[bitcoin-dev] Safer sighashes and more granular SIGHASH_NOINPUT

Russell O'Connor roconnor at blockstream.io
Thu Dec 13 16:34:17 UTC 2018

On Wed, Dec 12, 2018 at 12:26 PM Gregory Maxwell <gmaxwell at gmail.com> wrote:

> On Wed, Dec 12, 2018 at 5:15 PM Russell O'Connor via bitcoin-dev
> <bitcoin-dev at lists.linuxfoundation.org> wrote:
> > I tend to think in opposite terms. Is there a proof that any script can
> be transformed into an equivalent one that avoids witness weight
> malleability?   But I admit there is a trade off:  If we don't allow for
> signature covers weight, and we do need it, it will be too late to add.  On
> the other hand if we add signature covers weight, but it turns out that no
> Script ever needs to use it, then we've added that software complexity for
> no gain.  However, I think the software complexity is relatively low,
> making it worthwhile.
> >
> > Moreover, even if witness weight malleability is entirely avoidable, it
> always seems to come at a cost.  Taking as an example libwally's proposed
> "csv_2of3_then_2"
> I'm largely in agreement with you-- but my difficulty in arguing for
> signing the weight is that it seemed to me that it was only easy to
> sign an upper bound because some witnesses are variable size... and
> signing an upper bound means more signalling overhead... offsetting
> the space gains for demalleating.

In multi-party protocols, the last person to sign knows what the total
weight is going to be (now that we have fixed sized signatures) and at
least they have the ability to sign it.  They are probably motivated to
sign the weight as long as they are interested in the success of the
transaction.  I suppose there could be asynchronous protocols where there
isn't a last person to sign, but that seems a bit weird.  Greg, you are
probably more familiar with examples of multi-party protocols than I am.

OTOH maybe the last person to sign isn't interested in the success of the
transaction and wants to cause grief by bloating the transaction and
signing the bloated weight.  I guess in such protocols, you'll have to keep
the anti-malleablity Script Code.

I totally get the idea that signing weight has a lot of issues in many
scenarios.  But I still feel than on the whole it is better to make the
option available than to be forced to rely on anti-malleability Script Code
or non-consensus relay policy.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20181213/b933196e/attachment.html>

More information about the bitcoin-dev mailing list