📅 Original date posted:2018-12-18
📝 Original message:Johnson Lau <jl2012 at xbt.hk> writes:
>> On 16 Dec 2018, at 2:55 PM, Rusty Russell via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org> wrote:
>>
>> Anthony Towns via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org> writes:
>>> On Thu, Dec 13, 2018 at 11:07:28AM +1030, Rusty Russell via bitcoin-dev wrote:
>>>> And is it worthwhile doing the mask complexity, rather than just
>>>> removing the commitment to script with NOINPUT? It *feels* safer to
>>>> restrict what scripts we can sign, but is it?
>>>
>>> If it's not safer in practice, we've spent a little extra complexity
>>> committing to a subset of the script in each signature to no gain. If
>>> it is safer in practice, we've prevented people from losing funds. I'm
>>> all for less complexity, but not for that tradeoff.
>>
>> There are many complexities we could add, each of which would prevent
>> loss of funds in some theoretical case.
>
> Every security measures are overkill, until someone get burnt. If these security measures are really effective, no one will get burnt. The inevitable conclusion is: every effective security measures are overkill.
>
>>
>> From practical experience; reuse of private keys between lightning and
>> other things is not how people will lose funds[1].
>
> So you argument seems just begging the question. Without NOINPUT, it is just impossible to lose money by key reuse, and this is exactly the topic we are debating.
I think we're getting confused here. I'm contributing my thoughts from
the lightning implementer's point of view; there are other important
considerations, but this is my contribution.
In *lightning* there are more ways to lose funds via secret reuse.
Meanwhile, both SIGHASH_NOINPUT and OP_MASK have the reuse-is-dangerous
property; with OP_MASK the danger is limited to reuse-on-the-same-script
(ie. if you use the same key for a non-lightning output and a lightning
output, you're safe with OP_MASK. However, this is far less likely in
practice).
I state again: OP_MASK doesn't seem to gain *lightning* any significant
security benefit.
> It does not need to be something like GetMaskedScript(GetScriptCodeForMultiSig()). After all, only a very small number of script templates really need NOINPUT. A GetMaskedScript() in a wallet is just an overkill (and a vulnerability if mis-implemented)
Our current transaction signing code is quite generic (and, if I may say
so, readable and elegant). We could, of course, special case
GetMaskedScript() for the case we need (the Eltoo examples I've seen
have a single OP_MASK at the front, which makes it trivial).
> It’s also about functionality here: as I mentioned in another reply, OP_CODESEPARATOR couldn’t function properly with NOINPUT but without OP_MASKEDPUSH
The mailing list seems a bit backed up or something; I replied to that
in the hope you can clear my confusion on that one.
> This debate happens because NOINPUT introduces the third way to lose fund with key reuse. And once it is deployed, we have to support it forever, and is not something that we could softfork it away.
A would use the same words to encourage you to create the simplest
possible implementation?
I don't think we disagree on philosophy, just trade-offs. And that's
OK.
Cheers,
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-07 18:15:41
in reply to nevent1q…a0qx
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-07 18:15:41Event JSON
{
"id": "9256b9dc8309c20e35e689335c4d593e5af094e349e7a2d4bc50f668cd81b969",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686161741,
"kind": 1,
"tags": [
[
"e",
"77c824d861e497590991b7dc940a75787db11a7b2eab6adcf5563d0847a4df18",
"",
"root"
],
[
"e",
"21fd0786a54804cf66562ad1f3c1608aa11296adda4e55514c0ab7a4dbc896b4",
"",
"reply"
],
[
"p",
"daa2fc676a25e3b5b45644540bcbd1e1168b111427cd0e3cf19c56194fb231aa"
]
],
"content": "📅 Original date posted:2018-12-18\n📝 Original message:Johnson Lau \u003cjl2012 at xbt.hk\u003e writes:\n\u003e\u003e On 16 Dec 2018, at 2:55 PM, Rusty Russell via bitcoin-dev \u003cbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\u003e\u003e \n\u003e\u003e Anthony Towns via bitcoin-dev \u003cbitcoin-dev at lists.linuxfoundation.org\u003e writes:\n\u003e\u003e\u003e On Thu, Dec 13, 2018 at 11:07:28AM +1030, Rusty Russell via bitcoin-dev wrote:\n\u003e\u003e\u003e\u003e And is it worthwhile doing the mask complexity, rather than just\n\u003e\u003e\u003e\u003e removing the commitment to script with NOINPUT? It *feels* safer to\n\u003e\u003e\u003e\u003e restrict what scripts we can sign, but is it?\n\u003e\u003e\u003e \n\u003e\u003e\u003e If it's not safer in practice, we've spent a little extra complexity\n\u003e\u003e\u003e committing to a subset of the script in each signature to no gain. If\n\u003e\u003e\u003e it is safer in practice, we've prevented people from losing funds. I'm\n\u003e\u003e\u003e all for less complexity, but not for that tradeoff.\n\u003e\u003e \n\u003e\u003e There are many complexities we could add, each of which would prevent\n\u003e\u003e loss of funds in some theoretical case.\n\u003e\n\u003e Every security measures are overkill, until someone get burnt. If these security measures are really effective, no one will get burnt. The inevitable conclusion is: every effective security measures are overkill.\n\u003e\n\u003e\u003e \n\u003e\u003e From practical experience; reuse of private keys between lightning and\n\u003e\u003e other things is not how people will lose funds[1].\n\u003e\n\u003e So you argument seems just begging the question. Without NOINPUT, it is just impossible to lose money by key reuse, and this is exactly the topic we are debating.\n\nI think we're getting confused here. I'm contributing my thoughts from\nthe lightning implementer's point of view; there are other important\nconsiderations, but this is my contribution.\n\nIn *lightning* there are more ways to lose funds via secret reuse.\n\nMeanwhile, both SIGHASH_NOINPUT and OP_MASK have the reuse-is-dangerous\nproperty; with OP_MASK the danger is limited to reuse-on-the-same-script\n(ie. if you use the same key for a non-lightning output and a lightning\noutput, you're safe with OP_MASK. However, this is far less likely in\npractice).\n\nI state again: OP_MASK doesn't seem to gain *lightning* any significant\nsecurity benefit.\n\n\u003e It does not need to be something like GetMaskedScript(GetScriptCodeForMultiSig()). After all, only a very small number of script templates really need NOINPUT. A GetMaskedScript() in a wallet is just an overkill (and a vulnerability if mis-implemented) \n\nOur current transaction signing code is quite generic (and, if I may say\nso, readable and elegant). We could, of course, special case\nGetMaskedScript() for the case we need (the Eltoo examples I've seen\nhave a single OP_MASK at the front, which makes it trivial).\n\n\u003e It’s also about functionality here: as I mentioned in another reply, OP_CODESEPARATOR couldn’t function properly with NOINPUT but without OP_MASKEDPUSH\n\nThe mailing list seems a bit backed up or something; I replied to that\nin the hope you can clear my confusion on that one.\n\n\u003e This debate happens because NOINPUT introduces the third way to lose fund with key reuse. And once it is deployed, we have to support it forever, and is not something that we could softfork it away.\n\nA would use the same words to encourage you to create the simplest\npossible implementation?\n\nI don't think we disagree on philosophy, just trade-offs. And that's\nOK.\n\nCheers,\nRusty.",
"sig": "40e0ce4982f8661ec768a15e1dd23f94a8d4cec040d8dc1d55a91dad4c2058fd3d6a51c1bfa39493a66662f1bc0255db6287060676d9eec14b71587cd1d569b6"
}