Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 2535BCCA for ; Wed, 23 May 2018 13:57:08 +0000 (UTC) X-Greylist: delayed 00:06:52 by SQLgrey-1.7.6 Received: from mail.wpsoftware.net (wpsoftware.net [96.53.77.134]) by smtp1.linuxfoundation.org (Postfix) with ESMTP id B960D6C4 for ; Wed, 23 May 2018 13:57:07 +0000 (UTC) Received: from boulet.lan (boulot.lan [192.168.0.193]) by mail.wpsoftware.net (Postfix) with ESMTPSA id ED3D840165; Wed, 23 May 2018 13:50:12 +0000 (UTC) Date: Wed, 23 May 2018 13:50:13 +0000 From: Andrew Poelstra To: Pieter Wuille , Bitcoin Protocol Discussion Message-ID: <20180523135013.GN14992@boulet.lan> References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="95CBLwa+io9O2zXc" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.7.1 (2016-10-04) X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: Re: [bitcoin-dev] Should Graftroot be optional? X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 May 2018 13:57:08 -0000 --95CBLwa+io9O2zXc Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, May 22, 2018 at 11:17:42AM -0700, Pieter Wuille via bitcoin-dev wro= te: >=20 > Given the recent discussions about Taproot [1] and Graftroot [2], I > was wondering if a practical deployment needs a way to explicitly > enable or disable the Graftroot spending path. I have no strong > reasons why this would be necessary, but I'd like to hear other > people's thoughts. > Graftroot also break blind signature schemes. Consider a protocol such as [= 1] where some party has a bunch of UTXOs all controlled (in part) by the same key X. This party produces blind signatures on receipt of new funds, and can only verify the number of signatures he produces, not anything about what he is signing. BTW, the same concern holds for SIGHASH_NOINPUT, which I'd also like to be disable-able. Maybe we should extend one of ZmnSCPxj's suggestions to inclu= de a free "flags" byte or two in the witness? (I also had the same concern about signature aggregation. It seems like it's pretty hard to preserve the "one signature =3D at most one input" invariant= of Bitcoin, but I think it's important that it is preserved, at least for outputs that need it.) Or maybe, since it appears it will require a space hit to support optional graftroot anyway, we should simply not include it in a proposal for Taproot, since there would be no opportunity cost (in blockchain efficiency) to doing it later. [1] https://github.com/apoelstra/scriptless-scripts/pull/1=20 --=20 Andrew Poelstra Mathematics Department, Blockstream Email: apoelstra at wpsoftware.net Web: https://www.wpsoftware.net/andrew "A goose alone, I suppose, can know the loneliness of geese who can never find their peace, whether north or south or west or east" --Joanna Newsom --95CBLwa+io9O2zXc Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEcBAEBCAAGBQJbBXGTAAoJEMWI1jzkG5fBh0wH/2U+PinEn5vIehDyjUM9ceE3 YUYAO36jcXbm/aAT9pWl3eJtXVvMFoiCS69p2a/sVszvrZqCJsSNC+LsZJILkMIM yNNYhxOrXUFobUKvWpWdkv/hkA9M/UR9NQQCM9kMVLoyA3US8kvKxm0XRNCYdRIl 6BHK889Mv4OSBPsM/LvduIiB06OcIQs6MqRaF5u7no04/fFU4fswq8Uw3pFNNAo6 tNhzZg/Erq6mvaGpQ4uLOeIKhcfu29kuHX8UqXpsbtS1BAl1k+4Fxxb44Go6GDsc UzyklpkbpdkY6mxlt2bETNjOn1KDlvWI2eWPDdD/X1g8DgElqTNZ2HGu3LNQlK8= =Ooss -----END PGP SIGNATURE----- --95CBLwa+io9O2zXc--