> I don't find too compelling the potential problem of a 'bad wallet
designer', whether lazy or dogmatic, misusing noinput. I think there are
simpler ways to cut corners and there will always be plenty of good
wallet options people can choose.
In my original post, the business that I am talking about don't use "off the shelf" wallet options. It isn't a "let's switch from wallet A to wallet B" kind of situation. Usually this involves design from ground up with security considerations that businesses of scale need to consider (signing procedures and key handling being the most important!).
>Because scripts signed with no_input signatures are only really
exchanged and used for off-chain negotiations, very few should ever
appear on chain. Those that do should represent non-cooperative
situations that involve signing parties who know not to reuse or share
scripts with these public keys again. No third party has any reason to
spend value to a multisignature script they don't control, whether or
not a no_input signature exists for it.
Just because some one is your friend today, doesn't mean they aren't necessarily your adversary tomorrow. I don't think a signature being onchain really matters, as you have to give it to your counterparty regardless. How do you know your counterparty won't replay that SIGHASH_NOINPUT signature later? Offchain protocols shouldn't rely on "good-will" for their counter parties for security.
>As I mentioned before, I don't think the lazy wallet designer advantage
is enough to justify the downsides of chaperone signatures. One
additional downside is the additional code complexity required to flag
whether or not a chaperone output is included. By comparison, the code
changes for creating a no_input digest that skips the prevout and
prevscript parts of a tx is much less intrusive and easier to maintain.
>I want to second this. The most expensive part of wallet design is
engineering time. Writing code that uses a new sighash or a custom
script with a OP_CODE is a very large barrier to use. How many wallets
support multisig or RBF? How much BTC has been stolen over the entire
history of Bitcoin because of sighash SIGHASH_NONE or SIGHASH_SINGLE
vs ECDSA nonce reuse
I actually think lazy wallet designer is a really compelling reason to fix footguns in the bitcoin protocol. Mt Gox is allegedly a product of lazy wallet design. Now we have non-malleable transactions in the form of segwit (yay!) that prevent this exploit. We can wish that the Mt Gox wallet designers were more aware of bitcoin protocol vulnerabilities, but at the end of the day the best thing to do was offering an alternative that circumvents the vulnerability all together.
Ethan made a great point about SIGHASH_NONE or SIGHASH_SINGLE -- which have virtually no use AFAIK -- vs the ECDSA nonce reuse which is used in nearly every transaction. The feature -- ECDSA in this case -- was managed to be done wrong by wallet developers causing fund loss. Unfortunately we can't protect against this type of bug in the protocol.
If things aren't used -- such as SIGHASH_NONE or SIGHASH_SINGLE -- it doesn't matter if they are secure or insecure. I'm hopefully that offchain protocols will achieve wide adoption, and I would hate to see money lost because of this. Even though they aren't used, in my OP I do advocate for fixing these.
> understand the desire to be conservative with protocol changes that
could be misused. However, with just taproot and taproot public key
types the anyprevout functionality is already very opt-in and not
something that might accidentally get used. Belt-and-suspender
protections like chaperone signatures and tagged outputs have their own
impacts on code complexity, on-chain transaction sizes and transaction
anonymity that also must be considered.
I'm making the assumption that the business has decided to use this feature, and in my OP I talk about the engineering decisions that will have to be made support this. I'm hoping the "lazy wallet designers" -- or perhaps people that don't follow bitcoin protocol development as rabidly as us :-) -- can see that nuance.
-Chris