Topic: BIP 16 / 17 in layman's terms (Read 38973 times)

Right now, I think you'd need to write the script by hand and probably mine it yourself too.

Maybe not a good place for this, but I want assign some coins to the chain which can only be spent if N out of M private keys sign the transaction.

What's the best way to do this?   Thanks

I'm convinced. Linode robbery could have been avoided if multisig where at work.

http://www.youtube.com/watch?v=vjaqM4yd_RA

I apologize to Gavin for picking up on him regarding multisig txs. Hope he finds the best solution to make it real for all of us reaching to an agreement with Luke and the community.

to rassa. thanks rassa that sounds the best way as kjj outlined and I guess that would be available if the protocol is imported. From my point of view it only adds one additional step in running the app between sending the transaction and it actually being sent. So the small additional time taken and not having to access another device is worth the increased wallet security. By not access another device I know you would of course need to introduce a usb or similar storage medium but the fact kjj said that could be loaded offline  appeals to me and not having to use a mobile or use an online wallet service would be preferable. So in laymans terms what I am doing is sending BTC and then asking myself to verify the transaction by a key only I know (because it was produced offline and is only on the usb say) before the BTC is transmitted (irreversibly) to the receiver. Is that about it? reg.

Kjj posted pretty much what I said, except the key I said to pot in the safe would still require the one on your USB key, while in his example the safe key is all you'd need (his is better). This is something that requires a protocol change and can't be done with software.
Regarding a "simple app," it can just be a small program on your USB key that you can run without needing to install it. It only needs to do two things, communicate with the online wallet, and sign cryptographic transactions. You come to any computer, plug in the key, go to the online wallet, send money to whatever address you want, then run the app on your USB key and sign it to verify it.
Currently your only option is to store a copy of the private key in the online wallet and in your safe. Although that will protect you if the online service dissapears (you still have the key to your money), if the online service gets hacked, the hackers can take all your money.

to Rassa. read your outline again and it sounds really possible and has allayed my concern that whatever is eventually applied to the core program  I can stay anonymous and better protected .  Does not that require two out of three key system though. I think it could still be done with something like kjj suggested but without the extra key option. I will wait on the side lines in anticipation but hope you are not too upset that I do not even know what a "simple app" is or how to apply it. I hope someone will come up with a cunning plan when the dust has settled. thanks for your explanations .I feel somewhat relieved that there is light at the end of the tunnel. regards reg.

They are explaining how the new feature will work. You do not need to use the new feature. Your user experience with the system will remain unchanged, unless you wish to use the new feature.

Herbert,   I do not intend to at the moment but it was not clear at first I had that choice and my point was/is, of course I would like better wallet/exchange security, but nothing I have heard proposed either does that relatively easily and improves what we have. I am just too old to get a degree in computer sciences to run a secure system! reg.  edit: Rassas proposal deserves a look at was posted whilst I was eating thanks for that info rassa. reg

But it doesn't have to be that way.  The service doesn't have the ability to spend your money, and if you set things up right, they can't prevent you from spending it either.

Think of a script in a transaction that can be redeemed either with Key C, or with the pair (Key A + Key B).  This is usually called "(A and B) or C".

You generate a bunch of these offline.  Key C is protected somehow and is never in a computer connected to a network, like printed on paper and stuffed in a safe.  Key B goes to the service (or comes from the service, either way).  Key A goes in your wallet.dat.

So, if someone breaks your computer and gets Key A, they can only spend small amounts, depending on the policy you've established with the service, and only until you realize that someone else has your keys and you tell the service to not sign anything any more.

If someone breaks the service and gets Key B, or if the service isn't trustworthy, or if the service is coerced by the government, they can't spend your money because Key B isn't sufficient.  They can stop you from spending it, at least until you go to your safe and fetch Key C, but that would instantly show that they have been compromised.

Another example of how it could be used:
You create a 2-of-3 signature for your wallet. One you stick in your safe, one you keep on your USB key, and one you send to an online anonymous wallet service. Using the combination of USB key with a simple app, and the online wallet service, you can send bitcoin from any computer. The online service can't spend your bitcoin without your permission, since it requires both of you to sign a transaction. The computer you plug the USB key into can't spend your bitcoin no matter how many viruses and key loggers are on it, since it still needs the online service to sign any transactions you sign. And if the anonymous service does a MyBitcoin and dissapears, since your key is 2-of-3, you can go to your safe, grab the third key, and use your USB key and safe key to get your bitcoin out. This is something you can even run through Tor anonymizer, since you don't have to trust the wallet service.

Jeez, then just don't use it. What was your point again?

to kjj, thank you for your well thought out reply and constructive comments. I also do not wish to argue about this just understand it. I agree with you and probably almost everyone else that a more secure wallet is desirable (even necessary) to get BTC a bit further towards acceptance. But wallets/exchanges are where the hacks occur not in the core protocol. All the measures you outline in the second verification process mirror the existing fiat currency verification procedures and would (in my opinion) be accessible and controllable by those authorities. I know my usage of BTC at the moment is probably horrifying to any computer literate person from the security aspect. But it is probably replicated thousands of times across the network. If I show you what I feel is the only practical way for me to operate maybe you can appreciate my difficulty in moving to a (proposed)system that needs as yet un-invented solutions to work.
I have downloaded BTC v5 on my computer. I can buy with fiat on intersango BTC and transfer anonymously to GLBSE to purchace dividend paying shares. I can do the reverse and my only interface (regrettably) is between the bank and and the exchange. I do download my wallet.dat to a usb (unplugged mostly) and that is it!. I know I may already have compromised my wallet by having key loggers to log my pass phrase but what can I do ? I am not able to download a new windows xp version and work offline to use my pass phrase! If I use an online wallet service I have just doubled my exposure and risk. I have a landline telephone but that is tapped by MI5. I suppose I could use a public telephone but here in the uk when I asked where the nearest one was everyone said why not use your mobile and did not even know where they were. At the moment it would be very complicated and time consuming to adopt a second sig aproach for me. reg

I think that the universe of bitcoin users can be divided into two groups: those that want multisignature capabilities and know it, and those that want it, but don't know it.  I'm pretty sure that you are in the second group, even if you think you are in a third group, those that are aware of multi-sig, and really don't want it.  I really, truly believe that you do want it but don't know that you want it, but it isn't something that I'm willing to argue about. 

The example using the mobile phone is pretty common.  I have no idea who first came up with it, but I fleshed it out in detail showing one possible way that it really could work in real life.  But there are other ways to do it.  Most of the other ways to do it haven't even been invented yet, so I have no idea what they will be.

If we want, we can abstract my mobile phone example back a step or two, and come up with something less specific, but still clear (I hope).

Step 1, I tell my client to send 5 coins to address XYZ.
Step 2, my client creates that transaction, signs it with the key it has, then sends it to my wallet service.
Step 3, my wallet service looks up my policy preferences, and since the transaction is more than 2 BTC but less than 10 BTC (my policy), it invokes a verification step.  The verification step involves either me contacting the service, or the service contacting me, using some communication channel other than the one used to communicate the transaction.  This could be a text message on a cell phone, a regular phone call, a personal visit to the local branch office, a telegram, a website, email, a USENET post, snail mail, smoke signals, carrier pigeon, semaphores, chalk marks on mailboxes, etc.  This will be either a little bit slower (SMS) or a lot slower (chalk marks).  You will customize your policy preferences to balance your desires for speed and safety.
Step 4, the communication involves some means of mutual verification, such as challenge-response, code words, photo identification verification, etc.
Step 5, if I am satisfied that I am talking to my service, and they are satisfied that they are talking to me, I can approve or recant the previously sent transaction.  If approved, they countersign using their key.
Step 6, my wallet service now sends my double-signed 2-of-2 key transaction out to the bitcoin network.
Step 7, the bitcoin network checks that the two signatures on this transaction match the P2SH signature that was provided earlier, and the BTC shows up in the vendor's wallet.

This is a basic model that has already been invented, and in the abstract sense is actively used all around the world every day.  The specifics can be adapted in many ways to meet different needs while still keeping some essential features and characteristics.  Other models may also work that accomplish the same goals.

And I want to stress two important things that I think are easy to overlook in this discussion.

First, no one can force you to use multisignature systems.  Even if there was a proposal to modify the network to totally disallow single signature transactions (a change which would be approved by pretty much no one at all), it would be trivial to be your own verification service.  Your computer would run bitcoin, and also run a second program just to approve them.  This could either be automatic or manual.  If automatic, it would be exactly the same as what everyone is using now, as far as they are concerned.

And second, bip16/bip17 are totally not about whether multi-sig is good or not, or will be included or not.  They are about how multi-sig will work behind the scenes.

to Holiday,  Thanks for that- as the remaining sole user and therefore owner of the bitcoin protocol I would like to thank all the developers and miners  for giving me the tool to retain my intellectual rights over my anonymous bitcoin transactions. Should anyone struggle as I would with the proposed changes as its downward compatible please feel free to rejoin me on BTC v5. reg.

To Kjj,   I accept all of your points but as the only one who does not want to change I hope you will accept my right to say that. It does seem that you think multi sig is the way to go and that also reflects gavins point in his original post but in his case I think "everyone  agrees" means the three main developers. Has he asked every one on the bitcoin network (he could there is a way to vote). As a non techie (I know that negates my position) it has been shown that multisig is already in the os program but not used due to bugs. So future development and alternative branches are not ruled out. Also I may seem paranoid to you but I am english and here the police have just trawled millions of phone calls and e-mails stored from the last few years to arrest  Sun journalists for phone hacking. Eventually (my main point) it was yourself who outlined in step by step how a multi sig would work and it looks difficult (to me) and time consuming defeating the speed of current transactions. So please put my mind at rest and do it again for someone like me, an average user who has no mobile, access to only one personal computer and here in the uk internet cafe's are rare and the public library controls access to its database? reg.

This is great news! It's about time.

The new switchover date is the 1st of April so there is plenty of time for miners to upgrade.

This isn't about mobile phones.  That is just one example of one possible way to improve security.  There are countless other ways, most of which haven't even been conceived yet.  What they all have in common is that they require a way to divide signing authority so that a single point compromise isn't fatal.

P.S.  If this current single point system works for you, you can keep using it in the future.  It isn't going away.  But lots of people (approximately everyone but you) want the ability to use multisignature systems.

P.P.S.  Loosen your tinfoil cap a bit, and maybe poke some air holes in it.  And I say that as someone that keeps an old Palm Treo working because I don't want Google, Apple or Microsoft to "own" my phone.

hi, I hope Gavin reads these posts! I am just a user but agree with Teramanga on this. There is nothing fundamentally wrong with bitcoin from my viewpoint- it's never been hacked. If wallets need better protection this should be a separate project. I refuse to use a mobile because it is a tagging device, it can and is used by authoritarian  regimes to download all contacts, information and data for further possible use by the state. Many third world countries do not have mobile penetration anyway. How the hell am I going to use separate signatures from one system? I for one will stay with the current version which works fine and hope that deepbit does as well! I do not think this has been thought through and would think the core program will be compromised and accessible and controllable by external authorities. reg.

You kinda did just there, and that also proves my point!

Anyone want to point out to rupy that multisig transactions were already in the protocol, as Satoshi intended, and that BIP16/17 is just a fix to better implement it, because the original setup was so buggy and prone to hacks that it has to be turned off? I don't want to bother.