Hi Jeremy,

What you are saying is correct and I am not disputing that there is sufficient cryptographic commitment in the signature message. As I tried to explain, my proposal is about avoiding the need for the metadata protocol you speak of. Avoiding such a protocol has been a design goal in both BIP-143 [1, 2] and BIP-341 [3, 4], because having to acquire each of the transactions being spent in their entirety places a significant burden on offline signing devices.

Cheers,
Andrew

[1] https://github.com/bitcoin/bips/blob/master/bip-0143.mediawiki#motivation
[2] https://bitcointalk.org/index.php?topic=181734.0
[3] https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#cite_note-16
[4] https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#cite_note-17

On Fri, May 1, 2020 at 8:56 AM Jeremy wrote:
> Hi Andrew,
>
> If you use SIGHASH_ALL it shall sign the COutPoints of all inputs which commit to the scriptPubKeys of the txn.
>
> Thus the 341 hash doesn't need to sign any additional data.
>
> As a metadata protocol you can provide all input transactions to check the scriptPubKeys.
>
> Best,
>
> Jeremy
> --
> @JeremyRubin
>
>
> On Thu, Apr 30, 2020 at 1:22 AM Andrew Kozlik via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Hi everyone,
>>
>> In the current draft of BIP-0341 [1] the signature message commits to the scriptPubKey of the output being spent by the input. I propose that the signature message should commit to the scriptPubKeys of *all* transaction inputs.
>>
>> In certain applications like CoinJoin, a wallet has to deal with transactions containing external inputs. To calculate the actual amount that the user is spending, the wallet needs to reliably determine for each input whether it belongs to the wallet or not. Without such a mechanism an adversary can fool the wallet into displaying incorrect information about the amount being spent, which can result in theft of user funds [2].
>>
>> In order to ascertain non-ownership of an input which is claimed to be external, the wallet needs the scriptPubKey of the previous output spent by this input. It must acquire the full transaction being spent and verify its hash against that which is given in the outpoint. This is an obstacle in the implementation of lightweight air-gapped wallets and hardware wallets in general. If the signature message would commit to the scriptPubKeys of all transaction inputs, then the wallet would only need to acquire the scriptPubKey of the output being spent without having to acquire and verify the hash of the entire previous transaction. If an attacker would provide an incorrect scriptPubKey, then that would cause the wallet to generate an invalid signature message.
>>
>> Note that committing only to the scriptPubKey of the output being spent is insufficient for this application, because the scriptPubKeys which are needed to ascertain non-ownership of external inputs are precisely the ones that would not be included in any of the signature messages produced by the wallet.
>>
>> The obvious way to implement this is to add another hash to the signature message:
>> sha_scriptPubKeys (32): the SHA256 of the serialization of all scriptPubKeys of the previous outputs spent by this transaction.
>>
>> Cheers,
>> Andrew Kozlik
>>
>> [1] https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#common-signature-message
>> [2] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-August/014843.html
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
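The sha_scriptPubKeys commitment proposed in the quoted message, worked through as an added example (this is not code from the thread or from any BIP reference implementation). It assumes each scriptPubKey is serialized as it is inside a CTxOut (CompactSize length prefix plus script bytes), and the keys and amounts are constructed sample values; it shows why a host that lies about an "external" input's scriptPubKey can only make the wallet produce a signature that validators will reject.

```python
import hashlib

def compact_size(n: int) -> bytes:
    # Bitcoin CompactSize (varint) prefix used when a script is serialized in a CTxOut
    if n < 0xfd:
        return bytes([n])
    if n <= 0xffff:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xffffffff:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")

def sha_scriptpubkeys(spent_spks: list[bytes]) -> bytes:
    # Proposed sha_scriptPubKeys: SHA256 over the serialization of every spent output's
    # scriptPubKey, in input order. Assumption: CTxOut-style serialization (length + script).
    return hashlib.sha256(b"".join(compact_size(len(s)) + s for s in spent_spks)).digest()

def p2tr_spk(xonly_pubkey: bytes) -> bytes:
    # Pay-to-taproot scriptPubKey: OP_1 PUSH32 <32-byte x-only output key>
    assert len(xonly_pubkey) == 32
    return b"\x51\x20" + xonly_pubkey

def wallet_amount_spent(own_spks: set[bytes], input_spks: list[bytes], amounts: list[int]) -> int:
    # Amount the wallet believes it is spending, judged only from the scriptPubKeys the
    # host presented for each input (no previous transactions fetched or hashed).
    return sum(a for s, a in zip(input_spks, amounts) if s in own_spks)

# Constructed sample data: two outputs controlled by the wallet, one foreign output key.
WALLET_KEY_A = bytes.fromhex("aa" * 32)
WALLET_KEY_B = bytes.fromhex("bb" * 32)
FOREIGN_KEY = bytes.fromhex("cc" * 32)
OWN_SPKS = {p2tr_spk(WALLET_KEY_A), p2tr_spk(WALLET_KEY_B)}

# What the UTXO set really holds for the transaction's two inputs (validators' view).
TRUE_SPKS = [p2tr_spk(WALLET_KEY_A), p2tr_spk(WALLET_KEY_B)]
AMOUNTS = [100_000, 50_000]
# Host-supplied view that falsely presents input 1 as a CoinJoin partner's coin.
LYING_SPKS = [p2tr_spk(WALLET_KEY_A), p2tr_spk(FOREIGN_KEY)]

def scenario() -> dict:
    # The wallet commits to the digest of the scriptPubKeys it was shown; validators
    # recompute the digest from the real prevouts. A lie about any input changes the
    # committed digest, so the resulting signature cannot be valid on chain.
    committed = sha_scriptpubkeys(LYING_SPKS)
    validator = sha_scriptpubkeys(TRUE_SPKS)
    return {
        "displayed_spent": wallet_amount_spent(OWN_SPKS, LYING_SPKS, AMOUNTS),
        "actual_spent": wallet_amount_spent(OWN_SPKS, TRUE_SPKS, AMOUNTS),
        "signature_valid_on_chain": committed == validator,
    }
```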