📅 Original date posted:2018-05-04
📝 Original message:ZmnSCPxj <ZmnSCPxj at protonmail.com> writes:
> It seems to me, that `SIGHASH_NOINPUT` may help make some protocol
> integrate better with existing wallets.
Depends on which end of a transaction the existing wallet is: existing
wallets will refuse to sign a transaction with an unknown sighash flag,
but if the wallet is creating the output that'll later be spent using a
`SIGHASH_NOINPUT` transaction it won't (and shouldn't) care.
> I remember vaguely that `SIGHASH_NOINPUT` was also mentioned before in
> LN discussions, when the issue of transaction malleation was
> considered (before SegWit, being totally uncontroversial, was
> massively adopted). The sketch below, I believe, is somewhat
> consistent with how it could have been used in funding a channel.
I consider `SIGHASH_NOINPUT` to be a poor-man's malleability fix, since
it comes with some baggage. Without trying to undermine my own proposal,
but address reuse in combination with binding through script, can lead
to very unexpected results. You need to be very careful about where you
allow rebinding, hence the warnings in the proposal.
> Consider a CoinSwap protocol. Each side writes a transaction that
> pays out to an ordinary 2-of-2 multisig address. But before each side
> writes and signs that transaction, it first demands a timelocked
> backout transaction to let them recover their own funds in case it
> falls through (more generally, every offchain protocol has a similar
> setup stage where some way to back out is signed before all parties
> enter into the contract).
>
> ...
>
> With `SIGHASH_NOINPUT`, we can indeed implement such a walletless
> CoinSwap (or other protocol) software. We only need to provide the
> public keys that will be used in the initial 2-of-2, and the other
> side can create a signature with `SIGHASH_NOINPUT` flag.
I was wondering whether we could actually skip one communication round
w.r.t. the previously described CoinSwap protocol, but it turns out we
need to at least exchange public keys before actually moving any
funds. Would have been nice to do spontaneous CoinSwaps.
> The setup of the CoinSwap then goes this way. The swapping nodes
> exchange public keys (two for each side in this case), they agree on
> who gets to move first in the swap and who generates the preimage, and
> then they agree on what the backout transactions look like (in
> particular, they agree on the address the backout transactions spend)
> and create signatures, with `SIGHASH_NOINPUT`. In particular, the
> signatures do not commit to the txid of the transaction that they
> authorize spending. The CoinSwap sofwares then turn around to their
> users and say "okay, send to this address", the users initiate the
> swap using their normal wallet software, the CoinSwap software
> monitors only the address it asked the user to use, then when it
> appears onchain (the CoinSwap software does not even need to track the
> mempool) it continues with the HTLC offers and preimage exchanges
> until the protocol completes.
>
> In a world where walletless CoinSwap exists, consider this:
>
> 1. A user buys Bitcoin from an exchange. The exchange operates a
> wallet which they credit when the user buys Bitcoin.
> 2. The user starts a CoinSwap, giving the destination address from
> their cold-storage wallet.
> 3. The CoinSwap tells the user an address to send to. The user
> withdraws money from the exchange using that address as destination (1
> transaction)
> 4. The user waits for the CoinSwap to finish, which causes the funds
> to appear in their cold-storage wallet (1 transaction).
>
> If CoinSwap implementations all needed their own wallets, then instead:
>
> 1. A user buys Bitcoin from an exchange.
> 2. The user withdraws the funds from the exchange to a CoinSwap
> implementation wallet (1 transaction).
> 3. The user performs a CoinSwap which goes back to the CoinSwap
> implementation wallet (2 transactions).
> 4. The user sends from the CoinSwap wallet to their cold storage (1
> transaction). (granted, the CoinSwap implementation could offer a
> feature that immediately transfers the swapped funds to some other
> wallet, but we still cannot get around the transfer from the exchange
> to the CoinSwap wallet)
>
> A drawback of course, is that `SIGHASH_NOINPUT` is an unusual flag to
> use; it immediately paints the user as using some special protocol.
> So much for `SIGHASH_NOINPUT` CoinSwap.
By providing a new use-case you are contributing to the obfuscation of
this technique. The more normal the use of `SIGHASH_NOINPUT` becomes the
less an observer can learn from it being used. In combination with MAST,
Taproot or Graftroot we can further hide the details of the executed
protocol :-)
Christian Decker [ARCHIVE] /
npub1wt…gtuyn
2023-06-07 18:11:48
in reply to nevent1q…2lr3
Author Public Key
npub1wtx5qvewc7pd6znlvwktq03mdld05mv3h5dkzfwd3dc30gdmsptsugtuynPublished at
2023-06-07 18:11:48Event JSON
{
"id": "102f1849ebcdcc476fd37b4cde67a557522de8af637b4c900daba47afc8b7a96",
"pubkey": "72cd40332ec782dd0a7f63acb03e3b6fdafa6d91bd1b6125cd8b7117a1bb8057",
"created_at": 1686161508,
"kind": 1,
"tags": [
[
"e",
"7f0cd1094aff3aae900132623e6891ac0d947319d5aba2c35a28aa44100a53e8",
"",
"root"
],
[
"e",
"491be8830c1f4bc734726542573e4bf1d6172736fd9e056a1fe2769da374bb6e",
"",
"reply"
],
[
"p",
"4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861"
]
],
"content": "📅 Original date posted:2018-05-04\n📝 Original message:ZmnSCPxj \u003cZmnSCPxj at protonmail.com\u003e writes:\n\u003e It seems to me, that `SIGHASH_NOINPUT` may help make some protocol\n\u003e integrate better with existing wallets.\n\nDepends on which end of a transaction the existing wallet is: existing\nwallets will refuse to sign a transaction with an unknown sighash flag,\nbut if the wallet is creating the output that'll later be spent using a\n`SIGHASH_NOINPUT` transaction it won't (and shouldn't) care.\n\n\u003e I remember vaguely that `SIGHASH_NOINPUT` was also mentioned before in\n\u003e LN discussions, when the issue of transaction malleation was\n\u003e considered (before SegWit, being totally uncontroversial, was\n\u003e massively adopted). The sketch below, I believe, is somewhat\n\u003e consistent with how it could have been used in funding a channel.\n\nI consider `SIGHASH_NOINPUT` to be a poor-man's malleability fix, since\nit comes with some baggage. Without trying to undermine my own proposal,\nbut address reuse in combination with binding through script, can lead\nto very unexpected results. You need to be very careful about where you\nallow rebinding, hence the warnings in the proposal.\n\n\u003e Consider a CoinSwap protocol. Each side writes a transaction that\n\u003e pays out to an ordinary 2-of-2 multisig address. But before each side\n\u003e writes and signs that transaction, it first demands a timelocked\n\u003e backout transaction to let them recover their own funds in case it\n\u003e falls through (more generally, every offchain protocol has a similar\n\u003e setup stage where some way to back out is signed before all parties\n\u003e enter into the contract).\n\u003e\n\u003e ...\n\u003e\n\u003e With `SIGHASH_NOINPUT`, we can indeed implement such a walletless\n\u003e CoinSwap (or other protocol) software. We only need to provide the\n\u003e public keys that will be used in the initial 2-of-2, and the other\n\u003e side can create a signature with `SIGHASH_NOINPUT` flag.\n\nI was wondering whether we could actually skip one communication round\nw.r.t. the previously described CoinSwap protocol, but it turns out we\nneed to at least exchange public keys before actually moving any\nfunds. Would have been nice to do spontaneous CoinSwaps.\n\n\u003e The setup of the CoinSwap then goes this way. The swapping nodes\n\u003e exchange public keys (two for each side in this case), they agree on\n\u003e who gets to move first in the swap and who generates the preimage, and\n\u003e then they agree on what the backout transactions look like (in\n\u003e particular, they agree on the address the backout transactions spend)\n\u003e and create signatures, with `SIGHASH_NOINPUT`. In particular, the\n\u003e signatures do not commit to the txid of the transaction that they\n\u003e authorize spending. The CoinSwap sofwares then turn around to their\n\u003e users and say \"okay, send to this address\", the users initiate the\n\u003e swap using their normal wallet software, the CoinSwap software\n\u003e monitors only the address it asked the user to use, then when it\n\u003e appears onchain (the CoinSwap software does not even need to track the\n\u003e mempool) it continues with the HTLC offers and preimage exchanges\n\u003e until the protocol completes.\n\u003e\n\u003e In a world where walletless CoinSwap exists, consider this:\n\u003e\n\u003e 1. A user buys Bitcoin from an exchange. The exchange operates a\n\u003e wallet which they credit when the user buys Bitcoin.\n\u003e 2. The user starts a CoinSwap, giving the destination address from\n\u003e their cold-storage wallet.\n\u003e 3. The CoinSwap tells the user an address to send to. The user\n\u003e withdraws money from the exchange using that address as destination (1\n\u003e transaction)\n\u003e 4. The user waits for the CoinSwap to finish, which causes the funds\n\u003e to appear in their cold-storage wallet (1 transaction).\n\u003e\n\u003e If CoinSwap implementations all needed their own wallets, then instead:\n\u003e\n\u003e 1. A user buys Bitcoin from an exchange.\n\u003e 2. The user withdraws the funds from the exchange to a CoinSwap\n\u003e implementation wallet (1 transaction).\n\u003e 3. The user performs a CoinSwap which goes back to the CoinSwap\n\u003e implementation wallet (2 transactions).\n\u003e 4. The user sends from the CoinSwap wallet to their cold storage (1\n\u003e transaction). (granted, the CoinSwap implementation could offer a\n\u003e feature that immediately transfers the swapped funds to some other\n\u003e wallet, but we still cannot get around the transfer from the exchange\n\u003e to the CoinSwap wallet)\n\u003e\n\u003e A drawback of course, is that `SIGHASH_NOINPUT` is an unusual flag to\n\u003e use; it immediately paints the user as using some special protocol.\n\u003e So much for `SIGHASH_NOINPUT` CoinSwap.\n\nBy providing a new use-case you are contributing to the obfuscation of\nthis technique. The more normal the use of `SIGHASH_NOINPUT` becomes the\nless an observer can learn from it being used. In combination with MAST,\nTaproot or Graftroot we can further hide the details of the executed\nprotocol :-)",
"sig": "f477befa6931c783c0520d93b773ccdbd409873f32f3b3cd7cd5068ebe83bae452e63116ea024b220f2eb92f9cf3c2c816f3e78f561bd5764ef31c62090b0051"
}