Oddbean new post about | logout
 Answer to this question from a few days ago: mempool.space helpfully shows you a decoding of the scriptSig; in this case you can see that a 2 of 3 multisig was being used. However, there are two things rather strange about this multisig redemption script.

First, the keys are using uncompressed encoding. You can see this because the pubkeys start with "04". Further, an uncompressed pubkey then displays the x and y coordinates of the point, in that order, meaning the total size of each pubkey is 65 bytes. Uncompressed pubkeys, starting with 03 or 02 instead of 04, take only 33 bytes and are therefore universally preferred (in the DER encoding used pre-taproot; taproot uses a 32 bytes serialization, instead).

These uncompressed pubkeys were relatively common in the early days of bitcoin, and famously persisted in isolated use cases e.g. the bitmex deposit account which was something like a 4 of 5 uncompressed key multisig - very space inefficient.

Anyway, that's only part of the story here: you'll notice that the 3rd of the 3 pubkeys, while being marked again as uncompressed ("04") actually only has 33 bytes, not 65. This is simply user error; this is NOT a valid pubkey encoding.

This is a corner case; it does *not* break consensus to have one of the N pubkeys in an M of N multisig be invalid, *if* the signatures provided in the scriptSig are valid for keys other than the invalid one.

It was however, not *standard*, so this transaction had to be submitted manually to a miner.

The question is not trivial of course; if pubkeys are allowed to be invalid in multisigs, does it help people use them to embed data? And, is that something anyone should care about? And, even if you restrict consensus to only allow valid pubkeys here, does that make any difference? Can people embed data anyway (hint: yes)?



nostr:nevent1qqsrged0nafpusc0lwts4dknfq9enfnsw028rl9mcglcvc6a3udc7zgpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsygr8twz0ua0zz64eglr58rh9r898wafhdh0stkklhf3830gp9cwh9qpsgqqqqqqs6srw67 
 Ping @SD 
 IIRC at one point OpenTimestamps had code that would embed a hash into a bare pubkey in a multisig by grinding the hash until it happened to be a valid pubkey.  
 I guess if anyone should remember that, it'd be you  :)

Or was it Ricardo? Stretching my failing memory here ... 
 If that code does in fact exist, I almost certainly would have been the one to write it. Ricardo has does a lot of work on OTS. But not that part of the codebase. 
 note1zteaqtpexe7nx26knsjqpf08qhvwwc54vd753m8x006xxsa55nqscp907v 
 My relays/amethyst can't see that event. 
 nostr:nevent1qqsp9u7s9sunvlfn9dtfcfqq5hnstk88v22kxl2gann8harrgw62fsgpzemhxue69uhhyetvv9ujuurjd9kkzmpwdejhgq3qc32cyk7n2xzja96dlxyk4tzq7pssy3fhemthjdtdkaewpuflj6xqxpqqqqqqz60njvn