📅 Original date posted:2018-11-23
📝 Original message:On Wed, Nov 21, 2018 at 12:15:44PM +0100, Christian Decker via bitcoin-dev wrote:
> One minor thing that I noticed a while ago and that I meant
> to fix on BIP118 is that `hashSequence` does not need to be blanked for
> eltoo to work (since where it is needed we also use `sighash_single`),
> so I'm tempted to remove that redundant blanking. It may not make a lot
> of difference but it'd limit the ability to change the number of inputs
> to a NOINPUT transaction (this now being the only field that commits to
> the set of inputs).
Commiting to just the sequence numbers seems really weird to me; it
only really prevents you from adding inputs, since you could still
replace any input that was meant to be there by almost any arbitrary
other transaction...
I could see this *maybe* making sense if you at least committed to the
values of each input's outpoint; since that would be an actual constraint?
I don't think you can commit to anything else about the other inputs:
-- txids of the other transactions wouldn't work if you had other
NOINPUT txes, and would introduce O(N^2) validation cost if someone
signed every input with NOINPUT but committed to the txids of
every other input
-- scriptPubKeys wouldn't really work for eltoo-like constructions
that want to vary the scripts but apply the same sig, but might
work sometimes?
-- witness scripts for the other inputs could be unknown at your
signing time, or arbitrarily large and thus a pain to have to send
to a hardware wallet
Just treating NOINPUT as a subset of ANYONECANPAY seems simpler to
me though...
> As for your proposal, I really like the `sighash_scriptmask` proposal,
> and committing to the fees (with the `nofee` escape hatch) also works
> seems also a nice fix. My one concern is that introducing a new opcode
> to mask things in the sighash looks like a similar layering violation as
> `codeseparator` was, but that's just a minor issue imho.
I think OP_MASK is okay as far as layering goes, if you just think of it
as a (set of) multibyte "OP_MASKED_PUSH" opcode(s). So when you
pseudocode a script like:
<n> OP_CSV OP_DROP <p> OP_CHECKSIG
and then decide <n> needs to be masked, you rewrite it as:
[n] OP_CSV OP_DROP <p> OP_CHECKSIG
indicating n is masked, and don't worry about the exact bytes that will
encode the push, anymore than you currently worry about whether it's
OP_0, OP_1..16, <1..75>+1..75-bytes, PUSHDATA[1,2,3]+n+n-bytes.
As long as OP_MASK only applies to a PUSH and it's an error for OP_MASK
not to be immediately followed by that PUSH, I think that all works
out fine.
Cheers,
aj
Anthony Towns [ARCHIVE] /
npub17r…x9l2h
2023-06-07 18:15:17
in reply to nevent1q…x2wj
Author Public Key
npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2hPublished at
2023-06-07 18:15:17Event JSON
{
"id": "afa6b9dddb5a9667d94225ce351f44f8604c384b32c4ffe4557cbc595259860e",
"pubkey": "f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab",
"created_at": 1686161717,
"kind": 1,
"tags": [
[
"e",
"1bd7a781e2cfd166ff9a33b1bac5fde47a675384fad1a2f913ed308d62699fea",
"",
"root"
],
[
"e",
"e420d5181141c13e0540537b7fd8b4d2cf4fd5e8db29f68e07c1603f2462bb43",
"",
"reply"
],
[
"p",
"72cd40332ec782dd0a7f63acb03e3b6fdafa6d91bd1b6125cd8b7117a1bb8057"
]
],
"content": "📅 Original date posted:2018-11-23\n📝 Original message:On Wed, Nov 21, 2018 at 12:15:44PM +0100, Christian Decker via bitcoin-dev wrote:\n\u003e One minor thing that I noticed a while ago and that I meant\n\u003e to fix on BIP118 is that `hashSequence` does not need to be blanked for\n\u003e eltoo to work (since where it is needed we also use `sighash_single`),\n\u003e so I'm tempted to remove that redundant blanking. It may not make a lot\n\u003e of difference but it'd limit the ability to change the number of inputs\n\u003e to a NOINPUT transaction (this now being the only field that commits to\n\u003e the set of inputs).\n\nCommiting to just the sequence numbers seems really weird to me; it\nonly really prevents you from adding inputs, since you could still\nreplace any input that was meant to be there by almost any arbitrary\nother transaction...\n\nI could see this *maybe* making sense if you at least committed to the\nvalues of each input's outpoint; since that would be an actual constraint?\n\nI don't think you can commit to anything else about the other inputs:\n\n -- txids of the other transactions wouldn't work if you had other\n NOINPUT txes, and would introduce O(N^2) validation cost if someone\n signed every input with NOINPUT but committed to the txids of\n every other input\n\n -- scriptPubKeys wouldn't really work for eltoo-like constructions\n that want to vary the scripts but apply the same sig, but might\n work sometimes?\n\n -- witness scripts for the other inputs could be unknown at your\n signing time, or arbitrarily large and thus a pain to have to send\n to a hardware wallet\n\nJust treating NOINPUT as a subset of ANYONECANPAY seems simpler to\nme though...\n\n\u003e As for your proposal, I really like the `sighash_scriptmask` proposal,\n\u003e and committing to the fees (with the `nofee` escape hatch) also works\n\u003e seems also a nice fix. My one concern is that introducing a new opcode\n\u003e to mask things in the sighash looks like a similar layering violation as\n\u003e `codeseparator` was, but that's just a minor issue imho.\n\nI think OP_MASK is okay as far as layering goes, if you just think of it\nas a (set of) multibyte \"OP_MASKED_PUSH\" opcode(s). So when you\npseudocode a script like:\n\n \u003cn\u003e OP_CSV OP_DROP \u003cp\u003e OP_CHECKSIG\n\nand then decide \u003cn\u003e needs to be masked, you rewrite it as:\n\n [n] OP_CSV OP_DROP \u003cp\u003e OP_CHECKSIG\n\nindicating n is masked, and don't worry about the exact bytes that will\nencode the push, anymore than you currently worry about whether it's\nOP_0, OP_1..16, \u003c1..75\u003e+1..75-bytes, PUSHDATA[1,2,3]+n+n-bytes.\n\nAs long as OP_MASK only applies to a PUSH and it's an error for OP_MASK\nnot to be immediately followed by that PUSH, I think that all works\nout fine.\n\nCheers,\naj",
"sig": "d6f43b495451331196f1505068fb73d8f36596843e6fcc44f265898e87468f5b1c84bf957edcb8c69bee36bf429d829330d687afe4e9565b802e79a22afac8ab"
}