📅 Original date posted:2018-12-12
📝 Original message:Rusty Russell <rusty at rustcorp.com.au> writes:
>> However, I’m not sure if there is any useful NOINPUT case with unmasked script.
>
> This is *not* true of Eltoo; the script itself need not change for the
> rebinding (Christian, did something change?).
This is wrong, sorry. I re-checked the paper, and the constant for the
timelock comparison changes on each new update.
(The alternative was a new opcode like OP_TIMELOCKGREATERVERIFY which
required remembering the nLocktime for the UTXO).
So now my opinion is closer to yours: what's the use for NOINPUT &&
!NOMASK?
And is it worthwhile doing the mask complexity, rather than just
removing the commitment to script with NOINPUT? It *feels* safer to
restrict what scripts we can sign, but is it?
Note that NOINPUT is only useful when you can't just re-sign the tx, and
you need to be able to create a new tx even if this input is spent once
(an attacker can do this with SIGHASH_MASK or not!). ie. any other
inputs need to be signed NOINPUT or this one
SIGHASH_SINGLE|ANYONECANPAY.
You already need both key-reuse and amount-reuse to be exploited.
SIGHASH_MASK only prevents you from reusing this input for a "normal"
output; if you used this key for multiple scripts of the same form,
you're vulnerable[1]. Which, given the lightning software will be using
the One True Script, is more likely that your normal wallet using the
same keys.
So I don't think it's worth it. SIGHASH_NOINPUT is simply dangerous
with key-reuse, and Don't Do That.
Cheers,
Rusty.
[1] Attacker can basically clone channel state to another channel.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-07 18:15:36
in reply to nevent1q…hzud
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-07 18:15:36Event JSON
{
"id": "26ec8bac4147ef0097ce12528dba55b3eb12cc8149e8484f17f3604b7a274238",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686161736,
"kind": 1,
"tags": [
[
"e",
"77c824d861e497590991b7dc940a75787db11a7b2eab6adcf5563d0847a4df18",
"",
"root"
],
[
"e",
"16738b5ac8ffcfe1c3aa82e65735df8af40f10efa8b1a68dab55904f0b82eef2",
"",
"reply"
],
[
"p",
"13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425"
]
],
"content": "📅 Original date posted:2018-12-12\n📝 Original message:Rusty Russell \u003crusty at rustcorp.com.au\u003e writes:\n\u003e\u003e However, I’m not sure if there is any useful NOINPUT case with unmasked script.\n\u003e\n\u003e This is *not* true of Eltoo; the script itself need not change for the\n\u003e rebinding (Christian, did something change?).\n\nThis is wrong, sorry. I re-checked the paper, and the constant for the\ntimelock comparison changes on each new update.\n\n(The alternative was a new opcode like OP_TIMELOCKGREATERVERIFY which\nrequired remembering the nLocktime for the UTXO).\n\nSo now my opinion is closer to yours: what's the use for NOINPUT \u0026\u0026\n!NOMASK?\n\nAnd is it worthwhile doing the mask complexity, rather than just\nremoving the commitment to script with NOINPUT? It *feels* safer to\nrestrict what scripts we can sign, but is it?\n\nNote that NOINPUT is only useful when you can't just re-sign the tx, and\nyou need to be able to create a new tx even if this input is spent once\n(an attacker can do this with SIGHASH_MASK or not!). ie. any other\ninputs need to be signed NOINPUT or this one\nSIGHASH_SINGLE|ANYONECANPAY.\n\nYou already need both key-reuse and amount-reuse to be exploited.\nSIGHASH_MASK only prevents you from reusing this input for a \"normal\"\noutput; if you used this key for multiple scripts of the same form,\nyou're vulnerable[1]. Which, given the lightning software will be using\nthe One True Script, is more likely that your normal wallet using the\nsame keys.\n\nSo I don't think it's worth it. SIGHASH_NOINPUT is simply dangerous\nwith key-reuse, and Don't Do That.\n\nCheers,\nRusty.\n[1] Attacker can basically clone channel state to another channel.",
"sig": "370d48c86ac33448b8dec43c10b76dcc453db29463426341d82a1f208e96a654139123b53152bd3368fd63d95390b95ddafb3e03348ac5cb79b3944bd4a75dab"
}