📅 Original date posted:2018-05-15
📝 Original message:
Anthony Towns <aj at erisian.com.au> writes:
> On Thu, May 10, 2018 at 08:34:58AM +0930, Rusty Russell wrote:
>> > The big concern I have with _NOINPUT is that it has a huge failure
>> > case: if you use the same key for multiple inputs and sign one of them
>> > with _NOINPUT, you've spent all of them. The current proposal kind-of
>> > limits the potential damage by still committing to the prevout amount,
>> > but it still seems a big risk for all the people that reuse addresses,
>> > which seems to be just about everyone.
>> If I can convince you to sign with SIGHASH_NONE, it's already a problem
>> today.
>
> So, I don't find that very compelling: "there's already a way to lose
> your money, so it's fine to add other ways to lose your money". And
> again, I think NOINPUT is worse here, because a SIGHASH_NONE signature
> only lets others take the coin you're trying to spend, messing up when
> using NOINPUT can cause you to lose other coins as well (with caveats).
`SIGHASH_NOINPUT` is a rather powerful tool, but has to be used
responsibly, which is why we always mention that it shouldn't be used
lightly. Then again all sighash flags can be dangerous if not well
understood. Think for example `SIGHASH_SINGLE` with it's pitfall when
the input has no matching output, or the already mentioned SIGHASH_NONE.
>From a technical, and risk, point of view I don't think there is much
difference between a new opcode or a new sighash flag, with the
activation being the one exception. I personally believe that a segwit
script bump has cleaner semantics than soft-forking in a new opcode
(which has 90% overlap with the existing checksig and checkmultisig
opcodes).
>> [...]
>> In a world where SIGHASH_NONE didn't exist, this might be an argument :)
>
> I could see either dropping support for SIGHASH_NONE for segwit
> v1 addresses, or possibly limiting SIGHASH_NONE in a similar way to
> limiting SIGHASH_NOINPUT. Has anyone dug through the blockchain to see
> if SIGHASH_NONE is actually used/useful?
That's a good point, I'll try looking for it once I get back to my full
node :-) And yes, `SIGHASH_NONE` should also come with all the warning
signs about not using it without a very good reason.
>> That was also suggested by Mark Friedenbach, but I think we'll end up
>> with more "magic key" a-la Schnorr/taproot/graftroot and less script in
>> future.
>
> Taproot and graftroot aren't "less script" at all -- if anything they're
> the opposite in that suddenly every address can have a script path.
> I think NOINPUT has pretty much the same tradeoffs as taproot/graftroot
> scripts: in the normal case for both you just use a SIGHASH_ALL
> signature to spend your funds; in the abnormal case for NOINPUT, you use
> a SIGHASH_NOINPUT (multi)sig for unilateral eltoo closes or watchtower
> penalties, in the abnormal case for taproot/graftroot you use a script.
That's true for today's uses of `SIGHASH_NOINPUT` and others, but there
might be other uses that we don't know about in which noinput isn't just
used for the contingency, handwavy I know. That's probably not the case
for graftroot/taproot, but I'm happy to be corrected on that one.
Still, these opcodes and hash flags being mainly used for contingencies,
doesn't remove the need for these contingency options to be enforced
on-chain.
>> That means we'd actually want a different Segwit version for
>> "NOINPUT-can-be-used", which seems super ugly.
>
> That's backwards. If you introduce a new opcode, you can use the existing
> segwit version, rather than needing segwit v1. You certainly don't need
> v1 segwit for regular coins and v2 segwit for NOINPUT coins, if that's
> where you were going?
>
> For segwit v0, that would mean your addresses for a key "X", might be:
>
> [pubkey] X
> - not usable with NOINPUT
> [script] 2 X Y 2 CHECKMULTISIG
> - not usable with NOINPUT
> [script] 2 X Y 2 CHECKMULTISIG_1USE_VERIFY
> - usable with NOINPUT (or SIGHASH_ALL)
>
> CHECKMULTISIG_1USE_VERIFY being soft-forked in by replacing an OP_NOP,
> of course. Any output spendable via a NOINPUT signature would then have
> had to have been deliberately created as being spendable by NOINPUT.
The main reason I went for the sighash flag instead of an opcode is that
it has clean semantics, allows for it to be bundled with a number of
other upgrades, and doesn't use up NOP-codes, which I was lectured
for my normalized tx BIP (BIP140) is a rare resource that should be used
sparingly. The `SIGHASH_NOINPUT` proposal is minimal, since it enhances
4 existing opcodes. If we were to do that with new opcodes we'd either
want a multisig and a singlesig variant, potentially with a verify
variant each. That's a lot of opcodes.
The proposal being minimal should also help against everybody trying to
get their favorite feature added, and hopefully streamline the
discussion.
> For a new segwit version with taproot that likewise includes an opcode,
> that might be:
>
> [taproot] X
> - not usable with NOINPUT
> [taproot] X or: X CHECKSIG_1USE
> - usable with NOINPUT
>
> If you had two UTXOs (with the same value), then if you construct
> a taproot witness script for the latter address it will look like:
>
> X [X CHECKSIG_1USE] [sig_X_NOINPUT]
>
> and that signature can't be used for addresses that were just intending
> to pay to X, because the NOINPUT sig/sighash simply isn't supported
> without a taproot path that includes the CHECKSIG_1USE opcode.
>
> In essence, with the above construction there's two sorts of addresses
> you generate from a public key X: addresses where you spend each coin
> individually, and different addresses where you spend the wallet of
> coins with that public key (and value) at once; and that remains the
> same even if you use a single key for both.
>
> I think it's slightly more reasonable to worry about signing with NOINPUT
> compared to signing with SIGHASH_NONE: you could pretty reasonably setup
> your (light) bitcoin wallet to not be able to sign (or verify) with
> SIGHASH_NONE ever; but if you want to use lightning v2, it seems pretty
> likely your wallet will be signing things with SIGHASH_NOINPUT. From
> there, it's a matter of having a bug or a mistake cause you to
> cross-contaminate keys into your lightning subsystem, and not be
> sufficiently protected by other measures (eg, muSig versus checkmultisig).
I think the same can be addressed by simply having the wallet use a
different derivation path for keys that it is willing to sign with
NOINPUT. I sort of dislike having a direct dependency on taproot, i.e.,
allowing noinput only in taproot scripts, since that isn't a done deal
either. Without that direct dependency, having the noinput path and the
sighash_all path be differentiated in the script leaks the details
on-chain, bloating the UTXO set, and leaking details about our contract.
Also isn't the same issue true for a separate opcode?
> (For me the Debian ssh key generation bug from a decade ago is sufficient
> evidence that people you'd think are smart and competent do make really
> stupid mistakes in real life; so defense in depth here makes sense even
> though you'd have to do really stupid things to get a benefit from it)
Totally agree, however one could argue that increased code complexity
is a major contributor to security issues, and I'm still convinced that
the hashflag is the simplest and cleanest approach to getting this
feature implemented.
That being said, I think the soft-forked opcode is also a good option,
if we can get agreement on the details in a reasonable amount of time.
> The other benefit of a separate opcode is support can be soft-forked in
> independently of a new segwit version (either earlier or later).
That can both be a positive as well as a negative, since a bundle of
complementing features likely is easier to get reviewed and activated.
> I don't think the code has to be much more complicated with a separate
> opcode; passing an extra flag to TransactionSignatureChecker::CheckSig()
> is probably close to enough. Some sort of flag remains needed anyway
> since v0 and pre-segwit signatures won't support NOINPUT.
That's moving the fanout for sighash_all vs sighash_none from the opcode
up to the interpreter, right.
Cheers,
Christian
Christian Decker [ARCHIVE] /
npub1wt…gtuyn
2023-06-09 12:50:37
in reply to nevent1q…3d3v
Author Public Key
npub1wtx5qvewc7pd6znlvwktq03mdld05mv3h5dkzfwd3dc30gdmsptsugtuynPublished at
2023-06-09 12:50:37Event JSON
{
"id": "470ef28e9169b10b3f5e64b0539f2237353f8a322a8fa3e45bb2ac32e876d5e0",
"pubkey": "72cd40332ec782dd0a7f63acb03e3b6fdafa6d91bd1b6125cd8b7117a1bb8057",
"created_at": 1686315037,
"kind": 1,
"tags": [
[
"e",
"b96952336ac3c9bf98329984da334537047b985c3735bc2f731e82800af0b98a",
"",
"root"
],
[
"e",
"b97c06511c59fe9f589cd2ceb4fc792cfc44fd85e965dfac3ee0c73457ae1082",
"",
"reply"
],
[
"p",
"f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab"
]
],
"content": "📅 Original date posted:2018-05-15\n📝 Original message:\nAnthony Towns \u003caj at erisian.com.au\u003e writes:\n\n\u003e On Thu, May 10, 2018 at 08:34:58AM +0930, Rusty Russell wrote:\n\u003e\u003e \u003e The big concern I have with _NOINPUT is that it has a huge failure\n\u003e\u003e \u003e case: if you use the same key for multiple inputs and sign one of them\n\u003e\u003e \u003e with _NOINPUT, you've spent all of them. The current proposal kind-of\n\u003e\u003e \u003e limits the potential damage by still committing to the prevout amount,\n\u003e\u003e \u003e but it still seems a big risk for all the people that reuse addresses,\n\u003e\u003e \u003e which seems to be just about everyone.\n\u003e\u003e If I can convince you to sign with SIGHASH_NONE, it's already a problem\n\u003e\u003e today.\n\u003e\n\u003e So, I don't find that very compelling: \"there's already a way to lose\n\u003e your money, so it's fine to add other ways to lose your money\". And\n\u003e again, I think NOINPUT is worse here, because a SIGHASH_NONE signature\n\u003e only lets others take the coin you're trying to spend, messing up when\n\u003e using NOINPUT can cause you to lose other coins as well (with caveats).\n\n`SIGHASH_NOINPUT` is a rather powerful tool, but has to be used\nresponsibly, which is why we always mention that it shouldn't be used\nlightly. Then again all sighash flags can be dangerous if not well\nunderstood. Think for example `SIGHASH_SINGLE` with it's pitfall when\nthe input has no matching output, or the already mentioned SIGHASH_NONE.\n\n\u003eFrom a technical, and risk, point of view I don't think there is much\ndifference between a new opcode or a new sighash flag, with the\nactivation being the one exception. I personally believe that a segwit\nscript bump has cleaner semantics than soft-forking in a new opcode\n(which has 90% overlap with the existing checksig and checkmultisig\nopcodes).\n\n\u003e\u003e [...]\n\u003e\u003e In a world where SIGHASH_NONE didn't exist, this might be an argument :)\n\u003e\n\u003e I could see either dropping support for SIGHASH_NONE for segwit\n\u003e v1 addresses, or possibly limiting SIGHASH_NONE in a similar way to\n\u003e limiting SIGHASH_NOINPUT. Has anyone dug through the blockchain to see\n\u003e if SIGHASH_NONE is actually used/useful?\n\nThat's a good point, I'll try looking for it once I get back to my full\nnode :-) And yes, `SIGHASH_NONE` should also come with all the warning\nsigns about not using it without a very good reason.\n\n\u003e\u003e That was also suggested by Mark Friedenbach, but I think we'll end up\n\u003e\u003e with more \"magic key\" a-la Schnorr/taproot/graftroot and less script in\n\u003e\u003e future.\n\u003e\n\u003e Taproot and graftroot aren't \"less script\" at all -- if anything they're\n\u003e the opposite in that suddenly every address can have a script path.\n\u003e I think NOINPUT has pretty much the same tradeoffs as taproot/graftroot\n\u003e scripts: in the normal case for both you just use a SIGHASH_ALL\n\u003e signature to spend your funds; in the abnormal case for NOINPUT, you use\n\u003e a SIGHASH_NOINPUT (multi)sig for unilateral eltoo closes or watchtower\n\u003e penalties, in the abnormal case for taproot/graftroot you use a script.\n\nThat's true for today's uses of `SIGHASH_NOINPUT` and others, but there\nmight be other uses that we don't know about in which noinput isn't just\nused for the contingency, handwavy I know. That's probably not the case\nfor graftroot/taproot, but I'm happy to be corrected on that one.\n\nStill, these opcodes and hash flags being mainly used for contingencies,\ndoesn't remove the need for these contingency options to be enforced\non-chain.\n\n\u003e\u003e That means we'd actually want a different Segwit version for\n\u003e\u003e \"NOINPUT-can-be-used\", which seems super ugly.\n\u003e\n\u003e That's backwards. If you introduce a new opcode, you can use the existing\n\u003e segwit version, rather than needing segwit v1. You certainly don't need\n\u003e v1 segwit for regular coins and v2 segwit for NOINPUT coins, if that's\n\u003e where you were going?\n\u003e\n\u003e For segwit v0, that would mean your addresses for a key \"X\", might be:\n\u003e\n\u003e [pubkey] X \n\u003e - not usable with NOINPUT\n\u003e [script] 2 X Y 2 CHECKMULTISIG\n\u003e - not usable with NOINPUT\n\u003e [script] 2 X Y 2 CHECKMULTISIG_1USE_VERIFY\n\u003e - usable with NOINPUT (or SIGHASH_ALL)\n\u003e\n\u003e CHECKMULTISIG_1USE_VERIFY being soft-forked in by replacing an OP_NOP,\n\u003e of course. Any output spendable via a NOINPUT signature would then have\n\u003e had to have been deliberately created as being spendable by NOINPUT.\n\nThe main reason I went for the sighash flag instead of an opcode is that\nit has clean semantics, allows for it to be bundled with a number of\nother upgrades, and doesn't use up NOP-codes, which I was lectured\nfor my normalized tx BIP (BIP140) is a rare resource that should be used\nsparingly. The `SIGHASH_NOINPUT` proposal is minimal, since it enhances\n4 existing opcodes. If we were to do that with new opcodes we'd either\nwant a multisig and a singlesig variant, potentially with a verify\nvariant each. That's a lot of opcodes.\n\nThe proposal being minimal should also help against everybody trying to\nget their favorite feature added, and hopefully streamline the\ndiscussion.\n\n\u003e For a new segwit version with taproot that likewise includes an opcode,\n\u003e that might be:\n\u003e\n\u003e [taproot] X\n\u003e - not usable with NOINPUT\n\u003e [taproot] X or: X CHECKSIG_1USE\n\u003e - usable with NOINPUT\n\u003e\n\u003e If you had two UTXOs (with the same value), then if you construct\n\u003e a taproot witness script for the latter address it will look like:\n\u003e\n\u003e X [X CHECKSIG_1USE] [sig_X_NOINPUT]\n\u003e\n\u003e and that signature can't be used for addresses that were just intending\n\u003e to pay to X, because the NOINPUT sig/sighash simply isn't supported\n\u003e without a taproot path that includes the CHECKSIG_1USE opcode.\n\u003e\n\u003e In essence, with the above construction there's two sorts of addresses\n\u003e you generate from a public key X: addresses where you spend each coin\n\u003e individually, and different addresses where you spend the wallet of\n\u003e coins with that public key (and value) at once; and that remains the\n\u003e same even if you use a single key for both.\n\u003e\n\u003e I think it's slightly more reasonable to worry about signing with NOINPUT\n\u003e compared to signing with SIGHASH_NONE: you could pretty reasonably setup\n\u003e your (light) bitcoin wallet to not be able to sign (or verify) with\n\u003e SIGHASH_NONE ever; but if you want to use lightning v2, it seems pretty\n\u003e likely your wallet will be signing things with SIGHASH_NOINPUT. From\n\u003e there, it's a matter of having a bug or a mistake cause you to\n\u003e cross-contaminate keys into your lightning subsystem, and not be\n\u003e sufficiently protected by other measures (eg, muSig versus checkmultisig).\n\nI think the same can be addressed by simply having the wallet use a\ndifferent derivation path for keys that it is willing to sign with\nNOINPUT. I sort of dislike having a direct dependency on taproot, i.e.,\nallowing noinput only in taproot scripts, since that isn't a done deal\neither. Without that direct dependency, having the noinput path and the\nsighash_all path be differentiated in the script leaks the details\non-chain, bloating the UTXO set, and leaking details about our contract.\n\nAlso isn't the same issue true for a separate opcode?\n\n\u003e (For me the Debian ssh key generation bug from a decade ago is sufficient\n\u003e evidence that people you'd think are smart and competent do make really\n\u003e stupid mistakes in real life; so defense in depth here makes sense even\n\u003e though you'd have to do really stupid things to get a benefit from it)\n\nTotally agree, however one could argue that increased code complexity\nis a major contributor to security issues, and I'm still convinced that\nthe hashflag is the simplest and cleanest approach to getting this\nfeature implemented.\n\nThat being said, I think the soft-forked opcode is also a good option,\nif we can get agreement on the details in a reasonable amount of time.\n\n\u003e The other benefit of a separate opcode is support can be soft-forked in\n\u003e independently of a new segwit version (either earlier or later).\n\nThat can both be a positive as well as a negative, since a bundle of\ncomplementing features likely is easier to get reviewed and activated.\n\n\u003e I don't think the code has to be much more complicated with a separate\n\u003e opcode; passing an extra flag to TransactionSignatureChecker::CheckSig()\n\u003e is probably close to enough. Some sort of flag remains needed anyway\n\u003e since v0 and pre-segwit signatures won't support NOINPUT.\n\nThat's moving the fanout for sighash_all vs sighash_none from the opcode\nup to the interpreter, right.\n\nCheers,\nChristian",
"sig": "f4e121ad98f27d9ba5cd07222e6f0da2380c7ad5a634dd6ef39c0a11b94f6f2375759e730113c2287ce43794df54ae9605b0988c0a28de773b15b1f1215f7b2a"
}