[bitcoin-dev] Safer sighashes and more granular SIGHASH_NOINPUT
jl2012 at xbt.hk
Wed Dec 12 20:00:50 UTC 2018
> On 12 Dec 2018, at 5:42 PM, Rusty Russell via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org> wrote:
> Pieter Wuille via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org> writes:
>> Here is a combined proposal:
>> * Three new sighash flags are added: SIGHASH_NOINPUT, SIGHASH_NOFEE,
>> and SIGHASH_SCRIPTMASK.
>> * A new opcode OP_MASK is added, which acts as a NOP during execution.
>> * The sighash is computed like in BIP143, but:
>> * If SIGHASH_SCRIPTMASK is present, for every OP_MASK in scriptCode
>> the subsequent opcode/push is removed.
> I'm asking on-list because I'm sure I'm not the only confused one.
> Having the SIGHASH_SCRIPTMASK flag is redundant AFAICT: why not always
> perform mask-removal for signing?
Because a hardware wallet may want to know what exact script it is signing?
Masked script has reduced security, but this is a tradeoff with functionality (e.g. eltoo can’t work without masking part of the script). So when you don’t need that extra functionality, you go back to better security
However, I’m not sure if there is any useful NOINPUT case with unmasked script.
> If you're signing arbitrary scripts, you're surely in trouble already?
> And I am struggling to understand the role of scriptmask in a taproot
> world, where the alternate script is both hidden and general?
It makes sure that your signature is applicable to a specific script branch, not others (assuming you use the same pubkey in many branches, which is avoidable)
> I look forward to learning what I missed!
> bitcoin-dev mailing list
> bitcoin-dev at lists.linuxfoundation.org
More information about the bitcoin-dev