[bitcoin-dev] Safer sighashes and more granular SIGHASH_NOINPUT

[Rusty Russell]

Rusty Russell <rusty at rustcorp.com.au> writes:
>> However, I’m not sure if there is any useful NOINPUT case with unmasked script.
>
> This is *not* true of Eltoo; the script itself need not change for the
> rebinding (Christian, did something change?).

This is wrong, sorry.  I re-checked the paper, and the constant for the
timelock comparison changes on each new update.

(The alternative was a new opcode like OP_TIMELOCKGREATERVERIFY which
required remembering the nLocktime for the UTXO).

So now my opinion is closer to yours: what's the use for NOINPUT &&
!NOMASK?

And is it worthwhile doing the mask complexity, rather than just
removing the commitment to script with NOINPUT?  It *feels* safer to
restrict what scripts we can sign, but is it?

Note that NOINPUT is only useful when you can't just re-sign the tx, and
you need to be able to create a new tx even if this input is spent once
(an attacker can do this with SIGHASH_MASK or not!).  ie. any other
inputs need to be signed NOINPUT or this one
SIGHASH_SINGLE|ANYONECANPAY.

You already need both key-reuse and amount-reuse to be exploited.
SIGHASH_MASK only prevents you from reusing this input for a "normal"
output; if you used this key for multiple scripts of the same form,
you're vulnerable[1].  Which, given the lightning software will be using
the One True Script, is more likely that your normal wallet using the
same keys.

So I don't think it's worth it.  SIGHASH_NOINPUT is simply dangerous
with key-reuse, and Don't Do That.

Cheers,
Rusty.
[1] Attacker can basically clone channel state to another channel.