[bitcoin-dev] Disallow insecure use of SIGHASH_SINGLE

Peter Todd pete at petertodd.org
Wed Jun 6 00:49:01 UTC 2018


On Fri, Jun 01, 2018 at 02:53:01AM +0800, Johnson Lau via bitcoin-dev wrote:
> I’ve made a PR to add a new policy to disallow using SIGHASH_SINGLE without matched output:
> 
> https://github.com/bitcoin/bitcoin/pull/13360
> 
> Signature of this form is insecure, as it commits to no output while users might think it commits to one. It is even worse in non-segwit scripts, which is effectively SIGHASH_NOINPUT|SIGHASH_NONE, so any UTXO of the same key could be stolen. (It’s restricted to only one UTXO in segwit, but it’s still like a SIGHASH_NONE.)
> 
> This is one of the earliest unintended consensus behavior. Since these signatures are inherently unsafe, I think it does no harm to disable this unintended “feature” with a softfork. But since these signatures are currently allowed, the first step is to make them non-standard.

I don't see why we should bother to soft fork this out on the basis of
security, given that there are many other ways to insecurely use private keys
(e.g. reused nonces). Maybe soft-fork it out on the basis of code complexity,
but this sounds like a lot of work.

Also, I have to wonder if it's just as likely the devs might think the
non-standardness means it is secure.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20180605/c5beda70/attachment.sig>


More information about the bitcoin-dev mailing list