π
Original date posted:2020-05-05
π Original message:This is a reasonable suggestion. Committing to every spent scriptPubKey and
therefore every element of the TxOut instead of just the amount makes sense
conceptually. And it would be a small diff (~4 lines + rationale) compared to
the current bip-taproot version.
As far aas I understand, coinjoin with offline signers would be substantially
harder without this proposal. There is a WIP "SLIP" that helped me understand
how the Proof of Ownership would work [0]. For every input, the offline signing
device verifies a signature against the corresponding scriptPubKey. In order to
obtain the correct scriptPubKey, sending the whole input transaction to the
signing device is prohibitive when the available bandwidth is low (QR codes).
The idea of only sending the transaction midstate along with the rest of
to-be-hashed transaction data is an improvement, but still results in a lot of
data (whole vout and witness stacks). Adding a new sighash flag that marks
coinjoin transactions would be a step backwards fungibility-wise.
Thus, the same reasoning for for committing to the input values in the
transaction digest to allow compact fee proofs would similarly apply the
scriptPubKeys - with the only difference that coinjoins with offline signers are
less common.
The downsides of this proposal seem to be limited. It requires additional
review, but the BIP is only in the draft stage and should incorporate reasonable
feedback. It does not invite further scope creep because the full TxOut would be
already included. The costs to verifiers is only slightly increased using
Anthony Town's suggested sighash change. Availability of the scriptPubKeys for
signing devices does not seem to be an issue because the input amounts are
already required. And if all inputs belong to the signing device, there's no
additional data sent to the device.
[0] https://github.com/satoshilabs/slips/blob/slips-19-20-coinjoin-proofs/slip-0019.md
On 4/29/20 2:57 PM, Andrew Kozlik via bitcoin-dev wrote:
> Hi everyone,
>
> In the current draft of BIP-0341 [1] the signature message commits to the
> scriptPubKey of the output being spent by the input. I propose that the
> signature message should commit to the scriptPubKeys of *all* transaction
> inputs.
>
> In certain applications like CoinJoin, a wallet has to deal with
> transactions containing external inputs. To calculate the actual amount
> that the user is spending, the wallet needs to reliably determine for each
> input whether it belongs to the wallet or not. Without such a mechanism an
> adversary can fool the wallet into displaying incorrect information about
> the amount being spent, which can result in theft of user funds [2].
>
> In order to ascertain non-ownership of an input which is claimed to be
> external, the wallet needs the scriptPubKey of the previous output spent by
> this input. It must acquire the full transaction being spent and verify its
> hash against that which is given in the outpoint. This is an obstacle in
> the implementation of lightweight air-gapped wallets and hardware wallets
> in general. If the signature message would commit to the scriptPubKeys of
> all transaction inputs, then the wallet would only need to acquire the
> scriptPubKey of the output being spent without having to acquire and verify
> the hash of the entire previous transaction. If an attacker would provide
> an incorrect scriptPubKey, then that would cause the wallet to generate an
> invalid signature message.
>
> Note that committing only to the scriptPubKey of the output being spent is
> insufficient for this application, because the scriptPubKeys which are
> needed to ascertain non-ownership of external inputs are precisely the ones
> that would not be included in any of the signature messages produced by the
> wallet.
>
> The obvious way to implement this is to add another hash to the signature
> message:
> sha_scriptPubKeys (32): the SHA256 of the serialization of all
> scriptPubKeys of the previous outputs spent by this transaction.
>
> Cheers,
> Andrew Kozlik
>
> [1]
> https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#common-signature-message
> [2]
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-August/014843.html
>
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
Jonas Nick [ARCHIVE] /
npub1atβ¦y3z5a
2023-06-07 18:24:14
in reply to nevent1qβ¦v7gv
Author Public Key
npub1at3pav59gkeqz9kegzqhk2v4j4r435x42ytf23pxs8crt74tuc8s2y3z5aPublished at
2023-06-07 18:24:14Event JSON
{
"id": "a0cc1f61d47187cea7c11242ac6314107ee3d1182217d912cf73185a7dbf8e41",
"pubkey": "eae21eb28545b20116d940817b2995954758d0d5511695442681f035faabe60f",
"created_at": 1686162254,
"kind": 1,
"tags": [
[
"e",
"b038cfdcd779323d1d245efaea012a124e2525ce8c4fab0b380bf396641449b0",
"",
"root"
],
[
"e",
"a1b7940d15613e210c7109353aaacb53a1e6844163827a83b97eac15603c83de",
"",
"reply"
],
[
"p",
"d3574a24208f4e3d0821bb4a69a0c3ae842043d444fa5c4a8c49c369918a6fb2"
]
],
"content": "π
Original date posted:2020-05-05\nπ Original message:This is a reasonable suggestion. Committing to every spent scriptPubKey and\ntherefore every element of the TxOut instead of just the amount makes sense\nconceptually. And it would be a small diff (~4 lines + rationale) compared to\nthe current bip-taproot version.\n\nAs far aas I understand, coinjoin with offline signers would be substantially\nharder without this proposal. There is a WIP \"SLIP\" that helped me understand\nhow the Proof of Ownership would work [0]. For every input, the offline signing\ndevice verifies a signature against the corresponding scriptPubKey. In order to\nobtain the correct scriptPubKey, sending the whole input transaction to the\nsigning device is prohibitive when the available bandwidth is low (QR codes).\nThe idea of only sending the transaction midstate along with the rest of\nto-be-hashed transaction data is an improvement, but still results in a lot of\ndata (whole vout and witness stacks). Adding a new sighash flag that marks\ncoinjoin transactions would be a step backwards fungibility-wise.\n\nThus, the same reasoning for for committing to the input values in the\ntransaction digest to allow compact fee proofs would similarly apply the\nscriptPubKeys - with the only difference that coinjoins with offline signers are\nless common.\n\nThe downsides of this proposal seem to be limited. It requires additional\nreview, but the BIP is only in the draft stage and should incorporate reasonable\nfeedback. It does not invite further scope creep because the full TxOut would be\nalready included. The costs to verifiers is only slightly increased using\nAnthony Town's suggested sighash change. Availability of the scriptPubKeys for\nsigning devices does not seem to be an issue because the input amounts are\nalready required. And if all inputs belong to the signing device, there's no\nadditional data sent to the device.\n\n[0] https://github.com/satoshilabs/slips/blob/slips-19-20-coinjoin-proofs/slip-0019.md\n\n\nOn 4/29/20 2:57 PM, Andrew Kozlik via bitcoin-dev wrote:\n\u003e Hi everyone,\n\u003e \n\u003e In the current draft of BIP-0341 [1] the signature message commits to the\n\u003e scriptPubKey of the output being spent by the input. I propose that the\n\u003e signature message should commit to the scriptPubKeys of *all* transaction\n\u003e inputs.\n\u003e \n\u003e In certain applications like CoinJoin, a wallet has to deal with\n\u003e transactions containing external inputs. To calculate the actual amount\n\u003e that the user is spending, the wallet needs to reliably determine for each\n\u003e input whether it belongs to the wallet or not. Without such a mechanism an\n\u003e adversary can fool the wallet into displaying incorrect information about\n\u003e the amount being spent, which can result in theft of user funds [2].\n\u003e \n\u003e In order to ascertain non-ownership of an input which is claimed to be\n\u003e external, the wallet needs the scriptPubKey of the previous output spent by\n\u003e this input. It must acquire the full transaction being spent and verify its\n\u003e hash against that which is given in the outpoint. This is an obstacle in\n\u003e the implementation of lightweight air-gapped wallets and hardware wallets\n\u003e in general. If the signature message would commit to the scriptPubKeys of\n\u003e all transaction inputs, then the wallet would only need to acquire the\n\u003e scriptPubKey of the output being spent without having to acquire and verify\n\u003e the hash of the entire previous transaction. If an attacker would provide\n\u003e an incorrect scriptPubKey, then that would cause the wallet to generate an\n\u003e invalid signature message.\n\u003e \n\u003e Note that committing only to the scriptPubKey of the output being spent is\n\u003e insufficient for this application, because the scriptPubKeys which are\n\u003e needed to ascertain non-ownership of external inputs are precisely the ones\n\u003e that would not be included in any of the signature messages produced by the\n\u003e wallet.\n\u003e \n\u003e The obvious way to implement this is to add another hash to the signature\n\u003e message:\n\u003e sha_scriptPubKeys (32): the SHA256 of the serialization of all\n\u003e scriptPubKeys of the previous outputs spent by this transaction.\n\u003e \n\u003e Cheers,\n\u003e Andrew Kozlik\n\u003e \n\u003e [1]\n\u003e https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#common-signature-message\n\u003e [2]\n\u003e https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-August/014843.html\n\u003e \n\u003e \n\u003e _______________________________________________\n\u003e bitcoin-dev mailing list\n\u003e bitcoin-dev at lists.linuxfoundation.org\n\u003e https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev\n\u003e",
"sig": "ed0ba83179a95297238cc9eeb5028276733c389d8a88fe979034129e43ec4d2168bd8f25ae04fa1603b3090606818e68c0fac85ca5b9aa609410ccd45fb3c6a7"
}