Is it possible to sign a transaction (to spend) from a multisig address using only one private key?

0

Let's assume there's a segwit address created with 3 different private keys.

Is there a chance that exist 1 (just one) other private key (in the universe of valid private keys) that can sign a transaction from that multisig address (that requires 3 keys to spend)?

user92640

Posted 2019-02-28T21:10:55.030

Reputation: 1

Answers

1

If the bitcoin is locked with three private keys using a simple script that involves signing by all three private keys (3 of 3), then there is no way to spend it without providing all three private keys for the signature.

However, bitcoin being a programmable money, it allows you to create a locking script that is decided by time. By that I mean, you can include conditions within your script such that, after x amount of days, you need only 2 keys and after y amount of days you need just one key to spend the bitcoin. Thus, within the broad spectrum of your question, yes the bitcoin can be spent by only one private key that generally requires three private keys, only if the necessary condition is justified in the locking script. Below is the locking script that you will follow to meet the above condition.

IF
    IF
        3
    ELSE
        <x days> CHECKSEQUENCEVERIFY DROP
        2
    ENDIF
    <Pub key 1><Pub Key 2><Pub Key 3> 3 CHECKMULTISIG
ELSE
    <y days> CHECKSEQUENCEVERIFY DROP
    1 <Pub key 1><Pub Key 2><Pub Key 3> 3 CHECKMULTISIG
ENDIF

The unlocking script for evaluation of

  • 3 of 3 will be < Sig 1>< Sig 2>< Sig 3> 1 1. The 1 and 1 at the end indicates evaluating both the first and second IF
  • 2 of 3 will be < Sig 1>< Sig 2> 1 0. 1 will trigger the first IF and then the ELSE in the second loop
  • 1 of 3 will be < Sig 1> 0 0. It will trigger the first loop ELSE

Ugam Kamat

Posted 2019-02-28T21:10:55.030

Reputation: 5 180

0

No, this is not (practically) possible.

A multisig address relies on a small Bitcoin Script program that takes the form of .

The public keys that are allowed to participate in the signing are defined as the time of address creation. Any other key signing a transaction from that address will simply be an invalid transaction.

Althought, as Pieter mentions in the comments, it is technically possible if you are able to create a Bitcoin Script that requires just one key to spend (it could even require no keys to spend), such that the script hashes to the same value that is encoded in the multisig UTXO. However, this kind of preimage attack is also infeasible.

Raghav Sood

Posted 2019-02-28T21:10:55.030

Reputation: 10 897

It depends on your set of assumptions. As the question is "is there a chance" - there is, though it relies on a preimage attack against SHA256/RIPEMD160 (you'd need to find a different script with the same hash). Bitcoin's security already assumes this is computationally infeasible - but it's a zero chancePieter Wuille 2019-02-28T22:26:15.113

@PieterWuille Good point, I was looking at it purely from the point of view that the Bitcoin Script program would fail, forgot about the preimage attacks. I've updated the answer, thank you!Raghav Sood 2019-02-28T22:33:04.033