[bitcoin-dev] Safer sighashes and more granular SIGHASH_NOINPUT

Rusty Russell rusty at rustcorp.com.au
Mon Dec 17 03:10:42 UTC 2018


Johnson Lau <jl2012 at xbt.hk> writes:
> I don’t think this has been mentioned: without signing the script or masked script, OP_CODESEPARATOR becomes unusable or insecure with NOINPUT.
>
> In the new sighash proposal, we will sign the hash of the full script (or masked script), without any truncation. To make OP_CODESEPARATOR works like before, we will commit to the position of the last executed OP_CODESEPARATOR. If NOINPUT doesn’t commit to the masked script, it will just blindly committing to a random OP_CODESEPARATOR position, which a wallet couldn’t know what codes are actually being executed.

My anti-complexity argument leads me to ask why we'd support
OP_CODESEPARATOR at all?  Though my argument is weaker here: no wallet
need support it.

But I don't see how OP_CODESEPARATOR changes anything here, wrt NOINPUT?
Remember, anyone can create an output which can be spent by any NOINPUT,
whether we go for OP_MASK or simply not commiting to the input script.

Confused,
Rusty.


More information about the bitcoin-dev mailing list