RobinLinus/decaying-multisig.md

Last active February 10, 2022 06:24

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/RobinLinus/47dd9dc4a0b614e23d30e2131ff6ea46.js"></script>
Save RobinLinus/47dd9dc4a0b614e23d30e2131ff6ea46 to your computer and use it in GitHub Desktop.

Download ZIP

Raw

decaying-multisig.md

Decaying MultiSig using nLockTime

A decaying MultiSig that requires no bitcoin script other than regular MultiSigs.

A 3-of-3 that decays into a 2-of-3 at block height x.

Alice, Bob, and Carol create a 3-of-3 regular MultiSig output.
Alice signs the output with nLocktime = x and SIGHASH_NONE.
She sends this partially signed TX to Bob and Carol.
Bob and Carol do the same and send their transactions to the other two.
They all make their transaction slightly unique, such that Alice cannot combine Bob and Carol's signatures to reduce it to a 1-of-3.

E.g. by each signing distinct bits of the nSequence field, or distinct fees

Now they are ready to receive the output trustlessly.

Limitations

For each output this ceremony is required.
For it to become trustless, the exact spending output has to be known upfront.
For a Schnorr MuSig the receiving output has to be known, too. E.g., it could be send to an output controlled by the remaining signers.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment