MIME-Version: 1.0
References: <871sewirni.fsf@gmail.com>
In-Reply-To: <871sewirni.fsf@gmail.com>
From: Olaoluwa Osuntokun <laolu32@gmail.com>
Date: Mon, 07 May 2018 23:47:23 +0000
Message-ID: <CAO3Pvs-8cX2Gdgu0cb0LdkY6ErguKkzs8pLZapFTD5JdpGms2A@mail.gmail.com>
To: Christian Decker <decker.christian@gmail.com>, 
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="0000000000003325da056ba64b0c"
Subject: Re: [bitcoin-dev] BIP sighash_noinput
Precedence: list

--0000000000003325da056ba64b0c
Content-Type: text/plain; charset="UTF-8"

Super stoked to see that no_input has been resurrected!!! I actually
implemented a variant back in 2015 when Tadge first described the approach
to
me for both btcd [1], and bitcoind [2]. The version being proposed is
_slightly_ differ though, as the initial version I implemented still
committed
to the script being sent, while this new version just relies on
witness validity instead. This approach is even more flexible as the script
attached to the output being spent can change, without rendering the
spending
transaction invalid as long as the witness still ratifies a branch in the
output's predicate.

Given that this would introduce a _new_ sighash flag, perhaps we should also
attempt to bundle additional more flexible sighash flags concurrently as
well?
This would require a larger overhaul w.r.t to how sighash flags are
interpreted, so in this case, we may need to introduce a new CHECKSIG
operator
(lets call it CHECKSIG_X for now), which would consume an available noop
opcode. As a template for more fine grained sighashing control, I'll refer
to
jl2012's BIP-0YYY [3] (particularly the "New nHashType definitions"
section).
This was originally proposed in the context of his merklized script work as
it
more or less opened up a new opportunity to further modify script within the
context of merklized script executions.  The approach reads in the
sighash flags as a bit vector, and allows developers to express things like:
"don't sign the input value, nor the sequence, but sign the output of this
input, and ONLY the script of this output". This approach is _extremely_
powerful, and one would be able to express the equivalent of no_input by
setting the appropriate bits in the sighash.

Looking forward in hearing y'alls thoughts on this approach, thanks.

[1]: https://github.com/Roasbeef/btcd/commits/SIGHASH_NOINPUT
[2]: https://github.com/Roasbeef/bitcoin/commits/SIGHASH_NOINPUT
[3]:
https://github.com/jl2012/bips/blob/vault/bip-0YYY.mediawiki#new-nhashtype-definitions

-- Laolu

On Mon, Apr 30, 2018 at 10:30 AM Christian Decker via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Hi all,
>
> I'd like to pick up the discussion from a few months ago, and propose a new
> sighash flag, `SIGHASH_NOINPUT`, that removes the commitment to the
> previous
> output. This was previously mentioned on the list by Joseph Poon [1], but
> was
> never formally proposed, so I wrote a proposal [2].
>
> We have long known that `SIGHASH_NOINPUT` would be a great fit for
> Lightning.
> They enable simple watch-towers, i.e., outsource the need to watch the
> blockchain for channel closures, and react appropriately if our
> counterparty
> misbehaves. In addition to this we just released the eltoo [3,4] paper
> which
> describes a simplified update mechanism that can be used in Lightning, and
> other
> off-chain contracts, with any number of participants.
>
> By not committing to the previous output being spent by the transaction,
> we can
> rebind an input to point to any outpoint with a matching output script and
> value. The binding therefore is no longer explicit through a reference, but
> through script compatibility, and the transaction ID reference in the
> input is a
> hint to validators. The sighash flag is meant to enable some off-chain
> use-cases
> and should not be used unless the tradeoffs are well-known. In particular
> we
> suggest using contract specific key-pairs, in order to avoid having any
> unwanted
> rebinding opportunities.
>
> The proposal is very minimalistic, and simple. However, there are a few
> things
> where we'd like to hear the input of the wider community with regards to
> the
> implementation details though. We had some discussions internally on
> whether to
> use a separate opcode or a sighash flag, some feeling that the sighash flag
> could lead to some confusion with existing wallets, but given that we have
> `SIGHASH_NONE`, and that existing wallets will not sign things with unknown
> flags, we decided to go the sighash way. Another thing is that we still
> commit
> to the amount of the outpoint being spent. The rationale behind this is
> that,
> while rebinding to outpoints with the same value maintains the value
> relationship between input and output, we will probably not want to bind to
> something with a different value and suddenly pay a gigantic fee.
>
> The deployment part of the proposal is left vague on purpose in order not
> to
> collide with any other proposals. It should be possible to introduce it by
> bumping the segwit script version and adding the new behavior.
>
> I hope the proposal is well received, and I'm looking forward to discussing
> variants and tradeoffs here. I think the applications we proposed so far
> are
> quite interesting, and I'm sure there are many more we can enable with this
> change.
>
> Cheers,
> Christian
>
> [1]
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-February/012460.html
> [2] https://github.com/cdecker/bips/blob/noinput/bip-xyz.mediawiki
> [3] https://blockstream.com/2018/04/30/eltoo-next-lightning.html
> [4] https://blockstream.com/eltoo.pdf
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

--0000000000003325da056ba64b0c
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div><div>Super stoked to see that no_input has been resur=
rected!!! I actually</div><div>implemented a variant back in 2015 when Tadg=
e first described the approach to</div><div>me for both btcd [1], and bitco=
ind [2]. The version being proposed is</div><div>_slightly_ differ though, =
as the initial version I implemented still committed</div><div>to the scrip=
t being sent, while this new version just relies on</div><div>witness valid=
ity instead. This approach is even more flexible as the script</div><div>at=
tached to the output being spent can change, without rendering the spending=
</div><div>transaction invalid as long as the witness still ratifies a bran=
ch in the</div><div>output&#39;s predicate.</div><div><br></div><div>Given =
that this would introduce a _new_ sighash flag, perhaps we should also</div=
><div>attempt to bundle additional more flexible sighash flags concurrently=
 as well?</div><div>This would require a larger overhaul w.r.t to how sigha=
sh flags are</div><div>interpreted, so in this case, we may need to introdu=
ce a new CHECKSIG operator</div><div>(lets call it CHECKSIG_X for now), whi=
ch would consume an available noop</div><div>opcode. As a template for more=
 fine grained sighashing control, I&#39;ll refer to</div><div>jl2012&#39;s =
BIP-0YYY [3] (particularly the &quot;New nHashType definitions&quot; sectio=
n).</div><div>This was originally proposed in the context of his merklized =
script work as it</div><div>more or less opened up a new opportunity to fur=
ther modify script within the</div><div>context of merklized script executi=
ons.=C2=A0 The approach reads in the</div><div>sighash flags as a bit vecto=
r, and allows developers to express things like:</div><div>&quot;don&#39;t =
sign the input value, nor the sequence, but sign the output of this</div><d=
iv>input, and ONLY the script of this output&quot;. This approach is _extre=
mely_</div><div>powerful, and one would be able to express the equivalent o=
f no_input by</div><div>setting the appropriate bits in the sighash.</div><=
div><br></div><div>Looking forward in hearing y&#39;alls thoughts on this a=
pproach, thanks.</div><div><br></div><div>[1]: <a href=3D"https://github.co=
m/Roasbeef/btcd/commits/SIGHASH_NOINPUT">https://github.com/Roasbeef/btcd/c=
ommits/SIGHASH_NOINPUT</a></div><div>[2]: <a href=3D"https://github.com/Roa=
sbeef/bitcoin/commits/SIGHASH_NOINPUT">https://github.com/Roasbeef/bitcoin/=
commits/SIGHASH_NOINPUT</a></div><div>[3]: <a href=3D"https://github.com/jl=
2012/bips/blob/vault/bip-0YYY.mediawiki#new-nhashtype-definitions">https://=
github.com/jl2012/bips/blob/vault/bip-0YYY.mediawiki#new-nhashtype-definiti=
ons</a></div><div><br></div><div>-- Laolu</div></div><div><br></div><div cl=
ass=3D"gmail_quote"><div dir=3D"ltr">On Mon, Apr 30, 2018 at 10:30 AM Chris=
tian Decker via bitcoin-dev &lt;<a href=3D"mailto:bitcoin-dev@lists.linuxfo=
undation.org">bitcoin-dev@lists.linuxfoundation.org</a>&gt; wrote:<br></div=
><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1=
px #ccc solid;padding-left:1ex">Hi all,<br>
<br>
I&#39;d like to pick up the discussion from a few months ago, and propose a=
 new<br>
sighash flag, `SIGHASH_NOINPUT`, that removes the commitment to the previou=
s<br>
output. This was previously mentioned on the list by Joseph Poon [1], but w=
as<br>
never formally proposed, so I wrote a proposal [2].<br>
<br>
We have long known that `SIGHASH_NOINPUT` would be a great fit for Lightnin=
g.<br>
They enable simple watch-towers, i.e., outsource the need to watch the<br>
blockchain for channel closures, and react appropriately if our counterpart=
y<br>
misbehaves. In addition to this we just released the eltoo [3,4] paper whic=
h<br>
describes a simplified update mechanism that can be used in Lightning, and =
other<br>
off-chain contracts, with any number of participants.<br>
<br>
By not committing to the previous output being spent by the transaction, we=
 can<br>
rebind an input to point to any outpoint with a matching output script and<=
br>
value. The binding therefore is no longer explicit through a reference, but=
<br>
through script compatibility, and the transaction ID reference in the input=
 is a<br>
hint to validators. The sighash flag is meant to enable some off-chain use-=
cases<br>
and should not be used unless the tradeoffs are well-known. In particular w=
e<br>
suggest using contract specific key-pairs, in order to avoid having any unw=
anted<br>
rebinding opportunities.<br>
<br>
The proposal is very minimalistic, and simple. However, there are a few thi=
ngs<br>
where we&#39;d like to hear the input of the wider community with regards t=
o the<br>
implementation details though. We had some discussions internally on whethe=
r to<br>
use a separate opcode or a sighash flag, some feeling that the sighash flag=
<br>
could lead to some confusion with existing wallets, but given that we have<=
br>
`SIGHASH_NONE`, and that existing wallets will not sign things with unknown=
<br>
flags, we decided to go the sighash way. Another thing is that we still com=
mit<br>
to the amount of the outpoint being spent. The rationale behind this is tha=
t,<br>
while rebinding to outpoints with the same value maintains the value<br>
relationship between input and output, we will probably not want to bind to=
<br>
something with a different value and suddenly pay a gigantic fee.<br>
<br>
The deployment part of the proposal is left vague on purpose in order not t=
o<br>
collide with any other proposals. It should be possible to introduce it by<=
br>
bumping the segwit script version and adding the new behavior.<br>
<br>
I hope the proposal is well received, and I&#39;m looking forward to discus=
sing<br>
variants and tradeoffs here. I think the applications we proposed so far ar=
e<br>
quite interesting, and I&#39;m sure there are many more we can enable with =
this<br>
change.<br>
<br>
Cheers,<br>
Christian<br>
<br>
[1] <a href=3D"https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016=
-February/012460.html" rel=3D"noreferrer" target=3D"_blank">https://lists.l=
inuxfoundation.org/pipermail/bitcoin-dev/2016-February/012460.html</a><br>
[2] <a href=3D"https://github.com/cdecker/bips/blob/noinput/bip-xyz.mediawi=
ki" rel=3D"noreferrer" target=3D"_blank">https://github.com/cdecker/bips/bl=
ob/noinput/bip-xyz.mediawiki</a><br>
[3] <a href=3D"https://blockstream.com/2018/04/30/eltoo-next-lightning.html=
" rel=3D"noreferrer" target=3D"_blank">https://blockstream.com/2018/04/30/e=
ltoo-next-lightning.html</a><br>
[4] <a href=3D"https://blockstream.com/eltoo.pdf" rel=3D"noreferrer" target=
=3D"_blank">https://blockstream.com/eltoo.pdf</a><br>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div></div>

--0000000000003325da056ba64b0c--