path: root/eb/6e4e19570a7567f3106aebbf9b3743a770f897

Return-Path: <roconnor@blockstream.com>
Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 852AFC002B
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue,  7 Feb 2023 18:35:25 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp3.osuosl.org (Postfix) with ESMTP id 5303161030
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue,  7 Feb 2023 18:35:25 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 5303161030
Authentication-Results: smtp3.osuosl.org;
 dkim=pass (2048-bit key) header.d=blockstream-com.20210112.gappssmtp.com
 header.i=@blockstream-com.20210112.gappssmtp.com header.a=rsa-sha256
 header.s=20210112 header.b=Kg7cGeyF
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from smtp3.osuosl.org ([127.0.0.1])
 by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 9XK1mUDPTAjK
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue,  7 Feb 2023 18:35:24 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 06D0C60BB1
Received: from mail-pf1-x431.google.com (mail-pf1-x431.google.com
 [IPv6:2607:f8b0:4864:20::431])
 by smtp3.osuosl.org (Postfix) with ESMTPS id 06D0C60BB1
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue,  7 Feb 2023 18:35:23 +0000 (UTC)
Received: by mail-pf1-x431.google.com with SMTP id g9so11402423pfo.5
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 07 Feb 2023 10:35:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=blockstream-com.20210112.gappssmtp.com; s=20210112;
 h=to:subject:message-id:date:from:in-reply-to:references:mime-version
 :from:to:cc:subject:date:message-id:reply-to;
 bh=BZQlj6cLdjkxc844P7Ackb/Wmtyk9IrJvfZUrNIQAd8=;
 b=Kg7cGeyFdLQEHWm6fAyhnVlRQMCGbBOia2P4HfT5CEAWwcWutArSPYLwWqHKp88sCG
 l/r9wy589ZSuYxU+Glsf1Vrgb3KTMrZqRMvo/eEi9B0/ZuY2qemhbhFqgSqMCJv+F8+V
 8BJ3fpn+J2J1noCq469cZb4YAU8WMzRhbaYeWU3F28Dc70Z7m+eWvnHv6NY8yvC4TlOW
 GM9UQ9LgbStfLDyQglC9XqwbsY2psp+ZVgUcjiXaHmuENKx5IH4fQ+FkN9jXl56/GxYo
 kHhQ7WY4fwRkJHXUHCIVBL1eLSLRyGUlUfDKjTJWJO5VPH+dFuf1D4UvtS5/0rHWVW4a
 ujiQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=to:subject:message-id:date:from:in-reply-to:references:mime-version
 :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=BZQlj6cLdjkxc844P7Ackb/Wmtyk9IrJvfZUrNIQAd8=;
 b=Fku/DZdDc2dnfvcgJSEEC7X3vnqD+G50ZnCPkpVtlzuo1pHL4tg8dTxuUWLzfpwCqE
 OCaOfbgf06+5vOM5K1aynmWdTmQKT7ojAsrU5awVc72UMsS+qjP4DIXAqrN2qfrESA1C
 NXBGmjfWTWjh63k314jVtMXgX83iPPhkyhDFpCm05ui9M1QC095u3HzbLyDLBi8c1pMt
 vbKFq7FqSBoWmLMprNdEZSShUHsG5bh2VrIy1b+5/uKaPTX5wfg9h+BNAnq3Zx0PipW+
 DKh7vZHbxr/aqWuiVknTkmXi0IULuWTe1bn9hMmnmrFaVlvxMTHOIK/7WHuyZ1iNIyyP
 DLkw==
X-Gm-Message-State: AO0yUKU8Rl3QxkwuHE4JaiGRzV7K2QzrkwKSXx5/t79tfvcSPihvBaiM
 Eg3svPs3Q6vB/NAwsiEdBnYpLoAoir8Y3lo5fTrAJjvc3L9REw==
X-Google-Smtp-Source: AK7set8/1jjmBSdcrh3ov4oT5UfaLxDodHhy75vqg+5RrK93Fz0LB/m3TX2ThszRrD00TeVvjW8KuurrlJ4rSL49ny0=
X-Received: by 2002:a63:a101:0:b0:4fb:1c1c:5f38 with SMTP id
 b1-20020a63a101000000b004fb1c1c5f38mr524514pgf.47.1675794923349; Tue, 07 Feb
 2023 10:35:23 -0800 (PST)
MIME-Version: 1.0
References: <CAAQdECCH=YOcu4g6Ku1_G4CnRg6rsaFPFPwbABx9aZin9A8+2A@mail.gmail.com>
 <Y+JWLsc80gxL4kpG@camus> <Y+KUAlsPc8ohPecb@camus>
In-Reply-To: <Y+KUAlsPc8ohPecb@camus>
From: "Russell O'Connor" <roconnor@blockstream.com>
Date: Tue, 7 Feb 2023 13:35:12 -0500
Message-ID: <CAMZUoK=u2114uv0Uc0u_RVMBv-cq-gJiNxiyOk_T_xxTYO0Ghw@mail.gmail.com>
To: Andrew Poelstra <apoelstra@wpsoftware.net>, 
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="0000000000001f8a8405f4206984"
Subject: Re: [bitcoin-dev] Unenforceable fee obligations in multiparty
 protocols with Taproot inputs
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2023 18:35:25 -0000

--0000000000001f8a8405f4206984
Content-Type: text/plain; charset="UTF-8"

There is a bug in Taproot that allows the same Tapleaf to be repeated
multiple times in the same Taproot, potentially at different Taplevels
incurring different Tapfee rates.

The countermeasure is that you should always know the entire Taptree when
interacting with someone's Tapspend.


On Tue, Feb 7, 2023 at 1:10 PM Andrew Poelstra via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

>
> Some people highlighted some minor problems with my last email:
>
> On Tue, Feb 07, 2023 at 01:46:22PM +0000, Andrew Poelstra via bitcoin-dev
> wrote:
> >
> > <snip>
> >
> > [1] https://bitcoin.sipa.be/miniscript/
> > [2] In Taproot, if you want to prevent signatures migrating to another
> >     branch or within a branch, you can use the CODESEPARATOR opcode
> >     which was redisegned in Taproot for exactly this purpose... we
> >     really did about witness malleation in its design!
>
> In Taproot the tapleaf hash is always covered by the signature (though
> not in some ANYONECANPAY proposals) so you can never migrate signatures
> between tapbranches.
>
> I had thought this was the case, but then I re-confused myself by
> reading BIP 341 .... which has much of the sighash specified, but not
> all of it! The tapleaf hash is added in BIP 342.
>
> >
> >     If you want to prevent signatures from moving around *within* a
> >     branch,
> >
>
> And this sentence I just meant to delete :)
>
>
> --
> Andrew Poelstra
> Director of Research, Blockstream
> Email: apoelstra at wpsoftware.net
> Web:   https://www.wpsoftware.net/andrew
>
> The sun is always shining in space
>     -Justin Lewis-Webster
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

--0000000000001f8a8405f4206984
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>There is a bug in Taproot that allows the same Taplea=
f to be repeated multiple times in the same Taproot, potentially at differe=
nt Taplevels incurring different Tapfee rates.</div><div><br></div><div>The=
 countermeasure is that you should always know the entire Taptree when inte=
racting with someone&#39;s Tapspend.<br></div><div dir=3D"ltr"><br></div><b=
r><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Tue, =
Feb 7, 2023 at 1:10 PM Andrew Poelstra via bitcoin-dev &lt;<a href=3D"mailt=
o:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.linuxfoundation.=
org</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"marg=
in:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1e=
x"><br>
Some people highlighted some minor problems with my last email:<br>
<br>
On Tue, Feb 07, 2023 at 01:46:22PM +0000, Andrew Poelstra via bitcoin-dev w=
rote:<br>
&gt; <br>
&gt; &lt;snip&gt; <br>
&gt; <br>
&gt; [1] <a href=3D"https://bitcoin.sipa.be/miniscript/" rel=3D"noreferrer"=
 target=3D"_blank">https://bitcoin.sipa.be/miniscript/</a><br>
&gt; [2] In Taproot, if you want to prevent signatures migrating to another=
<br>
&gt;=C2=A0 =C2=A0 =C2=A0branch or within a branch, you can use the CODESEPA=
RATOR opcode<br>
&gt;=C2=A0 =C2=A0 =C2=A0which was redisegned in Taproot for exactly this pu=
rpose... we<br>
&gt;=C2=A0 =C2=A0 =C2=A0really did about witness malleation in its design!<=
br>
<br>
In Taproot the tapleaf hash is always covered by the signature (though<br>
not in some ANYONECANPAY proposals) so you can never migrate signatures<br>
between tapbranches.<br>
<br>
I had thought this was the case, but then I re-confused myself by<br>
reading BIP 341 .... which has much of the sighash specified, but not<br>
all of it! The tapleaf hash is added in BIP 342.<br>
<br>
&gt; <br>
&gt;=C2=A0 =C2=A0 =C2=A0If you want to prevent signatures from moving aroun=
d *within* a<br>
&gt;=C2=A0 =C2=A0 =C2=A0branch,<br>
&gt;<br>
<br>
And this sentence I just meant to delete :)<br>
<br>
<br>
-- <br>
Andrew Poelstra<br>
Director of Research, Blockstream<br>
Email: apoelstra at <a href=3D"http://wpsoftware.net" rel=3D"noreferrer" ta=
rget=3D"_blank">wpsoftware.net</a><br>
Web:=C2=A0 =C2=A0<a href=3D"https://www.wpsoftware.net/andrew" rel=3D"noref=
errer" target=3D"_blank">https://www.wpsoftware.net/andrew</a><br>
<br>
The sun is always shining in space<br>
=C2=A0 =C2=A0 -Justin Lewis-Webster<br>
<br>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div></div>

--0000000000001f8a8405f4206984--