[bitcoin-dev] Safer sighashes and more granular SIGHASH_NOINPUT
aj at erisian.com.au
Thu Dec 13 00:05:53 UTC 2018
On Tue, Dec 11, 2018 at 05:50:24PM -0500, Russell O'Connor via bitcoin-dev wrote:
> On Sun, Dec 9, 2018 at 2:13 PM Johnson Lau <jl2012 at xbt.hk> wrote:
> The current proposal is that a 64-byte signature will be used for the
> default “signing all” sighash, and 65-byte for other sighash types. The
> space saved will allow a few more txs in a block, so I think it worths
> doing. However, this also makes witness weight estimation more difficult in
> multisig cases.
This seems strange to me -- why wouldn't you just assume every signature
is 65 witness bytes, and just be grateful for the prioritisation benefit
if someone chooses a shorter signature? Your error margin is just 0.25
vbytes per signature.
> I tend to think in opposite terms. Is there a proof that any script can be
> transformed into an equivalent one that avoids witness weight malleability?
An alternative generalisation: is there a proof that all valid witnesses
will have a weight within some small range?
> Moreover, even if witness weight malleability is entirely avoidable, it always
> seems to come at a cost. Taking as an example libwally's proposed "
> csv_2of3_then_2" Script, it begins with "OP_DEPTH OP_1SUB OP_1SUB"
(DEPTH 2 NUMNOTEQUAL seems like it would have been more obvious...)
More information about the bitcoin-dev