[Bitcoin-ml] Malleability Fix SIGHASH_ANYOUTPUT

Tomas tomas at bitcrust.org
Sun Oct 8 21:34:18 UTC 2017


On Sun, Oct 8, 2017, at 23:10, Jared Lee Richardson wrote:
> > The *only* purpose of allowing
> > non-malleable transactions is to enable automated processes to create an
> > off-chain multisig transaction and other off-chain transactions that
> > spend it. Such processes have no reason at all to reuse these multisig
> > addresses,
> 
> Ah, the good ole "You'll innovate the way we want or else that's not
> Bitcoin" approach.
> 
> 
> Why does that seem so familiar?  Have I seen some other group doing
> that somewhere else?

You are the second to address that line, so let me be more clear:
Pushing for my proposed simple malleability fix, I have noted some
questions on why malleability needs to be fixed in the first place. 

This is a good question, and I do not think the bugs of MtGox and ViaBtc
in themselves provide enough reason, as these were bugs that weren't
necessary to make.

I do understand that the current rules have some limitations in
constructions that rely on chaining off-chain transactions.  This is
because you cannot create an off-chain transaction that relies on
another off-chain transaction, as the first transaction might malleate
its signature and thereby its transaction ID. 

Looking specifically at the problem of constructing off-chain
transaction chains, SIGHASH_ANYOUTPUT seems to be an excellent solution.
Not only does it allow construction of such chains, not harmed by
malleability, it actually allows much more flexibility in constructions,
for instance where additional inputs of transaction X aren't yet known,
yet transaction Y depending on an output of X can already be created.

I don't want to prescribe usage at all, and if I am somehow downplaying
the problem of malleability, please explain, but I think that offering
this additional flexibility with SIGHASH_ANYOUTPUT is exactly what
serves off-chain chaining constructions, and solves the current
limitations.

SIGHASH_ANYOUTPUT simply says "I don't care which transaction I'm
signing as long as the amount and the signature work". This seems to
cover a lot of use cases that are now impossible.

Tomas
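
Added example, not part of the original message and not the proposal's actual serialization: a simplified Python model of the chaining problem described above, where malleating the signature in transaction X changes its ID and breaks a pre-signed child Y, while a digest that commits only to the spent amount and Y's own outputs is unaffected. The transaction layout, both digest functions, the `spend` helper and all sample values are assumptions constructed for illustration.

```python
import hashlib
import struct

# secp256k1 group order: if (r, s) is a valid ECDSA signature, so is (r, N - s).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def dsha(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def ser_outputs(outputs) -> bytes:
    return b"".join(struct.pack("<Q", amt) + bytes([len(spk)]) + spk for amt, spk in outputs)

def txid(tx) -> bytes:
    """Transaction ID: hash of the whole transaction, signature bytes included."""
    ins = b"".join(prev + struct.pack("<I", vout) + bytes([len(sig)]) + sig
                   for prev, vout, sig in tx["inputs"])
    return dsha(ins + ser_outputs(tx["outputs"]))

def malleate(tx):
    """Third-party malleation: swap s for N - s in the first input's signature."""
    prev, vout, sig = tx["inputs"][0]
    flipped = sig[:32] + (N - int.from_bytes(sig[32:], "big")).to_bytes(32, "big")
    return {"inputs": [(prev, vout, flipped)] + tx["inputs"][1:], "outputs": tx["outputs"]}

def legacy_digest(child) -> bytes:
    """Simplified model of today's rule: the signed digest commits to the parent txid."""
    prev, vout, _ = child["inputs"][0]
    return dsha(prev + struct.pack("<I", vout) + ser_outputs(child["outputs"]))

def anyoutput_digest(child, spent_amount: int) -> bytes:
    """Toy model of the idea in the post: commit to the amount, not the parent txid."""
    return dsha(struct.pack("<Q", spent_amount) + ser_outputs(child["outputs"]))

def spend(parent, outputs):
    """Build an unsigned child spending output 0 of `parent` (hypothetical helper)."""
    return {"inputs": [(txid(parent), 0, b"")], "outputs": outputs}

# Constructed sample data: placeholder r/s values and one-byte scripts, not real ones.
SIG = (7).to_bytes(32, "big") + (11).to_bytes(32, "big")
X = {"inputs": [(b"\x11" * 32, 0, SIG)], "outputs": [(50_000, b"\x51")]}
X_MAL = malleate(X)               # same payment, different signature encoding
Y_OUTPUTS = [(49_000, b"\x52")]
Y = spend(X, Y_OUTPUTS)           # child created off-chain against the original X
Y_REBOUND = spend(X_MAL, Y_OUTPUTS)  # what Y must become if X_MAL confirms instead
```

A signature is made over a digest, so the signature on `Y` carries over to `Y_REBOUND` only when the two digests are equal; in this model that holds for `anyoutput_digest` and fails for `legacy_digest`.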

