[bitcoin-dev] Safer sighashes and more granular SIGHASH_NOINPUT
aj at erisian.com.au
Thu Dec 13 00:24:38 UTC 2018
On Wed, Dec 12, 2018 at 08:12:10PM +1030, Rusty Russell via bitcoin-dev wrote:
> Pieter Wuille via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org> writes:
> > Here is a combined proposal:
> > * Three new sighash flags are added: SIGHASH_NOINPUT, SIGHASH_NOFEE,
> > and SIGHASH_SCRIPTMASK.
> > * A new opcode OP_MASK is added, which acts as a NOP during execution.
> > * The sighash is computed like in BIP143, but:
> > * If SIGHASH_SCRIPTMASK is present, for every OP_MASK in scriptCode
> > the subsequent opcode/push is removed.
> I'm asking on-list because I'm sure I'm not the only confused one.
> Having the SIGHASH_SCRIPTMASK flag is redundant AFAICT: why not always
> perform mask-removal for signing?
The way I'm thinking about it is there's four amounts of knowledge you
could have about the input you're spending at the time you generate a
ALL: you know everything about every input for this tx
SINGLE: you know everything about the input you're signing for, but
not necessarily the others
SCRIPTPUBKEY: you know the exact scriptPubKey you're trying to satisfy, but
don't know the txid
SCRIPTMASK: you don't know the txid, don't know the scriptPubKey, don't
know the other taproot branches, and maybe don't even know the masked
out terms in the script -- but you do know the structure of the
script, and the non-masked terms
There's no value to masking in any but the final case -- the txid and
scriptPubKey commit to the full scriptcode already, so also signing the
scriptcode is just belt-and-suspenders protection.
(It might be that the "SCRIPTPUBKEY" option isn't very useful in
practice; maybe you'll always either know the txid, or need to mask
> And I am struggling to understand the role of scriptmask in a taproot
> world, where the alternate script is both hidden and general?
In a taproot world, your scriptPubKey is a point P=Q+H(Q,S)*G, where S
is a merkle root of possibly many scripts, and is spendable either by:
Q, path(S,script), script, witness(script)
SCRIPTMASK lets you prepare a signature for one particular script in
advance, even before you've decided what the other scripts are (and even
what the base point Q is), let alone built an actual transaction.
At least, that's my current understanding; and I think it makes sense...
More information about the bitcoin-dev