Topic: Building a 2-of-(1+(1-of-2)) multisig transaction [i.e A + (B or C)]
weex (OP)
October 30, 2015, 12:04:26 AM
Last edit: November 12, 2015, 01:29:48 AM by weex
 #1

The standard multisig is 2-of-3 where any two of the three keys can sign a redeem script to make it valid. I would like to build a redeem script that requires one key and either of two other keys. So for keys A, B, and C. The redeem script is valid if signed by A and (B or C). How can I do this? I would prefer if I had a tool like coinb.in that I could use for the process. Any ideas?
achow101
October 30, 2015, 12:06:17 AM
 #2

I do not believe that this is currently possible.

weex (OP)
October 30, 2015, 12:12:26 AM
 #3

Quote
I do not believe that this is currently possible.

https://twitter.com/jgarzik/status/472574342514368512
weex (OP)
October 30, 2015, 03:34:57 AM
 #4

I checked with gmaxwell on irc and he said there's no software written that does this easily but if the script is p2sh then it can work. If anyone has any recommendations for p2sh tools, your posting them is greatly appreciated!
achow101
October 30, 2015, 03:38:40 AM
 #5

Quote
I checked with gmaxwell on irc and he said there's no software written that does this easily but if the script is p2sh then it can work. If anyone has any recommendations for p2sh tools, your posting them is greatly appreciated!
This tool, hashmal: https://bitcointalk.org/index.php?topic=1168604.0, is quite useful for testing whether scripts work or not.

weex (OP)
October 30, 2015, 04:06:17 AM
 #6

Pretty sweet. I'll try it out and report back whatever I can put together.
amaclin
October 30, 2015, 11:27:41 AM
Merited by LoyceV (6)
 #7

Quote
The redeem script is valid if signed by A and (B or C).

1. take 3 pubkeys

2. create a redeem script
Code:
<pubkeyA> OP_CHECKSIGVERIFY OP_1 <pubkeyB> <pubkeyC> OP_2 OP_CHECKMULTISIG

3. hash it and receive p2sh address 3xxxxx

4. fund this address

5. create raw transaction spending this address

6. sign it with ( <privkeyB> and <privkeyA> ) or ( <privkeyC> and <privkeyA> )

7. create scriptSig for your raw transaction
Code:
OP_0 <signature_B_or_C> <signatureA> <redeem>

8. voila!
weex (OP)
October 30, 2015, 03:15:29 PM
 #8

Awesome. To clarify, the equivalent of creating this address is just up to step 3. Then funding and spending can be done later by anyone who has the address and redeem script (plus keys) respectively. That's a lot simpler than I thought it would be. BTW, I created a bounty for this at bountify.co if you want to claim it.
weex (OP)
October 31, 2015, 06:01:00 PM
 #9

Btw, the reason why I asked is to be used in a decentralized market protocol with more info at https://bitcointalk.org/index.php?topic=1232915
thelink2012
November 10, 2015, 07:57:27 PM
 #10

Quote
The redeem script is valid if signed by A and (B or C).

1. take 3 pubkeys

2. create a redeem script
Code:
<pubkeyA> OP_CHECKSIGVERIFY OP_1 <pubkeyB> <pubkeyC> OP_2 OP_CHECKMULTISIG

3. hash it and receive p2sh address 3xxxxx

4. fund this address

5. create raw transaction spending this address

6. sign it with ( <privkeyB> and <privkeyA> ) or ( <privkeyC> and <privkeyA> )

7. create scriptSig for your raw transaction
Code:
OP_0 <signature_B_or_C> <signatureA> <redeem>

8. voila!
Isn't there the need, at the redeem script, to put an OP_DROP after the OP_CHECKSIGVERIFY, as that pushes true to the stack, which will be confused with the signature for OP_CHECKMULTISIG?
weex (OP)
November 10, 2015, 08:37:53 PM
 #11

Tried to get an answer from IRC but no luck. Will ask again later.
amaclin
November 10, 2015, 08:54:43 PM
 #12

Quote
BTW, I created a bounty for this at bountify.co if you want to claim it.
I can do it by standalone C++/Qt program. Just to prove the concept.
Sorry, my knowledge in javascript/web is too poor to write financial applications.
weex (OP)
November 10, 2015, 08:57:11 PM
 #13

Quote
BTW, I created a bounty for this at bountify.co if you want to claim it.
I can do it by standalone C++/Qt program. Just to prove the concept.
Sorry, my knowledge in javascript/web is too poor to write financial applications.

Thanks Amaclin, sorry but that ship has sailed. Do you have any comment on the OP_DROP question?
amaclin
November 10, 2015, 09:07:18 PM
 #14

Quote
after the OP_CHECKSIGVERIFY as that pushes true to the stack

Quote
Thanks Amaclin, sorry but that ship has sailed. Do you have any comment on the OP_DROP question?

OP_CHECKSIGVERIFY does not push true to the stack
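
The stack behaviour behind the steps in post #7 and the OP_DROP question in posts #10 and #14, as an added example that is not part of any post in this thread. It is a toy Python model: signature checking is stubbed (the tuple ("sig", "A") stands for a valid signature by key A), and the names run, multisig_ok, REDEEM and WITH_DROP are made up for the illustration.

```python
# Added example: toy stack model of the A + (B or C) redeem script.
# Assumption: signature checks are stubbed; ("sig", "B") means "valid signature by B".
REDEEM = ["A", "OP_CHECKSIGVERIFY", 1, "B", "C", 2, "OP_CHECKMULTISIG"]
WITH_DROP = ["A", "OP_CHECKSIGVERIFY", "OP_DROP", 1, "B", "C", 2, "OP_CHECKMULTISIG"]
SIG_A, SIG_B, SIG_C = ("sig", "A"), ("sig", "B"), ("sig", "C")

def verify(sig, pubkey):
    return sig == ("sig", pubkey)

def multisig_ok(sigs, keys):
    """Each signature must match a key, in the same order as the keys."""
    k = 0
    for sig in sigs:
        while k < len(keys) and not verify(sig, keys[k]):
            k += 1
        if k == len(keys):
            return False
        k += 1
    return True

def run(script_sig, redeem=REDEEM):
    """Return (valid, final_stack). script_sig leaves out the <redeem> push:
    under P2SH that item is hash-checked, popped, then run on what remains."""
    stack = list(script_sig)
    try:
        for op in redeem:
            if op == "OP_CHECKSIGVERIFY":
                pubkey, sig = stack.pop(), stack.pop()
                if not verify(sig, pubkey):
                    return False, stack   # VERIFY aborts the script
                # on success both items are consumed and nothing is pushed
            elif op == "OP_DROP":
                stack.pop()
            elif op == "OP_CHECKMULTISIG":
                n = stack.pop()
                keys = [stack.pop() for _ in range(n)][::-1]
                m = stack.pop()
                sigs = [stack.pop() for _ in range(m)][::-1]
                stack.pop()               # extra element, supplied by OP_0
                stack.append(multisig_ok(sigs, keys))
            else:
                stack.append(op)          # data push: public key or small number
    except IndexError:                    # script popped from an empty stack
        return False, stack
    return bool(stack) and stack[-1] is True, stack

if __name__ == "__main__":
    print(run([0, SIG_B, SIG_A]))             # A plus B
    print(run([0, SIG_B, SIG_A], WITH_DROP))  # variant with OP_DROP added
```

With the script from post #7 the stack ends as [True] for A plus B or A plus C. The WITH_DROP variant fails in this model because OP_DROP removes the B-or-C signature that OP_CHECKMULTISIG still needs.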
thelink2012
November 10, 2015, 09:17:59 PM
 #15

Quote
Thanks Amaclin, sorry but that ship has sailed. Do you have any comment on the OP_DROP question?
If it's me piloting the ship, I don't really mind him doing that instead. You probably will be better with his experience on the matter, I'm learning about these things not long ago and thus I both do it slower and with doubts popping up.

Quote
after the OP_CHECKSIGVERIFY as that pushes true to the stack

Thanks Amaclin, sorry but that ship has sailed. Do you have any comment on the OP_DROP question?

OP_CHECKSIGVERIFY does not push true to the stack

Oh, doesn't it? I've been looking in the table at this wiki page and on the outputs of this opcode there's a bool. Is there another place I can find more trustworthy documentation about those ops?

By the way, as I mentioned, I'm new to bitcoin development, and I'm confused about one thing. This is a non-standard transaction, right? If I broadcast it to the network, chances are the money will be unspendable because nodes don't want to run those kind of transactions? Also, weex, is the purposes you need that to broadcast to the bitcoin network or...?
amaclin
November 10, 2015, 09:26:46 PM
 #16

Quote
Oh, doesn't it? I've been looking in the table at this wiki page and on the outputs of this opcode there's a bool.
You should not mess OP_CHECKSIG and OP_CHECKSIGVERIFY

Quote
Is there another place I can find more trustworthy documentation about those ops?
For free?

Quote
By the way, as I mentioned, I'm new to bitcoin development, and I'm confused about one thing. This is a non-standard transaction, right?
This is a standard transaction today.
https://bitcoin.org/en/glossary/p2sh-address
Quote
A Bitcoin payment address comprising a hashed script, allowing the spender to create a standard pubkey script that Pays To Script Hash (P2SH). The script can be almost any valid pubkey script.
weex (OP)
November 11, 2015, 02:21:55 AM
 #17

Quote
By the way, as I mentioned, I'm new to bitcoin development, and I'm confused about one thing. This is a non-standard transaction, right? If I broadcast it to the network, chances are the money will be unspendable because nodes don't want to run those kind of transactions? Also, weex, is the purposes you need that to broadcast to the bitcoin network or...?
When I did a multisig transaction before it was a simple 2-of-3 redeem script and coinb.in's source code was the simplest way for me to get it done in a way that had a nice interface. There are other apps that do it but they're less flexible.

I want an A+(B or C) type of transaction because I'm thinking it would be a good way to pay a mediator to a transaction. 2-of-3 doesn't work as well because the buyer and seller could collude to cut the mediator out. Not that that would be great for their reputation but I'd also like to see more complicated redeem scripts be easier to generate. Coinb.in's site and source are useful anyways (for signing and broadcast) but this is the best project to extend in this way.
thelink2012
November 11, 2015, 10:17:07 PM
 #18

Nice, it worked great (tx). Thanks amaclin
I'll make sure it's all fine and open a PR on coinbin, weex.
weex (OP)
November 12, 2015, 01:27:33 AM
 #19

Very cool, except I'm actually having a hard time parsing that redeem script with anything. I guess I'll need to try it with hashmal. Any ideas?

0048304502210097c8efca04e2f8ada930f3bccdb145598ac5b9d89f52e99cd109174dae41973c0 22066acbccf66a833b1cfb174b154c1841232d4314bc915c5f1455e5598af7b32db014830450221 00b0410b62a539c22deb3b0410209087415bcb99a75dccc1b2ec2b14476a2c449602203b3758654 e2a86a4028b07936d298ebca39937eda98bb75204cc22684fe8c69001483045022100b03ce2e1f3 72c6ec95667b77101479da2613de1a72629fd31f1da719d184e9a702200e2eb309d3495eb58c7f0 4c8d0e7aa6dd94f64c2c3863331ebd76ff2b033d0dc014c8c210362d792df06ec0fd954d28a94d0 71451e39aad4df7fc2e65b4beb39d4a19edf7ead522102a7d3c5d155c592917af2dc2f9c0168627 dc80463d396882d2e80da5a36f3636021035b7c902e47f3e48d57c5031d4a30c8f4f93cbdc4d2cd 57e9af66ccb591a1bb462103f4d266a0404a26b643e66b5712d997c2efdba22cb1bbe53bf79ed14 65a54801253ae
amaclin
November 12, 2015, 06:43:10 AM
 #20

Quote
Nice, it worked great (tx). Thanks amaclin
I'll make sure it's all fine and open a PR on coinbin, weex.
http://webbtc.com/script/1c41724a7b16ecd5e11867864d834eb24e9d22b372c86aa7869c4cc0b6b36d52:0

this is 1 + (2-of-3)

Code:
0362d792df06ec0fd954d28a94d071451e39aad4df7fc2e65b4beb39d4a19edf7e
OP_CHECKSIGVERIFY
2
02a7d3c5d155c592917af2dc2f9c0168627dc80463d396882d2e80da5a36f36360
035b7c902e47f3e48d57c5031d4a30c8f4f93cbdc4d2cd57e9af66ccb591a1bb46
03f4d266a0404a26b643e66b5712d997c2efdba22cb1bbe53bf79ed1465a548012
3
OP_CHECKMULTISIG
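
The script from post #20 at the byte level, as an added example that is not part of any post in this thread: it rebuilds the redeem script from the four public keys amaclin lists and decodes it back into the same listing. The function names are made up here, and the decoder handles only direct pushes, OP_PUSHDATA1 and the opcodes this script uses.

```python
# Added example: serialise and decode the redeem script listed in post #20.
# Function names are illustrative; only small pushes and OP_PUSHDATA1 are handled.
PUBKEYS = [  # compressed public keys copied from the post
    "0362d792df06ec0fd954d28a94d071451e39aad4df7fc2e65b4beb39d4a19edf7e",
    "02a7d3c5d155c592917af2dc2f9c0168627dc80463d396882d2e80da5a36f36360",
    "035b7c902e47f3e48d57c5031d4a30c8f4f93cbdc4d2cd57e9af66ccb591a1bb46",
    "03f4d266a0404a26b643e66b5712d997c2efdba22cb1bbe53bf79ed1465a548012",
]
NAMES = {0x00: "OP_0", 0xAD: "OP_CHECKSIGVERIFY", 0xAE: "OP_CHECKMULTISIG"}

def push(data: bytes) -> bytes:
    """Length-prefixed push for items of up to 255 bytes."""
    if len(data) <= 75:
        return bytes([len(data)]) + data
    if len(data) <= 255:
        return b"\x4c" + bytes([len(data)]) + data   # OP_PUSHDATA1
    raise ValueError("item too long for this sketch")

def build_redeem(mandatory: str, m: int, others: list) -> bytes:
    """<mandatory> OP_CHECKSIGVERIFY OP_m <others...> OP_n OP_CHECKMULTISIG"""
    script = push(bytes.fromhex(mandatory)) + b"\xad" + bytes([0x50 + m])
    for key in others:
        script += push(bytes.fromhex(key))
    return script + bytes([0x50 + len(others), 0xAE])

def decode(script: bytes) -> list:
    """Split raw script bytes into pushed items (hex) and opcode names."""
    out, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if 0x01 <= op <= 0x4C:                  # data push
            size = op
            if op == 0x4C:                      # OP_PUSHDATA1: next byte is the length
                if i >= len(script):
                    raise ValueError("truncated OP_PUSHDATA1")
                size = script[i]
                i += 1
            if i + size > len(script):
                raise ValueError("push runs past end of script")
            out.append(script[i:i + size].hex())
            i += size
        elif 0x51 <= op <= 0x60:                # OP_1 .. OP_16
            out.append(str(op - 0x50))
        else:
            out.append(NAMES.get(op, f"0x{op:02x}"))
    return out

REDEEM = build_redeem(PUBKEYS[0], 2, PUBKEYS[1:])
```

The rebuilt script is 140 bytes (0x8c), which matches the `4c8c` push prefix that precedes it in the scriptSig hex weex posted in #19.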
weex (OP)
November 12, 2015, 08:44:30 AM
 #21

Seems like that will work fine. Just for my own understanding, is there any reason that couldn't be a 1 + (1 of 2). I suppose then it would depend more about how individual signatures are handled.
amaclin
November 12, 2015, 08:48:11 AM
Last edit: November 12, 2015, 08:14:07 PM by amaclin
 #22

Quote
Seems like that will work fine. Just for my own understanding, is there any reason that couldn't be a 1 + (1 of 2).
I suppose then it would depend more about how individual signatures are handled.
It could be any of (k + (m of n)) where k + m + n <= 15

Update: where k + n <= 15
weex (OP)
November 12, 2015, 06:41:07 PM
 #23

I meant for this case. The second part only needs to be 1 of 2 so the transaction could be smaller.
thelink2012
November 12, 2015, 07:42:33 PM
 #24

It's easily changeable how many k, m and n you'll use on the form
Left the PR in coinbin, though their broadcaster doesn't seem to accept those transactions at all, one has to use the blockchain.info broadcaster for instance.

If there's already a name for this kind of p2sh let me know, I named it Mandatory Multisig for the lack of imagination.
amaclin
November 12, 2015, 08:12:10 PM
 #25

thelink2012, perfect work!

http://webbtc.com/script/cdf3b234610e4224116220ef08198a5fa354451490983972c077fd2cf57efa43:0
2 + ( 2 of 3 )

http://webbtc.com/script/d04b2d714737f355d6cbc6d2d2307ed383835e425a85d06757689ce50ba0bccf:0
1 + ( 1 of 2 )

http://webbtc.com/script/1edccd06efaf2d7d610f45911506437a0ac258f8f902616fc26f260b6f30a5fd:0
3 + ( 1 of 3 )
weex (OP)
November 13, 2015, 01:44:39 AM
 #26

Quote
It's easily changeable how many k, m and n you'll use on the form
Left the PR in coinbin, though their broadcaster doesn't seem to accept those transactions at all, one has to use the blockchain.info broadcaster for instance.

If there's already a name for this kind of p2sh let me know, I named it Mandatory Multisig for the lack of imagination.

Thanks thelink2012, I'll check it out shortly.