Return-Path: Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 71382C002D for ; Sun, 3 Jul 2022 05:55:59 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id 455F3607B0 for ; Sun, 3 Jul 2022 05:55:59 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 455F3607B0 Authentication-Results: smtp3.osuosl.org; dkim=pass (1024-bit key) header.d=gazeta.pl header.i=@gazeta.pl header.a=rsa-sha256 header.s=2013 header.b=InvvhC14 X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -0.2 X-Spam-Level: X-Spam-Status: No, score=-0.2 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E96BWN7Klrk6 for ; Sun, 3 Jul 2022 05:55:58 +0000 (UTC) X-Greylist: delayed 00:10:00 by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 6FE9F6077D Received: from smtpo78.poczta.onet.pl (smtpo78.poczta.onet.pl [141.105.16.28]) by smtp3.osuosl.org (Postfix) with ESMTPS id 6FE9F6077D for ; Sun, 3 Jul 2022 05:55:57 +0000 (UTC) Received: from pmq5v.m5r2.onet (pmq5v.m5r2.onet [10.174.35.25]) by smtp.poczta.onet.pl (Onet) with ESMTP id 4LbHwZ0Yqxz2K24DV; Sun, 3 Jul 2022 07:45:50 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gazeta.pl; s=2013; t=1656827150; bh=8GcMR7/aGInn/iGSRRbaXSdch5FHzPW6f81zSbw9UNA=; h=From:To:In-Reply-To:Date:Subject:From; b=InvvhC14kWql1+DcB1HP+lk+XYibeqsZyk3t1VrePMN7eLZgGIMTAePnmmFk51AtZ D/MAkznnMKHrJjObnmB94/oNDohrFtMmWK4GICQxbXhOYnsl8jVz3GoEd9I13osLiw fGHZGqgzUushVURDLFhs0u5P6s8xldAECmDsCm7U= Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received: from [5.173.224.149] by pmq5v.m5r2.onet via HTTP id ; Sun, 03 Jul 2022 07:45:50 +0200 From: vjudeu@gazeta.pl X-Priority: 3 To: Jeremy Rubin , Bitcoin Protocol Discussion In-Reply-To: Date: Sun, 03 Jul 2022 07:45:48 +0200 Message-Id: <163978583-4822df8d32d6f90c80179ca227a2320a@pmq5v.m5r2.onet> X-Mailer: onet.poczta X-Onet-PMQ: ;5.173.224.149;PL;2 X-Mailman-Approved-At: Sun, 03 Jul 2022 07:44:37 +0000 Subject: Re: [bitcoin-dev] Adding SIGHASH to TXID X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Jul 2022 05:55:59 -0000 > Have you seen the inherited ID proposal from John Law on this list? I didn't see that before posting, I'm still trying to get more familiar wit= h that (and with proposals, where every single field in each transaction is= controlled for inclusion or exclusion). > Honestly, I've yet to fully load in exactly how the applications of it wo= rk, but I'd be interested to hear your thoughts. The main use case is to control transaction flow. If you have everything si= gned with SIGHASH_ALL, then it is obvious that you can just use txid, and e= verything works. But on the other hand, if you use other sighashes, for exa= mple SIGHASH_SINGLE|SIGHASH_ANYONECANPAY, then you should be able to make a= new transaction spending your signed output, no matter which inputs and ou= tputs will be added to the previous one. And that's why SIGHASH_PREVOUT_SOM= ETHING is needed, to control, which parts of the previous transaction are s= igned, and which are not. And to do that, it is needed to take the previous= transaction, referenced by txid, and to modify it, based on provided SIGHA= SH_PREVOUT_SOMETHING sighashes. To push things one step further, I think different sighashes should be prop= osed by default, that would make users more familiar with the whole concept= of sighashes. Because now, the default behavior is to sign everything with= SIGHASH_ALL. I think it should be changed, the Core client should propose = different sighashes, based on created transaction, just to allow transactio= n joining. To start with, it could be just a simple checkbox "allow transac= tion joining", that would enable it, to see if it will be simple enough for= most users. SIGHASH_ANYONECANPAY - used for every input (because it allows fee bumping = without changing signatures) SIGHASH_SINGLE - used only when there is any corresponding output, and only= when it has higher or equal amount than the corresponding input SIGHASH_ALL - used when there is no corresponding output, or when the corre= sponding output is smaller, to prevent detaching it In general, I think the transaction should be displayed like it is visible = in many block explorers, and after clicking each input, users should see, w= hat is signed, and what is not, so they should control sighashes in a simil= ar user interface, as they use to choose coins. Inputs and outputs should b= e grayed or highlighted, based on sighashes selected by user, to allow unde= rstanding them better. On 2022-05-07 13:55:48 user Jeremy Rubin wrote: Have you seen the inherited ID proposal from John Law on this list? It's a pretty thorough treatment of this type of proposal, curious if you t= hink it overlaps what you had in mind? Honestly, I've yet to fully load in exactly how the applications of it work= , but I'd be interested to hear your thoughts. On Sat, May 7, 2022, 4:55 AM vjudeu via bitcoin-dev wrote: For now, we have txid:vout as a previous transaction output. This means tha= t to have a stable TXID, we are forced to use SIGHASH_ALL somewhere, just t= o prevent any transaction modifications that can happen during adding some = inputs and outputs. But it seems that new sighashes could be far more power= ful than we expected: it is technically possible to not only remove previou= s transaction output by using SIGHASH_ANYPREVOUT. We can do more and do it = better, we could decide, how to calculate this txid at all! So, something like SIGHASH_PREVOUT_NONE would be similar to SIGHASH_NONE (a= pplied to the previous transaction, taken from txid). To have SIGHASH_ANYPR= EVOUT, we need to remove absolutely everything, I don't know any such sigha= shes, because even SIGHASH_NONE | SIGHASH_ANYONECANPAY will commit at least= to some fields, for example to the locktime. But, if we introduce SIGHASH_= PREVOUT_XYZ flags for all existing sighashes, we would have this: SIGHASH_PREVOUT_NONE SIGHASH_PREVOUT_SINGLE SIGHASH_PREVOUT_ALL SIGHASH_PREVOUT_ANYONECANPAY Then, the procedure is as follows: we use txid:vout to find our previous tr= ansaction. Then, we apply those sighashes to this previous transaction, to = form a new txid, that will be checked during every OP_CHECKSIG-based opcode= . In this way, our txid:vout is used just to do transaction lookup, after t= hat, sighashes can be applied to the previous transaction, so our txid coul= d remain stable, even if someone will add some inputs and outputs. By default, we could use SIGHASH_PREVOUT_ALL, that would mean our txid:vout= remains unchanged. Then, SIGHASH_PREVOUT_SINGLE would obviously mean, that= we want to commit only to this particular previous transaction output. Tha= t would allow adding any new outputs to the previous transaction, without a= ffecting our replaced txid, but also without blindly accepting any txid, be= cause some data of the previous transaction would be still hashed. Then, SIGHASH_PREVOUT_NONE is an interesting case, because it would mean th= at no outputs of the previous transaction are checked. But still, the input= s will be! That would mean: "I don't care about in-between addresses, but I= care that it was initiated from these inputs". In this case, it is possibl= e to choose some input without those flags, and then apply SIGHASH_PREVOUT_= NONE many times, to make sure that everything started from that input, but = everything in-between can be anything. All of those three SIGHASH_PREVOUT_XYZ flags could be combined with SIGHASH= _PREVOUT_ANYONECANPAY. That would mean all inputs of the previous transacti= on are discarded, except from the input number matching "vout". Or we could= just use SIGHASH_PREVOUT_ANY instead and discard all inputs from that prev= ious transaction, that could also be combined with other sighashes. So, to sum up, by applying sighashes to the previous transaction, instead o= f allowing for any transaction, we could still have some control of our txi= d, and I think it could be better than just saying "give me any txid, I wil= l accept that". I think in most cases we don't want to allow any txid: we w= ant to only "control the flow", just to make sure that our signatures will = sign what we want and will not be invalidated by changing some transaction = inputs and outputs, unrelated to the currently-checked signature. _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev