Hi Jeremy,

What you are saying is correct and I am not disputing that there is sufficient cryptographic commitment in the signature message. As I tried to explain, my proposal is about avoiding the need for the metadata protocol you speak of. Avoiding such a protocol has been a design goal in both BIP-143 [1, 2] and BIP-341 [3, 4], because having to acquire each of the transactions being spent in their entirety places a significant burden on offline signing devices.

Cheers,
Andrew

[1] https://github.com/bitcoin/bips/blob/master/bip-0143.mediawiki#motivation
[2] https://bitcointalk.org/index.php?topic=181734.0
[3] https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#cite_note-16
[4] https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#cite_note-17

On Fri, May 1, 2020 at 8:56 AM Jeremy <jlrubin@mit.edu> wrote:

Hi Andrew,

If you use SIGHASH_ALL it shall sign the COutPoints of all inputs which commit to the scriptPubKeys of the txn.

Thus the 341 hash doesn't need to sign any additional data.

As a metadata protocol you can provide all input transactions to check the scriptPubKeys.

Best,

Jeremy
--
@JeremyRubin

On Thu, Apr 30, 2020 at 1:22 AM Andrew Kozlik via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
Hi everyone,

In the current draft of BIP-0341 [1] the signature message commits to the scriptPubKey of the output being spent by the input. I propose that the signature message should commit to the scriptPubKeys of *all* transaction inputs.

In certain applications like CoinJoin, a wallet has to deal with transactions containing external inputs. To calculate the actual amount that the user is spending, the wallet needs to reliably determine for each input whether it belongs to the wallet or not. Without such a mechanism an adversary can fool the wallet into displaying incorrect information about the amount being spent, which can result in theft of user funds [2].

In order to ascertain non-ownership of an input which is claimed to be external, the wallet needs the scriptPubKey of the previous output spent by this input. It must acquire the full transaction being spent and verify its hash against that which is given in the outpoint. This is an obstacle in the implementation of lightweight air-gapped wallets and hardware wallets in general. If the signature message would commit to the scriptPubKeys of all transaction inputs, then the wallet would only need to acquire the scriptPubKey of the output being spent without having to acquire and verify the hash of the entire previous transaction. If an attacker would provide an incorrect scriptPubKey, then that would cause the wallet to generate an invalid signature message.

Note that committing only to the scriptPubKey of the output being spent is insufficient for this application, because the scriptPubKeys which are needed to ascertain non-ownership of external inputs are precisely the ones that would not be included in any of the signature messages produced by the wallet.

The obvious way to implement this is to add another hash to the signature message:
sha_scriptPubKeys (32): the SHA256 of the serialization of all scriptPubKeys of the previous outputs spent by this transaction.

Cheers,
Andrew Kozlik

[1] https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#common-signature-message
[2] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-August/014843.html
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev