📅 Original date posted:2018-11-19
📝 Original message:Hello everyone,
For future segwit versions, I think it would be good add a few things
to the sighash by default that were overlooked in BIP143:
* Committing to the absolute transaction fee (in addition to just the
amount being spent in each input) would categorically remove concerns
about wallets lying about fees to HW devices or airgapped signers.
* Committing to the scriptPubKey (in addition to the scriptCode) would
prevent lying to devices about the type of output being spent, even
when the scriptCode is correct. As a reminder, the scriptCode is the
actually executed script (which is the redeemscript in non-segwit
P2SH, and the witnesscript in P2WSH/P2WPKH).
As this implies additional information that may not be desirable to
commit to in all circumstances, it makes sense to make these optional.
This obviously interacts with SIGHASH_NOINPUT, which really adds two
different ways of rebinding signatures to inputs:
* Changing the prevout (so that the txid doesn't need to be known when
the signature is created)
* Changing the script (so that the exact scriptPubKey/redeemScript/...
doesn't need to be known when the signature is created)
Of course, the second implies the first, but do all use cases require
both being able to change the prevout and (arbitrarily) changing the
scriptPubKey? While BIP118 correctly points out this is secure if the
same keys are only used in scripts with which binding is to be
permitted, I feel it would be preferable if signatures/scripts would
explicitly state what can change. One way to accomplish this is by
indicating exactly what in a script is subject to change.
Here is a combined proposal:
* Three new sighash flags are added: SIGHASH_NOINPUT, SIGHASH_NOFEE,
and SIGHASH_SCRIPTMASK.
* A new opcode OP_MASK is added, which acts as a NOP during execution.
* The sighash is computed like in BIP143, but:
* If SIGHASH_SCRIPTMASK is present, for every OP_MASK in scriptCode
the subsequent opcode/push is removed.
* The scriptPubKey being spent is added to the sighash, unless
SIGHASH_SCRIPTMASK is set.
* The transaction fee is added to the sighash, unless SIGHASH_NOFEE is set.
* hashPrevouts, hashSequence, and outpoint are set to null when
SIGHASH_NOINPUT is set (like BIP118, but not for scriptCode).
So my question is whether anyone can see ways in which this introduces
redundant flexibility, or misses obvious use cases?
Cheers,
--
Pieter
Pieter Wuille [ARCHIVE] /
npub1tj…jtl6r
2023-06-07 18:15:15
in reply to nevent1q…kudz
Author Public Key
npub1tjephawh7fdf6358jufuh5eyxwauzrjqa7qn50pglee4tayc2ntqcjtl6rPublished at
2023-06-07 18:15:15Event JSON
{
"id": "0076f399a5d244107e757a6887913689c12babfdb9c8e44fc90c4ad6bdb79403",
"pubkey": "5cb21bf5d7f25a9d46879713cbd32433bbc10e40ef813a3c28fe7355f49854d6",
"created_at": 1686161715,
"kind": 1,
"tags": [
[
"e",
"1bd7a781e2cfd166ff9a33b1bac5fde47a675384fad1a2f913ed308d62699fea",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "📅 Original date posted:2018-11-19\n📝 Original message:Hello everyone,\n\nFor future segwit versions, I think it would be good add a few things\nto the sighash by default that were overlooked in BIP143:\n* Committing to the absolute transaction fee (in addition to just the\namount being spent in each input) would categorically remove concerns\nabout wallets lying about fees to HW devices or airgapped signers.\n* Committing to the scriptPubKey (in addition to the scriptCode) would\nprevent lying to devices about the type of output being spent, even\nwhen the scriptCode is correct. As a reminder, the scriptCode is the\nactually executed script (which is the redeemscript in non-segwit\nP2SH, and the witnesscript in P2WSH/P2WPKH).\n\nAs this implies additional information that may not be desirable to\ncommit to in all circumstances, it makes sense to make these optional.\nThis obviously interacts with SIGHASH_NOINPUT, which really adds two\ndifferent ways of rebinding signatures to inputs:\n* Changing the prevout (so that the txid doesn't need to be known when\nthe signature is created)\n* Changing the script (so that the exact scriptPubKey/redeemScript/...\ndoesn't need to be known when the signature is created)\n\nOf course, the second implies the first, but do all use cases require\nboth being able to change the prevout and (arbitrarily) changing the\nscriptPubKey? While BIP118 correctly points out this is secure if the\nsame keys are only used in scripts with which binding is to be\npermitted, I feel it would be preferable if signatures/scripts would\nexplicitly state what can change. One way to accomplish this is by\nindicating exactly what in a script is subject to change.\n\nHere is a combined proposal:\n* Three new sighash flags are added: SIGHASH_NOINPUT, SIGHASH_NOFEE,\nand SIGHASH_SCRIPTMASK.\n* A new opcode OP_MASK is added, which acts as a NOP during execution.\n* The sighash is computed like in BIP143, but:\n * If SIGHASH_SCRIPTMASK is present, for every OP_MASK in scriptCode\nthe subsequent opcode/push is removed.\n * The scriptPubKey being spent is added to the sighash, unless\nSIGHASH_SCRIPTMASK is set.\n * The transaction fee is added to the sighash, unless SIGHASH_NOFEE is set.\n * hashPrevouts, hashSequence, and outpoint are set to null when\nSIGHASH_NOINPUT is set (like BIP118, but not for scriptCode).\n\nSo my question is whether anyone can see ways in which this introduces\nredundant flexibility, or misses obvious use cases?\n\nCheers,\n\n-- \nPieter",
"sig": "25aeff86d29eac6ef3d7a3125afe0481a85de7832ef95f6128d1082f40ce25a061e44c98eef417ee3ef79b4132fb2c93b6e34be2ab522686fe32e5e32850135c"
}