Skip to content

Arbitrary multisig, a multisig design for CKB which supports multiple digital signature algorithms #448

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
xxuejie wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Arbitrary multisig, a multisig design for CKB which supports multiple digital signature algorithms #448

xxuejie wants to merge 5 commits into from
+376 −0

Conversation

@xxuejie
Copy link
Contributor

@xxuejie xxuejie commented Mar 18, 2025

@xxuejie xxuejie requested a review from a team as a code owner March 18, 2025 04:35
@xxuejie xxuejie requested a review from quake March 18, 2025 04:35
XuJiandong
XuJiandong reviewed Mar 19, 2025
View reviewed changes
@xxuejie xxuejie mentioned this pull request Jun 10, 2025
Merged
Hanssen0
Hanssen0 reviewed Jun 10, 2025
View reviewed changes
rfcs/0000-arbitrary-multisig/0000-arbitrary-multisig.md

The multisig configuration designed here, is highly inspired(though differences still exist) from [multisig lock included in the genesis block](https://github.com/nervosnetwork/ckb-system-scripts/blob/934166406fafb33e299f5688a904cadb99b7d518/c/secp256k1_blake160_multisig_all.c#L17-L28):

* `S`: a 1-byte reserved value, right now `S` must be `0x80`, to differentiate from the reserved value used in multisig lock included in the genesis block.
Copy link

@Hanssen0 Hanssen0 Jun 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I insist that we should at least explain this clearly in the document. From the last script to now, the only thing that is available in the public documentation is a description of the reserved area, but there is no description of its function or why we chose the value that way. This has caused confusion.

For full context see cryptape/quantum-resistant-lock-script#14

Copy link
Contributor Author

@xxuejie xxuejie Jun 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to fill in the complete context: in cryptape/quantum-resistant-lock-script#14 (comment), @Hanssen0 actually proposed a different design: we can simply remove S, whether it is a reserved field or a version field, a lock / type script implementing current multisig design should implement this multisig design only. When a new multisig design is introduced, a new script should be used, different code_hash shall be used to distinguish one multisig design from another.

Not to say which direction is better, but just want to provide a complete background here, we can then discuss which design adapts to the future better.

Copy link
Contributor Author

@xxuejie xxuejie Jun 13, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding a counter example: in the design of cobuild, we actually encoded special union IDs:

union WitnessLayout {
  SighashAll: 4278190081,
  SighashAllOnly: 4278190082,
  Otx: 4278190083,
  OtxStart: 4278190084,
}

See here for more details.

Those special union IDs, are exactly hacks required, because WitnessArgs do not have a version byte, or a reserved field. In future expansions, we will need to tell the 2 formats apart(WitnessArgs vs cobuild data structures). Even if an old script only deals with WitnessArgs, it still brings merits since it can reject apps that wrongly use the new cobuild format.

So personally, I do see values in a reserved field in the multisig format. Even if we want to stick to the fact that one script only implements a single multisig format, it still can benefit us in the future.

@phroi
Copy link
Contributor

phroi commented Jun 20, 2025
edited
Loading

There is an incoherence in this RFC implemented by the quantum resistant lock:

  1. S needs to be explicit (version field).
  2. Set of supported digital signature schemes (by a given lock implementing the RFC such a the current) is implicit and requires off-chain knowledge to interact with said lock (though only a subset of ALGO_IDs is supported).

Do we need off-chain knowledge about the lock we are interacting with?

  • If no, ok, prove it: design a test suite for the RFC that doesn't need to be tailored for a given lock implementing this RFC (no hand picked exclusion of tests depending on the lock, that's cheating)
  • If yes, we can drop this field, as it is not necessary.

@phroi
Copy link
Contributor

phroi commented Jun 20, 2025

Additionally, where are the examples/visualizations in this RFC?

The section named examples is just a low effort link to an incomplete implementation of this RFC in the form of the quantum resistant lock. I'd call it low effort because it's very much unclear what's the mapping between the entities described in the RFC and the ones appearing in the code.

Are we even trying to get other devs to understand the work being done here?

Please provide examples and visualizations!! 🙏

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@XuJiandong XuJiandong XuJiandong left review comments

@quake quake Awaiting requested review from quake quake is a code owner automatically assigned from nervosnetwork/rfc

+1 more reviewer

@Hanssen0 Hanssen0 Hanssen0 left review comments

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@xxuejie @phroi @XuJiandong @Hanssen0