public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Johnson Lau <jl2012@xbt•hk>
To: Pieter Wuille <pieter.wuille@gmail•com>,
	bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Safer sighashes and more granular SIGHASH_NOINPUT
Date: Wed, 28 Nov 2018 16:31:48 +0800	[thread overview]
Message-ID: <8BD44CAB-D590-4B2D-8CB7-9CD6792E5EF9@xbt.hk> (raw)
In-Reply-To: <CAPg+sBiu0BjZEtz-t7m3M+TnAEDG_k1GKtxwkOKh6qrSezUO7g@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 4204 bytes --]



> On 28 Nov 2018, at 11:41 AM, Pieter Wuille via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org> wrote:
> 
> So a combined proposal:
> * All existing sighash flags, plus NOINPUT and MASK
> (ANYONECANPAY/NOINPUT/MASK are encoded in 2 bits).
> * A new opcode called OP_MASKEDPUSH, whose only runtime behaviour is
> failing if not immediately followed by a push, or when appearing as
> last opcode in the script.

I suggest to use the place of OP_RESERVED (0x50) as OP_MASKEDPUSH. The reason is 0x50 is not counted towards the 201 opcode limit, so people could mask as many pushes as needed.

In a new script version, of course, we could make any opcode not being counted. But that would just create another special case in the EvalScript() code.

(Or, maybe we should limit the use of OP_MASKEDPUSH? I think this is open for discussion.)

> * Signatures are 64 plus an optional sighash byte. A missing sighash
> byte implies ALL, and ALL cannot be specified explicitly.
> * The sighash is computed from the following:
>  * A 64-byte constant tag
>  * Data about the spending transaction:
>    * The transaction version number
>    * The hash of txins' prevouts+amounts+sequences (or nothing if ANYONECANPAY)

Do you want to make it 1 hash or 3 hashes? With 3 hashes, it could share hashPrevouts and hashSequence with BIP143. Making everything 1 hash will only result in redundent hashing for each input

>    * The hash of all txouts (or just the corresponding txout if
> SINGLE; nothing if NONE)

Starting from this sighash version, I think we should forbid the use of SINGLE without a matching output. Also, the undefined output type should also be invalid.

>    * The transaction locktime
>  * Data about the output being spent:
>    * The prevout (or nothing if NOINPUT)
>    * The amount
>    * The sequence number
>    * The hash of the scriptPubKey (or nothing if MASK)

I think we should just use the scriptPubKey, since sPK is fixed size (23-byte for p2sh and 35-byte for native segwit).

In order to distinguish p2sh and native segwit for MASKED NOINPUT, you also need to commit to an additional 1-bit value

>  * Data about the script being executed:
>    * The hash of the scriptCode (after masking out, if MASK is set)

For direct key-spending (i.e. not taprooted script), I suggest to set the H(scriptCode) to zero, for the following reasons:
1) Since we have already committed to sPK, which is already a *direct* hash of scriptCode, it is redundant to do it again.
2) This could save one SHA256 compression for direct key-spending, which is probably 90% of all cases
3) This allows hardware wallet to tell whether they are using direct-spending path or taproot script path

Since we may want 3) anyway, we don’t need to commit to another 1-bit value if we simply set H(scriptCode) to zero

We should also ban MASKED NOINPUT for direct-spending, which doesn’t make sense. And it is not safe since both H(scriptCode) and sPK are empty.

>    * The opcode number of the last executed OP_CODESEPARATOR (or
> 0xFFFFFFFF if none)
>  * The sighash mode

This proposal will only use 4 out of the 8 sighash bits. Do we want to make those 4 unused bits invalid, or ignored? Leaving at least 1 bit valid but ignored (“bit-x"), and 1 bit invalid (“bit-y”), will allow opt-in/out hardfork replay-protection, for example:

* default signatures are those with both bit-x and bit-y unset.
* If we want to make default signatures replayable across chains, the new fork should reject signatures with bit-x, and accept sigs with or without bit-y. In this case, defaults sigs are valid for both chains. Sigs with bit-x is valid only for original chain, and sigs with bit-y is valid only for new chain.
* If we want to make default signatures non-replayabble, the new fork should reject all default sigs, but accept sigs with either bit-x or bit-y set. In this case, default sig is valid only for original chain. Sigs with bit-x is valid for both chains, and sigs with bit-y is valid only for new chain.

Replayability is sometimes desirable, for example, an LN opened before a fork should be able to be settled on both chains


[-- Attachment #2: Type: text/html, Size: 23919 bytes --]

  reply	other threads:[~2018-11-28  8:31 UTC|newest]

Thread overview: 55+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-11-19 22:37 Pieter Wuille
2018-11-20 20:29 ` Anthony Towns
2018-11-21 11:20   ` Christian Decker
2018-11-21 17:55   ` Johnson Lau
2018-11-21 11:15 ` Christian Decker
2018-11-23  6:04   ` Anthony Towns
2018-11-23  9:40     ` Christian Decker
2018-11-24  8:13       ` Johnson Lau
2018-11-21 17:07 ` Russell O'Connor
2018-11-22 14:28   ` Johnson Lau
2018-11-22 16:23     ` Russell O'Connor
2018-11-22 20:52       ` Johnson Lau
2018-11-22 22:10         ` Russell O'Connor
2018-11-23 10:47           ` Johnson Lau
2018-11-23  5:03   ` Anthony Towns
2018-11-23 20:18     ` Russell O'Connor
2018-11-28  3:41 ` Pieter Wuille
2018-11-28  8:31   ` Johnson Lau [this message]
2018-11-29 17:00   ` Christian Decker
2018-11-29 18:29     ` Christian Decker
2018-12-06 16:57   ` Russell O'Connor
2018-12-09 19:13     ` Johnson Lau
2018-12-11 22:50       ` Russell O'Connor
2018-12-12 19:53         ` Johnson Lau
2018-12-13 16:50           ` Russell O'Connor
2018-12-13  0:05         ` Anthony Towns
2018-12-13 16:21           ` Russell O'Connor
2018-12-14  0:47             ` Anthony Towns
     [not found]         ` <CAAS2fgRma+Pw-rHJSOKRVBqoxqJ3AxHO9d696fWoa-sb17JEOQ@mail.gmail.com>
2018-12-13 16:34           ` Russell O'Connor
2018-12-09 22:41     ` David A. Harding
2018-12-11 15:36       ` Russell O'Connor
2018-12-11 17:47         ` David A. Harding
2018-12-12  9:42 ` Rusty Russell
2018-12-12 20:00   ` Johnson Lau
2018-12-12 23:49     ` Rusty Russell
2018-12-13  0:37       ` Rusty Russell
2018-12-14  9:30         ` Anthony Towns
2018-12-14 13:55           ` Johnson Lau
2018-12-17  3:10             ` Rusty Russell
2018-12-20 19:34               ` Johnson Lau
2018-12-20 23:17                 ` Rusty Russell
2018-12-21 18:54                   ` Johnson Lau
2018-12-23  4:26                     ` Anthony Towns
2018-12-23 16:33                       ` Johnson Lau
2018-12-24 12:01                         ` ZmnSCPxj
2018-12-24 21:23                           ` Johnson Lau
2018-12-16  6:55           ` Rusty Russell
2018-12-17 19:08             ` Johnson Lau
2018-12-18  4:22               ` Peter Todd
2018-12-19  0:39               ` Rusty Russell
2019-02-09  0:39                 ` Pieter Wuille
2018-12-13  0:24   ` Anthony Towns
2018-11-28  0:54 Bob McElrath
2018-11-28  8:40 ` Johnson Lau
2018-11-28 14:04   ` Bob McElrath

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=8BD44CAB-D590-4B2D-8CB7-9CD6792E5EF9@xbt.hk \
    --to=jl2012@xbt$(echo .)hk \
    --cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
    --cc=pieter.wuille@gmail$(echo .)com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox