From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 41879723 for ; Thu, 24 May 2018 12:39:58 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from mail.wpsoftware.net (wpsoftware.net [96.53.77.134]) by smtp1.linuxfoundation.org (Postfix) with ESMTP id 15F7B6EC for ; Thu, 24 May 2018 12:39:57 +0000 (UTC) Received: from boulet.lan (boulot.lan [192.168.0.193]) by mail.wpsoftware.net (Postfix) with ESMTPSA id 10C3340252; Thu, 24 May 2018 12:39:55 +0000 (UTC) Date: Thu, 24 May 2018 12:39:55 +0000 From: Andrew Poelstra To: Natanael , Bitcoin Protocol Discussion Message-ID: <20180524123955.GW14992@boulet.lan> References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="qxpYSgLynlcP4boX" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.7.1 (2016-10-04) X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: Re: [bitcoin-dev] Should Graftroot be optional? X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 May 2018 12:39:58 -0000 --qxpYSgLynlcP4boX Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, May 24, 2018 at 11:44:16AM +0200, Natanael via bitcoin-dev wrote: >=20 > As stated above by Wuille this seems to not be a concern for typical P2SH > uses, but my argument here is simply that in many cases, not all > stakeholders in a transaction will hold one of the private keys required = to > sign. And such stakeholders would want a guarantee that the original scri= pt > is followed as promised. > In this case, even mandatory graftroot would not allow the signing stakehol= ders to take the coins. The reason is that if there are _any_ non-signing script conditions that must be followed, then to use Taproot the top-level public = key needs to be unusable, e.g. by being a NUMS point. In that case the public k= ey would also be unusable for Graftroot. Another way to see this is -- in any context where Graftroot seems dangerou= s, there needs to be a reason why the ability to just create transactions is n= ot dangerous. In your example it seems that the signing parties can just take the coins with or without Graftroot, so the problem is not in Graftroot but in the way that the example is set up. =20 > I'm not concerned by the ability to move funds to an address with the new > rules that you'd otherwise graftroot in, only that you can provide a > transparent guarantee that you ALSO follow the original script as promise= d. > What happens *after* you have followed the original script is unrelated, > IMHO. > To do this in Taproot you need to disable the top-level key, which will also disable Graftroot.=20 --=20 Andrew Poelstra Mathematics Department, Blockstream Email: apoelstra at wpsoftware.net Web: https://www.wpsoftware.net/andrew "A goose alone, I suppose, can know the loneliness of geese who can never find their peace, whether north or south or west or east" --Joanna Newsom --qxpYSgLynlcP4boX Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEcBAEBCAAGBQJbBrKaAAoJEMWI1jzkG5fBmngH/3LGRcQq/vyoxliyoOJFKynT 4814NsJLzyQpL65G4ixlmhbi26FsKhRT4Y0IpaZJRMFFbgcetaBsW1EV05prnQNi Vjz3eG/0oCgl+PmJnOUiPwi2ZBe/EMzKL/XexHwGSbwVvpodRDR/rnEYSptWaguj je+JmfA0vafPoWWkNKNN/9KOKTx/Ak5kfP5vZjMiUdx/QaGsL+E7DXwMTBCr0doY gJcHmW7hzS3AUREbvjGwrLl/SBcSo9dmTY89PwXSdXBElU95/vsrZU6OuGQBBrL0 u82o6YA0gWdf5n9taFmKmWqDJygQ94sJGaNnIMIZD71daLEFs5RZDen7o2Wq22s= =OrGE -----END PGP SIGNATURE----- --qxpYSgLynlcP4boX--