Topic: Multi-signature transaction interface suggestions (Read 2823 times)

My idea is that the human readable part is the machine readable part - what you see is what you get.

The human readable part would be parsed and would deterministically produce a single transaction.  It would have to serialize predictably, otherwise the signatures would have no meaning.  Someone who moved a decimal place would be creating a different transaction and would invalidate all of the signatures.

The only thing that would require mandatory validation in the client is the keys and signatures themselves.  One cannot determine just from looking whether or not they are valid, but the worst case scenario is that a funding source that looks "signed" really is not.

I am not sure there is a specific benefit to saving vertical space in this case, especially if it's information relevant to the transaction.  In my mind, I'm willing to actually waste vertical space in the form of whitespace to add clarifying section breaks - but these would be completely optional and not a mandatory part of the spec.  (In the spec the way I imagine it, blank lines would be ignored).

My biggest concern is redundant information:  an attacker could lie about the type of input transactions, and/or the output amounts and addresses (among other things).  I can construct a TxDP that has encoded all the outputs going to me, but the human-readable part suggests they're all going to you.  Or, I manipulate the amounts so the number of output transactions look the same, but I've shifted two of the decimal places in the actual transaction to redistribute the outputs more to myself -- hoping you won't notice, because you based your decision to sign it on the human-readable parts forget to examine it closely in your client before signing.

You can avoid this by removing all serialized data, and requiring the developer to reconstruct the output based on just the human-readable parts, but that leaves open the possibility of some clients re-constructing (and thus signing) slightly different transactions, not to mention it requires them to implement more logic to implement TxDP handling.   My proposed serialization contains the exact scripts/tx that we want signed, and the developer only has to blank out the other input scripts to sign their part of it.

I think the human-readable parts should solely be for developers and advanced users that are interested in "debugging" or casually inspecting them, but no one should be trusting the human-readable parts of it if it comes from another party that is untrusted.   

If you look more closely at my serialization, nearly every part of it is identifiable to someone by eye who takes a minute to figure it out.  Most importantly, its "block" form makes it easy to identify where the TxDP starts and ends, fitting into the least amount of vertical space possible.

I may have missed it.  The only human-readable components I could perceive would suffice to inform me that it was a proposed transaction, but would offer no idea what the transaction was.  It looked more like a PGP message.  I see no problem with a PGP message being un-human-readable, since that's the purpose of PGP.  I don't think that virtue applies here.


Can you provide an example of what a deceptive one might look like?  I suppose the comments could be deceptive, but that could be handled by eliminating or forbidding them.

The transaction block would only contain specific words that are defined by its spec, and only in the sequence permitted by the spec.  Arbitrary words would only belong in comments, if allowed, where they would be ignored.

At a glance, one could read the transaction and quickly see what was proposed.  They would see what is signed and unsigned.

Upon pasting it into their application, a user would see one of only a few possible responses:

1. This is not a well-formed transaction.
2. This is a transaction awaiting signatures.  You can sign it, and then it will be complete and can be executed.
3. This is a transaction awaiting signatures.  You can sign it, but it needs further signatures to be complete.
4. This is a transaction awaiting signatures.  You do not have any of the keys it requires, and cannot sign it.
5. This transaction contains signatures that are not valid.  The transaction may have been changed since it was signed.  Remove the invalid signatures?
6. This transaction is complete but has not been submitted to the network.  Submit it now?
7. This transaction is void because one or more of its funding sources has already been spent or redeemed.

Wow, you took my statements to an extreme that doesn't match what I have been promoting.  I wrote the spec to have human-readable components to it.  I think it's critically important that the block is not entirely opaque.  But I think ease of implementation by developers and handling blocks to be highest priority, with the ability for a human to visually parse it be next.  No matter what, it is still going to have to be signed by a computer, which means it will be parsed by a piece of software that will be presenting it in a much more human-readable form, anyway.  To me, it's not critical to make it "pretty," and we can respectfully disagree about that. 

I'd actually prefer it look a little more code-like and encourage only advanced users examine it by eye.  Not only will humans-reading it never be the norm, but trying to make that the norm opens up small issues with the encodings.  With arbitrary symbols/words in the format, it can lead to deceptive practices of giving people TxDPs that look like one thing to the eye, but turns out to encode something else.

In reality, none of this is critical.  Your way would work fine as long as we add line-wrapping to fit it into 80 columns.  Because I think it's important that it doesn't force horizontal scrolling if it is posted inline in an email or in a forum post. 

 

So you would rather make the data completely unreadable to humans for the benefit of saving about 20 lines of code in the source?


So what you are saying, is that because the most common use case doesn't involve looking at this data, we should make looking at it (without an external tool) totally impossible?

If you want the world to buy off on this, it's best to make it user friendly.  Apple and Microsoft didn't get where they got by making things needlessly obscure and geeky.  These are NOT good reasons to intentionally choose a data format that REQUIRES a tool to interpret, versus one that does not.

Your suggestion isn't that hard to parse, I agree with you.  But it could be easier -- just think of C++ using ">>" operators to read the data in:  there's going to be a lot of "dead" strings, where the implementer is going to have to count how many fields to skip to get to the next useful field...for every field.  I just think we'd be best to prefer compact and dirt-simple to parse, and let the client make it human-readable.

However, I do like the idea of having comment lines in the TxDP, then the person reading it can just preprocess the block by throwing out all lines beginning with '#' (or whatever comment character is chosen). 


I technically agree with you, but like Mike Hearn said-- that's not going to be the standard use case.  I definitely think the standard should support all ASCII, clipboard-able data (which you have), to support all use cases.  But it should be tailored towards the most common one, which is that average users won't ever be seeing these code blocks.  They will be parsed by client software and presented to the user in the client-specific way.  It may be less safe, but it's going to be by far the most common way for users to interact with it.



I am not saying that third-parties won't be involved, I just want to make sure that it's possible to use this system without third-party services and without needing 3 months experience developing Bitcoin to do it. 

I dont' think third party can't play a part in bitcoin, when bitcoin can play without third party.

There are third party everywhere: 
SilkRoad is a third party
MtGox is a third party
Bittorrenz is a third party
GLBSE is a third party

Why isn't this machine readable?  I find this very easy to parse, and would consider writing code to parse it very elementary.

All of the lines are of the following construct:

Name: Value

Parsing the block is as simple as splitting it on CR/LFs, discarding the comments, looking for a colon on each line, taking everything before the colon as name, taking the rest as value.  And if the line starts with a space, treat it as a continuation of the previous value.

Cutting and pasting text is so much safer than having people open file attachments.

Casascius, I think the number one priority for TxDPs (or whatever we want to call them) should be machine-readability.  That's not to say your suggestion is terribly difficult to parse via code, but it's definitely much more focused on human-readability--which I think should be one of the lower priorities.  I think the standard use case will be users getting this TxDP as an email attachment, and then their client will automatically detect it and display it in human-readable form anyway. 

As such, I believe that we should definitely have a format that has minimal whitespace, extra words and punctuation.  And we should definitely limit it to 80 columns to make sure that identifying and copying it by hand is super easy (I hate getting emails where text is running off the right side of the screen... it's should be a compact representation).  After these two priorities are satistified, then we should start adding stuff for human-readability for those of us that might be inclined to manually inspect it.  But I think, even for advanced users, the code blocks will usually be loaded/copied-into a program that will present the data in a pleasant, human-readable form, and thus, we should focus on ease of client implementation, not human-readability.

I believe including the TxIn amounts and a comments field is a good idea.

This is a higher-level implementation detail.  For someone writing a client or starting a service for helping people to do multi-sig transactions, they should implement it in such a way that the user never sees a TxDP block.  But that doesn't mean that we should ignore the use case where advanced users might actually find it useful to work with raw blocks.  The goal of BIP 0010 is provide a compact way to represent the data that should work well for all use-cases.  It's up to the client/app implementer how much they want to expose to their users..

If someone is trying to make a super-simple client for average users and it requires them to copy these code blocks around, it's not going to be very successful.  But there's no reason that BIP 0010 can't also support the advanced users that might actually prefer to copy the code blocks around, while at the same time defining an interoperable way for all users to accommodate it.  For instance, a "simple" user can send me a .txdp via email attachment without ever seeing any code because their client can create an Outlook/Thunderbird email window with the attachment already there.  I could install software to automatically detect and handle this attachment without exposing any of the code to me... or maybe I'll open the attachment myself and manually inspect and sign it with my CLI tools.  It costs us nothing to support all these use cases, and it really does support all use cases and guarantees interoperability, there's a good chance other developers will use it.


Again, third-parties handling these things is a higher-level implementation detail.  I really want a "standard" that is usable without a third party (even if only by advanced users) , and then the third-party services can step in to accommodate the less-advanced users.  I believe that with some kind of ASCII encoding as defined in BIP 0010 (or Cascasius' suggestion), it's possible to write client software that requires only a few steps to execute a multi-sig transaction without a third party.  It would be awesome if we succeeded at this -- and it's completely within the spirit of Bitcoin to have a system that can be usable without third-parties, even if most users will end up using one.

So, just to reiterate what I said on the mailing list, I think any UI that involves seeing something (base64,hex,base58) encoded isn't going to work.

The goal should be very simple - the user should never see any codes at all. That is the UX a professional software company would be aiming for and Bitcoin should be no different.

Gavin is on the right track - files or magic URLs that can be handled by the software the user is running are the way to go here. For escrow setup, the user should be presented with a list of escrow providers that the merchant finds acceptable and some useful data about each one (logo, name, link to their website, some promotional text, etc). Then you just select one and the rest is automatic.

Other than preferring Base64 over hex, this is how I envision it:

What you said is essentially what I envisioned.  Any kind of multi-sig transaction can be serialized in this way, and then anyone who follows this wannabe-standard can interoperate with others who do the same.  If someone wants to set up a service for exchanging these blocks, they can, or someone can just make a client that recommends sending them inline in emails.  I just wanted to define a consistent way to circulate information that works in ASCII fields and is usable by even the most lightweight clients (no blockchain needed, to use sign it).


I don't know if I'm at the bleeding edge of this field, but I envision that there would be a third-party service that freely gives out addresses.  The buyer will put up 110%-120% of the cost of the merchandise into the multi-sig tx, and then the buyer will get that 10% back when the transaction is complete (thus giving him incentive to finish the transaction, even after he receives the goods/service).  If something goes wrong, the buyer and/or seller can contact the third party to mediate, and the third party would get the 10%.  It's only when something goes wrong that the mediator gets involved or gets any money.

Arguably, this isn't ideal because it means the buyer is always paying for the mediator.  You could have buyer and seller both put up 5%-10%, but that would require another multi-sig tx in order to seed the transaction, in addition to the one to unlock the funds afterwards.

A couple of questions which I think were touched on a little:

First, would the recommended approach be to add calls to the API?  For example, a call that allows low-level crafting of the transaction or at least the script could be used by multiple UI's so that the presentation is separated from the inner workings.

Second, the case of buyer-seller-mediator can be handled with a 2-of-3 signature transaction.  My question is: does the mediator get paid in a separate transaction?  What if the mediator expects a small fee if the transaction goes properly, and a larger one if he has to intervene?

There's not really any overlap between what we're encoding and what PGP is encoding, so I'm not sure how necessary it is.  However, I agree that Base64 encoding would result in less characters on-screen, and there may be other things to learn from PGP.  Though, if anything, I would expect Base58 would be better since any BTC software would already have a method for the conversion.  Either way, any of this is open for discussion.

The other difference is that PGP basically encodes everything into a single opaque block of Base64, whereas I'm interested in keeping a little bit of human-readable information outside of the encoding.  To someone who doesn't know/care what's between the begin/end tags, it doesn't make a difference.  But it makes a huge difference for those of us who are inclined to visually inspect these code blocks.  I envision getting an email where someone copied the TxDP into the email and said "please add second signature and broadcast."  I don't have to fiddle with any programs to know that they forgot to sign it.

So, this is temporarily in gist, but I'd really like to get it into something more like what you have here, or at least figure out how to get gist to apply some kind of reasonable formatting to it.  Perhaps someone can help with this.  Once I get it pretty'd up, I'll forward it to the btcdev mailing list.    EDIT: got converted to a "markdown" document in Gist, now it looks pretty good!  I might leave it on there for now, and duplicate it on the wiki when it's back up

RE: BIP 0010 :  Cool!

Suggestion:  if we're going to borrow PGP's file format, then we should be as compatible as possible, and reference their standards document:  http://tools.ietf.org/html/rfc2440

In particular, they use Radix64 encoding, not hex...
 

By the way, I just posted BIP 0010 to gist:  https://gist.github.com/1321518

Unfortunately, I couldn't figure out why word-wrapping is failing, so you might have to click the "raw" link to see it rendered in plain-text with wrapping.  

Keep in mind that the entire second half of that BIP is actually pseudo-code.  So it may appear long at first glance, but it's only half of what it seems.  On that note, I saved the gist as .py so if you examine the code from the original link, it will be a little easier to read with code highlighting.

I think it's a mistake to assume that users won't be using Bitcoin from their own computers.  One core attraction of Bitcoin is the decentralization, and by assuming that end-users will flock to centralized "access points," we're creating a self-fulfilling prophecy.  We won't try to make it usable by the end-user directly, and then there will have to be third-parties to dumb it down for users.

My attitude is to not concede to third-parties until we know we have to.  Polish the hell out of the interfaces, make it as intuitive as possible, and give the users a chance to manage their own money.  If a user can succeed without paying a fee to a third-party, why would he?  Obviously, the 2-of-3 escrow transactions have a third-party, by definition, but that's a different topic than whether users will be managing coins on their computer or through a service.  I think light-clients that don't download the blockchain (or take 4-48 hours to load), with encrypted wallets, will make a huge difference in usability for "regular" users.  (most regular people use online banking... why not BTC?)

Additionally, I think one of the most important things, is the ability for management at small companies to handle BTC without having to hire/divert employees to deal with it.  Any benefits of BTC seen by small companies would be overrun by the cost to maintain it.  And without companies using it, BTC won't get very much attention.

Regardless, I totally agree about hiding all this stuff behind an "Advanced" tab/menu.  I think "regular" users should be shielded from confusing themselves with complex Bitcoin operations, until they explicitly decide they want them.  

So along those lines, I'm working on a BIP right now for multi-sig exchanges, which can be handled much like PGP/GPG msgs and sigs (armored ascii, easy to copy/print/email).  I think it gives us an opportunity to standardize this process so all BTC programs can interoperate without trouble.  Maybe I'm being too optimistic...    I'll post a link to the BIP when I get it up, but right now the wiki is inaccessible

EDIT:  Btw, I'm not ignoring the rest of your post, I just wanted to throw it out there that my initial assumptions are different, and I think there's reasons to be optimistic.  I'm going to work out some more details in my head before responding.

2-of-3 signatures are useful.

Like the alipay.com in China (belong to  alibaba,  belong to yahoo) ,
when buyer and seller has disputes ,
ALIPAY will decide where the money goes (back to buyer or forward to seller, depending on evidence).

Most of China's e-commerce are using this kind of service.

I've been thinking a lot about transaction IDs and how to gather signatures for multi-party transactions, too.

For the most part, I think all the details should normally be hidden from users-- I think "Select Transaction Type" is much too geeky.

Thinking out loud, and starting with what I think will be a very common use case:  buyer and seller and somebody to resolve disputes that arise (2-of-3 escrow).

Are you imagining all three are using a bitcoin client? In my head, one might be using bitcoin-qt, another a web-based wallet service, and the dispute resolution would be done by a company with a website. I don't think "we're all running bitcoin on our computers" will be the common case.

So here's how I see it working (my ClearCoin experience may be biasing me):

Buyer and Seller sign up with the escrow service. During signup, they each give the escrow service a public key.  How?
  -- Clunky way:  they poke a "Advanced.... New Public Key" button and then copy&paste a long string of hex
  -- Better way: they poke a link on the escrow status page that does some magic
     (maybe there's a bitcoin:sendnewpublickey?destination=https://www.clearcoin.com/newkey/user1234 URI type that can be made to Do the Right Thing)

Buyer or Seller then creates an escrow at the escrow service's website.
  -- Escrow service creates or assigns a keypair for their part of the 2-of-3
  -- Escrow service creates a newfangled bitcoin address using the 3 public keys.

Buyer sends bitcoins to the newfangled bitcoin address (by clicking on it at the escrow service's page-- it could be a bitcoin:... link)

Escrow service's wallet sees the payment to the newfangled bitcoin address, updates the status page.

Buyer tells seller they paid.  Seller checks the escrow status page, clicks on a "send me the money" link and ships the product to the buyer.

What does the "send me the money" link do?  It needs to get a signature from the seller for a transaction that spends from the 2-of-3 transaction and sends to the seller's wallet.  Another bitcoin: URI that does magical stuff?  (bitcoin:signtransaction?tx=...hex...&destination=https://www.clearcoin.com/... ) Or some other clunky copying-and-pasting of long hex strings?

Days later: Buyer gets the product and is happy. They visit the escrow status page and click on a "send THEM the money" link, which does more magical stuff. Or more clunky copying-and-pasting of hex strings.  In any case, the escrow service gets the second signature and sends the transaction to the bitcoin network, and the coins show up in the seller's wallet.

---

Couple of notes:

I don't see the newfangled-bitcoin-address being part of the buyer's or seller's wallet, and adding it to their wallet would be yet another step.

Need to think about what happens if the escrow service suddenly disappears... they can't steal any coins, but if neither buyer nor seller knows the public key the escrow service is using then they can't complete the transaction by themselves.  Perhaps the bitcoin: URI that the buyer uses to fund the transaction should include all the public keys and should be added to the buyer's wallet...

---

All of this would be much nicer if there was a more user-friendly, security-friendly representation of bitcoin addresses / public keys.