Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 7088F10C9 for ; Thu, 13 Dec 2018 16:21:24 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-io1-f41.google.com (mail-io1-f41.google.com [209.85.166.41]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id B4FC912E for ; Thu, 13 Dec 2018 16:21:23 +0000 (UTC) Received: by mail-io1-f41.google.com with SMTP id f14so2049510iol.4 for ; Thu, 13 Dec 2018 08:21:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=blockstream.io; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+LCfMyjUtr3HE2MXp00KdNhBbsQUc/GoF2AwX/IrFYY=; b=CbzdIQUUOCfSmIU1dDOPMuUp7S8+KPCz+higxIoagIFTJU6SL14N/hqEUOJUlx40MC knf8SwYxKc/kQHUgXr3VTgVTeDjkR6czV3EWXXBi2ppYembGdS7b9cq5lZbH6wg5TvKI 6B/Mhd62IPI7hGekhjYKnwORGEZtE867umAkc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+LCfMyjUtr3HE2MXp00KdNhBbsQUc/GoF2AwX/IrFYY=; b=qM25JNehVqWYySI3BYzc4ZM7ue5c8qUg0XjAbV5x98/hMlFk1V79XGqq4dG6vQQKz9 cENqmJJRRZboFen5TX7aPBgBJFFFYcaciM0jvm+LvAM6fJWmUaptC4wHdPEq9U/QBx9O Ymz61x1zbfYE3pAYyohrgM+iyr/J8I1QuaYXcSx108d7cY0KHY6mXGcItSptuX4dWZFk dEX8AgXFO2qFLYF3KFFA8LhWTaThhuJA5G6Z/87bGQv9BVft2SUUUlf/003yxS9wq7SG fm74J4mUU7/DPe+bjQgRpk7ZlyIdXJLLU6X0RzNh1GVkMz23UhJinWdVzfFF3dFq01VO Krrg== X-Gm-Message-State: AA+aEWYy8RrBfoi/JYsX8dmJSymjNsPeSuFgpohWtaewMDjcgqbdmPka iP+wZP/HQJK3Hw00W7NEsNPlE0+ucG0P8z5GplzB94mTXLk= X-Google-Smtp-Source: AFSGD/WmNgMs/vzXE2XaVv65j2bB7xXRZ7mOSb0NOKR6VYNfCpghej5rQF+9wFYDWkWuG7c7Zda0xOyQMZidfombTH8= X-Received: by 2002:a6b:4001:: with SMTP id k1mr22473956ioa.34.1544718082747; Thu, 13 Dec 2018 08:21:22 -0800 (PST) MIME-Version: 1.0 References: <702FE74C-119C-4D14-BCD3-85C4355356A2@xbt.hk> <20181213000553.cikilodf65an225g@erisian.com.au> In-Reply-To: <20181213000553.cikilodf65an225g@erisian.com.au> From: "Russell O'Connor" Date: Thu, 13 Dec 2018 11:21:10 -0500 Message-ID: To: Anthony Towns Content-Type: multipart/alternative; boundary="0000000000009a064b057ce9b417" X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Thu, 13 Dec 2018 22:09:29 +0000 Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] Safer sighashes and more granular SIGHASH_NOINPUT X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Dec 2018 16:21:24 -0000 --0000000000009a064b057ce9b417 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Wed, Dec 12, 2018 at 7:06 PM Anthony Towns wrote: > On Tue, Dec 11, 2018 at 05:50:24PM -0500, Russell O'Connor via bitcoin-de= v > wrote: > > On Sun, Dec 9, 2018 at 2:13 PM Johnson Lau wrote: > > The current proposal is that a 64-byte signature will be used for t= he > > default =E2=80=9Csigning all=E2=80=9D sighash, and 65-byte for othe= r sighash types. > The > > space saved will allow a few more txs in a block, so I think it > worths > > doing. However, this also makes witness weight estimation more > difficult in > > multisig cases. > > This seems strange to me -- why wouldn't you just assume every signature > is 65 witness bytes, and just be grateful for the prioritisation benefit > if someone chooses a shorter signature? Your error margin is just 0.25 > vbytes per signature. > The issue is that the proposal is to sign the actual weight, rather than sign an upper bound on the weight. The problem with signing an upper bound, is that you need to specify that upper bound someplace in the transaction, and we are out of sneaky places to stash that data. Signing the actual weight is easy because the total weight is implicit, but now you need to know the total weight before signing. > > I tend to think in opposite terms. Is there a proof that any script can > be > > transformed into an equivalent one that avoids witness weight > malleability? > > An alternative generalisation: is there a proof that all valid witnesses > will have a weight within some small range? > > > Moreover, even if witness weight malleability is entirely avoidable, it > always > > seems to come at a cost. Taking as an example libwally's proposed " > > csv_2of3_then_2" Script, it begins with "OP_DEPTH OP_1SUB OP_1SUB" > > (DEPTH 2 NUMNOTEQUAL seems like it would have been more obvious...) > > I think the 1SUB idea was derived from the csv_2of2_then_1 Script where DEPTH 1SUB is shorter than DEPTH 1 NUMNOTEQUAL. > Cheers, > aj > > --0000000000009a064b057ce9b417 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Wed, Dec 12= , 2018 at 7:06 PM Anthony Towns <aj= @erisian.com.au> wrote:
On T= ue, Dec 11, 2018 at 05:50:24PM -0500, Russell O'Connor via bitcoin-dev = wrote:
> On Sun, Dec 9, 2018 at 2:13 PM Johnson Lau <jl2012@xbt.hk> wrote:
>=C2=A0 =C2=A0 =C2=A0The current proposal is that a 64-byte signature wi= ll be used for the
>=C2=A0 =C2=A0 =C2=A0default =E2=80=9Csigning all=E2=80=9D sighash, and = 65-byte for other sighash types. The
>=C2=A0 =C2=A0 =C2=A0space saved will allow a few more txs in a block, s= o I think it worths
>=C2=A0 =C2=A0 =C2=A0doing. However, this also makes witness weight esti= mation more difficult in
>=C2=A0 =C2=A0 =C2=A0multisig cases.

This seems strange to me -- why wouldn't you just assume every signatur= e
is 65 witness bytes, and just be grateful for the prioritisation benefit if someone chooses a shorter signature? Your error margin is just 0.25
vbytes per signature.

The issue is that= the proposal is to sign the actual weight, rather than sign an upper bound= on the weight.
The problem with signing an upper bound, is that = you need to specify that upper bound someplace in the transaction, and we a= re out of sneaky places to stash that data.
Signing the actual we= ight is easy because the total weight is implicit, but now you need to know= the total weight before signing.
=C2=A0
> I tend to think in opposite terms. Is there a proof that any script ca= n be
> transformed into an equivalent one that avoids witness weight malleabi= lity?

An alternative generalisation: is there a proof that all valid witnesses will have a weight within some small range?

> Moreover, even if witness weight malleability is entirely avoidable, i= t always
> seems to come at a cost.=C2=A0 Taking as an example libwally's pro= posed "
> csv_2of3_then_2" Script, it begins with "OP_DEPTH OP_1SUB OP= _1SUB"

(DEPTH 2 NUMNOTEQUAL seems like it would have been more obvious...)

I think the 1SUB idea was derived from the csv_2of2_then_1 Script where DEPTH 1SUB is shorter than D= EPTH 1 NUMNOTEQUAL.
=C2=A0
Cheers,
aj

--0000000000009a064b057ce9b417--