Bitcoin Forum
Author Topic: Multisig implementation / proof of private key ownership question  (Read 1394 times)
hashman
November 08, 2012, 11:12:39 PM
 #1


Suppose you create an 8 of 10 multisig address and send a coin to it.

Can you now:

With any 8 of the 10 private keys digitally sign some text as proof of ownership?
What public key(s) need to be made public to do so?

Can you prove you have just one of these 10 keys? 

OK leaving the current BIP as I understand it for now, is there some way a number of keys (say 20) could go into a signature in such a way that the 20 key holders do not know if theirs was one of the 8 ones which make the signature valid for the ownership of the coin? 

casascius
Mike Caldwell
November 08, 2012, 11:21:08 PM
 #2

I think if you were to sign a message, you'd just be generating 8 signatures.  Multisig would work the same way, you actually need 8 signatures to unlock funds.  The signatures themselves aren't combined in any way.

As I understand it, if you have a valid signature and the message you're signing (specifically its hash), you can derive the public key and the bitcoin address from just those two things.  The public key ends up being an artifact of the signature checking process, and by hashing that, you have the bitcoin address.

Scaled to "multisig", if you have 8 signatures signing the same message with different keys, you can derive the 8 public keys, one per signature.  Multisig has nothing to do with it - Bitcoin has no facility for validating signatures other than one at a time - so the closest you'd get is to manually check 8 signatures and then confirm that the 8 public key hashes were the same as the multisig transaction you're interested in.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
MatthewLM
November 08, 2012, 11:58:58 PM
 #3

Isn't the only standard multi-sig implementation the P2SH one? In that case you'd provide the script that corresponds to the P2SH hash and then you can take any of the public keys from that script and prove you own the private keys to them. And indeed in this case you need to provide all of the public keys but only make signatures for 8 keys to show you can redeem coins.

Bitcoin Extra Wallet | Peercoin Android Wallet
BTC: 1D5A1q5d192j5gYuWiP3CSE5fcaaZxe6E9  PPC: PH7fVn1Xs7nkUFmdwCX2ZRYfLPCSwGxAq9
casascius
November 09, 2012, 12:30:20 AM
 #4

P2SH isn't multisig.  P2SH is a kind of multisig transaction, and simple multisig has existed longer than P2SH.  P2SH allows the redemption script to be provided by the person redeeming the funds rather than the person spending them.  The advantage is related to the fact that multisig generally offers security benefits to the recipient of a transfer, not the sender, and the person sending the money is usually not the person in a position to know what the script should be.  The P2SH sending address encodes a hash of the redemption script rather than the script itself, so the resulting address is similar in length to a normal bitcoin address, rather than potentially being miles long.

MatthewLM
November 09, 2012, 12:38:40 AM
 #5

Looks like you are right: https://en.bitcoin.it/wiki/BIP_0011

Though P2SH does include the multi-signature transactions.

kjj
November 09, 2012, 02:05:00 PM
 #6


> Suppose you create an 8 of 10 multisig address and send a coin to it.
>
> Can you now:
>
> With any 8 of the 10 private keys digitally sign some text as proof of ownership?
> What public key(s) need to be made public to do so?
>
> Can you prove you have just one of these 10 keys?
>
> OK leaving the current BIP as I understand it for now, is there some way a number of keys (say 20) could go into a signature in such a way that the 20 key holders do not know if theirs was one of the 8 ones which make the signature valid for the ownership of the coin?

There are two ways to do multisig right now, Conventional and P2SH.

In a conventional multisig, you provide a list of public keys and a count of how many signatures are required for the transaction.  As soon as you transmit that transaction, the entire network knows the list of public keys.

In P2SH, you create that list, but you don't send it to the network.  You hash it, and send that hash instead.  Now the entire network knows that there is a transaction, and they will be able to verify that the right keys are signing it later, but until that transaction is redeemed, they won't know what any of the keys are.

All of the public keys are revealed at the same time.  If you want to prove ownership of a P2SH transaction without redeeming it, you can provide the script and people can verify the hash.  Obviously, you'd need to provide the whole script for that, and that would have all of the public keys in it.

You can sign arbitrary messages using any/all of the private keys, and people would be able to confirm that you did indeed possess whichever keys you used in this way.  How many of them you'd need to use to convince them is up to them.  1 would prove that you are involved.  8 would prove capability of spending.  10 should strongly suggest that you created it in the first place.

p2pcoin: a USB/CD/PXE p2pool miner - 1N8ZXx2cuMzqBYSK72X4DAy1UdDbZQNPLf - todo
I routinely ignore posters with paid advertising in their sigs.  You should too.
jgarzik
November 09, 2012, 08:29:57 PM
 #7

> Isn't the only standard multi-sig implementation the P2SH one?

Multi-sig and P2SH are two totally different things.

P2SH requires a script -- any script, containing CHECKMULTISIG or not -- to redeem.

Multi-sig scripts may appear in non-P2SH transactions.

P2SH is a layer on top of scripts, essentially.


Jeff Garzik, Bloq CEO, former bitcoin core dev team; opinions are my own.
Visit bloq.com / metronome.io
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj