Bare Multisig Outputs

-----------------------

Blocks are getting filled with bare multisig outputs and it's an obvious troll from people that hate Bitcoin. Let me explain.

Multisig currently can be done in many ways, but before p2sh (BIP0013), the only way to do multisig was through putting the many pubkeys on-chain. As ECDSA doesn't really let you aggregate keys, outputs had to specify something like "3-of-5 of these pubkeys." The normal UTXOs have the following number of bytes:

p2pkh:25

p2sh:23

p2wpkh:22

p2wsh:34

p2tr:34

By contrast the n in the k-of-n bare multisig determines the number of bytes and it's 5 + 34 * n (my math might be off, but around there). So for 3-of-5, it's upwards of 170 bytes. But that's using compressed keys. For uncompressed keys, you it's 5 + 66 * n or 335 bytes+, and worse, you can put in illegitimate uncompressed keys (keys that are provably have no private key) to add data to the chain

Why does this matter? Because these bytes stay in the UTXO set, which is what Bitcoin software optimizes for because that's how you validate that a transaction is a not double spend and satisfies the conditions of the smart contract that locked it.

What's worse, if the pubkeys are unspendable (uncompressed keys that are not real points on the secp256k1 curve), then they'll *never* be pruned. So the UTXO set grows larger and requires more resources for your typical node runner.

Interestingly, this was how the whitepaper was embedded into the Bitcoin blockchain by putting pieces of the whitepaper pdf in 64 byte chunks through uncompressed pubkeys. Luke's Eligius pool was one of the first to ban such transactions because they were clearly bloating not just the blockchain, but the UTXO set.

That's what these trolls are doing. They're adding to the UTXO set that's not easily prunable, though now, I'm guessing some people will add pruning for UTXOs with multisig outputs that don't have any legitimate keys.