How complex can bitcoin multi-signature addresses be?

Question

From what I've read, M-of-N multisig addresses are possible in bitcoin. But nothing I've read talks about the limits of that (eg I'm not sure if there are limits to M and N) nor whether there are more complex forms of multisig.

For example, something I think I would like to do is have an address that can be spent on in the following conditions:

1. Address A signs it, or
2. At least 3 of B,C,D,E,F and G sign it and H also signs it

This would allow me to have an address I can use normally that also can be accessed by a number of trusted 3rd parties in the case that Address A gets lost or destroyed. This would be useful to back up your bitcoins by distributing some keys to a number of friends (B,C,D,E,F,G) with an explanatory note and final key in your will (H).

Is this kind of thing at all possible in Bitcoin?

Answer 1

1. Address A signs it, or
2. At least 3 of B,C,D,E,F and G sign it and H also signs it

OP_IF
  pubA OP_CHECKSIG
OP_ELSE
  OP_3 pubB pubC pubD pubE pubF OP_5 OP_CHECKMULTISIGVERIFY
  OP_2 pubG pubH OP_2 OP_CHECKMULTISIG
OP_ENDIF

Answer 2

The limits of such constructs are the 520 bytes of the redeem script (its opcodes). A signature is roughly 70 Bytes (length code, r-key, s-key ...), so you can calculate what n-of-m versions fit into 520 bytes. All your ideas are possible with bitcoin.

E.g. you can create a 2 out of 6 multisig for B,C,D,E,F and G.

When you say "A" can sign it, I believe it is the same as "H". Then you run into 8 keys (8x70=560 bam...), so you are beyond the limits. You might circumvent this when creating a simple "smart contract":

if <pubkey A> OR <pubkey B> else <2-of-6 msig>

then you are again in the limits. These type of ideas are explained e.g. in Andreas' book "Mastering Bitcoin, 2nd edition", chapter 7 "Advanced Transactions and Scripting".