1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
Return-Path: <aj@erisian.com.au>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 03D41B12
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 23 Nov 2018 06:04:13 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
Received: from azure.erisian.com.au (cerulean.erisian.com.au [139.162.42.226])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 7D7365E2
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 23 Nov 2018 06:04:12 +0000 (UTC)
Received: from aj@azure.erisian.com.au (helo=sapphire.erisian.com.au)
by azure.erisian.com.au with esmtpsa (Exim 4.89 #1 (Debian))
id 1gQ4ZV-0002gB-1X; Fri, 23 Nov 2018 16:04:10 +1000
Received: by sapphire.erisian.com.au (sSMTP sendmail emulation);
Fri, 23 Nov 2018 16:04:04 +1000
Date: Fri, 23 Nov 2018 16:04:04 +1000
From: Anthony Towns <aj@erisian.com.au>
To: Christian Decker <decker.christian@gmail.com>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Message-ID: <20181123060404.fu4eyzcynbppmjcy@erisian.com.au>
References: <CAPg+sBhuPG-2GXc+Bp0yv5ywry2fk56LPLT4AY0Kcs+YEoz4FA@mail.gmail.com>
<87k1l6d6lb.fsf@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <87k1l6d6lb.fsf@gmail.com>
User-Agent: NeoMutt/20170113 (1.7.2)
X-Spam-Score: -1.9
X-Spam-Score-int: -18
X-Spam-Bar: -
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,UNPARSEABLE_RELAY
autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Sat, 24 Nov 2018 02:17:49 +0000
Subject: Re: [bitcoin-dev] Safer sighashes and more granular SIGHASH_NOINPUT
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Nov 2018 06:04:13 -0000
On Wed, Nov 21, 2018 at 12:15:44PM +0100, Christian Decker via bitcoin-dev wrote:
> One minor thing that I noticed a while ago and that I meant
> to fix on BIP118 is that `hashSequence` does not need to be blanked for
> eltoo to work (since where it is needed we also use `sighash_single`),
> so I'm tempted to remove that redundant blanking. It may not make a lot
> of difference but it'd limit the ability to change the number of inputs
> to a NOINPUT transaction (this now being the only field that commits to
> the set of inputs).
Commiting to just the sequence numbers seems really weird to me; it
only really prevents you from adding inputs, since you could still
replace any input that was meant to be there by almost any arbitrary
other transaction...
I could see this *maybe* making sense if you at least committed to the
values of each input's outpoint; since that would be an actual constraint?
I don't think you can commit to anything else about the other inputs:
-- txids of the other transactions wouldn't work if you had other
NOINPUT txes, and would introduce O(N^2) validation cost if someone
signed every input with NOINPUT but committed to the txids of
every other input
-- scriptPubKeys wouldn't really work for eltoo-like constructions
that want to vary the scripts but apply the same sig, but might
work sometimes?
-- witness scripts for the other inputs could be unknown at your
signing time, or arbitrarily large and thus a pain to have to send
to a hardware wallet
Just treating NOINPUT as a subset of ANYONECANPAY seems simpler to
me though...
> As for your proposal, I really like the `sighash_scriptmask` proposal,
> and committing to the fees (with the `nofee` escape hatch) also works
> seems also a nice fix. My one concern is that introducing a new opcode
> to mask things in the sighash looks like a similar layering violation as
> `codeseparator` was, but that's just a minor issue imho.
I think OP_MASK is okay as far as layering goes, if you just think of it
as a (set of) multibyte "OP_MASKED_PUSH" opcode(s). So when you
pseudocode a script like:
<n> OP_CSV OP_DROP <p> OP_CHECKSIG
and then decide <n> needs to be masked, you rewrite it as:
[n] OP_CSV OP_DROP <p> OP_CHECKSIG
indicating n is masked, and don't worry about the exact bytes that will
encode the push, anymore than you currently worry about whether it's
OP_0, OP_1..16, <1..75>+1..75-bytes, PUSHDATA[1,2,3]+n+n-bytes.
As long as OP_MASK only applies to a PUSH and it's an error for OP_MASK
not to be immediately followed by that PUSH, I think that all works
out fine.
Cheers,
aj
|
