their system with the same SSID and I mistakenly connect through them when making my purchase.

Anything that is big enough to be worth stealing on a massive scale is usually done through direct merchant-customer interaction -- you don't usually buy a $17,000 car on the internet with your credit card... such large transactions usually use a second-level (or more-reliable) form of authentication beyond CAs.  For "regular"-sized purchases, it makes complete sense to piggyback off of a "complete" system that is already in place, for which everyone who's ever bought anything on the internet is already capable of using.

One good thing about Bitcoin is that there is not something like a credit card number to steal.  The worst someone can do is redirect a given transaction, but nothing like getting your CC number and draining your available credit, leaving you to spend hours on the phone with credit agencies trying to restore your "trust."  Therefore, a passive eavesdropper who is able to decrypt the payment stream cannot directly benefit like they would with credit card transactions:  with CC, they decrypt and steal databases of CC numbers and sell them on the black market (probably with BTC).  But getting a database of past transactions executed in this way (via BTC) does not offer the attacker anything.  

The answer is:  it makes MitM attacks dramatically more difficult to execute by an arbitrary attacker.  Self-signed certificates are useless against MitM attacks.  I consider that a huge benefit for an irreversible payment system, even if it's not 100%.

Then, I guess we might as well start using http:// for credit cards transactions and email now.  Since there's no value added by the CA system...

If you are doing things that require ultimate security, at the risk of millions of dollars, I agree with you.  But for sending $23 over the internet to pay for your water bill, it does exactly what it is supposed to do.

Just because there have been security breaches, doesn't mean that the system is useless.  While the system could be improved, the alternatives are terrible.  If you don't use an established system, then you need to build up a whole new "web of trust", and users and merchants will be doing a lot of work, outside an established system, just to accommodate this use case (Bitcoin payments).

If what you suggest is true, then credit card payments on the internet are a joke, too.  Really, it's not quite black and white like that...

I too, felt uncomfortable about using the CA system.  It feels like a psuedo-centralized, corporate-privileged system that milks little guys for high profits.  I feel like it's not "in the spirit" of Bitcoin...

But then reality set in -- which is that the CA system does provide quite a bit of value.  Regardless of how much you get pay to get a signed a certificate to run your website from some "corporate overlord," you are getting security against MitM attacks.  And that is important, especially for invoices and payment requests with irreversible Bitcoin transactions.  This protocol can slide right into the existing CA infrastructure, and instantly provide on the protections that the system already gives to most other security-sensitive internet services.

In that sense, it is a massive boon to be able to piggyback off the existing infrastructure, since Bitcoin already has enough hurdles to get wider acceptance.  This won't be one of those hurdles.

What is a DVC tip?  I always accept tips

Given the magnitude of implementation complexity, I guess it makes sense to jump into coin-control now... compared to how long it will take to do the new wallets, it looks like noise...

Btw, the latest version should have a warning window pop up now, telling you it detected this condition, and please stop Armory until Bitcoin-Qt is sync'd.  It's not the best solution.  But it makes the user aware that the bizarre behavior is not a "feature."

Well then, don't do that!   

To be fair, it sounds like I need to put some more protections on some of the dialogs when the user is using a watching-only wallet.  I thought I had caught a lot... but I guess not yet.   Getting people to test has been hard, so I keep finding stupid stuff like this that has been in there months.  Perhaps I need to start offering 0.1 BTC bounties for finding bugs in the software -- I bet I'd get a lot of people digging in hard!  Or I might go broke...




He actually already contacted me and I suggested that there will be room in the new wallet format for including "extra attributes" with the addresses.  I don't plan to mess with colored coins myself, but it might make it easily extensible by others.



You're not the first person, by far, who has asked for this.  I suppose I could bump it on the priority list for after beta -- because not only is it in high demand, I don't think it will be that hard.  I think I already know how to do it, I just need to devote a day or two to implementing and testing.  Luckily, the underlying libraries already have all the hooks I need (I just create a new wallet in RAM with only the specified addresses, and retrieving its balance and creating transactions with it is trivial).  And I think I already know how to create the window to let you select the set of addresses from which you want to spend coins...

Maybe I'll do it this weekend!  I am already kinda stuck with the new wallet format, while I wait for feedback about my design ideas...

Armory does not support coin-control, but I think it will not be terribly difficult to support.  I just have some other priorities.  I *do* plan to add it when I'm feeling stuck with some major other feature upgrade

You wouldn't be the first.  Right now, this is the cost of the features that come with Armory.  However, I should be able to pull down the system req'ts after I'm done with the wallets (at the expense of using more HDD space).  And eventually I want to have an actual-lite version (also known as "Standard usermode" -- it would be a purely pruned version, and only track your balance, not the transaction history)

The answer is:  you just seeded an excellent discussion about the far future of Bitcoin escrow/contracts, but I think that future hasn't arrived yet.  And when it does arrive, I'd love to see that discussed and developed into an inter-client standard.  Until then, the M-of-N cases are dramatically simpler, and can actually be used right now, thus it warrants a separate [simpler] treatment   (plus, there will probably be some lessons learned from M-of-N execution to be applied to the more-general case)

This is really unfortunate.  I'm not sure why threading is causing such problems, since it doesn't seem to have anything to do with the multi-threading I implemented.  I definitely cannot setup a print dialog myself, I most definitely need Qt to help with that.  I wonder if there's any other dialogs that cause this problem...

---

Unless I hear something compelling, I think I've made my last change for beta.  It was an update to signature encoding that the Bitcoin-Qt devs would like to make more rigorous...  and I pulled in the terminal-signing-script for offline computers ("python extras/cli_sign_script.py wallet.file some.unsigned.tx").  

It seems I've already had 300 downloads of the version I posted a couple days ago!  People must be using it, and it can't be that bad if I haven't gotten any real bug reports yet  (besides the OSX issues).  If you've been using 0.84.5, please post here and let me know that you have been, and any comments about it, with regards to my plan to make it beta!   I am looking for that boost of confidence I need to pull the trigger on it!

P.S. -- While looking at the new wallet format I want to create, I figured out how I'm going to integrate unicode support.  It won't be part of beta, but it will definitely be part of the new wallet release.  Sorry to all you non-US that use all those weird characters in your tx comments and filenames   That support is coming!

@Casascius,

I recognize that you are proposing something of ultimate flexibility and versatility.  And I actually really like the idea for arbitrarily complex transaction types.  But M-of-N transactions are a degenerate case of that large space of possible transaction types.  Combined with the fact it will be spectacularly more-common than those other cases, I think it's not unreasonable to have a separate "shortcut" method for setting them up.  

However, I do like where your idea is going, and worth some further discussion.  I'd really like to have a way to document and execute these crazy transaction types, I just think a fully developed solution for that is out-of-scope for now.  I think I will leave room in my design to accommodate "relationship" entries in the wallet.  When it is fully developed, I can switch all multi-sig tx over to that...

Though, why can't such relationships be developed by a central organizer?  Rather than distributing the relationship object and letting each person pick a place... there is at least one person that already knows how it should be setup.  Have everyone send that person a public key/wallet, and he will set it all up.  Perhaps the final result can be signed by the private keys of all included public keys, or something like that.

But for now, I think it makes sense to shortcut the couple degenerate cases of 1-of-2, 2-of-2, 2-of-3, 3-of-3, and handle all the details automatically for the user.  A user simply wants the transaction to require 2 of 3 signatures, and has his own private chain and the other two public chains.  He doesn't care about the internal ordering of keys, but he does require everyone to use the same ordering.  He also wants to avoid address collisions in the event that multiple parties try to create transactions at the same time with the same ordering.  I think this technique resolves all of that, and can be represented quite simply to the user.

---

The issue with look-ahead in deterministic wallets is an annoying problem.  Most regular users, really don't need more than 10 addresses lookahead, 100 to be safe.  However, e-commerce users/merchants might need significantly more lookahead than that.  For that reason, I defaulted to 100 address lookahead with Armory, and added a button to let users extend the lookahead as far as they want.  I expect that any business users interested in this application, will have the knowledge to know which knobs to tweak -- i.e: set lookahead to 10,000 addresses & disable second chain.  

Therefore, Armory users using two-factor auth as I have described, only have 100 extra addresses in their wallet.  One time.  If the second chain is never used, then it never increases.  The way Armory scans the blockchain, search time is O(log N) in the number of addresses in the wallet (because they're stored in a BST in RAM, so that's how long it takes to check if an address is in your wallet).  As such, 100 extra addresses is trivial, both in HDD space, and extra computation time.  If the user needs more than 100 lookahead, they are also likely knowledgeable enough to know what options to change for their application.

I already have an "extraAttributes" field which is intended to accommodate non-Armory addresses and address chains.  I don't know who else would be leveraging the code base, but at least it gives me room to, say, import and maintain an Electrum-deterministic wallet chain and store any necessary extra information in that field that doesn't fit into the Armory-specific structure.   I'm not sure of exact implementation details, yet, but I do want to try to leave room for things I haven't thought about, yet.  I suppose colored-coin attributes could go there, too.

My understanding is that we don't have real capability to do ((A and B) or C) yet (or at least, it's not standard), and that only M-of-N multisig is really enabled.  I know you could execute any arbitrary script if you find a miner to do it for you, but that's not in scope for me -- I'm sticking with transactions that will be accepted by the network without special actions.  (I just confirmed with Gavin that non-M-of-N transactions are not standard; redeeming such a P2SH script would require a miner's help)

However, I agree that the design here should be extensible to these cases, when they become available in the future.  But it also seems unnecessary to require extra user-interaction for regular M-of-N transactions where the specific ordering is actually irrelevant to the users, as long as it is deterministic and accessible to all participants.    As a user entering a 2-of-3 wallet with two other parties, I don't actually care what order they go in, and asking the user to specify a totally arbitrary ordering is not only confusing, but ripe for people to do it wrong -- i.e. user A chooses {A,B,C}, but user B accidentally sets up their wallet with {B,A,C}, and then things get all out of whack...

Also, I don't see a reason why there should be a special case for desktop+second-factor (smartphone) vs shared-spouse-wallets.  Just have all 2-of-2 wallets pretend that both chains could be used, because the resource usage of watching for a few extra addresses is trivial.  If it's really a concern, there can be an option in "Expert" usermode to disable the second device chain if you know it won't be used.  

Ahh, so it does make sense to use P2SH for paired/linked wallets, and regular multi-sig for escrow tx, etc.  For some reason, I was under the impression that P2SH was intended for everything.  I do prefer plain multi-sig for those escrow tx.

@Mike,

I'm not sure the payment protocol changes this much.  It means that the decision about which form to use will be irrelevant to those using the payment protocol, but there will still be users who will do it the "old" way, which should still be accommodated.  Though it sounds like we already have a consensus ... it makes sense to use P2SH for linked wallets, and regular multi-sig for isolated escrows and contracts.

---

@Casascius:  I was just about to post an expanded idea for linked wallets, but I think you already did it.  I'll restate it, though, for clarity, and maybe add a little.

Let's say I make wallet A/j, and my spouse creates wallet B/j.  We exchange the root of the external/internal chains.  Meaning, we exchange the data needed to not just generate one chain of addresses, but both the primary chain and change chain.  

So, I give her A'/j and she gives me B'/j.  All addresses generated by my wallet will be of the form 2of2([A'/j/0/x, B'/j/0/x]) and all change will go to 2of2([A'/j/1/y, B'/j/1/y]) -- external chain is 0, internal chain is 1.  The order will be switched for her wallet:  she will create addresses of the form 2of2([B'/j/0/x, A'/j/0/x]) and change will go to 2of2([B'/j/1/y, A'/j/1/y]).  So each wallet will only generate addresses from its own two chains, but watching for addresses on all four chains.  

I'm pretty sure that's very similar to what you suggested.  


EDIT: to avoid ordering issues for 3+ wallets, the addresses should be ordered by wallet fingerprint order, and each wallet always generates addresses starting with their own in that list, wrapping around.  So if the wallet fingerprints end up ordering the wallets  B, A, C,  then all 2-of-3 addresses generated by wallet B will be {B,A,C}, wallet A will be {A,C,B} and wallet C will be {C,B,A}.  That makes sure there are only N possible address orderings (one per party), instead of N-factorial

(1) You're right, computer freezes should not happen.  The whole computer freezes?  Or just Armory?  For how long?  If you do experience it, can you please email me a copy of the log file?  (File --> Export Log File) (etotheipi at gmail dot com)
(2) There are no .dat files in Armory.  What are you deleting?  And please don't delete any files in the .armory directory -- that's a good way to lose stuff you didn't want to lose -- everything you need to be able to do should be accessible from Armory itself.  At least make paper backups of your wallets before you delete anything...
(3) Wallets are very delete-able -- just open the wallet properties and click on "Delete/Remove Wallet" on the right-hand side.
(4) Bitcoin-Qt encrypts your wallet by hashing your passphrase 25,000+ times, and using the result as an AES256 encryption key (this is called key-stretching).  This slows down an attacker trying to brute-force your password quite a bit.  However, hashing and AES can be implemented very efficiently on GPUs, so any Bitcoin miner could use his mining rig to brute force an encryption passphrase fairly efficiently.  On the other hand, Armory key-stretching uses a process that not only requires a lot of computation, but also requires multiple megabytes of cache/RAM.  GPUs are super fast because they have thousands of threads working in parallel, but each thread usually only has a tiny amount of fast local/shared memory.  If each thread needs 8MB of cache, it just won't be able to do the computation at all --- or the GPU must run with dramatically-reduced parallelization so that it can allocate that much memory to each thread.  This is what is meant by "GPU-resistant key stretching."