From: Rusty Russell
To: Johnson Lau, bitcoin-dev
Date: Thu, 13 Dec 2018 11:07:28 +1030
Message-ID: <87h8fiqn1z.fsf@rustcorp.com.au>
In-Reply-To: <87pnu6s3v5.fsf@rustcorp.com.au>
References: <87ftv3xerx.fsf@rustcorp.com.au> <87pnu6s3v5.fsf@rustcorp.com.au>
Subject: Re: [bitcoin-dev] Safer sighashes and more granular SIGHASH_NOINPUT

Rusty Russell writes:
>> However, I'm not sure if there is any useful NOINPUT case with unmasked script.
>
> This is *not* true of Eltoo; the script itself need not change for the
> rebinding (Christian, did something change?).

This is wrong, sorry. I re-checked the paper, and the constant for the
timelock comparison changes on each new update. (The alternative was a
new opcode like OP_TIMELOCKGREATERVERIFY which required remembering the
nLocktime for the UTXO).

So now my opinion is closer to yours: what's the use for NOINPUT &&
!NOMASK? And is it worthwhile doing the mask complexity, rather than
just removing the commitment to script with NOINPUT?

It *feels* safer to restrict what scripts we can sign, but is it?

Note that NOINPUT is only useful when you can't just re-sign the tx, and
you need to be able to create a new tx even if this input is spent once
(an attacker can do this with SIGHASH_MASK or not!). i.e. any other
inputs need to be signed NOINPUT or this one SIGHASH_SINGLE|ANYONECANPAY.

You already need both key-reuse and amount-reuse to be exploited.
SIGHASH_MASK only prevents you from reusing this input for a "normal"
output; if you used this key for multiple scripts of the same form,
you're vulnerable[1]. Which, given the lightning software will be using
the One True Script, is more likely than your normal wallet using the
same keys.

So I don't think it's worth it. SIGHASH_NOINPUT is simply dangerous with
key-reuse, and Don't Do That.

Cheers,
Rusty.

[1] Attacker can basically clone channel state to another channel.
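The rebinding argument in the message above can be made concrete with a toy sighash model. The following is an added example and is not code from the original post, from Bitcoin Core or from the BIP118 proposal: the digest layout is a simplified BIP143-style serialization that keeps only the commitments the thread argues about (outpoint, script, amount, outputs), the NOINPUT flag value 0x40 follows the BIP118 draft of the time, and SIGHASH_NOMASK, update_script and mask_script are hypothetical stand-ins for the "unmasked script" variant, the eltoo update script with its per-update constant, and the SIGHASH_MASK idea. A signature is valid for whatever transaction produces the same digest, so comparing digests across two channels funded to the same key with the same amount shows exactly when a signature for one channel also spends the other (the footnote's "clone channel state" case), and that a differing amount or, without masking, a differing script constant blocks it.

```python
import hashlib
from dataclasses import dataclass

# SIGHASH_ALL is the real value; 0x40 for NOINPUT follows the BIP118 draft
# of the time; SIGHASH_NOMASK is a hypothetical flag for "commit to the exact
# script" (the NOINPUT && !NOMASK case discussed in the thread).
SIGHASH_ALL = 0x01
SIGHASH_NOINPUT = 0x40
SIGHASH_NOMASK = 0x80


def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def update_script(pubkey: bytes, update_no: int) -> bytes:
    """Stand-in for an update script: fixed template, key, then the 4-byte
    per-update constant that changes on every new update (assumed shape)."""
    return b"<template>" + pubkey + b"<const>" + update_no.to_bytes(4, "little")


def mask_script(script: bytes) -> bytes:
    """Masked form: zero the trailing constant so every script of the same
    form hashes identically (the SIGHASH_MASK idea, modelled crudely)."""
    return script[:-4] + b"\x00" * 4


@dataclass
class Input:
    txid: bytes
    vout: int
    script_code: bytes
    amount: int
    sequence: int = 0xFFFFFFFF


@dataclass
class Tx:
    inputs: list
    outputs: list          # [(amount, scriptpubkey), ...]
    locktime: int = 0
    version: int = 2


def sighash(tx: Tx, idx: int, flags: int) -> bytes:
    """Simplified digest: commits to the outpoint and sequence only without
    NOINPUT; commits to the masked or exact script depending on NOMASK; the
    amount, outputs, locktime and flags are always committed."""
    inp = tx.inputs[idx]
    parts = [tx.version.to_bytes(4, "little")]
    if not flags & SIGHASH_NOINPUT:
        parts.append(inp.txid + inp.vout.to_bytes(4, "little"))   # outpoint
        parts.append(inp.sequence.to_bytes(4, "little"))
        parts.append(inp.script_code)
    elif flags & SIGHASH_NOMASK:
        parts.append(inp.script_code)                # exact script, no outpoint
    else:
        parts.append(mask_script(inp.script_code))   # script form only
    parts.append(inp.amount.to_bytes(8, "little"))
    parts.append(dsha256(b"".join(a.to_bytes(8, "little") + s for a, s in tx.outputs)))
    parts.append(tx.locktime.to_bytes(4, "little"))
    parts.append(flags.to_bytes(4, "little"))
    return dsha256(b"".join(parts))


def rebinds(tx_a: Tx, tx_b: Tx, flags: int) -> bool:
    """Equal digests mean a signature made for tx_a also spends tx_b's input."""
    return sighash(tx_a, 0, flags) == sighash(tx_b, 0, flags)


# Constructed scenario: two channels (A, B) funded to the same key with the
# same amount, i.e. key reuse plus amount reuse, spending to identical outputs.
KEY = b"\x02" + b"\x11" * 32
OUTS = [(90_000, b"\x00\x14" + b"\xaa" * 20)]


def channel_tx(txid_byte: int, update_no: int, amount: int = 100_000) -> Tx:
    inp = Input(txid=bytes([txid_byte]) * 32, vout=0,
                script_code=update_script(KEY, update_no), amount=amount)
    return Tx(inputs=[inp], outputs=OUTS)


def demo() -> dict:
    a5 = channel_tx(0xA1, 5)                       # channel A at update 5
    b5 = channel_tx(0xB2, 5)                       # channel B, same update number
    b7 = channel_tx(0xB2, 7)                       # channel B, different constant
    b5_half = channel_tx(0xB2, 5, amount=50_000)   # channel B, different amount
    return {
        "all_rebinds": rebinds(a5, b5, SIGHASH_ALL),
        "noinput_masked_same_form": rebinds(a5, b7, SIGHASH_NOINPUT),
        "noinput_unmasked_other_constant": rebinds(a5, b7, SIGHASH_NOINPUT | SIGHASH_NOMASK),
        "noinput_unmasked_same_script": rebinds(a5, b5, SIGHASH_NOINPUT | SIGHASH_NOMASK),
        "noinput_other_amount": rebinds(a5, b5_half, SIGHASH_NOINPUT),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the five booleans reproduce the message's argument: SIGHASH_ALL never rebinds because the outpoint is committed; NOINPUT with a masked script rebinds between any two channels using the same script form, key and amount; committing to the exact script only helps when the per-update constant differs, and a channel at the same update number is still clonable; and a different amount breaks the rebinding in every NOINPUT mode, which is why both key reuse and amount reuse are needed.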