References: <CACvH2e=3s2kZWnytMySTv8U4pny3i0rEWas7NxzLxf5J7BewTg@mail.gmail.com>
In-Reply-To: <CACvH2e=3s2kZWnytMySTv8U4pny3i0rEWas7NxzLxf5J7BewTg@mail.gmail.com>
From: Jeremy <jlrubin@mit.edu>
Date: Thu, 30 Apr 2020 23:57:09 -0700
Message-ID: <CAD5xwhgo0YfpOcKoBYSFYrx8bOT2RNDzM0+JiLqhZaLi_0C5RA@mail.gmail.com>
To: Andrew Kozlik <andrew.kozlik@satoshilabs.com>,
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] BIP-341: Committing to all scriptPubKeys in the signature message


Hi Andrew,

If you use SIGHASH_ALL it shall sign the COutPoints of all inputs which
commit to the scriptPubKeys of the txn.

Thus the 341 hash doesn't need to sign any additional data.

As a metadata protocol you can provide all input transactions to check the
scriptPubKeys.

Best,

Jeremy
--
@JeremyRubin <https://twitter.com/JeremyRubin>


On Thu, Apr 30, 2020 at 1:22 AM Andrew Kozlik via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Hi everyone,
>
> In the current draft of BIP-0341 [1] the signature message commits to the
> scriptPubKey of the output being spent by the input. I propose that the
> signature message should commit to the scriptPubKeys of *all* transaction
> inputs.
>
> In certain applications like CoinJoin, a wallet has to deal with
> transactions containing external inputs. To calculate the actual amount
> that the user is spending, the wallet needs to reliably determine for each
> input whether it belongs to the wallet or not. Without such a mechanism an
> adversary can fool the wallet into displaying incorrect information about
> the amount being spent, which can result in theft of user funds [2].
>
> In order to ascertain non-ownership of an input which is claimed to be
> external, the wallet needs the scriptPubKey of the previous output spent by
> this input. It must acquire the full transaction being spent and verify its
> hash against that which is given in the outpoint. This is an obstacle in
> the implementation of lightweight air-gapped wallets and hardware wallets
> in general. If the signature message would commit to the scriptPubKeys of
> all transaction inputs, then the wallet would only need to acquire the
> scriptPubKey of the output being spent without having to acquire and verify
> the hash of the entire previous transaction. If an attacker would provide
> an incorrect scriptPubKey, then that would cause the wallet to generate an
> invalid signature message.
>
> Note that committing only to the scriptPubKey of the output being spent is
> insufficient for this application, because the scriptPubKeys which are
> needed to ascertain non-ownership of external inputs are precisely the ones
> that would not be included in any of the signature messages produced by the
> wallet.
>
> The obvious way to implement this is to add another hash to the signature
> message:
> sha_scriptPubKeys (32): the SHA256 of the serialization of all
> scriptPubKeys of the previous outputs spent by this transaction.
>
> Cheers,
> Andrew Kozlik
>
> [1]
> https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#common-signature-message
> [2]
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-August/014843.html
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
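The following Python model is an added illustration of the trade-off debated in this thread; it is not code from either author or from the BIP-341 reference implementation. It keeps only the input-side hashes of a BIP-341-style signature message (sha_prevouts, sha_amounts, the signed input's own scriptPubKey, and optionally Andrew's proposed sha_scriptPubKeys) and drops the other fields (hash_type, nVersion, nLockTime, outputs, spend type). The serialization of sha_scriptPubKeys (CompactSize length prefix per script, concatenated) and all txids, amounts and scripts are constructed assumptions. It shows why outpoints alone do not protect a signer that never sees the previous transactions: a misreported scriptPubKey on an "external" input leaves the message for the wallet's own input unchanged, so the wallet signs a valid transaction while displaying the wrong amount; with all scriptPubKeys committed, the same lie changes the message and the resulting signature would fail validation.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def tagged_hash(tag: str, msg: bytes) -> bytes:
    # BIP-340 style tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)
    t = sha256(tag.encode())
    return sha256(t + t + msg)


def compact_size(n: int) -> bytes:
    # Bitcoin CompactSize encoding (only small lengths occur here)
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")


@dataclass(frozen=True)
class PrevOut:
    """What the signer is told about one output being spent (constructed data)."""
    txid: bytes           # 32-byte hash of the previous transaction
    vout: int             # output index within that transaction
    amount: int           # satoshis
    script_pubkey: bytes  # scriptPubKey the signer is *told* that output has


def sig_message(prevouts: List[PrevOut], input_index: int, *, commit_all_scriptpubkeys: bool) -> bytes:
    """Simplified signature message for signing input `input_index`.

    Always commits to all outpoints, all amounts and the signed input's own
    scriptPubKey (as the BIP-341 draft does). With commit_all_scriptpubkeys=True
    it also commits to sha_scriptPubKeys over every input's scriptPubKey, which
    is the proposal under discussion. Assumed serialization, not the BIP's text.
    """
    sha_prevouts = sha256(b"".join(p.txid + p.vout.to_bytes(4, "little") for p in prevouts))
    sha_amounts = sha256(b"".join(p.amount.to_bytes(8, "little") for p in prevouts))
    msg = sha_prevouts + sha_amounts
    if commit_all_scriptpubkeys:
        sha_scriptpubkeys = sha256(
            b"".join(compact_size(len(p.script_pubkey)) + p.script_pubkey for p in prevouts)
        )
        msg += sha_scriptpubkeys
    own = prevouts[input_index]
    msg += input_index.to_bytes(4, "little")
    msg += compact_size(len(own.script_pubkey)) + own.script_pubkey
    return tagged_hash("TapSighash", msg)


def amount_spent(prevouts: List[PrevOut], wallet_spks: Set[bytes]) -> int:
    """What a wallet displays as the user's outgoing amount: the sum of inputs
    whose claimed scriptPubKey it recognises as its own."""
    return sum(p.amount for p in prevouts if p.script_pubkey in wallet_spks)


# --- constructed sample data (not real keys, txids or scripts) --------------
WALLET_SPK = b"\x51\x20" + sha256(b"constructed wallet key")        # P2TR-shaped
FOREIGN_SPK = b"\x00\x14" + sha256(b"constructed other key")[:20]   # P2WPKH-shaped
WALLET_SPKS = {WALLET_SPK}

# Honest view: both inputs belong to the wallet, 100,000 sats leave it.
HONEST = [
    PrevOut(sha256(b"constructed txid A"), 0, 60_000, WALLET_SPK),
    PrevOut(sha256(b"constructed txid B"), 1, 40_000, WALLET_SPK),
]
# Misreported view: input B is presented as external. Outpoints and amounts are
# untouched, so only the claimed scriptPubKey of B differs from reality.
MISREPORTED = [
    HONEST[0],
    PrevOut(HONEST[1].txid, HONEST[1].vout, HONEST[1].amount, FOREIGN_SPK),
]


def compare() -> Dict[str, object]:
    """Sign input 0 (the wallet's own input) under both views and both designs."""
    return {
        "displayed_honest": amount_spent(HONEST, WALLET_SPKS),
        "displayed_misreported": amount_spent(MISREPORTED, WALLET_SPKS),
        "same_msg_without_spk_commitment":
            sig_message(HONEST, 0, commit_all_scriptpubkeys=False)
            == sig_message(MISREPORTED, 0, commit_all_scriptpubkeys=False),
        "same_msg_with_spk_commitment":
            sig_message(HONEST, 0, commit_all_scriptpubkeys=True)
            == sig_message(MISREPORTED, 0, commit_all_scriptpubkeys=True),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Run stand-alone, `compare()` reports that the wallet displays 100,000 sats under the honest view but 60,000 under the misreported one, that the two views yield the same message when only outpoints and the signed input's own scriptPubKey are committed, and different messages once every input's scriptPubKey is committed. The design point is the last line: a signer that is lied to about another input's scriptPubKey produces a signature the network would reject, so the lie cannot yield a spendable transaction, and the signer needs only the scriptPubKeys rather than the full previous transactions to get that guarantee.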
