1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
|
Return-Path: <andrew.kozlik@satoshilabs.com>
Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138])
by lists.linuxfoundation.org (Postfix) with ESMTP id B00E4C016F
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 1 May 2020 08:56:09 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by whitealder.osuosl.org (Postfix) with ESMTP id 9E34789945
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 1 May 2020 08:56:09 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from whitealder.osuosl.org ([127.0.0.1])
by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id wrpRWmlI-hOU
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 1 May 2020 08:56:08 +0000 (UTC)
X-Greylist: delayed 00:07:14 by SQLgrey-1.7.6
Received: from mail-ej1-f49.google.com (mail-ej1-f49.google.com
[209.85.218.49])
by whitealder.osuosl.org (Postfix) with ESMTPS id 22A068993C
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 1 May 2020 08:56:08 +0000 (UTC)
Received: by mail-ej1-f49.google.com with SMTP id n4so6992654ejs.11
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 01 May 2020 01:56:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=satoshilabs.com; s=google;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=8/guNtx74L61OAm3KFL30rFLN430D+fE55D+rmKi2OE=;
b=PFBFDAJgq2pjiaGJ68ritSyc2uB7unBSqV95eRdShqEWp4eCjCPWZYaDnWy9PN6csO
Dfg8ikmH4hOzsHQ1kwUH83Yq6SArjLP9HcVrXilKqgN3rxuSYi9jXjRPE4TFMSP6ONyf
mtXbS5Q4i/T98JNrID9M678Od3BHorMCH0AsngvDSYKInUOcAJpw4H3ClJELtC8fzC/X
eubAx/Os3Y/c3eIPcxAX6MYvZWtA5URHcFbXA0QpZpX3bmQj1PuOJbFdvca4R549fr9p
XOH5i8eWlWgHCoBh232UYm4qtOy3TYU1dz4JMgpmWiHf3l0FWTExHVkLs3MsdoYNlevA
MjVw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=8/guNtx74L61OAm3KFL30rFLN430D+fE55D+rmKi2OE=;
b=B3Rp1Gg7ffy/QOFaVcCGxcvk3Wr4XgUagPgw5bcsRS9v0my7ncONamYaIQQvnKowFn
dCvTcYpX9XcSWCkXYgko9lf/BQkc7Y774Rc8wjUQ5sztYhGJtbNazv1GbcPW4xPvua2D
J9K4xKMd08SA52lK3DukUCcl3r87Q6CUGTlN+cGDp8lhs2x1Ui2i50ICAgovAAi0um6G
0l7c1fwK3DJsKmV5vOMdjlwWuaZMU0Pt0SM6xt98owAY69CJfetprfrrBpzo+oh3fLp8
tvcCpjsbOpqmGQ6aVtg/sc4pfJRApdVOz8B7FkpRUe/P7B59ADM9JoPBkzqeg5gsESZa
4nIg==
X-Gm-Message-State: AGi0PuZ8x6D5SpOXG1Cwf8OmspuULiRjb7KV52Wbu0CCS+VI9mr3HajU
Wsddw6W2bhsvmEWl1me+l4MN+V0NdznoZsUscZoHNK1g
X-Google-Smtp-Source: APiQypIShc87Y15TDK0+jho4XNG4gtAEXRe67DOZz210zkmMxhbg7Y5hq1aUVjsBUpk8VouRw1BfKjsWr8X85jCyoFU=
X-Received: by 2002:a17:906:af6f:: with SMTP id
os15mr2293224ejb.78.1588322932763;
Fri, 01 May 2020 01:48:52 -0700 (PDT)
MIME-Version: 1.0
References: <CACvH2e=3s2kZWnytMySTv8U4pny3i0rEWas7NxzLxf5J7BewTg@mail.gmail.com>
<CAD5xwhgo0YfpOcKoBYSFYrx8bOT2RNDzM0+JiLqhZaLi_0C5RA@mail.gmail.com>
In-Reply-To: <CAD5xwhgo0YfpOcKoBYSFYrx8bOT2RNDzM0+JiLqhZaLi_0C5RA@mail.gmail.com>
From: Andrew Kozlik <andrew.kozlik@satoshilabs.com>
Date: Fri, 1 May 2020 10:48:41 +0200
Message-ID: <CACvH2e=_ShBk6cJq8Tow3+T=9_ZSbDy2npEGLfkXCj3QQnLxtA@mail.gmail.com>
To: Jeremy <jlrubin@mit.edu>
Content-Type: multipart/alternative; boundary="00000000000032446b05a49240de"
X-Mailman-Approved-At: Fri, 01 May 2020 11:55:00 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] BIP-341: Committing to all scriptPubKeys in the
signature message
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Fri, 01 May 2020 08:56:09 -0000
--00000000000032446b05a49240de
Content-Type: text/plain; charset="UTF-8"
Hi Jeremy,
What you are saying is correct and I am not disputing that there is
sufficient cryptographic commitment in the signature message. As I tried to
explain, my proposal is about avoiding the need for the metadata protocol
you speak of. Avoiding such a protocol has been a design goal in both
BIP-143 [1, 2] and BIP-341 [3, 4], because having to acquire each of the
transactions being spent in their entirety places a significant burden on
offline signing devices.
Cheers,
Andrew
[1]
https://github.com/bitcoin/bips/blob/master/bip-0143.mediawiki#motivation
[2] https://bitcointalk.org/index.php?topic=181734.0
[3]
https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#cite_note-16
[4]
https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#cite_note-17
On Fri, May 1, 2020 at 8:56 AM Jeremy <jlrubin@mit.edu> wrote:
> Hi Andrew,
>
> If you use SIGHASH_ALL it shall sign the COutPoints of all inputs which
> commit to the scriptPubKeys of the txn.
>
> Thus the 341 hash doesn't need to sign any additional data.
>
> As a metadata protocol you can provide all input transactions to check the
> scriptPubKeys.
>
> Best,
>
> Jeremy
> --
> @JeremyRubin <https://twitter.com/JeremyRubin>
>
>
> On Thu, Apr 30, 2020 at 1:22 AM Andrew Kozlik via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Hi everyone,
>>
>> In the current draft of BIP-0341 [1] the signature message commits to the
>> scriptPubKey of the output being spent by the input. I propose that the
>> signature message should commit to the scriptPubKeys of *all* transaction
>> inputs.
>>
>> In certain applications like CoinJoin, a wallet has to deal with
>> transactions containing external inputs. To calculate the actual amount
>> that the user is spending, the wallet needs to reliably determine for each
>> input whether it belongs to the wallet or not. Without such a mechanism an
>> adversary can fool the wallet into displaying incorrect information about
>> the amount being spent, which can result in theft of user funds [2].
>>
>> In order to ascertain non-ownership of an input which is claimed to be
>> external, the wallet needs the scriptPubKey of the previous output spent by
>> this input. It must acquire the full transaction being spent and verify its
>> hash against that which is given in the outpoint. This is an obstacle in
>> the implementation of lightweight air-gapped wallets and hardware wallets
>> in general. If the signature message would commit to the scriptPubKeys of
>> all transaction inputs, then the wallet would only need to acquire the
>> scriptPubKey of the output being spent without having to acquire and verify
>> the hash of the entire previous transaction. If an attacker would provide
>> an incorrect scriptPubKey, then that would cause the wallet to generate an
>> invalid signature message.
>>
>> Note that committing only to the scriptPubKey of the output being spent
>> is insufficient for this application, because the scriptPubKeys which are
>> needed to ascertain non-ownership of external inputs are precisely the ones
>> that would not be included in any of the signature messages produced by the
>> wallet.
>>
>> The obvious way to implement this is to add another hash to the signature
>> message:
>> sha_scriptPubKeys (32): the SHA256 of the serialization of all
>> scriptPubKeys of the previous outputs spent by this transaction.
>>
>> Cheers,
>> Andrew Kozlik
>>
>> [1]
>> https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#common-signature-message
>> [2]
>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-August/014843.html
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
--00000000000032446b05a49240de
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">Hi Jeremy,<br><br>What you are saying is correct and I am =
not disputing that there is sufficient cryptographic commitment in the sign=
ature message. As I tried to explain, my proposal is about avoiding the nee=
d for the metadata protocol you speak of. Avoiding such a protocol has been=
a design goal in both BIP-143 [1, 2] and BIP-341 [3, 4], because having to=
acquire each of the transactions being spent in their entirety places a si=
gnificant burden on offline signing devices.<br><br>Cheers,<br>Andrew<br><b=
r>[1] <a href=3D"https://github.com/bitcoin/bips/blob/master/bip-0143.media=
wiki#motivation" target=3D"_blank">https://github.com/bitcoin/bips/blob/mas=
ter/bip-0143.mediawiki#motivation</a><br>[2] <a href=3D"https://bitcointalk=
.org/index.php?topic=3D181734.0" target=3D"_blank">https://bitcointalk.org/=
index.php?topic=3D181734.0</a><br>[3] <a href=3D"https://github.com/bitcoin=
/bips/blob/master/bip-0341.mediawiki#cite_note-16" target=3D"_blank">https:=
//github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#cite_note-16</a><b=
r>[4] <a href=3D"https://github.com/bitcoin/bips/blob/master/bip-0341.media=
wiki#cite_note-17" target=3D"_blank">https://github.com/bitcoin/bips/blob/m=
aster/bip-0341.mediawiki#cite_note-17</a></div><br><div class=3D"gmail_quot=
e"><div dir=3D"ltr" class=3D"gmail_attr">On Fri, May 1, 2020 at 8:56 AM Jer=
emy <<a href=3D"mailto:jlrubin@mit.edu" target=3D"_blank">jlrubin@mit.ed=
u</a>> wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin=
:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"=
><div dir=3D"ltr"><div><div dir=3D"ltr"><div dir=3D"ltr"><div style=3D"font=
-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class=
=3D"gmail_default">Hi Andrew,</div><div style=3D"font-family:arial,helvetic=
a,sans-serif;font-size:small;color:rgb(0,0,0)" class=3D"gmail_default"><br>=
</div><div style=3D"font-family:arial,helvetica,sans-serif;font-size:small;=
color:rgb(0,0,0)" class=3D"gmail_default">If you use SIGHASH_ALL it shall s=
ign the COutPoints of all inputs which commit to the scriptPubKeys of the t=
xn.</div><div style=3D"font-family:arial,helvetica,sans-serif;font-size:sma=
ll;color:rgb(0,0,0)" class=3D"gmail_default"><br></div><div style=3D"font-f=
amily:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class=3D=
"gmail_default">Thus the 341 hash doesn't need to sign any additional d=
ata.</div><div style=3D"font-family:arial,helvetica,sans-serif;font-size:sm=
all;color:rgb(0,0,0)" class=3D"gmail_default"><br></div><div style=3D"font-=
family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class=
=3D"gmail_default">As a metadata protocol you can provide all input transac=
tions to check the scriptPubKeys.</div><div style=3D"font-family:arial,helv=
etica,sans-serif;font-size:small;color:rgb(0,0,0)" class=3D"gmail_default">=
<br></div><div style=3D"font-family:arial,helvetica,sans-serif;font-size:sm=
all;color:rgb(0,0,0)" class=3D"gmail_default">Best,</div><div style=3D"font=
-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class=
=3D"gmail_default"><br></div><div style=3D"font-family:arial,helvetica,sans=
-serif;font-size:small;color:rgb(0,0,0)" class=3D"gmail_default">Jeremy<br>=
</div><div style=3D"font-family:arial,helvetica,sans-serif;font-size:small;=
color:rgb(0,0,0)" class=3D"gmail_default">--</div><a href=3D"https://twitte=
r.com/JeremyRubin" target=3D"_blank">@JeremyRubin</a></div></div></div><br>=
</div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">=
On Thu, Apr 30, 2020 at 1:22 AM Andrew Kozlik via bitcoin-dev <<a href=
=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">bitcoin=
-dev@lists.linuxfoundation.org</a>> wrote:<br></div><blockquote class=3D=
"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(2=
04,204,204);padding-left:1ex"><div dir=3D"ltr">Hi everyone,<br><br>In the c=
urrent draft of BIP-0341 [1] the signature message commits to the scriptPub=
Key of the output being spent by the input. I propose that the signature me=
ssage should commit to the scriptPubKeys of *all* transaction inputs.<br><b=
r>In certain applications like CoinJoin, a wallet has to deal with transact=
ions containing external inputs. To calculate the actual amount that the us=
er is spending, the wallet needs to reliably determine for each input wheth=
er it belongs to the wallet or not. Without such a mechanism an adversary c=
an fool the wallet into displaying incorrect information about the amount b=
eing spent, which can result in theft of user funds [2].<br><br>In order to=
ascertain non-ownership of an input which is claimed to be external, the w=
allet needs the scriptPubKey of the previous output spent by this input. It=
must acquire the full transaction being spent and verify its hash against =
that which is given in the outpoint. This is an obstacle in the implementat=
ion of lightweight air-gapped wallets and hardware wallets in general. If t=
he signature message would commit to the scriptPubKeys of all transaction i=
nputs, then the wallet would only need to acquire the scriptPubKey of the o=
utput being spent without having to acquire and verify the hash of the enti=
re previous transaction. If an attacker would provide an incorrect scriptPu=
bKey, then that would cause the wallet to generate an invalid signature mes=
sage.<br><div><br></div><div>Note that committing only to the scriptPubKey =
of the output being spent is insufficient for this application, because the=
scriptPubKeys which are needed to ascertain non-ownership of external inpu=
ts are precisely the ones that would not be included in any of the signatur=
e messages produced by the wallet.</div><div><br></div>The obvious way to i=
mplement this is to add another hash to the signature message:<br>sha_scrip=
tPubKeys (32): the SHA256 of the serialization of all scriptPubKeys of the =
previous outputs spent by this transaction.<br><div><br></div><div>Cheers,<=
br></div><div>Andrew Kozlik</div><div><br></div>[1] <a href=3D"https://gith=
ub.com/bitcoin/bips/blob/master/bip-0341.mediawiki#common-signature-message=
" target=3D"_blank">https://github.com/bitcoin/bips/blob/master/bip-0341.me=
diawiki#common-signature-message</a><br>[2] <a href=3D"https://lists.linuxf=
oundation.org/pipermail/bitcoin-dev/2017-August/014843.html" target=3D"_bla=
nk">https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-August/014=
843.html</a><br></div>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div>
</blockquote></div>
--00000000000032446b05a49240de--
|
