Sorry for keeping this short but I'm in holiday and reading/writing on my phone is a pain. On Aug 24, 2011 4:12 PM, "Gavin Andresen" wrote: > > It seems to me the fastest path to very secure, very-hard-to-lose > bitcoin wallets is multi-signature transactions. > > To organize this discussion: first, does everybody agree? It's a great way for companies to secure their assets. > > ByteCoin pointed to a research paper that gives a scheme for splitting > a private key between two people, neither of which every knows the > full key, but, together, both can DSA-sign transactions. That's very > cool, but it involves high-end cutting-edge crypto like zero-knowledge > proofs that I know very little about (are implementations available? > are they patented? have they been thoroughly vetted/tested? etc). > So I'm assuming that is NOT the fastest way to solving the problem. > > If anybody has some open-source, patent-free, thoroughly-tested code > that already does DSA-key-splitting, speak up please. Since. we have the possibility o add other signature schemes to the protocol we could add an rsa-like scheme which allows m-out-of-n signatures. It works by distributing shares of the key which are points on a curve having the actual key as 0-value. It does not require special length for the key so if ecdsa allows something similar there need not be anything changed. > > I've been trying to get consensus on low-level 'standard' transactions > for transactions that must be signed by 2 or 3 keys; current draft > proposal is here: > https://gist.github.com/39158239e36f6af69d6f > and discussion on the forums here: > https://bitcointalk.org/index.php?topic=38928.0 > ... and there is a pull request that is relevant here: > https://github.com/bitcoin/bitcoin/pull/319 > > > I still think it is a good idea to enable a set of new 'standard' > multisignature transactions, so they get relayed and included into > blocks. I don't want to let "the perfect become the enemy of the > good" -- does anybody disagree? Would be a first step. > > The arguments against are that if the proposed standard transactions > are accepted, then the next step is to define a new kind of bitcoin > address that lets coins be deposited into a multisignature-protected > wallet. > > And those new as-yet-undefined bitcoin addresses will have to be 2 or > 3 times as big as current bitcoin addresses, and will be incompatible > with old clients. > > So, if we are going to have new releases that are incompatible with > old clients why not do things right in the first place, implement or > enable opcodes so the new bitcoin addresses can be small, and schedule > a block chain split for N months from now. > > My biggest worry is we'll say "Sure, it'll only take a couple days to > agree on how to do it right" and six months from now there is still no > consensus on exactly which digest function should be used, or whether > or not there should be a new opcode for arbitrary boolean expressions > involving keypairs. And people's wallets continue to get lost or > stolen. > > Just wanted to point you in that alternative direction as it would possibly keep backward compatibility and allow multisignature. Regards, Chris > > -- > -- > Gavin Andresen > > ------------------------------------------------------------------------------ > EMC VNX: the world's simplest storage, starting under $10K > The only unified storage solution that offers unified management > Up to 160% more powerful than alternatives and 25% more efficient. > Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development