📅 Original date posted:2018-05-14
📝 Original message:
On Thu, May 10, 2018 at 08:34:58AM +0930, Rusty Russell wrote:
> > The big concern I have with _NOINPUT is that it has a huge failure
> > case: if you use the same key for multiple inputs and sign one of them
> > with _NOINPUT, you've spent all of them. The current proposal kind-of
> > limits the potential damage by still committing to the prevout amount,
> > but it still seems a big risk for all the people that reuse addresses,
> > which seems to be just about everyone.
> If I can convince you to sign with SIGHASH_NONE, it's already a problem
> today.
So, I don't find that very compelling: "there's already a way to lose
your money, so it's fine to add other ways to lose your money". And
again, I think NOINPUT is worse here, because a SIGHASH_NONE signature
only lets others take the coin you're trying to spend, messing up when
using NOINPUT can cause you to lose other coins as well (with caveats).
> [...]
> In a world where SIGHASH_NONE didn't exist, this might be an argument :)
I could see either dropping support for SIGHASH_NONE for segwit
v1 addresses, or possibly limiting SIGHASH_NONE in a similar way to
limiting SIGHASH_NOINPUT. Has anyone dug through the blockchain to see
if SIGHASH_NONE is actually used/useful?
> That was also suggested by Mark Friedenbach, but I think we'll end up
> with more "magic key" a-la Schnorr/taproot/graftroot and less script in
> future.
Taproot and graftroot aren't "less script" at all -- if anything they're
the opposite in that suddenly every address can have a script path.
I think NOINPUT has pretty much the same tradeoffs as taproot/graftroot
scripts: in the normal case for both you just use a SIGHASH_ALL
signature to spend your funds; in the abnormal case for NOINPUT, you use
a SIGHASH_NOINPUT (multi)sig for unilateral eltoo closes or watchtower
penalties, in the abnormal case for taproot/graftroot you use a script.
> That means we'd actually want a different Segwit version for
> "NOINPUT-can-be-used", which seems super ugly.
That's backwards. If you introduce a new opcode, you can use the existing
segwit version, rather than needing segwit v1. You certainly don't need
v1 segwit for regular coins and v2 segwit for NOINPUT coins, if that's
where you were going?
For segwit v0, that would mean your addresses for a key "X", might be:
[pubkey] X
- not usable with NOINPUT
[script] 2 X Y 2 CHECKMULTISIG
- not usable with NOINPUT
[script] 2 X Y 2 CHECKMULTISIG_1USE_VERIFY
- usable with NOINPUT (or SIGHASH_ALL)
CHECKMULTISIG_1USE_VERIFY being soft-forked in by replacing an OP_NOP,
of course. Any output spendable via a NOINPUT signature would then have
had to have been deliberately created as being spendable by NOINPUT.
For a new segwit version with taproot that likewise includes an opcode,
that might be:
[taproot] X
- not usable with NOINPUT
[taproot] X or: X CHECKSIG_1USE
- usable with NOINPUT
If you had two UTXOs (with the same value), then if you construct
a taproot witness script for the latter address it will look like:
X [X CHECKSIG_1USE] [sig_X_NOINPUT]
and that signature can't be used for addresses that were just intending
to pay to X, because the NOINPUT sig/sighash simply isn't supported
without a taproot path that includes the CHECKSIG_1USE opcode.
In essence, with the above construction there's two sorts of addresses
you generate from a public key X: addresses where you spend each coin
individually, and different addresses where you spend the wallet of
coins with that public key (and value) at once; and that remains the
same even if you use a single key for both.
I think it's slightly more reasonable to worry about signing with NOINPUT
compared to signing with SIGHASH_NONE: you could pretty reasonably setup
your (light) bitcoin wallet to not be able to sign (or verify) with
SIGHASH_NONE ever; but if you want to use lightning v2, it seems pretty
likely your wallet will be signing things with SIGHASH_NOINPUT. From
there, it's a matter of having a bug or a mistake cause you to
cross-contaminate keys into your lightning subsystem, and not be
sufficiently protected by other measures (eg, muSig versus checkmultisig).
(For me the Debian ssh key generation bug from a decade ago is sufficient
evidence that people you'd think are smart and competent do make really
stupid mistakes in real life; so defense in depth here makes sense even
though you'd have to do really stupid things to get a benefit from it)
The other benefit of a separate opcode is support can be soft-forked in
independently of a new segwit version (either earlier or later).
I don't think the code has to be much more complicated with a separate
opcode; passing an extra flag to TransactionSignatureChecker::CheckSig()
is probably close to enough. Some sort of flag remains needed anyway
since v0 and pre-segwit signatures won't support NOINPUT.
Cheers,
aj
Anthony Towns [ARCHIVE] /
npub17r…x9l2h
2023-06-09 12:50:36
in reply to nevent1q…yqf3
Author Public Key
npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2hPublished at
2023-06-09 12:50:36Event JSON
{
"id": "b97c06511c59fe9f589cd2ceb4fc792cfc44fd85e965dfac3ee0c73457ae1082",
"pubkey": "f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab",
"created_at": 1686315036,
"kind": 1,
"tags": [
[
"e",
"b96952336ac3c9bf98329984da334537047b985c3735bc2f731e82800af0b98a",
"",
"root"
],
[
"e",
"60a4c0222641d525158c5ac36448df626a70197ec26f8c363c08fd7812683b18",
"",
"reply"
],
[
"p",
"13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425"
]
],
"content": "📅 Original date posted:2018-05-14\n📝 Original message:\nOn Thu, May 10, 2018 at 08:34:58AM +0930, Rusty Russell wrote:\n\u003e \u003e The big concern I have with _NOINPUT is that it has a huge failure\n\u003e \u003e case: if you use the same key for multiple inputs and sign one of them\n\u003e \u003e with _NOINPUT, you've spent all of them. The current proposal kind-of\n\u003e \u003e limits the potential damage by still committing to the prevout amount,\n\u003e \u003e but it still seems a big risk for all the people that reuse addresses,\n\u003e \u003e which seems to be just about everyone.\n\u003e If I can convince you to sign with SIGHASH_NONE, it's already a problem\n\u003e today.\n\nSo, I don't find that very compelling: \"there's already a way to lose\nyour money, so it's fine to add other ways to lose your money\". And\nagain, I think NOINPUT is worse here, because a SIGHASH_NONE signature\nonly lets others take the coin you're trying to spend, messing up when\nusing NOINPUT can cause you to lose other coins as well (with caveats).\n\n\u003e [...]\n\u003e In a world where SIGHASH_NONE didn't exist, this might be an argument :)\n\nI could see either dropping support for SIGHASH_NONE for segwit\nv1 addresses, or possibly limiting SIGHASH_NONE in a similar way to\nlimiting SIGHASH_NOINPUT. Has anyone dug through the blockchain to see\nif SIGHASH_NONE is actually used/useful?\n\n\u003e That was also suggested by Mark Friedenbach, but I think we'll end up\n\u003e with more \"magic key\" a-la Schnorr/taproot/graftroot and less script in\n\u003e future.\n\nTaproot and graftroot aren't \"less script\" at all -- if anything they're\nthe opposite in that suddenly every address can have a script path.\nI think NOINPUT has pretty much the same tradeoffs as taproot/graftroot\nscripts: in the normal case for both you just use a SIGHASH_ALL\nsignature to spend your funds; in the abnormal case for NOINPUT, you use\na SIGHASH_NOINPUT (multi)sig for unilateral eltoo closes or watchtower\npenalties, in the abnormal case for taproot/graftroot you use a script.\n\n\u003e That means we'd actually want a different Segwit version for\n\u003e \"NOINPUT-can-be-used\", which seems super ugly.\n\nThat's backwards. If you introduce a new opcode, you can use the existing\nsegwit version, rather than needing segwit v1. You certainly don't need\nv1 segwit for regular coins and v2 segwit for NOINPUT coins, if that's\nwhere you were going?\n\nFor segwit v0, that would mean your addresses for a key \"X\", might be:\n\n [pubkey] X \n - not usable with NOINPUT\n [script] 2 X Y 2 CHECKMULTISIG\n - not usable with NOINPUT\n [script] 2 X Y 2 CHECKMULTISIG_1USE_VERIFY\n - usable with NOINPUT (or SIGHASH_ALL)\n\nCHECKMULTISIG_1USE_VERIFY being soft-forked in by replacing an OP_NOP,\nof course. Any output spendable via a NOINPUT signature would then have\nhad to have been deliberately created as being spendable by NOINPUT.\n\nFor a new segwit version with taproot that likewise includes an opcode,\nthat might be:\n\n [taproot] X\n - not usable with NOINPUT\n [taproot] X or: X CHECKSIG_1USE\n - usable with NOINPUT\n\nIf you had two UTXOs (with the same value), then if you construct\na taproot witness script for the latter address it will look like:\n\n X [X CHECKSIG_1USE] [sig_X_NOINPUT]\n\nand that signature can't be used for addresses that were just intending\nto pay to X, because the NOINPUT sig/sighash simply isn't supported\nwithout a taproot path that includes the CHECKSIG_1USE opcode.\n\nIn essence, with the above construction there's two sorts of addresses\nyou generate from a public key X: addresses where you spend each coin\nindividually, and different addresses where you spend the wallet of\ncoins with that public key (and value) at once; and that remains the\nsame even if you use a single key for both.\n\nI think it's slightly more reasonable to worry about signing with NOINPUT\ncompared to signing with SIGHASH_NONE: you could pretty reasonably setup\nyour (light) bitcoin wallet to not be able to sign (or verify) with\nSIGHASH_NONE ever; but if you want to use lightning v2, it seems pretty\nlikely your wallet will be signing things with SIGHASH_NOINPUT. From\nthere, it's a matter of having a bug or a mistake cause you to\ncross-contaminate keys into your lightning subsystem, and not be\nsufficiently protected by other measures (eg, muSig versus checkmultisig).\n\n(For me the Debian ssh key generation bug from a decade ago is sufficient\nevidence that people you'd think are smart and competent do make really\nstupid mistakes in real life; so defense in depth here makes sense even\nthough you'd have to do really stupid things to get a benefit from it)\n\nThe other benefit of a separate opcode is support can be soft-forked in\nindependently of a new segwit version (either earlier or later).\n\nI don't think the code has to be much more complicated with a separate\nopcode; passing an extra flag to TransactionSignatureChecker::CheckSig()\nis probably close to enough. Some sort of flag remains needed anyway\nsince v0 and pre-segwit signatures won't support NOINPUT.\n\nCheers,\naj",
"sig": "26d654af7d4bba170410e2c07826d4bacfc297637b8d8aa0967cc237cd0c14d7de5aa4a85d7b508d8a2ae4697633dbcc2f6b4c6b636793273207ca35d6dae3d7"
}