1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
|
Return-Path: <jl2012@xbt.hk>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 510AD1149;
Thu, 21 Mar 2019 08:38:13 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
Received: from sender-of-o51.zoho.com (sender-of-o51.zoho.com [135.84.80.216])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 9A68FD3;
Thu, 21 Mar 2019 08:38:12 +0000 (UTC)
ARC-Seal: i=1; a=rsa-sha256; t=1553157481; cv=none; d=zoho.com; s=zohoarc;
b=ZitP/ick5/g1dEl9L/eXu0hlPX3IGW4RrbTcRX9V9VJ2VOScAsIHn4gRQdVZDRxS5o63z7o51cMqiPxITVu0huxTMxXnVTwvDGFjYxFIJRbVUnpULr8sfiFdRkOSNjv+xilM1kFdvRA9+7g0+a3HVZv3TD7RrT/fev2ohoZ+Q1c=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com;
s=zohoarc; t=1553157481;
h=Content-Type:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To:ARC-Authentication-Results;
bh=99raCkHwTEfJxVp19gp4NemTtr3Io9QqiJMXMHQYxQo=;
b=JvNf16tWVEB3DNFqI1r1hxfMx2eIlcGNrSOMQLC+kVXq00KCokMsTzFOoDiV4QUaMFfr1ESTEJN+4sG1CID9rqT9t1KW57/nEdxhpFxEXMkKNp2txWDPwGH3FSs2gvBib++QCG/K0/yCtqEd+8Cuxdmm7lS3USl+m1IY1WrxxFw=
ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass header.i=xbt.hk;
spf=pass smtp.mailfrom=jl2012@xbt.hk;
dmarc=pass header.from=<jl2012@xbt.hk> header.from=<jl2012@xbt.hk>
Received: from [192.168.1.2] (n219079143054.netvigator.com [219.79.143.54]) by
mx.zohomail.com with SMTPS id 1553157478684759.1265403083509;
Thu, 21 Mar 2019 01:37:58 -0700 (PDT)
From: Johnson Lau <jl2012@xbt.hk>
Message-Id: <1D5043F6-DC7B-4D40-9B68-30125829A7F6@xbt.hk>
Content-Type: multipart/alternative;
boundary="Apple-Mail=_1BEAD8F9-AF34-4F09-BDF0-F25AE6715A03"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Thu, 21 Mar 2019 16:37:54 +0800
In-Reply-To: <isp2OcX23r-Tfl-WSbybuKnppjVlZV52AM1GGEaQd8uHlkliikUBvK49WOnzgaxOjDuOCNdu6CsmHt6kfK0z_FRrOgYAYWrWaDniZA3EEZQ=@protonmail.com>
To: ZmnSCPxj <ZmnSCPxj@protonmail.com>,
bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>
References: <20190313014143.ifffshwdux2jt7w5@erisian.com.au>
<87k1gubdjm.fsf@rustcorp.com.au> <87woku9q3g.fsf@rustcorp.com.au>
<UOdt33VfD8o6NfeDKMSip0hUmy1_jyo65-ihunuMRRg8IfXEOq-W60-TPoINm5HErPqnY_-yd1x_VnnVihrvtXRA2OHkjeROZheZ_QV0Zvo=@protonmail.com>
<isp2OcX23r-Tfl-WSbybuKnppjVlZV52AM1GGEaQd8uHlkliikUBvK49WOnzgaxOjDuOCNdu6CsmHt6kfK0z_FRrOgYAYWrWaDniZA3EEZQ=@protonmail.com>
X-Mailer: Apple Mail (2.3445.102.3)
X-ZohoMailClient: External
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,HTML_MESSAGE,
RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Thu, 21 Mar 2019 16:54:19 +0000
Cc: "lightning-dev@lists.linuxfoundation.org"
<lightning-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] [Lightning-dev] More thoughts on NOINPUT safety
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Mar 2019 08:38:13 -0000
--Apple-Mail=_1BEAD8F9-AF34-4F09-BDF0-F25AE6715A03
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
charset=utf-8
> On 20 Mar 2019, at 4:07 PM, ZmnSCPxj via bitcoin-dev =
<bitcoin-dev@lists.linuxfoundation.org> wrote:
>=20
> Hi aj,
>=20
> Re-reading again, I think perhaps I was massively confused by this:
>=20
>> - alternatively, we could require every script to have a valid =
signature
>> that commits to the input. In that case, you could do eltoo with a
>> script like either:
>>=20
>> <A> CHECKSIGVERIFY <B> CHECKSIG
>> or <P> CHECKSIGVERIFY <Q> CHECKSIG
>>=20
>>=20
>> where A is Alice's key and B is Bob's key, P is muSig(A,B) and Q is
>> a key they both know the private key for. In the first case, Alice
>> would give Bob a NOINPUT sig for the tx, and when Bob wanted to =
publish
>> Bob would just do a SIGHASH_ALL sig with his own key. In the second,
>> Alice and Bob would share partial NOINPUT sigs of the tx with P, and
>> finish that when they wanted to publish.
>=20
> Do you mean that *either* of the above two scripts is OK, *or* do you =
mean they are alternatives within a single MAST or `OP_IF`?
>=20
It means either.
If you use <A> CHECKSIGVERIFY <B> CHECKSIG style, A and B will exchange =
the NOINPUT sig, and they will add the required non-NOINPUT sig when =
needed.
If you use <muSig(A,B)> CHECKVERIFY <Q> CHECKSIG, A and B will co-sign =
the muSig(A,B) with NOINPUT. They will also share the private key of Q, =
so they could produce a non-NOINPUT sig when needed.
The first style is slightly easier as it doesn=E2=80=99t need muSig. But =
with 3 or more parties, the second style is more efficient.
However, if you use watchtower, you have to use the second style. That =
means you need to share the private key for Q with the watchtower, That =
also means the watchtower will have the ability to reply the NOINPU =
muSig. But it is still strictly better than anyone-can-replay.
--Apple-Mail=_1BEAD8F9-AF34-4F09-BDF0-F25AE6715A03
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
charset=utf-8
<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D""><br =
class=3D""><div><br class=3D""><blockquote type=3D"cite" class=3D""><div =
class=3D"">On 20 Mar 2019, at 4:07 PM, ZmnSCPxj via bitcoin-dev <<a =
href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" =
class=3D"">bitcoin-dev@lists.linuxfoundation.org</a>> wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><span =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none; float: none; =
display: inline !important;" class=3D"">Hi aj,</span><br =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><br =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><span =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none; float: none; =
display: inline !important;" class=3D"">Re-reading again, I think =
perhaps I was massively confused by this:</span><br style=3D"caret-color: =
rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: =
normal; font-variant-caps: normal; font-weight: normal; letter-spacing: =
normal; text-align: start; text-indent: 0px; text-transform: none; =
white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><br style=3D"caret-color: rgb(0, 0, =
0); font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><blockquote type=3D"cite" =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D"">- alternatively, we could require =
every script to have a valid signature<br class=3D"">that commits to the =
input. In that case, you could do eltoo with a<br class=3D"">script like =
either:<br class=3D""><br class=3D""><A> CHECKSIGVERIFY <B> =
CHECKSIG<br class=3D"">or <P> CHECKSIGVERIFY <Q> CHECKSIG<br =
class=3D""><br class=3D""><br class=3D"">where A is Alice's key and B is =
Bob's key, P is muSig(A,B) and Q is<br class=3D"">a key they both know =
the private key for. In the first case, Alice<br class=3D"">would give =
Bob a NOINPUT sig for the tx, and when Bob wanted to publish<br =
class=3D"">Bob would just do a SIGHASH_ALL sig with his own key. In the =
second,<br class=3D"">Alice and Bob would share partial NOINPUT sigs of =
the tx with P, and<br class=3D"">finish that when they wanted to =
publish.<br class=3D""></blockquote><br style=3D"caret-color: rgb(0, 0, =
0); font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><span style=3D"caret-color: rgb(0, 0, =
0); font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none; float: none; display: inline !important;" =
class=3D"">Do you mean that *either* of the above two scripts is OK, =
*or* do you mean they are alternatives within a single MAST or =
`OP_IF`?</span><br style=3D"caret-color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: =
none;" class=3D""><br style=3D"caret-color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: =
none;" class=3D""></div></blockquote><div><br class=3D""></div><div>It =
means either.</div><div><br class=3D""></div><div>If you use <A> =
CHECKSIGVERIFY <B> CHECKSIG style, A and B will exchange the =
NOINPUT sig, and they will add the required non-NOINPUT sig when =
needed.</div><div><br class=3D""></div><div>If you use =
<muSig(A,B)> CHECKVERIFY <Q> CHECKSIG, A and B will co-sign =
the muSig(A,B) with NOINPUT. They will also share the private key of Q, =
so they could produce a non-NOINPUT sig when needed.</div><div><br =
class=3D""></div><div>The first style is slightly easier as it doesn=E2=80=
=99t need muSig. But with 3 or more parties, the second style is more =
efficient.</div><div><br class=3D""></div><div>However, if you use =
watchtower, you have to use the second style. That means you need to =
share the private key for Q with the watchtower, That also means the =
watchtower will have the ability to reply the NOINPU muSig. But it is =
still strictly better than anyone-can-replay.</div></div><br =
class=3D""></body></html>=
--Apple-Mail=_1BEAD8F9-AF34-4F09-BDF0-F25AE6715A03--
|
