Author

Topic: determining which keys signed a multisig tx (Read 131 times)

legendary
Activity: 3472
Merit: 10611
August 12, 2021, 09:42:06 PM
#6
However, there is still a small chance it is not the order of signing but the order of key holders in the MultiSig that determine which signatures end up in the witness data which I cannot rule out.
The signatures are placed in witness field of a transaction when the output being spent is a SegWit output not because of the order. The order of those signatures (whether they are in witness or signature script) is based on the redeem script's public key order.
newbie
Activity: 7
Merit: 1
Small addition. After parsing the Partially Signed Bitcoin Transaction (PSBT) text shared for signing a 4 out of 6 MultiSig, I found that the first four who signed had their signatures ended up being in the witness data.
However, there is still a small chance it is not the order of signing but the order of key holders in the MultiSig that determine which signatures end up in the witness data which I cannot rule out.
legendary
Activity: 3472
Merit: 10611
Is that what the bitcoin consensus layer does, try each sig against all keys?
That means a running time quadratic in the total number of keys!
Yes that is how it works, you can see the code for OP_CheckMultiSig(Verify) here: https://github.com/bitcoin/bitcoin/blob/9948f114f8e6fa7c998c4ede84719f5d1699e5e7/src/script/interpreter.cpp#L1129-L1239
The time depends on how many keys are used and are required and on where the keys are located. For example a 1of15 setup where the first key is used will verify on first check.

Quote
But I'm looking for something like a python or perl script that does it separately and offline,
just for the signature checks, and which I can feed arbitrary tx data, including inputs that are not in the UTXO set. I cannot do any of that with a bitcoin node.
You'll have to search github for python or perl bitcoin implementation and then modify the part where the transaction verification looks up the inputs in the UTXO set.
A good library is usually not tightly coupled specially for testability so you should be able to do it easily.
legendary
Activity: 990
Merit: 1108
What needs to be done is to check the signature against each public key and see if there is any duo that passes the verification then move to the next signature with the next public key to find the next match. Repeat until you run out of signatures (pass) or public keys (fail).
Quote
Is that what the bitcoin consensus layer does, try each sig against all keys?
That means a running time quadratic in the total number of keys!

Any software capable of verifying bitcoin transactions does this.

But I'm looking for something like a python or perl script that does it separately and offline,
just for the signature checks, and which I can feed arbitrary tx data, including inputs that are not in the UTXO set. I cannot do any of that with a bitcoin node.
legendary
Activity: 3472
Merit: 10611
Is it possible to tell from this script which of the 6 public keys got signed for?
Not with a quick look. What needs to be done is to check the signature against each public key and see if there is any duo that passes the verification then move to the next signature with the next public key to find the next match. Repeat until you run out of signatures (pass) or public keys (fail).
For example in: OP_0 | sig2 sig5 | pub1 pub2 pub3 pub4 pub5 (2 of 5)
check sig2+pub1 -> fail
check sig2+pub2 -> pass
check sig5+pub3 -> fail
check sig5+pub4 -> fail
check sig5+pub5 -> pass
=> final result -> pass (we now know corresponding keys of pub2 and pub5 signed the transaction).

Quote
Is there any software that can validate just the signatures in this transaction data?
Any software capable of verifying bitcoin transactions does this.
legendary
Activity: 990
Merit: 1108
I have a question about the multisig tx at
https://hashxp.org/cfbc3792e42a6832825f5b4f9dcb264d7a84662f0365661a05c1db591546bac3

The Decoded rawdata Witnesses #0/1 shows

vin0 Witness Count: 6
0080: .. .. .. .. .. .. .. .. 00 .. .. .. .. .. .. ..
vin0 Witness 0 Length:0 0 bytes:
0080: .. .. .. .. .. .. .. .. .. 47 .. .. .. .. .. ..
DER vin0 Witness 1 Length:71
[deleted]
DER vin0 Witness 2 Length:71
[deleted]
DER vin0 Witness 3 Length:71
[deleted]
DER vin0 Witness 4 Length:71
[deleted]
vin0 Witness 5 script: 207
01a0: .. .. .. .. .. .. .. .. .. .. 54 .. .. .. .. ..
***OP_4
[deleted]
***PUSHDATA 33 bytes: 0217dc227f2409969e154a651b47f5b8ec3add571e22febbd28e8e0d65318f25c4
[deleted]
***PUSHDATA 33 bytes: 021b80c3b386759e0b155ed999b5b8e8ee396837222f535c04fe5b6bbd757bde66
[deleted]
***PUSHDATA 33 bytes: 023beb227ad56f92fc0e2d112bb2d61f950e640853d355dd75607be79ea07b47d6
[deleted]
***PUSHDATA 33 bytes: 025546eea541af399b51e93e209b8f41945540e70fac595d1234430e46d057872f
[deleted]
***PUSHDATA 33 bytes: 026ce222b609736e330da692d8d620f4b17c8dfa198bb938074d56d68c42ce7a46
[deleted]
***PUSHDATA 33 bytes: 0311996c195b65975e992ad314d83577b0c1e096fcb5913c90ece9d557fcf60ad0
0270: .. .. .. .. .. .. .. 56 .. .. .. .. .. .. .. ..
***OP_6
0270: .. .. .. .. .. .. .. .. ae .. .. .. .. .. .. ..
***OP_CHECKMULTISIG

The PUSHDATAs correspond to the 6 public keys and the 4 vin0 Witnesses to 4 signatures meeting the threshold.

Is it possible to tell from this script which of the 6 public keys got signed for?

Is there any software that can validate just the signatures in this transaction data?
Jump to: