[bitcoin-dev] Safer sighashes and more granular SIGHASH_NOINPUT

Pieter Wuille pieter.wuille at gmail.com
Sat Feb 9 00:39:54 UTC 2019

On Wed, 19 Dec 2018 at 18:06, Rusty Russell via bitcoin-dev
<bitcoin-dev at lists.linuxfoundation.org> wrote:
> Meanwhile, both SIGHASH_NOINPUT and OP_MASK have the reuse-is-dangerous
> property; with OP_MASK the danger is limited to reuse-on-the-same-script
> (ie. if you use the same key for a non-lightning output and a lightning
> output, you're safe with OP_MASK.  However, this is far less likely in
> practice).

Having had some more time to consider this and seeing discussions
about alternatives, I agree. It doesn't seem that OP_MASK protects
against any likely failure modes. I do think that there are realistic
risks around NOINPUT, but output tagging (as suggested in another ML
thread) seems to match those much better than masking does.



More information about the bitcoin-dev mailing list