public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
* [Bitcoin-development] sorting public keys for p2sh multisig transactions
@ 2014-03-12 17:10 Ryan X. Charles
  2014-03-12 19:42 ` devrandom
  0 siblings, 1 reply; 2+ messages in thread
From: Ryan X. Charles @ 2014-03-12 17:10 UTC (permalink / raw)
  To: bitcoin-development

[-- Attachment #1: Type: text/plain, Size: 1770 bytes --]

For a p2sh multisig transaction, the serialized script looks like this:

m [pubkey] ... [pubkey] n OP_CHECKMULTISIG

The p2sh address is the hash of this script. The public keys can come in
any order, but the hash depends on the order. If you have a list of
public keys, to which address do you send your money? We need a standard
way of sorting the public keys so that the address generated is always
the same for the same public keys and m.

There are two kinds of public keys: compressed and uncompressed.
Uncompressed are longer than compressed.

There are a few obvious ways we could sort the public keys: as strings,
as big endian numbers, as little endian numbers.

The difference is this. Suppose one public key is 59234 (uncompressed),
and the other is 6903 (compressed). If we sort these as strings, then
6903 > 59234. But if we sort them as big endian numbers, then 6903 is
really 06903, and then 06903 < 59234. So it makes a critical difference.
Sorting as little endian is yet another option that is not the same as
the other two.

I noticed Alan Reiner's comment in an earlier message:

"Just like Jean-Pierre mentioned, we'll be using parallel
trees to generate P2SH addresses after sorting the keys
lexicographically."

It sounds like "lexicographically" probably means sorting as strings. I
have made an implementation of public key sorting in javascript where I
sort them as big endian numbers and fill in the 0s. IMO, the simpler
method is to sort them as strings, which has a simpler implementation
since it doesn't require filling in 0s first. However, I don't actually
care what method we use so long as everyone in the bitcoin world uses
the same standard. Which is the best way to sort public keys?

-- 
Ryan X. Charles
Software Engineer, BitPay

[-- Attachment #2: 0xA11B4DDE.asc --]
[-- Type: application/pgp-keys, Size: 5718 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [Bitcoin-development] sorting public keys for p2sh multisig transactions
  2014-03-12 17:10 [Bitcoin-development] sorting public keys for p2sh multisig transactions Ryan X. Charles
@ 2014-03-12 19:42 ` devrandom
  0 siblings, 0 replies; 2+ messages in thread
From: devrandom @ 2014-03-12 19:42 UTC (permalink / raw)
  To: Ryan X. Charles; +Cc: bitcoin-development

Hi Ryan,

Probably the most neutral way to go about this is to lexicographically
sort by encoded representation bytes.  In java, that would be
ECPoint.getEncoded.

This is what we currently do in our watchdog Oracle.

On Wed, 2014-03-12 at 13:10 -0400, Ryan X. Charles wrote:
> For a p2sh multisig transaction, the serialized script looks like this:
> 
> m [pubkey] ... [pubkey] n OP_CHECKMULTISIG
> 
> The p2sh address is the hash of this script. The public keys can come in
> any order, but the hash depends on the order. If you have a list of
> public keys, to which address do you send your money? We need a standard
> way of sorting the public keys so that the address generated is always
> the same for the same public keys and m.
> 
> There are two kinds of public keys: compressed and uncompressed.
> Uncompressed are longer than compressed.
> 
> There are a few obvious ways we could sort the public keys: as strings,
> as big endian numbers, as little endian numbers.
> 
> The difference is this. Suppose one public key is 59234 (uncompressed),
> and the other is 6903 (compressed). If we sort these as strings, then
> 6903 > 59234. But if we sort them as big endian numbers, then 6903 is
> really 06903, and then 06903 < 59234. So it makes a critical difference.
> Sorting as little endian is yet another option that is not the same as
> the other two.
> 
> I noticed Alan Reiner's comment in an earlier message:
> 
> "Just like Jean-Pierre mentioned, we'll be using parallel
> trees to generate P2SH addresses after sorting the keys
> lexicographically."
> 
> It sounds like "lexicographically" probably means sorting as strings. I
> have made an implementation of public key sorting in javascript where I
> sort them as big endian numbers and fill in the 0s. IMO, the simpler
> method is to sort them as strings, which has a simpler implementation
> since it doesn't require filling in 0s first. However, I don't actually
> care what method we use so long as everyone in the bitcoin world uses
> the same standard. Which is the best way to sort public keys?
> 
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and their
> applications. Written by three acclaimed leaders in the field,
> this first edition is now available. Download your free book today!
> http://p.sf.net/sfu/13534_NeoTech
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists•sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development





^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2014-03-12 19:42 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-03-12 17:10 [Bitcoin-development] sorting public keys for p2sh multisig transactions Ryan X. Charles
2014-03-12 19:42 ` devrandom

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox