Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 6BDBED56 for ; Thu, 13 Dec 2018 16:34:31 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-io1-f53.google.com (mail-io1-f53.google.com [209.85.166.53]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id A8B1D82E for ; Thu, 13 Dec 2018 16:34:30 +0000 (UTC) Received: by mail-io1-f53.google.com with SMTP id f14so2090460iol.4 for ; Thu, 13 Dec 2018 08:34:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=blockstream.io; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=tsnZ3d9kAd9dM3gJtrdRN1JJeoPn98Tb1Ae7pLhDA24=; b=EM/e6Nd3F4tWZs9mei6B/XKpd9eQ6tYhgSUXxRpaIneSDyxpNTr4IPRdFNZjEJa5L0 LdiA9U0YWJuolR0bFcaD3LvOZLxAmt8yzh7RRfE/VnRQ0ZoZKCxiXZy+TS6PmLUj84PA tC1Ga1pchN3TeXTmFdm7siY6WbQXNltKWbpGQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=tsnZ3d9kAd9dM3gJtrdRN1JJeoPn98Tb1Ae7pLhDA24=; b=O8LuybI8mMRUPEygAUL+d1jnaikDfaLqPl21e389yDwJCC77gvqfrg67xhHx4Qjqr/ ThhriJZFQgfvtdAXNBRQ5HfhOhlRxFhIdkqEbi8PizhbrLwT4Q4hPcaXYeFjMmyY5ANC Rci7J2SzUyIcLFbnmJu1iwPj1IHik8aV29SjC98pnZuinJPsLn3Yx+l1kNj4lqF4Uolr i/DUY732yYSD70oEyCCoG2xcEeet1OkOwxqlNrSgSF6GA+GqtW3wf5oekWRl6pRCWq+h pitE+MbAwwSgiBsZYLGf2msSoLA03DRvx/L8sXFLo5ge2LHWtWUNMzujeeUg2fDs+p91 DVsw== X-Gm-Message-State: AA+aEWZ1RF/5ER6dcA7UOjmblwR4haXP4k5Fd7OKkLQJNnVlw74s+N8p t7L2vq9nXbeQgcw5yPb7yd4YsscwlmatMJfmz7dDJg== X-Google-Smtp-Source: AFSGD/WSPHF2Bm3YFnHLFCxnIOKmBBO1jPE4qagFdgAzkY7xCjeT9SoFCChwYJzdl4mbwMsNXnGAcbS8m9YMW5ICAps= X-Received: by 2002:a5d:9257:: with SMTP id e23mr23373483iol.112.1544718869800; Thu, 13 Dec 2018 08:34:29 -0800 (PST) MIME-Version: 1.0 References: <702FE74C-119C-4D14-BCD3-85C4355356A2@xbt.hk> In-Reply-To: From: "Russell O'Connor" Date: Thu, 13 Dec 2018 11:34:17 -0500 Message-ID: To: Gregory Maxwell Content-Type: multipart/alternative; boundary="0000000000008349ca057ce9e334" X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Thu, 13 Dec 2018 22:09:29 +0000 Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] Safer sighashes and more granular SIGHASH_NOINPUT X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Dec 2018 16:34:31 -0000 --0000000000008349ca057ce9e334 Content-Type: text/plain; charset="UTF-8" On Wed, Dec 12, 2018 at 12:26 PM Gregory Maxwell wrote: > On Wed, Dec 12, 2018 at 5:15 PM Russell O'Connor via bitcoin-dev > wrote: > > I tend to think in opposite terms. Is there a proof that any script can > be transformed into an equivalent one that avoids witness weight > malleability? But I admit there is a trade off: If we don't allow for > signature covers weight, and we do need it, it will be too late to add. On > the other hand if we add signature covers weight, but it turns out that no > Script ever needs to use it, then we've added that software complexity for > no gain. However, I think the software complexity is relatively low, > making it worthwhile. > > > > Moreover, even if witness weight malleability is entirely avoidable, it > always seems to come at a cost. Taking as an example libwally's proposed > "csv_2of3_then_2" > > I'm largely in agreement with you-- but my difficulty in arguing for > signing the weight is that it seemed to me that it was only easy to > sign an upper bound because some witnesses are variable size... and > signing an upper bound means more signalling overhead... offsetting > the space gains for demalleating. > In multi-party protocols, the last person to sign knows what the total weight is going to be (now that we have fixed sized signatures) and at least they have the ability to sign it. They are probably motivated to sign the weight as long as they are interested in the success of the transaction. I suppose there could be asynchronous protocols where there isn't a last person to sign, but that seems a bit weird. Greg, you are probably more familiar with examples of multi-party protocols than I am. OTOH maybe the last person to sign isn't interested in the success of the transaction and wants to cause grief by bloating the transaction and signing the bloated weight. I guess in such protocols, you'll have to keep the anti-malleablity Script Code. I totally get the idea that signing weight has a lot of issues in many scenarios. But I still feel than on the whole it is better to make the option available than to be forced to rely on anti-malleability Script Code or non-consensus relay policy. --0000000000008349ca057ce9e334 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


On Wed= , Dec 12, 2018 at 12:26 PM Gregory Maxwell <gmaxwell@gmail.com> wrote:
On Wed, Dec 12, 2018 at 5:15 PM Russell O'Connor via bitcoin-d= ev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
> I tend to think in opposite terms. Is there a proof that any script ca= n be transformed into an equivalent one that avoids witness weight malleabi= lity?=C2=A0 =C2=A0But I admit there is a trade off:=C2=A0 If we don't a= llow for signature covers weight, and we do need it, it will be too late to= add.=C2=A0 On the other hand if we add signature covers weight, but it tur= ns out that no Script ever needs to use it, then we've added that softw= are complexity for no gain.=C2=A0 However, I think the software complexity = is relatively low, making it worthwhile.
>
> Moreover, even if witness weight malleability is entirely avoidable, i= t always seems to come at a cost.=C2=A0 Taking as an example libwally's= proposed "csv_2of3_then_2"

I'm largely in agreement with you-- but my difficulty in arguing for signing the weight is that it seemed to me that it was only easy to
sign an upper bound because some witnesses are variable size... and
signing an upper bound means more signalling overhead... offsetting
the space gains for demalleating.

In mu= lti-party protocols, the last person to sign knows what the total weight is= going to be (now that we have fixed sized signatures) and at least they ha= ve the ability to sign it.=C2=A0 They are probably motivated to sign the we= ight as long as they are interested in the success of the transaction.=C2= =A0 I suppose there could be asynchronous protocols where there isn't a= last person to sign, but that seems a bit weird.=C2=A0 Greg, you are proba= bly more familiar with examples of multi-party protocols than I am.

OTOH maybe the last person to sign isn't interest= ed in the success of the transaction and wants to cause grief by bloating t= he transaction and signing the bloated weight.=C2=A0 I guess in such protoc= ols, you'll have to keep the anti-malleablity Script Code.
I totally get the idea that signing weight has a lot of issues= in many scenarios.=C2=A0 But I still feel than on the whole it is better t= o make the option available than to be forced to rely on anti-malleability = Script Code or non-consensus relay policy.
--0000000000008349ca057ce9e334--