[bitcoin-dev] Safer sighashes and more granular SIGHASH_NOINPUT
rusty at rustcorp.com.au
Thu Dec 13 00:37:28 UTC 2018
Rusty Russell <rusty at rustcorp.com.au> writes:
>> However, I’m not sure if there is any useful NOINPUT case with unmasked script.
> This is *not* true of Eltoo; the script itself need not change for the
> rebinding (Christian, did something change?).
This is wrong, sorry. I re-checked the paper, and the constant for the
timelock comparison changes on each new update.
(The alternative was a new opcode like OP_TIMELOCKGREATERVERIFY which
required remembering the nLocktime for the UTXO).
So now my opinion is closer to yours: what's the use for NOINPUT &&
And is it worthwhile doing the mask complexity, rather than just
removing the commitment to script with NOINPUT? It *feels* safer to
restrict what scripts we can sign, but is it?
Note that NOINPUT is only useful when you can't just re-sign the tx, and
you need to be able to create a new tx even if this input is spent once
(an attacker can do this with SIGHASH_MASK or not!). i.e. any other
inputs need to be signed NOINPUT or this one
You already need both key-reuse and amount-reuse to be exploited.
SIGHASH_MASK only prevents you from reusing this input for a "normal"
output; if you used this key for multiple scripts of the same form,
you're vulnerable. Which, given the lightning software will be using
the One True Script, is more likely than your normal wallet using the
So I don't think it's worth it. SIGHASH_NOINPUT is simply dangerous
with key-reuse, and Don't Do That.
Attacker can basically clone channel state to another channel.
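The key-reuse plus amount-reuse argument above, as an added toy model that is mine and not part of the thread: it is not Bitcoin's real sighash serialisation, it stands in for ECDSA with an HMAC, models SIGHASH_MASK as "commit to the script with its numeric constants blanked", and uses a constructed placeholder for an Eltoo-style update script. It shows that a NOINPUT signature rebinds to any other UTXO with the same key and amount, and that MASK only stops rebinding to a script of a different form.

```python
import hashlib
import hmac
import json
import re

# Toy model (constructed here, not Bitcoin's real sighash serialisation) of
# which transaction fields a signature commits to under each flag.
def sighash(tx, inp, flags):
    """Digest the signer commits to for input `inp` of `tx`."""
    msg = {"version": tx["version"], "locktime": tx["locktime"],
           "outputs": tx["outputs"], "amount": inp["amount"]}
    if "NOINPUT" not in flags:
        msg["prevout"] = inp["prevout"]   # normal sighash commits to the outpoint
        msg["script"] = inp["script"]     # ... and to the exact script
    elif "MASK" in flags:
        # SIGHASH_MASK as discussed: keep the script's form, blank its constants,
        # so every script of the same form hashes the same way.
        msg["script"] = re.sub(r"\b\d+\b", "<n>", inp["script"])
    return hashlib.sha256(json.dumps(msg, sort_keys=True).encode()).digest()

def sign(key, tx, inp, flags):
    # HMAC stands in for a real signature: same key + same digest -> same sig.
    return hmac.new(key, sighash(tx, inp, flags), "sha256").digest()

def verify(key, sig, tx, inp, flags):
    return hmac.compare_digest(sig, sign(key, tx, inp, flags))

def rebinds(key, flags, script_a, script_b, amount_a, amount_b):
    """True if a signature made for UTXO A also validates when bound to UTXO B."""
    tx = {"version": 2, "locktime": 0, "outputs": [{"amount": 9990, "spk": "settle"}]}
    a = {"prevout": "txA:0", "script": script_a, "amount": amount_a}
    b = {"prevout": "txB:0", "script": script_b, "amount": amount_b}
    sig = sign(key, tx, a, flags)
    return verify(key, sig, tx, b, flags)

KEY = b"same-key-reused-in-two-channels"            # constructed: the key-reuse precondition
UPDATE = "OP_CSV {n} <pubkey> OP_CHECKSIG"           # constructed placeholder, Eltoo-style
NORMAL = "OP_DUP OP_HASH <h> OP_EQUALVERIFY OP_CHECKSIG"  # constructed "normal" script form

if __name__ == "__main__":
    u42, u43 = UPDATE.format(n=42), UPDATE.format(n=43)
    print("NOINPUT, same amount, other channel:", rebinds(KEY, {"NOINPUT"}, u42, u43, 10000, 10000))
    print("NOINPUT, different amount:          ", rebinds(KEY, {"NOINPUT"}, u42, u43, 10000, 20000))
    print("NOINPUT|MASK, same script form:     ", rebinds(KEY, {"NOINPUT", "MASK"}, u42, u43, 10000, 10000))
    print("NOINPUT|MASK, normal script form:   ", rebinds(KEY, {"NOINPUT", "MASK"}, u42, NORMAL, 10000, 10000))
    print("normal sighash, any reuse:          ", rebinds(KEY, set(), u42, u42, 10000, 10000))
```

The third line is the point of the message: with the One True Script in every channel, MASK does not stop a signature from one channel binding to another channel's UTXO of the same amount.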