MIME-Version: 1.0
References: <CAPg+sBhuPG-2GXc+Bp0yv5ywry2fk56LPLT4AY0Kcs+YEoz4FA@mail.gmail.com>
	<CAPg+sBiu0BjZEtz-t7m3M+TnAEDG_k1GKtxwkOKh6qrSezUO7g@mail.gmail.com>
	<CAMZUoKkJdU0P_dVRvHn5zY6xUHYUptdK221ioQMp3FXZAerp3Q@mail.gmail.com>
	<702FE74C-119C-4D14-BCD3-85C4355356A2@xbt.hk>
	<CAMZUoKkYcXt7O39zdpz494f9Jm195mBtWyrH3siX4PBEAf8OKQ@mail.gmail.com>
	<20181213000553.cikilodf65an225g@erisian.com.au>
In-Reply-To: <20181213000553.cikilodf65an225g@erisian.com.au>
From: "Russell O'Connor" <roconnor@blockstream.io>
Date: Thu, 13 Dec 2018 11:21:10 -0500
Message-ID: <CAMZUoKkPCNaPyiSanDH8cAZuybywZsNE0ErYJTctcYc+VAWQxg@mail.gmail.com>
To: Anthony Towns <aj@erisian.com.au>
Content-Type: multipart/alternative; boundary="0000000000009a064b057ce9b417"
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Safer sighashes and more granular SIGHASH_NOINPUT
Precedence: list

--0000000000009a064b057ce9b417
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Wed, Dec 12, 2018 at 7:06 PM Anthony Towns <aj@erisian.com.au> wrote:

> On Tue, Dec 11, 2018 at 05:50:24PM -0500, Russell O'Connor via bitcoin-de=
v
> wrote:
> > On Sun, Dec 9, 2018 at 2:13 PM Johnson Lau <jl2012@xbt.hk> wrote:
> >     The current proposal is that a 64-byte signature will be used for t=
he
> >     default =E2=80=9Csigning all=E2=80=9D sighash, and 65-byte for othe=
r sighash types.
> The
> >     space saved will allow a few more txs in a block, so I think it
> worths
> >     doing. However, this also makes witness weight estimation more
> difficult in
> >     multisig cases.
>
> This seems strange to me -- why wouldn't you just assume every signature
> is 65 witness bytes, and just be grateful for the prioritisation benefit
> if someone chooses a shorter signature? Your error margin is just 0.25
> vbytes per signature.
>

The issue is that the proposal is to sign the actual weight, rather than
sign an upper bound on the weight.
The problem with signing an upper bound, is that you need to specify that
upper bound someplace in the transaction, and we are out of sneaky places
to stash that data.
Signing the actual weight is easy because the total weight is implicit, but
now you need to know the total weight before signing.


> > I tend to think in opposite terms. Is there a proof that any script can
> be
> > transformed into an equivalent one that avoids witness weight
> malleability?
>
> An alternative generalisation: is there a proof that all valid witnesses
> will have a weight within some small range?
>
> > Moreover, even if witness weight malleability is entirely avoidable, it
> always
> > seems to come at a cost.  Taking as an example libwally's proposed "
> > csv_2of3_then_2" Script, it begins with "OP_DEPTH OP_1SUB OP_1SUB"
>
> (DEPTH 2 NUMNOTEQUAL seems like it would have been more obvious...)
>
> I think the 1SUB idea was derived from the csv_2of2_then_1 Script where
DEPTH 1SUB is shorter than DEPTH 1 NUMNOTEQUAL.


> Cheers,
> aj
>
>

--0000000000009a064b057ce9b417
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_quote"><div dir=3D"ltr">On Wed, Dec 12=
, 2018 at 7:06 PM Anthony Towns &lt;<a href=3D"mailto:aj@erisian.com.au">aj=
@erisian.com.au</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" s=
tyle=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On T=
ue, Dec 11, 2018 at 05:50:24PM -0500, Russell O&#39;Connor via bitcoin-dev =
wrote:<br>
&gt; On Sun, Dec 9, 2018 at 2:13 PM Johnson Lau &lt;<a href=3D"mailto:jl201=
2@xbt.hk" target=3D"_blank">jl2012@xbt.hk</a>&gt; wrote:<br>
&gt;=C2=A0 =C2=A0 =C2=A0The current proposal is that a 64-byte signature wi=
ll be used for the<br>
&gt;=C2=A0 =C2=A0 =C2=A0default =E2=80=9Csigning all=E2=80=9D sighash, and =
65-byte for other sighash types. The<br>
&gt;=C2=A0 =C2=A0 =C2=A0space saved will allow a few more txs in a block, s=
o I think it worths<br>
&gt;=C2=A0 =C2=A0 =C2=A0doing. However, this also makes witness weight esti=
mation more difficult in<br>
&gt;=C2=A0 =C2=A0 =C2=A0multisig cases.<br>
<br>
This seems strange to me -- why wouldn&#39;t you just assume every signatur=
e<br>
is 65 witness bytes, and just be grateful for the prioritisation benefit<br=
>
if someone chooses a shorter signature? Your error margin is just 0.25<br>
vbytes per signature.<br></blockquote><div><br></div><div>The issue is that=
 the proposal is to sign the actual weight, rather than sign an upper bound=
 on the weight.</div><div>The problem with signing an upper bound, is that =
you need to specify that upper bound someplace in the transaction, and we a=
re out of sneaky places to stash that data.</div><div>Signing the actual we=
ight is easy because the total weight is implicit, but now you need to know=
 the total weight before signing.<br></div><div>=C2=A0</div><blockquote cla=
ss=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;pa=
dding-left:1ex">
&gt; I tend to think in opposite terms. Is there a proof that any script ca=
n be<br>
&gt; transformed into an equivalent one that avoids witness weight malleabi=
lity?<br>
<br>
An alternative generalisation: is there a proof that all valid witnesses<br=
>
will have a weight within some small range?<br>
<br>
&gt; Moreover, even if witness weight malleability is entirely avoidable, i=
t always<br>
&gt; seems to come at a cost.=C2=A0 Taking as an example libwally&#39;s pro=
posed &quot;<br>
&gt; csv_2of3_then_2&quot; Script, it begins with &quot;OP_DEPTH OP_1SUB OP=
_1SUB&quot;<br>
<br>
(DEPTH 2 NUMNOTEQUAL seems like it would have been more obvious...)<br>
<br></blockquote><div>I think the 1SUB idea was derived from the <span clas=
s=3D"gmail-pl-en">csv_2of2_then_1 Script where DEPTH 1SUB is shorter than D=
EPTH 1 NUMNOTEQUAL.<br></span></div><div>=C2=A0</div><blockquote class=3D"g=
mail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-l=
eft:1ex">
Cheers,<br>
aj<br>
<br>
</blockquote></div></div>

--0000000000009a064b057ce9b417--