From: Anthony Towns <aj@erisian•com.au>
To: Pieter Wuille <pieter.wuille@gmail•com>,
Bitcoin Protocol Discussion
<bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Should Graftroot be optional?
Date: Wed, 27 Jun 2018 17:29:09 +1000 [thread overview]
Message-ID: <20180627072909.5hqnl4kfrnqfvhc4@erisian.com.au> (raw)
In-Reply-To: <CAPg+sBgEUV5KNFi1L4MhR-3KAX9gbQKdzWneaEzF+QsKSXYu8A@mail.gmail.com>
On Thu, May 31, 2018 at 05:25:04PM -0700, Pieter Wuille via bitcoin-dev wrote:
> The best argument for why Graftroot does not need to be optional I
> think was how Greg put it: "since the signer(s) could have signed an
> arbitrary transaction instead, being able to delegate is strictly less
> powerful.".
This seems persuasive to me. I think you could implement graftroot in
a way that makes this explicit:
* A graftroot input has >=2 items on the witness stack, a signature,
a script (S), and possibly witness elements for the script. The
signature has a SIGHASH_GRAFTROOT bit set.
* To validate the signature, a virtual transaction is constructed:
nVersion = 1
locktime = 0
inputs = [(txhash, txoutidx, 0, "", 0xffffffff)]
outputs = [(txvalue, len(S), S)]
locktime = 0
The signature is then checked against the virtual transaction.
* If the signature is valid, the virtual transaction is discarded, and
the script and witness elements are checked against the original tx.
I think this approach (or one like it) would make it clear that
graftroot is a simple optimisation, rather than changing the security
parameters. Some caveats:
* You'd presumably want to disallow signatures with SIGHASH_GRAFTROOT
from being used in signatures in scripts, so as not to end up having
to support recursive graftroot.
* Checking the script/witness against the original transaction instead
of the virtual one cheats a bit, but something like it is necessary
to ensure locktime/csv checks in the script S behave sanely. You
could have the virtual transaction be treated as being confirmed in
the same block as the original transaction instead though, I think.
* You would need to use SIGHASH_NOINPUT (or similar) in conjuction
to allow graftroot delegation prior to constructing the tx (otherwise
the signature would be committing to txhash/txoutidx). BIP118 would
still commit to txvalue, but would otherwise work fine, I think.
Cheers,
aj
prev parent reply other threads:[~2018-06-27 7:29 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-22 18:17 Pieter Wuille
2018-05-23 6:15 ` ZmnSCPxj
2018-05-23 13:50 ` Andrew Poelstra
2018-05-23 17:52 ` Andrew Poelstra
2018-05-25 9:46 ` Johnson Lau
2018-05-23 22:06 ` Natanael
2018-05-23 23:45 ` Gregory Maxwell
2018-05-24 9:32 ` Natanael
2018-05-24 1:58 ` Pieter Wuille
2018-05-24 2:08 ` Gregory Maxwell
2018-05-24 9:44 ` Natanael
2018-05-24 12:39 ` Andrew Poelstra
2018-05-25 10:14 ` Johnson Lau
2018-06-01 0:25 ` Pieter Wuille
2018-06-06 12:48 ` Tim Ruffing
2018-06-06 17:04 ` Pieter Wuille
2018-06-06 21:25 ` Tim Ruffing
2018-06-20 12:12 ` ZmnSCPxj
2018-06-20 14:30 ` Gregory Maxwell
2018-06-21 7:09 ` ZmnSCPxj
2018-06-27 7:29 ` Anthony Towns [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180627072909.5hqnl4kfrnqfvhc4@erisian.com.au \
--to=aj@erisian$(echo .)com.au \
--cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
--cc=pieter.wuille@gmail$(echo .)com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox