š
Original date posted:2019-10-03
š Original message:
> > let me propose the more radical excision, starting with SegWit v1:
> >
> > - Remove `SIGHASH` from signatures.
> > - Put `SIGHASH` on public keys.
> > <sighash> <pubkey> OP_SETPUBKEYSIGHASH
> >
>
> I don't think you could reasonably do this for key path spends -- if
> you included the sighash as part of the scriptpubkey explicitly, that
> would lose some of the indistinguishability of taproot addresses, and be
> more expensive than having the sighash be in witness data.
Nonexistence of sighash byte implies `SIGHASH_ALL`, and for offchain anyway the desired path is to end up with an n-of-n MuSig `SIGHASH_ALL` signed mutual close transaction.
Indeed we can even restrict keypath spends to not having a sighash byte and just implicitly requiring `SIGHASH_ALL` with no loss of privacy for offchain while attaining safety against `SIGHASH_NOINPUT` for MuSig and VSSS multisignature adresses.
> So I think
> that means sighashes would still be included in key path signatures,
> which would make the behaviour a little confusingly different between
> signing for key path and script path spends.
>
> > This removes the problems with `SIGHASH_NONE` `SIGHASH_SINGLE`, as they are allowed only if the output specifically says they are allowed.
>
> I don't think the problems with NONE and SINGLE are any worse than using
> SIGHASH_ALL to pay to "1*G" -- someone may steal the money you send,
> but that's as far as it goes. NOINPUT/ANYPREVOUT is worse in that if
> you use it, someone may steal funds from other UTXOs too -- similar
> to nonce-reuse. So I think having to commit to enabling NOINPUT for an
> address may make sense; but I don't really see the need for doing the
> same for other sighashes generally.
As the existing sighashes are not particularly used anyway, additional restrictions on them are relatively immaterial.
>
> FWIW, one way of looking at a transaction spending UTXO "U" to address
> "A" is something like:
>
> - "script" lets you enforce conditions on the transaction when you
> create "A" [0]
>
> - "sighash" lets you enforce conditions on the transaction when
> you sign the transaction
>
> - nlocktime, nsequence, taproot annex are ways you express conditions
> on the transaction
>
> In that view, "sighash" is actually an extremely simple scripting
> language itself (with a total of six possible scripts).
>
> That doesn't seem like a bad design to me, fwiw.
Only one of the scripts is widely used, another has an edge use it sucks at (assurance contracts).
Does not seem to be good design, rather legacy cruft.
Regards,
ZmnSCPxj
>
> Cheers,
> aj
>
> [0] "graftroot" lets you update those conditions for address "A" after
> the fact
>
ZmnSCPxj [ARCHIVE] /
npub1g5ā¦3ms3l
2023-06-09 12:56:22
in reply to nevent1qā¦z93k
Author Public Key
npub1g5zswf6y48f7fy90jf3tlcuwdmjn8znhzaa4vkmtxaeskca8hpss23ms3lSeen on
wss://relay.noswhere.comPublished at
2023-06-09 12:56:22Event JSON
{
"id": "21bd7ab26bacd55ac8f87a4863db84054586667d918d20b99725b1c689b9a356",
"pubkey": "4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861",
"created_at": 1686315382,
"kind": 1,
"tags": [
[
"e",
"cdcb20d8f8d63cc4e462299d7b2042087b535b172c963061dbb6929331fffa55",
"",
"root"
],
[
"e",
"69451018d0fc64b9eee4347df37667bfcbcb6308bae495307fb0a646c231d71e",
"",
"reply"
],
[
"p",
"f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab"
]
],
"content": "š
Original date posted:2019-10-03\nš Original message:\n\u003e \u003e let me propose the more radical excision, starting with SegWit v1:\n\u003e \u003e\n\u003e \u003e - Remove `SIGHASH` from signatures.\n\u003e \u003e - Put `SIGHASH` on public keys.\n\u003e \u003e \u003csighash\u003e \u003cpubkey\u003e OP_SETPUBKEYSIGHASH\n\u003e \u003e\n\u003e\n\u003e I don't think you could reasonably do this for key path spends -- if\n\u003e you included the sighash as part of the scriptpubkey explicitly, that\n\u003e would lose some of the indistinguishability of taproot addresses, and be\n\u003e more expensive than having the sighash be in witness data.\n\nNonexistence of sighash byte implies `SIGHASH_ALL`, and for offchain anyway the desired path is to end up with an n-of-n MuSig `SIGHASH_ALL` signed mutual close transaction.\nIndeed we can even restrict keypath spends to not having a sighash byte and just implicitly requiring `SIGHASH_ALL` with no loss of privacy for offchain while attaining safety against `SIGHASH_NOINPUT` for MuSig and VSSS multisignature adresses.\n\n\n\u003e So I think\n\u003e that means sighashes would still be included in key path signatures,\n\u003e which would make the behaviour a little confusingly different between\n\u003e signing for key path and script path spends.\n\u003e\n\u003e \u003e This removes the problems with `SIGHASH_NONE` `SIGHASH_SINGLE`, as they are allowed only if the output specifically says they are allowed.\n\u003e\n\u003e I don't think the problems with NONE and SINGLE are any worse than using\n\u003e SIGHASH_ALL to pay to \"1*G\" -- someone may steal the money you send,\n\u003e but that's as far as it goes. NOINPUT/ANYPREVOUT is worse in that if\n\u003e you use it, someone may steal funds from other UTXOs too -- similar\n\u003e to nonce-reuse. So I think having to commit to enabling NOINPUT for an\n\u003e address may make sense; but I don't really see the need for doing the\n\u003e same for other sighashes generally.\n\nAs the existing sighashes are not particularly used anyway, additional restrictions on them are relatively immaterial.\n\n\u003e\n\u003e FWIW, one way of looking at a transaction spending UTXO \"U\" to address\n\u003e \"A\" is something like:\n\u003e\n\u003e - \"script\" lets you enforce conditions on the transaction when you\n\u003e create \"A\" [0]\n\u003e\n\u003e - \"sighash\" lets you enforce conditions on the transaction when\n\u003e you sign the transaction\n\u003e\n\u003e - nlocktime, nsequence, taproot annex are ways you express conditions\n\u003e on the transaction\n\u003e\n\u003e In that view, \"sighash\" is actually an extremely simple scripting\n\u003e language itself (with a total of six possible scripts).\n\u003e\n\u003e That doesn't seem like a bad design to me, fwiw.\n\n\nOnly one of the scripts is widely used, another has an edge use it sucks at (assurance contracts).\n\nDoes not seem to be good design, rather legacy cruft.\n\nRegards,\nZmnSCPxj\n\n\u003e\n\u003e Cheers,\n\u003e aj\n\u003e\n\u003e [0] \"graftroot\" lets you update those conditions for address \"A\" after\n\u003e the fact\n\u003e",
"sig": "c7b9500729b04d64f665032d4518df0f2a21b925658ae1372ca5acdbfc5f319f5df0ef9b7c3c648604f918f69d755ba9e79ef59dc4bb1f03a62475558f2520a5"
}