Bitcoin Forum
December 04, 2016, 12:20:28 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Modify OP_CHECKSIG  (Read 1015 times)
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1344


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
August 24, 2011, 12:50:56 AM
 #1

Here is an idea: why not just modify the OP_CHECKSIG (which currently checks a single signature) so it itself supported multiple signatures that could be joined with logic?

Right now, we take the HASH160 of a single pubkey A to match the address, and OP_CHECKSIG matches that pubkey A to signature A.

What if OP_CHECKSIG were enhanced so that what we provide as A, could also be a binary-serialized expression?  Right now, you input A and a valid signature for A, and get true.  With enhancement, into OP_CHECKSIG you input "(A AND B) OR C", and three signatures A B C (which aren't more parameters, they are merely more bytes stuffed into the same parameters via binary serialization).  Not all three signatures have to be valid, just enough have to be valid to make the expression evaluate to true.  Of course, pubkey "A" by itself is still a valid expression, one which validates only with a valid signature for A, and which is what is considered a standard transaction today.

Since a bitcoin address is based on what amounts to HASH160(A), with this modification you could have a normal-looking Bitcoin address based on the entire expression, since it would merely be HASH160 of the binary serialization of the expression.  There would be no need to bloat the addresses or introduce a new format.

The sender would know no different.  The sender's script would be exactly the same.  The only difference is the bitcoin address is based on the hash of a multi-pubkey expression rather than a single pubkey.  The spender would need to provide the entire original expression and just enough signatures to satisfy it.  Voila.


Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
1480854028
Hero Member
*
Offline Offline

Posts: 1480854028

View Profile Personal Message (Offline)

Ignore
1480854028
Reply with quote  #2

1480854028
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480854028
Hero Member
*
Offline Offline

Posts: 1480854028

View Profile Personal Message (Offline)

Ignore
1480854028
Reply with quote  #2

1480854028
Report to moderator
Gavin Andresen
Legendary
*
qt
Offline Offline

Activity: 1652


Chief Scientist


View Profile WWW
August 24, 2011, 12:59:16 AM
 #2

Here is an idea: why not just modify the OP_CHECKSIG (which currently checks a single signature) so it itself supported multiple signatures that could be joined with logic?

Because I want to enable these features reasonably soon, and modifying the way CHECKSIG works means a blockchain fork for clients that haven't upgraded.  Which means giving at least 6 months notice to give everybody time to upgrade their clients.

At some point that will make sense, but with what I'm proposing it is not necessary. When SHA3 is finalized or a weakness is found in ECDSA or SHA256 maybe it'll be time to do that...

How often do you get the chance to work on a potentially world-changing project?
theymos
Administrator
Legendary
*
expert
Offline Offline

Activity: 2492


View Profile
August 24, 2011, 03:36:39 AM
 #3

I was thinking recently that it might be a good idea to write the code for all of the proposed (and agreed-upon) changes to Bitcoin's core structure and put them in place, but keep them disabled until a transaction version increase is forced by some critical bugfix.

An enhanced version of OP_CHECKSIG could also specify which hash algorithm is used for hashing the transaction before signing.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
etotheipi
Legendary
*
expert
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
August 24, 2011, 04:47:32 AM
 #4

+1 for this idea. 

I have no comments about integration, release, and not forking the blockchain, in general.

The only concern is that other parties have no other way to know they are part of a particular transaction unless you send them the serialized string and the transaction hash.  They can see the string includes their address in the appropriate place and that it hashes to the "address" in the specified transaction.  This creates an extra step to "executing" a transaction, as it's not really complete until all parties are notified by the original sender about.

Of course, people don't have to use it. I do like this as an option.

-Eto

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1344


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
August 24, 2011, 04:57:01 AM
 #5

The only concern is that other parties have no other way to know they are part of a particular transaction unless you send them the serialized string and the transaction hash.  They can see the string includes their address in the appropriate place and that it hashes to the "address" in the specified transaction.  This creates an extra step to "executing" a transaction, as it's not really complete until all parties are notified by the original sender about.

The way I see it, of those three parties, two of them are yourself, and the third one is your "wallet security provider".  Each address will have been generated in a short ceremonial webservice exchange between the two said parties, and so should be recognized by both parties.  See the example I posted at https://bitcointalk.org/index.php?topic=38928.msg477009#msg477009 .

In a scenario where we use "(A AND B) OR C", parties A and C are both yourself, the user.  A is a private key on your hard drive, C is your private key you keep in your safe as a recovery tool, and B is a keypair whose private key is known only by your wallet security provider and which will only sign transactions when authorized by you (preferably "out-of-band" e.g. SMS).

So, JimBob is running this safe Bitcoin client and is configured to use the wallet security provider YourBitcoin.com.  When he clicks Generate Address, his client makes a webservice call to YourBitcoin, providing public keys for A and C.  YourBitcoin.com returns a newly generated public key B, and with that, both parties can calculate the resulting "safe" Bitcoin address.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
etotheipi
Legendary
*
expert
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
August 24, 2011, 12:54:30 PM
 #6

There's more uses to the multi-sig functionality than just what you're talking about.  I always think of a 2-of-3 transaction online, where the buyer puts 110%*purchase price into such a 2-of-3 transaction between seller, buyer and third-party.  When the goods arrive and the purchase is complete, both buyer and seller offer their signatures to give the 100% of purchase prices to the seller, and return 10% to the buyer.  If there is any dispute, no one gets the money until it is resolved.  If one of the parties is too stubborn or disappears, the other party can appeal to the third-party to get their signature, and give them the 10% for arbitrating.

In this case, the buyer created the 2-of-3 tx with two other parties, but the other two parties don't know about it until the buyer explicitly tells them.  I still like the idea, I was just commenting that it adds an extra step if you want all the other parties to know that they're involved.

-Eto


Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1344


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
August 24, 2011, 06:09:47 PM
 #7

For those other multi-sig uses you mention, these are already possible without a change to OP_CHECKSIG, and would not be inhibited by such a change.

Changing OP_CHECKSIG would allow normal people to send normal transactions that require 2-of-3's or similar schemes to unlock.  This would be for the receiver's security, so he can leave his client offline and his coins are already protected without him having to manually resend them to a 2-of-3 scheme (which would require him to stay online).

On the other hand, if the sender of the transaction is trying to join a 2-of-3 scheme on purpose, he can simply emit a transaction that contains the script with all three of the addresses.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
etotheipi
Legendary
*
expert
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
August 24, 2011, 07:17:25 PM
 #8

I think we're promoting slightly different things here.  My only point is that this OP_CHECKSIG modification has some "different" behaviors than a "standard" multi-signature transaction, and thus, we should work for both to be supported as "standard" scripts.   I really like your idea, and fully support getting into the client design.  But I don't think it precludes us from having to answer Gavin's post about how to standardize multi-signature scripts that are currently possible without your modification.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1344


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
August 24, 2011, 07:55:22 PM
 #9

I think we're promoting slightly different things here.  My only point is that this OP_CHECKSIG modification has some "different" behaviors than a "standard" multi-signature transaction, and thus, we should work for both to be supported as "standard" scripts.   I really like your idea, and fully support getting into the client design.  But I don't think it precludes us from having to answer Gavin's post about how to standardize multi-signature scripts that are currently possible without your modification.

Yep you're right.  Standardize them as proposed, I say...

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!