Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1R9J9Y-0006pm-3Y for bitcoin-development@lists.sourceforge.net; Thu, 29 Sep 2011 16:08:04 +0000 Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.161.47 as permitted sender) client-ip=209.85.161.47; envelope-from=gavinandresen@gmail.com; helo=mail-fx0-f47.google.com; Received: from mail-fx0-f47.google.com ([209.85.161.47]) by sog-mx-2.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1R9J9X-0001iA-3m for bitcoin-development@lists.sourceforge.net; Thu, 29 Sep 2011 16:08:04 +0000 Received: by fxi1 with SMTP id 1so2789036fxi.34 for ; Thu, 29 Sep 2011 09:07:56 -0700 (PDT) MIME-Version: 1.0 Received: by 10.223.5.76 with SMTP id 12mr16481639fau.103.1317312461766; Thu, 29 Sep 2011 09:07:41 -0700 (PDT) Received: by 10.152.25.105 with HTTP; Thu, 29 Sep 2011 09:07:41 -0700 (PDT) Date: Thu, 29 Sep 2011 12:07:41 -0400 Message-ID: From: Gavin Andresen To: Bitcoin Dev Content-Type: text/plain; charset=ISO-8859-1 X-Spam-Score: -1.6 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (gavinandresen[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.0 AWL AWL: From: address is in the auto white-list X-Headers-End: 1R9J9X-0001iA-3m Subject: [Bitcoin-development] Multisignature transations X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Sep 2011 16:08:04 -0000 Design discussion: https://gist.github.com/39158239e36f6af69d6f Pull request: https://github.com/bitcoin/bitcoin/pull/541 Initial support for multisignature transactions This adds initial support for three new types of transactions: (a and b) (a or b) (a and b) or c ... where a/b/c are keys. These new transaction types will enable better wallet security and backup in future versions of bitcoin. I've taken a conservative approach with this initial pull; the new transaction types will be relayed and included in blocks, but are ignored by the wallet code, so will not affect the balance and will never be considered available to spend. I'm going to start a discussion on bitcoin-dev to do a bit of a brain-dump on what NOT to do with multi-signature transactions (there are several potential attacks that we'll need to be careful to avoid). I'll be creating a multisig_testing branch in the gavinandresen github fork that WILL add multisig transactions to the balance, will have a new RPC call to create multisig transactions, and will be able to spend the multisig transactions; that will be for testing this PULL only for now. ======================= Here's the discussion of potential attacks that occurred to me while I was working on this: + Attacker has an account and a funding address/key ("a") at a shared-wallet service. Attacker also has their own address/key ("b"). + They send 100 bitcoins that can be spent by (a or b). Note that the shared-wallet service can't stop the attacker from doing that. IF the shared-wallet service credits their account (because "a" can spend the coins), then Bad Things might happen: + The shared-wallet service probably assumes that it controls all the keys in its wallet, and the only time coins in its wallet will be spent will be when it issues a send* RPC command. But the attacker can spend using "b" anytime they like. + If the shared-wallet service allows importing of keys then the attacker might be able to get double-credit by importing "b" (depending on what the 'import private key' code does). The pull I've submitted doesn't have any of those issues because multisignature transactions are not credited / added to the wallet. Going forward, I think the right thing to do is only add multisignature transactions to the wallet's balance (and make them available to spend) if the public half of ALL of the keys involved are known to the wallet. The private half of the key may not be in the wallet (maybe it is on another device or maybe it is a deterministic backup master key protected by a passphrase), but the public key must be known and in the wallet. I'd really like to get this into the 0.5 release because it will enable much better wallet security and backup in some future release or alternative client (but these transaction types need to be relayed and mined BEFORE then to make that possible). -- -- Gavin Andresen