[Bitcoin-ml] Malleability Fix SIGHASH_ANYOUTPUT

[Tomas]

While working on the simple malleability fix, I have been considering
another alternative that I believe is worth a discussion.

We introduce a SIGHASH flag, SIGHASH_ANYOUTPUT. With this flag set the
prevout field is not included in the sighash, but instead the
scriptPubKey of the output being spend is included. (and the amount is
already included). A transaction that uses it is not harmed by
malleation of the transaction it spends.

I briefly proposed and dismissed this as it is a very dangerous flag due
to address reuse: The recipient of such transaction can "replay" it for
every output with the same address and amount.

However, we should consider our goal: The *only* purpose of allowing
non-malleable transactions is to enable automated processes to create an
off-chain multisig transaction and other off-chain transactions that
spend it. Such processes have no reason at all to reuse these multisig
addresses, and the incompatibility  between SIGHASH_ANYOUTPUT and reused
addresses may be rather acceptable. SIGHASH_ANYOUTPUT seems to serve
these processes perfectly, without harm if it isn't used for other
cases.

The elegance of this approach, is that it follows the philosophy of
minimizing changes to the base layer. The change fits neatly into the
existing model, as we only extend the SIGHASH flags that allow the user
to choose which fields are covered by his signature.  

Tomas van der Wansem
bitcrust