P2SH that pays out only to a certain Bitcoin address?

2

Is it possible to create a type of redemption script that when the correct number of signatures are collected pays out to a pre-defined address ?

Ian Purton

Posted 2015-07-27T15:01:46.607

Reputation: 1 010

And who would be able to sign? If anyone can sign, this is trivial to game. Otherwise it is multisig?

Murch 2015-07-28T12:20:05.910

Yes it would be multi sig. Basically a multi sig address that only pays out to a pre-determined bitcoin address.

This would be useful as a secure bitcoin vault. Even if the key holders collude. The destination can't be changed. You could then create a hierarchy of wallets with different approval levels. – Ian Purton 2015-07-29T09:53:31.907

Ah, sorry, I had overread the "pre-defined address" part. Carry on. :)Murch 2015-07-29T21:46:05.070

Answers

1

I believe this is possible, but with a subtle difference to how OP suggests.

OP seems to want: funds are first signed off by the multisig address, then a transaction is broadcast moving the funds to [destination].

It's not possible for a destination script to stipulate where the funds can end up. A new opcode could introduce that feature, but we can do this a different way.

I would argue this no weaker than having a transaction between the two destinations (as OP envisioned). In either case the multisig participants could hold the funds to ransom before the end user can move them.

Multisig: 2 [pubkey1] [pubkey2] 3 CHECKMULTISIG
Destination: DUP HASH160 [hash] EQUALVERIFY CHECKSIG

Since we cannot lock funds so they are released to a certain destination, we just merge the two scripts, allowing predefined party to take control only when the multisig is solved. He would propose a spend to the others, they sign, then he signs (it can be done in any order)

The scriptPubKey (or P2SH script) would then look like this:

 2 [pubkey1] [pubkey2] 3 CHECKSIG DUP HASH160 [hash] EQUALVERIFY CHECKSIG

And the scriptSig:

 [sig1] [sig2] [sigA] [pubkeyA]

karimkorun

Posted 2015-07-27T15:01:46.607

Reputation: 763

Re ransom/theft: In the predetermined address case, they would refuse to sign release unless they are paid 1BTC. In my case, they would only sign a transaction if x% goes to their address.karimkorun 2016-05-12T16:54:28.390