📅 Original date posted:2018-06-06
📝 Original message:What you're saying makes sense.
By the way, an even stronger reason why you shouldn't be able to
"repurpose" just a Graftroot signature as a transaction: You may want
to reveal to others that you've delegated. But if an observer sees the
delegation (literally the Graftroot signature), this observer could
send the Graftroot signature to the network (and lock out the other
delegates and the initial owner). So you would need to keep the
signature itself secret, otherwise we can't call this delegation.
So it may sense to consider the idea of an implicit transaction for the
case when one really solves the delegated script (as you mentioned) but
only in this case.
Tim
On Wed, 2018-06-06 at 10:04 -0700, Pieter Wuille wrote:
> On Wed, Jun 6, 2018 at 5:48 AM, Tim Ruffing via bitcoin-dev
> <bitcoin-dev at lists.linuxfoundation.org> wrote:
> > On Thu, 2018-05-31 at 17:25 -0700, Pieter Wuille via bitcoin-dev
> > wrote:
> > > The best argument for why Graftroot does not need to be optional
> > > I
> > > think was how Greg put it: "since the signer(s) could have signed
> > > an
> > > arbitrary transaction instead, being able to delegate is strictly
> > > less
> > > powerful.".
>
> ...
>
> > So
> > I think Graftroot delegation is not "strictly less powerful" than
> > just
> > using a normal transaction: Graftroot enables to delegate in a way
> > such
> > that the delegation itself cannot be fixed in the chain. I think
> > this
> > is not possible currently. (Okay, you can just pass around the
> > secret
> > keys but has other problems obviously).
> >
> > Does this have practical implications?
> > I don't see any but maybe this helps someone to identify an
> > undesirable
> > implication.
>
> Interesting point; I don't see any relevant implications to this
> either, but it's indeed good to point out this as a distinction.
>
> > One way to be on the safe side and probably make Greg's argument go
> > through is to just define the semantics such that (*) is allowed,
> > i.e.,
> > call g-sig a "Graftroot transaction" and give it transaction
> > semantics.
> > This provides a new perspective on Graftroot: Then Graftroot does
> > not
> > introduce new semantics but (*) is just an optimized version of
> > (**)
> > that uses fewer bytes and may be better for privacy.
>
> So you're saying: the Graftroot signature data could be made
> identical
> to the signature hash of an implicit 1-input-1-output transaction
> spending the coin and creating a new output with the delegated script
> as sPK, and the same amount.
>
> I like that idea, but I don't think it can be *exactly* that. If it's
> possible to take a Graftroot signature and instead construct a
> transaction with it, you have inherently introduced a malleability.
> The created outpoint will be different in both cases (different
> txid),
> meaning that a chain of dependent unconfirmed transactions may be
> broken by giving one participant the ability to choose between
> Graftroot delegation or actual spending.
>
> Two points here: (1) the implicit transaction would be 0 fee (unless
> we somehow assign a portion of the fee to the delegation itself for
> purposes of sighash computing), and (2) this sounds very similar to
> the issue SIGHASH_NOINPUT is intended to solve. About that...
>
> > Interestingly Andrew's blind-sig example and Johnson's fix (g-sig
> > signs
> > the outpoint) are just a special case. If g-sig has transaction
> > semantics, it must sign the outpoint (and other stuff).
>
> You're right when you're comparing with existing transaction sighash
> semantics, but not when SIGHASH_NOINPUT would exist. If that were the
> case, the only real difference is your point above of not being able
> to commit the implicit transaction separately. In other words, we're
> back to something Johnson pointed out earlier: some of the perceived
> problems with Graftroot are also issues with SIGHASH_NOINPUT.
>
> I wonder if we can make this explicit: Graftroot spending becomes a
> special sighash flag (which possibly is only allowed at the top
> level)
> - it builds an implicit transaction which moves all the coins to a
> newly provided script, computes the sighash of that transaction
> (taking all of the Graftroot signature's sighash flags into account -
> including potentially SIGHASH_NOINPUT), and requires a signature with
> that. The delegated script is then evaluated in the context of that
> implicit transaction.
>
> However, in order to avoid the malleability issue I think the actual
> signature should still be different - possibly by simply passing
> through the Graftroot sighash flag into the sighash being computed.
>
> Cheers,
>
Tim Ruffing [ARCHIVE] /
npub1cm…dwkls
2023-06-07 18:12:35
in reply to nevent1q…v6cu
Author Public Key
npub1cmt6gqyfw3sdngkq0wadtpe3kmgyyeld6ad0g2h5tar3kpzcrmpqddwklsPublished at
2023-06-07 18:12:35Event JSON
{
"id": "708146e687bce3463f769203defac8def9ddeade56350cfd07fc6fea6338b20e",
"pubkey": "c6d7a400897460d9a2c07bbad58731b6d04267edd75af42af45f471b04581ec2",
"created_at": 1686161555,
"kind": 1,
"tags": [
[
"e",
"b8d21356ac8a10082114550dc3d2c1af06da210e5c5c2a26406117c66617fb3a",
"",
"root"
],
[
"e",
"1b8d617ae90b9bf382fa2d4dccf11c15094b4b6ad0c01fa7e406fb042fbe7584",
"",
"reply"
],
[
"p",
"5cb21bf5d7f25a9d46879713cbd32433bbc10e40ef813a3c28fe7355f49854d6"
]
],
"content": "📅 Original date posted:2018-06-06\n📝 Original message:What you're saying makes sense.\n\nBy the way, an even stronger reason why you shouldn't be able to\n\"repurpose\" just a Graftroot signature as a transaction: You may want\nto reveal to others that you've delegated. But if an observer sees the\ndelegation (literally the Graftroot signature), this observer could\nsend the Graftroot signature to the network (and lock out the other\ndelegates and the initial owner). So you would need to keep the\nsignature itself secret, otherwise we can't call this delegation.\n\nSo it may sense to consider the idea of an implicit transaction for the\ncase when one really solves the delegated script (as you mentioned) but\nonly in this case.\n\nTim\n\n\nOn Wed, 2018-06-06 at 10:04 -0700, Pieter Wuille wrote:\n\u003e On Wed, Jun 6, 2018 at 5:48 AM, Tim Ruffing via bitcoin-dev\n\u003e \u003cbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\u003e \u003e On Thu, 2018-05-31 at 17:25 -0700, Pieter Wuille via bitcoin-dev\n\u003e \u003e wrote:\n\u003e \u003e \u003e The best argument for why Graftroot does not need to be optional\n\u003e \u003e \u003e I\n\u003e \u003e \u003e think was how Greg put it: \"since the signer(s) could have signed\n\u003e \u003e \u003e an\n\u003e \u003e \u003e arbitrary transaction instead, being able to delegate is strictly\n\u003e \u003e \u003e less\n\u003e \u003e \u003e powerful.\".\n\u003e \n\u003e ...\n\u003e \n\u003e \u003e So\n\u003e \u003e I think Graftroot delegation is not \"strictly less powerful\" than\n\u003e \u003e just\n\u003e \u003e using a normal transaction: Graftroot enables to delegate in a way\n\u003e \u003e such\n\u003e \u003e that the delegation itself cannot be fixed in the chain. I think\n\u003e \u003e this\n\u003e \u003e is not possible currently. (Okay, you can just pass around the\n\u003e \u003e secret\n\u003e \u003e keys but has other problems obviously).\n\u003e \u003e \n\u003e \u003e Does this have practical implications?\n\u003e \u003e I don't see any but maybe this helps someone to identify an\n\u003e \u003e undesirable\n\u003e \u003e implication.\n\u003e \n\u003e Interesting point; I don't see any relevant implications to this\n\u003e either, but it's indeed good to point out this as a distinction.\n\u003e \n\u003e \u003e One way to be on the safe side and probably make Greg's argument go\n\u003e \u003e through is to just define the semantics such that (*) is allowed,\n\u003e \u003e i.e.,\n\u003e \u003e call g-sig a \"Graftroot transaction\" and give it transaction\n\u003e \u003e semantics.\n\u003e \u003e This provides a new perspective on Graftroot: Then Graftroot does\n\u003e \u003e not\n\u003e \u003e introduce new semantics but (*) is just an optimized version of\n\u003e \u003e (**)\n\u003e \u003e that uses fewer bytes and may be better for privacy.\n\u003e \n\u003e So you're saying: the Graftroot signature data could be made\n\u003e identical\n\u003e to the signature hash of an implicit 1-input-1-output transaction\n\u003e spending the coin and creating a new output with the delegated script\n\u003e as sPK, and the same amount.\n\u003e \n\u003e I like that idea, but I don't think it can be *exactly* that. If it's\n\u003e possible to take a Graftroot signature and instead construct a\n\u003e transaction with it, you have inherently introduced a malleability.\n\u003e The created outpoint will be different in both cases (different\n\u003e txid),\n\u003e meaning that a chain of dependent unconfirmed transactions may be\n\u003e broken by giving one participant the ability to choose between\n\u003e Graftroot delegation or actual spending.\n\u003e \n\u003e Two points here: (1) the implicit transaction would be 0 fee (unless\n\u003e we somehow assign a portion of the fee to the delegation itself for\n\u003e purposes of sighash computing), and (2) this sounds very similar to\n\u003e the issue SIGHASH_NOINPUT is intended to solve. About that...\n\u003e \n\u003e \u003e Interestingly Andrew's blind-sig example and Johnson's fix (g-sig\n\u003e \u003e signs\n\u003e \u003e the outpoint) are just a special case. If g-sig has transaction\n\u003e \u003e semantics, it must sign the outpoint (and other stuff).\n\u003e \n\u003e You're right when you're comparing with existing transaction sighash\n\u003e semantics, but not when SIGHASH_NOINPUT would exist. If that were the\n\u003e case, the only real difference is your point above of not being able\n\u003e to commit the implicit transaction separately. In other words, we're\n\u003e back to something Johnson pointed out earlier: some of the perceived\n\u003e problems with Graftroot are also issues with SIGHASH_NOINPUT.\n\u003e \n\u003e I wonder if we can make this explicit: Graftroot spending becomes a\n\u003e special sighash flag (which possibly is only allowed at the top\n\u003e level)\n\u003e - it builds an implicit transaction which moves all the coins to a\n\u003e newly provided script, computes the sighash of that transaction\n\u003e (taking all of the Graftroot signature's sighash flags into account -\n\u003e including potentially SIGHASH_NOINPUT), and requires a signature with\n\u003e that. The delegated script is then evaluated in the context of that\n\u003e implicit transaction.\n\u003e \n\u003e However, in order to avoid the malleability issue I think the actual\n\u003e signature should still be different - possibly by simply passing\n\u003e through the Graftroot sighash flag into the sighash being computed.\n\u003e \n\u003e Cheers,\n\u003e",
"sig": "4a988db7e0020ee046ec23f3180e657a5a187c8b235841b8c56b077aaa06742a72dd225c899a065901192b661357ee2620fc9c6c91d2f1180d7f0ac24dd9a3d5"
}