Feature request: Transaction that require the signature of both the sender and recipient.

[destenson]

EDIT: Please see this comment for a clearer explanation of the requested feature I've called "multi-sig transactions", for lack of a better term.

I would like to propose that Monero add the concept of multi-signature transactions (in addition to multisig wallets). A multi-signature transaction would be a transaction that requires the valid signature of all parties involved before it is actually committed to the blockchain as a valid transaction. A requester or recipient could be any valid address, not just multi-signature wallets. The transaction can be initiated by either the payer or the payee.

Requests for payment can be initiated by party A with a valid signature (or all required signatures if initiated by a multisig wallet) & when party B also signs the request, the actual transfer of funds from B to A will occur like a normal transaction. This will add invoicing as an intrinsic feature to Monero.

Outgoing payments to a third-party can also be multisig. In that case, the request is for acceptance of payment, and the transfer is completed when the recipient signs the transaction. Since the transfer is not valid until all parties sign, this allows the funds for the transaction not to be committed until the recipient accepts the payment. If funds are not available when the transaction is adequately signed, it will be rejected by the blockchain due to insufficient funds. A signatory can also rescind their signature before the transaction is accepted by all parties. This allows a fund transfer to be cancelled before payment is accepted. This is a feature that is missing from all major cryptocurrencies.

[fluffypony]

MRL work currently being done here: https://shnoe.wordpress.com/2016/03/22/ring-multisignature/

[ChristopherKing42]

Its already possible: http://monero.stackexchange.com/q/782/255

[luigi1111]

This is known. No one has wanted to take up implementation with RingCT coming "soon" and making it incompatible.

Getting the communication to be non-clunky will be a work of art in itself I think.

[Riiume]

Dear developers, I have posted a $480 bounty for completion of this issue: https://www.bountysource.com/issues/35498752-feature-request-multi-sig-transactions

Best of luck!

[lessless]

This is an OUTSTANDING feature! It will allow to create recurring payments: business can initiate transfers at the beginning of the each billing cycle and customer just sign them off in the wallet.

What a brilliant idea!

[Tails]

The communications across the web are a bit ambiguous. Is multi-sig already possible now or not? Is it being worked on? When is it expected?

For example, it seems it was possible in 2016 based on this answer: https://monero.stackexchange.com/a/783

However, in the roadmap it is still listed to be done in 2017: https://getmonero.org/resources/roadmap/

And here it seems the feature is being reviewed and tested, waiting for integration: https://github.com/monero-project/monero/pull/2134

[destenson]

@Tails, I'm sure the devs will have more to say, but it certainly appears to have been worked on recently. From the links you posted, it looks like many features are already implemented, but it's probably not considered complete yet.

However, @lessless's comment shows he understands that this particular issue that I posted originally is not about standard "multi-sig" as you normally think of when you think of multi-sig wallets, etc. This particular issue is about possibly generating a temporary ring between sender and receiver that would allow individual transactions to be completed when the recipient signs the transaction.

@luigi1111 or @fluffypony, or anyone who knows, does a recipient's address contain enough information to generate a 2-party ring-signed transaction that would allow/require both sender and receiver to sign before the transaction is complete? If private keys for both parties are necessary to create the ring-signature, that would prohibit the use-case(s) I was thinking of when creating this issue. But if the address contains a public key, and if only public keys are necessary to create the ring signature(s), then it definitely seems like it would be a viable way to implement this feature.

[moneromooo-monero]

That stack exchange link essentially says "yes, it's possible, if you write the code". It does not say "yes, and the code is written". #2134 is the code for doing so, and is close to being fixed up to work with subaddresses.

[moneromooo-monero]

I'm not sure I understand your question destenson, but:

• a recipient's address contains both the public spend key and public view key.
• to create a ring signature, you need a private spend key for one of the ring members (and multisig does that in reconstructing the results of using that private key).

So I think you will have to rephrase your question with specific details.

[destenson]

@moneromooo-monero, thank you. That does answer my question. It would mean that this implementation of "multisig" as you refer to it, does not provide the features required to enable the kind of multi-sig transaction this issue requests.

[moneromooo-monero]

Then I suggest you explain it clearly, as the first post is very vague, due to being explained in flowing English. For instance, "Requests for payment can be initiated by party A with a valid signature" needs the following information: what is a request (from the point of view of the network), what is the initiation step (and what other steps are there, equally well defined), what information does the signature sign (if it is just "the request" then the request needs to be well defined), and it would be helpful to have an basic overview of whether monero is meant to flow from A to B, or B to A, or both.

[destenson]

@moneromooo-monero, thank you. You are absolutely right. I agree and apologize. It was difficult to explain initially and I did not explain it very effectively. Let me try this again...

The idea is to have a sender, Sam, send a payment to a recipient, Rita, that either Sam or Rita can initiate or cancel (for little-to-no cost) and that must be signed with both Sam's and Rita's private keys before it can be mined.

I may have jumped ahead prematurely by suggesting a (non- Monero-specific) possible implementation using multi-sig technologies and then calling them "multi-sig transactions" in this thread. When I refer to a "multi-sig transaction", I mean a type of transaction that:

• may be created by either Sam or Rita, and
• transfers funds from Sam's address to Rita's address, and
• must be signed by both Sam and Rita before it is considered complete, valid, and ready to mine, and
• might be implemented using ring signatures, if the ring signature parameters can be specified using only the public keys or addresses of each party. This type of ring signature would still require signers to sign with their private keys, but could create the ring easily from a pair of public addresses. (I have learned since the original post, that this feature may not be generally possible using ring signatures.)

This type of transaction would be similar to a traditional multi-sig account, but rather than requiring signatures of a certain number of pre-authorized accounts for the transaction to be complete and valid, it would instead require the signatures of both the sender and the recipient.

In the following examples, Sam may represent a single individual address or a regular multi-sig wallet account/address. In the case of a multi-sig wallet, all necessary signing requirements for making transactions would remain intact. If 2-of-3 signatures is required to make payments from that address, then all 2-of-3 signatures would be required to be a valid signature as Sam to initiate or approve an outgoing payment. When Rita is a multi-sig address, it might make more sense to allow a single one of the authorized signers to acknowledge receipt instead of requiring all (e.g. 2-of-3 signatures) to sign. But I think that should be user configurable, as some multi-sig owners may want it to be easier to receive payments and others may want it to be harder to receive unwanted payments.

This type of transaction, a "multi-sig transaction" as I called it, could be created by either party:

1. Sam makes a payment to Rita by:
   • creating a transaction with payment details for Rita and signing it.
   • then the incomplete, half-signed transaction is provided to Rita's client (specifically or broadcast to the network if clients are unreachable).
   • when Rita, or her automated client, notices the half-signed transaction waiting for her to approve, acknowledge, sign and complete, she can:
     • sign the transaction and broadcast it to the network to be mined, completing the transaction and effectively providing Sam the additional acknowledgement of payment acceptance as requested.
     • or cancel it, by requesting that the network remove the incomplete transaction from its list of incomplete, half-signed transactions, effectively providing Sam with the acknowledgement requested of Rita as well as acknowledgement that Rita disapproved the payment details supplied by Sam's transaction.
2. Or Rita creates an invoice requesting payment from Sam by:
   • creating a transaction with payment details for Sam and signing it.
   • then the incomplete, half-signed transaction is provided to Sam's client individually or broadcast to the network if clients are unreachable.
   • when Sam, or his automated bill-payment software ;), notices the half-signed transaction awaiting his signature, he can:
     • sign the transaction and broadcast it to the network for mining, completing the transaction and providing Rita with the acknowledgement, approval and transmission of payment she effectively requested.
     • or cancel it, by requesting that the network remove the incomplete transaction from its list of incomplete, half-signed transactions, effectively providing Rita acknowledgement from Sam that he received the payment's details and disapproved of the payment.

By offering a half-signed transaction for Rita to sign, Sam is effectively requesting Rita's acknowledgment and approval of the payment details as provided by Sam's half-signed transaction. And by offering a half-signed transaction for Sam to sign, Rita is effectively requesting Sam's acknowledgement of the payment request, and his approval of the payment's details as provided by Rita's half-signed transaction.. Therefore, a fully-signed transaction (signed by both Sam and Rita) effectively provides both:

• authorization (by Sam) to make the intended payment from his address, and
• acknowledgement (by Rita) that approval was granted to receive the payment with her address.

Some benefits of having a type of "multi-sig transaction" like this available:

• Mistakes and accidents can be corrected before they cause the loss of funds. This would depend on the recipient address not auto-approving deposits. That would almost always be the case for mistyped/miscopied addresses that had never been used previously.
• Sam can change his mind and cancel the transaction any time before Rita signs it in order to prevent it from being mined.
• Rita can send a half-signed transaction effectively as an invoice. Sam would only need to sign the transaction (and have it be mined) to complete the requested payment.
• Rita can refuse to accept unexpected deposits by cancelling them. A broker, exchange or other service could refuse to accept any deposits that did not come from their list of known clients.
• Sam can be more "creative" with budgeting and have more freedom to use funds in alternative ways if Rita does not promptly acknowledge and accept Sam's payment.
• Either party could cancel a transaction and replace it with a transaction having different payment details.

And some issues with having a transaction type like this available:

• Assuming the mempool would retain incomplete, half-signed transactions awaiting approval, the network could become saturated with these non-mineable transactions. One solution could be to send half-signed transactions directly to the other party instead of broadcasting them, using, for example:
  • a specially formatted URL that includes everything required to recreate the half-signed transaction, or
  • a half-signed transaction file that could be attached to email and opened by a compatible client, or
  • a messaging system, such as Bitmessage (just an example, not an endorsement), that transmits the half-signed transaction as a direct message to the other party.
• Network fees may change between the first and last signatures. Probably trivial to solve.
• There should be a reasonable expiration period for these types of transactions to prevent stale and unusable half-signed transactions from staying in the mempool for too long.
• To cancel a transaction, a party might need to sign a proof of cancellation. This could get problematic unless the cancellation proof replaces the existing half-signed transaction instead of allowing stale transactions to exist on the network in variously signed states. If signed proof is required, how long would that proof of cancellation be retained in the mempool? I think it really should just cause the removal of the half-signed transaction from the network instead of adding another signed proof to the mempool. Removal of a half-signed transaction from the network probably should be only be caused by expiration of the transaction or by cancellation of the transaction by one of the required signatories, either Rita or Sam.
• Finally, transactions specifying UTXO as inputs may be difficult to reliably initiate by Rita, unless those inputs could be specified in a way that the transaction need not be re-signed when inputs change.
  • This could prevent a transaction of this type from working well on certain blockchains (such as Bitcoin and Monero 😦) that depend upon specifying unspent outputs to used as inputs for the transaction.
  • It might be more of an edge case that is really only a problem for addresses that send payments frequently, but I still think it's an issue to be solved before this idea is viable.
  • Depending on internal design, it might be possible to use sane defaults instead of specifying precised inputs, but that will introduce more edge cases when the defaults cannot be picked or used sanely or cheaply.
• There are probably many other things I haven't thought of as well. I encourage your feedback.

Hopefully you and others will find this explanation more digestible. Thank you for your suggestion. I look forward to more, since I am not an expert at Monero.

[moneromooo-monero]

That was a lot more understandable, thanks. First thing that comes to mind is that you'll be either spamming the chain with "cancel" notes, or allowing the cancelling pary to later replay a previously cancelled tx. Using the txpool like this is an attempt to bypass mining, and thus is not decided by consensus.

That said, the idea behind it is possible, by having both parties spend one of their inputs in that tx. Then cancellation becomes merely "not signing the tx" (that is, a passive absence of step rather than an active step). It seems similar to vespco's idea about dominant assurance contracts (search for those exact words).

[destenson]

I did consider the additional load on the txpool might be excessive. With ethereum or bitcoin, that could be prevented by sharing the transaction with the other party directly, and submitted to the network only after being fully signed. Does Monero also provide that possibility? If so, a half-signed transaction could be given to the other party "by hand" using a file, network message, or any other method of preventing the transaction from entering the txpool before it's been fully signed. And then, as you suggested, a cancelled transaction would simply be one that is not signed by all parties.

Also, is it true that Monero doesn't offer any method of communication between individual clients or addresses (besides submitting transactions to the txpool)? If so, and if this feature is added to Monero, you should consider adding a messaging feature as well. It might even be good to add messaging regardless, since it would permit additional use-cases that may have never been considered before. And if direct messaging were availabe, it would help to protect the txpool from such spam.

Can you help me understand what you mean by cancelling party replaying a cancelled tx? Do you mean that the a cancelling party could cancel a transaction, then later sign and submit it maliciously after the other party had concluded it was cancelled? Thanks.

[lessless]

@moneromooo-monero as far as I understood from reading https://www.reddit.com/r/Monero/comments/6htvg3/monero_is_perfect_for_dominant_assurance/ DAC will require a seller to attach extra funds to initiate a payment. The first application of proposed feature, in my mind, is empowering SaaS business model. So far it's not possible to use any other crypto in the SaaS model unless there is a 3rd party like Coinbase that will sign off periodical payments on the customer behalf.

Using DAC in such condition doesn't seem reasonable (and it will be almost impossible to justify to any management) - business potentially can lose money with any of its customers when it wants to bill them. Quite opposite outcome. One way around that is to increase a fee when accepting Monero and hedge the risk by including that extra in the monthly payments. Which will make the same service cost in fiat less, than it will cost in Monero.

Off-chain sharing sounds like a nice option here. Maybe LN will help somehow?

[dEBRUYNE-1]

+proposal

[destenson]

I don't know how easily it can be implemented in Monero, but the Simple Schnorr Multisignatures recently described by Blockstream in this paper, sound like exactly the kind of algorithm that would make this proposal feasible as described.

[moneromooo-monero]

Above, cancelling a transaction is just not signing it. No active step. Not like a revocation you check, just the absence of an action. Therefore, the party can sign/relay it later, if wanted. The case I had in mind is:

Alice and Bob have a 2/2 multiisig wallet. Alice creates a new tx, and passes it to Bob for signing Bob does not sign it (Bob could claim he never received it too) Stuff happens Bob actually signs/relays it days later, surprising Alice

Here, "Stuff happens" could be "Alice makes another tx, and Bob signs it normally". If that tx doesn't invalidate the earlier one (through double spending), then Alice/Bob spent twice.

[destenson]

I understand that is how it works now.

The suggestion would require allowing cancelling or revoking a transaction as an action.

As this topic is going nowhere. I'm ok if it's closed.