Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id E54E294B for ; Mon, 19 Nov 2018 22:38:10 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-ot1-f53.google.com (mail-ot1-f53.google.com [209.85.210.53]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 87AD2782 for ; Mon, 19 Nov 2018 22:38:10 +0000 (UTC) Received: by mail-ot1-f53.google.com with SMTP id 40so29211436oth.4 for ; Mon, 19 Nov 2018 14:38:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=NFgC4MyUcicYU75YCV/Kyqa6E74zM57GkmDNougOdD8=; b=Z00ME5M7El1hnvfvNy/O/Blo0wZnKUmMK6o2UC40wlOAXelOJur5rsWA45vAcvCzzE C+zCPWfv1YyZx+p6Lcvm9wVR1cWWVmL0TXNlWh0ubX7BX7oom98i+a5+p1DiJ78/vp3P Dy0VwmmPhTncVnkKkzT6vdFHW421UfK7RRa904uifdYZqBq1BmFoj/+Q+aTUlPhFraNe DAUT4IoAh6GNrgISicKcb/Bogu8z3Ll7jTT+t0acp5RqwmuOhIFA9gJl0n5MWqsAomHD McW6TDXle+lBIEyfMB/Zbt3hN7K0RaFtzfOl9VvGNZg8Opu+GgMdTFH3AUzAQ0MbqFha cgHQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=NFgC4MyUcicYU75YCV/Kyqa6E74zM57GkmDNougOdD8=; b=g2DQ4F8OYP+7XfmQFDpRVWGG8Gn9DJywycyx69/1hsnQjNvjTWlexcp+KI0zAvPoHz O52WG6sB2/6gvY0N2jDp01SKgKJAw3M2EsWaCCxLKBmuHuC5Az9dR71O2jJGe8hzcNFs WzuzSpuQvpl+tL5Rz+9g5Dr5DO4p/LpTyjTNMaciawCNOUa56pkerAj8DcLP5dRmScbd NIiKzZkrOGYvLT86JNvTMGD0/yUcSDNqZqOLBuRV42aL7e/utsXgLSTohoEMeuHAFyYi LRlIaJ6l21S8sChh0q0ZYgmADyPSRPOLPfxxy0Vg9SggKLvqf1dijtE91z9PPlnRPWtp hKEQ== X-Gm-Message-State: AGRZ1gIN52ca5kjBfuCjAavbq+Kn9rAky9Mis/H1kv32cN9CQcVE6aYM DL9ysXtbuQVRm5zDBHLEdKtqZfbL5qdJdzacDiXgHKKJ X-Google-Smtp-Source: AJdET5cY2tI4bj8/SvIgPPEFz7sbSGKU83pMQnyCLRy9WSuRPbI5v9gVLpok+hMGj8ZJ8OHgxzBmfkTeywly5x8+hqM= X-Received: by 2002:a9d:582e:: with SMTP id r46mr14628085oth.238.1542667089382; Mon, 19 Nov 2018 14:38:09 -0800 (PST) MIME-Version: 1.0 From: Pieter Wuille Date: Mon, 19 Nov 2018 14:37:57 -0800 Message-ID: To: Bitcoin Dev Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Tue, 20 Nov 2018 03:21:03 +0000 Subject: [bitcoin-dev] Safer sighashes and more granular SIGHASH_NOINPUT X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Nov 2018 22:38:11 -0000 Hello everyone, For future segwit versions, I think it would be good add a few things to the sighash by default that were overlooked in BIP143: * Committing to the absolute transaction fee (in addition to just the amount being spent in each input) would categorically remove concerns about wallets lying about fees to HW devices or airgapped signers. * Committing to the scriptPubKey (in addition to the scriptCode) would prevent lying to devices about the type of output being spent, even when the scriptCode is correct. As a reminder, the scriptCode is the actually executed script (which is the redeemscript in non-segwit P2SH, and the witnesscript in P2WSH/P2WPKH). As this implies additional information that may not be desirable to commit to in all circumstances, it makes sense to make these optional. This obviously interacts with SIGHASH_NOINPUT, which really adds two different ways of rebinding signatures to inputs: * Changing the prevout (so that the txid doesn't need to be known when the signature is created) * Changing the script (so that the exact scriptPubKey/redeemScript/... doesn't need to be known when the signature is created) Of course, the second implies the first, but do all use cases require both being able to change the prevout and (arbitrarily) changing the scriptPubKey? While BIP118 correctly points out this is secure if the same keys are only used in scripts with which binding is to be permitted, I feel it would be preferable if signatures/scripts would explicitly state what can change. One way to accomplish this is by indicating exactly what in a script is subject to change. Here is a combined proposal: * Three new sighash flags are added: SIGHASH_NOINPUT, SIGHASH_NOFEE, and SIGHASH_SCRIPTMASK. * A new opcode OP_MASK is added, which acts as a NOP during execution. * The sighash is computed like in BIP143, but: * If SIGHASH_SCRIPTMASK is present, for every OP_MASK in scriptCode the subsequent opcode/push is removed. * The scriptPubKey being spent is added to the sighash, unless SIGHASH_SCRIPTMASK is set. * The transaction fee is added to the sighash, unless SIGHASH_NOFEE is set. * hashPrevouts, hashSequence, and outpoint are set to null when SIGHASH_NOINPUT is set (like BIP118, but not for scriptCode). So my question is whether anyone can see ways in which this introduces redundant flexibility, or misses obvious use cases? Cheers, -- Pieter